def stoppedReverseModReg(self, my_args, one, exception, error_string): ''' Invoked when the simulation stops while looking for a modified register ''' cmd = 'reverse' self.lgr.debug('stoppedReverseModReg, entered looking for %s' % self.reg) dum_cpu, cur_addr, comm, pid = self.task_utils.currentProcessInfo(self.cpu) cpl = memUtils.getCPL(self.cpu) if pid == self.pid and cpl != 0: reg_mod_type = self.cycleRegisterMod() if reg_mod_type is None: if not self.tooFarBack(): ''' stepped back into kernel, rev ''' self.lgr.debug('stoppedReverseModReg must have entered kernel, continue to previous place where this process ran') SIM_run_alone(SIM_run_command, cmd) else: self.lgr.debug('stoppedReverseModReg must have backed to first cycle 0x%x' % self.start_cycles) else: ''' current eip modifies self.reg, done, or continue taint ''' if not self.taint: self.cleanup(self.cpu) else: if not self.tooFarBack(): self.followTaint(reg_mod_type) else: self.lgr.debug('stoppedReverseModReg must backed to first cycle 0x%x' % self.start_cycles) else: self.lgr.error('stoppedReverseModReg wrong process or in kernel pid is %d expected %d' % (pid, self.pid)) SIM_run_alone(SIM_run_command, cmd)
def modeChanged(self, cpu, one, old, new): self.lgr.debug('returnToUserHap mode changed') if len(self.the_hap) == 0 or self.pid is None: self.lgr.error('returnToUserHap modeChanged, %s stop hap is gone, but here we are!' % (self.cell_name)) return if cpu != self.cpu: self.lgr.debug('cpu in modeChange hap not same as starting cpu: %s %s' % (cpu.name, self.cpu.name)) cpl = memUtils.getCPL(cpu) if cpl == 0: self.lgr.error('modeChanged says new but cpl is zero') return dumcpu, cur_addr, comm, pid = self.os_p_utils.getPinfo(cpu) if pid == self.pid: reg_num = cpu.iface.int_register.get_number("rip") eip = cpu.iface.int_register.read(reg_num) current = SIM_cycle_count(cpu) self.lgr.debug('returnToUserHap modeChanged %s:%d (%s) eip %x cycle: 0x%x' % (self.cell_name, pid, comm, eip, current)) pinfo = procInfo.procInfo(self.comm, cpu, self.pid, cur_addr=cur_addr) self.pid = None SIM_run_alone(self.runAlone, pinfo) else: self.lgr.debug('returnToUserHap, modeChanged, expected pid %d got %d' % (self.pid, pid)) status = SIM_simics_is_running() if not status: self.lgr.debug('modeChanged, simics not running, continue it') SIM_run_command('continue')
def frameFromRegs(self, cpu, compat32=False): frame = {} if cpu.architecture == 'arm': for p in memUtils.param_map['arm']: frame[p] = self.mem_utils.getRegValue( cpu, memUtils.param_map['arm'][p]) cpl = memUtils.getCPL(cpu) if cpl == 0: frame['sp'] = self.mem_utils.getRegValue(cpu, 'sp_usr') frame['pc'] = self.mem_utils.getRegValue(cpu, 'lr') frame['lr'] = self.mem_utils.getRegValue(cpu, 'lr_usr') else: frame['sp'] = self.mem_utils.getRegValue(cpu, 'sp') frame['pc'] = self.mem_utils.getRegValue(cpu, 'pc') frame['lr'] = self.mem_utils.getRegValue(cpu, 'lr') else: frame['sp'] = self.mem_utils.getRegValue(cpu, 'sp') frame['pc'] = self.mem_utils.getRegValue(cpu, 'pc') if self.mem_utils.WORD_SIZE == 8 and not compat32: for p in memUtils.param_map['x86_64']: frame[p] = self.mem_utils.getRegValue( cpu, memUtils.param_map['x86_64'][p]) else: for p in memUtils.param_map['x86_32']: frame[p] = self.mem_utils.getRegValue( cpu, memUtils.param_map['x86_32'][p]) return frame
def setDebugBookmark(self, mark, cpu=None, cycles=None, eip=None, steps=None, msg=None): self.lgr.debug('setDebugBookmark mark: %s' % mark) if cpu is None: dum, cpu = self.context_mgr.getDebugPid() cell_name = self.top.getTopComponentName(cpu) steps = None if cycles is None: #current = SIM_cycle_count(cpu) #steps = SIM_step_count(cpu) current = cpu.cycles steps = cpu.steps else: current = cycles steps = steps #SIM_run_command('set-bookmark %s' % mark) #if not mark.startswith('protected_memory') and not mark.startswith('_start+1'): if not mark.startswith('origin'): start_cycle = self.getCycle('origin') if start_cycle is None: self.lgr.debug('setDebugBookmark no origin') return delta = current - start_cycle if mark.startswith('protected_memory:') and self.hasBookmarkDelta( delta): self.lgr.debug('setDebugBookmark protected memory, return') return mark = mark + " cycle:%x" % delta cpl = memUtils.getCPL(cpu) if cpl == 0: self.__kernel_marks.append(mark) self.lgr.debug('setDebugBookmark, cpl0 for mark %s' % mark) elif mark in self.__kernel_marks: ''' replace kernel protected memory mark with one at syscall ''' if mark.startswith('protected_memory'): self.__kernel_marks.remove(mark) del self.__bookmarks[mark] else: self.lgr.debug( 'setDebugBookmark %s already exists, do nothing' % mark) return if eip is None: eip = self.top.getEIP(cpu) self.__bookmarks[mark] = self.top.cycleRecord(current, steps, eip) self.__mark_msg[mark] = msg instruct = SIM_disassemble_address(cpu, eip, 1, 0) if not mark.startswith('protected_memory'): self.lgr.debug( 'setDebugBookmark %s cycle on %s is %x step:0x%x eip: %x %s' % (mark, cell_name, current, steps, eip, instruct[1])) self.lgr.debug('setDebugBookmark return') return mark
def go(self, force=False): ''' Initial method for gathering kernel parameters. Will chain a number of functions, the first being runUntilSwapper ''' cpl = memUtils.getCPL(self.cpu) if cpl != 0: print('not in kernel, please run forward until in kernel') return if self.cpu.architecture != 'arm': self.fs_base = self.cpu.ia32_fs_base if self.fs_base == 0 and not force: print('fs_base is zero, maybe just entered kernel? consider running ahead a bit, or use gkp.go(True)') return self.runUntilSwapper()
