cmu-sei / pharos

Automated static analysis tools for binary programs

thisptr-overhaul branch to improve support for virtual bases #224

Closed sei-eschwartz closed 2 years ago

sei-eschwartz commented 2 years ago

I am sure I'll forget my progress by the time I get back from vacation, so I'll add some notes here. I added a new fact type, thisPtrDefinition, which expresses pointers as expressions.

Here is an example:

```
[eschwartz@pd4 Lite]$ cat oo.facts | fgrep sv_3544081266679891044
possibleVFTableWrite(0x402487, 0x40247e, sv_18024155638382103558, 0, sv_3544081266679891044, 0x41238c).
thisPtrDefinition(sv_3544081266679891044, add([read([sv(sv_2925039723046125976, 'Mem'), add([read([sv(sv_2925039723046125976, 'Mem'), sv(sv_10664833297080542982, ecx_0)]), 0x4])]), sv(sv_10664833297080542982, ecx_0)]), 0x402487, 0x40247e).
```

I added a hash for the "full" or "expanded" thisptr to possibleVFTableWrite, which is sv_3544081266679891044 here. Then we can see the definition of sv_3544081266679891044, which must be describing a virtual base. Notice that the "old" fact information of sv_18024155638382103558 and offset 0 is laughably wrong.

So how do we use this on the vft_overwrite branch? Perhaps by verifying that the address is an offset from ecx at some point.

Originally posted by @edmcman in https://github.com/cmu-sei/pharos/issues/222#issuecomment-1130473655
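To make the thisPtrDefinition expression in the comment above concrete, here is an added Python example. It is not pharos code and not from the issue author: it tokenizes and parses the term syntax of the quoted fact, renders the pointer expression in C-like notation, and reports whether the pointer is an offset from a register and how many memory loads the displacement needs, which is the "offset from ecx" check the comment suggests. The grammar it accepts (functor(args), [lists], sv(Hash, Name) leaves, a quoted 'Mem' atom for the memory state, hex or decimal constants) is inferred from the single fact on this page and is an assumption, as are all function names. On the quoted fact it reports base ecx_0 with a displacement that takes two loads, i.e. ecx_0 + *(*ecx_0 + 0x4): the displacement is itself fetched through a table reached from ecx_0, which is the shape one expects for a virtual-base offset rather than a fixed embedded-member offset.

```python
"""Parse and classify thisPtrDefinition expressions (added example, not pharos code).
Term grammar is inferred from the one fact quoted in the issue; it is an assumption."""
import re

# Constructed input: the thisPtrDefinition fact quoted in the issue.
FACT = ("thisPtrDefinition(sv_3544081266679891044, "
        "add([read([sv(sv_2925039723046125976, 'Mem'), "
        "add([read([sv(sv_2925039723046125976, 'Mem'), "
        "sv(sv_10664833297080542982, ecx_0)]), 0x4])]), "
        "sv(sv_10664833297080542982, ecx_0)]), 0x402487, 0x40247e).")

TOKEN = re.compile(r"\s*(?:(0x[0-9a-fA-F]+|\d+)|('[^']*'|[A-Za-z_]\w*)|([()\[\],]))")


def tokenize(text):
    """Split a Prolog-style term into (kind, value) tokens; drops the final '.'."""
    text = text.strip().rstrip(".")
    toks, pos = [], 0
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m or m.end() == pos:
            raise ValueError(f"unexpected input at {pos}: {text[pos:pos + 12]!r}")
        num, name, punct = m.groups()
        if num is not None:
            toks.append(("num", int(num, 0)))       # int(..., 0) accepts 0x.. and decimal
        elif name is not None:
            toks.append(("name", name))            # quoted atoms keep their quotes
        elif punct is not None:
            toks.append(("punct", punct))
        pos = m.end()
    return toks


class _Parser:
    def __init__(self, toks):
        self.toks, self.i = toks, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind, value=None):
        k, v = self.peek()
        if k != kind or (value is not None and v != value):
            raise ValueError(f"expected {value or kind}, got {v!r}")
        self.i += 1
        return v

    def term(self):
        k, v = self.peek()
        if k == "num":
            return self.take("num")
        if (k, v) == ("punct", "["):
            self.take("punct", "[")
            return self.args("]")                  # Prolog list -> Python list
        name = self.take("name")
        if self.peek() == ("punct", "("):          # compound term -> (functor, args)
            self.take("punct", "(")
            return (name, self.args(")"))
        return name                                # bare atom -> str

    def args(self, closer):
        out = []
        if self.peek() == ("punct", closer):
            self.take("punct", closer)
            return out
        while True:
            out.append(self.term())
            if self.peek() == ("punct", ","):
                self.take("punct", ",")
                continue
            self.take("punct", closer)
            return out


def parse(text):
    p = _Parser(tokenize(text))
    t = p.term()
    if p.i != len(p.toks):
        raise ValueError("trailing tokens after term")
    return t


def is_reg(t):
    """sv(Hash, Name) whose Name is a register, not the quoted 'Mem' state."""
    return isinstance(t, tuple) and t[0] == "sv" and not str(t[1][1]).startswith("'")


def render(t):
    """Pretty-print an expression in C-like notation."""
    if isinstance(t, int):
        return hex(t)
    if isinstance(t, str):
        return t
    if isinstance(t, list):
        return "[" + ", ".join(render(a) for a in t) + "]"
    name, args = t
    if name == "sv":
        return str(args[1])
    if name == "add":
        return "(" + " + ".join(render(a) for a in args[0]) + ")"
    if name == "read":                             # read([MemState, Address])
        return "*" + render(args[0][1])
    return name + "(" + ", ".join(render(a) for a in args) + ")"


def loads(t):
    """Number of nested memory reads needed to evaluate the expression."""
    if isinstance(t, list):
        return max((loads(a) for a in t), default=0)
    if not isinstance(t, tuple):
        return 0
    name, args = t
    return 1 + loads(args[0][1]) if name == "read" else loads(args)


def classify(t):
    """Is the pointer 'register + displacement', and is that displacement constant or loaded?"""
    if is_reg(t):
        return {"base": t[1][1], "kind": "register", "loads": 0}
    if isinstance(t, tuple) and t[0] == "add":
        regs = [o for o in t[1][0] if is_reg(o)]
        rest = [o for o in t[1][0] if not is_reg(o)]
        if len(regs) == 1:
            base = regs[0][1][1]
            if all(isinstance(o, int) for o in rest):
                return {"base": base, "kind": "constant", "loads": 0, "displacement": sum(rest)}
            return {"base": base, "kind": "loaded", "loads": loads(rest), "displacement": render(rest)}
    return {"base": None, "kind": "unknown", "loads": loads(t)}


def describe_definition(line):
    """Summarise a thisPtrDefinition(Hash, Expr, Insn, Func) fact (argument order as in the issue)."""
    pred, (thisptr, expr, insn, func) = parse(line)
    if pred != "thisPtrDefinition":
        raise ValueError(f"not a thisPtrDefinition fact: {pred}")
    info = classify(expr)
    info.update(thisptr=thisptr, insn=insn, func=func, expr=render(expr))
    return info


if __name__ == "__main__":
    print(describe_definition(FACT))
```

A fact whose displacement is a plain constant (for example `add([sv(sv_1, ecx_0), 0x8])`, a constructed input) classifies as `constant` with displacement 8, the embedded-member case; the fact from the issue classifies as `loaded` with two loads, which is the case the "old" offset-0 information in possibleVFTableWrite cannot express.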

sei-eschwartz commented 2 years ago

This branch adds thisPtrDefinition, which we are going to need to properly support virtual bases.

sei-eschwartz commented 2 years ago

All this branch does is add more information to thisptrs. Is there a reason we can't merge it to master immediately?

sei-eschwartz commented 2 years ago

Unit tests pass