
MIPS

MIPS

MMUShell

Bases: MMUShell

Source code in mmushell/architectures/mips.py
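class MMUShell(MMUShellDefault):
    """Interactive shell that recovers MIPS MMU register state from a memory dump.

    The work is split in two guarded stages recorded in ``self.data``:
    ``do_parse_memory`` collects the MMU related opcodes found in the dump,
    and ``do_find_registers_values`` derives candidate register values from
    them. Each stage runs at most once per session.
    """

    def __init__(self, completekey="tab", stdin=None, stdout=None, machine=None):
        # A fresh dict per instance: the former ``machine={}`` default would
        # have been shared by every shell created without an explicit machine.
        if machine is None:
            machine = {}
        super().__init__(completekey, stdin, stdout, machine)

        # The base class may already have populated self.data (presumably a
        # restored session -- TODO confirm); only build an empty state otherwise.
        if not self.data:
            self.data = Data(
                is_mem_parsed=False,
                is_registers_found=False,
                opcodes={},
                regs_values={},
            )

    def do_parse_memory(self, args):
        """Find MMU related opcodes in dump.

        Warns and does nothing when the dump was already parsed; otherwise
        runs ``parse_memory`` and sets ``self.data.is_mem_parsed``.

        Args:
            args: Command line passed by the shell; unused.
        """
        if self.data.is_mem_parsed:
            logger.warning("Memory already parsed")
            return

        self.parse_memory()
        self.data.is_mem_parsed = True

    def parse_memory(self):
        """Scan the dump for MMU related opcodes and store them in ``self.data.opcodes``.

        The scan is distributed with ``machine.apply_parallel`` in chunks of
        ``mmu.PAGE_SIZE`` and stops at ``processor_features["kern_code_phys_end"]``;
        the per-worker dicts are then merged into one.
        """
        logger.info("Look for opcodes related to MMU setup...")
        parallel_results = self.machine.apply_parallel(
            self.machine.mmu.PAGE_SIZE,
            self.machine.cpu.parse_opcodes_parallel,
            max_address=self.machine.cpu.processor_features["kern_code_phys_end"],
        )

        # Each result is presumably an AsyncResult-like handle whose .get()
        # yields a dict of opcodes -- TODO confirm against apply_parallel.
        logger.info("Reaggregate threads data...")
        opcodes = {}
        for result in parallel_results:
            opcodes.update(result.get())

        self.data.opcodes = opcodes

    def do_find_registers_values(self, arg):
        """Find and execute MMU related functions inside the memory dump in order to extract MMU registers values.

        Requires ``do_parse_memory`` to have run and executes at most once.
        Candidate values come from data flow analysis over the collected
        opcodes, keeping only those ``CPURegMIPS.get_register_obj`` marks as
        valid, plus the CPU default value of every MMU register unless it is
        MMU-equivalent to a value already recovered. The result is stored in
        ``self.data.regs_values`` as a ``defaultdict(set)`` keyed by register
        name.

        Args:
            arg: Command line passed by the shell; unused.
        """
        if not self.data.is_mem_parsed:
            logger.warning("First parse the dump!")
            return

        if self.data.is_registers_found:
            logger.warning("Registers already searched")
            return

        logger.info("This analysis could be extremely slow!")
        logger.info("Use heuristics to find function addresses...")
        self.machine.cpu.identify_functions_start(self.data.opcodes)

        logger.info("Identify register values using data flow analysis...")
        # zero_registers names registers the analysis may treat as a constant
        # zero (MIPS $zero is hard-wired) -- presumably; see the cpu module.
        dataflow_values = self.machine.cpu.find_registers_values_dataflow(
            self.data.opcodes, zero_registers=["ZERO"]
        )

        filtered_values = defaultdict(set)
        for register, values in dataflow_values.items():
            for value in values:
                reg_obj = CPURegMIPS.get_register_obj(register, value)
                if reg_obj.valid:
                    filtered_values[register].add(reg_obj)

        # Add default values, restricted to MMU registers and only when no
        # recovered value is already MMU-equivalent to the default.
        mmu_regs = self.machine.cpu.processor_features["opcode_to_mmu_regs"].values()
        for register, value in self.machine.cpu.registers_values.items():
            if register not in mmu_regs:
                continue

            reg_obj = CPURegMIPS.get_register_obj(register, value)
            if reg_obj.valid and all(
                not reg_obj.is_mmu_equivalent_to(x) for x in filtered_values[register]
            ):
                filtered_values[register].add(reg_obj)

        self.data.regs_values = filtered_values
        self.data.is_registers_found = True

    def do_show_registers(self, args):
        """Show recovered registers values.

        Prints every recovered register object, grouped by register name in
        sorted order. Requires ``do_find_registers_values`` to have run.

        Args:
            args: Command line passed by the shell; unused.
        """
        if not self.data.is_registers_found:
            logger.info("Please, find them first!")
            return

        regs_values = self.data.regs_values
        for name in sorted(regs_values):
            for reg in regs_values[name]:
                print(reg)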

do_find_registers_values(arg)

Find and execute MMU related functions inside the memory dump in order to extract MMU registers values

Source code in mmushell/architectures/mips.py
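def do_find_registers_values(self, arg):
    """Find and execute MMU related functions inside the memory dump in order to extract MMU registers values.

    Requires ``do_parse_memory`` to have run (``self.data.is_mem_parsed``)
    and executes at most once (``self.data.is_registers_found``). Candidate
    values come from data flow analysis over the collected opcodes, keeping
    only those ``CPURegMIPS.get_register_obj`` marks as valid, plus the CPU
    default value of every MMU register unless it is MMU-equivalent to a
    value already recovered. The result is stored in ``self.data.regs_values``
    as a ``defaultdict(set)`` keyed by register name.

    Args:
        arg: Command line passed by the shell; unused.
    """
    if not self.data.is_mem_parsed:
        logging.warning("First parse the dump!")
        return

    if self.data.is_registers_found:
        logging.warning("Registers already searched")
        return

    logging.info("This analysis could be extremely slow!")
    logging.info("Use heuristics to find function addresses...")
    self.machine.cpu.identify_functions_start(self.data.opcodes)

    logging.info("Identify register values using data flow analysis...")
    # zero_registers names registers the analysis may treat as a constant
    # zero (MIPS $zero is hard-wired) -- presumably; see the cpu module.
    dataflow_values = self.machine.cpu.find_registers_values_dataflow(
        self.data.opcodes, zero_registers=["ZERO"]
    )

    filtered_values = defaultdict(set)
    for register, values in dataflow_values.items():
        for value in values:
            reg_obj = CPURegMIPS.get_register_obj(register, value)
            if reg_obj.valid:
                filtered_values[register].add(reg_obj)

    # Add default values, restricted to MMU registers and only when no
    # recovered value is already MMU-equivalent to the default.
    mmu_regs = self.machine.cpu.processor_features["opcode_to_mmu_regs"].values()
    for register, value in self.machine.cpu.registers_values.items():
        if register not in mmu_regs:
            continue

        reg_obj = CPURegMIPS.get_register_obj(register, value)
        if reg_obj.valid and all(
            not reg_obj.is_mmu_equivalent_to(x) for x in filtered_values[register]
        ):
            filtered_values[register].add(reg_obj)

    self.data.regs_values = filtered_values
    self.data.is_registers_found = True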

do_parse_memory(args)

Find MMU related opcodes in dump

Source code in mmushell/architectures/mips.py
def do_parse_memory(self, args):
    """Find MMU related opcodes in dump.

    Runs ``parse_memory`` once and records that in ``self.data.is_mem_parsed``;
    a second invocation only logs a warning.

    Args:
        args: Command line passed by the shell; unused.
    """
    if not self.data.is_mem_parsed:
        self.parse_memory()
        self.data.is_mem_parsed = True
        return
    logger.warning("Memory already parsed")

do_show_registers(args)

Show recovered registers values

Source code in mmushell/architectures/mips.py
def do_show_registers(self, args):
    """Show recovered registers values.

    Prints every recovered register object, grouped by register name in
    sorted order. Requires ``do_find_registers_values`` to have run.

    Args:
        args: Command line passed by the shell; unused.
    """
    if not self.data.is_registers_found:
        logging.info("Please, find them first!")
        return

    regs_values = self.data.regs_values
    for name in sorted(regs_values):
        for reg in regs_values[name]:
            print(reg)

MMUShellGTruth

Bases: MMUShell

Source code in mmushell/architectures/mips.py
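class MMUShellGTruth(MMUShell):
    """MMUShell variant that scores recovered register values against a ground truth.

    ``self.gtruth`` (provided elsewhere) maps register name to a dict of
    ``value -> record`` where ``record[1]`` orders the loads; the last one
    loaded is the reference value.
    """

    def do_show_registers_gtruth(self, args):
        """Show recovered registers values and compare them with the ground truth.

        For every MMU register named in ``processor_features["opcode_to_mmu_regs"]``
        the reference value is the last one recorded in ``self.gtruth``, falling
        back to the CPU default in ``registers_values``. Each recovered value
        is a true positive when MMU-equivalent to the reference, otherwise a
        false positive; a register with no matching value is a false negative.
        Prints the three groups and ``TP:..., FP:..., FN:...`` counts, where
        TP counts at most one per register and FP counts only values not
        MMU-equivalent to another FP of the same register.

        Args:
            args: Command line passed by the shell; unused.
        """
        if not self.data.is_registers_found:
            logging.info("Please, find them first!")
            return

        # Ground truth: the value loaded last wins. record[1] is presumably a
        # load order/timestamp -- TODO confirm against the gtruth loader.
        # sorted()[-1] keeps the original tie-break (last of equal keys).
        mmu_regs = self.machine.cpu.processor_features["opcode_to_mmu_regs"].values()
        gvalues = {}
        for reg_name in mmu_regs:
            if reg_name in self.gtruth:
                history = self.gtruth[reg_name]
                last_reg_value = sorted(history.keys(), key=lambda x: history[x][1])[-1]
                gvalues[reg_name] = CPURegMIPS.get_register_obj(reg_name, last_reg_value)
            elif reg_name in self.machine.cpu.registers_values:
                gvalues[reg_name] = CPURegMIPS.get_register_obj(
                    reg_name, self.machine.cpu.registers_values[reg_name]
                )

        tps = defaultdict(list)
        fps = defaultdict(list)
        fns = {}

        tps_count = 0
        fps_count = 0

        # Compare the values recovered by the data flow analysis
        for register, register_obj in gvalues.items():
            tmp_fps = []
            tmp_fps_count = 0
            # .get() keeps this working when regs_values is a plain dict
            # rather than the defaultdict built by do_find_registers_values.
            for found_value in self.data.regs_values.get(register, ()):
                if register_obj.is_mmu_equivalent_to(found_value):
                    # Count only one TP per register
                    if register not in tps:
                        tps_count += 1
                    tps[register].append(found_value)
                else:
                    # Count only FPs not MMU-equivalent to an FP already seen
                    # for this register. They are in tmp_fps: fps[register]
                    # is only filled after this loop, so comparing against
                    # it would count every FP.
                    if all(not found_value.is_mmu_equivalent_to(x) for x in tmp_fps):
                        tmp_fps_count += 1
                    tmp_fps.append(found_value)

            # Add false negatives
            if register not in tps:
                fns[register] = register_obj
            else:  # Add false positives only if it is not a false negative
                fps[register] = tmp_fps
                fps_count += tmp_fps_count

        print("\nTrue positives")
        pprint(tps)

        print("\nFalse positives")
        pprint(fps)

        print("\nFalse negatives")
        pprint(fns)
        print(f"\nTP:{tps_count}, FP:{fps_count}, FN:{len(fns)}")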

do_show_registers_gtruth(args)

Show recovered registers values and compare them with the ground truth

Source code in mmushell/architectures/mips.py
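def do_show_registers_gtruth(self, args):
    """Show recovered registers values and compare them with the ground truth.

    For every MMU register named in ``processor_features["opcode_to_mmu_regs"]``
    the reference value is the last one recorded in ``self.gtruth``, falling
    back to the CPU default in ``registers_values``. Each recovered value is
    a true positive when MMU-equivalent to the reference, otherwise a false
    positive; a register with no matching value is a false negative. Prints
    the three groups and ``TP:..., FP:..., FN:...`` counts, where TP counts
    at most one per register and FP counts only values not MMU-equivalent to
    another FP of the same register.

    Args:
        args: Command line passed by the shell; unused.
    """
    if not self.data.is_registers_found:
        logging.info("Please, find them first!")
        return

    # Ground truth: the value loaded last wins. self.gtruth[reg][value][1] is
    # presumably a load order/timestamp -- TODO confirm against the gtruth
    # loader. sorted()[-1] keeps the original tie-break (last of equal keys).
    mmu_regs = self.machine.cpu.processor_features["opcode_to_mmu_regs"].values()
    gvalues = {}
    for reg_name in mmu_regs:
        if reg_name in self.gtruth:
            history = self.gtruth[reg_name]
            last_reg_value = sorted(history.keys(), key=lambda x: history[x][1])[-1]
            gvalues[reg_name] = CPURegMIPS.get_register_obj(reg_name, last_reg_value)
        elif reg_name in self.machine.cpu.registers_values:
            gvalues[reg_name] = CPURegMIPS.get_register_obj(
                reg_name, self.machine.cpu.registers_values[reg_name]
            )

    tps = defaultdict(list)
    fps = defaultdict(list)
    fns = {}

    tps_count = 0
    fps_count = 0

    # Compare the values recovered by the data flow analysis
    for register, register_obj in gvalues.items():
        tmp_fps = []
        tmp_fps_count = 0
        # .get() keeps this working when regs_values is a plain dict rather
        # than the defaultdict built by do_find_registers_values.
        for found_value in self.data.regs_values.get(register, ()):
            if register_obj.is_mmu_equivalent_to(found_value):
                # Count only one TP per register
                if register not in tps:
                    tps_count += 1
                tps[register].append(found_value)
            else:
                # Count only FPs not MMU-equivalent to an FP already seen for
                # this register. They are in tmp_fps: fps[register] is only
                # filled after this loop, so comparing against it would count
                # every FP.
                if all(not found_value.is_mmu_equivalent_to(x) for x in tmp_fps):
                    tmp_fps_count += 1
                tmp_fps.append(found_value)

        # Add false negatives
        if register not in tps:
            fns[register] = register_obj
        else:  # Add false positives only if it is not a false negative
            fps[register] = tmp_fps
            fps_count += tmp_fps_count

    print("\nTrue positives")
    pprint(tps)

    print("\nFalse positives")
    pprint(fps)

    print("\nFalse negatives")
    pprint(fns)
    print(f"\nTP:{tps_count}, FP:{fps_count}, FN:{len(fns)}")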