author | huangs <huangs@chromium.org> | 2015-09-18 11:52:56 -0700 |
committer | Commit bot <commit-bot@chromium.org> | 2015-09-18 18:53:28 +0000 |
commit | 6d2a30316defffdd77c473547063316ebb9c279b (patch) | |
tree | 6de1afe27ab096196c1c4e92587c19519691b443 /courgette/testdata | |
parent | 6d5ddf5cd94ed429df19496948062fe137e68116 (diff) | |
[Courgette] Refactor: Adding Rel32FinderWin32X86_Basic and Unittests
We're planning to improve heuristic to find Rel32 addresses for Win32 x86.
First refactor by extracting the feature into its own class. This also
led to the extraction of RVA and various helpers from disassembler.h to
image_utils.h.
Also adding unittests for Rel32FinderWin32X86_Basic. The test is
data-driven by adding a simple parser for test data.
BUG=
Review URL: https://codereview.chromium.org/1344173003
Cr-Commit-Position: refs/heads/master@{#349727}
Diffstat (limited to 'courgette/testdata')
-rw-r--r-- | courgette/testdata/rel32_win32_x86_01.txt | 55 | ||||
-rw-r--r-- | courgette/testdata/rel32_win32_x86_02.txt | 62 | ||||
-rw-r--r-- | courgette/testdata/rel32_win32_x86_03.txt | 40 | ||||
-rw-r--r-- | courgette/testdata/rel32_win32_x86_04.txt | 47 |
4 files changed, 204 insertions, 0 deletions
diff --git a/courgette/testdata/rel32_win32_x86_01.txt b/courgette/testdata/rel32_win32_x86_01.txt
new file mode 100644
index 0000000..4234c86
--- /dev/null
+++ b/courgette/testdata/rel32_win32_x86_01.txt
@@ -0,0 +1,55 @@
+# Test all rel32 jump instructions.
+
+# .text start RVA and end RVA
+1000
+3000
+# .reloc start RVA and end RVA
+3800
+4000
+# End RVA
+5000
+
+# Assume ImageBase = 00400000. This does not affect the test.
+Program:
+ 00401000: 55 push ebp
+ 00401001: 8B EC mov ebp,esp
+ 00401003: E8 00 00 00 00 call 00401008
+ 00401008: E9 00 00 00 00 jmp 0040100D
+ 0040100D: 0F 80 00 00 00 00 jo 00401013
+ 00401013: 0F 81 00 00 00 00 jno 00401019
+ 00401019: 0F 82 00 00 00 00 jb 0040101F
+ 0040101F: 0F 83 00 00 00 00 jae 00401025
+ 00401025: 0F 84 00 00 00 00 je 0040102B
+ 0040102B: 0F 85 00 00 00 00 jne 00401031
+ 00401031: 0F 86 00 00 00 00 jbe 00401037
+ 00401037: 0F 87 00 00 00 00 ja 0040103D
+ 0040103D: 0F 88 00 00 00 00 js 00401043
+ 00401043: 0F 89 00 00 00 00 jns 00401049
+ 00401049: 0F 8A 00 00 00 00 jp 0040104F # Ignored!
+ 0040104F: 0F 8B 00 00 00 00 jnp 00401055 # Ignored!
+ 00401055: 0F 8C 00 00 00 00 jl 0040105B
+ 0040105B: 0F 8D 00 00 00 00 jge 00401061
+ 00401061: 0F 8E 00 00 00 00 jle 00401067
+ 00401067: 0F 8F 00 00 00 00 jg 0040106D
+ 0040106D: 5D pop ebp
+ 0040106E: C3 ret
+
+Abs32:
+
+Expected:
+1004
+1009
+100F
+1015
+101B
+1021
+1027
+102D
+1033
+1039
+103F
+1045
+1057
+105D
+1063
+1069
diff --git a/courgette/testdata/rel32_win32_x86_02.txt b/courgette/testdata/rel32_win32_x86_02.txt
new file mode 100644
index 0000000..a9e5b12
--- /dev/null
+++ b/courgette/testdata/rel32_win32_x86_02.txt
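Review bot: The two `# Ignored!` markers on the jp (0F 8A) and jnp (0F 8B) lines, together with the matching gaps at 104B and 1051 in the Expected list, give no reason for the exclusion, so a reader cannot tell whether this is intended finder behaviour or an oversight in the fixture. A comment above the Program block would make the contract explicit, e.g. `# jp/jnp (0F 8A / 0F 8B) are deliberately not recognised by the finder, so their` / `# operands (104B, 1051) must not appear in Expected.` — assuming the exclusion is indeed deliberate in Rel32FinderWin32X86_Basic, which this fixture alone does not show. The same unexplained markers appear in rel32_win32_x86_02.txt.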
@@ -0,0 +1,62 @@
+# Test rel32 jump instructions with abs32 and .reloc obstructions.
+
+# .text start RVA and end RVA
+1000
+3000
+# .reloc start RVA and end RVA
+# Typically this won't overlap with .text.
+# Note: If we use 1020, then the algorithm would never encounter it, so the
+# .reloc does not get skipped! This edge case is not worth fixing right now.
+101F
+1030
+# End RVA
+5000
+
+# Assume ImageBase = 00400000. This does not affect the test.
+Program:
+ 00401000: 55 push ebp
+ 00401001: 8B EC mov ebp,esp
+ 00401003: E8 00 00 00 00 call 00401008 # Overlaps with abs32
+ 00401008: E9 00 00 00 00 jmp 0040100D # Overlaps with abs32
+ 0040100D: 0F 80 00 00 00 00 jo 00401013
+ 00401013: 0F 81 00 00 00 00 jno 00401019
+ 00401019: 0F 82 00 00 00 00 jb 0040101F
+ 0040101F: 0F 83 00 00 00 00 jae 00401025 # Overlaps with .reloc
+ 00401025: 0F 84 00 00 00 00 je 0040102B # Overlaps with .reloc
+ 0040102B: 0F 85 00 00 00 00 jne 00401031 # Overlaps with .reloc
+ 00401031: 0F 86 00 00 00 00 jbe 00401037
+ 00401037: 0F 87 00 00 00 00 ja 0040103D
+ 0040103D: 0F 88 00 00 00 00 js 00401043
+ 00401043: 0F 89 00 00 00 00 jns 00401049
+ 00401049: 0F 8A 00 00 00 00 jp 0040104F # Ignored!
+ 0040104F: 0F 8B 00 00 00 00 jnp 00401055 # Ignored!
+ 00401055: 0F 8C 00 00 00 00 jl 0040105B # Overlaps with abs32
+ 0040105B: 0F 8D 00 00 00 00 jge 00401061 # Overlaps with abs32
+ 00401061: 0F 8E 00 00 00 00 jle 00401067
+ 00401067: 0F 8F 00 00 00 00 jg 0040106D
+ 0040106D: 5D pop ebp
+ 0040106E: C3 ret
+
+Abs32:
+1004
+1008
+105A # Straddles across two instruction.
+105F # Same, but covers the op code (and not the target) of the second.
+
+Expected:
+# 1004
+# 1009
+100F
+1015
+101B
+# 1021
+# 1027
+# 102D
+1033
+1039
+103F
+1045
+# 1057
+# 105D
+1063 # Op code 0F 8E overlaps with abs32 105F, but still okay
+1069
diff --git a/courgette/testdata/rel32_win32_x86_03.txt b/courgette/testdata/rel32_win32_x86_03.txt
new file mode 100644
index 0000000..6403b10
--- /dev/null
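Review bot: The abs32 entries exercise a one-byte overlap at the high end of an operand (105A) and an entry that ends exactly one byte before an operand (105F), but there is no entry that starts exactly one byte after an operand ends, so an inclusive-vs-exclusive mistake in the upper bound of the abs32 exclusion would go unnoticed. A constructed addition that fits this fixture is an abs32 entry at `1049`: it begins on the byte right after the jns operand 1045–1048 and lands only on the ignored jp, so Expected should still list 1045 and nothing else changes. The `# Note:` about a .reloc start of 1020 records a known miss that the fixture then avoids rather than pins; if it is not going to be fixed, that limitation is worth stating in the finder's own comments, not only here.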
+++ b/courgette/testdata/rel32_win32_x86_03.txt
@@ -0,0 +1,40 @@
+# Test target validity: only accept target RVA in [1000, 3000).
+
+# .text start RVA and end RVA
+1000
+3000
+# .reloc start RVA and end RVA
+3800
+4000
+# End RVA
+5000
+
+# Assume ImageBase = 00400000. This does not affect the test.
+Program:
+ 00401000: 55 push ebp
+ 00401001: 8B EC mov ebp,esp
+ 00401003: E8 F8 EF FF FF call 00400000 # RVA start, outside .text
+ 00401008: E8 F3 FF FF FF call 00401000
+ 0040100D: E8 ED FF FF FF call 00400FFF # 1 byte before .text
+ 00401012: 90 nop # Padding so E8 & E9 ...
+ 00401013: 90 nop
+ 00401014: E9 E7 FF FF FF jmp 00401000 # ... don't appear here.
+ 00401019: E9 E1 FF FF FF jmp 00400FFF # 1 byte before .text
+ 0040101E: E8 DC 1F 00 00 call 00402FFF
+ 00401023: E8 D8 1F 00 00 call 00403000 # 1 byte after .text
+ 00401028: 0F 87 D1 1F 00 00 ja 00402FFF
+ 0040102E: 0F 88 CC 1F 00 00 js 00403000 # 1 byte after .text
+ 00401034: E8 C6 3F 00 00 call 00404FFF # In image, outside .text
+ 00401039: E8 C2 3F 00 00 call 00405000 # Outside image
+ 0040103E: E8 BE 3F 00 00 call 00405001 # Outside image
+ 00401043: E8 88 88 88 88 call 88C898D0 # Far away
+ 00401048: 5D pop ebp
+ 00401049: C3 ret
+
+Abs32:
+
+Expected:
+1009
+1015
+101F
+102A
diff --git a/courgette/testdata/rel32_win32_x86_04.txt b/courgette/testdata/rel32_win32_x86_04.txt
new file mode 100644
index 0000000..30b4f26
--- /dev/null
+++ b/courgette/testdata/rel32_win32_x86_04.txt
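Review bot: Every boundary case in this fixture is probed through the branch target (00400FFF, 00403000, 00405000 and so on), but no case places the rel32 operand itself across a boundary — an opcode whose 4-byte operand would run past the .text end RVA or past the End RVA. For a finder that scans images it did not produce, reading the operand bytes beyond the section end is the bounds condition most worth pinning, and this is the file whose header claims target validity. Within this format the cheapest way is a fifth fixture (constructed) that reuses this Program but sets the .text end RVA to 1046, so the E8 at 1043 has its operand 1044–1047 straddling the end and the Expected list shows whether the finder refuses it; the present four files all keep the operands well inside [1000, 3000).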
@@ -0,0 +1,47 @@
+# Test false detection cases.
+
+# .text start RVA and end RVA
+1000
+3000
+# .reloc start RVA and end RVA
+3800
+4000
+# End RVA
+5000
+
+# Assume ImageBase = 00400000. This does not affect the test.
+Program:
+ 00401000: 55 push ebp
+ 00401001: 8B EC mov ebp,esp
+ 00401003: B8 E8 00 00 00 mov eax,0E8h # E8 00 00 00 00
+ 00401008: 00 C0 add al,al
+ 0040100A: 90 nop
+ 0040100B: 90 nop
+ 0040100C: B9 00 00 00 E9 mov ecx,0E9000000h # E9 E8 00 00 00
+ 00401011: E8 00 00 00 00 call 00401016
+ 00401016: 90 nop
+ 00401017: 90 nop
+ 00401018: B1 0F mov cl,0Fh # 0F 80 C0 00 00 00
+ 0040101A: 80 C0 00 add al,0
+ 0040101D: 00 00 add byte ptr [eax],al
+ 0040101F: 90 nop
+ 00401020: 90 nop
+ 00401021: B8 E8 00 00 00 mov eax,0E8h # E8 00 00 00 E8
+ 00401026: E8 00 00 00 00 call 0040102B
+ 0040102B: 90 nop
+ 0040102C: 90 nop
+ 0040102D: E8 00 E9 00 00 call 0040F932 # E9 00 00 00 00
+ 00401032: 00 00 add byte ptr [eax],al
+ 00401034: 5D pop ebp
+ 00401035: C3 ret
+
+Abs32:
+
+Expected:
+1005 # False positive
+1011 # False positive
+# 1012 => False negative: shadowed by 1011
+101B # False positive
+# 1023 => Potential false positive, but suppressed since target is outside .text
+1027 # Emerges since it's not shadowed by 1023
+1030 # False positive: target of 102E was outside .text, so fall back to this |
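Review bot: The Expected section records known false positives (1005, 1011, 101B, 1030) and a false negative (1012) as the correct answer, but the header line `# Test false detection cases.` does not say that these entries pin the current heuristic's output rather than the desired result, so a later reader may take the fixture as a specification. Since the commit message says the heuristic is about to be improved, a header comment would save that confusion, e.g. `# Expected lists the finder's *current* output, including the false positives` / `# annotated below; improving the heuristic is expected to change this list.` The per-line annotations in Expected are useful and should stay as they are.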