def stoppedReverseToCall(self, my_args, one, exception, error_string): ''' Invoked when the simulation stops while looking for a previous call ''' if self.stop_hap is None: self.lgr.error('stoppedReverseToCall invoked though hap is none') return #cmd = 'reverse-step-instruction' cmd = 'reverse' cpu, cur_addr, comm, pid = self.task_utils.currentProcessInfo(self.cpu) current = SIM_cycle_count(cpu) self.lgr.debug('stoppedReverseToCall, entered %d (%s) cycle: 0x%x' % (pid, comm, current)) #if current < self.top.getFirstCycle(): if current <= self.start_cycles: self.lgr.debug('stoppedReverseToCall found cycle 0x%x prior to first, stop here' %(current)) self.cleanup(cpu) #elif pid == my_args.pid and SIM_processor_privilege_level(cpu) != 0: elif pid == self.pid and memUtils.getCPL(cpu) != 0: eip = self.top.getEIP(cpu) instruct = SIM_disassemble_address(cpu, eip, 1, 0) if self.first_back and self.isSyscall(instruct[1]): self.lgr.debug('stoppedReverseToCall first back is syscall at %x, we are done' % eip) self.cleanup(cpu) elif (self.first_back and not self.uncall) and (not self.isRet(instruct[1]) or self.step_into): self.lgr.debug('stoppedReverseToCall first back not a ret or step_into at %x, we are done' % eip) self.cleanup(cpu) elif self.isCall(instruct[1]): self.got_calls += 1 if self.got_calls == self.need_calls: self.lgr.debug('stoppedReverseToCall %s at %x we must be done' % (instruct[1], eip)) self.cleanup(cpu) elif eip in self.frame_ips: self.lgr.debug('stoppedReverseToCall %s at %x found stack frame entry, declare we are done' % (instruct[1], eip)) self.cleanup(cpu) else: self.lgr.debug('stoppedReverseToCall 0x%x got call %s got_calls %d, need %d' % (eip, instruct[1], self.got_calls, self.need_calls)) SIM_run_alone(SIM_run_command, cmd) elif self.isRet(instruct[1]): self.need_calls += 1 self.lgr.debug('stoppedReverseToCall 0x%x got ret %s need: %d' % (eip, instruct[1], self.need_calls)) if self.first_back and not self.uncall: self.rmBreaks() ''' TBD fix this? ''' for item in self.x_pages: self.setBreakRange(self.cell_name, pid, item.address, item.length, cpu, comm, True) SIM_run_alone(SIM_run_command, cmd) else: self.lgr.debug('stoppedReverseToCall Not call or ret at %x, is %s' % (eip, instruct[1])) SIM_run_alone(SIM_run_command, cmd) else: self.lgr.debug('stoppedReverseInstruction in wrong pid (%d) or in kernel, try again' % pid) SIM_run_alone(SIM_run_command, cmd) self.first_back = False
def modeChangedToUserSpace(self, dbi, cpu, old, new): ''' TBD what if it dies before going to user space? ''' cur_processor, cur_addr, comm, pid = self.os_utils.currentProcessInfo( self.cpu) self.lgr.debug('chainHap in modeChangedToUserSpace pid %d' % pid) if self.pid == pid: cpl = memUtils.getCPL(cpu) #if new != Sim_CPU_Mode_Supervisor: if cpl != 0: print('mode changed to user for pid %d' % self.pid) SIM_break_simulation('should be in user space') SIM_hap_delete_callback_id("Core_Mode_Change", self.mode_changed_hap) self.mode_changed_hap = None
def runToUser(self, cpu, cell_name, pid, reverse=False): self.cpu = cpu self.cell_name = cell_name self.pid = pid cpl = memUtils.getCPL(self.cpu) if cpl != 0: self.lgr.debug('runToUser already in user space') self.top.skipAndMail(1) return if reverse: self.lgr.debug('runToUser, go backward') self.revToUser() else: self.lgr.debug('runToUser, go forward') self.runForward()
def __init__(self, top, cpu, cpu_list, pid, comm, callback, os_p_utils, is_monitor_running, lgr): self.the_hap = [] self.callback = callback self.lgr = lgr self.cpu_list = cpu_list self.pid = pid self.cpu = cpu self.comm = comm self.top = top self.os_p_utils = os_p_utils self.is_monitor_running = is_monitor_running self.cell_name = self.top.getTopComponentName(cpu) cpl = memUtils.getCPL(cpu) if cpl != 0: self.lgr.debug('returnToUser init, but already in user space') return if pid is not None: self.lgr.debug('returnToUserHap %s:%d ' % (self.cell_name, pid)) is_monitor_running.setRunning(True) SIM_run_alone(self.installModeHap, None)
def modeChangedPostFixup(self, dbi, cpu, old, new): cur_processor, cur_addr, comm, pid = self.os_utils.currentProcessInfo( cpu) self.lgr.debug('chainHap in modeChangedPostFixup pid %d' % pid) if self.pid == pid: cpl = memUtils.getCPL(cpu) if cpl != 0: reg_num = self.cpu.iface.int_register.get_number("eip") eip = self.cpu.iface.int_register.read(reg_num) phys_block = cpu.iface.processor_info.logical_to_physical( eip, Sim_Access_Read) if phys_block.address != 0: # page is mapped, put do-debug back into chain of haps self.lgr.debug('chainHap mode changed, page now mapped') SIM_hap_delete_callback_id("Core_Mode_Change", self.mode_changed_hap) self.cmds.append('do-debug') SIM_break_simulation('chainHap page now mapped') else: self.lgr.debug( 'chainHap mode changed, page STILL NOT MAPPED')
def writeHap(self, dumb, third, forth, memory): if self.write_hap is None: return cpu, comm, cur_pid = self.task_utils.curProc() if cur_pid != self.pid: return addr = memory.logical_address if addr >= self.param.kernel_base: return sp = self.mem_utils.getRegValue(self.cpu, 'sp') ''' TBD fix, pickle stack pointer recorded in genMonitor and use it!''' if addr > (sp - 9000): return cpl = memUtils.getCPL(cpu) if cpl == 0: return size = memory.size #eip = self.mem_utils.getRegValue(self.cpu, 'pc') #self.lgr.debug('trackFunctionWrite writeHap 0x%x length %d eip: 0x%x 0x%x' % (addr, size, eip, self.cpu.cycles)) count = self.writeMarks.dataWrite(addr, size) if count > 200: self.funExitHap(None, None, None, None)
