├── Disassembler
    ├── Example_Trace_Output
    │   ├── entire_unpacked-1
    │   ├── entire_unpacked-1.til
    │   ├── entire_unpacked_clean-1
    │   ├── exports_wave-1
    │   ├── trace_output
    │   └── wave_entrypoints
    ├── PEtite_example
    │   ├── Petite_packed.exe
    │   ├── entire_unpacked-3
    │   ├── exports_wave-3
    │   ├── trace_output
    │   └── wave_entrypoints
    ├── README.md
    ├── disassembler.py
    └── main.py
├── README.md
└── Tracer
    ├── Example_of_packed_file
        ├── Petite_packed.exe
        └── UPX_packed.exe
    ├── Makefile
    ├── Pre_compiled_dll
        └── unpacker.dll
    ├── README.md
    ├── main.c
    └── unpacker.h


/Disassembler/Example_Trace_Output/entire_unpacked-1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DavidKorczynski/RePEconstruct/df97c55f1fa1039cd80a73f3fe59f36b136f36f6/Disassembler/Example_Trace_Output/entire_unpacked-1


--------------------------------------------------------------------------------
/Disassembler/Example_Trace_Output/entire_unpacked-1.til:
--------------------------------------------------------------------------------
1 | IDATIL      Local type definitionsmssdk                             


--------------------------------------------------------------------------------
/Disassembler/Example_Trace_Output/entire_unpacked_clean-1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DavidKorczynski/RePEconstruct/df97c55f1fa1039cd80a73f3fe59f36b136f36f6/Disassembler/Example_Trace_Output/entire_unpacked_clean-1


--------------------------------------------------------------------------------
/Disassembler/Example_Trace_Output/wave_entrypoints:
--------------------------------------------------------------------------------
1 | W 1 First executed instruction at 0x004011c2
2 | 


--------------------------------------------------------------------------------
/Disassembler/PEtite_example/Petite_packed.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DavidKorczynski/RePEconstruct/df97c55f1fa1039cd80a73f3fe59f36b136f36f6/Disassembler/PEtite_example/Petite_packed.exe


--------------------------------------------------------------------------------
/Disassembler/PEtite_example/entire_unpacked-3:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DavidKorczynski/RePEconstruct/df97c55f1fa1039cd80a73f3fe59f36b136f36f6/Disassembler/PEtite_example/entire_unpacked-3


--------------------------------------------------------------------------------
/Disassembler/PEtite_example/wave_entrypoints:
--------------------------------------------------------------------------------
1 | W 1 First executed instruction at 0x00140000
2 | W 2 First executed instruction at 0x00140398
3 | W 3 First executed instruction at 0x004011c2
4 | 


--------------------------------------------------------------------------------
/Disassembler/README.md:
--------------------------------------------------------------------------------
 1 | # Disassembler
 2 | 
 3 | The main idea with this disassembler is to use information from a concrete execution to support commonly done reverse engineering tasks. Specifically, the disassembler uses information about *branch instruction, memory reads and the modules exported by dynamically loaded libraries* from the concrete execution by our tracer, to rebuild the IAT of an unpacked binary and also relocate instructions or produce IDA scripts if desired. The relocation of instructions is a neat way to automatically patch the binary to something more useful than a binary with broken branching to imports. The point of the IDA script is to annotate and insert cross-references from branch calls (including obfuscated calls observed during the concrete execution) to imported functions.  
 4 | 
 5 | The *main.py* function gives a concrete example of how to use the disassembler, which should be fairly straight forward to interpret. When you have installed the software mentioned below, you should be able to simply run the main.py and see some results!
 6 | 
 7 | To run the disassembler you need to have Capstone installed.
 8 | **Note that you need to have the ["next" branch](https://github.com/aquynh/capstone/wiki/Next-branch) of Capstone installed.** There is a link on the home README file.  **You also need [PEfile](https://github.com/erocarrera/pefile)**. 
 9 | 
10 | 
11 | 
12 | 


