PE代码段中可能包含一些数据,比如
optional header中的data directory会索引到一些数据,比如import/export table等等;
还有一些jump table/switch table等等。
一般来说,direct/indirect call/branch的目标,可能是代码,也可能是数据,比如:
mov eax, offset_func
call eax
以及
mov eax, offset_shellcode
xor [eax + N]
call eax
但是第二种,属于对代码段做修改之后,再调用的情况很可能是Malicious,而也不能够被“W异或X”机制所允许。
但是仅仅是读,或者以其为源,拷贝到可写数据区再进行修改还是有可能的。
可能通过监控对于代码段中的内容的读和写(写可能不会发生)进行监控,并且跟踪其数据流,就像是Taint分析一样。
在Pin中,与内存读写有关的参数
IARG_MEMORYREAD_EA
Type: ADDRINT. Effective address of a memory read, only valid if INS_IsMemoryRead is true and at IPOINT_BEFORE.IARG_MEMORYREAD2_EA
Type: ADDRINT. Effective address of a 2nd memory read (e.g. 2nd operand in cmps on ia32), only valid at IPOINT_BEFORE.
IARG_MEMORYWRITE_EA
Type: ADDRINT. Effective address of a memory write, only valid at IPOINT_BEFORE.
IARG_MEMORYREAD_SIZE
Type: UINT32. Size in bytes of memory read.
IARG_MEMORYWRITE_SIZE
Type: UINT32. Size in bytes of memory write.
但是在真正跑时,出现了以下的exception:
IARG_MEMORY*_EA is only valid at IPOINT_BEFORE
因此,想要得到Write事后的地址,需要在程序中自己存储,参考pin sample pinatrace.
BOOL LEVEL_CORE::INS_OperandIsAddressGenerator ( INS ins,
UINT32 n
)
Returns:
true if this operand generates an address, but the address does not access memory (e.g. load effective address instruction)