xin

klee-build/symbolic-engine/src/klee_output/info

@@ -1,11 +1,11 @@
-klee --posix-runtime --output-dir=klee_output --max-time=600 --max-memory=32768 --max-instructions=10000000 --max-solver-time=120 --max-forks=500 --max-stack-frames=50 --max-sym-array-size=1000 --batch-instructions=200 --search=random-path --rng-seed=507 --use-independent-solver --optimize comprehensive_vulnerability_test.c.bc
-PID: 70335
+klee --posix-runtime --output-dir=klee_output --max-time=600 --max-memory=32768 --max-instructions=10000000 --max-solver-time=120 --max-forks=500 --max-stack-frames=50 --max-sym-array-size=1000 --batch-instructions=200 --search=random-path --rng-seed=362 --use-independent-solver --optimize comprehensive_vulnerability_test.c.bc
+PID: 3916
 Using monotonic steady clock with 1/1000000000s resolution
-Started: 2025-10-28 17:21:26
+Started: 2025-10-30 14:48:36
 BEGIN searcher description
 RandomPathSearcher
 END searcher description
-Finished: 2025-10-28 17:21:26
+Finished: 2025-10-30 14:48:36
 Elapsed: 00:00:00
 KLEE: done: explored paths = 1
 KLEE: done: total queries = 0

klee-build/symbolic-engine/src/klee_output/messages.txt

@@ -1,8 +1,8 @@
 KLEE: Using Z3 solver backend
 KLEE: Deterministic allocator: Using quarantine queue size 8
-KLEE: Deterministic allocator: globals (start-address=0x76a8a7a00000 size=10 GiB)
-KLEE: Deterministic allocator: constants (start-address=0x76a627a00000 size=10 GiB)
-KLEE: Deterministic allocator: heap (start-address=0x75a627a00000 size=1024 GiB)
-KLEE: Deterministic allocator: stack (start-address=0x758627a00000 size=128 GiB)
+KLEE: Deterministic allocator: globals (start-address=0x7278f0000000 size=10 GiB)
+KLEE: Deterministic allocator: constants (start-address=0x727670000000 size=10 GiB)
+KLEE: Deterministic allocator: heap (start-address=0x717670000000 size=1024 GiB)
+KLEE: Deterministic allocator: stack (start-address=0x715670000000 size=128 GiB)
 KLEE: ERROR: comprehensive_vulnerability_test.c:178: memory error: out of bound pointer
 KLEE: NOTE: now ignoring this error at this location

klee-build/symbolic-engine/src/klee_output/run.istats

@@ -1,6 +1,6 @@
 version: 1
 creator: klee
-pid: 70335
+pid: 3916
 cmd: klee_init_env64_Debug+Asserts.bc
 
 

klee-build/symbolic-engine/src/klee_output/test000001.ptr.err

@@ -5,9 +5,9 @@ assembly.ll line: 981
 State: 1
 Stack: 
 	#000000981 in test_buffer_overflow_vulnerabilities() at comprehensive_vulnerability_test.c:178
-	#100000875 in __klee_posix_wrapped_main(1, 129597007986688) at comprehensive_vulnerability_test.c:93
-	#200000828 in main(1, 130474791927808, 130474791927824) at runtime/POSIX/klee_init_env.c:244
+	#100000875 in __klee_posix_wrapped_main(1, 124994017296384) at comprehensive_vulnerability_test.c:93
+	#200000828 in main(1, 125871801237504, 125871801237520) at runtime/POSIX/klee_init_env.c:244
 Info: 
-	address: 129255558086676
-	next: object at 129228714541056 of size 4
+	address: 124652567396372
+	next: object at 124625723850752 of size 4
 		MO389[4] allocated at __klee_posix_wrapped_main():  %4 = alloca i32, align 4

