def isLinuxOverlap(self, cpu, cell_name, pid, address): ''' is the given address the last page of text and does it overlap the first page of data? ''' if pid in self.__text_start[cell_name]: given, dum = pageUtils.adjust(address, 0, self.top.PAGE_SIZE) last_text, dum = pageUtils.adjust( self.__text_start[cell_name][pid], 0, self.top.PAGE_SIZE) if given == last_text and self.onSamePage(cpu, cell_name, pid): return True else: return False else: return False
def setBreakRange(self, cell_name, pid, start, length, cpu, comm): ''' Set breakpoints to carpet the process's address space ''' self.lgr.debug('setBreakRange begin') start, end = pageUtils.adjust(start, length, self.page_size) cell = cpu.physical_memory #my_args = procInfo.procInfo(comm, cpu, pid, None, False) self.lgr.debug( 'Adding breakpoints for %s:%d (%s) at %x through %x, given length was %x' % (cell_name, pid, comm, start, end, length)) while start <= end: limit = start + self.page_size phys_block = cpu.iface.processor_info.logical_to_physical( start, Sim_Access_Read) if phys_block.address != 0: all_break_num = SIM_breakpoint(cell, Sim_Break_Physical, Sim_Access_Execute, phys_block.address, self.page_size, 0) self.the_breaks.append(all_break_num) elif phys_block.address == 0: self.lgr.debug( 'runToUserSpace FAILED breakpoints for %s:%d (%s) at %x ' % (cell_name, pid, comm, start)) start = limit
def nonCodeRangeRemove(self, cell_name, pid, cpu, start, length): cell = cpu.physical_memory start, end = pageUtils.adjust(start, length, self.page_size) while start < end: limit = start + self.page_size self.hap_manager.rm(cell_name, pid, start) start = limit
def nonCodeBreakRange(self, cell_name, pid, cpu, start, length, init=False): cell = cpu.physical_memory start, end = pageUtils.adjust(start, length, self.page_size) self.lgr.debug('nonCodeBreakRangePhys %s:%d start: %x end: %x' % (cell_name, pid, start, end)) while start < end: limit = start + self.page_size #self.lgr.debug('nonCodeBreakRange call hap manager start: %x page: %x' % (start, self.page_size)) self.hap_manager.add(cpu, cell_name, pid, start, self.page_size, Sim_Access_Execute, self.non_code_callback) start = limit
def doRopPhys(self, cpu, start, length, cell_name, pid, comm): cell = cpu.physical_memory start, end = pageUtils.adjust(start, length, self.page_size) #dumcpu, cur_addr, comm, pid = self.os_utils[cell_name].currentProcessInfo() #self.lgr.debug('Adding Rop Cop breakpoints for %s:%d (%s) at %x through %x, given length was %x ' % (cell_name, pid, comm, start, end, length)) phys_block = cpu.iface.processor_info.logical_to_physical( start, Sim_Access_Read) #self.lgr.debug('add break at %x' % phys_block.address) code_break_num = SIM_breakpoint(cell, Sim_Break_Physical, Sim_Access_Execute, phys_block.address, length, 0) self.kernel_ret_break[cpu].append(code_break_num) command = 'set-prefix %d "ret"' % code_break_num SIM_run_alone(SIM_run_command, command) hap_num = SIM_hap_add_callback_index("Core_Breakpoint_Memop", self.rop_cop_ret_callback, cpu, code_break_num) self.kernel_ret_hap[cpu].append(hap_num)
def ropCopBreakRangePhys(self, cell_name, pid, start, length, cpu, comm, top=False, from_loader=False): start, end = pageUtils.adjust(start, length, self.page_size) cell = cpu.physical_memory my_args = procInfo.procInfo(comm, cpu, pid, None, False) self.lgr.debug('Adding Rop Cop breakpoints for %s:%d (%s) at %x through %x, given length was %x' % (cell_name, pid, comm, start, end, length)) while start <= end: limit = start + self.page_size phys_block = cpu.iface.processor_info.logical_to_physical(start, Sim_Access_Read) if phys_block.address != 0: if from_loader and self.hap_manager.hasCodePage(cell_name, pid, start): # duplicate pages in program header, we are parsing backwards, so skip this. self.lgr.debug('ropCopBreakRange, already did code page for %x, skipping this page' % start) elif not