The purpose of this tool is to identify the field hierarchy of any binary program input. These code is modified from libdft64.
- Only consider the mov type instruction as taint propagation.
- Replace the BDDTag in libdft64 by SegTag which is hierarchical.
- Download Intel Pin 3.x and set PIN_ROOT to Pin's directory.
PREFIX=/path-to-install ./install_pin.sh
- build libdft64
make
cd tools
pin -t obj-intel64/dissinput.so -input_file cur_input -- obj-intel64/mini_test.exe cur_input
This step outputs two files
- input_tree.json This file is the tree of the input(Have removed the redundant nodes).
{
"begin": 0,
"end": 0,
"children": [
{
"begin": 0,
"end": 1764,
"children": [
{
"begin": 1699,
"end": 1764,
"children": [
{
"begin": 1753,
"end": 1762,
"children": []
},
{
"begin": 1747,
"end": 1750,
"children": []
},
{
"begin": 1743,
"end": 1745,
"children": []
}
]
}
]
}
]
}
More usage for this file see M4nval/DISSInput-tmin (github.com).
- tagList.out This file contains all the origin taint tag in program running.
{"id":1, "begin":0, "end":50, "parent":0, "temp":0}
{"id":2, "begin":0, "end":20, "parent":1, "temp":0}
{"id":3, "begin":0, "end":20, "parent":1, "temp":0}
{"id":4, "begin":20, "end":25, "parent":1, "temp":0}
{"id":5, "begin":25, "end":30, "parent":1, "temp":0}
{"id":6, "begin":30, "end":40, "parent":1, "temp":0}
{"id":7, "begin":30, "end":35, "parent":6, "temp":0}
{"id":8, "begin":35, "end":40, "parent":6, "temp":0}
{"id":9, "begin":35, "end":40, "parent":6, "temp":0}
{"id":10, "begin":30, "end":40, "parent":1, "temp":0}
{"id":11, "begin":30, "end":40, "parent":1, "temp":0}
{"id":12, "begin":30, "end":50, "parent":0, "temp":0}
{"id":13, "begin":40, "end":50, "parent":1, "temp":0}
……
In addition, "result_analysis.py" is a tool for visualizing the "tagList.out":
pip install pyecharts
python result_analysis.py
This step draw the picture about the input struct by tagList.out generate by prev step. The output is a file named "result.html".(see the following drawing)
-follow_execv
: Instructs Pin to also instrument all processes spawned using theexec(3)
class system calls by the program.-t
: Specifies the Pin tool to be used.