--------------------------------------------------------------------------------
/Disassembler/disassembler.py:
--------------------------------------------------------------------------------
  1 | from collections import deque
  2 | from struct import *
  3 | from capstone import *
  4 | from capstone.x86 import *
  5 | import pefile
  6 | import struct
  7 | 
  8 | 
  9 | class RPE_XREF_type:
 10 |     branch = 1
 11 |     mem_read = 2
 12 |     mem_write = 3
 13 | 
 14 |     def __init__():
 15 |         None
 16 | 
 17 | 
 18 | class RPE_instruction:
 19 | 
 20 |     def __init__(self):
 21 |         self.address = None
 22 |         self.decoded_instr = None
 23 |         self.branch_destinations = set()
 24 |         self.values_read = set()
 25 | 
 26 |     def add_branch_destination(self, dst_address):
 27 |         self.branch_destinations.add(dst_address)
 28 | 
 29 |     def get_branch_destinations(self):
 30 |         return self.branch_destinations
 31 | 
 32 |     def add_values_read(self, value_read):
 33 |         self.values_read.add(value_read)
 34 | 
 35 |     def get_values_read(self):
 36 |         return self.values_read
 37 | 
 38 | 
 39 | class RPE_instruction_graph:
 40 |     """
 41 |     A representation of the binary as a directed graph where each node
 42 |     is an instruction of the binary. 
 43 |     
 44 |     The graph is represented as a mapping:
 45 |     instruction_address -> RPE_instruction
 46 |     
 47 |     
 48 |     """
 49 | 
 50 |     def __init__(self):
 51 |         self.graph = dict()
 52 | 
 53 |     def add_edge(self, src_instr, dst_address, ref_type):
 54 |         """
 55 |         
 56 |         :param RPE_instruction src_instr:
 57 |         :param unsigned int dst_address:
 58 |         :param REFERENCE_TYPE ref_type:
 59 |         
 60 |         :return: None
 61 |         """
 62 |         source_addr = src_instr.address
 63 |         self.graph[source_addr].add_branch_destination(dst_address)
 64 | 
 65 |     def add_node(self, instr):
 66 |         """
 67 |         :param RPE_instruction instr:
 68 |         
 69 |         :return: None
 70 |         """
 71 |         self.graph[instr.address] = instr
 72 | 
 73 |     def is_analysed(self, instr_addr):
 74 |         """
 75 |         
 76 |         :param unsigned int instr_addr:
 77 |         
 78 |         :return Boolean: whether the address is contained in the graph as a node.
 79 |         """
 80 |         return instr_addr in self.graph
 81 | 
 82 |     def get_instruction(self, instr_addr):
 83 |         """
 84 |         
 85 |         :param unsigned int instr_addr:
 86 |         
 87 |         :return RPE_instruction: The RPE_instruction at the instruction address. 
 88 |                                  None if the node is not in the graph.
 89 |         """
 90 |         if instr_addr in self.graph:
 91 |             return self.graph[instr_addr]
 92 |         print 'no such instruction'
 93 | 
 94 |     def number_of_instructions(self):
 95 |         return len(self.graph)
 96 | 
 97 |     def print_calls_to_exports(self):
 98 |         for instr_addr in self.graph:
 99 |             instr = self.graph[instr_addr]
100 |             dec_instr = instr.decoded_instr
101 |             for branch_dst in instr.branch_destinations:
102 |                 if branch_dst > 6291456:
103 |                     print '0x%x:\t%s\t%s' % (dec_instr.address, dec_instr.mnemonic, dec_instr.op_str)
104 |                     print '\t: ' + hex(branch_dst)
105 | 
106 | 
107 | class RPE_program_dump:
108 | 
109 |     def __init__(self, file_name):
110 |         self.endian = '<L'
111 |         pe = pefile.PE(file_name)
112 |         self.base_address = pe.OPTIONAL_HEADER.ImageBase
113 |         with open(file_name, 'rb') as f:
114 |             self.dump = f.read()
115 |             self.module_size = len(self.dump)
116 | 
117 |     def read_address(self, address):
118 |         file_offset = address - self.base_address
119 |         buf = self.dump[file_offset:file_offset + 4]
120 |         if len(buf) == 4:
121 |             address = unpack(self.endian, buf)
122 |         else:
123 |             address = (0, 0)
124 |         return address
125 | 
126 |     def read_memory(self, address, size):
127 |         file_offset = address - self.base_address
128 |         return self.dump[file_offset:file_offset + size]
129 | 
130 |     def is_it_in_module(self, address):
131 |         if address > self.base_address and address < self.base_address + self.module_size:
132 |             return True
133 |         return False
134 | 
135 |     def write_address(self, lvalue, value_to_write, add_base = 1):
136 |         if add_base == 1:
137 |             # Little endian is being written
138 |             file_offset = lvalue - self.base_address
139 | 
140 |             #print("writing %x at %x"%(value_to_write, file_offset))
141 |             bytes_to_write = struct.pack("<L", value_to_write)
142 | 
143 |             self.dump = self.dump[:file_offset] + bytes_to_write + self.dump[file_offset+4:]
144 | 
145 |             return 1
146 |         else:
147 |             # Write big endian -- Not supported now.
148 |             None
149 | 
150 |         return 0
151 | 
152 |     def overwrite_memory(self, start_address, memory):
153 |         None
154 | 
155 |     def write_file(self, file_name = 'output'):
156 |         None
157 | 
158 |     def append_memory_before_end(self, memory, start_append):
159 |         self.dump = self.dump[:start_append] + memory
160 | 
161 |     def dump_file(self, filename="reconstructedDirect"):
162 |         with open(filename, 'wb') as f:
163 |             f.write(self.dump)
164 | 
165 | 
166 | class RPE_dynamic_memory:
167 | 
168 |     def __init__(self, file_name, wave):
169 |         self.file_name = file_name
170 |         self.branching = dict()
171 |         self.wave = wave
172 |         self.instr_to_reads = dict()
173 |         self.lvalue_to_rvalue = dict()
174 |         if file_name != None:
175 |             self.parse_file()
176 | 
177 |     def parse_file(self):
178 |         with open(self.file_name) as f:
179 |             for line in f.readlines():
180 |                 splitted_line = line.split()
181 |                 if len(splitted_line) < 4:
182 |                     continue
183 |                 wave = int(splitted_line[1])
184 |                 if wave == self.wave and splitted_line[2] == 'B':
185 |                     source = splitted_line[3]
186 |                     destination = splitted_line[5]
187 |                     source_addr = int(source, 16)
188 |                     destination_addr = int(destination, 16)
189 |                     if source_addr not in self.branching:
190 |                         self.branching[source_addr] = set()
191 |                     self.branching[source_addr].add(destination_addr)
192 |                 if wave == self.wave and splitted_line[2] == 'I':
193 |                     instr_address = int(splitted_line[3], 16)
194 |                     lvalue = int(splitted_line[4], 16)
195 |                     rvalue = int(splitted_line[5], 16)
196 |                     if instr_address not in self.instr_to_reads:
197 |                         self.instr_to_reads[instr_address] = set()
198 |                     self.instr_to_reads[instr_address].add((lvalue, rvalue))
199 |                     if lvalue not in self.lvalue_to_rvalue:
200 |                         self.lvalue_to_rvalue[lvalue] = set()
201 |                     self.lvalue_to_rvalue[lvalue].add(rvalue)
202 | 
203 |     def get_branch_destinations(self, instr_address):
204 |         if instr_address in self.branching:
205 |             return list(self.branching[instr_address])
206 |         return []
207 | 
208 |     def get_instr_memory_reads(self, instr_address):
209 |         if instr_address not in self.instr_to_reads:
210 |             return None
211 |         return self.instr_to_reads[instr_address]
212 | 
213 |     def get_lvalue_to_rvalues(self, lvalue):
214 |         if lvalue not in self.lvalue_to_rvalue:
215 |             return None
216 |         return self.lvalue_to_rvalue[lvalue]
217 | 
218 | 
219 | class RPE_exported_modules:
220 | 
221 |     def __init__(self, export_dump_file = None):
222 |         self.export_file = export_dump_file
223 |         self.exports = dict()
224 |         if self.export_file != None:
225 |             self.parse_file()
226 | 
227 |     def parse_file(self):
228 |         with open(self.export_file) as f:
229 |             for line in f.readlines():
230 |                 dll_name, function_name, function_addr = line.split()
231 |                 self.insert_export(dll_name, function_name, int(function_addr, 16))
232 | 
233 |     def insert_export(self, dll_name, function_name, function_address):
234 |         self.exports[function_address] = (dll_name, function_name)
235 | 
236 |     def get_dll_and_function(self, address):
237 |         if address not in self.exports:
238 |             return None
239 |         return self.exports[address]
240 | 
241 |     def contains_address(self, address):
242 |         if address not in self.exports:
243 |             return False
244 |         return True
245 | 
246 | 
247 | class RPE_import_entry:
248 | 
249 |     def __init__(self, function_name):
250 |         self.function_name = function_name
251 |         self.thunk_addr = None
252 |         self.jump_addr = None
253 |         self.is_imported_via_static = False
254 |         self.is_imported_via_dynamic = False
255 |         self.referenced_instructions = set()
256 | 
257 |     def __eq__(self, other):
258 |         return self.function_name == `other`
259 | 
260 |     def __ne__(self, other):
261 |         return not self.__eq__(other)
262 | 
263 | 
264 | class RPE_import_table:
265 | 
266 |     def __init__(self):
267 |         self.dlls = dict()
268 | 
269 |     def add_function(self, dll_name, function_name, import_type, instr):
270 |         if dll_name not in self.dlls:
271 |             self.dlls[dll_name] = dict()
272 |         if function_name not in self.dlls[dll_name]:
273 |             new_import = RPE_import_entry(function_name)
274 |             self.dlls[dll_name][function_name] = new_import
275 |         self.dlls[dll_name][function_name].referenced_instructions.add(instr)
276 |         if import_type == 0:
277 |             self.dlls[dll_name][function_name].is_imported_via_static = True
278 |         elif import_type == 1:
279 |             self.dlls[dll_name][function_name].is_imported_via_dynamic = True
280 |         return 1
281 | 
282 |     def set_thunk_addr(self, dll_name, function_name, thunk_position):
283 |         self.dlls[dll_name][function_name].thunk_addr = thunk_position
284 | 
285 |     def get_thunk_addr(self, dll_name, function_name):
286 |         return self.dlls[dll_name][function_name].thunk_addr
287 | 
288 |     def set_jump_addr(self, dll_name, function_name, jump_position):
289 |     	self.dlls[dll_name][function_name].jump_addr = jump_position
290 | 
291 |     def get_jump_addr(self, dll_name, function_name):
292 |     	return self.dlls[dll_name][function_name].jump_addr
293 | 
294 |     def raw_memory_size(self):
295 |         size = 0
296 |         for dll_name in self.dlls:
297 |             size += len(dll_name) + 1
298 |             size += 20
299 |             for function_name in self.dlls[dll_name]:
300 |                 size += len(function_name) + 1
301 |                 size += 8
302 | 
303 |                 # Jump table too
304 | 
305 |             size += 4
306 | 
307 |         return size
308 | 
309 |     def get_jump_table_size(self):
310 |     	size = 0
311 |     	for dll_name in self.dlls:
312 |     		size += len(self.dlls[dll_name])
313 | 
314 |     	# We multiply the size by 6, because a jmp instruction 
315 |     	# using direct addressing is 6 bytes long.
316 |     	return size*6
317 | 
318 | 
319 |     def get_import_set(self):
320 |         import_set = set()
321 |         for dll in self.dlls:
322 |             for func in self.dlls[dll]:
323 |                 import_set.add((dll, func))
324 | 
325 |         return import_set
326 | 
327 |     def print_statistics(self):
328 |         number_of_functions = self.number_of_functions()
329 |         dynamic_imports = 0
330 |         static_imports = 0
331 |         hybrid_imports = 0
332 |         for dll in self.dlls:
333 |             for func in self.dlls[dll]:
334 |                 stat = self.dlls[dll][func].is_imported_via_static
335 |                 dyn = self.dlls[dll][func].is_imported_via_dynamic
336 |                 if stat and dyn:
337 |                     hybrid_imports += 1
338 |                 elif stat and not dyn:
339 |                     static_imports += 1
340 |                 elif not stat and dyn:
341 |                     dynamic_imports += 1
342 | 
343 |         print 'static imports: ' + `static_imports`
344 |         print 'dynamic imports: ' + `dynamic_imports`
345 |         print 'hybrid imports: ' + `hybrid_imports`
346 | 
347 |     def to_string(self):
348 |         returner = ''
349 |         for dll in self.dlls:
350 |             returner = returner + 'dll: ' + dll + '\n'
351 |             for func in self.dlls[dll]:
352 |                 returner = returner + '\t' + func
353 |                 if self.dlls[dll][func].thunk_addr == None:
354 |                     returner += '\tNo thunk\n'
355 |                 else:
356 |                     returner += '\t' + hex(self.dlls[dll][func].thunk_addr) + '\n'
357 | 
358 |         return returner
359 | 
360 |     def number_of_functions(self):
361 |         functions = 0
362 |         for dll in self.dlls:
363 |             for func_name in self.dlls[dll]:
364 |                 functions += 1
365 | 
366 |         return functions
367 | 
368 | 
369 | class RPE_disassembler:
370 | 
371 |     def __init__(self, binary, exported_file = None, trace_file = None, wave = 0):
372 |         self.instr_decoder = Cs(CS_ARCH_X86, CS_MODE_32)
373 |         self.instr_decoder.detail = True
374 |         self.instr_graph = RPE_instruction_graph()
375 |         self.import_table = RPE_import_table()
376 |         self.instructions_to_relocate = []
377 |         self.mem_dump = RPE_program_dump(binary)
378 |         self.exported_modules = RPE_exported_modules(exported_file)
379 |         self.ida_xrefs = set()
380 |         self.ida_comments = set()
381 |         if trace_file != None:
382 |             self.dynamic_memory = RPE_dynamic_memory(trace_file, wave)
383 |             self.use_trace_file = True
384 |             self.trace_file = trace_file
385 |             self.wave = wave
386 |         else:
387 |             self.use_trace_file = False
388 | 
389 |     def insert_branches_from_trace_file(self, queue):
390 |         """
391 |         Inserts into the queue, the address of each instructions 
392 |         that was observed during the dynamic analysis to have a branch. 
393 |         
394 |         These are then later used in combination with the disassembly
395 |         engine, since it will look for dynamically observed branches.
396 |         
397 |         :param dequeue queue: The queue of instruction addresses
398 |         
399 |         :return: None
400 |         """
401 |         with open(self.trace_file) as f:
402 |             for line in f.readlines():
403 |                 splitted_line = line.split()
404 |                 if len(splitted_line) < 4:
405 |                     continue
406 |                 wave = int(splitted_line[1])
407 |                 if wave == self.wave and splitted_line[2] == 'B':
408 |                     source = splitted_line[3]
409 |                     destination = splitted_line[5]
410 |                     source_addr = int(source, 16)
411 |                     destination_addr = int(destination, 16)
412 |                     queue.append(source_addr)
413 | 
414 |     def recursive_disassemble(self, start_addresses):
415 |         """
416 |         Perform a recursive disassemble.
417 |         
418 |         :param list start_addresses:    A list of instruction addresses to 
419 |                                         start disassemly from.
420 |         
421 |         :return: None
422 |         """
423 |         self.instr_queue = deque()
424 |         for address in start_addresses:
425 |             self.instr_queue.append(address)
426 | 
427 |         if self.use_trace_file == True:
428 |             self.insert_branches_from_trace_file(self.instr_queue)
429 |         limit = 0
430 |         disassembled = 0
431 |         while len(self.instr_queue) > 0:
432 |             instr_addr = self.instr_queue.popleft()
433 |             if self.instr_graph.is_analysed(instr_addr) == True or self.mem_dump.is_it_in_module(instr_addr) == False:
434 |                 continue
435 |             disassembled += 1
436 |             instr = RPE_instruction()
437 |             buf = self.mem_dump.read_memory(instr_addr, 15)
438 |             try:
439 |                 dec_instr = self.instr_decoder.disasm(buf, instr_addr).next()
440 |             except StopIteration:
441 |                 continue
442 | 
443 |             instr.address = instr_addr
444 |             instr.decoded_instr = dec_instr
445 |             self.instr_graph.add_node(instr)
446 |             branch_dsts = self.get_branch_destinations(instr)
447 |             for dst_addr in branch_dsts:
448 |                 self.instr_graph.add_edge(instr, dst_addr, 3)
449 |                 self.instr_queue.append(dst_addr)
450 | 
451 |             self.handle_branch_destination(instr)
452 |             self.handle_memory_reads(instr)
453 | 
454 |         print 'Disassembled in total: ' + `disassembled`
455 |         print 'number of nodes in graph: ' + `(len(self.instr_graph.graph))`
456 |         print 'Instructions to relocate: ' + `(len(self.instructions_to_relocate))`
457 |         print 'Number of functions in import table: ' + `(self.import_table.number_of_functions())`
458 |         relocate_set = set(self.instructions_to_relocate)
459 |         print 'Size of set to relocate: ' + `(len(relocate_set))`
460 |         #for instr_address in relocate_set:
461 |         #    print '%x\t' % instr_address
462 | 
463 |     def build_import_table(self):
464 |         """
465 |         Builds the new import table in the section added by the 
466 |         tracer.
467 |         """
468 |         self.section_alignment = 4096
469 |         pe = pefile.PE(data=self.mem_dump.dump)
470 |         IAT_addr = pe.OPTIONAL_HEADER.DATA_DIRECTORY[1].VirtualAddress
471 |         print 'IAT_addr: ' + hex(IAT_addr)
472 |         raw_size = self.import_table.raw_memory_size()
473 |         jump_table_size = self.import_table.get_jump_table_size()
474 | 
475 |         print "raw_size: ", `raw_size`
476 |         print "jump table size: ", `jump_table_size`
477 | 
478 |         size = ((raw_size+jump_table_size) / self.section_alignment + 1) * self.section_alignment
479 |         print size
480 |         byte_array = bytearray(size)
481 |         IID_pos = 0
482 |         content_pos = (len(self.import_table.dlls) + 1) * 20
483 | 
484 |         jump_table_pos = IID_pos + raw_size
485 | 
486 |         print "jump table position: ", hex(jump_table_pos)
487 | 
488 |         for dll in self.import_table.dlls:
489 |             print dll
490 |             thunk_position = content_pos + len(dll) + 1
491 |             byte_array[IID_pos + 12:IID_pos + 16] = pack('<L', content_pos + IAT_addr)
492 |             byte_array[IID_pos + 16:IID_pos + 20] = pack('<L', thunk_position + IAT_addr)
493 | 
494 |             print 'Dll position: ', content_pos
495 |             byte_array[content_pos:content_pos + len(dll)] = dll
496 |             names_pos = thunk_position + (len(self.import_table.dlls[dll]) + 1) * 4
497 | 
498 |             for function_name in self.import_table.dlls[dll]:
499 |                 self.import_table.set_thunk_addr(dll, function_name, thunk_position + IAT_addr)
500 |                 byte_array[thunk_position:thunk_position + 4] = pack('<L', names_pos + IAT_addr)
501 |                 func_name = '\x00\x00' + function_name
502 |                 func_name_len = len(function_name) + 2
503 |                 byte_array[names_pos:names_pos + func_name_len] = func_name
504 | 
505 | 
506 |                 # Write the jump table entry 
507 |                 byte_array[jump_table_pos] = 0xFF
508 |                 byte_array[jump_table_pos+1] = 0x25
509 |                 byte_array[jump_table_pos+2:jump_table_pos+6] = pack("<L", thunk_position + IAT_addr + self.mem_dump.base_address)
510 | 
511 |                 self.import_table.set_jump_addr(dll, function_name, jump_table_pos + IAT_addr)
512 | 
513 |                 # Accumulate the new counters
