def activate(self, ctx):
if regFu.isHighlightedEffective():
addr = regFu.getOffset()
simicsString = gdbProt.Evalx('SendGDBMonitor("@cgc.getMemoryValue(0x%x)");' % addr)
print('effective addr 0x%x value %s' % (addr, simicsString))
value = getHex(simicsString)
else:
highlighted = idaapi.get_highlighted_identifier()
addr = getHex(highlighted)
if addr is None:
print('ModMemoryHandler unable to parse hex from %s' % highlighted)
return
simicsString = gdbProt.Evalx('SendGDBMonitor("@cgc.getMemoryValue(0x%x)");' % addr)
print('addr 0x%x value %s' % (addr, simicsString))
value = getHex(simicsString)
# Sample form from kernwin.hpp
s = """Modify memory
Address: %$
<~E~nter value:S:32:16::>
"""
num = Form.NumericArgument('N', value=value)
ok = idaapi.AskUsingForm(s,
Form.NumericArgument('$', addr).arg,
num.arg)
if ok == 1:
print("You entered: %x" % num.value)
simicsString = gdbProt.Evalx('SendGDBMonitor("@cgc.writeWord(0x%x, 0x%x)");' % (addr, num.value))
time.sleep(1)
idc.RefreshDebuggerMemory()
def signalClient(self, norev=False):
start_eip = idaversion.get_reg_value(self.PC)
#print('signalClient eip was at 0x%x, then after rev 1 0x%x call setAndDisable string is %s' % (start_eip, eip, simicsString))
if norev:
idaapi.step_into()
idaversion.wait_for_next_event(idc.WFNE_SUSP, -1)
simicsString = gdbProt.Evalx('SendGDBMonitor("@cgc.printRegJson()");')
try:
regs = json.loads(simicsString)
except:
try:
simicsString = gdbProt.Evalx(
'SendGDBMonitor("@cgc.printRegJson()");')
regs = json.loads(simicsString)
except:
print('failed to get regs from %s' % simicsString)
return
for reg in regs:
r = str(reg.upper())
if r == 'EFLAGS':
r = 'EFL'
elif r == 'CPSR':
r = 'PSR'
#print('set %s to 0x%x' % (r, regs[reg]))
idaversion.set_reg_value(regs[reg], r)
idaversion.refresh_debugger_memory()
new_eip = idaversion.get_reg_value(self.PC)
#print('signalClient back from cont new_eip is 0x%x' % new_eip)
if new_eip >= self.kernel_base:
print('in kernel, run to user')
self.updateStackTrace()
def revToSyscall(self):
simicsString = gdbProt.Evalx('SendGDBMonitor("@cgc.revToSyscall()");')
eip = gdbProt.getEIPWhenStopped(kernel_ok=True)
#print('revtoSyscall, stopped at eip 0x%x, now run to user space.' % eip)
simicsString = gdbProt.Evalx('SendGDBMonitor("@cgc.runToUserSpace()");')
eip = gdbProt.getEIPWhenStopped()
#print('revtoSyscall, stopped at eip 0x%x, then stepwait.' % eip)
#gdbProt.stepWait()
self.signalClient()
print('revtoSyscall done')
def revToSyscall(self):
simicsString = gdbProt.Evalx('SendGDBMonitor("@cgc.revToSyscall()");')
if self.checkNoRev(simicsString):
eip = gdbProt.getEIPWhenStopped()
self.signalClient()
else:
return
simicsString = gdbProt.Evalx('SendGDBMonitor("@cgc.runToUserSpace()");')
eip = gdbProt.getEIPWhenStopped()
self.signalClient()
print('revtoSyscall done')
def updateDataWatch(self):
print("in updateDataWatch")
#self.Close()
#self.Create()
#print('did create')
retval = []
self.ClearLines()
#self.Refresh()
print('did refresh of clear')
command = '@cgc.getWatchMarks()'
simicsString = gdbProt.Evalx('SendGDBMonitor("%s");' % command)
if type(simicsString) is int:
print('updateStackTrace got an int? %d' % simicsString)
return
if simicsString.startswith('None'):
simicsString = simicsString[5:]
try:
data_json = json.loads(simicsString)
except:
print('could not get json from %s' % simicsString)
return
index = 0
for entry in data_json:
instruct = idc.GetDisasm(entry['ip'])
uline = '%3d 0x%08x 0x%08x %s' % (index, entry['ip'],
entry['cycle'], entry['msg'])
line = uline.encode('ascii', 'replace')
#print('do %s' % line)
if 'return from' in str(line):
cline = idaapi.COLSTR(str(line), idaapi.SCOLOR_DREF)
elif 'closed FD' in str(line):
cline = idaapi.COLSTR(str(line), idaapi.SCOLOR_DREF)
else:
cline = str(line)
#print("added %s" % line)
retval.append(str(line))
self.AddLine(cline)
index += 1
self.Refresh()
command = '@cgc.nextWatchMark()'
simicsString = gdbProt.Evalx('SendGDBMonitor("%s");' % command)
try:
index = int(simicsString)
except:
print('%s' % simicsString)
return
self.Jump(index)
#self.Show()
return retval
def doRevStepOver(self):
#print 'in doRevStepOver'
curAddr = idc.GetRegValue(self.PC)
prev_eip = idc.PrevHead(curAddr)
if prev_eip == idaapi.BADADDR:
prev_eip = None
simicsString = gdbProt.Evalx('SendGDBMonitor("@cgc.reverseToCallInstruction(False)");')
else:
#print('cur is 0x%x prev is 0x%x' % (curAddr, prev_eip))
simicsString = gdbProt.Evalx('SendGDBMonitor("@cgc.reverseToCallInstruction(False, prev=0x%x)");' % prev_eip)
eip = gdbProt.getEIPWhenStopped()
#gdbProt.stepWait()
self.signalClient()
return eip
def doRevStepOver(self):
#print 'in doRevStepOver'
curAddr = idaversion.get_reg_value(self.PC)
prev_eip = idaversion.prev_head(curAddr)
eip = None
if prev_eip == idaapi.BADADDR:
prev_eip = None
simicsString = gdbProt.Evalx('SendGDBMonitor("@cgc.reverseToCallInstruction(False)");')
else:
#print('cur is 0x%x prev is 0x%x' % (curAddr, prev_eip))
simicsString = gdbProt.Evalx('SendGDBMonitor("@cgc.reverseToCallInstruction(False, prev=0x%x)");' % prev_eip)
if self.checkNoRev(simicsString):
eip = gdbProt.getEIPWhenStopped()
self.signalClient()
return eip
def updateStackTrace(self):
#print "in updateStackTrace"
#self.Close()
#self.Create()
#print('did create')
retval = []
self.ClearLines()
#self.Refresh()
#print('did refresh of clear')
command = '@cgc.getStackTrace()'
simicsString = gdbProt.Evalx('SendGDBMonitor("%s");' % command)
if type(simicsString) is int:
print('updateStackTrace got an int? %d' % simicsString)
return
try:
st_json = json.loads(simicsString)
except:
print('could not get json from %s' % simicsString)
return
for entry in st_json:
instruct = idc.GetDisasm(entry['ip'])
#print('instruct is %s' % str(instruct))
#line = '0x%x %-20s %s' % (entry['ip'], entry['fname'], entry['instruct'])
fun = idc.GetFunctionName(entry['ip'])
so = str(entry['fname'])
fname = os.path.basename(so)
line = '0x%08x %-15s %-10s %s' % (entry['ip'], fname, fun,
str(instruct))
#print("added %s" % line)
retval.append(str(line))
self.AddLine(str(line))
self.Refresh()
#self.Show()
return retval
def goToBookmarkRefresh(self, mark):
if mark != 'origin' and mark != '<None>':
simicsString = gdbProt.goToBookmark(mark)
if simicsString == "reverse disabled":
print('Reverse execution is disabled')
return
eip = gdbProt.getEIPWhenStopped()
#gdbProt.stepWait()
print('Now at bookmark: %s' % mark)
else:
''' monitor goToFirst will now handle missing page, and it starts in user space '''
''' TBD will end up at second instruction '''
print('goToBookmarkRefresh, is start_1, goToFirst')