def stop_callback2(self, dbi, one, two, three): if self.__stop_hap2 is None: return SIM_hap_delete_callback_id("Core_Simulation_Stopped", self.__stop_hap2) self.__stop_hap2 = None cycles = dbi.cpu.cycles self.lgr.debug('debugSignal after skip to bookmark, cycles is %x' % cycles) new_want = cycles - 1 if dbi.unmapped_eip: self.lgr.debug('stop_callback2, was unmapped, rev 1') SIM_run_command('pselect cpu-name = %s' % dbi.cpu.name) SIM_run_command('skip-to cycle = 0x%x' % new_want) cycles = dbi.cpu.cycles if cycles == new_want: cpl = memUtils.getCPL(dbi.cpu) if cpl == 0: eip = self.top.getEIP(dbi.cpu) self.lgr.debug('debugSignal stop_callback2, simicsError after rev, cycle is 0x%x but eip is in kernel at %x, fail, try again' % (cycles, eip)) return else: self.lgr.debug('debugSignal, stop_callback2, simicsError after rev, cycle is 0x%x expected it to be 0x%x' % (cycles, new_want)) ida_msg = '' if dbi.frame is not None: ida_msg += 'Signal %d, thread frame from kernel:\n%s' \ % (dbi.event_value, self.os_utils.stringFromFrame(dbi.frame)) if dbi.negotiate_result is not None: ida_msg +='\n[%s]' % dbi.negotiate_result elif db.event_value is not None: ida_msg +='\n[Signal %d, failed negotiate]' % dbi.event_value dbi.context_manager.setIdaMessage(ida_msg) self.bookmarks.setOrigin(dbi.cpu) if not dbi.auto_analysis: dbi.context_manager.debug(dbi.cell_name, dbi.pid, dbi.comm, dbi.cpu, False, cycles) else: self.lgr.debug('debugSignal, call autoAnalysis') dbi.context_manager.debug(dbi.cell_name, dbi.pid, dbi.comm, dbi.cpu, False, cycles, auto_analysis=True) self.top.autoAnalysis(dbi.cell_name, dbi.pid, dbi.comm, dbi.cpu, False, cycles)
def modeChanged(self, cpu, one, old, new): dum_cpu, cur_addr, comm, pid = self.os_utils.currentProcessInfo( self.cpu) cell_name = self.top.getTopComponentName(self.cpu) #cpl = SIM_processor_privilege_level(self.cpu) cpl = memUtils.getCPL(cpu) self.lgr.debug('mode_changed %s %d (%s) look for %d, cpl is %d ' % (cell_name, pid, comm, self.pid, cpl)) if pid == self.pid and cpl != 0: #self.top.skipAndMail(1) eip = self.top.getEIP() instruct = SIM_disassemble_address(cpu, eip, 1, 0) self.lgr.debug( 'mode_changed in correct process, we are done, 0x%x %s' % (eip, instruct[1])) SIM_hap_delete_callback_id("Core_Mode_Change", self.mode_hap) self.mode_hap = None my_args = procInfo.procInfo(self.comm, self.cpu, self.pid) self.stop_in_user_hap = SIM_hap_add_callback( "Core_Simulation_Stopped", self.stoppedRanToUser, my_args) SIM_break_simulation('should be in user space') else: pass
def modeChanged(self, cpu, one, old, new): if self.__mode_changed is None: return cell_name = self.top.getTopComponentName(cpu) cpu, cur_addr, comm, pid = self.os_p_utils[cell_name].getPinfo(cpu) #self.lgr.debug('modeChanged %d %s' % (pid, comm)) if self.isTraced(comm, pid): # force comm, may not be updated in proc utils comm = self.i_trace cpl = memUtils.getCPL(cpu) if cpl == 0: cmd = '%s.stop' % self.tracer SIM_run_alone(SIM_run_command, cmd) self.lgr.debug('stopped tracing %s' % comm) if True: eip = self.top.getEIP(cpu) instruct = SIM_disassemble_address(cpu, eip, 1, 0) if decode.getMn(instruct[1]) == 'jmp': op1, op0 = decode.getOperands(instruct[1]) eip_str = '0x%x' % eip self.lgr.debug( 'modeChanged jmp is %s eip_str is <%s> op0 is <%s>' % (instruct[1], eip_str, op0)) if op0 == eip_str: self.closeTrace(cell_name, pid) self.lgr.debug( 'modeChanged, found ebfe, stop tracing') return else: if self.tracer is None: SIM_run_alone(self.createTracer, comm) self.lgr.debug('created tracer for %s' % comm) else: outfile = self.outfile[comm] cmd = '%s.start file=%s' % (self.tracer, outfile) SIM_run_alone(SIM_run_command, cmd) self.lgr.debug('start tracing %s' % comm)
def runAlone(self, dbi): all_done = False expected = dbi.command.split('=')[1].strip() want_cycle = int(expected) simics_crap_counter = 0 ida_msg = '' start_cycle = self.bookmarks.getCycle('_start+1') if self.top.SIMICS_BUG: while not all_done: done = False while not done: SIM_run_command('pselect cpu-name = %s' % dbi.cpu.name) SIM_run_command('skip-to cycle = 0x%x' % start_cycle) cycles = dbi.cpu.cycles self.lgr.debug('debugSignal, did skip to start at cycle %x, expected %x counter %d' % (cycles, start_cycle, simics_crap_counter)) #SIM_run_command('skip-to bookmark = bookmark0') #cycles = SIM_cycle_count(dbi.cpu) #self.lgr.debug('debugSignal, did skip to bookmark0, cycle now %x' % cycles) SIM_run_command('pselect cpu-name = %s' % dbi.cpu.name) SIM_run_command(dbi.command) cycles = dbi.cpu.cycles if dbi.command.startswith('skip-to'): eip = self.top.getEIP(dbi.cpu) if want_cycle != cycles or eip != dbi.sig_eip: self.lgr.error('debugSignal, simicsError expected cycle %x (0x%x) eip:0x%x, got cycles %x eip:0x%x' % (want_cycle, dbi.cycle, dbi.sig_eip, cycles, eip)) SIM_run_command('pselect cpu-name = %s' % dbi.cpu.name) SIM_run_command('skip-to cycle = 0x%x' % start_cycle) else: self.lgr.debug('debugSignal, went where we expected, expected cycle %x (0x%x) eip: 0x%x, got cycles %x eip:0x%x counter: %d' % (want_cycle, dbi.cycle, dbi.sig_eip, cycles, eip, simics_crap_counter)) done = True if dbi.unmapped_eip: new_want = want_cycle - 1 # TBD debug, do one time simics_crap_counter_x = 0 while all_done is False and simics_crap_counter_x < 1: self.lgr.debug('debugSignal was unmapped eip, so rev 1 so we do not end up looking at dumb eip counter: %d' % simics_crap_counter_x) SIM_run_command('pselect