514 |                 thunk_position += 4
515 |                 names_pos += func_name_len
516 |                 jump_table_pos += 6
517 | 
518 |             IID_pos += 20
519 |             content_pos = names_pos + 1
520 | 
521 |         self.mem_dump.append_memory_before_end(byte_array, IAT_addr)
522 | 
523 | 
524 |     def relocate_single_instruction2(self, instr, dll_name, function_name):
525 | 		test = 1
526 | 		decoded_instr = instr.decoded_instr
527 | 		bytes = instr.decoded_instr.bytes
528 | 		opcode = bytes[0]
529 | 
530 | 		for group in decoded_instr.groups:
531 | 			if group == X86_GRP_JUMP:
532 | 				# We chec if it is a direct or indirect jmp.
533 | 				if opcode == 0xFF:
534 | 					# It uses addressing, so we need to 
535 | 					# relocate to point to a THUNK address
536 | 					thunk_addr = self.import_table.get_thunk_addr(dll_name, function_name)
537 | 					thunk_addr += self.mem_dump.base_address
538 | 					MOD = (bytes[1] & 0xC0)
539 | 
540 | 					if MOD == 0x00:
541 | 						self.mem_dump.write_address(instr.address + 2, thunk_addr)
542 | 
543 | 			# Check call instruction
544 | 			if group == X86_GRP_CALL:
545 | 
546 | 				if opcode == 0xFF:
547 | 					# We have a call instruction that does memory referencing.
548 | 					bytes = instr.decoded_instr.bytes
549 | 					thunk_addr = self.import_table.get_thunk_addr(dll_name, function_name)
550 | 					thunk_addr += self.mem_dump.base_address
551 | 					MOD = (bytes[1] & 0xC0)
552 | 					if MOD == 0x00:
553 | 						if decoded_instr.address == 0x40101a:
554 | 							print "Relocating call instruction to %x", hex(thunk_addr)
555 | 						self.mem_dump.write_address(instr.address + 2, thunk_addr)
556 | 
557 | 				elif opcode == 0xE8:
558 | 					# Direct call
559 | 
560 | 					jmp_addr = self.import_table.get_jump_addr(dll_name, function_name)
561 | 					jmp_addr += self.mem_dump.base_address
562 | 
563 | 					# Then we need to get the address of the next instruction, because
564 | 					# we need to calculate an offset.
565 | 					next_instr_addr = decoded_instr.address + decoded_instr.size
566 | 
567 | 					# Then we relocate the instruction to point into our jump table
568 | 					offset = jmp_addr - next_instr_addr
569 | 
570 |                     			print "This is what we write: ", hex(offset)
571 | 					self.mem_dump.write_address(instr.address+1, offset)
572 | 
573 | 
574 | 
575 | 		if opcode == 0x8B:
576 |             # Get MOD 
577 | 			MOD = (bytes[1] & 0xC0)
578 | 
579 | 			if MOD == 0x00:
580 |                 # We can relocate
581 | 				thunk_addr = self.import_table.get_thunk_addr(dll_name, function_name)
582 | 				thunk_addr += self.mem_dump.base_address
583 | 				self.mem_dump.write_address(instr.address + 2, thunk_addr)
584 | 				print "Relocating mov instruction"
585 | 
586 |     def relocate_single_instruction(self, instr, new_address):
587 |         """
588 |         
589 |         :return None:
590 |         """
591 |         #print "first"
592 |         decoded_instr = instr.decoded_instr
593 |         for group in decoded_instr.groups:
594 |             if group == X86_GRP_JUMP:
595 |                 # Can we relocate this instruction?
596 |                 bytes = instr.decoded_instr.bytes
597 | 
598 |                 opcode = bytes[0]
599 |                 if opcode == 0xFF:
600 |                     MOD = (bytes[1] & 0xC0)
601 | 
602 |                     if MOD == 0x00:
603 |                         self.mem_dump.write_address(instr.address + 2, new_address)
604 | 
605 |                 return
606 |             if group == X86_GRP_CALL:
607 |                 # Try to replace it, if it is a register or something else
608 |                 # then we won't re-arrange the diassembly.
609 |                 #print("Instruction address: %x"%(instr.address))
610 |                 bytes = instr.decoded_instr.bytes
611 |                 #print "bytes:"
612 |                 #for x in bytes:
613 |                 #    print("%.2x"%(x))
614 | 
615 | 
616 |                 if decoded_instr.address == 0x40101a:
617 |                 	print "We got the instruction, now let's check the destination addr"
618 |                 	print "New address: ", hex(new_address)
619 | 
620 |                 # Get the OP code
621 |                 opcode = bytes[0]
622 |                 if (opcode == 0xFF):
623 |                     # We got a potential candidate
624 | 
625 |                     MOD = (bytes[1] & 0xC0)
626 |                     if MOD == 0x00:
627 |                         # We can relocate
628 |                         #print "yeah"
629 | 
630 |                         # Write
631 |                         self.mem_dump.write_address(instr.address + 2, new_address)
632 | 
633 |                 elif (opcode == 0xE8):
634 |                 	print "We have a direct call"
635 | 
636 | 
637 |                 return
638 | 
639 |         # Those that we do not have any instruction groups on, let 
640 |         bytes = instr.decoded_instr.bytes
641 | 
642 |         # OP code
643 |         # MOV instruction
644 |         if bytes[0] == 0x8B:
645 |             # Get MOD 
646 |             MOD = (bytes[1] & 0xC0)
647 | 
648 |             if MOD == 0x00:
649 |                 # We can relocate
650 |                 self.mem_dump.write_address(instr.address + 2, new_address)
651 |                 print "Relocating mov instruction"
652 | 
653 | 
654 | 
655 |                 
656 | 
657 |     def dump_file(self):
658 |         self.mem_dump.dump_file()
659 | 
660 |     def output_ida_script(self):
661 |         """
662 |                 Outputs a script to be run in IDA, that will insert comments
663 |                 and add cross-references.
664 |         """
665 |         with open('ida_script.py', 'w') as f:
666 |             f.write('import idaapi\n')
667 |             f.write('import idautils\n')
668 |             for source_addr, dst_addr in self.ida_xrefs:
669 |                 #print 'idaapi.add_cref(0x%x, 0x%x, fl_CF)\n' % (source_addr, dst_addr)
670 |                 f.write('idaapi.add_cref(0x%x, 0x%x, fl_CF)\n' % (source_addr, dst_addr))
671 | 
672 |             for source_addr, comment, function_name in self.ida_comments:
673 |                 #print 'idc.MakeComm(0x%x, %s%s)\n' % (source_addr, comment, function_name)
674 |                 f.write('idc.MakeComm(0x%x, "%s%s")\n' % (source_addr, comment, function_name))
675 | 
676 |     def ida_branch_exporter(self, source_addr, dst_addr, function_name):
677 |         """
678 |                 Adds a cref to the IDAPython output script
679 |         """
680 |         self.ida_xrefs.add((source_addr, dst_addr))
681 |         self.ida_comments.add((source_addr, '[RePEconstruct] Branches to ', function_name))
682 | 
683 |     def ida_indir_read_exporter(self, source_addr, dst_addr, function_name):
684 | 
685 |         self.ida_xrefs.add((source_addr, dst_addr))
686 |         self.ida_comments.add((source_addr, '[RePEconstruct] indirectly reads ', function_name))
687 | 
688 |     def relocate_instructions(self):
689 |         """
690 |         Relocates all the instructions possible.
691 |         """
692 |         for instr_address in self.instructions_to_relocate:
693 |             instr = self.instr_graph.get_instruction(instr_address)
694 |             #print '%x %s' % (instr.address, instr.decoded_instr.mnemonic)
695 |             address_of_export_function = 0
696 |             for dst_addr in instr.get_branch_destinations():
697 |                 #print '\tB %x' % dst_addr
698 |                 if self.exported_modules.contains_address(dst_addr):
699 |                     dll_name, function_name = self.exported_modules.get_dll_and_function(dst_addr)
700 |                     new_thunk_addr = self.import_table.get_thunk_addr(dll_name, function_name)
701 |                     #print 'dll: %s\tfunction: %s\tthunk_addr %x' % (dll_name, function_name, new_thunk_addr)
702 |                     
703 |                     # IDA relocation
704 |                     new_thunk_addr += self.mem_dump.base_address
705 |                     self.ida_branch_exporter(instr_address, new_thunk_addr, function_name)
706 | 
707 |                     # Actual relocation
708 |                     #self.relocate_single_instruction(instr, new_thunk_addr)
709 |                     self.relocate_single_instruction2(instr, dll_name, function_name)
710 | 
711 |             for value in instr.get_values_read():
712 |                 #print '\tR %x' % value
713 |                 if self.exported_modules.contains_address(value):
714 |                     dll_name, function_name = self.exported_modules.get_dll_and_function(value)
715 |                     new_thunk_addr = self.import_table.get_thunk_addr(dll_name, function_name)
716 |                     #print 'dll: %s\tfunction: %s\tthunk_addr %x' % (dll_name, function_name, new_thunk_addr)
717 |                     new_thunk_addr += self.mem_dump.base_address
718 |                     #self.relocate_single_instruction(instr, new_thunk_addr)
719 |                     self.relocate_single_instruction2(instr, dll_name, function_name)
720 |                     self.ida_indir_read_exporter(instr_address, new_thunk_addr, function_name)
721 | 
722 |     def handle_branch_destination(self, instr):
723 |         """
724 |         Analyse the branch destinations to verify if any are inside
725 |         an exported library. For each there is, insert the 
726 |         library being called into the import table, and also insert
727 |         the instruction into the list of instructions to relocate.
728 |         
729 |         :param RPE_instruction instr: instruction to analyse.
730 |         
731 |         :return: None
732 |         """
733 |         if self.use_trace_file == True:
734 |             dyn_got_branches = self.get_branch_destinations_dynamic_analysis(instr)
735 |             for dst_addr in dyn_got_branches:
736 |                 if self.exported_modules.contains_address(dst_addr) == True:
737 |                     dll_name, function_name = self.exported_modules.get_dll_and_function(dst_addr)
738 |                     self.import_table.add_function(dll_name, function_name, 1, instr)
739 |                     self.instructions_to_relocate.append(instr.address)
740 | 
741 |         stat_got_branches = self.get_branch_destinations_static_analysis(instr)
742 |         for dst_addr in stat_got_branches:
743 |             if self.exported_modules.contains_address(dst_addr) == True:
744 |                 dll_name, function_name = self.exported_modules.get_dll_and_function(dst_addr)
745 |                 self.import_table.add_function(dll_name, function_name, 0, instr)
746 |                 self.instructions_to_relocate.append(instr.address)
747 | 
748 |     def handle_memory_reads(self, instr):
749 |         """
750 |         Analyses the instruction in terms of what values it reads.
751 |         Based on these values it will add the instruction to the list
752 |         of instructions to relocate, and also add the function
753 |         it referes into the import table.
754 |         
755 |         We only add imports if it reads the address of only one
756 |         import function. This is because otherwise instructions
757 |         that are used to iterate over all DLLs and their functions
758 |         will cause a blow up. 
759 |         
760 |         Note that the technique here should be substituted for 
761 |         data-flow analysis instead. 
762 |         
763 |         :param RPE_instruction instr:   The instruction to analyse.
764 |         
765 |         :return: None
766 |         """
767 |         reading_export_address = 0
768 |         number_of_exports_read = 0
769 |         dyn_import_pair = set()
770 |         stat_import_pair = set()
771 |         if self.use_trace_file == True:
772 |             dynamic_values_read = self.get_dynamic_memory_reads(instr)
773 |             for value in dynamic_values_read:
774 |                 if self.exported_modules.contains_address(value) == True:
775 |                     dll_name, function_name = self.exported_modules.get_dll_and_function(value)
776 |                     dyn_import_pair.add((dll_name, function_name, value))
777 | 
778 |         static_values_read = list(self.get_static_memory_read(instr))
779 |         for value in static_values_read:
780 |             if self.exported_modules.contains_address(value) == True:
781 |                 dll_name, function_name = self.exported_modules.get_dll_and_function(value)
782 |                 stat_import_pair.add((dll_name, function_name, value))
783 | 
784 |         combined_pairs = dyn_import_pair.union(stat_import_pair)
785 |         if len(combined_pairs) == 1:
786 |             if len(dyn_import_pair) == 1:
787 |                 for dll_name, function_name, value in dyn_import_pair:
788 |                     self.import_table.add_function(dll_name, function_name, 1, instr)
789 |                     instr.add_values_read(value)
790 |                     reading_export_address = 1
791 | 
792 |             if len(stat_import_pair) == 1:
793 |                 for dll_name, function_name, value in stat_import_pair:
794 |                     self.import_table.add_function(dll_name, function_name, 0, instr)
795 |                     instr.add_values_read(value)
796 |                     reading_export_address = 1
797 | 
798 |         if reading_export_address == 1:
799 |             self.instructions_to_relocate.append(instr.address)
800 | 
801 |     def analyse_instruction_reads(self, instr):
802 |         values_read = []
803 |         dec_instr = instr.decoded_instr
804 |         if self.use_trace_file == True:
805 |             ref_value_list = self.dynamic_memory.get_instr_memory_reads(instr.address)
806 |             if ref_value_list != None:
807 |                 for lvalue, rvalue in ref_value_list:
808 |                     values_read.append(rvalue)
809 | 
810 |         values_read += list(self.get_static_memory_read(instr))
811 |         return values_read
812 | 
813 |     def get_dynamic_memory_reads(self, instr):
814 |         values_read = []
815 |         dec_instr = instr.decoded_instr
816 |         if self.use_trace_file == True:
817 |             ref_value_list = self.dynamic_memory.get_instr_memory_reads(instr.address)
818 |             if ref_value_list != None:
819 |                 for lvalue, rvalue in ref_value_list:
820 |                     values_read.append(rvalue)
821 | 
822 |         first_opnd = 0
823 |         for opnd in dec_instr.operands:
824 |             if first_opnd == 0:
825 |                 first_opnd += 1
826 |                 continue
827 |             if opnd.type != X86_OP_MEM:
828 |                 continue
829 |             lvalue = opnd.mem.disp
830 |             if self.use_trace_file == True:
831 |                 dyn_rvalues = self.dynamic_memory.get_lvalue_to_rvalues(lvalue)
832 |                 if dyn_rvalues != None:
833 |                     for val in dyn_rvalues:
834 |                         values_read.append(val)
835 | 
836 |         return values_read
837 | 
838 |     def get_static_memory_read(self, instr):
839 |         dec_instr = instr.decoded_instr
840 |         values_read = set()
841 |         for opnd in dec_instr.operands:
842 |             if opnd.access == CS_AC_READ:
843 |                 if opnd.mem.segment != X86_REG_INVALID:
844 |                     continue
845 |                 if opnd.mem.base != X86_REG_INVALID:
846 |                     continue
847 |                 if opnd.mem.base != X86_REG_INVALID:
848 |                     continue
849 |                 if opnd.mem.disp != 0:
850 |                     lvalue = opnd.mem.disp
851 |                     static_rvalue = self.mem_dump.read_memory(lvalue, 4)
852 |                     if static_rvalue != None and len(static_rvalue) == 4:
853 |                         unpacked_val = unpack('<L', static_rvalue)
854 |                         values_read.add(unpacked_val[0])
855 |             if opnd.type != X86_OP_MEM:
856 |                 continue
857 | 
858 |         return values_read
859 | 
860 |     def get_branch_destinations(self, instr):
861 |         branch_destinations = []
862 |         branch_destinations += self.get_branch_destinations_static_analysis(instr)
863 |         if self.use_trace_file == True:
864 |             branch_destinations += self.get_branch_destinations_dynamic_analysis(instr)
865 |         return branch_destinations
866 | 
867 |     def get_branch_destinations_dynamic_analysis(self, instr):
868 |         dec_instr = instr.decoded_instr
869 |         destinations = self.dynamic_memory.get_branch_destinations(dec_instr.address)
870 |         return destinations
871 | 
872 |     def get_branch_destinations_static_analysis(self, instr):
873 |         branch_destinations = []
874 |         dec_instr = instr.decoded_instr
875 |         is_ret_instr = False
876 | 
877 |         for group in dec_instr.groups:
878 | 
879 |             if group == X86_GRP_JUMP:
880 |                 target = self.get_branch_destination_address(instr)
881 | 
882 |                 if target != None:
883 |                     branch_destinations.append(target)
884 | 
885 |             elif group == X86_GRP_CALL:
886 | 
887 |             	if dec_instr.address == 0x40101a:
888 |             		print("%x calls"%(dec_instr.address))
889 | 
890 |                 target = self.get_branch_destination_address(instr)
891 | 
892 |                 if dec_instr.address == 0x40101a:
893 |                 	print "targets: ", hex(target)
894 | 
895 |                 if target != None:
896 |                     branch_destinations.append(target)
897 | 
898 |             elif group == X86_GRP_RET:
899 |                 is_ret_instr = True
900 | 
901 |             elif group == X86_GRP_INT:
902 |                 None
903 | 
904 |             elif group == X86_GRP_INVALID:
905 |                 None
906 | 
907 |         if is_ret_instr == False:
908 |             next_instr_addr = dec_instr.address + dec_instr.size
909 |             next_dword = self.mem_dump.read_memory(next_instr_addr, 2)
910 |             if next_dword != '\x00\x00':
911 |                 branch_destinations.append(next_instr_addr)
912 |         return branch_destinations
913 | 
914 |     def get_branch_destination_address(self, instr):
915 |         dec_instr = instr.decoded_instr
916 |         for group in dec_instr.groups:
917 |             if group == X86_GRP_JUMP:
918 |                 for opnd in dec_instr.operands:
919 |                     if opnd.type == X86_OP_MEM:
920 |                         memory_address = opnd.mem
921 |                         if memory_address.disp == 0:
922 |                             continue
923 |                         value = self.mem_dump.read_address(memory_address.disp)
924 |                         return value[0]
925 |                     if opnd.type == X86_OP_IMM:
926 |                         immediate_address = opnd.imm
927 |                         return immediate_address
928 |                     if opnd.type == X86_OP_REG:
929 |                         None
930 | 
931 |             elif group == X86_GRP_CALL:
932 |                 for opnd in dec_instr.operands:
933 |                     if opnd.type == X86_OP_MEM:
934 |                         memory_address = opnd.mem
935 |                         if memory_address.disp == 0:
936 |                             continue
937 |                         if memory_address.segment != X86_REG_INVALID:
938 |                             continue
939 |                         if memory_address.base != X86_REG_INVALID:
940 |                             continue
941 |                         if memory_address.base != X86_REG_INVALID:
942 |                             continue
943 |                         value = self.mem_dump.read_address(memory_address.disp)
944 |                         return value[0]
945 |                     if opnd.type == X86_OP_IMM:
946 |                         immediate_address = opnd.imm
947 | 
948 |                         return immediate_address
949 |                     if opnd.type == X86_OP_REG:
950 |                         None
951 | 
952 |     def print_instruction(self, instr_address):
953 |         if not self.instr_graph.is_analysed(instr_address):
954 |             print 'instruction not in graph'
955 |             return
956 |         instr = self.instr_graph.get_instruction(instr_address)
957 |         if instr != None:
958 |             dec_instr = instr.decoded_instr
959 |             print '0x%x:\t%s\t%s' % (dec_instr.address, dec_instr.mnemonic, dec_instr.op_str)
960 |             destinations = instr.get_branch_destinations()
961 |             for dst in destinations:
962 |                 print hex(dst)
963 | 


