  1. May 02, 2012
  2. May 01, 2012
  3. Apr 30, 2012
  4. Apr 29, 2012
  5. Apr 27, 2012
  6. Apr 20, 2012
  7. Apr 19, 2012
  8. Apr 17, 2012
  9. Apr 16, 2012
  10. Apr 15, 2012
  11. Apr 14, 2012
      added comment · 1789305a
      an7s authored
      Former-commit-id: 84ee9b717624a7151823ac305a0f8c0fb6b26f36
  12. Apr 13, 2012
  13. Apr 12, 2012
      Changed p1/pn padding threshold to 512-1024 to support recursive funcs. · 4b720ff3
      jdh8d authored
      Former-commit-id: c81610a6ba6408a995adc3eec7814ef097fb72c4
      If a function is not believed to have a dynamic stack frame, canary checks are... · 78222ff5
      bdr7fv authored
      If a function is not believed to have a dynamic stack frame, canary checks are performed prior to any function call. 
      Former-commit-id: 20be9054ca856ffa82e9189618cab59aae23ebb7
      PNRegularExpressions.cpp: modified the regex_ret expression to only match... · 08852814
      bdr7fv authored
      PNRegularExpressions.cpp: modified the regex_ret expression to only match lines that contain ret only.
      
      OffsetInference.cpp: When inferring layouts, the number of ret instructions is counted. If 0 and no deallocation site is found, the function is considered transformable. 
      Former-commit-id: 716e7a209e985fb0c3758300755efb95442fb760
      The primary change in this commit is the support of dynamic arrays and alloca... · 510e929d
      bdr7fv authored
      The primary change in this commit is the support of dynamic arrays and alloca functions as well as adding a few more prologue checks. 
      
      Added General_Utility.*, as of this commit, this utility "class" contains a str2int and str2uint function. 
      
      Changed makefile to reflect addition of General_Utility.*.
      
      Modified PNRegularExpressions.cpp, changed stack_dealloc_implicit. Added the pattern
      
      lea esp, [ebp-<const>]
      
      as a valid stack deallocation. 
      
      OffsetInference.cpp now checks the amount by which esp is subtracted in 
      
      sub esp, <val>
      
      instructions. If the value is determined to be non-integral, it is assumed the function is using alloca or dynamic arrays, and the function is considered non PNsafe (only p1 is attempted). 
      
      Given the addition to PNRegularExpressions.cpp, in OffsetInference.cpp, stack_dealloc_implicit checks are now done first. 
      
      PNTransformDriver.cpp also does a check to see if sub esp, <val> contains an integral value, and does not transform instructions that do not. 
      
      OffsetInference.cpp now does a stack deallocation check for add esp, 0x00000000, and does not filter a function based on 0 not matching the size of the stack frame. 
      Former-commit-id: 9c9f3494d7bd13bf237ef9fc4925b1a72e95b3c2
  14. Apr 10, 2012
      Typo found in PNRegularExpressions for ebp scaled regex, removed a useless + in the regex. · 13bb869d
      bdr7fv authored
      If a scaled memory access is found that uses ebp as an index,
      e.g., [ecx+ebp*1+0x21],
      the function is considered not PN safe, and only p1 is attempted if p1
      has been determined to be safe. 
      
      This check is done in OffsetInference.cpp. In PNTransformDriver.cpp, if this
      pattern is encountered during transformation, it is assumed that p1 is being 
      used and the offset is used to find the appropriate displacement by which
      to modify the original instruction. 
      
      In the future a dynamic solution would be more appropriate, and then PN
      could be attempted. The issue with PN is the offset discovered in instructions
      like these does not necessarily point to the variable the instruction will
      reference at runtime. A runtime check is needed to see what memory is accessed. 
      Former-commit-id: c5a33834377949a5cfef357004bdd29c6bc079c9
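The two commit messages above (Apr 12: integral check on `sub esp, <val>`, `lea esp, [ebp-<const>]` and `add esp, 0` as deallocation sites, `ret`-only matching; Apr 10: ebp used as a scaled index) describe a small set of textual checks on a function's disassembly. The following is an added illustration of that classification logic, written for this page; it is not code from the project in these commits. The regexes, the `FrameInfo`/`PNVerdict` names, the treatment of `leave` as an implicit deallocation and the rule for a function with no recognisable frame are my own assumptions; the constructed disassembly fragments are not from any real binary.

```cpp
// Added illustration of the prologue/epilogue checks described in the Apr 12 and
// Apr 10 commit messages. Not the project's code; names, regexes and the handling
// of "leave" and of frames without "sub esp" are assumptions made for this example.
#include <cassert>
#include <cstdint>
#include <regex>
#include <string>
#include <vector>

enum class PNVerdict { Transformable, P1Only, NotTransformable };

struct FrameInfo {
    bool dynamic_frame = false;     // operand of "sub esp" was not an integer (alloca/VLA)
    bool ebp_scaled_index = false;  // saw a memory operand like [ecx+ebp*1+0x21]
    bool dealloc_found = false;     // saw add esp, N / lea esp, [ebp-N] / leave (assumed)
    bool dealloc_mismatch = false;  // add esp, N with N != 0 and N != frame size
    int ret_count = 0;              // bare "ret" only; "ret 8" is not counted
    std::int64_t frame_size = -1;   // from "sub esp, <integral>"; -1 if none seen
};

static const std::regex re_sub_esp(R"(^\s*sub\s+esp\s*,\s*(\S+)\s*$)");
static const std::regex re_add_esp(R"(^\s*add\s+esp\s*,\s*(\S+)\s*$)");
static const std::regex re_lea_esp(R"(^\s*lea\s+esp\s*,\s*\[\s*ebp\s*-\s*([^\]\s]+)\s*\]\s*$)");
static const std::regex re_leave(R"(^\s*leave\s*$)");
static const std::regex re_ret(R"(^\s*ret\s*$)");
static const std::regex re_ebp_index(R"(\[\s*\w+\s*\+\s*ebp\s*\*\s*[1248])");

// Accept decimal or 0x-prefixed hex immediates; reject registers and other text.
static bool parse_integral(const std::string& s, std::int64_t& out) {
    try {
        std::size_t used = 0;
        out = std::stoll(s, &used, 0);
        return used == s.size();
    } catch (const std::exception&) {
        return false;
    }
}

FrameInfo analyse(const std::vector<std::string>& lines) {
    FrameInfo fi;
    std::smatch m;
    for (const std::string& line : lines) {
        std::int64_t v = 0;
        if (std::regex_match(line, m, re_sub_esp)) {
            if (parse_integral(m[1].str(), v)) fi.frame_size = v;
            else fi.dynamic_frame = true;          // e.g. "sub esp, eax"
        } else if (std::regex_match(line, m, re_add_esp)) {
            if (parse_integral(m[1].str(), v)) {
                fi.dealloc_found = true;
                // "add esp, 0" is a deallocation site that is not compared against
                // the frame size; any other size must match the sub esp amount.
                if (v != 0 && fi.frame_size >= 0 && v != fi.frame_size)
                    fi.dealloc_mismatch = true;
            }
        } else if (std::regex_match(line, m, re_lea_esp)) {
            if (parse_integral(m[1].str(), v)) fi.dealloc_found = true;
        } else if (std::regex_match(line, re_leave)) {
            fi.dealloc_found = true;               // assumption: leave restores esp
        } else if (std::regex_match(line, re_ret)) {
            ++fi.ret_count;
        }
        if (std::regex_search(line, re_ebp_index)) fi.ebp_scaled_index = true;
    }
    return fi;
}

PNVerdict classify(const FrameInfo& fi) {
    // Assumption: a function with no "sub esp" at all has no frame to lay out.
    if (fi.frame_size < 0 && !fi.dynamic_frame) return PNVerdict::NotTransformable;
    // Dynamic frames and ebp-as-index accesses: only p1 is attempted.
    if (fi.dynamic_frame || fi.ebp_scaled_index) return PNVerdict::P1Only;
    if (fi.dealloc_mismatch) return PNVerdict::NotTransformable;
    // No deallocation site is acceptable only when there is no ret at all.
    if (!fi.dealloc_found && fi.ret_count > 0) return PNVerdict::NotTransformable;
    return PNVerdict::Transformable;
}

PNVerdict classify_listing(const std::vector<std::string>& lines) {
    return classify(analyse(lines));
}

int main() {
    // Constructed Intel-syntax fragments for demonstration only.
    std::vector<std::string> plain = {"push ebp", "mov ebp, esp", "sub esp, 0x20",
                                      "mov eax, [ebp-0x4]", "add esp, 0x20", "pop ebp", "ret"};
    std::vector<std::string> alloca_fn = {"push ebp", "mov ebp, esp", "sub esp, eax",
                                          "leave", "ret"};
    assert(classify_listing(plain) == PNVerdict::Transformable);
    assert(classify_listing(alloca_fn) == PNVerdict::P1Only);
    return 0;
}
```

The classifier is deliberately line-oriented, like the regex-based checks the commit messages describe; it will not see an `esp` adjustment performed through a register computed earlier, which is exactly the case the Apr 10 message flags as needing a runtime check rather than a static offset.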
  15. Apr 07, 2012
      Multiple sets of srand were causing repeated canary values. · 9878e4cb
      bdr7fv authored
      Also added comments for canary checks and canary setup which will now appear in the produced aspri and bspri code. 
      Former-commit-id: 0122593dda5b095c13036e55802204742ea09f0d
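The commit above reports that calling srand several times produced repeated canary values. The following is an added example, not the project's code, of why that happens and what the single-seed fix looks like: reseeding with a seed that has not changed (a `time(NULL)` value is constant for a whole second) restarts the same rand() sequence, so every draw returns the same first value. The function names are my own, and a fixed seed is passed in so the behaviour is reproducible offline.

```cpp
// Added example of the srand/canary problem described in the commit message.
// Not the project's code; function names are assumptions for this illustration.
#include <cstdint>
#include <cstdlib>
#include <set>
#include <vector>

// Buggy pattern: the generator is reseeded before every canary. When the seed
// is the same each time (e.g. time(NULL) called within one second), rand()
// restarts the same sequence and every canary is identical.
std::vector<std::uint32_t> canaries_reseeding(std::size_t n, unsigned seed) {
    std::vector<std::uint32_t> out;
    for (std::size_t i = 0; i < n; ++i) {
        std::srand(seed);
        out.push_back(static_cast<std::uint32_t>(std::rand()));
    }
    return out;
}

// Fixed pattern: seed once, then take successive values from the sequence.
std::vector<std::uint32_t> canaries_seed_once(std::size_t n, unsigned seed) {
    std::vector<std::uint32_t> out;
    std::srand(seed);
    for (std::size_t i = 0; i < n; ++i)
        out.push_back(static_cast<std::uint32_t>(std::rand()));
    return out;
}

// Number of distinct canary values in a batch; 1 means they all collided.
std::size_t distinct_count(const std::vector<std::uint32_t>& v) {
    return std::set<std::uint32_t>(v.begin(), v.end()).size();
}
```

Seeding once removes the repetition, but rand() is still a predictable generator; for canaries meant to resist an attacker who can observe one value, an OS entropy source (for example /dev/urandom on Linux) is the safer choice.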
      In a previous commit, PN was altered to not place canaries in a function if an... · d4756706
      bdr7fv authored
      In a previous commit, PN was altered to not place canaries in a function if an AND esp, <const> instruction was found. That was altered, but the functionality in PNTransformDriver.cpp still replaced AND esp with a nop. In this commit that code is commented out, i.e., AND esp instructions are untouched. 
      Former-commit-id: 5f5e66cde79953142797e0c2b91313f9a4388d7c
  16. Apr 05, 2012