Merge branch 'dev-v1.0'

Author: Triton Library

.build_number

@@ -1 +1 @@
-1597
+1599

.github/workflows/vcpkg.yml

@@ -11,15 +11,15 @@ jobs:
       matrix:
         os:
           - macOS-latest
-          - ubuntu-20.04
+          - ubuntu-latest
           - windows-2022
         include:
           - os: windows-2022
             platform: windows
             vcpkg-triplet: x64-windows-static-release-md
             cmake-preset: windows-x64
             python-executable: python
-          - os: ubuntu-20.04
+          - os: ubuntu-latest
             platform: linux
             vcpkg-triplet: x64-linux-release
             cmake-preset: linux-x64
@@ -38,7 +38,7 @@ jobs:
       name: Get vcpkg
       with:
         repository: 'microsoft/vcpkg'
-        ref: '2024.05.24'
+        ref: '2025.06.13'
         path: '${{ github.workspace }}/_vcpkg'
         fetch-depth: 0
 

src/examples/cpp/CMakeLists.txt

@@ -49,3 +49,15 @@ set_property(TARGET block PROPERTY CXX_STANDARD 17)
 target_link_libraries(block triton)
 add_test(TestBlock block)
 add_dependencies(check block)
+
+find_package(LIEF QUIET)
+find_package(fmt QUIET)
+if(LIEF_FOUND AND fmt_FOUND)
+    message(STATUS "LIEF found")
+    message(STATUS "FMT found")
+    add_executable(hooking_libc hooking_libc.cpp)
+    set_property(TARGET hooking_libc PROPERTY CXX_STANDARD 17)
+    target_link_libraries(hooking_libc triton LIEF::LIEF fmt::fmt)
+    add_test(TestHookingLibc hooking_libc)
+    add_dependencies(check hooking_libc)
+endif()