--------------------------------------------------------------------------------
/Disassembler/main.py:
--------------------------------------------------------------------------------
 1 | import disassembler
 2 | import pefile
 3 | 
 4 | 
 5 | Main_folder = "./Example_Trace_Output/"
 6 | 
 7 | file_name = Main_folder + "entire_unpacked-1"
 8 | exports = Main_folder + "exports_wave-1"
 9 | trace = Main_folder + "trace_output"
10 | wave_entry_file = Main_folder + "wave_entrypoints"
11 | 
12 | 
13 | def get_wave_EP(wave_file, wave):
14 | 	with open(wave_file) as f:
15 | 		for line in f.readlines():
16 | 			#print line
17 | 			split_line = line.split()
18 | 
19 | 			if int(split_line[1]) == wave:
20 | 				entry_point = int(split_line[6], 16)
21 | 				return entry_point
22 | 
23 | def get_PE_entry_point(binary_file):
24 | 	b = pefile.PE(binary_file)
25 | 
26 | 	entry_point = b.OPTIONAL_HEADER.AddressOfEntryPoint
27 | 	base_address = b.OPTIONAL_HEADER.ImageBase
28 | 
29 | 	return entry_point + base_address
30 | 
31 | def main():
32 | 
33 | 	wave_entry = get_wave_EP(wave_entry_file, 1)
34 | 	print hex(wave_entry)
35 | 
36 | 	entry_point = get_PE_entry_point(file_name)
37 | 	print hex(entry_point)
38 | 	
39 | 	# Initiate disassembler
40 | 	disasm = disassembler.RPE_disassembler(file_name, exports, trace, 1)
41 | 
42 | 	# Perform disassembly
43 | 	disasm.recursive_disassemble([wave_entry, entry_point])
44 | 
45 | 	# Build the import table
46 | 	disasm.build_import_table()
47 | 
48 | 	# Relocate instructions 
49 | 	disasm.relocate_instructions()
50 | 
51 | 	# Dump file and dump IDA script
52 | 	disasm.dump_file()
53 | 	disasm.output_ida_script()
54 | 
55 | 
56 | 
57 | if __name__ == "__main__":
58 | 	main()


