[docs]defhas_xor(self):""" Detects if there is any xor operation in the function. :return: Tags """def_has_xor(expr):returnisinstance(expr,pyvex.IRExpr.Binop)andexpr.op.startswith("Iop_Xor")found_xor=Falseforblockinself._function.blocks:ifblock.size==0:continueforstmtinblock.vex.statements:ifisinstance(stmt,pyvex.IRStmt.Put):found_xor=found_xoror_has_xor(stmt.data)elifisinstance(stmt,pyvex.IRStmt.WrTmp):found_xor=found_xoror_has_xor(stmt.data)iffound_xor:breakiffound_xor:return{CodeTags.HAS_XOR}returnNone
[docs]defhas_bitshifts(self):""" Detects if there is any bitwise operation in the function. :return: Tags. """def_has_bitshifts(expr):ifisinstance(expr,pyvex.IRExpr.Binop):returnexpr.op.startswith("Iop_Shl")orexpr.op.startswith("Iop_Shr")orexpr.op.startswith("Iop_Sar")returnFalsefound_bitops=Falseforblockinself._function.blocks:ifblock.size==0:continueforstmtinblock.vex.statements:ifisinstance(stmt,pyvex.IRStmt.Put):found_bitops=found_bitopsor_has_bitshifts(stmt.data)elifisinstance(stmt,pyvex.IRStmt.WrTmp):found_bitops=found_bitopsor_has_bitshifts(stmt.data)iffound_bitops:breakiffound_bitops:return{CodeTags.HAS_BITSHIFTS}returnNone
[docs]defhas_sql(self):""" Detects if there is any reference to strings that look like SQL queries. """ifself._function.is_pltorself._function.is_simprocedure:returnFalsemin_addr,max_addr=None,None# what strings are the current function referencing?forblockinself._function.blocks:ifmin_addrisNoneorblock.addr<min_addr:min_addr=block.addrifmax_addrisNoneorblock.addr+block.size>max_addr:max_addr=block.addr+block.sizexrefs=self.kb.xrefs.get_xrefs_by_ins_addr_region(min_addr,max_addr)forxrefinxrefs:xref:XRefifxref.memory_dataisnotNoneandxref.memory_data.sort=="string":iflooks_like_sql(xref.memory_data.content.decode("utf-8")):return{CodeTags.HAS_SQL}returnFalse