Entry point object for tainting data.
Taints can be created by using the simple_taint function. The last_taint method can be used to retrieve the started taint.
Please refer to the taint package documentation for more information.
>>> trace = reven_server.trace
>>> tainter = reven2.preview.taint.Tainter(trace)
|last_taint||Get the last taint started by simple_taint|
|simple_taint||Request the server to start a taint such that its parameters are the arguments to this function.|
||Request the server to start a taint from the TaintState passed as parameter.|
Request the server to start a taint such that its parameters are the arguments to this function.
As this function offers a simplified API, it starts the taint with a maximum of two different taint markers.
Each successive call to this method will cancel and discard the previously started taint if any.
- Tainted data: passed by tag0 and tag1; tag0 tainted data is labeled by tag0, tag1 tainted data is labeled by tag1. Tainted data can be one of: string, Iterable,
TaintedRegisterSlice, integer (interpreted as a ds prefixed logical address),
- Tainted range: Taint is propagated through all the Transitions between from_context and to_context
- Taint direction: Forward if is_forward else Backward
>>> trace = reven_server.trace
>>> tainter = reven2.preview.taint.Tainter(trace)
>>> # taint in forward on the full trace, starting at the first context,
>>> # "rax" with tag0, [ds:0xffffd001ea0d6040 ; 8] with tag1
>>> taint = tainter.simple_taint(tag0="rax", tag1="[ds:0xffffd001ea0d6040 ; 8]")
>>> # The same taint, with the arguments expressed differently.
>>> taint = tainter.simple_taint(tag0=reven2.arch.x64.rax, tag1=0xffffd001ea0d6040)
>>> # A slightly different taint, where tag0 tags both `rax` and the memory address, and where nothing is tagged with `tag1`.
>>> taint = tainter.simple_taint(tag0=[reven2.arch.x64.rax, 0xffffd001ea0d6040])
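To make the roles of the two markers, the context range and the direction flag concrete, here is an added toy model (not REVEN code and not part of the reven2 API). `toy_simple_taint`, `TRACE` and the string location names are constructed for illustration, and the backward run is assumed to place the initial markers at the end of the range.

```python
# Toy model only: NOT REVEN's engine. Locations are plain strings.
# Each constructed transition is (destination, [sources]): dest = f(sources).
# Context i is the state before transition i.
TRACE = [
    ("rbx", ["rax"]),          # 0: mov rbx, rax
    ("rcx", ["[mem]"]),        # 1: mov rcx, [mem]
    ("rdx", ["rbx", "rcx"]),   # 2: rdx = rbx + rcx
    ("rbx", []),               # 3: mov rbx, 0 (constant overwrite)
    ("[out]", ["rdx"]),        # 4: mov [out], rdx
]


def _as_list(tag):
    """Accept None, one location, or an iterable of locations."""
    if tag is None:
        return []
    return [tag] if isinstance(tag, str) else list(tag)


def toy_simple_taint(trace, tag0=None, tag1=None, from_context=None,
                     to_context=None, is_forward=True):
    """Return {location: set of marker names} once the range is processed."""
    lo = 0 if from_context is None else from_context
    hi = len(trace) if to_context is None else to_context
    state = {}
    for name, tag in (("tag0", tag0), ("tag1", tag1)):
        for loc in _as_list(tag):
            state.setdefault(loc, set()).add(name)
    steps = trace[lo:hi] if is_forward else reversed(trace[lo:hi])
    for dst, srcs in steps:
        if is_forward:
            # dst receives the union of its sources' markers;
            # a write from untainted data clears dst.
            marks = set().union(*(state.get(s, set()) for s in srcs))
            state.pop(dst, None)
            if marks:
                state[dst] = marks
        elif dst in state:
            # Backward: the markers on dst move to the sources it came from.
            marks = state.pop(dst)
            for s in srcs:
                state.setdefault(s, set()).update(marks)
    return state
```

Running it forward with `tag0="rax", tag1="[mem]"` leaves `[out]` carrying both markers, while running it backward from `[out]` with `is_forward=False` ends on `rax` and `[mem]`, the two origins of that value.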
reven2.register_slice.RegisterSlice will be converted to the containing byte if it is not aligned, except flags.
|tag0:||Initially tainted data marked with the tag0 taint marker. The accepted types for this parameter are the following:|
|tag1:||Initially tainted data marked with the tag1 taint marker. The accepted types for this parameter are the same as for tag0|
|is_forward:||bool, True for forward direction and False for backward direction.|
Request the server to start a taint from the TaintState passed as parameter.
TaintState can be obtained from the results of a previous taint.
|state:||The state from which we start the new taint.|
|from_context:||Context before the first transition in the requested taint range. If None, then computed to resume the taint from which the state was extracted.|
|to_context:||Context after the last transition in the requested taint range. Always greater than from_context. If None, then computed to resume the taint from which the state was extracted.|
|is_forward:||True for forward direction and False for backward direction. If None, then the same direction as the taint from which the state was extracted.|
def _handle_tag(tagname, tag):