Beispiel #1
0
def str_with_len(name):
    return Struct(name,
                  UNInt32("len"),
                  Anchor("start"),
                  CString(name),
                  Anchor("offset"),
                  pad())
Beispiel #2
0
def string_list(name, extra = Pass):
    return PrefixedArray(Struct(name,
                               UNInt32("len"),
                               Anchor("start"),
                               CString(name),
                               Anchor("offset"),
                               pad(),
                               extra), UNInt32("nr"))
Beispiel #3
0
def build_id():
    return Struct("build_id",
                  Anchor("start"),
                  UNInt32("type"),
                  UNInt16("misc"),
                  UNInt16("size"),
                  SNInt32("pid"),
                  HexDumpAdapter(String("build_id", 24)),
                  CString("filename"),
                  Anchor("offset"),
                  pad("size"))
Beispiel #4
0
def mmap():
    return Struct("mmap",
                  SNInt32("pid"),
                  SNInt32("tid"),
                  UNInt64("addr"),
                  UNInt64("len"),
                  UNInt64("pgoff"),
                  Anchor("start_of_filename"),
                  CString("filename"),
                  Anchor("end_of_filename"),
                  # hack for now. this shouldn't be needed.
                  If(lambda ctx: True, # XXX
                     Embedded(Pointer(lambda ctx:
                                      ctx.size + ctx.start -
                                      sample_id_size(ctx),
                                      sample_id()))))
Beispiel #5
0
def RRName(name):
    '''
    A Resource Record Name structure. Supports DNS pointer compression through
    the MovingPointer class
    '''
    return Struct(
        name,
        Anchor('_start'),
        Union(
            'length_or_offset',
            UBInt8('length'),  # regular label
            UBInt16('offset'),  # compression pointer
        ),
        IfThenElse(
            'name',
            this.length_or_offset.length & 0xc0 == 0xc0,
            # compression pointer
            MovingPointer(
                lambda ctx: ctx.length_or_offset.offset & ~0xc000,
                Label(name),
                offset=1,
                whence=os.SEEK_CUR,
            ),
            # regular label
            MovingPointer(this._start, Label(name)),
        ),
    )
Beispiel #6
0
def perf_event():
    return Struct(
        "perf_event",
        Anchor("start"),
        perf_event_header(),
        Anchor("header_end"),
        Switch(
            "data",
            lambda ctx: ctx.type,
            {
                "MMAP":
                mmap(),  # noqa E121
                "MMAP2":
                mmap2(),
                "LOST":
                Struct("lost", UNInt64("id"), UNInt64("lost"), sample_id()),
                "COMM":
                Struct("comm", SNInt32("pid"), SNInt32("tid"), CString("comm"),
                       sample_id()),
                "EXIT":
                fork_exit("exit"),
                "THROTTLE":
                throttle("throttle"),
                "UNTHROTTLE":
                throttle("unthrottle"),
                "FINISHED_ROUND":
                Pass,
                "FORK":
                fork_exit("fork"),
                "READ":
                Embedded(
                    Struct("read_event", SNInt32("pid"), SNInt32("tid"),
                           read_format(), sample_id())),
                "SAMPLE":
                event()
            }),
        Anchor("end"),
        Padding(lambda ctx: ctx.size - (ctx.end - ctx.start)))
Beispiel #7
0
def event():
    return Embedded(
        Struct(
            "event",
            If(lambda ctx: sample_type(ctx).identifier, UNInt64("identifier")),
            If(lambda ctx: sample_type(ctx).ip, UNInt64("ip")),
            If(lambda ctx: sample_type(ctx).tid,
               Embedded(Struct("tid", SNInt32("pid"), SNInt32("tid")))),
            If(lambda ctx: sample_type(ctx).time, UNInt64("time")),
            If(lambda ctx: sample_type(ctx).addr, UNInt64("addr")),
            If(lambda ctx: sample_type(ctx).id, UNInt64("id")),
            If(lambda ctx: sample_type(ctx).stream_id, UNInt64("stream_id")),
            If(lambda ctx: sample_type(ctx).cpu,
               Embedded(Struct("cpu", UNInt32("cpu"), UNInt32("res")))),
            If(lambda ctx: sample_type(ctx).period, UNInt64("period")),
            If(lambda ctx: sample_type(ctx).read, read_format()),
            If(
                lambda ctx: sample_type(ctx).callchain,
                Struct("callchain", UNInt64("nr"),
                       Array(lambda ctx: ctx.nr, UNInt64("caller")))),
            If(
                lambda ctx: sample_type(ctx).raw,
                Struct("raw", UNInt32("size"),
                       Bytes("raw", lambda ctx: ctx.size))),
            If(
                lambda ctx: sample_type(ctx).branch_stack,
                Struct(
                    "branch_stack",
                    UNInt64("nr"),
                    Array(
                        lambda ctx: ctx.nr,
                        Struct(
                            "branch",
                            UNInt64("from"),
                            UNInt64("to"),
                            # Little-Endian!
                            BitStruct("flags", Padding(4), Flag("abort"),
                                      Flag("in_tx"), Flag("predicted"),
                                      Flag("mispred"),
                                      Padding(64 - 1 * 8)))))),
            If(
                lambda ctx: sample_type(ctx).regs_user,
                Struct("regs_user",
                       Enum(UNInt64("abi"), NONE=0, ABI_32=1, ABI_64=2),
                       Array(lambda ctx: hweight64(ctx), UNInt64("reg")))),
            If(
                lambda ctx: sample_type(ctx).stack_user,
                Struct("stack_user", UNInt64("size"),
                       Bytes("data", lambda ctx: ctx.size),
                       UNInt64("dyn_size"))),
            If(lambda ctx: sample_type(ctx).weight, UNInt64("weight")),
            If(lambda ctx: sample_type(ctx).data_src, UNInt64("data_src")),
            If(lambda ctx: sample_type(ctx).transaction,
               UNInt64("transaction")),
            If(
                lambda ctx: sample_type(ctx).regs_intr,
                Struct("regs_intr",
                       Enum(UNInt64("abi"), NONE=0, ABI_32=1, ABI_64=2),
                       Array(lambda ctx: hweight64(ctx), UNInt64("reg")))),
            Anchor("end_event"),
            Padding(lambda ctx: max(0, ctx.size - ctx.end_event))))
Beispiel #8
0
                "SAMPLE":
                event()
            }),
        Anchor("end"),
        Padding(lambda ctx: ctx.size - (ctx.end - ctx.start)))