cpu-name = %s' % dbi.cpu.name) SIM_run_command('skip-to cycle = 0x%x' % start_cycle) cycles = dbi.cpu.cycles self.lgr.debug('debugSignal, before doing rev, did skip to start at cycle %x, expected %x counter %d' % (cycles, start_cycle, simics_crap_counter)) SIM_run_command('pselect cpu-name = %s' % dbi.cpu.name) SIM_run_command('skip-to cycle = 0x%x' % new_want) cycles = dbi.cpu.cycles if cycles == new_want: cpl = memUtils.getCPL(dbi.cpu) if cpl != 0: all_done = True else: eip = self.top.getEIP(dbi.cpu) self.lgr.debug('debugSignal, simicsError after rev, cycle is 0x%x but eip is in kernel at %x, fail, try again' % (cycles, eip)) break else: self.lgr.debug('debugSignal, simicsError after rev, cycle is 0x%x expected it to be 0x%x' % (cycles, new_want)) break simics_crap_counter_x += 1 else: all_done = True simics_crap_counter += 1 self.lgr.debug('inc counter to %d' % simics_crap_counter) if simics_crap_counter > 9: all_done = True self.lgr.error('debugSignal, simicsError simics has lost its way, TBD tell the idaClient user to try again later...') ida_msg += 'Simics got lost, what follows is wrong. Suggest you quit and try again' else: SIM_run_command('pselect cpu-name = %s' % dbi.cpu.name) SIM_run_command(dbi.command) cycles = dbi.cpu.cycles if dbi.unmapped_eip: new_want = want_cycle - 1 SIM_run_command('pselect cpu-name = %s' % dbi.cpu.name) SIM_run_command('skip-to cycle = 0x%x' % new_want) cycles = dbi.cpu.cycles self.lgr.debug('debugSignal after command, cycles is %x' % cycles) if dbi.frame is not None: ida_msg += 'Signal %d, thread frame from kernel:\n%s' \ % (dbi.event_value, self.os_utils.stringFromFrame(dbi.frame)) if dbi.negotiate_result is not None: ida_msg +='\n[%s]' % dbi.negotiate_result elif dbi.event_value is not None: ida_msg +='\n[Signal %d, failed negotiate]' % dbi.event_value dbi.context_manager.setIdaMessage(ida_msg) self.bookmarks.setOrigin(dbi.cpu) if not dbi.auto_analysis: dbi.context_manager.debug(dbi.cell_name, dbi.pid, dbi.comm, dbi.cpu, False, cycles) else: self.lgr.debug('debugSignal, call autoAnalysis') dbi.context_manager.debug(dbi.cell_name, dbi.pid, dbi.comm, dbi.cpu, False, cycles, auto_analysis=True) self.top.autoAnalysis(dbi.cell_name, dbi.pid, dbi.comm, dbi.cpu, False, cycles)
def cycleRegisterMod(self): ''' Step backwards one cycle at a time looking for the register being modified. If kernel entered before the register is found, return False. TBD: ARM write-back operations ''' retval = None done = False self.lgr.debug('cycleRegisterMod start for %s' % self.reg) while not done: #current = SIM_cycle_count(self.cpu) current = self.cpu.cycles previous = current - 1 SIM_run_command('pselect cpu-name = %s' % self.cpu.name) SIM_run_command('skip-to cycle = %d' % previous) self.lgr.debug('cycleRegisterMod skipped to 0x%x cycle is 0x%x' % (previous, self.cpu.cycles)) if self.tooFarBack(): self.lgr.debug( 'cycleRegisterMod prev cycle 0x%x prior to first 0x%x, stop here' % (previous, self.start_cycles)) break cpl = memUtils.getCPL(self.cpu) if cpl == 0: self.lgr.debug('cycleRegisterMod entered kernel') done = True else: cur_val = self.cpu.iface.int_register.read(self.reg_num) #self.lgr.debug('compare %x to %x eip: %x' % (cur_val, self.reg_val, eip)) ''' if cur_val != self.reg_val: eip = self.top.getEIP(self.cpu) self.lgr.debug('cycleRegisterMod at %x, we are done' % eip) done = True retval = True self.is_monitor_running.setRunning(False) ''' eip = self.top.getEIP(self.cpu) self.lgr.debug('cycleRegisterMod do disassemble for eip 0x%x' % eip) instruct = SIM_disassemble_address(self.cpu, eip, 1, 0) self.lgr.debug( 'cycleRegisterMod disassemble for eip 0x%x is %s' % (eip, str(instruct))) mn = self.decode.getMn(instruct[1]) self.lgr.debug('cycleRegisterMod decode is %s' % mn) if self.conditionalMet(mn): if self.decode.modifiesOp0(mn): self.lgr.debug('get operands from %s' % instruct[1]) op1, op0 = self.decode.getOperands(instruct[1]) self.lgr.debug( 'cycleRegisterMod mn: %s op0: %s op1: %s compare <%s> to <%s>' % (mn, op0, op1, op0, self.reg)) if self.decode.isReg(op0) and self.decode.regIsPart( op0, self.reg): self.lgr.debug( 'cycleRegisterMod at %x, we are done' % eip) done = True retval = RegisterModType(None, RegisterModType.UNKNOWN) elif self.cpu.architecture == 'arm': if ']!' in instruct[1]: ''' Look for write-back register mod ''' ''' for now just look for [myreg, xxx]! ''' if self.decode.armWriteBack(instruct[1], self.reg): done = True retval = RegisterModType( None, RegisterModType.UNKNOWN) elif mn.startswith('ldm') and self.reg in instruct[ 1] and '{' in instruct[1]: addr = self.decode.armLDM(self.cpu, instruct[1], self.reg) if addr is not None: done = True retval = RegisterModType( addr, RegisterModType.ADDR) return retval
