def __init__(self, address): if address != const.NULL_PTR: self.ip_object_object = IPCObject(address) self.ip_messages = utils.get_8_byte_at( address + const.IPCPortOffsets.IP_MSG.value) self.data = utils.get_8_byte_at(address + const.IPCPortOffsets.DATA.value) self.kdata = utils.get_8_byte_at(address + const.IPCPortOffsets.KDATA.value) self.kdata2 = utils.get_8_byte_at( address + const.IPCPortOffsets.KDATA2.value) self.ip_context = utils.get_8_byte_at( address + const.IPCPortOffsets.IP_CTXT.value) four_byte_data = utils.get_4_byte_at( address + const.IPCPortOffsets.IP_SPREQ.value) self.ip_sprequests = (four_byte_data & (1 << 0)) self.ip_spimportant = (four_byte_data & (1 << 1)) self.ip_impdonation = (four_byte_data & (1 << 2)) self.ip_tempowner = (four_byte_data & (1 << 3)) self.ip_guarded = (four_byte_data & (1 << 4)) self.ip_strict_guard = (four_byte_data & (1 << 5)) self.ip_specialreply = (four_byte_data & (1 << 6)) self.ip_sync_link_state = (four_byte_data & (0x000001ff)) self.ip_impcount = (four_byte_data & (0xfffffe00)) self.ip_mscount = utils.get_4_byte_at( address + const.IPCPortOffsets.IP_MSCNT.value) self.ip_srights = utils.get_4_byte_at( address + const.IPCPortOffsets.IP_SRIGHTS.value) self.ip_sorights = utils.get_4_byte_at( address + const.IPCPortOffsets.IP_SORIGHTS.value)
def __next__(self): if self.next_thread_ptr != self.stop_contition: self.result = Thread(self.next_thread_ptr) if self.type == const.ThrdItrType.GLOBAL: self.next_thread_ptr = utils.get_8_byte_at( self.result.global_threads_ptr) else: self.next_thread_ptr = utils.get_8_byte_at( self.result.curr_task_threads_ptr) return self.result raise StopIteration
def __iter__(self): if self.type == const.ThrdItrType.GLOBAL: self.next_thread_ptr = utils.get_8_byte_at( const.GLOBAL_THREADS_PTR) self.stop_contition = const.GLOBAL_THREADS_PTR else: relevant_task = Task(self.task_ptr) self.next_thread_ptr = utils.get_8_byte_at( relevant_task.threads_lst_ptr) self.stop_contition = self.task_ptr + \ const.TaskOffsets.THREAD_LST_FROM_TASK.value return self
def __init__(self, address): if address != const.NULL_PTR: self.io_bits = utils.get_4_byte_at( address) # parse it from ipc_object self.io_references = utils.get_4_byte_at( address + const.IPCObjectOffsets.IO_REFS.value) self.io_lock_data_1 = utils.get_8_byte_at( address + const.IPCObjectOffsets.IO_LOCK_DATA.value) self.io_lock_data_2 = utils.get_8_byte_at( address + const.IPCObjectOffsets.IO_LOCK_DATA.value + 0x08) # next else: raise gdb.GdbError(f"Wrong pointer to IPC Object {address}")
def __init__(self, address): if address != const.NULL_PTR: self.io_bits = utils.get_4_byte_at( address) # parse it from ipc_object self.io_references = utils.get_4_byte_at( address + const.IPCObjectOffsets.IO_REFS.value) self.io_lock_data_1 = utils.get_8_byte_at( address + const.IPCObjectOffsets.IO_LOCK_DATA.value) self.io_lock_data_2 = utils.get_8_byte_at( address + const.IPCObjectOffsets.IO_LOCK_DATA.value + 0x08) # next self.initialized = True else: self.initialized = False
def __init__(self, address): if address != const.NULL_PTR: self.address = address self.task_lst_ptr = address + const.TaskOffsets.TASK_NEXT.value self.threads_lst_ptr = address + const.TaskOffsets.THREAD_LST_FROM_TASK.value self.bsd_info_ptr = utils.get_8_byte_at( address + const.TaskOffsets.BSD_INFO.value) self.itk_self = utils.get_8_byte_at( address + const.TaskOffsets.ITK_SELF.value) self.ipc_space = utils.get_8_byte_at( address + const.TaskOffsets.IPC_SPACE.value) self.ipc_space_object = IPCSpace(self.ipc_space) self.bsdinfo_object = BsdInfo(self.bsd_info_ptr) else: raise gdb.GdbError(f"Null pointer in {__name__}")