#simicsString = gdbProt.Evalx('SendGDBMonitor("@cgc.goToFirst()");')
simicsString = gdbProt.Evalx(
'SendGDBMonitor("@cgc.goToOrigin()");')
eip = gdbProt.getEIPWhenStopped()
#gdbProt.stepWait()
#print('eip when stopped is 0x%x' % eip)
#self.runToUserSpace()
#self.runToUserSpace()
print('Now at bookmark: %s' % mark)
self.isim.showSimicsMessage()
def updateBookmarkView(self):
#print "in updateBookmarkView"
#self.Close()
#self.Create()
#print('did create')
retval = []
self.ClearLines()
self.Refresh()
print('did clear and refresh')
command = '@cgc.listBookmarks()'
simicsString = gdbProt.Evalx('SendGDBMonitor("%s");' % command)
if type(simicsString) is int or type(simicsString) is long:
print('listBookmarks got an int? %d' % simicsString)
return
lines = simicsString.split('\n')
for l in lines:
if ':' in l:
#print l
num, bm = l.split(':', 1)
entry = bm.strip()
if entry.startswith(BT) and START not in entry:
entry = '<<<' + entry[len(BT):]
self.AddLine(str(entry))
#print("added %s" % entry)
retval.append(entry)
self.Refresh()
self.Show()
return retval
def trackRegister(self):
highlighted = idaversion.getHighlight()
if highlighted is None or not self.isReg(highlighted):
print('%s not in reg list' % highlighted)
print('%s' % str(self.reg_list))
return
c=idaapi.Choose([], "back track to source of selected register", 1)
c.width=50
c.list = self.reg_list
chose = c.choose()
if chose == 0:
print('user canceled')
return
else:
highlighted = self.reg_list[chose-1]
print 'backtrack to source of to %s...' % highlighted
command = "@cgc.revTaintReg('%s')" % highlighted
simicsString = gdbProt.Evalx('SendGDBMonitor("%s");' % command)
print('trackRegister got simicsString %s' % simicsString)
eip = None
if self.checkNoRev(simicsString):
eip = gdbProt.getEIPWhenStopped()
self.signalClient()
else:
return
curAddr = idaversion.get_reg_value(self.PC)
print('Current instruction (0x%x) is as far back as we can trace reg %s' % (curAddr, highlighted))
self.showSimicsMessage()
bookmark_list = self.bookmark_view.updateBookmarkView()
return eip
def wroteToRegister(self):
highlighted = idaversion.getHighlight()
'''
if highlighted is None or highlighted not in self.reg_list:
print('%s not in reg list' % highlighted)
c=idaapi.Choose([], "Run backward until selected register modified", 1)
c.width=50
c.list = self.reg_list
chose = c.choose()
if chose == 0:
print('user canceled')
return
else:
highlighted = self.reg_list[chose-1]
'''
print 'Looking for a write to %s...' % highlighted
command = "@cgc.revToModReg('%s')" % highlighted
simicsString = gdbProt.Evalx('SendGDBMonitor("%s");' % command)
eip = None
if self.checkNoRev(simicsString):
eip = gdbProt.getEIPWhenStopped()
self.signalClient()
else:
return
curAddr = idaversion.get_reg_value(self.PC)
print('Current instruction (0x%x) wrote to reg %s' % (curAddr, highlighted))
return eip
def reverseStepInstruction(self, num=1):
command = "@cgc.reverseStepInstruction(%d)" % num
simicsString = gdbProt.Evalx('SendGDBMonitor("%s");' % command)
if self.checkNoRev(simicsString):
eip = gdbProt.getEIPWhenStopped()
self.signalClient()
def activate(self, ctx):
addr = getRefAddr()
if addr is None:
highlighted = idaversion.getHighlight()
addr = getHex(highlighted)
'''
if regFu.isHighlightedEffective():
addr = regFu.getOffset()
else:
highlighted = idaversion.getHighlight()
