Program analysis with BitBlaze, part 3: using VINE

Vine workflow

(1) Change into the directory that holds the vine programs

   cd bitblaze/vine


(2) (Optional) Translate the trace file into assembly and display it on the console; the > symbol is the redirection operator and writes the output into a file instead.

./trace_utils/trace_reader -trace ~/bitblaze/transfiles/foo1.trace | grep T1

./trace_utils/trace_reader -trace ~/bitblaze/transfiles/foo1.trace | grep T1 > ~/bitblaze/transfiles/foo1print_t1

or, for the whole trace:

./trace_utils/trace_reader -trace ~/bitblaze/transfiles/foo2.trace > ~/bitblaze/transfiles/foo2print


(3) Generate an il file from the .trace, then generate an stp file from the il file:

Generate the il file from the .trace:

./trace_utils/appreplay -trace ~/bitblaze/transfiles/foo1.trace -ir-out ~/bitblaze/transfiles/foo1.il -assertion-on-var false -use-post-var false

(the two false flags drop the post variable, which makes the generated code easier to read)

Then generate the stp file from the il file:

./utils/wputil ~/bitblaze/transfiles/foo1.il -stpout ~/bitblaze/transfiles/foo1.stp


(4) Negate the condition in the il file and regenerate the stp file

(5) Feed the stp file to the STP solver and save the solver's result
            ~/bitblaze/vine-1.0/stp/stp ~/bitblaze/transfiles/foo1.stp

 
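The steps above chained into one script, as an added example that is not code from the original post or from the BitBlaze project. It assumes the vine-1.0 tree is at VINE_DIR (default ~/bitblaze/vine-1.0) with the STP binary at VINE_DIR/stp/stp as in the post, and adds a DRY_RUN=1 mode (my own convention) that prints the commands instead of running them.

```shell
# Added example: chains steps (3) and (5) above, trace -> IL -> STP formula -> STP solver.
# Assumptions: VINE_DIR is the vine-1.0 tree (default ~/bitblaze/vine-1.0), the STP
# binary is $VINE_DIR/stp/stp, and DRY_RUN=1 should print each command instead of
# running it, so the pipeline can be checked before a long replay.
VINE_DIR="${VINE_DIR:-$HOME/bitblaze/vine-1.0}"
DRY_RUN="${DRY_RUN:-0}"

# run CMD ARGS...: execute, or echo the command line when DRY_RUN=1; report failures.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@" || { echo "failed: $*" >&2; return 1; }
    fi
}

# Step (3a): replay the TEMU trace into Vine IL, without the post variable.
trace_to_il() {
    run "$VINE_DIR/trace_utils/appreplay" -trace "$1" -ir-out "$2" \
        -assertion-on-var false -use-post-var false
}

# Step (3b): compute the weakest precondition of the IL and emit an STP formula.
il_to_stp() {
    run "$VINE_DIR/utils/wputil" "$1" -stpout "$2"
}

# Step (5): hand the formula to the STP solver; its stdout is the result to keep.
solve_stp() {
    run "$VINE_DIR/stp/stp" "$1"
}

# pipeline TRACE: derive foo.il / foo.stp next to foo.trace and run every stage,
# stopping at the first one that fails.
pipeline() {
    trace="$1"
    base="${trace%.trace}"
    if [ "$DRY_RUN" != 1 ] && [ ! -f "$trace" ]; then
        echo "no such trace: $trace" >&2
        return 1
    fi
    trace_to_il "$trace" "$base.il" &&
        il_to_stp "$base.il" "$base.stp" &&
        solve_stp "$base.stp"
}

if [ $# -gt 0 ]; then
    pipeline "$1"
fi
```

Run it as `sh vine_pipeline.sh ~/bitblaze/transfiles/foo1.trace > foo1.result`; with DRY_RUN=1 it only prints the three command lines it would execute.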

(***) (Optional) Generate the il/stp/wp files directly from the trace file

   ./trace_utils/appreplay -trace examples/five.trace \
 -stp-out five.stp -ir-out five.il -wp-out five.wp

 ./trace_utils/appreplay -trace /home/zqc/foo.trace -stp-out /home/zqc/foo.stp -ir-out /home/zqc/foo.il -wp-out /home/zqc/foo.wp


Usage of the appreplay tool (output of ~/bitblaze/vine-1.0/trace_utils$ ./appreplay):

Usage: appreplay [options] <tracefile>
  -trace FILE     read trace from FILE
  -state FILE      read process state from FILE
  -state-range 0xDEAD:0xBEEF  initialize range 0xDEAD to 0xBEEF
  -conc-mem-idx      rewrite non-tainted mem indexes to literal values
  -prop-consts   Use evaluator to do constant propagation
  -flatten    flatten IR
  -use-thunks     use eflag thunks (lazy eflag computation).
  -use-post-var use a post-condition variable instead of asserts.
  -assertion-on-var   create a unique boolean variable for each assertion.
  -deend     Deendianize all memory accesses
  -deend_multi When de-endianizing, use separate arrays by access size
  -verify-expected    Add asserts to check whether propagated inputs have expected values.
               (Only makes sense with -concrete)
  -include-all     Disasm and include all instructions, not just tainted.
  -remove-unknowns      Removes some unsupported instructions
  -typecheck      Type check the generated IR
  -concrete Assign concrete values to input (when building from exec trace)
  -dead      perform dead code elimination
  -early-exit       add early exits when post-condition cannot be satisfied
  -simplify apply simplifications to the WP
  -ir-out FILE    output trace ir to FILE
  -wp-out FILE  output WP to FILE in IR format
  -stp-out FILE  output trace to FILE in stp format
  -eval run trace through the evaluator
  -help  Display this list of options
  --help  Display this list of options


----------------------------------------------------------------------------------------------------------------

· -trace: specifies the TEMU-generated trace file that appreplay operates on.

· -state and -state-range are used to initialize ranges of memory locations from a TEMU state snapshot.

· -conc-mem-idx is an optimization to do some constant propagation, which appears to help STP quite a bit. This will likely become deprecated once some of the STP optimization issues are resolved.

· -prop-consts is another optimization that propagates all constant values using Vine's evaluator.

· -use-thunks: if set to true, the generated IR will have calls to functions to update the processor's condition codes (EFLAGS for the x86). If false, this code will be inlined instead. For most analysis purposes this should be disabled. It may be useful for generating a smaller IR with the intent of giving it to the evaluator rather than to STP.

· -use-post-var: if this is set to true, then assert statements will be rewritten to update a variable 'post', such that at the end of the trace post will have value true if and only if all assertions would have passed. This is mostly for backwards compatibility from before the assert statement was introduced.

· -deend performs "deendianization", i.e. rewrites all memory expressions to equivalent array expressions. This should usually be enabled.

· -concrete initializes all the 'input' symbols to the values they had in the trace.

· -verify-expected is mostly for regression/sanity tests, in conjunction with -concrete. -verify-expected adds assertions to verify that all operands subsequently computed from those symbols have the same value as they did in the trace, as they should in this case.

· -include-all translates and includes all instructions, rather than only those that (may) operate on tainted data. Generally not desirable, but sometimes useful for debugging.

· -ir-out specifies the output ir file.

· -wp-out and -stp-out tell appreplay to compute the weakest precondition (WP) over the variable post (described above), and convert the resulting IR to an STP formula. The formula holds for inputs that would follow the same execution path as in the trace.