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # RePEconstruct
 2 | 
 3 | RePEconstruct is a tool for automatically unpacking binaries and rebuild the binaries in a manner well-suited for further analysis, specially focused on further manual analysis in IDA pro.
 4 | 
 5 | **The main idea behind RePEconstruct is to use dynamic analysis for unpacking self-modifying code and also use information from the execution to feed into a disassembler. The disassembler will then automatically rebuild the import table and also locate instructions, that branch to dynamically loaded code, including obfuscated calls as shown in Example 1.** Our disassembler can also produce IDA python scripts for each memory dump it disassembles, which will than add cross-references into the IDA db. The other approach is to have our disassembler try and re-locate instructions and effectively the rebuild binary can be applied to other interactive disassemblers and still leverage results from RePEconstruct. 
 6 | 
 7 | ## First example: rebuild IAT and locate branches to dynamically loaded code
 8 | **To run this example you will need to have Capstone *next* branch installed.** Please get this [here](https://github.com/aquynh/capstone/wiki/Next-branch) and don't forget to update your bindings if you have used the main branch of Capstone!
 9 | 
10 | **To run this example you will also need PEfile.** Please get this [here](https://github.com/erocarrera/pefile).
11 | 
12 | 
13 | In this example we use a dump from the dynamic tracer to show the use of our the static component which will rebuild the import table and also locate any obfuscated calls in the dump. 
14 | 
15 | The dump we will be using is a memory dump produced by our dynamic analysis component and the initial file is a binary that was packed with the Petite packer. We will now use this dump as input to our static analyser and view the output in IDA pro. 
16 | 
17 | The file *PEtite_example/entire_unpacked-3* is the dump of the third wave of self-modifying code produced by a packed Petite example. Note that this is merely a toy example produced by a synthetic application! 
18 | 
19 | In the binary, you will see at address **0x40f031** an obfuscated call that was used by the packed binary which at runtime constituted a call to dynamically loaded code. However, this is not resolved by IDA pro when we load a given memory dump into the disassembler. The exact purpose of RePEconstruct is to automatically thwart self-modifying code and find calls like this.
20 | 
21 | Simply execute main.py and you will see the result! The result is composed of two files: *reconstructedDirect.exe* and *ida_script.py*. *reconstructedDirect* is the binary file with instructions relocated where possible, and the *ida_script.py* is an IDA python script which setup cross-references and also comments.
22 | 
23 | Before picture: 
24 | ![alt tag](http://imageshack.com/a/img921/6003/nAOlGQ.png)
25 | 
26 | After picture (loaded reconstructedDirect into IDA and also run the ida_script.py in IDA):
27 | ![alt tag](http://imageshack.com/a/img921/7296/TjrV2k.png)
28 | 
29 | The main.py should be easy to follow and see what is needed to run any type of binary through the disassembler! 
30 | 
31 | ## Second example: automatically unpacking a packed application
32 | **To run this example you will need DynamoRIO 6.1.1-3.** You can get this [here](https://github.com/DynamoRIO/dynamorio/wiki/Downloads)
33 | 
34 | In this example we will use the dynamic analysis component to unpack a simple application that was packed with the Petite packer. 
35 | 
36 | Simply run the command from the main DynamoRIO folder:
37 | ```
38 | bin32\drrun.exe -max_bb_instrs 128 -c unpacker.dll –Petite_packed.exe
39 | ```
40 | 
41 | Note that you must have a folder namer *Refactor_output* in the folder of which you are executing this command. Also note that *unpacker.dll* is the DLL from *Tracer/Pre_compiled_dll/unpacker.dll* and the *Petite_packed.exe* is the binary given in *Tracer/Example_of_packed_file/Petite_packed.exe*
42 | 
43 | **This experiment was done on a Windows 32-bit SP3 VM, with DynamoRIO 6.1.1-3**
44 | 
45 | The result from the unpacker is generated in the *Refactor_output folder.* Here you will find several files: 
46 | *entire_unpacked-x* means a memory dump of the *x*'th layer of self-modifying code that has been prepared for IAT rebuilding. Specifically, this means we have constructed a new section where we will build the new IAT, as done in the example just above.
47 | 
48 | *entire_unpacked_clean-x* are files that are clean memory dumps of each layer of self-modifying code. These are not used by the static disassembler, but are provided in case needed.
49 | 
50 | *exports_wave-x* are files that contain addresses of dynamically loaded modules and the functions they export. This is used by the static rebuilder to map which instructions branch to dynamically loaded functions.
51 | 
52 | The files *trace_output* amd *wave_entrypoints* are also used by the static rebuilder. The main.py file from the example above shows in a simple manner how they are to be used!
53 | 
54 | ## Publications
55 | The tool is described in the 2016 MALWARE paper *RePEconstruct: reconstructing packed binaries with self-modifying code and import table destruction* by David Korczynski. 
56 | 


--------------------------------------------------------------------------------
/Tracer/Example_of_packed_file/Petite_packed.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DavidKorczynski/RePEconstruct/df97c55f1fa1039cd80a73f3fe59f36b136f36f6/Tracer/Example_of_packed_file/Petite_packed.exe


--------------------------------------------------------------------------------
/Tracer/Example_of_packed_file/UPX_packed.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DavidKorczynski/RePEconstruct/df97c55f1fa1039cd80a73f3fe59f36b136f36f6/Tracer/Example_of_packed_file/UPX_packed.exe


--------------------------------------------------------------------------------
/Tracer/Makefile:
--------------------------------------------------------------------------------
 1 | I1 = /I.\..\include
 2 | I2 = /I.\..\ext\include
 3 | I3 = /I.
 4 | I4 = /I.\Capstone
 5 | I5 = /I.\Capstone\include
 6 | 
 7 | INCLUDES = $(I1) $(I2) $(I3) $(I4) $(I5)
 8 | 
 9 | FLAGS = /GS- /DWINDOWS /DX86_32 
10 | 
11 | L1 = .\..\lib32\release\dynamorio.lib
12 | L2 = .\..\ext\lib32\release\drmgr.lib
13 | L3 = .\..\ext\lib32\release\drwrap.lib
14 | L4 = .\..\ext\lib32\release\drutil.lib
15 | L5 = .\Capstone\capstone.lib
16 | 
17 | LINKING = /link $(L1) $(L2) $(L3) $(L4) $(L5)
18 | AFTER_FLAGS = /dll
19 | 
20 | OUT = /out:unpacker.dll
21 | CC = cl
22 | 
23 | CFILES = main.c hashtable.c
24 | 
25 | 
26 | all: main
27 | 
28 | main:
29 | 	$(CC) $(CFILES) $(INCLUDES) $(FLAGS) $(LINKING) $(AFTER_FLAGS) $(OUT)
30 | 