def tryOneStopped(self, my_args, one, exception, error_string): ''' Invoked when the simulation stops after trying to go back one ''' if self.stop_hap is None: self.lgr.error('stoppedReverseToCall invoked though hap is none') return SIM_hap_delete_callback_id("Core_Simulation_Stopped", self.stop_hap) self.stop_hap = None #cmd = 'reverse-step-instruction' if self.tooFarBack(): self.lgr.debug('At start of recording, cycle: 0x%x' % self.cpu.cycles) print('At start of recording, cycle: 0x%x' % self.cpu.cycles) self.cleanup(self.cpu) self.top.skipAndMail() return self.lgr.debug('tryOneStopped, entered at cycle 0x%x' % self.cpu.cycles) eip = self.top.getEIP(self.cpu) instruct = SIM_disassemble_address(self.cpu, eip, 1, 0) self.lgr.debug('tryOneStopped reversed 1, eip: %x %s' % (eip, instruct[1])) cpl = memUtils.getCPL(self.cpu) done = False if cpl > 0: self.lgr.debug('tryBackOne user space') if self.step_into or not self.isRet(instruct[1]): self.lgr.debug('tryBackOne worked ok') done = True self.cleanup(self.cpu) self.top.skipAndMail() self.context_manager.setExitBreak(self.cpu) elif len(self.sysenter_cycles) > 0: cur_cycles = self.cpu.cycles cur_cpu, comm, pid = self.os_utils[self.cell_name].curProc() self.lgr.debug('tryBackOne kernel space pid %d expected %d' % (pid, my_args.pid)) is_exit = self.isExit(instruct[1], eip) if pid == self.pid and is_exit: self.lgr.debug('tryOneStopped is sysexit, cur_cycles is 0x%x' % cur_cycles) prev_cycles = None got_it = None page_cycles = self.sysenter_cycles if self.page_faults is not None: self.lgr.debug( 'tryBackOne adding %d page faults to cycles' % (len(self.page_faults.getFaultingCycles()))) page_cycles = page_cycles + self.page_faults.getFaultingCycles( ) for cycles in sorted(page_cycles): if cycles > cur_cycles: self.lgr.debug( 'tryOneStopped found cycle between 0x%x and 0x%x' % (prev_cycles, cycles)) got_it = prev_cycles - 1 break else: self.lgr.debug('tryOneStopped is not cycle 0x%x' % (cycles)) prev_cycles = cycles if not got_it: self.lgr.debug( 'tryOneStopped nothing between, assume last cycle of 0x%x' % prev_cycles) got_it = prev_cycles - 1 SIM_run_alone(self.jumpCycle, got_it) done = True elif pid == self.pid and not is_exit: self.lgr.debug( 'tryOneStopped in kernel but not exit? 0x%x %s' % (eip, instruct[1])) if not done: self.lgr.debug( 'tryOneStopped, back one did not work, starting at %x' % eip) self.stop_hap = SIM_hap_add_callback("Core_Simulation_Stopped", self.stoppedReverseToCall, my_args) self.lgr.debug('tryOneStopped, added stop hap') if self.previous_eip is not None and eip != self.previous_eip and cpl > 0: self.lgr.debug( 'tryOneStopped, prev %x not equal eip %x, assume syscall, set break on prev and rev' % (self.previous_eip, eip)) self.setOneBreak(self.previous_eip, self.cpu) else: self.uncall = False #for item in self.x_pages: # self.setBreakRange(self.cell_name, my_args.pid, item.address, item.length, self.cpu, my_args.comm, False) self.pageTableBreaks(False) self.lgr.debug('tryOneStopped, set break range') SIM_run_alone(SIM_run_command, 'reverse') #self.lgr.debug('reverseToCall, did reverse-step-instruction') self.lgr.debug('tryOneStopped, did reverse')
def thinkWeWrote(self, offset): #if self.stop_write_hap is None: # return eip = self.mem_utils.getRegValue(self.cpu, 'pc') cycle = self.cpu.cycles cpl = memUtils.getCPL(self.cpu) instruct = SIM_disassemble_address(self.cpu, eip, 1, 0) orig_cycle = self.bookmarks.getFirstCycle() dumb, comm, pid = self.task_utils.curProc() self.lgr.debug( 'in thinkWeWrote pid:%d, cycle 0x%x eip: %x %s cpl: %d orig cycle 0x%x' % (pid, cycle, eip, str(instruct), cpl, orig_cycle)) if cycle <= orig_cycle: range_start = self.dataWatch.findRange(self.addr) range_msg = '' if range_start is not None: offset = self.addr - range_start range_msg = ' And that is %d bytes from buffer starting at 0x%x' % ( offset, range_start) ida_msg = "Content of 0x%x was modified prior to enabling reverse execution. %s" % ( self.addr, range_msg) self.lgr.debug('findKernelWrite thinkWeWrote ' + ida_msg) self.context_manager.setIdaMessage(ida_msg) SIM_run_alone(self.cleanup, False) self.top.skipAndMail() return elif pid == 0: ida_msg = "Content of 0x%x was modified in pid ZERO?" % self.addr self.lgr.error('findKernelWrite thinkWeWrote ' + ida_msg) self.context_manager.setIdaMessage(ida_msg) SIM_run_alone(self.cleanup, False) self.top.skipAndMail() return if cpl == 0: if self.found_kernel_write: self.lgr.debug( 'thinkWeWrote stopToCheckWriteCallback found second write? but we deleted the breakpoint!!!! ignore this and reverse' ) #SIM_run_alone(SIM_run_command, 'reverse') return ''' get return address ''' self.found_kernel_write = True ''' Simics has no way to get recent memory transaction, so, go back one and set a hap on the break so we can get the memop ''' ''' We were going to run forward anyway to get to user space ,so manage it on the fly ''' back_one = self.cpu.cycles - 1 if not self.rev_to_call.skipToTest(back_one): return #cmd = 'skip-to cycle=%d' % (self.cpu.cycles-1) #SIM_run_command(cmd) self.forward_hap = SIM_hap_add_callback_index( "Core_Breakpoint_Memop", self.hitForwardCallback, None, self.kernel_write_break) self.lgr.debug( 'thinkWeWrote, forward_hap is %d on write to 0x%x. Set breaks on exit to user' % (self.forward_hap, self.kernel_write_break)) if self.cpu.architecture == 'arm': self.kernel_exit_break1 = self.context_manager.genBreakpoint( self.cell, Sim_Break_Linear, Sim_Access_Execute, self.param.arm_ret, 1, 0) self.exit_hap = self.context_manager.genHapIndex( "Core_Breakpoint_Memop", self.exitHap, None, self.kernel_exit_break1, 'findKernelWrite armexit') #self.cleanup() else: if self.param.sysexit is not None: self.kernel_exit_break1 = self.context_manager.genBreakpoint( self.cell, Sim_Break_Linear, Sim_Access_Execute, self.param.sysexit, 1, 0) self.exit_hap = self.context_manager.genHapIndex( "Core_Breakpoint_Memop", self.exitHap, None, self.kernel_exit_break1, 'findKernelWrite sysexit') if self.param.iretd is not None: self.kernel_exit_break2 = self.context_manager.genBreakpoint( self.cell, Sim_Break_Linear, Sim_Access_Execute, self.param.iretd, 1, 0) self.exit_hap2 = self.context_manager.genHapIndex( "Core_Breakpoint_Memop", self.exitHap, None, self.kernel_exit_break2, 'findKernelWrite iretd') SIM_run_alone(SIM_run_command, 'continue') elif self.found_kernel_write: self.lgr.debug( 'thinkWeWrote, BACKTRACK pid:%d user space address 0x%x after finding kernel write to 0x%x' % (pid, eip, self.addr)) if not self.checkWriteValue(eip): return value = self.mem_utils.readWord32(self.cpu, self.addr) eip = self.top.getEIP(self.cpu) if eip == self.bookmarks.getEIP('_start+1'): ida_message = "Content of 0x%x existed pror to _start+1, perhaps from loader." % self.addr bm = None else: ida_message = 'Kernel wrote 0x%x to address: 0x%x' % ( value, self.addr) self.lgr.debug('set ida msg to %s' % ida_message) bm = "eip:0x%x follows kernel write of value:0x%x to memory:0x%x" % ( eip, value, self.addr) if bm is not None: self.bookmarks.setBacktrackBookmark(bm) self.context_manager.setIdaMessage(ida_message) SIM_run_alone(self.cleanup, False) self.top.skipAndMail() #previous = SIM_cycle_count(my_args.cpu) - 1 #SIM_run_alone(SIM_run_command, 'skip-to cycle=%d' % previous) #eip = self.top.getEIP() #msg = '0x%x' % eip #self.top.gdbMailbox(msg) self.context_manager.setExitBreaks() else: if not self.checkWriteValue(eip): return eip = self.top.getEIP(self.cpu) SIM_run_alone(self.cleanup, False) if eip == self.bookmarks.getEIP('_start+1'): ida_message = "Content of %s came modified prior to enabling reverse." % self.addr bm = "eip:0x%x content of memory:%s modified prior to enabling reverse" % ( eip, self.addr) self.bookmarks.setBacktrackBookmark(bm) self.context_manager.setIdaMessage(ida_message) SIM_run_alone(self.cleanup, False) self.top.skipAndMail() elif self.rev_to_call is None: # reverse two so we land on the instruction that does the write (after client steps forward 1) self.lgr.debug( 'thinkWeWrote eip is %x in user space, stop here and reverse 2 : may break if page fault?' % eip) self.top.skipAndMail(cycles=2) else: self.lgr.debug('thinkWeWrote, call backOneAlone') SIM_run_alone(self.backOneAlone, offset) #self.top.skipAndMail() #previous = SIM_cycle_count(my_args.cpu) - 1 #SIM_run_alone(SIM_run_command, 'skip-to cycle=%d' % previous) #eip = self.top.getEIP() #msg = '0x%x' % eip #self.top.gdbMailbox(msg) self.context_manager.setExitBreaks()
def readHap(self, index, third, forth, memory): ''' watched data has been read (or written) ''' if self.cpu.cycles == self.prev_cycle: return if len(self.read_hap) == 0: return self.prev_cycle = self.cpu.cycles if self.back_stop is not None and not self.break_simulation and self.use_back_stop: self.back_stop.setFutureCycle(self.back_stop_cycles) if index >= len(self.read_hap): self.lgr.error( 'dataWatch readHap invalid index %d, only %d read haps' % (index, len(self.read_hap))) return if self.read_hap[index] is None: return op_type = SIM_get_mem_op_type(memory) addr = memory.logical_address eip = self.top.getEIP(self.cpu) #self.lgr.debug('dataWatch readHap index %d addr 0x%x eip 0x%x' % (index, addr, eip)) if self.show_cmp: self.showCmp(addr) if self.break_simulation: self.lgr.debug('readHap will break_simulation, set the stop hap') self.stopWatch() SIM_run_alone(self.setStopHap, None) offset = addr - self.start[index] cpl = memUtils.getCPL(self.cpu) ''' If execution outside of text segment, check for mem-something library call ''' start, end = self.context_manager.getText() call_sp = None self.lgr.debug('readHap eip 0x%x start 0x%x end 0x%x' % (eip, start, end)) if cpl != 0: if not self.break_simulation: ''' prevent stack trace from triggering haps ''' self.stopWatch() st = self.top.getStackTraceQuiet(max_frames=3) if st is None: self.lgr.debug('stack trace is None, wrong pid?') return #self.lgr.debug('%s' % st.getJson()) ''' look for memcpy'ish... TBD generalize ''' mem_stuff = st.memsomething() #mem_stuff = self.isMemSomething(eip) if mem_stuff is not None: self.lgr.debug('DataWatch readHap ret_ip 0x%x' % (mem_stuff.ret_addr)) ''' src is the referenced memory address by default ''' mem_something = self.MemSomething(mem_stuff.fun, mem_stuff.ret_addr, addr, None, None) SIM_run_alone(self.handleMemStuff, mem_something) else: self.lgr.debug( 'DataWatch readHap not memsomething, reset the watch') self.watch() instruct = SIM_disassemble_address(self.cpu, eip, 1, 0) if op_type == Sim_Trans_Load: self.lgr.debug( 'Data read from 0x%x within input buffer (offset of %d into buffer of %d bytes starting at 0x%x) eip: 0x%x <%s> cycle:0x%x' % (addr, offset, self.length[index], self.start[index], eip, instruct[1], self.cpu.cycles)) msg = ( 'Data read from 0x%x within input buffer (offset of %d into %d bytes starting at 0x%x) eip: 0x%x' % (addr, offset, self.length[index], self.start[index], eip)) self.context_manager.setIdaMessage(msg) #mark_msg = 'Read from 0x%08x offset %4d into 0x%8x (buf size %4d) %s' % (addr, offset, self.start[index], self.length[index], self.getCmp()) self.watchMarks.dataRead(addr, self.start[index], self.length[index], self.getCmp()) if self.break_simulation: SIM_break_simulation('DataWatch read data') if cpl == 0: if not self.break_simulation: self.stopWatch() SIM_run_alone(self.kernelReturn, addr) elif cpl > 0: self.lgr.debug( 'Data written to 0x%x within input buffer (offset of %d into buffer of %d bytes starting at 0x%x) eip: 0x%x' % (addr, offset, self.length[index], self.start[index], eip)) self.context_manager.setIdaMessage( 'Data written to 0x%x within input buffer (offset of %d into %d bytes starting at 0x%x) eip: 0x%x' % (addr, offset, self.length[index], self.start[index], eip)) if self.break_simulation: ''' TBD when to treat buffer as unused? does it matter?''' self.start[index] = 0 SIM_break_simulation('DataWatch written data')
