illera88 / ponce Goto Github PK
View Code? Open in Web Editor NEWIDA 2016 plugin contest winner! Symbolic Execution just one-click away!
Home Page: https://docs.idaponce.com
License: Other
IDA 2016 plugin contest winner! Symbolic Execution just one-click away!
Home Page: https://docs.idaponce.com
License: Other
We could show to the user a windows with all the configuration.
We could configure this things:
We shoudl blacklist all the functions that does not modify the user input (printf, puts, free, malloc...).
We can hardcode some of them and letting the user the chance to add more through a file.
The plugin could be use just to do tainting analysis and know which instructions of the program are tainted and this is different to make a symbolic execution analysis where all the formulas (from the tainted instructions) are being generated.
Tainting analysis should be quite more light than symbolic execution. So in some scenarios it could be useful to allow the user just to do tainting without symbolic.
As we are doing in the Athena plugin it could be useful with very big program to rename the functions containing tainted instructions with a preffix "T0001_sub_401000".
It would be nice to have an environment to compile the plugin for other OS.
They are nasty!
I think this is related with the way we get the selected bytes from the hex view
congrats on the release of this interesting tool! nice to you are using Capstone here. linked to your project from our website now: http://www.capstone-engine.org/showcase.html
keep it up, cheers.
@0ca
I get this error:
..\..\..\Ponce\src\main.cpp(31): error C2664: 'void triton::API::addCallback(triton::callbacks::symbolicSimplificationCallback)' : cannot convert argument 1 from 'void (__cdecl *)(triton::arch::MemoryAccess &)' to 'triton::callbacks::getConcreteMemoryValueCallback'
Like the ones we have in Athena to test quickly the different functionality and do some demos.
Memory tainting is working in the hex view. We are using this code to get the current selection:
selection_starts = action_activation_ctx->cur_sel.from.at->toea();
selection_ends = action_activation_ctx->cur_sel.to.at->toea();
But with the disassembly windows is not very clear how to do it. IDA group into arrays some variables:
We should be able to from the current line get the size of the "item" and then taint all of them.
In the future we can implement the option to solve/negate a condition and based in the solution inject the value in the process and change the flags to invert the condition.
The idea is use this option with manual stepping so the user could negate the conditions he wants and modify the execution in runtime.
In some cases this cannot work. When the input modified was used before in the program to do something additional, like active flags, or modified another input. But still I think it can work in simple cases and it is spectacular.
We need to implement the button solve a condition.
The idea is first to show the solution in the IDa output.
We could do more things:
Now when we run a program Ponce will stop at the breakpoint in the main and it would continue from there stepping.
But if we manually stop in a condition, we negate it and we run the progra, F9, we aren't going to do stepping, so from that point we would need to manually step for all the instructions.
I guess the idea is the first time the program run we should run it without stepping until we find a tainted input location (main, recv, fread). From there we do stepping and if the user manually stops the program to do things and he continues, F9, we should force the program to do stepping instead of real executing the program.
If the user is debugging the program and using the negate option, it could be very helpful to have an option to continue tracing until next tainted condition. So he could stop in the next tainted condition and decide if he wants to negate it or not.
If the user taints a register/memory used in the current instruction we should reanalyze the instruction so Triton can do the tainting analysis properly.
I think we are not setting the optimizations from triton, like optimization_align.
We should think too how we want to use the ONLY_TAINTED optimization.
If we use the plugin in tracing mode it would be useful to paint the executed instructions with a light color just to know the path the execution took.
Right now we are limiting a trace by the number of executed instructions. When this limit is reached we should ask to the user if he wants to stop or continue other X instructions.
Maybe it is also useful to add a time detection. So after X segx/mins the plugin can stop and ask to the user if he wants to continue.
We have some code with macros for x64. But IDA is x86 for both versions, so we cannot compile ponce for x64 bits. Instead we need to replace all the macros with a condition:
inf.is_32bit()
Original definition:
identifying all program code that can in any way affect the value of a given variable
This is now called “static backward slicing”
More info:
http://web.cs.iastate.edu/~weile/cs513x/5.TaintAnalysis2.pdf
The idea is from an instruction get all the previous instructions that modified the values used in the current instr.
This is very useful for exploiting. If you found an input is crashing a program via fuzzing, and you want to know where comes from the values from the registers, memory, you could use that.
They implemented in the past something similar in this paper. But they never released a fully functional version:
https://media.blackhat.com/us-13/US-13-Li-How-to-Grow-a-TREE-Slides.pdf
They show the previous functions involved in the tainting.
Right now we have a lot of commented code that we should clean up the make it more legible.
Like taint memory, register
The plugin is painting the tainted instructions and maybe in the future is adding other info.
We should give the user the possibility to clear the previous results and re-execute the program tainting/making symbolic other variables.
There is some options:
We can use the IDA comments in the "next lines" to do this. It is a lot of information so it should be disabled by default.
To use Triton we need first to set the architecture with setArchitecture. It would be cool to get the type of binary, x86 or x64 and set the architecture accord to that.
Right now it is hardcoded to x86:
https://github.com/illera88/ponce/blob/master/Ponce/src/main.cpp#L71
It would be cool to color the tainted instructions in the decompiled code, but I don't know if that is possible.
We could add comments, that for sure.
If the color is not possible we could request that functionality.
Priority -1 ;)
But in the future we should check if with the built-in IDA icons it is enough or if we can/want to use external icons: http://www.famfamfam.com/lab/icons/
For example if we have this instruction:
add eax, ecx
The user would like to know which register was tainted to taint the whole instruction, eax, ecx, both?
This would help the user to follow the tainting analysis.
So the user can disable it and execute it as native.
But when the user does this, he cannot use the restore snashot, because if the instructions are executed native we don't know the changes in memory.
Should we reset the snapshot? Show a message to the user (with a tick to not show the message again)? Or we should just explain that very clear in the readme?
We should be timing the tracing when the user is stopped.
The problem now is that the tracing is tracing the exit function, which has a lot of instructions. Maybe if we add this function to the blacklist is enough.
Other options not so elegant are to put a breakpoint in the end of the main function or at every exit, ThreadExit, etc...
Right now I am using the dynamic library from Z3. So all the project is static except for this dll. You need to put the libz3.dll in the IDA directory to load the plugin properly.
We did it this in the past but I don't remember very well how.
We should use PIN in the future and compare the performance.
We should clear the trace so the user can see the tainted instructions and not all the executed instructions in yellow.
We could use the same code we already have for Athena.
The plugin only works well the first time we execute a program inside a binary.
We should reset the engines, and all the state after an execution ends.
It would be very useful to implement blacklisting per modules/dlls or per functions.
For example we should skip the printf
implementation.
I think we should differentiate between this and heuristics or "apis simplification", p.e. (strcmp, srtcpy, etc..)
When we are debugging a program and we are in a symbolic condition, it could be very cool to have an option to negate the condition solving the formulas for the condition instruction.
We should inject the solution in the memory/registers and set the flags to satisfy the conditions (ZF or SF, or...).
It could be veeery useful to automatically taint all the possible user inputs.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.