--------------------------------------------------------------------------------
/Tracer/Pre_compiled_dll/unpacker.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DavidKorczynski/RePEconstruct/df97c55f1fa1039cd80a73f3fe59f36b136f36f6/Tracer/Pre_compiled_dll/unpacker.dll


--------------------------------------------------------------------------------
/Tracer/README.md:
--------------------------------------------------------------------------------
 1 | To install the tracer you need to have DynamoRIO 6.1.1-3 installed. 
 2 | 
 3 | You can get DynamoRio here:
 4 | https://github.com/DynamoRIO/dynamoRIO/wiki/Downloads
 5 | 
 6 | 
 7 | You also need Capstone installed. 
 8 | 
 9 | Then put the tracer in a folder inside the main DynamoRIO directory and 
10 | also put the Capstone folder inside the directory of the Tracer.
11 | 
12 | Then run nmake.
13 | 


--------------------------------------------------------------------------------
/Tracer/main.c:
--------------------------------------------------------------------------------
   1 | /*
   2 |  * Author: David Korczynski
   3 |  * Email:  david.korczynski@linacre.ox.ac.uk
   4 |  * 
   5 |  * Copyright 2016.
   6 |  * All rights reserved.
   7 |  *
   8 |  *
   9 |  */
  10 | 
  11 | #include <Windows.h>
  12 | #include <tlhelp32.h>
  13 | #include <stdlib.h>
  14 | #include <stdio.h>
  15 | #include <string.h>
  16 | #include <wchar.h>
  17 | 
  18 | /* for offsetof */
  19 | #include <stddef.h>
  20 | 
  21 | // DynamoRIO imports
  22 | #include "dr_api.h"
  23 | #include "drmgr.h"
  24 | #include "drutil.h"
  25 | 
  26 | // Function declarations
  27 | #include "unpacker.h"
  28 | 
  29 | // Capstone
  30 | #include "Capstone/include/capstone.h"
  31 | 
  32 | 
  33 | #define SAVE_REG(_reg, _slot)\
  34 | 	dr_save_reg(drcontext, bb, instr, _reg, _slot);
  35 | 
  36 | #define RESTORE_REG(_reg, _slot)\
  37 | 	dr_restore_reg(drcontext, bb, instr, _reg, _slot);
  38 | 
  39 | 
  40 | // Used by the library referencer
  41 | unsigned int module_base_address = 0;
  42 | unsigned int module_base_size = 0;
  43 | 
  44 | /* Helper for dumping process */
  45 | //#define IMAGE_DOS_SIGNATURE 0x5a4d
  46 | 
  47 | typedef struct mapped_pe_t {
  48 | 	PIMAGE_DOS_HEADER pDosHeader;
  49 | 	PIMAGE_NT_HEADERS pNtHeader;
  50 | 	PIMAGE_OPTIONAL_HEADER pOptHeader;
  51 | 	PIMAGE_FILE_HEADER pFileHeader;
  52 | 	PIMAGE_SECTION_HEADER pSectHeader;
  53 | } mapped_pe;
  54 | 
  55 | mapped_pe dump_pe_header;
  56 | 
  57 | /* number of waves in the packer */
  58 | int dump_wave = 0;
  59 | 
  60 | #define new_import_section_size_definition 0x1000
  61 | 
  62 | 
  63 | // Capstone
  64 | // handle to disassembler
  65 | csh handle;
  66 | 
  67 | 
  68 | /* we have several number of operands */
  69 | typedef struct {
  70 |        unsigned int mem_ref1;
  71 |        unsigned int mem_ref2;
  72 |        unsigned int mem_ref3;
  73 |        unsigned int mem_ref4;
  74 |        unsigned int size_of_mem_write;
  75 |        app_pc pc;
  76 |        unsigned int reads_memory;
  77 |        unsigned int address_being_read;
  78 |        unsigned int number_of_refs; /* this indicates how many of the operands are used */
  79 |        unsigned int instr_size;
  80 |        unsigned int old_instr_size;
  81 |        unsigned int old_pc;
  82 | } tls_storage;
  83 | 
  84 | 
  85 | // Output file, with trace information
  86 | FILE *output_file;
  87 | FILE *wave_file;
  88 | 
  89 | static uint64 global_count;
  90 | 
  91 | /* hashtable */
  92 | #define SIZE 25000
  93 | #define HASHFUNCTION(n) (n) % (unsigned int) SIZE
  94 | 
  95 | struct node {
  96 | 	unsigned int address;
  97 | 	struct node *next;
  98 | 	struct node *prev;
  99 | };
 100 | 
 101 | /* initiate the data structures used for collecting all the 
 102 |  * functions exported by various modules.
 103 |  */
 104 | 
 105 | struct node *hashtable [SIZE];
 106 | int table_size = 0;
 107 | 
 108 | int tls_index;
 109 | 
 110 | tls_storage *mem_buffer;
 111 | 
 112 | /* hashtable implementation */
 113 | int
 114 | is_in(unsigned int address)
 115 | {
 116 |         struct node *tmp;
 117 |         unsigned int place;
 118 | 
 119 |         place = HASHFUNCTION(address);
 120 |         tmp = hashtable[place];
 121 | 
 122 |         while (tmp != NULL)
 123 |         {
 124 |                 if (tmp->address == address)
 125 |                         return 1;
 126 |                 tmp = tmp->next;
 127 |         }
 128 | 
 129 |         return 0;
 130 | }
 131 | 
 132 | int
 133 | insert(unsigned int address)
 134 | {
 135 |         struct node *holder;
 136 |         unsigned int place;
 137 | 
 138 |         place = HASHFUNCTION(address);
 139 | 
 140 |         holder = (struct node *) dr_global_alloc(sizeof(struct node));
 141 |         holder->address = address;
 142 | 
 143 | 
 144 |         holder->next = hashtable[place];
 145 |         holder->prev = NULL;
 146 | 
 147 |         if (hashtable[place] != NULL)
 148 |                 hashtable[place]->prev = holder;
 149 | 
 150 |         hashtable[place] = holder;
 151 | 
 152 |         table_size++;
 153 | 
 154 |         return 1;
 155 | }
 156 | 
 157 | /* 
 158 |  * Clear the hashtable containing dynamically written memory 
 159 |  */ 
 160 | void
 161 | delete_all()
 162 | {
 163 | 	int i;
 164 |         struct node *tmp;
 165 | 
 166 |         for (i=0; i < SIZE; i++)
 167 |         {
 168 |                 tmp = hashtable[i];
 169 |                 while (tmp != NULL)
 170 |                 {
 171 |                         struct node *tmp2;
 172 | 
 173 |                         tmp2 = tmp->next;
 174 |                         dr_global_free(tmp, sizeof(struct node));
 175 |                         tmp = tmp2;
 176 |                         table_size--;
 177 |                 }
 178 | 		hashtable[i] = NULL;
 179 |         }
 180 | 	if (table_size < 0)
 181 | 		DR_ASSERT(false);
 182 | }
 183 | 
 184 | /* 
 185 |  * Input: The address of a module
 186 |  *
 187 |  * Functionality:
 188 |  * 	Iterate the exported functions of the module
 189 |  * 	For each function, save the virtual address and the function name in the Dll_list 
 190 |  *
 191 |  */
 192 | void
 193 | TraverseExportedFunctions(HANDLE base_address, char *dll_name, FILE *output_file)
 194 | {
 195 | 	/* The PE header */
 196 | 	mapped_pe pe;
 197 | 	PIMAGE_EXPORT_DIRECTORY export_directory;
 198 | 	IMAGE_DATA_DIRECTORY export_data_dir;
 199 | 	unsigned int AddressOfNames_array;
 200 | 	char *func_name;
 201 | 	int i;
 202 | 	unsigned int *function_name_offset;
 203 | 	unsigned int ordinal_addr_arr;
 204 | 	short int ordinal;
 205 | 
 206 | 	unsigned int function_addr_arr;
 207 | 	unsigned int function;
 208 | 
 209 | 	char output_line[512];
 210 | 
 211 | 	// Get DOS header of module
 212 | 	pe.pDosHeader = (PIMAGE_DOS_HEADER) base_address;
 213 | 
 214 | 	if (pe.pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
 215 | 		dr_fprintf(STDERR, "DOS signature not correct\n");
 216 | 
 217 | 	// Get PE header of module
 218 | 	pe.pNtHeader = (PIMAGE_NT_HEADERS) ((unsigned int)base_address + pe.pDosHeader->e_lfanew);
 219 | 
 220 | 	/* Is PE header valid? */
 221 | 	if (pe.pNtHeader->Signature !=  IMAGE_NT_SIGNATURE)
 222 | 		dr_fprintf(STDERR, "NT signature not correct\n");
 223 | 
 224 | 	// Get optional header
 225 | 	pe.pOptHeader = &(pe.pNtHeader->OptionalHeader);
 226 | 
 227 | 	/* Get the export directory */
 228 | 	export_data_dir = pe.pOptHeader->DataDirectory[0];
 229 | 	export_directory = (PIMAGE_EXPORT_DIRECTORY) ((unsigned int)base_address + export_data_dir.VirtualAddress);
 230 | 
 231 | 	/* Return if we don't export any functions */
 232 | 	if (export_directory->NumberOfFunctions == 0)
 233 | 		return;
 234 | 
 235 | 	// Get the address to the string of names
 236 | 	// AddressOfNames is an RVA that points to an array of RVAs of the functions/symbols in the module
 237 | 	AddressOfNames_array = ((unsigned int)base_address + export_directory->AddressOfNames);
 238 | 
 239 | 
 240 | 	i = 0;
 241 | 
 242 | 	// For each address in the array pointed to by AddressOfNames
 243 | 	// This one only iterates NAMES - modify so it also iterates Ordinals.
 244 | 	while (function_name_offset = (unsigned int *)AddressOfNames_array + i)
 245 | 	{
 246 | 		func_name = (char *)((unsigned int)base_address + *function_name_offset);
 247 | 		// End of function list
 248 | 		if (*func_name == '\0')
 249 | 			return;
 250 | 
 251 | 		/* Get the ordinal of what we are doing */
 252 | 		ordinal_addr_arr = (unsigned int)base_address + export_directory->AddressOfNameOrdinals;
 253 | 		ordinal = *((short *)ordinal_addr_arr + i);
 254 | 
 255 | 		/* Get the address of the function */
 256 | 		function_addr_arr = (unsigned int)base_address + export_directory->AddressOfFunctions;
 257 | 		function = *((unsigned int*)function_addr_arr+ordinal);
 258 | 
 259 | 		function += (unsigned int)base_address;
 260 | 
 261 | 		/* Write to output */
 262 | 		sprintf(output_line, "%s %s %x\n", dll_name, func_name, function);
 263 | 		fwrite(output_line, strlen(output_line), 1, output_file);
 264 | 
 265 | 		// Insert the function name and its address into our Dll_list list.
 266 | 		//insert_exported_function(dll_name, func_name, function);
 267 | 
 268 | 		i += 1;
 269 | 
 270 | 		if (i >= export_directory->NumberOfNames)
 271 | 			return;
 272 | 	}
 273 | }
 274 | 
 275 | 
 276 | /* 
 277 |  * Gets the name and exported functions from each module
 278 |  * in the process. Save this in the Dll_list data
 279 |  * structure.
 280 |  */
 281 | void
 282 | GetAllDllNames()
 283 | {
 284 | 	HANDLE snapshot;
 285 | 	MODULEENTRY32 module;
 286 | 	FILE *export_output;
 287 | 	char export_filename[255];
 288 | 	
 289 | 
 290 | 	// TH32CS_SNAPSHOT == 0x08
 291 | 	snapshot = CreateToolhelp32Snapshot(0x08, 0);
 292 | 
 293 | 	if (snapshot != INVALID_HANDLE_VALUE)
 294 | 	{
 295 | 		module.dwSize = sizeof(MODULEENTRY32);
 296 | 
 297 | 		if (Module32First(snapshot, &module))
 298 | 		{
 299 | 			/* Open file we write to */
 300 | 			sprintf(export_filename, ".\\Refactor_output\\exports_wave-%d", dump_wave);
 301 | 			export_output = fopen(export_filename, "w");
 302 | 
 303 | 			if (export_output == NULL)
 304 | 			{
 305 | 				dr_fprintf(STDERR, "Error opening export file, exiting\n");
 306 | 				exit(1);
 307 | 			}
 308 | 
 309 | 			module.dwSize = sizeof(MODULEENTRY32);
 310 | 
 311 | 			do // Iterate each module of the process to collect export functions
 312 | 			{
 313 | 				// Insert all the exported functions from the DLL into
 314 | 				// our Dll_list doubly linked list.
 315 | 				TraverseExportedFunctions(module.modBaseAddr, module.szModule, export_output);
 316 | 			}
 317 | 			while (Module32Next(snapshot, &module));
 318 | 
 319 | 			fclose(export_output);
 320 | 		}
 321 | 	}
 322 | }
 323 | 
 324 | #define FILE_ALIGNMENT      0x200
 325 | #define SECT_ALIGNMENT      0x1000
 326 | 
 327 | void
 328 | write_new_section(byte *memory_dump, unsigned int base_address)
 329 | {
 330 | 	unsigned int i;
 331 | 
 332 | 	unsigned int max_section_address;
 333 | 	unsigned int max_section_size;
 334 | 
 335 | 	PIMAGE_SECTION_HEADER new_import_section;
 336 | 
 337 | 	// Get section header
 338 | 	new_import_section = (PIMAGE_SECTION_HEADER) dump_pe_header.pSectHeader;
 339 | 
 340 | 	// max_section_address represents the address of the last section
 341 | 	max_section_address = 0;
 342 | 
 343 | 	// max_section_size represents the size of the last section.
 344 | 	max_section_size = 0;
 345 | 
 346 | 	// find the offset in the section header where our new section will be
 347 | 	for (i=0; i < (unsigned int)(dump_pe_header.pFileHeader->NumberOfSections); i++)
 348 | 	{
 349 | 		//if (new_import_section->
 350 | 		if (new_import_section->VirtualAddress > max_section_address)
 351 | 		{
 352 | 			max_section_address = new_import_section->VirtualAddress;
 353 | 			max_section_size = new_import_section->Misc.VirtualSize;
 354 | 		}
 355 | 		new_import_section++;
 356 | 	}
 357 | 
 358 | 	// Increase the number of sections
 359 | 	dump_pe_header.pFileHeader->NumberOfSections++;
 360 | 	
 361 | 	// ## Create the new section ##
 362 | 	// Set Name
 363 | 	strcpy(new_import_section->Name, "new_imp");	
 364 | 	
 365 | 	// Set virtual size of the section of new import table
 366 | 	new_import_section->Misc.VirtualSize = new_import_section_size_definition;
 367 | 
 368 | 	// Set a valid section Virtual Address of new import table
 369 | 	max_section_address += max_section_size;
 370 | 	max_section_address = 
 371 | 		((max_section_address%SECT_ALIGNMENT) != 0) ? 
 372 | 			(max_section_address/SECT_ALIGNMENT+1)*SECT_ALIGNMENT : max_section_address;
 373 | 
 374 | 	new_import_section->VirtualAddress = max_section_address;
 375 | 
 376 | 	// set a valid Raw offset of new import table, this is equal to the RVA 
 377 | 	// indicated by VirtualAddress because we dump the image as it is in the binary.
 378 | 	new_import_section->PointerToRawData = new_import_section->VirtualAddress;
 379 | 	
 380 | 	// set raw size - similar to VirtualSize
 381 | 	new_import_section->SizeOfRawData = new_import_section->Misc.VirtualSize;
 382 | 
 383 | 	// Set characteristics of the section
 384 | 	new_import_section->Characteristics = 0xc0300040;
 385 | 
 386 | 	/* set size and addr of new section */
 387 | 	dump_pe_header.pOptHeader->DataDirectory[1].VirtualAddress = max_section_address;
 388 | 	dump_pe_header.pOptHeader->DataDirectory[1].Size = 
 389 | 					new_import_section->Misc.VirtualSize;
 390 | 
 391 | 	/* Zero old data directory with fast address for import table */
 392 | 	dump_pe_header.pOptHeader->DataDirectory[12].VirtualAddress = 0x0;
 393 | 	dump_pe_header.pOptHeader->DataDirectory[12].Size = 0x0;
 394 | 
 395 | 	/* Size of the new image */
 396 | 	dump_pe_header.pOptHeader->SizeOfImage = (dump_pe_header.pOptHeader->SizeOfImage + new_import_section->Misc.VirtualSize);
 397 | }
 398 | 
 399 | 
 400 | /*
 401 |  * Sets PointerToRawData and SizeOfRawData in each section
 402 |  * in the section table, equal to the sizes and virtual
 403 |  * addresses in the virtual memory.
 404 |  *
 405 |  * We need this because we drop the entire Binary as it is in memory.
 406 |  */ 
 407 | void
 408 | configure_section_offsets(byte *memory_dump, unsigned int base)
 409 | {
 410 | 	int i;
 411 | 
 412 | 	/* we iterate through the sections */
 413 | 	for (i = 0; i < dump_pe_header.pFileHeader->NumberOfSections; i++)
 414 | 	{
 415 | 		/* Raw offset should remain the same as virtual address offset.  */
 416 | 		dump_pe_header.pSectHeader[i].PointerToRawData = dump_pe_header.pSectHeader[i].VirtualAddress;
 417 | 		dump_pe_header.pSectHeader[i].SizeOfRawData = dump_pe_header.pSectHeader[i].Misc.VirtualSize;
 418 | 	}
 419 | }
 420 | 
 421 | void
 422 | write_entry_point(unsigned int new_entry_point, unsigned int base_address, byte *memory_dump)
 423 | {
 424 | 	dump_pe_header.pOptHeader->AddressOfEntryPoint = (new_entry_point - base_address);
 425 | }
 426 | 
 427 | /* Sets the elements of dump_pe_header according to the new memory_dump */
 428 | int
 429 | Set_PE_header(byte *memory_dump)
 430 | {
 431 | 	dump_pe_header.pDosHeader = (PIMAGE_DOS_HEADER) memory_dump;
 432 | 	
 433 | 	if (dump_pe_header.pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
 434 | 		dr_fprintf(STDERR, "DOS signature not correct\n");
 435 | 
 436 | 
 437 | 	dump_pe_header.pNtHeader = (PIMAGE_NT_HEADERS)(memory_dump + 
 438 | 						dump_pe_header.pDosHeader->e_lfanew);
 439 | 
 440 | 	/* set nt header */
 441 | 	if (dump_pe_header.pNtHeader->Signature !=  IMAGE_NT_SIGNATURE)
 442 | 		dr_fprintf(STDERR, "NT signature not correct\n");
 443 | 
 444 | 	/* Set optional header */
 445 | 	dump_pe_header.pOptHeader = (PIMAGE_OPTIONAL_HEADER) 
 446 | 					&(dump_pe_header.pNtHeader->OptionalHeader);
 447 | 	
 448 | 	/* Set file header */
 449 | 	dump_pe_header.pFileHeader = (PIMAGE_FILE_HEADER) 
 450 | 					&(dump_pe_header.pNtHeader->FileHeader);
 451 | 
 452 | 	if (dump_pe_header.pFileHeader == NULL)
 453 | 		dr_fprintf(STDERR, "File header == NULL");
 454 | 
 455 | 	/* Set section header */
 456 | 	dump_pe_header.pSectHeader = (PIMAGE_SECTION_HEADER)
 457 | 					((unsigned long)dump_pe_header.pNtHeader + 
 458 | 					 			sizeof(IMAGE_NT_HEADERS));
 459 | 
 460 | 
 461 | 	return 1;
 462 | }
 463 | 
 464 | 
 465 | int
 466 | write_process_image(unsigned int new_entry_point)
 467 | {
 468 | 	HANDLE snapshot;
 469 | 	MODULEENTRY32 module;
 470 | 	FILE *image;
 471 | 	char entire_dump_name[255];
 472 | 	byte *memory_dump;
 473 | 	unsigned int import_section_size;
 474 | 	unsigned int total_size;
 475 | 
 476 | 	snapshot = CreateToolhelp32Snapshot(0x08, 0x00);
 477 | 
 478 | 	if (snapshot != INVALID_HANDLE_VALUE)
 479 | 	{
 480 | 		module.dwSize = sizeof(MODULEENTRY32);
 481 | 
 482 | 		// Get main module
 483 | 		if (Module32First(snapshot, &module))
 484 | 		{
 485 | 
 486 | 			if (module.modBaseSize != 0xffffffff)
 487 | 			{
 488 | 		
 489 | 				module_base_address = (unsigned int)module.modBaseAddr;
 490 | 				module_base_size = (unsigned int) module.modBaseSize;
 491 | 
 492 | 				// Name of the file we dump to.
 493 | 				sprintf(entire_dump_name, ".\\Refactor_output\\entire_unpacked-%d", dump_wave);
 494 | 
 495 | 				// Size of the new import section.
 496 | 				import_section_size = new_import_section_size_definition;
 497 | 
 498 | 				// Size of the copied module + size of new import section
 499 | 				total_size = module.modBaseSize + import_section_size;
 500 | 
 501 | 				// Allocate space for the copied module.
 502 | 				memory_dump = dr_global_alloc(total_size);
 503 | 
 504 | 				if (memory_dump == 0)
 505 | 				{
 506 | 					dr_fprintf(STDERR, "error when allocating space for copy of memory\n");
 507 | 					exit(1);
 508 | 				}
 509 | 
 510 | 
 511 | 				// Copy main module into our newly allocated space.
 512 | 				memcpy(memory_dump, module.modBaseAddr, module.modBaseSize);
 513 | 					
 514 | 				Set_PE_header(memory_dump);
 515 | 
 516 | 				// Set the section headers' PointerToRawData and SizeOfRawData
 517 | 				// to be equal that which it is in virtual memory. This is because
 518 | 				// we dump the image as it looks like in memory.
 519 | 				configure_section_offsets(memory_dump, (unsigned int)module.modBaseAddr);
 520 | 
 521 | 				// Set entry point of module to be equal the first instruction in our
 522 | 				// dynamically generated code.
 523 | 
 524 | 				/*
 525 | 				 * In the experiments of the paper we actually sat the entry point.
 526 | 				 * However, we later observed this not to be the best choice and 
 527 | 				 * instead do not do it now. 
 528 | 				 */
 529 | 				//write_entry_point(new_entry_point, (unsigned int)module.modBaseAddr, memory_dump);
 530 | 
 531 | 				// Write the new import section to the image, extending the size of it.
 532 | 				write_new_section(memory_dump, (unsigned int) module.modBaseAddr);
 533 | 
 534 | 				/* Open the file we dump to. */
 535 | 				image = fopen(entire_dump_name, "wb");
 536 | 
 537 | 				// Write the memory to file
 538 | 				fwrite(memory_dump, total_size, 1, image);
 539 | 
 540 | 				fclose(image);
 541 | 			}
 542 | 		}
 543 | 	}	
 544 | 
 545 | 	return 1;
 546 | }
 547 | 
 548 | 
 549 | int
 550 | dump_clean()
 551 | {
 552 | 	HANDLE snapshot;
 553 | 	MODULEENTRY32 module;
 554 | 	FILE *image;
 555 | 	char entire_dump_name[255];
 556 | 	byte *memory_dump;
 557 | 	unsigned int import_section_size;
 558 | 	unsigned int total_size;
 559 | 
 560 | 	snapshot = CreateToolhelp32Snapshot(0x08, 0x00);
 561 | 
 562 | 	if (snapshot != INVALID_HANDLE_VALUE)
 563 | 	{
 564 | 		module.dwSize = sizeof(MODULEENTRY32);
 565 | 
 566 | 		// Get main module
 567 | 		if (Module32First(snapshot, &module))
 568 | 		{
 569 | 
 570 | 			if (module.modBaseSize != 0xffffffff)
 571 | 			{
 572 | 		
 573 | 				// Name of the file we dump to.
 574 | 				sprintf(entire_dump_name, ".\\Refactor_output\\entire_unpacked_clean-%d", dump_wave);
 575 | 
 576 | 				// Size of the copied module + size of new import section
 577 | 				total_size = module.modBaseSize;
 578 | 
 579 | 				// Allocate space for the copied module.
