Program analysis with BitBlaze, part 3: using Vine


Vine procedure

(1) Enter the directory that holds the Vine programs:

   cd bitblaze/vine

(2) (Optional) Translate the trace file to assembly and print it on the console. `>` is the shell redirection operator: it writes the output to a file instead of the terminal. The grep keeps only the lines marked T1.

./trace_utils/trace_reader -trace ~/bitblaze/transfiles/foo1.trace | grep T1

./trace_utils/trace_reader -trace ~/bitblaze/transfiles/foo1.trace | grep T1 > ~/bitblaze/transfiles/foo1print_t1

or, to dump the whole trace without filtering:

./trace_utils/trace_reader -trace ~/bitblaze/transfiles/foo2.trace > ~/bitblaze/transfiles/foo2print

(3) Generate the .il file from the .trace file, then the .stp file from the .il file.

From .trace to .il:

./trace_utils/appreplay -trace ~/bitblaze/transfiles/foo1.trace -ir-out ~/bitblaze/transfiles/foo1.il -assertion-on-var false -use-post-var false

(Passing false for -use-post-var drops the post variable, which keeps the generated IL readable.)

From .il to .stp:

./utils/wputil ~/bitblaze/transfiles/foo1.il -stpout ~/bitblaze/transfiles/foo1.stp

(4) Negate the condition in the .il file, so that the formula describes inputs that leave the traced path instead of following it, and regenerate the .stp file from the negated IL.

(5) Run the STP solver on the .stp file and save the result (redirect the output with > as in step 2):

            ~/bitblaze/vine-1.0/stp/stp ~/bitblaze/transfiles/foo1.stp
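The steps above leave step (4) without a command. The script below is an added example, not code from the original post or from the Vine project: it wraps steps (3) to (5) in one shell function and implements the negation of step (4) by flipping the last assert in the IL. Everything about paths and IL syntax is my assumption, not something the page states: the Vine checkout is taken to be at $VINE (default ~/bitblaze/vine) and the STP binary at $STP (default ~/bitblaze/vine-1.0/stp/stp), matching the paths used in the post, and the IL written by appreplay is assumed to keep each path condition as a one-line statement of the form `assert(<expr>);`. The sample IL in the test is constructed in that assumed form.

```shell
#!/bin/sh
# Added example (not from the original post or from Vine).
# Steps (3)-(5) of the Vine procedure, plus one way to do step (4):
# negate the last assert in the IL and rebuild the STP formula from it.
#
# Assumptions (mine, not stated on the page):
#   * Vine lives at $VINE and STP at $STP, defaulting to the post's paths;
#   * appreplay's IL keeps path conditions as single lines  assert(<expr>);
#     and negating the last one asks STP for an input that diverges from
#     the traced path at the last tainted branch.

VINE="${VINE:-$HOME/bitblaze/vine}"
STP="${STP:-$HOME/bitblaze/vine-1.0/stp/stp}"

# count_asserts FILE
# Prints how many assert(...) statements FILE contains.
count_asserts() {
    grep -c '^[[:space:]]*assert(' "$1"
}

# negate_last_assert IN.il OUT.il
# Copies IN.il to OUT.il, rewriting the last line of the form
#   assert(E);
# into
#   assert(!(E));
# Every other line is copied unchanged. Returns 1 (and writes nothing)
# when IN.il contains no assert statement at all.
negate_last_assert() {
    in_il="$1"
    out_il="$2"
    last_line=$(grep -n '^[[:space:]]*assert(' "$in_il" | tail -n 1 | cut -d: -f1)
    [ -n "$last_line" ] || return 1
    awk -v n="$last_line" '
        NR == n {
            sub(/^[ \t]*assert\(/, "")   # drop the leading "assert("
            sub(/\);[ \t]*$/, "")        # drop the trailing ");"
            print "assert(!(" $0 "));"
            next
        }
        { print }
    ' "$in_il" > "$out_il"
}

# vine_pipeline TRACE.trace OUTDIR
# Step (3): trace -> IL -> STP; step (4): negated IL -> STP;
# step (5): run STP on the negated formula and keep its answer.
vine_pipeline() {
    trace="$1"
    outdir="$2"
    base=$(basename "$trace" .trace)
    mkdir -p "$outdir"

    "$VINE/trace_utils/appreplay" -trace "$trace" -ir-out "$outdir/$base.il" \
        -assertion-on-var false -use-post-var false
    "$VINE/utils/wputil" "$outdir/$base.il" -stpout "$outdir/$base.stp"

    negate_last_assert "$outdir/$base.il" "$outdir/${base}_neg.il" || {
        echo "no assert statement in $outdir/$base.il; nothing to negate" >&2
        return 1
    }
    "$VINE/utils/wputil" "$outdir/${base}_neg.il" -stpout "$outdir/${base}_neg.stp"

    "$STP" "$outdir/${base}_neg.stp" > "$outdir/${base}_neg.result"
    echo "STP result written to $outdir/${base}_neg.result"
}

# Usage: sh vine_flip.sh run ~/bitblaze/transfiles/foo1.trace ~/bitblaze/transfiles/out
if [ "${1:-}" = "run" ]; then
    vine_pipeline "$2" "$3"
fi
```

Flipping only the last assert is the simplest choice; to explore the branch before it, negate the preceding assert instead and drop everything after it, since the IL after a flipped branch no longer describes the path the new input would take.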

 

(***) (Optional) Generate the il/stp/wp files directly from the trace file in a single appreplay run:

   ./trace_utils/appreplay -trace examples/five.trace \
       -stp-out five.stp -ir-out five.il -wp-out five.wp

 ./trace_utils/appreplay -trace /home/zqc/foo.trace -stp-out /home/zqc/foo.stp -ir-out /home/zqc/foo.il -wp-out /home/zqc/foo.wp

 

appreplay usage (output of ~/bitblaze/vine-1.0/trace_utils$ ./appreplay):

Usage: appreplay [options] <tracefile>

  -trace FILE          read trace from FILE
  -state FILE          read process state from FILE
  -state-range 0xDEAD:0xBEEF  initialize range 0xDEAD to 0xBEEF
  -conc-mem-idx        rewrite non-tainted mem indexes to literal values
  -prop-consts         Use evaluator to do constant propagation
  -flatten             flatten IR
  -use-thunks          use eflag thunks (lazy eflag computation).
  -use-post-var        use a post-condition variable instead of asserts.
  -assertion-on-var    create a unique boolean variable for each assertion.
  -deend               Deendianize all memory accesses
  -deend_multi         When de-endianizing, use separate arrays by access size
  -verify-expected     Add asserts to check whether propagated inputs have expected values.
                       (Only makes sense with -concrete)
  -include-all         Disasm and include all instructions, not just tainted.
  -remove-unknowns     Removes some unsupported instructions
  -typecheck           Type check the generated IR
  -concrete            Assign concrete values to input (when building from exec trace)
  -dead                perform dead code elimination
  -early-exit          add early exits when post-condition cannot be satisfied
  -simplify            apply simplifications to the WP
  -ir-out FILE         output trace ir to FILE
  -wp-out FILE         output WP to FILE in IR format
  -stp-out FILE        output trace to FILE in stp format
  -eval                run trace through the evaluator
  -help                Display this list of options
  --help               Display this list of options

 

----------------------------------------------------------------------------------------------------------------

·-trace: selects the trace file generated by TEMU that appreplay operates on.

·-state and -state-range are used to initialize ranges of memory locations from a TEMU state snapshot.

·-conc-mem-idx is an optimization to do some constant propagation, which appears to help STP quite a bit. This will likely become deprecated once some of the STP optimization issues are resolved.

·-prop-consts is another optimization that propagates all constant values using Vine's evaluator.

·-use-thunks if set to true, the generated IR will have calls to functions to update the processor's condition codes (EFLAGS for the x86). If false, this code will be inlined instead. For most analysis purposes this should be disabled. It may be useful for generating a smaller IR with the intent of giving it to the evaluator rather than to STP.

·-use-post-var if this is set to true, then assert statements will be rewritten to update a variable 'post', such that at the end of the trace post will have value true if and only if all assertions would have passed. This is mostly for backwards compatibility for before we introduced the assert statement.

·-deend performs "deendianization", i.e. rewrites all memory expressions to equivalent array expressions. This should usually be enabled.

·-concrete initializes all the 'input' symbols to the values they had in the trace.

·-verify-expected is mostly for regression/sanity tests, in conjunction with -concrete. -verify-expected adds assertions to verify that all operands subsequently computed from those symbols have the same value as they did in the trace, as they should in this case.

·-include-all translates and includes all instructions, rather than only those that (may) operate on tainted data. Generally not desirable, but sometimes useful for debugging.

·-ir-out specifies the output ir file.

·-wp-out and -stp-out tell appreplay to compute the weakest precondition (WP) over the variable post (described above), and convert the resulting IR to an STP formula. The formula holds for inputs that would follow the same execution path as in the trace.