addr = getHex(highlighted)
'''
sas = setAddrValue.SetAddrValue()
sas.Compile()
sas.iAddr.value = addr
sas.iOffset.value = 0
sas.iRawHex.value = idaversion.get_wide_dword(sas.iAddr.value)
ok = sas.Execute()
if ok != 1:
return
val = sas.iRawHex.value
addr = sas.iAddr.value
offset = sas.iOffset.value
new_addr = addr+offset
simicsString = gdbProt.Evalx('SendGDBMonitor("@cgc.writeWord(0x%x, 0x%x)");' % (new_addr, val))
time.sleep(2)
self.isim.updateBookmarkView()
self.isim.updateDataWatch()
idaversion.refresh_debugger_memory()
idaversion.refresh_idaview_anyway()
idaversion.refresh_choosers()
print('Bookmarks cleared -- select origin bookmark to return to this cycle')
print('Note: data watches previous to this point are retained, but associated bookmarks are deleted')
def doReverse(self, extra_back=None):
print 'in doReverse'
curAddr = idaversion.get_reg_value(self.PC)
#goNowhere()
#print('doReverse, back from goNowhere curAddr is %x' % curAddr)
isBpt = idc.CheckBpt(curAddr)
# if currently at a breakpoint, we need to back an instruction to so we don't break
# here
if isBpt > 0:
print 'curAddr is %x, it is a breakpoint, do a rev step over' % curAddr
addr = self.doRevStepOver()
if addr is None:
return None
print 'in doReverse, did RevStepOver got addr of %x' % addr
isBpt = idc.CheckBpt(addr)
if isBpt > 0:
# back up onto a breakpoint, we are done
print('doReverse backed to breakpoint, we are done')
return addr
#print 'do reverse'
param = ''
if extra_back is not None:
param = extra_back
command = '@cgc.doReverse(%s)' % param
simicsString = gdbProt.Evalx('SendGDBMonitor("%s");' % command)
addr = None
if self.checkNoRev(simicsString):
addr = gdbProt.getEIPWhenStopped()
self.signalClient()
return addr
def reverseStepInstruction(self, num=1):
command = "@cgc.reverseStepInstruction(%d)" % num
simicsString = gdbProt.Evalx('SendGDBMonitor("%s");' % command)
#simicsString = gdbProt.Evalx('SendGDBMonitor("@cgc.reverseToCallInstruction(True)");')
eip = gdbProt.getEIPWhenStopped()
return eip
def updateWriteWatch(self):
print "in updateWriteWatch"
#self.Close()
#self.Create()
#print('did create')
retval = []
self.ClearLines()
#self.Refresh()
#print('did refresh of clear')
command = '@cgc.getWriteMarks()'
simicsString = gdbProt.Evalx('SendGDBMonitor("%s");' % command)
if type(simicsString) is int:
print('updateStackTrace got an int? %d' % simicsString)
return
try:
data_json = json.loads(simicsString)
except:
print('could not get json from %s' % simicsString)
return
index = 0
for entry in data_json:
instruct = idc.GetDisasm(entry['ip'])
uline = '%3d 0x%08x %s' % (index, entry['ip'], entry['msg'])
line = uline.encode('ascii', 'replace')
cline = str(line)
#print("added %s" % line)
retval.append(str(line))
self.AddLine(cline)
index += 1
self.Refresh()
#self.Show()
return retval
def trackRegister(self):
highlighted = idaapi.get_highlighted_identifier()
if highlighted is None or highlighted not in self.reg_list:
print('%s not in reg list' % highlighted)
c = Choose([], "back track to source of selected register", 1)
c.width = 50
c.list = self.reg_list
chose = c.choose()
if chose == 0:
print('user canceled')
return
else:
highlighted = self.reg_list[chose - 1]
print 'backtrack to source of to %s...' % highlighted
command = "@cgc.revTaintReg('%s')" % highlighted