 580 | 				memory_dump = dr_global_alloc(total_size);
 581 | 
 582 | 				if (memory_dump == 0)
 583 | 				{
 584 | 					dr_fprintf(STDERR, "error when allocating space for copy of memory\n");
 585 | 					exit(1);
 586 | 				}
 587 | 
 588 | 
 589 | 				// Copy main module into our newly allocated space.
 590 | 				memcpy(memory_dump, module.modBaseAddr, module.modBaseSize);
 591 | 					
 592 | 				Set_PE_header(memory_dump);
 593 | 
 594 | 				// Set the section headers' PointerToRawData and SizeOfRawData
 595 | 				// to be equal that which it is in virtual memory. This is because
 596 | 				// we dump the image as it looks like in memory.
 597 | 				configure_section_offsets(memory_dump, (unsigned int)module.modBaseAddr);
 598 | 
 599 | 				/* Open the file we dump to. */
 600 | 				image = fopen(entire_dump_name, "wb");
 601 | 
 602 | 				// Write the memory to file
 603 | 				fwrite(memory_dump, total_size, 1, image);
 604 | 
 605 | 				fclose(image);
 606 | 			}
 607 | 		}
 608 | 	}	
 609 | 
 610 | 	return 1;
 611 | }
 612 | 
 613 | int dump_clean_also = 1;
 614 | 
 615 | void
 616 | DumpProcess(unsigned int entry_point)
 617 | {
 618 | 	// Get name and exported functions of modules in the process
 619 | 	// The data is inserted in Dll_list
 620 | 	//
 621 | 	/* Keep this call */
 622 | 
 623 | 	/* Write exports */
 624 | 	GetAllDllNames();
 625 | 
 626 | 	// Drop the binary and reconstruct import table
 627 | 	write_process_image(entry_point);
 628 | 
 629 | 	if (dump_clean_also)
 630 | 	{
 631 | 		dump_clean();
 632 | 	}
 633 | 	
 634 | 	// Increase the wave number
 635 | //	dump_wave++;
 636 | }
 637 | 
 638 | static void
 639 | clean_call(void)
 640 | {
 641 | 	unsigned int mem_refs;
 642 | 	unsigned int mem_reference;
 643 | 	unsigned int value_being_read;
 644 | 	tls_storage *data;
 645 | 	int i;
 646 | 	void *drcontext;
 647 | 
 648 | 	drcontext = dr_get_current_drcontext();
 649 | 	data = (tls_storage *) drmgr_get_tls_field(drcontext, tls_index);
 650 | 	mem_refs = data->number_of_refs;
 651 | 
 652 | 
 653 | 	// Branch instructions
 654 | 	if (data->old_pc != 0 && 
 655 | 		data->old_pc < (module_base_address+module_base_size) &&
 656 | 		data->old_pc > (module_base_address) &&
 657 | 		((data->old_pc + data->old_instr_size) != (unsigned int)data->pc))
 658 | 	{
 659 | 		char output_line[100];
 660 | 		int c;
 661 | 			
 662 | 		for (c = 0; c < 100; c++)
 663 | 			output_line[c] = '\0';
 664 | 
 665 | 		sprintf(output_line, "W %d B %x to %x\n", 
 666 | 				dump_wave, data->old_pc, data->pc);
 667 | 
 668 | 		write_to_output(output_line, strlen(output_line));
 669 | 	}
 670 | 
 671 | 	data->old_pc = (unsigned int)data->pc;
 672 | 	data->old_instr_size = data->instr_size;
 673 | 	
 674 | 
 675 | 	// Is the instruction part of written memory?
 676 | 	for (i = 0; i < data->instr_size; i++)
 677 | 	{
 678 | 		if (is_in((unsigned int)data->pc + i))
 679 | 		{
 680 | 			char output_line[60];
 681 | 			int c;
 682 | 
 683 | 			dump_wave++; 
 684 | 		
 685 | 			for (c = 0; c<60; c++)
 686 | 			{
 687 | 				output_line[c] = '\0';
 688 | 			}
 689 | 
 690 | 
 691 | 			sprintf(output_line, "W %d First executed instruction at "PFX"\n",
 692 | 					dump_wave, data->pc);
 693 | 
 694 | 			write_wave_and_entrypoint(output_line, strlen(output_line));
 695 | 			
 696 | 
 697 | 
 698 | 			//dr_fprintf(STDERR, "Wave %d detected with entrypoint at "PFX"\n", dump_wave, data->pc);
 699 | 			//dr_printf("Executing dynamically generated code at "PFX"\n", data->pc);
 700 | 			// Clear hashtable of dynamically written memory
 701 | 			delete_all();
 702 | 
 703 | 			DumpProcess((unsigned int)data->pc);
 704 | 
 705 | 			// We only need to capture it once.
 706 | 			break;
 707 | 		}
 708 | 	}
 709 | 
 710 | 	/* 
 711 | 	 * Check memory references and insert if necessary 
 712 |          * We can optimize this by instead of having both is_in and insert, rather
 713 | 	 * have insert_if_not_in. 
 714 | 	 * */
 715 | 	switch(mem_refs)
 716 | 	{
 717 | 		int i;
 718 | 
 719 | 		case 4:
 720 | 			mem_reference = data->mem_ref4;
 721 | 			for (i = 0; i < data->size_of_mem_write; i++)
 722 | 				if (is_in(mem_reference+i) == 0) insert(mem_reference+i);
 723 | 		case 3: 
 724 | 			mem_reference = data->mem_ref3;
 725 | 			for (i = 0; i < data->size_of_mem_write; i++)
 726 | 				if (is_in(mem_reference+i) == 0) insert(mem_reference+i);
 727 | 		case 2:
 728 | 			mem_reference = data->mem_ref2;
 729 | 			for (i = 0; i < data->size_of_mem_write; i++)
 730 | 				if (is_in(mem_reference+i) == 0) insert(mem_reference+i);
 731 | 		case 1: 
 732 | 			mem_reference = data->mem_ref1;
 733 | 			for (i = 0; i < data->size_of_mem_write; i++)
 734 | 				if (is_in(mem_reference+i) == 0) insert(mem_reference+i);
 735 | 	}
 736 | 
 737 | 
 738 | 	/* Check if it is an indirect reference */
 739 | 	if (data->reads_memory)
 740 | 	{
 741 | 		if ((unsigned int)data->pc >= module_base_address && \
 742 | 			(unsigned int)data->pc < (module_base_address+module_base_size))
 743 | 		{
 744 | 			value_being_read = *(unsigned int*)data->address_being_read;
 745 | 
 746 | 			// Is address of memory being read inside module?
 747 | 			if (value_being_read <= module_base_address || value_being_read > (module_base_address+module_base_size))
 748 | 			{
 749 | 				char output_line[50];
 750 | 				int c;
 751 | 				
 752 | 				for (c=0; c<50; c++)
 753 | 					output_line[c] = '\0';
 754 | 
 755 | 				// format:
 756 | 				// wave #num I #instruction_address #address_being_read #value_of_addr_being_read
 757 | 				sprintf(output_line, "W %d I %x %x %x\n",
 758 | 						dump_wave, // Fix
 759 | 						data->pc, 
 760 | 						data->address_being_read, 
 761 | 						value_being_read);
 762 | 
 763 | 				write_to_output(output_line, strlen(output_line));
 764 | 			}
 765 | 		}
 766 | 	}
 767 | 	
 768 | 	/* set reference number to 0 */
 769 | 	/* ensure you don't have to use drmgr_set_tls_field here */
 770 | 	data->number_of_refs = 0;
 771 | 	data->reads_memory = 0;
 772 | }
 773 | 
 774 | /*
 775 |  *
 776 |  * Writes the output_text to the output file. 
 777 |  * Writes "text_length" number of bytes.
 778 |  *
 779 |  */
 780 | static void
 781 | write_to_output(char *output_text, int text_length)
 782 | {
 783 | 	fwrite(output_text, text_length, 1, output_file);
 784 | 	fflush(output_file);
 785 | }
 786 | 
 787 | static void
 788 | write_wave_and_entrypoint(char *output_text, int text_length)
 789 | {
 790 | 	fwrite(output_text, text_length, 1, wave_file);
 791 | 	fflush(wave_file);
 792 | }
 793 | 
 794 | /* 
 795 |  *
 796 |  * End of analysis
 797 |  *
 798 |  */
 799 | static void
 800 | event_exit(void)
 801 | {
 802 | 	// Close the output file
 803 | 	fclose(output_file);
 804 | 
 805 | 	// Close the wave file
 806 | 	fclose(wave_file);
 807 | }
 808 | 
 809 | DR_EXPORT void
 810 | dr_client_main(client_id_t id, int argc, const char *argv[])
 811 | {
 812 | 	int i;
 813 | 
 814 | 	global_count = 0;
 815 | 	dump_wave = 0;
 816 | 
 817 | 	/* if we can't print, then return */
 818 | 	if (!dr_enable_console_printing())
 819 | 		return;
 820 | 
 821 | 
 822 | 	/* init hash table */
 823 | 	for (i = 0; i < SIZE; i++)
 824 | 	{
 825 | 		hashtable[i] = NULL;
 826 | 	}
 827 | 
 828 | 	dr_set_client_name("DynamoRIO Sample Client 'memtrace'",
 829 | 				"http://dynamorio.org/issues");
 830 | 
 831 | 
 832 | 	/* initialize manager and util */
 833 | 	if (!drmgr_init() || !drutil_init())
 834 | 		DR_ASSERT(false);
 835 | 
 836 | 	dr_register_exit_event(event_exit);
 837 | 
 838 | 	// setup disassembler
 839 | 	if (cs_open(CS_ARCH_X86, CS_MODE_32, &handle) != CS_ERR_OK)
 840 | 	{
 841 | 		dr_fprintf(STDERR, "Could not initialize disassembler\n");	
 842 | 		DR_ASSERT(false);
 843 | 	}	
 844 | 
 845 | 	// Open output file
 846 | 	output_file = fopen(".\\Refactor_output\\trace_output", "w");
 847 | 	if (output_file == NULL)
 848 | 	{
 849 | 		dr_fprintf(STDERR, "Error opening output file\n");
 850 | 		exit(1);
 851 | 	}
 852 | 
 853 | 	wave_file = fopen(".\\Refactor_output\\wave_entrypoints", "w");
 854 | 	if (wave_file == NULL)
 855 | 	{
 856 | 		dr_fprintf(STDERR, "Error opening wave file\n");
 857 | 		exit(1);
 858 | 	}
 859 | 
 860 | 	/* we must call our initialization events */
 861 | 	if (!drmgr_register_thread_init_event(event_thread_init) ||
 862 | 	    !drmgr_register_thread_exit_event(event_thread_exit))
 863 | 		DR_ASSERT(false);
 864 | 
 865 | 	// Instrumentation
 866 | 	if (!drmgr_register_bb_app2app_event(event_bb_app2app, NULL) || 
 867 | 	    !drmgr_register_bb_instrumentation_event(event_bb_analysis,
 868 | 						     event_bb_insert,
 869 | 						     NULL))
 870 | 	{
 871 | 		DR_ASSERT(false);
 872 | 		return;
 873 | 	}	
 874 | 
 875 | 	/* initialize TLS */
 876 | 	tls_index = drmgr_register_tls_field();
 877 | 	DR_ASSERT(tls_index != -1);
 878 | }
 879 | 
 880 | static void
 881 | event_thread_init(void *drcontext)
 882 | {
 883 | 	tls_storage *data;
 884 | 
 885 | 	data = dr_thread_alloc(drcontext, sizeof(tls_storage));
 886 | 
 887 | 	drmgr_set_tls_field(drcontext, tls_index, data);
 888 | 	dr_printf("Thread init\n");
 889 | }
 890 | 
 891 | static void
 892 | event_thread_exit(void *drcontext)
 893 | {
 894 | 	tls_storage *data;
 895 | 
 896 | 	data = drmgr_get_tls_field(drcontext, tls_index);
 897 | 
 898 | 	dr_thread_free(drcontext, data, sizeof(tls_storage));
 899 | 	dr_printf("Thread exit\n");
 900 | }
 901 | 
 902 | /* we transform string loops into regular loops so we can more easily
 903 |  * monitor every memory reference they make
 904 |  */
 905 | static dr_emit_flags_t
 906 | event_bb_app2app(void *drcontext, void *tag, instrlist_t *bb,
 907 |                  bool for_trace, bool translating)
 908 | {
 909 |     //if (!drutil_expand_rep_string(drcontext, bb)) {
 910 |       //  DR_ASSERT(false);
 911 |         /* in release build, carry on: we'll just miss per-iter refs */
 912 |     //}
 913 |     return DR_EMIT_DEFAULT;
 914 | }
 915 | 
 916 | 
 917 | // Do nothing
 918 | static dr_emit_flags_t
 919 | event_bb_analysis(void *drcontext, void *tag, instrlist_t *bb,
 920 | 		  bool for_trace, bool translating,
 921 | 		  OUT void **user_data)
 922 | {
 923 | 	return DR_EMIT_DEFAULT;
 924 | }
 925 | 
 926 | /* 
 927 |  *
 928 |  * Main instrumentation function.
 929 |  *
 930 |  */
 931 | static dr_emit_flags_t
 932 | event_bb_insert(void *drcontext, void *tag, instrlist_t *bb, instr_t *instr,
 933 |                   bool for_trace, bool translating,
 934 |                   OUT void **user_data)
 935 | {
 936 |     int i;
 937 |     int memory_references, total_refs;
 938 |     int instruction_opcode;
 939 |     int indirect_call = 0;
 940 |     int bytes_occupied;
 941 | 
 942 | 	// Capstone stuff
 943 | 	cs_insn *insn;
 944 | 	unsigned int size;
 945 | 	int count;
 946 | 
 947 |     if (!instr_is_app(instr))
 948 | 		    return DR_EMIT_DEFAULT;
 949 | 
 950 |     memory_references = 0;
 951 |     total_refs = 0;
 952 | 
 953 |     if (instr_get_app_pc(instr) == NULL)
 954 | 	    return DR_EMIT_DEFAULT;
 955 | 
 956 |     instruction_opcode = instr_get_opcode(instr);
 957 | 
 958 | 	// Instrumentation for getting the readings of indirect references
 959 | 	if (instr_reads_memory(instr))
 960 | 	{
 961 | 		//dr_printf("It reads memory\n");
 962 | 		if (opnd_is_memory_reference(instr_get_src(instr, 0)))
 963 | 		{
 964 | 			instrument_read_memory(drcontext, bb, instr, 0);
 965 | 			instrument_set_value(drcontext, bb, instr,
 966 | 				(int) 1, offsetof(tls_storage, reads_memory));
 967 | 			indirect_call = 1;
 968 | 		}
 969 | 	}
 970 | 
 971 | 
 972 | 	// Instrumentation for getting the addresses being written
 973 |     if (instr_writes_memory(instr))
 974 |     {
 975 | 	unsigned int write_size;
 976 | 
 977 | 	// How many writes do we have in all
 978 | 	for (i = 0; i < instr_num_dsts(instr); i++)
 979 | 	{
 980 | 	    if (opnd_is_memory_reference(instr_get_dst(instr, i)))
 981 | 		    total_refs++;
 982 | 	}
 983 | 
 984 | 	// Instrument each write
 985 | 	for (i = 0; i < instr_num_dsts(instr); i++)
 986 | 	{
 987 | 	    if (opnd_is_memory_reference(instr_get_dst(instr, i)))
 988 | 	    {
 989 | 		    // i = operand number
 990 | 		    // memory_reference = the operand number which is a memory reference
 991 | 	        instrument_mem(drcontext, bb, instr, i, true, memory_references);
 992 | 	        memory_references++;
 993 | 	    }
 994 | 	}
 995 | 	
 996 | 	// Write size of the memory written
 997 | 	write_size = instr_memory_reference_size(instr);
 998 | 
 999 | 	instrument_set_value(drcontext, bb, instr,
1000 | 			(int)write_size, offsetof(tls_storage, size_of_mem_write));
1001 |     }
1002 | 
1003 | 	// Save the number of addresses the instruction writes to.
1004 | 	instrument_set_value(drcontext, bb, instr,
1005 | 			(int) total_refs, offsetof(tls_storage, number_of_refs));
1006 | 
1007 | 	// Save the address of the instruction
1008 | 	instrument_set_value(drcontext, bb, instr, 
1009 | 			(int)instr_get_app_pc(instr), offsetof(tls_storage, pc));
1010 | 
1011 | 	// Save the size of the instruction
1012 | 	// We use capstone to disassemble
1013 | 	count = cs_disasm(handle, instr_get_app_pc(instr), 15, (unsigned int)instr_get_app_pc(instr), 0, &insn);
1014 | 	if (count > 0)
1015 | 	{
1016 | 		size = (insn[0].size & 0xffff);
1017 | 		instrument_set_value(drcontext, bb, instr,
1018 | 			size, offsetof(tls_storage, instr_size));
1019 | 		//dr_printf("0x%llx\t%s\t%s\t%u\n", 
1020 | 		//		insn[0].address,
1021 | 		//		insn[0].mnemonic, 
1022 | 		//		insn[0].op_str,
1023 | 		//		(insn[0].size & 0xffff));
1024 | 	}
1025 | 
1026 |     dr_insert_clean_call(drcontext, bb, instr, (void *)clean_call, true, 0);
1027 | 
1028 |     return DR_EMIT_DEFAULT;
1029 | }
1030 | 
1031 | 
1032 | /*
1033 |  *
1034 |  * Writes a value to a field in a TLS structure.
1035 |  * The field is indicated by offset.
1036 |  * The value is given by value.
1037 |  *
1038 |  *
1039 |  * param ilist : basic block where instruction to instrument is
1040 |  * param where : instruction to instrument
1041 |  * param offset : offset of field in tls structure we are writing to
1042 |  * param value : value to be written in tls field.
1043 |  *
1044 |  */
1045 | static void instrument_set_value(
1046 | 		void *drcontext, instrlist_t *ilist, instr_t *where, 
1047 | 		int value, unsigned int offset)
1048 | {
1049 | 	tls_storage *data;
1050 | 	reg_id_t reg1 = DR_REG_XBX;
1051 | 	reg_id_t reg2 = DR_REG_XCX;
1052 | 	opnd_t ref;
1053 | 	opnd_t opnd1, opnd2;
1054 | 
1055 | 
1056 | 	dr_save_reg(drcontext, ilist, where, reg1, SPILL_SLOT_2);
1057 | 	dr_save_reg(drcontext, ilist, where, reg2, SPILL_SLOT_3);
1058 |         
1059 | 	// Instrumentation for writing "reads_memory" value into
1060 | 	// LTS->reads_memory
1061 | 	drmgr_insert_read_tls_field(drcontext, tls_index, ilist, where, reg2);
1062 | 	
1063 | 	opnd1 = OPND_CREATE_MEM32(reg2, offset);
1064 | 	opnd2 = OPND_CREATE_INT32(value);
1065 | 	
1066 | 	instrlist_meta_preinsert(ilist, where, 
1067 | 		INSTR_CREATE_mov_imm(drcontext, opnd1, opnd2));	
1068 | 	
1069 | 	dr_restore_reg(drcontext, ilist, where, reg1, SPILL_SLOT_2);
1070 | 	dr_restore_reg(drcontext, ilist, where, reg2, SPILL_SLOT_3);
1071 | 
1072 | }
1073 | 
1074 | /*
1075 |  * Add instrumentation to read the value of the memory
1076 |  * address given by the "pos" operand in instruction
1077 |  * "where" in the basic block ilist.
1078 |  * The value is stored in the TLS struct at "address_being_read" field
1079 |  *
1080 |  * param pos : the position of operand to be read
1081 |  * param ilist : the basic block with instruction to be instrumented
1082 |  * param where : the instruction the be instrumented
1083 |  *
1084 |  */ 
1085 | static void instrument_read_memory(void *drcontext, instrlist_t *ilist, instr_t *where,
1086 | 		int pos)
1087 | {
1088 | 	tls_storage *data;
1089 | 	reg_id_t reg1 = DR_REG_XBX;
1090 | 	reg_id_t reg2 = DR_REG_XCX;
1091 | 	app_pc pc;
1092 | 	opnd_t ref;
1093 | 	opnd_t opnd1, opnd2;
1094 | 
1095 | 	/* useless call, but they have something similar in memtrace_x86 */	
1096 | //	data = drmgr_get_tls_field(drcontext, tls_index);
1097 | 
1098 | 	dr_save_reg(drcontext, ilist, where, reg1, SPILL_SLOT_2);
1099 | 	dr_save_reg(drcontext, ilist, where, reg2, SPILL_SLOT_3);
1100 | 
1101 | 	/* read the memory reference */
1102 | 	ref = instr_get_src(where, pos);
1103 | 	
1104 | 	/* put memory address being read into reg1 */
1105 | 	drutil_insert_get_mem_addr(drcontext, ilist, where, ref, reg1, reg2);
1106 | 	opnd1 = opnd_create_reg(reg1);
1107 | 
1108 | 	/* read TLS field into reg2 */
1109 | 	drmgr_insert_read_tls_field(drcontext, tls_index, ilist, where, reg2);
1110 | 
1111 | 	/* read the field */
1112 | 	instrlist_meta_preinsert(ilist, where,
1113 | 			INSTR_CREATE_mov_st(drcontext,
1114 | 				OPND_CREATE_MEMPTR(reg2, offsetof(tls_storage, address_being_read)),
1115 | 				opnd1));
1116 | 
1117 | 	dr_restore_reg(drcontext, ilist, where, reg1, SPILL_SLOT_2);
1118 | 	dr_restore_reg(drcontext, ilist, where, reg2, SPILL_SLOT_3);
1119 | }
1120 | 		
1121 | 
1122 | 
1123 | /*
1124 |  *
1125 |  * Read the memory address holding by instruction "where" with
1126 |  * operand "pos" into the mem_refX field in the LTS struct,
1127 |  * where X is the number indicated by memory_reference.
1128 |  *
1129 |  * param ilist : basic block where instruction to be instrumented is
1130 |  * param where : instruction to be instrumented
1131 |  * param pos : position of operand that contains the address being
1132 |  *             written to.
1133 |  * param write : NOT USED ANYMORE
1134 |  * param memory_reference : the number mem_refX the written address
1135 | 			    is written to in our LTS struct.
1136 |  *
1137 |  */
1138 | static void instrument_mem(void *drcontext, instrlist_t *ilist, instr_t *where,
1139 | 		int pos, bool write, int memory_reference)
1140 | {
1141 | 	tls_storage *data;
1142 | 	reg_id_t reg1 = DR_REG_XBX;
1143 | 	reg_id_t reg2 = DR_REG_XCX;
1144 | 	app_pc pc;
1145 | 	opnd_t ref;
1146 | 	opnd_t opnd1, opnd2;
1147 | 
1148 | 	if (memory_reference > 3)
1149 | 	{
1150 | 		dr_printf("Memory reference too large\n");
1151 | 		DR_ASSERT(0);
1152 | 	}
1153 | 
1154 | 	/* useless call, but they have something similar in memtrace_x86 */	
1155 | //	data = drmgr_get_tls_field(drcontext, tls_index);
1156 | 
1157 | 	dr_save_reg(drcontext, ilist, where, reg1, SPILL_SLOT_2);
1158 | 	dr_save_reg(drcontext, ilist, where, reg2, SPILL_SLOT_3);
1159 | 
1160 | 	/* read the first memory reference */
1161 | 	ref = instr_get_dst(where, pos);
1162 | 	
1163 | 	/* put memory address being written into reg1 */
1164 | 	drutil_insert_get_mem_addr(drcontext, ilist, where, ref, reg1, reg2);
1165 | 	opnd1 = opnd_create_reg(reg1);
1166 | 
1167 | 	/* read TLS field into reg2 */
1168 | 	drmgr_insert_read_tls_field(drcontext, tls_index, ilist, where, reg2);
1169 | 
1170 | 	/* read the field */
1171 | 	if (memory_reference == 0)
1172 | 	{
1173 | 		instrlist_meta_preinsert(ilist, where,
1174 | 				INSTR_CREATE_mov_st(drcontext,
1175 | 					OPND_CREATE_MEMPTR(reg2, offsetof(tls_storage, mem_ref1)),
1176 | 					opnd1));
1177 | 	}
1178 | 	else if (memory_reference == 1)
1179 | 	{
1180 | 		instrlist_meta_preinsert(ilist, where,
1181 | 				INSTR_CREATE_mov_st(drcontext,
1182 | 					OPND_CREATE_MEMPTR(reg2, offsetof(tls_storage, mem_ref2)),
1183 | 					opnd1));
1184 | 	}
1185 | 	else if (memory_reference == 2)
1186 | 	{
1187 | 		instrlist_meta_preinsert(ilist, where,
1188 | 				INSTR_CREATE_mov_st(drcontext,
1189 | 					OPND_CREATE_MEMPTR(reg2, offsetof(tls_storage, mem_ref3)),
1190 | 					opnd1));
1191 | 	}
1192 | 	else if (memory_reference == 3)
1193 | 	{
1194 | 		instrlist_meta_preinsert(ilist, where,
1195 | 				INSTR_CREATE_mov_st(drcontext,
1196 | 					OPND_CREATE_MEMPTR(reg2, offsetof(tls_storage, mem_ref4)),
1197 | 					opnd1));
1198 | 	}
1199 | 
1200 | 	dr_restore_reg(drcontext, ilist, where, reg1, SPILL_SLOT_2);
1201 | 	dr_restore_reg(drcontext, ilist, where, reg2, SPILL_SLOT_3);
1202 | }
1203 | 
1204 | // Capstone needs this, otherwise it complains
1205 | __declspec(noreturn) void __cdecl __report_rangecheckfailure(void)
1206 | {
1207 |     exit(1);
1208 | }
1209 | 