self.useDiscreteReturns(comm, pid, start, limit, cpu, cell_name, cell, my_args): self.lgr.debug('ropCopBreakRange not using discrete returns for %s, phys %x (virt: %x)' % (comm, phys_block.address, start)) # Set exectution breakpoints for "ret" instructions code_break_num = SIM_breakpoint(cell, Sim_Break_Physical, Sim_Access_Execute, phys_block.address, self.page_size, 0) #self.checkExceptions(code_break_num, start, limit, cpu) command = 'set-prefix %d "ret"' % code_break_num SIM_run_alone(SIM_run_command, command) cb_num = SIM_hap_add_callback_index("Core_Breakpoint_Memop", self.rop_cop_ret_callback, my_args, code_break_num) # use 'kind' of 2 to indicate these are Rop breaks self.hap_manager.addBreak(cell_name, pid, code_break_num, start, 2) self.hap_manager.addHap(cpu, cell_name, pid, cb_num, start, 2) if top: self.hap_manager.setTextTop(cell_name, physical_block.address) elif phys_block.address == 0: self.lgr.debug('FAILED Rop Cop breakpoints for %s:%d (%s) at %x ' % (cell_name, pid, comm, start)) start = limit
def setBreakRange(self, cell_name, pid, start, length, cpu, comm, call_ret, reg=None): ''' Set breakpoints to carpet the process's address space ''' self.lgr.debug('setBreakRange begin') start, end = pageUtils.adjust(start, length, self.page_size) cell = cpu.physical_memory my_args = procInfo.procInfo(comm, cpu, pid, None, False) self.lgr.debug( 'Adding breakpoints for %s:%d (%s) at %x through %x, given length was %x' % (cell_name, pid, comm, start, end, length)) while start <= end: limit = start + self.page_size phys_block = cpu.iface.processor_info.logical_to_physical( start, Sim_Access_Read) if phys_block.address != 0: if call_ret: # Set exectution breakpoints for "call" and "ret" instructions call_break_num = SIM_breakpoint(cell, Sim_Break_Physical, Sim_Access_Execute, phys_block.address, self.page_size, 0) self.the_breaks.append(call_break_num) if cpu.architecture == 'arm': command = 'set-prefix %d "bl"' % call_break_num else: command = 'set-prefix %d "call"' % call_break_num SIM_run_alone(SIM_run_command, command) if cpu.architecture == 'arm': ret_break_num = SIM_breakpoint(cell, Sim_Break_Physical, Sim_Access_Execute, phys_block.address, self.page_size, 0) self.the_breaks.append(ret_break_num) command = 'set-substr %d "PC"' % ret_break_num SIM_run_alone(SIM_run_command, command) ret_break_num = SIM_breakpoint(cell, Sim_Break_Physical, Sim_Access_Execute, phys_block.address, self.page_size, 0) self.the_breaks.append(ret_break_num) command = 'set-substr %d "LR"' % ret_break_num SIM_run_alone(SIM_run_command, command) else: ret_break_num = SIM_breakpoint(cell, Sim_Break_Physical, Sim_Access_Execute, phys_block.address, self.page_size, 0) self.the_breaks.append(ret_break_num) command = 'set-prefix %d "ret"' % ret_break_num SIM_run_alone(SIM_run_command, command) self.lgr.debug( 'done setting breakpoints for call and ret addr: %x', phys_block.address) elif reg is not None: all_break_num = SIM_breakpoint(cell, Sim_Break_Physical, Sim_Access_Execute, phys_block.address, self.page_size, 0) # TBD substr only applies to mnemonic? #command = 'set-substr %d "%s"' % (all_break_num, reg) #SIM_run_alone(SIM_run_command, command) self.the_breaks.append(all_break_num) self.lgr.debug( 'done setting breakpoints for reg substring %s addr: %x' % (reg, phys_block.address)) else: all_break_num = SIM_breakpoint(cell, Sim_Break_Physical, Sim_Access_Execute, phys_block.address, self.page_size, 0) self.lgr.debug( 'setBreakRange set phys addr 0x%x linear 0x%x' % (phys_block.address, start)) self.the_breaks.append(all_break_num) elif phys_block.address == 0: self.lgr.debug( 'reverseToCall FAILED breakpoints for %s:%d (%s) at %x ' % (cell_name, pid, comm, start)) start = limit self.lgr.debug('setBreakRange done')
def __init__(self, start, length, page_size): start, end = pageUtils.adjust(start, length, page_size) self.start = start self.end = end