REVEN-Axion 2016v1.3.1
slicer.py

The slicer script makes use of REVEN's data-tainting capabilities to display the list of instructions that manipulate tainted data.

It uses the reven.Project.taint method to retrieve the list of execution Points that deal with tainted data and prints them.

1 #!/usr/bin/env python2
2 
3 import reven
4 import argparse
5 
def _build_parser():
    """Build the command-line parser for the slicer script.

    Returns:
        An argparse.ArgumentParser with the connection options (--host,
        --port), the taint range options (-r, -s, -i, -b) and the
        positional list of register names.
    """
    cli = argparse.ArgumentParser(description='Create a sliced trace based on some register taint propagation.')
    # Where the REVEN server lives.
    cli.add_argument('--host', metavar='host', dest='host', help='the reven host', default="localhost")
    cli.add_argument('--port', metavar='port', dest='port', type=int, help='the reven server port', default=13370)
    # Where in the trace the taint starts and which way it propagates.
    cli.add_argument('-r', metavar='run', dest='run', help='the reven execution run name', default='Execution run')
    cli.add_argument('-s', metavar='sequence', dest='sequence', type=int, help='the reven execution sequence', default=0)
    cli.add_argument('-i', metavar='instruction', dest='instruction', type=int, help='the reven execution instruction', default=0)
    cli.add_argument('-b', dest='backward', action='store_true', help='taint in backward direction')
    # At least one register name is required; it is a positional argument.
    cli.add_argument(metavar='registers', dest='registers', help='name of the registers to taint', nargs='+')
    return cli


def parse_args():
    """Parse sys.argv and return the resulting argparse.Namespace.

    Returns:
        A Namespace with attributes host, port, run, sequence, instruction,
        backward and registers (a list of one or more register names).
    """
    return _build_parser().parse_args()
20 
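if __name__ == '__main__':
    # Script entry point: connect to a REVEN project, taint the requested
    # registers from the given start point to one end of the trace, and print
    # every execution point that touches tainted data.
    #
    # Fixes: the if/else bodies are indented properly (the listing as shown
    # was not valid Python), the Python-2-only print statement is written in
    # the single-argument parenthesised form that runs unchanged under both
    # python2 and python3, and the last-sequence index is computed once.

    # Parse the input arguments.
    args = parse_args()

    # Connect to the reven project.
    p = reven.Project(args.host, args.port)

    # Get the target trace.
    t = p.trace(args.run)

    # Get the taint range start point.
    start_point = t.point(args.sequence, args.instruction)

    # Get the taint range end point: the first trace point when tainting
    # backward, otherwise the last instruction of the last sequence.
    if args.backward:
        stop_point = t.point(0)
    else:
        last_sequence = t.sequence_count - 1
        # NOTE(review): assumes the last sequence's basic block is non-empty;
        # an empty block would yield instruction index -1 - confirm with the API.
        last_instruction = len(t.point(last_sequence).basic_block) - 1
        stop_point = t.point(last_sequence, last_instruction)

    # Get the initially tainted registers (assumes each is a 4-byte register).
    register_size = 4
    syms = [reven.SymbolicRegister(r, register_size) for r in args.registers]

    # Propagate the taint, timeout after 5s (the value passed is 5000,
    # presumably milliseconds - confirm against the reven.Project.taint API).
    taint_timeout = 5000
    result = p.taint(start_point, stop_point, syms, taint_timeout)

    # Display the sliced trace, one line per tainted execution point, in
    # trace order.  Parenthesised single-argument print is valid on python2.
    for r in sorted(result.keys()):
        print("%d_%d - %-32s %s" % (r.sequence_index, r.instruction_index, r.symbol, r.instruction))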