I tried to keep the client
core system to a minimum.
Basically it does the following:
- Initialize logging, etc.
- Initialize shared memory (to communicate with PIN)
- Connect to the server (to the MQ)
- Request a MutationObject
- contains the Base64 encoded mutation file
- of course, write this to disk
- Run the victim under PIN with the mutation as input
- Fills the MutationObject with the information from the execution
- Sends this information to the server (to the MQ, actually)
- Most important is the bitmap
- Crash information in case of a crash
- Repeat :)
The shared memory object is named
The core sets up all helpers, that is, instantiate classes passing self as a parameter. This self parameter is used as parent by the different helpers. This way objects like cfg (configuration), logging, etc. are centralized and can be accessed via this parent parameter by them.
If the PinTool marked the bitmap as seen below, a crash is registered. Before sending this information, an attempt of reproducing the crash is made. This time without PIN but being monitored by Winappdbg instead.
#!python if curr_bitmap == 0x41414141 \ and curr_bitmap == 0x42424242: # Restore these first bytes to more appropriate values curr_bitmap = 0 curr_bitmap = 0 [...] self.mo.priority == CAUSED_CRASH # Analyzes the crash (and saves it, if determined interesting) # This sets the MutationObject crash_data attribute cmd = [self.cfg.get('target_info', 'filename'), input_filename] self.crash_analysis.analyze_crash(cmd)