llvm-for-llvmta/utils/indirect_calls.py

#!/usr/bin/env python

"""A tool for looking for indirect jumps and calls in x86 binaries.

   Helpful to verify whether or not retpoline mitigations are catching
   all of the indirect branches in a binary and telling you which
   functions the remaining ones are in (assembly, etc).

   Depends on llvm-objdump being in your path and is tied to the
   dump format.
"""

from __future__ import print_function

import os
import sys
import re
import subprocess
import optparse

# Look for indirect calls/jmps in a binary. re: (call|jmp).*\* 
def look_for_indirect(file):
    args = ['llvm-objdump']
    args.extend(["-d"])
    args.extend([file])

    p = subprocess.Popen(args=args, stdin=None, stderr=subprocess.PIPE, stdout=subprocess.PIPE)
    (stdout,stderr) = p.communicate()

    function = ""
    for line in stdout.splitlines():
        if line.startswith(' ') == False:
            function = line
        result = re.search('(call|jmp).*\*', line)
        if result != None:
            # TODO: Perhaps use cxxfilt to demangle functions?
            print(function)
            print(line)
    return

def main(args):
    # No options currently other than the binary.
    parser = optparse.OptionParser("%prog [options] <binary>")
    (opts, args) = parser.parse_args(args)
    if len(args) != 2:
        parser.error("invalid number of arguments: %s" % len(args))
    look_for_indirect(args[1])

if __name__ == '__main__':
    main(sys.argv)
first commit 2022-04-25 10:02:23 +02:00			`#!/usr/bin/env python`

			`"""A tool for looking for indirect jumps and calls in x86 binaries.`

			`Helpful to verify whether or not retpoline mitigations are catching`
			`all of the indirect branches in a binary and telling you which`
			`functions the remaining ones are in (assembly, etc).`

			`Depends on llvm-objdump being in your path and is tied to the`
			`dump format.`
			`"""`

			`from __future__ import print_function`

			`import os`
			`import sys`
			`import re`
			`import subprocess`
			`import optparse`

			`# Look for indirect calls/jmps in a binary. re: (call\|jmp).\`
			`def look_for_indirect(file):`
			`args = ['llvm-objdump']`
			`args.extend(["-d"])`
			`args.extend([file])`

			`p = subprocess.Popen(args=args, stdin=None, stderr=subprocess.PIPE, stdout=subprocess.PIPE)`
			`(stdout,stderr) = p.communicate()`

			`function = ""`
			`for line in stdout.splitlines():`
			`if line.startswith(' ') == False:`
			`function = line`
			`result = re.search('(call\|jmp).\', line)`
			`if result != None:`
			`# TODO: Perhaps use cxxfilt to demangle functions?`
			`print(function)`
			`print(line)`
			`return`

			`def main(args):`
			`# No options currently other than the binary.`
			`parser = optparse.OptionParser("%prog [options] <binary>")`
			`(opts, args) = parser.parse_args(args)`
			`if len(args) != 2:`
			`parser.error("invalid number of arguments: %s" % len(args))`
			`look_for_indirect(args[1])`

			`if __name__ == '__main__':`
			`main(sys.argv)`