def runAlone(self, dbi): # record where the process is through, won't let debug past this point backstop_cycles = dbi.cpu.cycles bm = 'protected_memory:0x%x' % self.address self.bookmark_mgr.mapOrigin(bm) #self.bookmark_mgr.goToDebugBookmark(bm, internal=True, cpu=dbi.cpu) ''' want_cycle = self.bookmark_mgr.getCycle(bm) want_step = self.bookmark_mgr.getStep(bm) want_eip = self.bookmark_mgr.getEIP(bm) done = False count = 0 start_cycle = self.bookmark_mgr.getCycle('_start+1') while not done: SIM_run_command('pselect cpu-name = %s' % dbi.cpu.name) SIM_run_command('skip-to cycle = 0x%x' % start_cycle) cycles = SIM_cycle_count(dbi.cpu) self.lgr.debug('debugType2, did skip to start at cycle %x, expected %x ' % (cycles, start_cycle)) SIM_run_command(dbi.command) cycles = SIM_cycle_count(dbi.cpu) eip = self.top.getEIP(dbi.cpu) steps = SIM_step_count(dbi.cpu) if want_step is not None: self.lgr.debug('debugType2, got cycle: %x step %x eip: %x, expected %x %x %x' % (cycles, steps, eip, want_cycle, want_step, want_eip)) else: self.lgr.debug('debugType2, got cycle: %x step %x eip: %x, expected %x unknown %x' % (cycles, steps, eip, want_cycle, want_eip)) if cycles != want_cycle or (want_step is not None and steps != want_step) or eip != want_eip: self.lgr.error('debugType2, simicsError, try again?') else: done = True count += 1 if count > 4: self.lgr.error('debugType2 simics is hosed') done = True self.lgr.debug('debugType2 after command, cycles is 0x%x, backstop is 0x%x' % (cycles, backstop_cycles)) ''' dbi.context_manager.setIdaMessage('[Type 2 Pov read from 0x%x]' % self.address) # remove the previously added bookmark for protected memory #self.bookmark_mgr.clearOtherBookmarks('protected_memory:') self.bookmark_mgr.clearOtherBookmarks('protected_memory:', bm) if not dbi.auto_analysis: dbi.context_manager.debug(dbi.cell_name, dbi.pid, dbi.comm, dbi.cpu, False, backstop_cycles) else: self.lgr.debug('debugType2, call autoAnalysis') dbi.context_manager.debug(dbi.cell_name, dbi.pid, dbi.comm, dbi.cpu, False, backstop_cycles, auto_analysis=True) self.top.autoAnalysis(dbi.cell_name, dbi.pid, dbi.comm, dbi.cpu, False, backstop_cycles) cpl = memUtils.getCPL(dbi.cpu) if cpl == 0: # should not get here, cycles was adjusted when protected memory was read self.lgr.error('debugType2 found self in kernel space')
def mem_callback(self, my_args, third, forth, memory): cell_name = self.top.getTopComponentName(my_args.cpu) cpu, cur_addr, comm, pid = self.os_p_utils[cell_name].getPinfo( my_args.cpu) self.lgr.debug('mem_callack, %s %d' % (comm, pid)) if pid == my_args.pid: #if self.context_manager.getDebugging() or pid in self.top.__pending_signals: if self.context_manager.getDebugging( ) or self.top.hasPendingSignal(cell_name, pid): self.lgr.debug('mem_callack, debugging or pending signal?') return if self.ignore_me: self.lgr.debug('mem_callack, ignore me?') return self.ignore_me = True location = memory.logical_address physical = memory.physical_address if location is 0 and physical is 0: self.lgr.debug('mem_callack, location zero?') ''' recursive callback triggered by this Hap ''' return elif location is 0: if pid in self.protected[cell_name]: protected = self.protected[cell_name][pid] if protected is not None: offset = physical & 0x00000fff location = protected.start + offset length = memory.size op_type = SIM_get_mem_op_type(memory) eip = self.os_p_utils[cell_name].mem_utils.getRegValue(cpu, 'eip') type_name = SIM_get_mem_op_type_name(op_type) self.lgr.debug( 'mem_callback location 0x%x phys 0x%x len %d type %s' % (location, physical, length, type_name)) value = 0xDEADBEEF where = location if length <= 8: if op_type is Sim_Trans_Store: value = SIM_get_mem_op_value_le(memory) else: if location is not 0: value = int(self.top.getBytes(cpu, length, location), 16) else: value = int( self.top.getBytesPhys(cpu, length, physical), 16) where = physical if length == 4: self.recent_value = value self.recent_where = where self.lgr.debug( 'protectedMemory, set recent_value to 0x%x' % value) elif length == 1: if self.recent_where is None: self.recent_value = value self.recent_where = where self.lgr.debug( 'protectedMemory, set 1 byte recent_value to 0x%x' % value) else: value_str = '%x' % self.recent_value if len(value_str) >= 7: ''' more than three bytes, reset ''' self.recent_value = value self.recent_where = where self.lgr.debug( 'protectedMemory, reset 1 byte recent_value to 0x%x' % value) elif where == self.recent_where + 1: self.recent_value = ( self.recent_value << 8) + value self.recent_where = where self.lgr.debug( 'protectedMemory, append 1 byte recent_value of 0x%x, now is 0x%x' % (value, self.recent_value)) else: self.recent_value = value self.recent_where = where self.lgr.debug( 'protectedMemory, not contiguous, reset 1 byte recent_value to 0x%x' % value) else: self.lgr.info( 'Following entry for memory operation > 8 bytes, IGNORE VALUE' ) self.negotiate.getPage(cpu, pid, cell_name) self.lgr.info( 'protectedMemory mem_callback cycle: 0x%x from eip: %x, %d (%s) %s address %x (phys %x) (%d bytes) value: %x' % (my_args.cpu.cycles, eip, pid, comm, type_name, location, physical, length, value)) cpl = memUtils.getCPL(my_args.cpu) if cpl == 0: # assume transmit direct from protected page, what else would cause pl0 reference to it? if not