S2E / s2e-env

Your S2E project management tools. Visit https://s2e.systems/docs to get started.

Annotate function not working #112

Closed sebastianwalla closed 6 years ago

sebastianwalla commented 6 years ago

I want to annotate the recv function from ws2_32.dll in Windows 10. I retrieved the DLL from the guest (Win10 Enterprise 1703) and ran dumpbin ws2_32.dll /exports :more in a Visual Studio console in order to get the relative address of the recv function. As a result I got back 0x6ce0. I then registered the DLL to be monitored in the ModuleExecutionDetector plugin in the s2e-config.lua file of my project. I also activated QEMU's default network settings in order to be able to receive something via the network.

add_plugin("ModuleExecutionDetector")
pluginsConfig.ModuleExecutionDetector = {
    mod_0 = {
        moduleName = "main.exe",
        kernelMode = false,
    },

    ws2_32_dll = {
        moduleName = "ws2_32.dll",
        kernelMode = true,
        userMode = true,
    },
}

I then activated the listed plugins, as stated in the Annotations tutorial:

add_plugin("LuaFunctionAnnotation")
add_plugin("LuaBindings")
add_plugin("FunctionMonitor")

All the other plugins like KeyValueStore were already active by default, since I created the project using the s2e new_project command.

I then registered the annotation for the recv function like this:

pluginsConfig.LuaFunctionAnnotation = {
    -- For each function to annotate, provide an entry in the "annotations" table
    annotations = {
        -- define an annotation called "recv_fun"
        recv_fun = {
            -- The name of the module that we are interested in
            module_name = "ws2_32_dll",
            -- The name of the Lua function to call when this annotation is triggered
            name = "recv_annotated",
            -- The virtual address of a function in the given module that will trigger the annotation
            pc = 0x6ce0,
            -- Number of parameters that the function at "pc" takes
            param_count = 4,
            -- Set to "true" to fork a new state when this annotation is triggered
            fork = false,
            -- Calling convention of the function at "pc". Either "cdecl" or "stdcall"
            convention = "stdcall",
        },
    },
}

function recv_annotated(state, annotation_state, is_call, socket, buf, len, flags)
    print("hooking worked")
    state:debug("recv called")
end

However, when I now execute the program, I never find either of these printed outputs. What am I doing wrong? Is the virtual address I found wrong? If so, how else could I find out this address? I know that the recv function is actually executed: print statements of the program being analyzed, which follow the recv call, can be observed. (They are printed into serial.txt, since I removed the piping of stdin and stdout into /dev/null from bootstrap.sh.)

I've been trying to get this working for several days but I can't seem to find the problem. Right now I'm following your documentation at Annotations, but I also read your article The S2E Platform: Design, Implementation, and Application to see how to annotate functions. However, the way to do this in S2E seems to have changed since this article was published.

vitalych commented 6 years ago

Hi, you need to set kernelMode to false for your dll (and remove userMode). Also, the address is not relative but native. E.g., if the DLL's default load address is 0x1000000, specify 0x1006ce0. I'll add an issue to allow specifying functions by name, it should make it much easier.
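The native address the answer describes is the DLL's preferred load address (the ImageBase field of its PE optional header) plus the RVA that dumpbin reports. The following is an added example, not part of this issue or of s2e-env: it reads ImageBase from a PE file and adds the RVA; the build_fake_pe helper constructs a minimal fake PE header so the demonstration runs offline without the real ws2_32.dll (on a real DLL, pass open(path, "rb").read() instead).

```python
import struct


def build_fake_pe(image_base, pe32plus=True):
    """Constructed minimal PE image (not a real DLL): DOS header, PE signature,
    COFF file header and just enough of the optional header to carry ImageBase."""
    e_lfanew = 0x40                                   # PE signature follows the DOS header
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2022)
    if pe32plus:   # PE32+: Magic 0x20b, ImageBase is a QWORD at offset 24
        opt = struct.pack("<HBBIIIIIQ", 0x20B, 0, 0, 0, 0, 0, 0x1000, 0x1000, image_base)
    else:          # PE32: Magic 0x10b, BaseOfData precedes the DWORD ImageBase at offset 28
        opt = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, 0, 0, 0, 0x1000, 0x1000, 0x1000, image_base)
    opt += b"\x00" * (opt_size - len(opt))            # remaining optional-header fields unused here
    return dos + b"PE\0\0" + coff + opt


def image_base(pe_bytes):
    """Return the preferred load address (ImageBase) stored in a PE file's optional header."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                           # skip signature and 20-byte COFF header
    magic = struct.unpack_from("<H", pe_bytes, opt)[0]
    if magic == 0x20B:                                # PE32+ (64-bit DLL)
        return struct.unpack_from("<Q", pe_bytes, opt + 24)[0]
    if magic == 0x10B:                                # PE32 (32-bit DLL)
        return struct.unpack_from("<I", pe_bytes, opt + 28)[0]
    raise ValueError(f"unknown optional header magic {magic:#x}")


def native_address(pe_bytes, rva):
    """Address to put in the annotation's 'pc' field: ImageBase + RVA from dumpbin."""
    return image_base(pe_bytes) + rva


if __name__ == "__main__":
    # Same numbers as the answer: default load address 0x1000000, recv RVA 0x6ce0.
    dll = build_fake_pe(0x1000000)
    print(f"pc = {native_address(dll, 0x6CE0):#x},")   # prints pc = 0x1006ce0,
```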

sebastianwalla commented 6 years ago

Hi, thank you. Yeah, I was unsure about the kernelMode. I tried using native addresses but it didn't work either (probably since more than one DLL is loaded, the ws2_32 DLL is not at the default load address). Being able to simply specify functions by name would be a great relief.

sebastianwalla commented 6 years ago

Why would it even work with specifying the DLL's preferred load address? Shouldn't ASLR destroy this assumption, since the DLL will be loaded each time at a random base address and not at its preferred address?