step-3

query a function named strlen

import cpp

from Function f

where f.getName() = "strlen"

select f, "a function named strlen"

step-4

query a function named memcpy

import cpp

from Function f

where f.getName() = "memcpy"

select f, "a function named memcpy"

step-5

query macros named ntohs or ntohl or ntohll

import cpp

from Macro macro

where macro.getName() = "ntohs"

    or macro.getName() = "ntohl"

    or macro.getName() = "ntohll"

select macro, "found macro"

more effective

import cpp

from Macro macro

where macro.getName() in ["ntohs", "ntohl", "ntohll"]

select macro, "found macro"

use Regular Expression

import cpp

from Macro macro

where macro.getName().regexpMatch("ntoh(s|l|ll)")

select macro, "found macro"

step-6

query the caller of a function

import cpp

from FunctionCall fc

where fc.getTarget().getName() = "memcpy"

select fc, "caller of the memcpy"

step-7

query the invocations of macros

import cpp

from MacroInvocation mi

where mi.getMacro().getName().regexpMatch("ntoh(s|l|ll)")

select mi

step-8

query the expressions that correspond to macro invocations.

import cpp

from MacroInvocation mi

where mi.getMacro().getName().regexpMatch("ntoh(s|l|ll)")

select mi.getExpr()

step-9

Write your own CodeQL class to represent a set of interesting source code elements

To define a class, you write:

  1. The keyword class.
  2. The name of the class. This is an identifier starting with an uppercase letter.
  3. The supertypes that the class is derived from via extends and/or instanceof
  4. The body of the class, enclosed in braces.
class OneTwoThree extends int {

    OneTwoThree() { // characteristic predicate

      this = 1 or this = 2 or this = 3

    }

    string getAString() { // member predicate

      result = "One, two or three: " + this.toString()

    }

    predicate isEven() { // member predicate

      this = 2

    }

}


import cpp

/**

 * An expression involved when swapping the byte order of network data.

 * Its value is likely to have been read from the network.

 */

class NetworkByteSwap extends Expr {

  NetworkByteSwap() {

    exists(MacroInvocation mi |

      mi.getMacroName().regexpMatch("ntoh(s|l|ll)") and

      this = mi.getExpr()

    )

  }

}

from NetworkByteSwap n

select n

step-10

query to track the flow of tainted data from network controlled interges to the memcpy length argument

import cpp

import semmle.code.cpp.dataflow.TaintTracking

import DataFlow::PathGraph

/**

 * An expression involved when swapping the byte order of network data.

 * Its value is likely to have been read from the network.

 */

class NetworkByteSwap extends Expr {

    NetworkByteSwap() {

      exists(MacroInvocation mi |

        mi.getMacroName().regexpMatch("ntoh(s|l|ll)") and

        this = mi.getExpr()

      )

    }

  }

class Config extends TaintTracking::Configuration {

    Config() { this = "no matter" }

    override predicate isSource(DataFlow::Node source) {

        source.asExpr() instanceof NetworkByteSwap

    }

    override predicate isSink(DataFlow::Node sink) {

        exists(FunctionCall fc | fc.getTarget().getName() = "memcpy" and sink.asExpr() = fc.getArgument(2))

    }

}

from Config cfg, DataFlow::PathNode source, DataFlow::PathNode sink

where cfg.hasFlowPath(source, sink)

select sink, source, sink, "Network byte swap flows to memcpy"

CodeQl lab learn的更多相关文章

  1. RH253读书笔记(1)-Lab 1 System Monitoring

    Lab 1 System Monitoring Goal: To build skills to better assess system resources, performance and sec ...

  2. Learn to securely share files on the blockchain with IPFS!

    https://medium.com/@mycoralhealth/learn-to-securely-share-files-on-the-blockchain-with-ipfs-219ee47d ...

  3. 什么是 Meta Learning / Learning to Learn ?

    Learning to Learn Chelsea Finn    Jul 18, 2017 A key aspect of intelligence is versatility – the cap ...

  4. Lab 6-2

    Analyze the malware found in the file Lab06-02.exe. Questions and Short Answers What operation does ...

  5. Lab 6-1

    LABS The goal of the labs for this chapter is to help you to understand the overall functionality of ...

  6. Lab 1-4

    Analyze the file Lab01-04.exe. Questions and Short Answers Upload the Lab01-04.exe file to http://ww ...

  7. Lab 1-1

    LABS The purpose of the labs is to give you an opportunity to practice the skills taught in the chap ...

  8. 第六章:Reminders实验:第二部分[Learn Android Studio 汉化教程]

    Learn Android Studio 汉化教程 Reminders Lab: Part 2 This chapter covers capturing user input through the ...

  9. 第五章:Reminders实验:第一部分[Learn Android Studio 汉化教程]

    Learn Android Studio 汉化教程 By now you are familiar with the basics of creating a new project, program ...

  10. 6.824 Lab 2: Raft 2A

    6.824 Lab 2: Raft Part 2A Due: Feb 23 at 11:59pm Part 2B Due: Mar 2 at 11:59pm Part 2C Due: Mar 9 at ...

随机推荐

  1. 刷爆 LeetCode 双周赛 100,单方面宣布第一题最难

    本文已收录到 AndroidFamily,技术和职场问题,请关注公众号 [彭旭锐] 提问. 大家好,我是小彭. 上周末是 LeetCode 第 100 场双周赛,你参加了吗?这场周赛整体没有 Hard ...

  2. Hyper-V由于虚拟机监控程序未运行

    以管理员权限打开命令提示符 输入bcdedit /set hypervisorlaunchtype Auto 重启计算机

  3. 当transcational遇上synchronized

    工作当中经常会遇到既需要开启事务管理,同时也需要同步保证线程安全的场景. 比如一个方法 @Transactional public synchronized void test(){ // } 不知道 ...

  4. es6数组相关操作

    1. 获取两个数组中某个属性值相等的项 let a=[{name:1},{name:4},{name:3}] let b=[{name:5},{name:4},{name:2}] let index ...

  5. cron语句

    名称 是否必须 允许值 特殊字符 秒 是 0-59 , - * / 分 是 0-59 , - * / 时 是 0-23 , - * / 日 是 1-31 , - * ? / L W C 月 是 1-1 ...

  6. 使用Kali复现永恒之蓝

    使用Kali复现永恒之蓝 本次实验为离线靶机测试 实验步骤 确认测试环境:在开始测试之前,需要确认测试环境是否符合要求.我使用的是一台运行Kali的测试机和一台运行Windows 7 64位的靶机.确 ...

  7. 白嫖一个月的ES,完成了与MySQL的联动

    前言 <腾讯云 x Elasticsearch三周年>活动来了.文章写之前的思路是:在腾讯云服务器使用docker搭建ES.但是理想很丰满,显示很骨感,在操作过程中一波三折,最后还是含着泪 ...

  8. 搭建私有YUM仓库_及_内网镜像站

    搭建私有YUM仓库_及_内网镜像站 搭建私有YUM仓库(自己定制的rpm包)私有yum仓库环境系统版本:centos7.4 IP:192.168.1.47 #最好能上公网 私有yum仓库服务端配置 第 ...

  9. idea快捷键--增强for循环

    增强for循环,用于遍历:数组或单列集合 快捷键: 数组.for

  10. 脚本:Oracle巡检html版

    做一个日常巡检oracle数据库的脚本,生成一个html版本,简介方便查看 check_db.sql 1.数据库情况 2.数据文件及表空间情况 3.数据库性能问题 4.加入邮件,定期发送到邮箱 发件语 ...