威化饼的一隅 2019-05-25 21:11

How to use LLVM to insert code at the entry and exit of basic blocks?

In my recent work, I need to insert instrumentation code at the entry and exit of basic blocks to get the values of variables, so that I can check them based on a DFA of the source code. Another task is that when the executable file is executed with the instrumentation code, an exception will be triggered before a function call and system call or an access of a variable, or after an update of a variable.

I've read the LLVM manual about how to write a pass. However, it doesn't tell me how I can get the latest value of variables.

Someone provided a link that contains basic usage of an LLVM pass, but it's too simple:
https://github.com/SumedhArani/LLVM
https://www.cs.cornell.edu/~asampson/blog/llvm.html

A simple program that can be exploited to launch DOP attacks:

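    #include <stdio.h>

    int main(){
        int old_value,new_value;
        int *p=&old_value,*q=&new_value;
        int connect_limit=100;
        char buf[64];

        while(connect_limit--){
            /* Unbounded read into buf, kept vulnerable on purpose; the IR below
               shows this call as scanf with a 3-byte format string (assumed "%s"). */
            scanf("%s",buf);
            *p=*q;
        }
        return 0;
    }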

LLVM IR

    define i32 @main() #0 {
      %1 = alloca i32, align 4
      %old_value = alloca i32, align 4
      %new_value = alloca i32, align 4
      %p = alloca i32*, align 8
      %q = alloca i32*, align 8
      %connect_limit = alloca i32, align 4
      %buf = alloca [64 x i8], align 16
      store i32 0, i32* %1
      store i32* %old_value, i32** %p, align 8
      store i32* %new_value, i32** %q, align 8
      store i32 100, i32* %connect_limit, align 4
      br label %2

    ; <label>:2                                       ; preds = %6, %0
      %3 = load i32, i32* %connect_limit, align 4
      %4 = add nsw i32 %3, -1
      store i32 %4, i32* %connect_limit, align 4
      %5 = icmp ne i32 %3, 0
      br i1 %5, label %6, label %12

    ; <label>:6                                       ; preds = %2
      %7 = getelementptr inbounds [64 x i8], [64 x i8]* %buf, i32 0, i32 0
      %8 = call i32 (i8*, ...) @__isoc99_scanf(i8* getelementptr inbounds ([3 x i8], [3 x i8]* @.str, i32 0, i32 0), i8* %7)
      %9 = load i32*, i32** %q, align 8
      %10 = load i32, i32* %9, align 4
      %11 = load i32*, i32** %p, align 8
      store i32 %10, i32* %11, align 4
      br label %2

    ; <label>:12                                      ; preds = %2
      ret i32 0
    }









[Figure: CFG]


Can someone provide some relevant source code and guidance?
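
A text-level sketch of where the instrumentation goes, added here as an example (not from the original post or from LLVM): it rewrites textual IR so that each basic block calls a hook after its leading phi nodes and again just before its terminator, the same two positions a pass reaches with `BasicBlock::getFirstInsertionPt()` and `BasicBlock::getTerminator()`. The hook names `@__bb_enter` and `@__bb_exit` and the abridged sample IR are assumptions.

```python
import re

# Constructed sample: the loop from the IR above, abridged (copy gadget dropped).
SAMPLE_IR = """\
define i32 @main() {
  %1 = alloca i32, align 4
  %connect_limit = alloca i32, align 4
  store i32 100, i32* %connect_limit, align 4
  br label %2

; <label>:2                                       ; preds = %6, %0
  %3 = load i32, i32* %connect_limit, align 4
  %4 = add nsw i32 %3, -1
  store i32 %4, i32* %connect_limit, align 4
  %5 = icmp ne i32 %3, 0
  br i1 %5, label %6, label %7

; <label>:6                                       ; preds = %2
  br label %2

; <label>:7                                       ; preds = %2
  ret i32 0
}
"""

TERMS = "br|ret|switch|indirectbr|invoke|resume|unreachable|callbr"  # common terminators
LABEL = re.compile(r"^(?:; <label>:\d+|[-$.\w]+:)")   # old and new label syntax
TERM = re.compile(r"^\s+(?:%[-$.\w]+ = )?(?:" + TERMS + r")\b")
PHI = re.compile(r"^\s+%[-$.\w]+ = phi\b")

def instrument(ir):
    """Insert hypothetical @__bb_enter/@__bb_exit calls into textual LLVM IR."""
    out, block_id, pending, in_func = [], 0, False, False
    for line in ir.splitlines():
        if line.startswith("define "):
            in_func = pending = True          # implicit entry block %0
        elif line.startswith("}"):
            in_func = False
        elif in_func and LABEL.match(line):
            pending = True                    # a new basic block starts here
        elif in_func and line.strip():
            if pending and not PHI.match(line):   # phis must stay first in a block
                out.append(f"  call void @__bb_enter(i32 {block_id})")
                pending = False
            if TERM.match(line):              # the terminator ends the block
                out.append(f"  call void @__bb_exit(i32 {block_id})")
                block_id += 1
        out.append(line)
    out += ["", "declare void @__bb_enter(i32)", "declare void @__bb_exit(i32)"]
    return "\n".join(out) + "\n"
```

The inserted calls return `void`, so they do not shift the numbering of unnamed values such as `%3` or of the numbered blocks.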
