reven2.preview.taint.Tainter

class documentation

class Tainter(object):

Entry point object for tainting data.

Taints can be created by using the simple_taint function. The last_taint method can be used to retrieve the started taint.

Please refer to the taint package documentation for more information.

Examples

>>> trace = reven_server.trace
>>> tainter = reven2.preview.taint.Tainter(trace)

Method	`__init__`	Undocumented
Method	`__repr__`	Undocumented
Method	`last_taint`	Get the last taint started by `simple_taint`
Method	`simple_taint`	Request the server to start a taint such that its parameters are the arguments to this function.
Method	`taint_from_state`	Request the server to start a taint from the `TaintState` passed as parameter.
Static Method	`_handle_tag`	Undocumented
Instance Variable	`_taint_data`	Undocumented
Instance Variable	`_trace`	Undocumented

def __init__(self, trace):

Undocumented

Parameters
trace:`_Trace`	Undocumented

def __repr__(self):

Undocumented

def last_taint(self):

Get the last taint started by simple_taint

Warnings

This function can only get the last taint if that taint was started by a tainter object in the same session.

Information

Returns
`_Optional[Taint]`	a `Taint` object if the `simple_taint` function was used before this method call, otherwise `None`.

def simple_taint(self, tag0, tag1=None, from_context=None, to_context=None, is_forward=True):

Request the server to start a taint such that its parameters are the arguments to this function.

As this function offers a simplified API, it starts the taint with a maximum of two different taint markers.

Warnings

Each successive call to this method will cancel and discard the previously started taint if any.

Taint parameters:

Tainted data: passed by tag0 and tag1, tag0 tainted data s labeled by tag0, tag1 tainted data is labeled by tag1. Tainted data can be one of: string, Iterable, reven2.arch.register.Register, TaintedRegisterSlice, integer (interpreted as a ds prefixed logical address), reven2.address.LogicalAddress, reven2.address.LinearAddress, reven2.address.LogicalAddressSegmentIndex, reven2.address.PhysicalAddress, TaintedMemories or reven2.MemoryRange.
Tainted range: Taint is propagated through all the Transitions between from_context and to_context
Taint direction: Forward if is_forward else Backward

Examples

>>> trace = reven_server.trace()
>>> tainter = reven2.preview.taint.Tainter(trace)
>>> # taint in forward on the full trace, starting at the first context,
>>> # "rax" with tag0, [ds:0xffffd001ea0d6040 ; 8] with tag1
>>> taint = tainter.simple_taint(tag0="rax", tag1="[ds:0xffffd001ea0d6040 ; 8]")
>>> # The same taint, with the arguments expressed differently.
>>> taint = tainter.simple_taint(tag0=reven2.arch.x64.rax, tag1=0xffffd001ea0d6040)
>>> # # A slightly different taint, where tag0 tags both `rax` and the memory address,
and where nothing it tagged with `tag1`.
>>> taint = tainter.simple_taint(tag0=[reven2.arch.x64.rax, 0xffffd001ea0d6040])

Warning

A reven2.register_slice.RegisterSlice will be converted to the containing byte if it is not aligned, except flags.

Information

Parameters
tag0:`_Union[str, TaintedData, _Iterable[TaintedData]]`	Initially tainted data marked with the `tag0` taint marker. The accepted types for this parameter are the following: a `string`, this string will be parsed by the tag parser, the string must be a comma separated list of registers and memory ranges, such as: `"rax, rbx[1:5], [0xffffd001ea0d6040], [ds:0xffffd001ea0d6040; 8], [phy:0x44554454; 16]"` an `integer` representing a memory range (`0xffffd001ea0d6040` is `[ds:0xffffd001ea0d6040; 1]`). a class from the `reven2.address` module a `reven2.arch.register.Register`. a `reven2.preview.taint.TaintedRegisterSlice`. a `reven2.preview.taint.TaintedMemories` a `reven2.MemoryRange` an iterable, mixing any of the previous possibilities, excepted string
tag1:`_Optional[_Union[str, TaintedData, _Iterable[TaintedData]]]`	Initially tainted data marked with the `tag1` taint marker. The accepted types for this parameter are the same as for `tag0`
from_context:`_Optional[_Context]`	`reven2.trace.Context` Context before the first transition in the requested taint range.
to_context:`_Optional[_Context]`	`reven2.trace.Context` Context after the last transition in the requested taint range.
is_forward:`bool`	`bool`, `True` for forward direction and `False` for backward direction.
Returns
`Taint`	A `Taint` instance.

def taint_from_state(self, state, from_context=None, to_context=None, is_forward=None):

Request the server to start a taint from the TaintState passed as parameter.

A TaintState can be obtained from the results of a previous taint.

Information

Parameters
state:`TaintState`	The state from we start the new taint.
from_context:`_Optional[_Context]`	Context before the first transition in the requested taint range. If `None`, then computed to resume the taint from which the state was extracted.
to_context:`_Optional[_Context]`	Context after the last transition in the requested taint range. Always greater than from_context. If `None`, then computed to resume the taint from which the state was extracted.
is_forward:`_Optional[bool]`	`True` for forward direction and `False` for backward direction. If `None`, then the same direction as the taint from which the state was extracted.
Returns
`Taint`	Undocumented

@staticmethod
def _handle_tag(tagname, tag):

Undocumented

Parameters
tagname:`str`	Undocumented
tag:`_Union[str, TaintedData, _Iterable[TaintedData]]`	Undocumented
Returns
`_List[TaintedData]`	Undocumented

_taint_data =

Undocumented

_trace =

Undocumented