klee-build/symbolic-engine/src/klee_output/warnings.txt

@@ -20,9 +20,9 @@ KLEE: WARNING: undefined reference to function: strcpy
 KLEE: WARNING: undefined reference to function: strlen
 KLEE: WARNING: undefined reference to function: strncmp
 KLEE: WARNING ONCE: Alignment of memory from call "malloc" is not modelled. Using alignment of 8.
-KLEE: WARNING ONCE: calling external: syscall(4, 130458014711808, 129274885439488) at runtime/POSIX/fd.c:530 5
-KLEE: WARNING ONCE: calling external: printf(130462376787968) at comprehensive_vulnerability_test.c:78 5
-KLEE: WARNING ONCE: calling external: signal(2, 130459189116928) at comprehensive_vulnerability_test.c:82 5
-KLEE: WARNING ONCE: calling external: strcpy(129249115635712, 129272737955840) at comprehensive_vulnerability_test.c:168 10
-KLEE: WARNING ONCE: calling external: strcat(129257705570304, 130461974134784) at comprehensive_vulnerability_test.c:172 10
-KLEE: WARNING ONCE: calling external: sprintf(129246968152064, 130460262858752, 129272737955840) at comprehensive_vulnerability_test.c:176 9
+KLEE: WARNING ONCE: calling external: syscall(4, 125855024021504, 124671894749184) at runtime/POSIX/fd.c:530 5
+KLEE: WARNING ONCE: calling external: printf(125859386097664) at comprehensive_vulnerability_test.c:78 5
+KLEE: WARNING ONCE: calling external: signal(2, 125856198426624) at comprehensive_vulnerability_test.c:82 5
+KLEE: WARNING ONCE: calling external: strcpy(124646124945408, 124669747265536) at comprehensive_vulnerability_test.c:168 10
+KLEE: WARNING ONCE: calling external: strcat(124654714880000, 125858983444480) at comprehensive_vulnerability_test.c:172 10
+KLEE: WARNING ONCE: calling external: sprintf(124643977461760, 125857272168448, 124669747265536) at comprehensive_vulnerability_test.c:176 9

klee-build/symbolic-engine/src/ktest_exploit_generator.c

@@ -126,23 +126,38 @@ void generate_exploit_code(const char* source_file, const char* ktest_file,
     fprintf(f, "    printf(\"=== PoC 漏洞复现代码 ===\\n\");\n");
     fprintf(f, "    printf(\"从 .ktest 文件提取的数据:\\n\");\n\n");
     
+    // 声明符号变量
     for (int i = 0; i < obj_count; i++) {
         KTestObject* obj = &objects[i];
         fprintf(f, "    printf(\"%s (size=%d)\\n\");\n", obj->var_name, obj->var_size);
-        
         if (obj->var_size <= 256) {
             fprintf(f, "    unsigned char %s[%d];\n", obj->var_name, obj->var_size);
             fprintf(f, "    memcpy(%s, %s_data, %d);\n", obj->var_name, obj->var_name, obj->var_size);
         } else {
-            fprintf(f, "    char* %s = \"%s\"; // 截断显示\n", 
-                   obj->var_name, obj->var_name);
+            fprintf(f, "    char* %s = \"%s\"; // 截断显示\n", obj->var_name, obj->var_name);
         }
     }
-    
+
+    // ------- 自动化主调接口模板区（开发者可自定义） -------
+    fprintf(f, "\n    // ==== 自动生成调用区 ====");
+    fprintf(f, "    // 请修改为目标漏洞函数原型，示例：\n");
+    fprintf(f, "    // extern void target_function(unsigned char *data, int len);\n");
+    fprintf(f, "    //\n");
+    // 自动组织调用参数列表
+    fprintf(f, "    // PoC 自动调用示例：\n");
+    fprintf(f, "    // target_function(");
+    for (int i = 0; i < obj_count; i++) {
+        KTestObject* obj = &objects[i];
+        fprintf(f, "%s%s", obj->var_name, (i < obj_count - 1 ? ", " : ""));
+    }
+    if(obj_count > 0)
+        fprintf(f, ", ");
+    fprintf(f, "/* 其他参数 */ );\n");
+    fprintf(f, "    // === 请将上面调用替换为实际函数并补全参数类型 ===\n");
+    // ------------------------------------------------------
+
     fprintf(f, "\n    printf(\"\\n执行漏洞复现函数...\\n\");\n");
-    fprintf(f, "    // TODO: 调用原代码中的漏洞函数\n");
-    fprintf(f, "    // 将上述数据作为参数传递\n");
-    fprintf(f, "    \n");
+    fprintf(f, "    // 这里应执行目标函数，建议上方模板替换调用\n");
     fprintf(f, "    return 0;\n");
     fprintf(f, "}\n");
     