def get_kernel_next_pc(self): if self.initialized is False or self.kernel_stack_ptr == const.NULL_PTR: return const.NULL_PTR # Get SP of thread_invoke. From Switch_context's frame kernel_saved_state = ThreadSavedState(self.kernel_stack_ptr) stack_ptr_thread_invoke = kernel_saved_state.sp # we are in thread_invoke context frame. # Look at LR and see if the next function is thread_invoke or thread_run next_to_thread_invoke = utils.get_8_byte_at( stack_ptr_thread_invoke + const.NextPcHelpOffsets.STORED_LR_IN_THREAD_INVOKE_FRAME.value) if next_to_thread_invoke == const.NextPcHelpOffsets.NEXT_IN_THREAD_RUN.value: # we came to thread invoke from thread_run. # The next LR will point to the function that we want kernel_next_pc = utils.get_8_byte_at( stack_ptr_thread_invoke + const.NextPcHelpOffsets.THREAD_INVOKE_FRAME_SIZE.value + 0x38) elif next_to_thread_invoke == const.NextPcHelpOffsets.NEXT_IN_THREAD_BLOCK.value: # we came to thread invoke from thread_block. # The next LR will point to the function that we want or to exception return kernel_next_pc = utils.get_8_byte_at( stack_ptr_thread_invoke + const.NextPcHelpOffsets.THREAD_INVOKE_FRAME_SIZE.value + 0x48) else: gdb.write( f"Something went wrong for thread {hex(self.address)} " f"with getting the next pc, maybe in a middle of thread's " f"create/exit") return const.NULL_PTR # Now we can check whether the next running function is exception_return. # If so, we need to go one more frame further if kernel_next_pc == const.NextPcHelpOffsets.EXEPTION_RETURN_PTR.value: # From the kernel code (Switch_context) we know that the pointer to # saved state is stored in x21 next_x21_ptr = utils.get_8_byte_at( stack_ptr_thread_invoke + const.NextPcHelpOffsets.THREAD_INVOKE_FRAME_SIZE.value + const.NextPcHelpOffsets.X21_IN_THREAD_INVOKE_FRAME.value) if next_x21_ptr == const.NULL_PTR: return const.NULL_PTR saved_state_exception_return = ThreadSavedState(next_x21_ptr) # now we have the saved state we can get the PC pc_from_saved_state = saved_state_exception_return.pc kernel_next_pc = pc_from_saved_state return kernel_next_pc
def __init__(self, address): if address != const.NULL_PTR: self.address = address self.task_lst_ptr = address + const.TaskOffsets.TASK_NEXT.value self.threads_lst_ptr = address + const.TaskOffsets.THREAD_LST_FROM_TASK.value self.bsd_info_ptr = utils.get_8_byte_at( address + const.TaskOffsets.BSD_INFO.value) self.itk_self = utils.get_8_byte_at( address + const.TaskOffsets.ITK_SELF.value) self.ipc_space = utils.get_8_byte_at( address + const.TaskOffsets.IPC_SPACE.value) self.ipc_space_object = IPCSpace(self.ipc_space) self.bsdinfo_object = BsdInfo(self.bsd_info_ptr) self.initialized = True else: self.initialized = False
def __init__(self, address): if address != const.NULL_PTR: self.iv_hash = utils.get_8_byte_at(address) self.iv_sum = utils.get_8_byte_at(address + 0x04) self.iv_refs = utils.get_8_byte_at(address + 0x08) self.iv_table_size = utils.get_8_byte_at(address + 0x0c) self.iv_inline_table = utils.get_8_byte_at(address + 0x10) self.iv_table = utils.get_8_byte_at(address + 0x30) self.iv_port = utils.get_8_byte_at(address + 0x38) self.iv_hash_link = utils.get_8_byte_at(address + 0x40)