simicsString = gdbProt.Evalx('SendGDBMonitor("%s");' % command)
eip = gdbProt.getEIPWhenStopped(2)
#gdbProt.stepWait()
self.signalClient()
curAddr = idc.GetRegValue(self.PC)
print(
'Current instruction (0x%x) is as far back as we can trace reg %s'
% (curAddr, highlighted))
self.showSimicsMessage()
bookmark_list = self.bookmark_view.updateBookmarkView()
return eip
def doRevStepInto(self):
#print 'in doRevStepInto'
#eip = reverseStepInstruction()
curAddr = idc.GetRegValue(self.PC)
prev_eip = idc.PrevHead(curAddr)
eip = None
if prev_eip == idaapi.BADADDR:
prev_eip = None
simicsString = gdbProt.Evalx('SendGDBMonitor("@cgc.reverseToCallInstruction(True)");')
else:
#print('cur is 0x%x prev is 0x%x' % (curAddr, prev_eip))
simicsString = gdbProt.Evalx('SendGDBMonitor("@cgc.reverseToCallInstruction(True, prev=0x%x)");' % prev_eip)
if self.checkNoRev(simicsString):
eip = gdbProt.getEIPWhenStopped()
self.signalClient()
return eip
def getMailbox(self):
msg = gdbProt.Evalx('SendGDBMonitor("@cgc.emptyMailbox()");')
lines = msg.split('\n')
if len(lines) > 1:
msg = lines[0]
print 'got mailbox message: <%s>' % msg
return msg
def watchData(self):
command = "@cgc.watchData()"
print('called %s' % command)
simicsString = gdbProt.Evalx('SendGDBMonitor("%s");' % command)
time.sleep(1)
eip = gdbProt.getEIPWhenStopped()
self.signalClient()
self.showSimicsMessage()
def revTo(self):
highlighted = idaapi.get_highlighted_identifier()
addr = reHooks.getHex(highlighted)
command = '@cgc.revToAddr(0x%x, extra_back=0)' % (addr)
#print('cmd: %s' % command)
simicsString = gdbProt.Evalx('SendGDBMonitor("%s");' % command)
eip = gdbProt.getEIPWhenStopped()
self.isim.signalClient()
def activate(self, ctx):
highlighted = idaversion.getHighlight()
addr = getHex(highlighted)
command = '@cgc.revToAddr(0x%x, extra_back=0)' % (addr)
print('cmd: %s' % command)
simicsString = gdbProt.Evalx('SendGDBMonitor("%s");' % command)
eip = gdbProt.getEIPWhenStopped()
self.isim.signalClient()
return 1
def goToOrigin(self):
simicsString = gdbProt.Evalx('SendGDBMonitor("@cgc.goToOrigin()");')
eip = gdbProt.getEIPWhenStopped()
if eip is not None:
print('goToOrigin eip when stopped is 0x%x' % eip)
#gdbProt.stepWait()
#print('did step wait')
else:
print('goToOrigin, getEIPWhenStopped returned None')
def nextWatchMark(self):
command = '@cgc.nextWatchMark()'
simicsString = gdbProt.Evalx('SendGDBMonitor("%s");' % command)
try:
index = int(simicsString)
except:
print('%s' % simicsString)
return
self.Jump(index)
def recordText(self):
for seg_ea in idautils.Segments():
print('seg: %s' % idaversion.get_segm_name(seg_ea))
if idaversion.get_segm_name(seg_ea) == '.text':
start = idaversion.get_segm_attr(seg_ea, idc.SEGATTR_START)
end = idaversion.get_segm_attr(seg_ea, idc.SEGATTR_END)
print('text at 0x%x - 0x%x' % (start, end))
gdbProt.Evalx('SendGDBMonitor("@cgc.recordText(0x%x, 0x%x)");' % (start, end))
break
def recordText(self):
for seg_ea in idautils.Segments():
print('seg: %s' % idc.SegName(seg_ea))
if idc.SegName(seg_ea) == '.text':
start = idc.SegStart(seg_ea)
end = idc.SegEnd(seg_ea)
print('text at 0x%x - 0x%x' % (start, end))
gdbProt.Evalx('SendGDBMonitor("@cgc.recordText(0x%x, 0x%x)");' % (start, end))
break
def runToSyscall(self):
value = idaversion.ask_long(0, "Syscall number?")
