indirect_calls.py
1.42 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
#!/usr/bin/env python
"""A tool for looking for indirect jumps and calls in x86 binaries.
Helpful to verify whether or not retpoline mitigations are catching
all of the indirect branches in a binary and telling you which
functions the remaining ones are in (assembly, etc).
Depends on llvm-objdump being in your path and is tied to the
dump format.
"""
from __future__ import print_function
import os
import sys
import re
import subprocess
import optparse
# Look for indirect calls/jmps in a binary. re: (call|jmp).*\*
def look_for_indirect(file):
args = ['llvm-objdump']
args.extend(["-d"])
args.extend([file])
p = subprocess.Popen(args=args, stdin=None, stderr=subprocess.PIPE, stdout=subprocess.PIPE)
(stdout,stderr) = p.communicate()
function = ""
for line in stdout.splitlines():
if line.startswith(' ') == False:
function = line
result = re.search('(call|jmp).*\*', line)
if result != None:
# TODO: Perhaps use cxxfilt to demangle functions?
print(function)
print(line)
return
def main(args):
# No options currently other than the binary.
parser = optparse.OptionParser("%prog [options] <binary>")
(opts, args) = parser.parse_args(args)
if len(args) != 2:
parser.error("invalid number of arguments: %s" % len(args))
look_for_indirect(args[1])
if __name__ == '__main__':
main(sys.argv)