src/examples/cpp/hooking_libc.cpp

@@ -0,0 +1,229 @@
+#include <iostream>
+#include <fstream>
+#include <vector>
+#include <string>
+#include <functional>
+#include <triton/context.hpp>
+#include <triton/x86Specifications.hpp>
+#include <LIEF/ELF.hpp>
+#include <fmt/format.h>
+#include <sstream>
+#include <iomanip>
+
+#define DEBUG 0
+
+std::string getMemoryString(const triton::Context& ctx, triton::uint64 addr) {
+    std::string s;
+    size_t index = 0;
+
+    while (auto value = ctx.getConcreteMemoryValue(addr + index)) {
+        char c = static_cast<char>(value);
+        if (std::isprint(c)) {
+            s += c;
+        }
+        index++;
+    }
+
+    return s;
+}
+
+std::string getFormatString(const triton::Context& ctx, triton::uint64 addr) {
+    std::string s = getMemoryString(ctx, addr);
+    // Implement string replacements here if needed
+    return s;
+}
+
+triton::uint64 strlenHandler(triton::Context& ctx) {
+    if constexpr (DEBUG) {
+        std::cout << "[+] Strlen hooked" << std::endl;
+    }
+    auto arg1 = getMemoryString(ctx, static_cast<triton::uint64>(ctx.getConcreteRegisterValue(ctx.registers.x86_rdi)));
+    return arg1.length();
+}
+
+
+
+triton::uint64 printfHandler(triton::Context& ctx) {
+    if constexpr (DEBUG) {
+        std::cout << "[+] printf hooked" << std::endl;
+    }
+    auto format_str = getFormatString(ctx, static_cast<triton::uint64>(ctx.getConcreteRegisterValue(ctx.registers.x86_rdi)));
+    auto arg1 = ctx.getConcreteRegisterValue(ctx.registers.x86_rsi);
+
+    std::stringstream ss;
+    size_t pos = format_str.find("%ld");
+    if (pos != std::string::npos) {
+        ss << format_str.substr(0, pos) << arg1 << format_str.substr(pos + 3);
+    } else {
+        ss << format_str;
+    }
+
+    std::string formatted_str = ss.str();
+    std::cout << formatted_str << std::endl;
+    return formatted_str.length();
+}
+
+triton::uint64 libcMainHandler(triton::Context& ctx) {
+    if constexpr (DEBUG) {
+        std::cout << "[+] __libc_start_main hooked" << std::endl;
+    }
+
+    auto main = ctx.getConcreteRegisterValue(ctx.registers.x86_rdi);
+
+    ctx.setConcreteRegisterValue(ctx.registers.x86_rsp,
+        ctx.getConcreteRegisterValue(ctx.registers.x86_rsp) - 8);
+
+    auto ret2main = triton::arch::MemoryAccess(static_cast<triton::uint64>(ctx.getConcreteRegisterValue(ctx.registers.x86_rsp)), 8);
+    ctx.setConcreteMemoryValue(ret2main, main);
+
+    ctx.concretizeRegister(ctx.registers.x86_rdi);
+    ctx.concretizeRegister(ctx.registers.x86_rsi);
+
+    std::vector<std::string> argvs = {"sample_1", "my_first_arg"};
+
+    triton::uint64 base = 0x20000000;
+    std::vector<triton::uint64> addrs;
+
+    for (const auto& argv : argvs) {
+        addrs.push_back(base);
+        ctx.setConcreteMemoryAreaValue(base, reinterpret_cast<const triton::uint8*>(argv.c_str()), argv.length() + 1);
+        base += argv.length() + 1;
+    }
+
+    triton::uint64 argc = argvs.size();
+    triton::uint64 argv = base;
+    for (const auto& addr : addrs) {
+        ctx.setConcreteMemoryValue(triton::arch::MemoryAccess(base, 8), addr);
+        base += 8;
+    }
+
+    ctx.setConcreteRegisterValue(ctx.registers.x86_rdi, argc);
+    ctx.setConcreteRegisterValue(ctx.registers.x86_rsi, argv);
+
+    return 0;
+}
+
+struct CustomRelocation {
+    std::string name;
+    std::function<triton::uint64(triton::Context&)> handler;
+    triton::uint64 address;
+};
+
+std::vector<CustomRelocation> customRelocation = {
+    {"strlen", strlenHandler, 0x10000000},
+    {"printf", printfHandler, 0x10000001},
+    {"__libc_start_main", libcMainHandler, 0x10000002},
+};
+
+void hookingHandler(triton::Context& ctx) {
+    auto pc = ctx.getConcreteRegisterValue(ctx.registers.x86_rip);
+    for (const auto& rel : customRelocation) {
+        if (rel.address == pc) {
+            auto ret_value = rel.handler(ctx);
+            ctx.setConcreteRegisterValue(ctx.registers.x86_rax, ret_value);
+
+            auto ret_addr = ctx.getConcreteMemoryValue(triton::arch::MemoryAccess(
+                static_cast<triton::uint64>(ctx.getConcreteRegisterValue(ctx.registers.x86_rsp)), 8));
+
+            ctx.setConcreteRegisterValue(ctx.registers.x86_rip, ret_addr);
+            ctx.setConcreteRegisterValue(ctx.registers.x86_rsp,
+                ctx.getConcreteRegisterValue(ctx.registers.x86_rsp) + 8);
+        }
+    }
+}
+
+void emulate(triton::Context& ctx, triton::uint64 pc) {
+    if constexpr (DEBUG) {
+        std::cout << "[+] Starting emulation." << std::endl;
+    }
+
+    while (pc) {
+        auto opcode = ctx.getConcreteMemoryAreaValue(pc, 16);
+
+        triton::arch::Instruction instruction;
+        instruction.setOpcode(opcode.data(), opcode.size());
+        instruction.setAddress(pc);
+
+        ctx.processing(instruction);
+        if constexpr (DEBUG) {
+            std::cout << instruction << std::endl;
+        }
+
+        if (instruction.getType() == triton::arch::x86::ID_INS_HLT || instruction.getType() == triton::arch::x86::ID_INS_RET) { // add ID_INS_RET too maybe? see issue https://github.com/JonathanSalwan/Triton/issues/912
+            break;
+        }
+
+        hookingHandler(ctx);
+
+        pc = static_cast<triton::uint64>(ctx.getConcreteRegisterValue(ctx.registers.x86_rip));
+    }
+    if constexpr (DEBUG) {
+        std::cout << "[+] Emulation done." << std::endl;
+    }
+}
+
+std::unique_ptr<LIEF::ELF::Binary> loadBinary(triton::Context& ctx, const std::string& path) {
+    std::unique_ptr<LIEF::ELF::Binary> binary = LIEF::ELF::Parser::parse(path);
+    if (!binary) {
+        throw std::runtime_error("Failed to parse ELF binary");
+    }
+
+    for (const auto& segment : binary->segments()) {
+        if (segment.type() != LIEF::ELF::Segment::TYPE::LOAD) {
+            continue;
+        }
+        triton::uint64 vaddr = segment.virtual_address();
+        const auto& content = segment.content(); // This is now a span<const uint8_t>
+        if constexpr (DEBUG) {
+            std::cout << "[+] Loading 0x" << std::hex << vaddr << " - 0x" << (vaddr + content.size()) << std::endl;
+        }
+
+        // Use data() and size() methods of span
+        ctx.setConcreteMemoryAreaValue(vaddr, content.data(), content.size());
+    }
+
+    return binary;
+}
+
+void makeRelocation(triton::Context& ctx, const LIEF::ELF::Binary& binary) {
+    for (const auto& pltgot_entry : binary.pltgot_relocations()) {
+        const std::string& symbolName = pltgot_entry.symbol()->name();
+        triton::uint64 symbolRelo = pltgot_entry.address();
+        for (const auto& crel : customRelocation) {
+            if (symbolName == crel.name) {
+                if constexpr (DEBUG) {
+                    std::cout << "[+] Hooking " << symbolName << std::endl;
+                }
+                ctx.setConcreteMemoryValue(triton::arch::MemoryAccess(symbolRelo, 8), crel.address);
+            }
+        }
+    }
+}
+
+int main(int argc, char* argv[]) {
+    if (argc != 2) {
+        std::cerr << "Usage: " << argv[0] << " <path_to_binary>" << std::endl;
+        return 1;
+    }
+
+    triton::Context ctx;
+    ctx.setArchitecture(triton::arch::ARCH_X86_64);
+
+    std::unique_ptr<LIEF::ELF::Binary> binary;
+    try {
+        binary = loadBinary(ctx, argv[1]);
+    } catch (const std::exception& e) {
+        std::cerr << "Error loading binary: " << e.what() << std::endl;
+        return 1;
+    }
+
+    makeRelocation(ctx, *binary);
+
+    ctx.setConcreteRegisterValue(ctx.registers.x86_rbp, 0x7fffffff);
+    ctx.setConcreteRegisterValue(ctx.registers.x86_rsp, 0x6fffffff);
+
+    triton::uint64 entrypoint = binary->entrypoint();
+    emulate(ctx, entrypoint);
+
+    return 0;
+}