klee-build/symbolic-engine/src/output/archives/history.json

@@ -1,25 +1,25 @@
 {
   "version": "1.0",
   "total_entries": 1,
-  "last_updated": "2025-10-28 17:21:26",
+  "last_updated": "2025-10-30 14:48:36",
   "entries": [
     {
-      "archive_id": "analysis_1761643286_0",
-      "timestamp": "2025-10-28_17-21-26",
+      "archive_id": "analysis_1761806916_0",
+      "timestamp": "2025-10-30_14-48-36",
       "source_file": "comprehensive_vulnerability_test.c",
       "file_hash": "21207_1761036648",
       "vuln_count": 100,
       "klee_confirmed": 0,
       "coverage_rate": 42.00,
-      "analysis_time_ms": 546,
+      "analysis_time_ms": 1322,
       "reports": {
-        "html": "output/reports/analysis_1761643286_0_static_analysis_report.html",
-        "json": "output/reports/analysis_1761643286_0_static_analysis_report.json",
-        "txt": "output/reports/analysis_1761643286_0_static_analysis_report.txt",
-        "enhanced_html": "output/reports/analysis_1761643286_0_enhanced_analysis_report.html",
-        "enhanced_json": "output/reports/analysis_1761643286_0_enhanced_analysis_report.json"
+        "html": "output/reports/analysis_1761806916_0_static_analysis_report.html",
+        "json": "output/reports/analysis_1761806916_0_static_analysis_report.json",
+        "txt": "output/reports/analysis_1761806916_0_static_analysis_report.txt",
+        "enhanced_html": "output/reports/analysis_1761806916_0_enhanced_analysis_report.html",
+        "enhanced_json": "output/reports/analysis_1761806916_0_enhanced_analysis_report.json"
       },
-      "archive_path": "output/archives/analysis_1761643286_0_archive.tar.gz"
+      "archive_path": "output/archives/analysis_1761806916_0_archive.tar.gz"
     }
   ]
 }

klee-build/symbolic-engine/src/output/enhanced_analysis_report.html

@@ -14,7 +14,7 @@ body { font-family: Arial, sans-serif; margin: 20px; }
 </head><body>
 <div class='header'>
 <h1>🔍 智能符号执行分析报告</h1>
-<p>分析时间: 2025-10-28 17:21:26</p>
+<p>分析时间: 2025-10-30 14:48:35</p>
 <p>源文件: 未知</p>
 </div>
 <div class='section'>

klee-build/symbolic-engine/src/output/enhanced_analysis_report.json

@@ -1,6 +1,6 @@
 {
   "analysis_summary": {
-    "timestamp": "2025-10-28 17:21:26",
+    "timestamp": "2025-10-30 14:48:35",
     "source_file": "未知",
     "analysis_time_ms": 0,
     "total_vulnerabilities": 100,

klee-build/symbolic-engine/src/output/static_analysis_report.json

@@ -1,8 +1,8 @@
 {
   "analysis_metadata": {
-    "timestamp": "2025-10-28 17:21:26",
+    "timestamp": "2025-10-30 14:48:35",
     "file_hash": "21207_1761036648",
-    "analysis_time_ms": 546
+    "analysis_time_ms": 1322
   },
   "klee_analysis": {
     "total_instructions": 2817,

klee-build/symbolic-engine/src/output/static_analysis_report.txt

@@ -1,8 +1,8 @@
 === 通用化软件漏洞分析 - 符号执行引擎报告 ===
 
-分析时间: 2025-10-28 17:21:26
+分析时间: 2025-10-30 14:48:35
 文件哈希: 21207_1761036648
-分析耗时: 546 毫秒
+分析耗时: 1322 毫秒
 
 === 执行摘要 ===
 总指令数: 2817