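def _timespec_from_ns(ns):
    """Build a ``timespec_t`` from a nanosecond timestamp such as ``st_mtime_ns``.

    ``tv_nsec`` must be the sub-second remainder (0..999999999); deriving both
    fields from the same nanosecond value keeps them consistent.
    """
    return timespec_t(tv_sec=ns // 1000000000, tv_nsec=ns % 1000000000)


def hook__getattrlistbulk(ql, address, params):
    """Emulate getattrlistbulk(2) by walking the host directory mapped to ``dirfd``.

    A single user-space iovec/uio pair describing the caller's attribute buffer is
    built on the emulated heap. Then, for every directory entry, a ``vnode_attr_t``
    is filled from the host ``stat()`` result and a trampoline into the kernel's
    ``_vfs_attr_pack`` is pushed with ``ql.stack_push`` so the guest packs the
    attributes into that buffer. The number of entries is written to ``retval``.

    Args:
        ql: emulator instance; its heap, memory, loader and fd map are used.
        address: hook address, unused but part of the hook signature.
        params: dict with ``getattrlistbulk_args`` (guest pointer to the syscall
            argument struct), ``retval`` (guest pointer receiving the 64-bit entry
            count) and ``p`` (proc pointer forwarded to ``vfs_attr_pack``).
    """
    args = getattrlistbulk_args_t(ql, params["getattrlistbulk_args"]).loadFromMem()
    dirfd = ql.os.ev_manager.map_fd[args.dirfd]
    vfs_attr_pack = ql.loader.kernel_extrn_symbols_detail[b"_vfs_attr_pack"]["n_value"]

    # One user-space iovec covering the caller-supplied attribute buffer. Both the
    # base and the length come from the guest and are passed through to the kernel
    # packer unchanged, which is responsible for honouring ``uio_resid``.
    uiovp_addr = ql.os.heap.alloc(ctypes.sizeof(user_iovec_t))
    uiovp = user_iovec_t(ql, uiovp_addr)
    uiovp.iov_base = args.attributeBuffer
    uiovp.iov_len = args.bufferSize
    uiovp.updateToMem()

    uio_addr = ql.os.heap.alloc(ctypes.sizeof(uio_t))
    uio = uio_t(ql, uio_addr)
    uio.uio_iovs = iovecs_t(kiovp=POINTER64(uiovp_addr), uiovp=POINTER64(uiovp_addr))
    uio.uio_iovcnt = 1
    uio.uio_offset = 0
    uio.uio_segflg = 8  # UIO_USERSPACE64
    uio.uio_rw = 0  # UIO_READ
    uio.uio_resid_64 = args.bufferSize
    uio.uio_size = 72
    uio.uio_max_iovs = 1
    uio.uio_flags = 1
    uio.updateToMem()

    # Snapshot the listing once so the count reported in ``retval`` always matches
    # the set of entries packed below (walking the directory twice could disagree
    # if it changes in between).
    entries = list(dirfd.iterdir())
    ql.mem.write(params["retval"], struct.pack("<Q", len(entries)))

    for path in entries:
        info = path.stat()
        vap_addr = ql.os.heap.alloc(ctypes.sizeof(vnode_attr_t))
        vap = vnode_attr_t(ql, vap_addr)
        vap.va_supported = 51573293058
        vap.va_active = 51573293058
        vap.va_nlink = info.st_nlink
        vap.va_total_size = info.st_size
        vap.va_data_size = info.st_size
        vap.va_uid = info.st_uid
        vap.va_gid = info.st_gid
        vap.va_mode = info.st_mode
        vap.va_fileid = info.st_ino
        vap.va_devid = info.st_dev
        # st_ctime is used for va_create_time as in the original; the nanosecond
        # fields now yield a correct sub-second tv_nsec (the old ``% 1000000`` did not).
        vap.va_create_time = _timespec_from_ns(info.st_ctime_ns)
        vap.va_access_time = _timespec_from_ns(info.st_atime_ns)
        vap.va_modify_time = _timespec_from_ns(info.st_mtime_ns)

        # NUL-terminated entry name copied into guest memory. Keep the original
        # 1024-byte allocation as a floor but never allocate less than the encoded
        # name, so a long multi-byte name cannot overrun the heap chunk.
        truename = path.name + "\x00"
        name_bytes = truename.encode()
        vap.va_name = POINTER64(ql.os.heap.alloc(max(1024, len(name_bytes))))
        ql.mem.write(vap.va_name.value, name_bytes)
        vap.updateToMem()

        code = gen_stub_code(
            ql,
            [0, uio.base, args.alist, args.options, vap.base, 0, params["p"]],
            vfs_attr_pack,
        )
        # Same message as before, routed through the emulator logger like the
        # other hooks rather than a bare print().
        ql.nprint("[+] Trampoline created at 0x%x for %s (0x%x) and 0x%x" % (code, truename, vap.va_name.value, vap.base))
        ql.stack_push(code)
    return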
def emit_by_type_and_proto(self, ev_type, protocol, params):
    """Dispatch *params* to every callback of the events matching (ev_type, protocol).

    Each matching event gets ``set_params(params)``. While the emulated OS is
    running (``self.ql.os.RUN is True``) a stub built by ``gen_stub_code`` is pushed
    with ``self.ql.stack_push`` per callback; otherwise the ``(callback, event)``
    pair is queued in ``self.jobs`` for later.
    """
    for event in self.get_events_by_type_and_proto(ev_type, protocol):
        event.set_params(params)
        for callback in self.callbacks[event]:
            if self.ql.os.RUN is not True:
                self.jobs.append((callback, event))
                continue
            self.ql.stack_push(gen_stub_code(self.ql, event.params, callback))
def emit_by_type(self, ev_type, params, ins_cookie=False):
    """Dispatch *params* to the callbacks of every event of type ``ev_type``.

    When ``ins_cookie`` is True and the event name has an entry in
    ``self.ipf_cookie``, that cookie replaces ``params[0]`` in place (the caller's
    list is mutated, and the same list object is handed to every event). Stubs are
    pushed via ``self.ql.stack_push`` while ``self.ql.os.RUN is True``; otherwise
    ``(callback, event)`` pairs are appended to ``self.jobs``.
    """
    for event in self.get_events_by_type(ev_type):
        cookie_wanted = ins_cookie is True and event.name in self.ipf_cookie
        if cookie_wanted:
            params[0] = self.ipf_cookie[event.name]
        event.set_params(params)
        for callback in self.callbacks[event]:
            if self.ql.os.RUN is not True:
                self.jobs.append((callback, event))
                continue
            self.ql.stack_push(gen_stub_code(self.ql, event.params, callback))
def emit(self, ev_name, ev_type, params):
    """Dispatch *params* to the callbacks of the one event named ``ev_name`` of ``ev_type``.

    If no such event is registered a message is logged with ``self.ql.nprint`` and
    nothing else happens. Otherwise the event receives ``set_params(params)`` and
    each callback is either pushed as a stub via ``self.ql.stack_push`` (when
    ``self.ql.os.RUN is True``) or queued in ``self.jobs`` as ``(callback, event)``.
    """
    event = self.get_event_by_name_and_type(ev_name, ev_type)
    if event is None:
        self.ql.nprint("[!] No callbacks found for (%s, %s)" % (ev_name, ev_type))
        return
    event.set_params(params)
    for callback in self.callbacks[event]:
        if self.ql.os.RUN is not True:
            self.jobs.append((callback, event))
            continue
        self.ql.stack_push(gen_stub_code(self.ql, event.params, callback))