def validate_integer_argument(pid, syscall_object, trace_arg, exec_arg, params=None):
    """Check that an integer argument seen at replay time matches the trace.

    The value observed in the running process is compared with the value
    recorded in the trace. Any difference means the execution has diverged
    from the recording, and is reported as a ReplayDeltaError instead of
    being replayed.

    Args:
        pid: Process whose registers are read when ``params`` is not given.
        syscall_object: Trace record; ``args[trace_arg].value`` is parsed
            with ``int()``.
        trace_arg: Index of the argument in the trace record.
        exec_arg: Index of the argument in the execution (register position
            or index into ``params``).
        params: Optional pre-extracted argument values. A falsy value
            (``None`` or an empty sequence) falls back to reading registers.

    Raises:
        ReplayDeltaError: The two values differ.
    """
    logging.debug('Validating integer argument (trace position: %d '
                  'execution position: %d)',
                  trace_arg,
                  exec_arg)
    # EAX carries the system call number, so argument positions start at EBX.
    register_for_position = dict(enumerate((
        tracereplay.EBX,
        tracereplay.ECX,
        tracereplay.EDX,
        tracereplay.ESI,
        tracereplay.EDI,
    )))
    if params:
        observed = params[exec_arg]
    else:
        observed = tracereplay.peek_register(pid,
                                             register_for_position[exec_arg])
    recorded = int(syscall_object.args[trace_arg].value)
    logging.debug('Argument from execution: %d', observed)
    logging.debug('Argument from trace: %d', recorded)
    # Matching values need no further action.
    if recorded == observed:
        return
    raise ReplayDeltaError('Argument value at trace position: {}, '
                           'execution position: {} from execution ({}) '
                           'differs argument value from trace ({})'
                           .format(trace_arg, exec_arg, observed, recorded))
def noop_current_syscall(pid):
    """Replace the pending system call in ``pid`` with syscall number 20.

    ORIG_EAX is overwritten with 20 (getpid, going by the error message
    below), the process is advanced, and ORIG_EAX is read back to confirm
    that the substituted call is the one that ran. On success the global
    ``entering_syscall`` flag is cleared.

    Raises:
        Exception: ORIG_EAX does not hold 20 after the call has been stepped.
    """
    getpid_number = 20
    logging.debug('Nooping the current system call in pid: %s', pid)
    tracereplay.poke_register(pid, tracereplay.ORIG_EAX, getpid_number)
    # NOTE(review): presumably syscall() resumes the tracee and next_syscall()
    # waits for its next stop; confirm against their definitions.
    tracereplay.syscall(pid)
    next_syscall()
    observed = tracereplay.peek_register(pid, tracereplay.ORIG_EAX)
    # Fail loudly if the substitution did not take effect, so the replay
    # does not continue with the original call having actually run.
    if observed != getpid_number:
        message = 'Nooping did not result in getpid exit. Got {}'
        raise Exception(message.format(observed))
    tracereplay_globals.entering_syscall = False
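def subcall_return_success_handler(syscall_id, syscall_object, pid):
    """Replay a subcall by checking its file descriptor and return value.

    The first parameter is read from the parameter block addressed by ECX
    and compared with the file descriptor recorded in the trace. If they
    agree, the real call is no-oped and the recorded return conditions are
    applied.

    Args:
        syscall_id: Not used in this handler.
        syscall_object: Trace record; ``ret[0]`` and ``args[0].value`` are
            read here.
        pid: Process being replayed.

    Raises:
        ReplayDeltaError: The execution's file descriptor differs from the
            one in the trace.
    """
    logging.debug('Entering subcall return success handler')
    # Both outcomes take the same path below; the branch only affects logging.
    if syscall_object.ret[0] == -1:
        logging.debug('Handling unsuccessful call')
    else:
        logging.debug('Handling successful call')
    ecx = tracereplay.peek_register(pid, tracereplay.ECX)
    logging.debug('Extracting parameters from address %s', ecx)
    params = extract_socketcall_parameters(pid, ecx, 1)
    fd = params[0]
    fd_from_trace = syscall_object.args[0].value
    logging.debug('File descriptor from execution: %s', fd)
    logging.debug('File descriptor from trace: %s', fd_from_trace)
    if fd != int(fd_from_trace):
        # The message previously had one placeholder for two values, so the
        # trace-side descriptor was silently dropped from the report.
        raise ReplayDeltaError('File descriptor from execution ({}) '
                               'differs from file descriptor from trace ({})'
                               .format(fd, fd_from_trace))
    noop_current_syscall(pid)
    apply_return_conditions(pid, syscall_object)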
def swap_trace_fd_to_execution_fd(pid, pos, syscall_object, params_addr=None):
    """Overwrite the fd argument at ``pos`` with the fd mapped from the trace.

    The descriptor recorded in the trace is looked up through
    ``fd_pair_for_trace_fd`` and its ``'os_fd'`` entry is written over the
    argument currently held by the process.

    Args:
        pid: Process whose argument is rewritten.
        pos: Argument position holding the file descriptor.
        syscall_object: Trace record; ``args[pos].value`` is parsed with
            ``int()``.
        params_addr: When truthy, the argument is read from and written to
            the parameter block at this address; otherwise the register for
            ``pos`` is used.
    """
    register_for_position = dict(enumerate((
        tracereplay.EBX,
        tracereplay.ECX,
        tracereplay.EDX,
        tracereplay.ESI,
        tracereplay.EDI,
    )))
    logging.debug('Cleaning up file descriptor at position: {}'
                  .format(pos))
    recorded_fd = int(syscall_object.args[pos].value)
    mapping = fd_pair_for_trace_fd(recorded_fd)
    looked_up_fd = mapping['os_fd']
    # Read the current value first; it is only used for the log line below.
    if params_addr:
        execution_fd = extract_socketcall_parameters(pid,
                                                     params_addr,
                                                     pos+1)[pos]
    else:
        execution_fd = tracereplay.peek_register(pid,
                                                 register_for_position[pos])
    logging.debug('Replacing old value (trace fd): {} with new value: {}'
                  .format(execution_fd, looked_up_fd))
    # Write the mapped descriptor back through the same channel it came from.
    if not params_addr:
        tracereplay.poke_register(pid,
                                  register_for_position[pos],
                                  looked_up_fd)
    else:
        update_socketcall_paramater(pid, params_addr, pos, looked_up_fd)