decaf-project / DECAF

DECAF (short for Dynamic Executable Code Analysis Framework) is a binary analysis platform based on QEMU. This is also the home of the DroidScope dynamic Android malware analysis platform. DroidScope is now an extension to DECAF.
GNU General Public License v3.0

find_shadow_arg in tcg_taint.c #99

Closed XMUsuny closed 1 year ago

XMUsuny commented 1 year ago

Hi, I have been using the taint analysis of DECAF these days. During testing, I find that no new instructions are inserted. After checking, I see that the find_shadow_arg function in tcg_taint.c always returns 0 because of the check on the temp in TCGContext:

```c
TCGv find_shadow_arg(TCGv arg)
{
    if (arg < tcg_ctx.nb_globals)
        return shadow_arg[arg];

    /* Check if this temp is allocated in the context */
    if (!tcg_ctx.temps[arg].temp_allocated)
        return 0;
```

However, in QEMU, most instructions are handled in tcg-op.h and do not allocate a new TCGTemp, such as qemu_ld and qemu_st (in fact, one is allocated but freed). Therefore, no new instructions can be added because no shadow args are found:

```c
case INDEX_op_qemu_ld32:
    arg0 = find_shadow_arg(gen_opparam_ptr[-3]);
    if (arg0) {
        /* Patch qemu_ld opcode into taint_qemu_ld */
        gen_opc_ptr[-1] += (INDEX_op_taint_qemu_ld8u - INDEX_op_qemu_ld8u);
```

Could you provide some advice to help me use DECAF? Thanks~

XMUsuny commented 1 year ago

Oh, the tcg_temp_free_internal function returns early if taint is enabled. Now I close this issue.
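The mechanism behind both posts, as an added constructed model that is not DECAF's or QEMU's code: find_shadow_arg only returns a shadow for a temp still marked allocated, so a helper that frees its temp before the taint pass inspects the op would never get patched, which is why the early return in tcg_temp_free_internal matters. The context layout, tcg_temp_new, model_init, emit_and_patch_qemu_ld and the "shadow index = arg + NB_TEMPS" convention are assumptions of this model.

```c
#include <stdbool.h>
/* Constructed model of the TCG temp lifecycle, not DECAF's real data structures. */
#define NB_GLOBALS 4
#define NB_TEMPS   16

typedef int TCGv;                          /* index into tcg_ctx.temps[] */
typedef struct { bool temp_allocated; } TCGTemp;
typedef struct { int nb_globals; TCGTemp temps[NB_TEMPS]; } TCGContext;
static TCGContext tcg_ctx;
static TCGv shadow_arg[NB_TEMPS];          /* guest temp -> shadow temp, 0 = none */
static bool taint_enabled;
/* Reset the model: globals are always allocated and always have a shadow;
 * shadow temps are modelled as indices in a separate range above NB_TEMPS. */
static void model_init(bool taint) {
    taint_enabled = taint;
    tcg_ctx.nb_globals = NB_GLOBALS;
    for (int i = 0; i < NB_TEMPS; i++) {
        tcg_ctx.temps[i].temp_allocated = (i < NB_GLOBALS);
        shadow_arg[i] = (i < NB_GLOBALS) ? i + NB_TEMPS : 0;
    }
}
/* Same lookup as quoted in the issue: a shadow exists only for a live temp. */
static TCGv find_shadow_arg(TCGv arg) {
    if (arg < tcg_ctx.nb_globals)
        return shadow_arg[arg];
    if (!tcg_ctx.temps[arg].temp_allocated)   /* freed temp -> no shadow */
        return 0;
    return shadow_arg[arg];
}
static TCGv tcg_temp_new(void) {
    for (TCGv i = tcg_ctx.nb_globals; i < NB_TEMPS; i++)
        if (!tcg_ctx.temps[i].temp_allocated) {
            tcg_ctx.temps[i].temp_allocated = true;
            shadow_arg[i] = i + NB_TEMPS;  /* shadow assigned on allocation */
            return i;
        }
    return -1;                             /* out of temps (not reached here) */
}
static void tcg_temp_free_internal(TCGv arg) {
    if (taint_enabled)                     /* the early return noted in the reply */
        return;
    tcg_ctx.temps[arg].temp_allocated = false;
    shadow_arg[arg] = 0;
}
/* Models the tcg-op.h qemu_ld pattern: temp allocated, used, then freed before
 * the taint pass looks at the op. Returns whether the op would be patched. */
static bool emit_and_patch_qemu_ld(void) {
    TCGv t = tcg_temp_new();
    tcg_temp_free_internal(t);
    return find_shadow_arg(t) != 0;
}
```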