--------------------------------------------------------------------------------
/Tracer/unpacker.h:
--------------------------------------------------------------------------------
 1 | static dr_emit_flags_t event_bb_analysis(void *drcontext, void *tag, instrlist_t *bb,
 2 |                                          bool for_trace, bool translating,
 3 |                                          OUT void **user_data);
 4 | 
 5 | static dr_emit_flags_t
 6 | event_bb_insert(void *drcontext, void *tag, instrlist_t *bb, instr_t *instr,
 7 |                   bool for_trace, bool translating,
 8 |                   OUT void **user_data);
 9 | 
10 | static void instrument_mem(void *drcontext, instrlist_t *ilist, instr_t *where,
11 | 		int pos, bool write, int memory_reference);
12 | 
13 | static void instrument_read_memory(void *drcontext, instrlist_t *ilist, instr_t *where, int pos);
14 | 
15 | static void
16 | write_to_output(char *output_text, int text_length);
17 | 
18 | static void
19 | write_wave_and_entrypoint(char *output_text, int text_length);
20 | 
21 | static void
22 | event_thread_init(void *drcontext);
23 | 
24 | static void
25 | event_thread_exit(void *drcontext);
26 | 
27 | static dr_emit_flags_t
28 | event_bb_app2app(void *drcontext, void *tag, instrlist_t *bb,
29 |                  bool for_trace, bool translating);
30 | 
31 | 
32 | static void instrument_set_value(
33 | 		void *drcontext, instrlist_t *ilist, instr_t *where, 
34 | 		int value, unsigned int offset);
35 | 


--------------------------------------------------------------------------------