def __init__(self, address): if address != const.NULL_PTR: self.is_table = utils.get_8_byte_at( address + const.IPCSpaceOffsets.IS_TABLE.value) self.is_table_size = utils.get_4_byte_at( address + const.IPCSpaceOffsets.IS_TABLE_SIZE.value) self.is_table_free = utils.get_4_byte_at( address + const.IPCSpaceOffsets.IS_TABLE_FREE.value) else: raise gdb.GdbError(f"Null pointer for {__name__}")
def __init__(self, address): if address != const.NULL_PTR: self.is_table = utils.get_8_byte_at( address + const.IPCSpaceOffsets.IS_TABLE.value) self.is_table_size = utils.get_4_byte_at( address + const.IPCSpaceOffsets.IS_TABLE_SIZE.value) self.is_table_free = utils.get_4_byte_at( address + const.IPCSpaceOffsets.IS_TABLE_FREE.value) self.initialized = True else: self.initialized = False
def __init__(self, address): if address != const.NULL_PTR: self.address = address self.task_ptr = utils.get_8_byte_at(address + const.ThreadOffsets.TASK.value) self.tid = utils.get_8_byte_at(address + const.ThreadOffsets.THREAD_ID.value) self.continuation = utils.get_8_byte_at( address + const.ThreadOffsets.CONTINUATION.value) self.global_threads_ptr = address + const.ThreadOffsets.GLOBAL_THREADS.value self.curr_task_threads_ptr = address + const.ThreadOffsets.TASK_THREADS.value self.ucontext_data = utils.get_8_byte_at( address + const.ThreadOffsets.CONTEXT_USER_DATA_PTR.value) self.kernel_stack_ptr = utils.get_8_byte_at( address + const.ThreadOffsets.KSTACK_PTR.value) self.voucher_ptr = utils.get_8_byte_at( address + const.ThreadOffsets.VOUCHER_PTR.value) # Meta Data self.next_pc = const.NULL_PTR if self.is_currect(): self.next_pc = utils.print_val('$pc') elif self.ucontext_data != const.NULL_PTR: user_saved_state = ThreadSavedState(self.ucontext_data) self.next_pc = user_saved_state.pc elif self.kernel_stack_ptr != const.NULL_PTR: self.next_pc = self.get_kernel_next_pc() self.task_object = Task(self.task_ptr) else: raise gdb.GdbError(f"Null pointer in {__name__}")
def __init__(self, address): if address != const.NULL_PTR: self.address = address self.ie_object = utils.get_8_byte_at(address) self.ie_bits = utils.get_4_byte_at( address + const.IPCEntryOffsets.IE_BITS.value) self.ie_index = utils.get_4_byte_at( address + const.IPCEntryOffsets.IE_INDEX.value) self.index = utils.get_4_byte_at(address + const.IPCEntryOffsets.INDEX.value) if self.ie_object: self.ie_object_object = IPCObject(self.ie_object) else: raise gdb.GdbError(f"Wrong pointer to IPC Entry {address}")
def __init__(self, address): if address != const.NULL_PTR: self.address = address self.ie_object = utils.get_8_byte_at(address) self.ie_bits = utils.get_4_byte_at( address + const.IPCEntryOffsets.IE_BITS.value) self.ie_index = utils.get_4_byte_at( address + const.IPCEntryOffsets.IE_INDEX.value) self.index = utils.get_4_byte_at(address + const.IPCEntryOffsets.INDEX.value) if self.ie_object: self.ie_object_object = IPCObject(self.ie_object) self.initialized = True else: self.initialized = False