def perf_event_seq(attr):
    return GreedyRange(perf_event(attr))


perf_event_attr_sizes = (64, 72, 80, 96, 104)

perf_event_attr = Struct(
    "perf_event_attr",
    Anchor("start"),
    Enum(UNInt32("type"),
         HARDWARE=0,
         SOFTWARE=1,
         TRACEPOINT=2,
         HW_CACHE=3,
         RAW=4,
         BREAKPOINT=5),
    UNInt32("size"),
    UNInt64("config"),
    UNInt64("sample_period_freq"),
    # must be in LE order, original is a u64
    # each byte is reversed
    BitStruct("sample_type", Flag("cpu"), Flag("id"), Flag("callchain"),
              Flag("read"), Flag("addr"), Flag("time"), Flag("tid"),
              Flag("ip"), Flag("data_src"), Flag("weight"), Flag("stack_user"),
Beispiel #9
0
def perf_event():
    return Struct("perf_event",
                  Anchor("start"),
                  perf_event_header(),
                  Anchor("header_end"),
                  Switch("data",
                           lambda ctx: ctx.type,
                           {
                              "MMAP": mmap(), # noqa E121
                              "MMAP2": mmap2(),
                              "LOST": Struct("lost",
                                              UNInt64("id"),
                                              UNInt64("lost"),
                                             sample_id()),
                              "COMM": Struct("comm",
                                             SNInt32("pid"),
                                             SNInt32("tid"),
                                             CString("comm"),
                                             sample_id()),
                              "EXIT": fork_exit("exit"),
                              "THROTTLE": throttle("throttle"),
                              "UNTHROTTLE": throttle("unthrottle"),
                              "FINISHED_ROUND": Pass,
                              "FORK": fork_exit("fork"),
                              "READ": Embedded(Struct("read_event",
                                                      SNInt32("pid"),
                                                      SNInt32("tid"),
                                                      read_format(),
                                                      sample_id())),
                              "SAMPLE": event(),
                              "TIME_CONV": time_conv(),
                              "THREAD_MAP": thread_map(),

