2018-04-03 15:01:33 +08:00
|
|
|
#!/usr/bin/env python
|
|
|
|
|
|
|
|
"""A tool for looking for indirect jumps and calls in x86 binaries.
|
|
|
|
|
|
|
|
Helpful to verify whether or not retpoline mitigations are catching
|
|
|
|
all of the indirect branches in a binary and telling you which
|
|
|
|
functions the remaining ones are in (assembly, etc).
|
|
|
|
|
|
|
|
Depends on llvm-objdump being in your path and is tied to the
|
|
|
|
dump format.
|
|
|
|
"""
|
|
|
|
|
2019-01-03 22:11:33 +08:00
|
|
|
from __future__ import print_function
|
|
|
|
|
2018-04-03 15:01:33 +08:00
|
|
|
import os
|
|
|
|
import sys
|
|
|
|
import re
|
|
|
|
import subprocess
|
|
|
|
import optparse
|
|
|
|
|
|
|
|
# Look for indirect calls/jmps in a binary. re: (call|jmp).*\*
|
|
|
|
def look_for_indirect(file):
|
|
|
|
args = ['llvm-objdump']
|
|
|
|
args.extend(["-d"])
|
|
|
|
args.extend([file])
|
|
|
|
|
|
|
|
p = subprocess.Popen(args=args, stdin=None, stderr=subprocess.PIPE, stdout=subprocess.PIPE)
|
|
|
|
(stdout,stderr) = p.communicate()
|
|
|
|
|
|
|
|
function = ""
|
|
|
|
for line in stdout.splitlines():
|
|
|
|
if line.startswith(' ') == False:
|
|
|
|
function = line
|
|
|
|
result = re.search('(call|jmp).*\*', line)
|
|
|
|
if result != None:
|
|
|
|
# TODO: Perhaps use cxxfilt to demangle functions?
|
2019-01-03 22:11:33 +08:00
|
|
|
print(function)
|
|
|
|
print(line)
|
2018-04-03 15:01:33 +08:00
|
|
|
return
|
|
|
|
|
|
|
|
def main(args):
|
|
|
|
# No options currently other than the binary.
|
|
|
|
parser = optparse.OptionParser("%prog [options] <binary>")
|
|
|
|
(opts, args) = parser.parse_args(args)
|
|
|
|
if len(args) != 2:
|
|
|
|
parser.error("invalid number of arguments: %s" % len(args))
|
|
|
|
look_for_indirect(args[1])
|
|
|
|
|
|
|
|
if __name__ == '__main__':
|
|
|
|
main(sys.argv)
|