def __init__(self, addr): # TODO: support more versions self.offsets = StructZone.struct_offsets_16B92 self.globals = StructZone.zone_globals_16B92 self.addr = addr self.cur_size = utils.get_8_byte_at(addr + self.offsets["cur_size"]) self.max_size = utils.get_8_byte_at(addr + self.offsets["max_size"]) self.elem_size = utils.get_8_byte_at(addr + self.offsets["elem_size"]) self.alloc_size = utils.get_8_byte_at(addr + self.offsets["alloc_size"]) self.page_count = utils.get_8_byte_at(addr + self.offsets["page_count"]) self.sum_count = utils.get_8_byte_at(addr + self.offsets["sum_count"]) self.flags = utils.get_4_byte_at(addr + self.offsets["flags"]) self.index = utils.get_4_byte_at(addr + self.offsets["index"]) name_ptr = utils.get_8_byte_at(addr + self.offsets["zone_name"]) self.zone_name = utils.get_string_at(name_ptr)
def __next__(self): if self.next_task_ptr != self.stop_contition: self.result = Task(self.next_task_ptr) self.next_task_ptr = utils.get_8_byte_at(self.result.task_lst_ptr) return self.result raise StopIteration
def __init__(self): self.stop_contition = const.GLOBAL_TASKS_PTR self.next_task_ptr = utils.get_8_byte_at(const.GLOBAL_TASKS_PTR) self.result = None
def is_valid_ptr(ptr): try: utils.get_8_byte_at(ptr) return True except Exception: raise gdb.GdbError(f"Wrong pointer! {hex(ptr)}")
def is_in_kernel_space(): try: utils.get_8_byte_at(const.GLOBAL_TASKS_PTR) return True except Exception: return False
def get_current_task_ptr(): try: address = utils.print_val(const.CURRENT_THREAD) return utils.get_8_byte_at(address + const.ThreadOffsets.TASK.value) except Exception: raise gdb.GdbError(f"Error occured, maybe in user land?")
def __init__(self, address): if address != const.NULL_PTR: address += 0x08 # skip arm_state_hdr_t ash at arm_saved_state self._x0 = utils.get_8_byte_at(address) self._x1 = utils.get_8_byte_at(address + 0x08) self._x2 = utils.get_8_byte_at(address + 0x10) self._x3 = utils.get_8_byte_at(address + 0x18) self._x4 = utils.get_8_byte_at(address + 0x20) self._x5 = utils.get_8_byte_at(address + 0x28) self._x6 = utils.get_8_byte_at(address + 0x30) self._x7 = utils.get_8_byte_at(address + 0x38) self._x8 = utils.get_8_byte_at(address + 0x40) self._x9 = utils.get_8_byte_at(address + 0x48) self._x10 = utils.get_8_byte_at(address + 0x50) self._x11 = utils.get_8_byte_at(address + 0x58) self._x12 = utils.get_8_byte_at(address + 0x60) self._x13 = utils.get_8_byte_at(address + 0x68) self._x14 = utils.get_8_byte_at(address + 0x70) self._x15 = utils.get_8_byte_at(address + 0x78) self._x16 = utils.get_8_byte_at(address + 0x80) self._x17 = utils.get_8_byte_at(address + 0x88) self._x18 = utils.get_8_byte_at(address + 0x90) self._x19 = utils.get_8_byte_at(address + 0x98) self._x20 = utils.get_8_byte_at(address + 0xa0) self._x21 = utils.get_8_byte_at(address + 0xa8) self._x22 = utils.get_8_byte_at(address + 0xb0) self._x23 = utils.get_8_byte_at(address + 0xb8) self._x24 = utils.get_8_byte_at(address + 0xc0) self._x25 = utils.get_8_byte_at(address + 0xc8) self._x26 = utils.get_8_byte_at(address + 0xd0) self._x27 = utils.get_8_byte_at(address + 0xd8) self._x28 = utils.get_8_byte_at(address + 0xe0) self._fp = utils.get_8_byte_at(address + 0xe8) self._lr = utils.get_8_byte_at(address + 0xf0) self.sp = utils.get_8_byte_at(address + 0xf8) self.pc = utils.get_8_byte_at(address + 0x100) self._cpsr = utils.get_4_byte_at(address + 0x108) self._reserved = utils.get_4_byte_at(address + 0x10c) self._far = utils.get_8_byte_at(address + 0x110) self._esr = utils.get_4_byte_at(address + 0x118) self._exception = utils.get_4_byte_at(address + 0x11c)