                              # below are the so far not handled ones. Dump their
                              # raw data only
                              "RECORD_AUX": ignore(),
                              "AUX": ignore(),
                              "ITRACE_START": ignore(),
                              "LOST_SAMPLES": ignore(),
                              "SWITCH": ignore(),
                              "SWITCH_CPU_WIDE": ignore(),
                              "NAMESPACES": ignore(),
                              "KSYMBOL": ignore(),
                              "BPF_EVENT": ignore(),
                              "CGROUP": ignore(),
                              "HEADER_ATTR": ignore(),
                              "HEADER_EVENT_TYPE": ignore(),
                              "TRACING_DATA": ignore(),
                              "HEADER_BUILD_ID": ignore(),
                              "ID_INDEX": ignore(),
                              "AUXTRACE_INFO": ignore(),
                              "AUXTRACE": ignore(),
                              "AUXTRACE_ERROR": ignore(),
                              "CPU_MAP": ignore(),
                              "STAT": ignore(),
                              "STAT_ROUND": ignore(),
                              "EVENT_UPDATE": ignore(),
                              "HEADER_FEATURE": ignore(),
                              "COMPRESSED": ignore(),
                           }),
                        Anchor("end"),
                        Padding(lambda ctx:
                                    ctx.size - (ctx.end - ctx.start)))
Beispiel #10
0
                              "STAT_ROUND": ignore(),
                              "EVENT_UPDATE": ignore(),
                              "HEADER_FEATURE": ignore(),
                              "COMPRESSED": ignore(),
                           }),
                        Anchor("end"),
                        Padding(lambda ctx:
                                    ctx.size - (ctx.end - ctx.start)))

def perf_event_seq(attr):
    return GreedyRange(perf_event(attr))

perf_event_attr_sizes = (64, 72, 80, 96, 104)

perf_event_attr = Struct("perf_event_attr",
                         Anchor("start"),
                         Enum(UNInt32("type"),
                              HARDWARE = 0,
                              SOFTWARE = 1,
                              TRACEPOINT = 2,
                              HW_CACHE = 3,
                              RAW = 4,
                              BREAKPOINT = 5),
                         UNInt32("size"),
                         UNInt64("config"),
                         UNInt64("sample_period_freq"),
                         # must be in LE order, original is a u64
                         # each byte is reversed
                         BitStruct("sample_type",
                                   Flag("cpu"),
                                   Flag("id"),
Beispiel #11
0
def ResourceRecord(name):
    return Struct(
        name,
        Embed(RRNAME),
        TYPE,
        CLASS,
        TTL,
        RDLENGTH,
        RDATA,
    )


# The DNS packet header itself, combining all of the above
DNSHeader = Struct(
    'DNSHeader',
    Anchor('packet_start'),
    UBInt16('identification'),
    BitStruct(
        'flags_and_codes',
        Enum(
            BitField('qr', 1),  # query/response
            QUERY=0,
            RESPONSE=1,
        ),
        Nibble('opcode'),  # opcode
        Enum(
            Flag('aa'),  # authoritative answer
            NON_AUTHORITATIVE=0,
            AUTHORITATIVE=1,
        ),
        Enum(