Vine operating steps
(1) Change into the directory containing the vine tools (the ./trace_utils and ./utils paths below are relative to it)
cd bitblaze/vine
(2) (Optional) Translate the trace file into assembly and show it on the console. grep T1 keeps only the lines containing T1; > is the shell redirection operator and writes the output into a file instead of the console.
./trace_utils/trace_reader -trace ~/bitblaze/transfiles/foo1.trace | grep T1
./trace_utils/trace_reader -trace ~/bitblaze/transfiles/foo1.trace | grep T1 > ~/bitblaze/transfiles/foo1print_t1
or, for the complete listing: ./trace_utils/trace_reader -trace ~/bitblaze/transfiles/foo2.trace > ~/bitblaze/transfiles/foo2print
(3) Generate an il file from the .trace, then an stp file from the il file:
Trace to il:
./trace_utils/appreplay -trace ~/bitblaze/transfiles/foo1.trace -ir-out ~/bitblaze/transfiles/foo1.il -assertion-on-var false -use-post-var false
(-use-post-var false keeps the assert statements instead of folding them into the post variable, which makes the IL easier to read)
il to stp:
./utils/wputil ~/bitblaze/transfiles/foo1.il -stpout ~/bitblaze/transfiles/foo1.stp
(4) Negate the condition in the il file (so the formula describes inputs that would not follow the traced path) and regenerate the stp file from it
(5) Run the STP solver on the stp file and save its output as the result (e.g. by redirecting it to a file)
~/bitblaze/vine-1.0/stp/stp ~/bitblaze/transfiles/foo1.stp
(***) (Optional) Generate the il, stp and wp files directly from the trace file in a single appreplay run
./trace_utils/appreplay -trace examples/five.trace \
-stp-out five.stp -ir-out five.il -wp-out five.wp
./trace_utils/appreplay -trace /home/zqc/foo.trace -stp-out /home/zqc/foo.stp -ir-out /home/zqc/foo.il -wp-out /home/zqc/foo.wp
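Steps (2), (3), (5) and (***) above, wrapped into one POSIX shell script. This is an added example, not part of the original notes or of the BitBlaze/Vine distribution. It assumes VINE_DIR is the vine tree (the cd bitblaze/vine of step (1)), STP_BIN is the stp binary shipped with vine-1.0, the tools accept exactly the option names shown on this page, and the negated IL of step (4) is produced by hand and passed in as an optional third argument. The function names, the variable names and the DRY_RUN switch are this script's own.

```shell
#!/bin/sh
# Added example: drives the Vine trace -> IL -> STP -> solve pipeline from the
# notes above.  Not part of the original notes or of the BitBlaze distribution.
# Assumptions: VINE_DIR is the vine tree, STP_BIN the stp binary that ships with
# vine-1.0, and the tools keep the option names shown on this page.
# DRY_RUN=1 prints each command line instead of executing it.

VINE_DIR="${VINE_DIR:-$HOME/bitblaze/vine}"
STP_BIN="${STP_BIN:-$HOME/bitblaze/vine-1.0/stp/stp}"
DRY_RUN="${DRY_RUN:-0}"

# run: echo the command line, then execute it through sh unless DRY_RUN=1.
# Going through sh -c keeps the | and > of step (2) meaningful.  A failing
# tool fails this step, so a broken path is not silently ignored.
run() {
    printf '%s\n' "$1"
    [ "$DRY_RUN" = "1" ] && return 0
    sh -c "$1"
}

# Step (2): dump the trace as assembly, keep only lines matching FILTER
# (the notes use T1) and redirect them into OUT.
dump_trace() { # dump_trace TRACE OUT [FILTER]
    run "$VINE_DIR/trace_utils/trace_reader -trace $1 | grep ${3:-T1} > $2"
}

# Step (3a): trace -> IL.  -use-post-var false keeps the assert statements
# instead of the post variable, which makes the IL easier to read.
trace_to_il() { # trace_to_il TRACE IL
    run "$VINE_DIR/trace_utils/appreplay -trace $1 -ir-out $2 -assertion-on-var false -use-post-var false"
}

# Step (3b): IL -> STP formula via wputil.
il_to_stp() { # il_to_stp IL STP
    run "$VINE_DIR/utils/wputil $1 -stpout $2"
}

# Step (5): run STP on a formula and keep its output in OUT.
solve_stp() { # solve_stp STP OUT
    run "$STP_BIN $1 > $2"
}

# Alternative (***): let appreplay emit IL, WP and STP in one pass.
trace_to_all() { # trace_to_all TRACE BASENAME
    run "$VINE_DIR/trace_utils/appreplay -trace $1 -ir-out $2.il -wp-out $2.wp -stp-out $2.stp"
}

# Whole pipeline for one trace.  Step (4), negating the IL, is a manual edit in
# the notes; pass the negated IL as the optional third argument to solve it too.
pipeline() { # pipeline TRACE WORKDIR [NEGATED_IL]
    t="$1"; d="$2"; b="$(basename "$t" .trace)"
    [ "$DRY_RUN" = "1" ] || [ -x "$VINE_DIR/trace_utils/appreplay" ] || {
        echo "appreplay not found under $VINE_DIR" >&2; return 1; }
    dump_trace "$t" "$d/${b}print_t1"
    trace_to_il "$t" "$d/$b.il"
    il_to_stp "$d/$b.il" "$d/$b.stp"
    solve_stp "$d/$b.stp" "$d/$b.result"
    if [ -n "$3" ]; then
        il_to_stp "$3" "$d/${b}_neg.stp"
        solve_stp "$d/${b}_neg.stp" "$d/${b}_neg.result"
    fi
}

# Usage: DRY_RUN=1 sh vine_pipeline.sh ~/bitblaze/transfiles/foo1.trace ~/bitblaze/transfiles
if [ $# -ge 2 ]; then pipeline "$@"; fi
```

DRY_RUN=1 prints the four (or, with a negated IL, six) command lines without running anything, which is a cheap way to check the paths before touching real traces; without it each command is executed in order and the script stops at the first tool that fails.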
Usage of the appreplay tool (as printed by ~/bitblaze/vine-1.0/trace_utils$ ./appreplay):
Usage: appreplay [options] <tracefile>
  -trace FILE                 read trace from FILE
  -state FILE                 read process state from FILE
  -state-range 0xDEAD:0xBEEF  initialize range 0xDEAD to 0xBEEF
  -conc-mem-idx               rewrite non-tainted mem indexes to literal values
  -prop-consts                Use evaluator to do constant propagation
  -flatten                    flatten IR
  -use-thunks                 use eflag thunks (lazy eflag computation).
  -use-post-var               use a post-condition variable instead of asserts.
  -assertion-on-var           create a unique boolean variable for each assertion.
  -deend                      Deendianize all memory accesses
  -deend_multi                When de-endianizing, use separate arrays by access size
  -verify-expected            Add asserts to check whether propagated inputs have expected values.
                              (Only makes sense with -concrete)
  -include-all                Disasm and include all instructions, not just tainted.
  -remove-unknowns            Removes some unsupported instructions
  -typecheck                  Type check the generated IR
  -concrete                   Assign concrete values to input (when building from exec trace)
  -dead                       perform dead code elimination
  -early-exit                 add early exits when post-condition cannot be satisfied
  -simplify                   apply simplifications to the WP
  -ir-out FILE                output trace ir to FILE
  -wp-out FILE                output WP to FILE in IR format
  -stp-out FILE               output trace to FILE in stp format
  -eval                       run trace through the evaluator
  -help                       Display this list of options
  --help                      Display this list of options
----------------------------------------------------------------------------------------------------------------
·-trace: specifies the trace file generated by TEMU that appreplay operates on.
·-state and -state-range are used to initialize ranges of memory locations from a TEMU state snapshot.
·-conc-mem-idx is an optimization to do some constant propagation, which appears to help STP quite a bit. This will likely become deprecated once some of the STP optimization issues are resolved.
·-prop-consts is another optimization that propagates all constant values using Vine's evaluator.
·-use-thunks if set to true, the generated IR will have calls to functions to update the processor's condition codes (EFLAGS for the x86). If false, this code will be inlined instead. For most analysis purposes this should be disabled. It may be useful for generating a smaller IR with the intent of giving it to the evaluator rather than to STP.
·-use-post-var if this is set to true, then assert statements will be rewritten to update a variable 'post', such that at the end of the trace post will have value true if and only if all assertions would have passed. This is mostly for backwards compatibility from before the assert statement was introduced.
·-deend performs "deendianization", i.e. rewrites all memory expressions to equivalent array expressions. This should usually be enabled.
·-concrete initializes all the 'input' symbols to the values they had in the trace.
·-verify-expected is mostly for regression/sanity tests, in conjunction with -concrete. -verify-expected adds assertions to verify that all operands subsequently computed from those symbols have the same value as they did in the trace, as they should in this case.
·-include-all translates and includes all instructions, rather than only those that (may) operate on tainted data. Generally not desirable, but sometimes useful for debugging.
·-ir-out specifies the output ir file.
·-wp-out and -stp-out tell appreplay to compute the weakest precondition (WP) over the variable post (described above), and convert the resulting IR to an STP formula. The formula holds for inputs that would follow the same execution path as in the trace.