airbus-seclab / bincat

Binary code static analyser, with IDA integration. Performs value and taint analysis, type reconstruction, use-after-free and double-free detection

Can I taint functions? #131

Closed DerZc closed 2 years ago

DerZc commented 2 years ago

Hi! I have another question. Can I taint a function so that the return value of this function is set as tainted?

szennou commented 2 years ago

You can. In the configuration file, add a section like this:

[libname]
* = fname(conditions on parameters to taint the result)

For instance, to add a rule for memcpy:

[.dynsym]
* = memcpy(_, , )

will taint the return value if either the second or the third argument is tainted.

You can also override the taint and/or value of any register at any instruction:

[override]
instruction address = reg[rname], mask | mem[address], mask

with mask having the same syntax as for the initial state. For instance, to taint r2 at address 0x25484 you'll have:

[override]
0x25484 = reg[r2], !TAINT_ALL