print('run to syscall of %d' % value)
if value == 0:
simicsString = gdbProt.Evalx('SendGDBMonitor("@cgc.runToSyscall()");')
else:
simicsString = gdbProt.Evalx('SendGDBMonitor("@cgc.runToSyscall(%s)");' % value)
eip = gdbProt.getEIPWhenStopped(kernel_ok=True)
#print('runtoSyscall, stopped at eip 0x%x, now run to user space.' % eip)
self.showSimicsMessage()
simicsString = gdbProt.Evalx('SendGDBMonitor("@cgc.runToUserSpace()");')
eip = gdbProt.getEIPWhenStopped()
#print('runtoSyscall, stopped at eip 0x%x, then stepwait.' % eip)
#gdbProt.stepWait()
self.signalClient(norev=True)
eax = idaversion.get_reg_value("EAX")
print('Syscall result: %d' % int(eax))
def activate(self, ctx):
if regFu.isHighlightedEffective():
addr = regFu.getOffset()
simicsString = gdbProt.Evalx(
'SendGDBMonitor("@cgc.getMemoryValue(0x%x)");' % addr)
print('effective addr 0x%x value %s' % (addr, simicsString))
value = simicsString
else:
highlighted = idaapi.get_highlighted_identifier()
addr = getHex(highlighted)
if addr is None:
print('ModMemoryHandler unable to parse hex from %s' %
highlighted)
return
simicsString = gdbProt.Evalx(
'SendGDBMonitor("@cgc.getMemoryValue(0x%x)");' % addr)
print('addr 0x%x value %s' % (addr, simicsString))
value = simicsString
# Sample form from kernwin.hpp
s = """Modify memory
Address: %$
<~E~nter value:t40:80:50::>
"""
ti = idaapi.textctrl_info_t(value)
ok = idaapi.AskUsingForm(
s,
Form.NumericArgument('$', addr).arg,
idaapi.pointer(idaapi.c_void_p.from_address(ti.clink_ptr)))
'''
string = Form.StringArgument(value)
ok = idaapi.AskUsingForm(s,
Form.NumericArgument('$', addr).arg,
string.arg)
'''
if ok == 1:
arg = "'%s'" % ti.text.strip()
print("You entered: %s <%s>" % (ti.text, arg))
cmd = "@cgc.writeString(0x%x, %s)" % (addr, arg)
print cmd
simicsString = gdbProt.Evalx('SendGDBMonitor("%s");' % (cmd))
time.sleep(1)
idc.RefreshDebuggerMemory()
def continueForward(self):
simicsString = gdbProt.Evalx('SendGDBMonitor("@cgc.continueForward()");')
#while True:
# simicsString = gdbProt.Evalx('SendGDBMonitor("@cgc.getEIPWhenStopped(%s)");' % 'True')
# time.sleep(2)
#idc.PauseProcess()
eip = gdbProt.getEIPWhenStopped()
print('continueForward got eip 0x%x' % eip)
self.signalClient()
self.bookmark_list = self.bookmark_view.updateBookmarkView()
