CodeQL lab learn
step-3
query a function named strlen
import cpp
from Function f
where f.getName() = "strlen"
select f, "a function named strlen"
step-4
query a function named memcpy
import cpp
from Function f
where f.getName() = "memcpy"
select f, "a function named memcpy"
step-5
query macros named ntohs, ntohl or ntohll
import cpp
from Macro macro
where macro.getName() = "ntohs"
or macro.getName() = "ntohl"
or macro.getName() = "ntohll"
select macro, "found macro"
more concise: test membership in a set literal with in
import cpp
from Macro macro
where macro.getName() in ["ntohs", "ntohl", "ntohll"]
select macro, "found macro"
or use a regular expression (regexpMatch must match the whole macro name, so no anchors are needed and a macro such as ntohs_unaligned is not matched)
import cpp
from Macro macro
where macro.getName().regexpMatch("ntoh(s|l|ll)")
select macro, "found macro"
step-6
query the calls to a function (each FunctionCall is one call site; the function containing the call is fc.getEnclosingFunction())
import cpp
from FunctionCall fc
where fc.getTarget().getName() = "memcpy"
select fc, "call to memcpy"
step-7
query the invocations of macros
import cpp
from MacroInvocation mi
where mi.getMacro().getName().regexpMatch("ntoh(s|l|ll)")
select mi
step-8
query the expressions that correspond to macro invocations.
import cpp
from MacroInvocation mi
where mi.getMacro().getName().regexpMatch("ntoh(s|l|ll)")
select mi.getExpr()
step-9
Write your own CodeQL class to represent a set of interesting source code elements
To define a class, you write:
- The keyword class.
- The name of the class. This is an identifier starting with an uppercase letter.
- The supertypes that the class is derived from, via extends and/or instanceof.
- The body of the class, enclosed in braces.
class OneTwoThree extends int {
  OneTwoThree() { // characteristic predicate
    this = 1 or this = 2 or this = 3
  }

  string getAString() { // member predicate
    result = "One, two or three: " + this.toString()
  }

  predicate isEven() { // member predicate
    this = 2
  }
}
import cpp

/**
 * An expression involved when swapping the byte order of network data.
 * Its value is likely to have been read from the network.
 */
class NetworkByteSwap extends Expr {
  NetworkByteSwap() {
    exists(MacroInvocation mi |
      mi.getMacroName().regexpMatch("ntoh(s|l|ll)") and
      this = mi.getExpr()
    )
  }
}

from NetworkByteSwap n
select n
step-10
query to track the flow of tainted data from network-controlled integers (the results of ntohs/ntohl/ntohll) to the length argument of memcpy. Note that the results view only renders the source-to-sink path when the query carries a metadata comment with @kind path-problem above the imports; without it the same four-column select is shown as a plain table.
import cpp
import semmle.code.cpp.dataflow.TaintTracking
import DataFlow::PathGraph

/**
 * An expression involved when swapping the byte order of network data.
 * Its value is likely to have been read from the network.
 */
class NetworkByteSwap extends Expr {
  NetworkByteSwap() {
    exists(MacroInvocation mi |
      mi.getMacroName().regexpMatch("ntoh(s|l|ll)") and
      this = mi.getExpr()
    )
  }
}

class Config extends TaintTracking::Configuration {
  // The characteristic predicate only has to bind `this` to a unique string.
  Config() { this = "no matter" }

  // Sources: results of ntohs/ntohl/ntohll, i.e. integers read from the network.
  override predicate isSource(DataFlow::Node source) {
    source.asExpr() instanceof NetworkByteSwap
  }

  // Sinks: the third argument of memcpy, the number of bytes to copy.
  override predicate isSink(DataFlow::Node sink) {
    exists(FunctionCall fc |
      fc.getTarget().getName() = "memcpy" and
      sink.asExpr() = fc.getArgument(2)
    )
  }
}

from Config cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink, source, sink, "Network byte swap flows to memcpy"
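The TaintTracking::Configuration class used above is deprecated in newer releases of the CodeQL C/C++ libraries, which instead take a module implementing DataFlow::ConfigSig and instantiate TaintTracking::Global with it. The following is an added example, not part of the original lab notes or of the CodeQL U-Boot challenge, that rewrites the step-10 query in that form and adds the path-problem metadata. The query name, description and id are chosen here; the sink additionally matches memcpy through hasGlobalOrStdName so that std::memcpy is covered as well.

```ql
/**
 * @name Network data flows to memcpy length
 * @description An integer read from the network through ntohs/ntohl/ntohll
 *              reaches the length argument of memcpy without being checked.
 * @kind path-problem
 * @problem.severity warning
 * @id cpp/lab/network-byte-swap-to-memcpy-length
 */

import cpp
import semmle.code.cpp.dataflow.new.DataFlow
import semmle.code.cpp.dataflow.new.TaintTracking

/**
 * An expression involved when swapping the byte order of network data.
 * Its value is likely to have been read from the network.
 */
class NetworkByteSwap extends Expr {
  NetworkByteSwap() {
    exists(MacroInvocation mi |
      mi.getMacroName().regexpMatch("ntoh(s|l|ll)") and
      this = mi.getExpr()
    )
  }
}

/** Taint configuration: ntoh* results are sources, memcpy lengths are sinks. */
module NetworkToMemcpyConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) {
    source.asExpr() instanceof NetworkByteSwap
  }

  predicate isSink(DataFlow::Node sink) {
    exists(FunctionCall fc |
      // memcpy (or std::memcpy); plain getName() would also match an
      // unrelated function called memcpy in some other namespace.
      fc.getTarget().hasGlobalOrStdName("memcpy") and
      sink.asExpr() = fc.getArgument(2)
    )
  }
}

// Instantiate global taint tracking with the configuration module and
// pull in its PathGraph so the results view can draw source-to-sink paths.
module NetworkToMemcpyFlow = TaintTracking::Global<NetworkToMemcpyConfig>;

import NetworkToMemcpyFlow::PathGraph

from NetworkToMemcpyFlow::PathNode source, NetworkToMemcpyFlow::PathNode sink
where NetworkToMemcpyFlow::flowPath(source, sink)
select sink.getNode(), source, sink,
  "This memcpy length depends on a value read from the network $@.", source.getNode(),
  "here"
```

The module name NetworkToMemcpyFlow is arbitrary; what matters is that the PathGraph import, the PathNode type and the flowPath predicate all come from the same instantiated module, otherwise the path edges do not line up with the selected nodes.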