src/libtriton/arch/arm/aarch64/aarch64Semantics.cpp

@@ -256,9 +256,10 @@ namespace triton {
             case ID_INS_CNEG:      this->cneg_s(inst);          break;
             case ID_INS_CSEL:      this->csel_s(inst);          break;
             case ID_INS_CSET:      this->cset_s(inst);          break;
+            case ID_INS_CSETM:     this->csetm_s(inst);         break;
             case ID_INS_CSINC:     this->csinc_s(inst);         break;
-            case ID_INS_CSNEG:     this->csneg_s(inst);         break;
             case ID_INS_CSINV:     this->csinv_s(inst);         break;
+            case ID_INS_CSNEG:     this->csneg_s(inst);         break;
             case ID_INS_EON:       this->eon_s(inst);           break;
             case ID_INS_EOR:       this->eor_s(inst);           break;
             case ID_INS_EXTR:      this->extr_s(inst);          break;
@@ -1734,6 +1735,28 @@ namespace triton {
         }
 
 
+        void AArch64Semantics::csetm_s(triton::arch::Instruction& inst) {
+          auto& dst = inst.operands[0];
+
+          /* Create symbolic operands */
+          triton::uint512 temp = 1;
+          auto op1 = this->astCtxt->bv((temp << dst.getBitSize()) - 1, dst.getBitSize());
+          auto op2 = this->astCtxt->bv(0, dst.getBitSize());
+
+          /* Create the semantics */
+          auto node = this->getCodeConditionAst(inst, op1, op2);
+
+          /* Create symbolic expression */
+          auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "CSETM operation");
+
+          /* Spread taint */
+          expr->isTainted = this->taintEngine->setTaint(dst, this->getCodeConditionTainteSate(inst));
+
+          /* Update the symbolic control flow */
+          this->controlFlow_s(inst);
+        }
+
+
         void AArch64Semantics::csinc_s(triton::arch::Instruction& inst) {
           auto& dst  = inst.operands[0];
           auto& src1 = inst.operands[1];

src/libtriton/ast/llvm/llvmToTriton.cpp

@@ -44,6 +44,19 @@ namespace triton {
             }
             return node;
           }
+          else if (call->getCalledFunction()->getName().find("llvm.fshl.i") != std::string::npos) {
+            // (X << (Z % BW)) | (Y >> (BW - (Z % BW)))
+            // https://llvm.org/docs/LangRef.html#llvm-fshl-intrinsic
+            auto x  = this->do_convert(call->getArgOperand(0));
+            auto y  = this->do_convert(call->getArgOperand(1));
+            auto z  = this->do_convert(call->getArgOperand(2));
+            auto bw = this->actx->bv(x->getBitvectorSize(), x->getBitvectorSize());
+
+            auto LHS = this->actx->bvshl(x, z);
+            auto RHS = this->actx->bvlshr(y, this->actx->bvsub(bw, z));
+
+            return this->actx->bvor(LHS, RHS);
+          }
           /* We symbolize the return of call */
           return this->var(instruction->getName().str(), instruction->getType()->getScalarSizeInBits());
         }