-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathDRCOV.bt
90 lines (81 loc) · 2.11 KB
/
DRCOV.bt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
//------------------------------------------------
//--- 010 Editor v13.0.2 Binary Template
//
// File: DRCOV.bt
// Authors: saruman9 <rum.274.4 at gmail.com>
// Version: 0.1
// Purpose: Parse DrCov version 2 format of DynamoRIO.
// Category: Security
// File Mask: *.drcov
// ID Bytes: 44 52 43 4F 56 20 56 45 52 53 49 4F 4E 3A 20 //DRCOV VERSION:
// History:
// 0.1 saruman9: Initial version.
//------------------------------------------------
local string VERSION_STRING = "DRCOV VERSION: ";
char version_string[Strlen(VERSION_STRING)];
if (Strcmp(VERSION_STRING, version_string)) {
Warning("Version string failed: %s\n", version_string);
Exit(1);
}
char version;
FSkip(1); // 0x0A
local string FLAVOR_STRING = "DRCOV FLAVOR: ";
char flavor_string[Strlen(FLAVOR_STRING)];
if (Strcmp(FLAVOR_STRING, flavor_string)) {
Warning("Flavor string failed: %s\n", flavor_string);
Exit(1);
}
local string temp = ReadLine(FTell(), -1, false);
char flavor[Strlen(temp)];
FSkip(1); // 0x0A
temp = ReadLine(FTell());
FSkip(Strlen(temp) - 2);
char count;
local int cnt = Atoi(count);
FSkip(1); // 0x0A
temp = ReadLine(FTell());
FSkip(Strlen(temp));
struct Module {
int id;
uint64 base;
uint64 end;
uint64 entry;
uint32 checksum;
uint32 timestamp;
string path;
};
void ReadModuleInfo(Module &module) {
local string line = ReadLine(FTell());
SScanf(line, "%d, 0x%Lx, 0x%Lx, 0x%Lx, 0x%x, 0x%x, %s",
module.id,
module.base,
module.end,
module.entry,
module.checksum,
module.timestamp,
module.path);
FSkip(Strlen(line));
};
local Module module[cnt];
local int i = 0;
for (i = 0; i < cnt; i++) {
ReadModuleInfo(module);
Printf("%d, %Lx, %Lx, %x, %x, %x, %s\n",
module.id,
module.base,
module.end,
module.entry,
module.checksum,
module.timestamp,
module.path);
}
local int bbs_cnt;
temp = ReadLine(FTell());
SScanf(temp, "BB Table: %d bbs", bbs_cnt);
FSkip(Strlen(temp));
struct BasicBlock {
uint32 start;
uint16 size;
uint16 mod_id;
};
BasicBlock bbs[bbs_cnt];