self.track_access: log_entry = "Protected memory, %d bytes, read from %x using kernel" % ( length, where) self.top.addLogEvent(cell_name, pid, comm, forensicEvents.USER_MEM_LEAK, log_entry, low_priority=True) ''' track the protected memory access for a CB magic page use assessment ''' if self.track_access: #delta = my_args.cpu.cycles - self.start_cycle delta = self.top.getPidCycles(cell_name, my_args.pid) record = utils.protectedAccess(length, location, delta, cpl) #self.lgr.debug('delta is 0x%x' % delta) #json_dump = json.dumps(record, default=utils.jdefault) #log_entry = 'Protected memory tracker %d bytes from 0x%x cycle 0x%x' % (length, location, delta) #self.top.addLogEvent(cell_name, pid, comm, forensicEvents.USER_MEM_LEAK, # json_dump , low_priority=False) self.top.addProtectedAccess(record, my_args.pid, cell_name) if self.stop_on_memory: bm = 'protected_memory:0x%x' % location if cpl == 0: cycles, eip = self.other_faults.getCycles( cell_name, my_args.pid) if cycles is None: self.lgr.error( 'protectedMemory failed to find cycle of int80 from otherFaults' ) return self.top.setDebugBookmark(bm, cpu=my_args.cpu, cycles=cycles, eip=eip) self.lgr.debug( 'Protected memory, add bookmark for syscall %s' % bm) #self.lgr.debug('Protected memory, add bookmark adjusted for user space %s set for address %x' % (bm, location)) else: self.top.setDebugBookmark(bm, cpu=my_args.cpu) self.lgr.debug( 'Protected memory, add bookmark %s set for address %x' % (bm, location)) t_cpu, t_cur_addr, t_comm, t_pid = self.os_p_utils[ cell_name].currentProcessInfo(my_args.cpu) #self.lgr.debug('Protected memory os_p_utils says %s %d ' % (t_comm, t_pid)) if location not in self.address_readers: self.address_readers[location] = procInfo.procInfo( comm, cpu, pid) #SIM_break_simulation('address 0x%x (virt: 0x%x) value 0x%x' % (physical, location, value)) else: self.lgr.info( 'unexpected memory access in %s %d, comm: %s address %x' % (cell_name, pid, comm, memory.logical_address)) pass self.ignore_me = False
def thinkWeWrote(self): #if self.stop_write_hap is None: # return reg_num = self.cpu.iface.int_register.get_number("eip") eip = self.cpu.iface.int_register.read(reg_num) cycle = self.cpu.cycles cpl = memUtils.getCPL(self.cpu) instruct = SIM_disassemble_address(self.cpu, eip, 1, 0) self.lgr.debug('in thinkWeWrote, cycle %x eip: %x %s cpl: %d' % (cycle, eip, str(instruct), cpl)) if cpl == 0: if self.found_kernel_write: self.lgr.debug( 'stopToCheckWriteCallback found second write? but we deleted the breakpoint!!!! ignore this and reverse' ) #SIM_run_alone(SIM_run_command, 'reverse') return cpu, cur_addr, comm, pid = self.os_utils.currentProcessInfo( self.cpu) ''' get return address ''' self.found_kernel_write = True if self.kernel_write_break is not None: self.lgr.debug('deleting breakpoint %d' % self.kernel_write_break) SIM_delete_breakpoint(self.kernel_write_break) self.kernel_write_break = None self.kernel_exit_break1 = self.context_manager.genBreakpoint( self.cell, Sim_Break_Linear, Sim_Access_Execute, self.param.sysexit, 1, 0) self.kernel_exit_break2 = self.context_manager.genBreakpoint( self.cell, Sim_Break_Linear, Sim_Access_Execute, self.param.iretd, 1, 0) self.exit_hap = self.context_manager.genHapRange( "Core_Breakpoint_Memop", self.exitHap, None, self.kernel_exit_break1, self.kernel_exit_break2, 'findKernelWrite exits') self.cleanup() SIM_run_alone(SIM_run_command, 'continue') elif self.found_kernel_write: self.lgr.debug( 'thinkWeWrote, BACKTRACK user space address 0x%x after finding kernel write to 0x%x' % (eip, self.addr)) if not self.checkWriteValue(eip): return value = self.os_p_utils.getMemUtils().readWord32( self.cpu, self.addr) eip = self.top.getEIP(self.cpu) if eip == self.bookmarks.getEIP('_start+1'): ida_message = "Content of 0x%x existed pror to _start+1, perhaps from loader." % self.addr bm = None else: ida_message = 'Kernel wrote 0x%x to address: 0x%x' % ( value, self.addr) self.lgr.debug('set ida msg to %s' % ida_message) bm = "backtrack eip:0x%x follows kernel write of value:0x%x to memory:0x%x" % ( eip, value, self.addr) if bm is not None: self.bookmarks.setDebugBookmark(bm) self.context_manager.setIdaMessage(ida_message) SIM_run_alone(self.cleanup, False) self.top.skipAndMail() #previous = SIM_cycle_count(my_args.cpu) - 1 #SIM_run_alone(SIM_run_command, 'skip-to cycle=%d' % previous) #eip = self.top.getEIP() #msg = '0x%x' % eip #self.top.gdbMailbox(msg) self.context_manager.setExitBreak(self.cpu) else: if not self.checkWriteValue(eip): return eip = self.top.getEIP(self.cpu) SIM_run_alone(self.cleanup, False) if eip == self.bookmarks.getEIP('_start+1'): ida_message = "Content of %s came from loader." % self.addr bm = "backtrack eip:0x%x content of memory:%s came from loader" % ( eip, self.addr) self.bookmarks.setDebugBookmark(bm) self.context_manager.setIdaMessage(ida_message) SIM_run_alone(self.cleanup, False) self.top.skipAndMail() elif self.rev_to_call is None: # reverse two so we land on the instruction that does the write (after client steps forward 1) self.lgr.debug( 'thinkWeWrote eip is %x in user space, stop here and reverse 2 : may break if page fault?' % eip) self.top.skipAndMail(cycles=2) else: SIM_run_alone(self.backOneAlone, None) #self.top.skipAndMail() #previous = SIM_cycle_count(my_args.cpu) - 1 #SIM_run_alone(SIM_run_command, 'skip-to cycle=%d' % previous) #eip = self.top.getEIP() #msg = '0x%x' % eip #self.top.gdbMailbox(msg) self.context_manager.setExitBreak(self.cpu)