def action_singlestep(self):
cb_data = {
'interrupted': False
}
def cb_on_sstep(vmi, event):
self.log.debug('singlestepping')
vmi.pause_vm()
cb_data['interrupted'] = True
# unregister sstep_recoil
self.ctx.vmi.clear_event(self.ss_event_recoil)
num_vcpus = self.ctx.vmi.get_num_vcpus()
ss_event = SingleStepEvent(range(num_vcpus), cb_on_sstep)
self.ctx.vmi.register_event(ss_event)
self.ctx.vmi.resume_vm()
while not cb_data['interrupted']:
self.ctx.vmi.listen(1000)
self.ctx.vmi.listen(0)
self.ctx.vmi.clear_event(ss_event)
# reregister sstep_recoil
self.ctx.vmi.register_event(self.ss_event_recoil)
def singlestep_once(self):
# unregister sstep_recoil
self.vmi.clear_event(self.sstep_recoil)
stop_event = threading.Event()
def cb_on_sstep(vmi, event):
self.vmi.pause_vm()
stop_event.set()
try:
self.vmi.pause_vm()
except LibvmiError:
pass
# register sstep
num_vcpus = self.vmi.get_num_vcpus()
ss_event = SingleStepEvent(range(num_vcpus), cb_on_sstep)
self.vmi.register_event(ss_event)
# resume and listen
self.vmi.resume_vm()
while not stop_event.is_set():
self.vmi.listen(1000)
# clear queue
self.vmi.listen(0)
self.vmi.clear_event(ss_event)
# reregister sstep_recoil
self.vmi.register_event(self.sstep_recoil)
def main(args):
vm_name = args['<vm_name>']
symbol = args['<symbol>']
# register SIGINT
signal.signal(signal.SIGINT, signal_handler)
with Libvmi(vm_name, INIT_DOMAINNAME | INIT_EVENTS) as vmi:
vaddr = vmi.translate_ksym2v(symbol)
debug_event = DebugEvent(debug_callback)
num_vcpus = vmi.get_num_vcpus()
sstep_event = SingleStepEvent(range(num_vcpus), enable=False,
callback=sstep_callback)
with pause(vmi):
vmi.register_event(debug_event)
vmi.register_event(sstep_event)
# set dr0 to our address
vmi.set_vcpureg(vaddr, X86Reg.DR0.value, 0)
toggle_dr0(vmi, True)
# listen
while not interrupted:
print("Waiting for events")
vmi.listen(1000)
print("Stop listening")
with pause(vmi):
vmi.clear_event(debug_event)
vmi.clear_event(sstep_event)
def __init__(self, conn, addr, debug_ctx):
super().__init__(conn, addr)
self.ctx = debug_ctx
self.cmd_to_handler = {
GDBCmd.GEN_QUERY_GET: self.gen_query_get,
GDBCmd.GEN_QUERY_SET: self.gen_query_set,
GDBCmd.SET_THREAD_ID: self.set_thread_id,
GDBCmd.TARGET_STATUS: self.target_status,
GDBCmd.READ_REGISTERS: self.read_registers,
GDBCmd.WRITE_REGISTERS: self.write_registers,
GDBCmd.DETACH: self.detach,
GDBCmd.READ_MEMORY: self.read_memory,
GDBCmd.WRITE_MEMORY: self.write_memory,
GDBCmd.WRITE_DATA_MEMORY: self.write_data_memory,
GDBCmd.CONTINUE: self.cont_execution,
GDBCmd.SINGLESTEP: self.singlestep,
GDBCmd.REMOVE_XPOINT: self.remove_xpoint,
GDBCmd.INSERT_XPOINT: self.insert_xpoint,
GDBCmd.BREAKIN: self.breakin,
GDBCmd.V_FEATURES: self.v_features,
}
self.features = {
b'multiprocess': False,
b'swbreak': True,
b'hwbreak': False,
b'qRelocInsn': False,
b'fork-events': False,
b'vfork-events': False,
b'exec-events': False,
b'vContSupported': True,
b'QThreadEvents': False,
b'QStartNoAckMode': True,
b'no-resumed': False,
b'xmlRegisters': False,
b'qXfer:memory-map:read': True
}
# [addr] -> [saved_opcode]
self.addr_to_op = {}
self.stop_listen = threading.Event()
self.pool = ThreadPoolExecutor(max_workers=1)
# register some events
# register interrupt event
self.int_event = IntEvent(self.cb_on_int3)
self.ctx.vmi.register_event(self.int_event)
# single step event to handle wrong hits by sw breakpoints
# enabled via EventResponse.TOGGLE_SINGLESTEP
num_vcpus = self.ctx.vmi.get_num_vcpus()
self.ss_event_recoil = SingleStepEvent(range(num_vcpus),
self.cb_on_sstep_recoil,
enable=False)
self.ctx.vmi.register_event(self.ss_event_recoil)
# store the last addr where a swbreakpoint was hit
# but it was not our targeted process
# used in cb_on_sstep_recoil to restore the breakpoint after
# the recoil
self.last_addr_wrong_swbreak = None
def test_singlestep(vmiev):
def callback(vmi, event):
event.data['counter'] += 1
if event.data['counter'] == 50000:
vmi.clear_event(event)
event.data['interrupted'] = True
event_data = {'interrupted': False, 'counter': 0}
num_vcpus = vmiev.get_num_vcpus()
ss_event = SingleStepEvent(range(num_vcpus), callback, data=event_data)
with pause(vmiev):
vmiev.register_event(ss_event)
while not event_data['interrupted']:
vmiev.listen(500)
def main(args):
vm_name = args['<vm_name>']
symbol = args['<symbol>']
sstep_enabled = args['--sstep']
# register SIGINT
signal.signal(signal.SIGINT, signal_handler)
with Libvmi(vm_name, INIT_DOMAINNAME | INIT_EVENTS) as vmi:
vaddr = vmi.translate_ksym2v(symbol)
paddr = vmi.translate_kv2p(vaddr)
frame = paddr >> 12
print("symbol: {} vaddr: {} paddr: {} frame: {}".format(
symbol, hex(vaddr), hex(paddr), hex(frame)))
user_data = {
'symbol': symbol,
'target_vaddr': vaddr,
'target_gfn': frame,
'mem_event': None,
'sstep': sstep_enabled
}
num_vcpus = vmi.get_num_vcpus()
ss_event = SingleStepEvent(range(num_vcpus),
cb_ss_event,
data=user_data,
enable=False)
mem_event = MemEvent(MemAccess.X,
cb_mem_event,
gfn=frame,
data=user_data)
user_data['mem_event'] = mem_event
with pause(vmi):
vmi.register_event(ss_event)
vmi.register_event(mem_event)
# listen
while not interrupted:
print("Waiting for events ({})".format(vmi.are_events_pending()))
vmi.listen(3000)
print("Stop listening")
with pause(vmi):
vmi.clear_event(mem_event)
def main(args):
if len(args) != 2:
print('./singlestep-event.py <vm_name>')
return 1
vm_name = args[1]
# register SIGINT
signal.signal(signal.SIGINT, signal_handler)
counter = 0
with Libvmi(vm_name, INIT_DOMAINNAME | INIT_EVENTS) as vmi:
num_vcpus = vmi.get_num_vcpus()
ss_event = SingleStepEvent(range(num_vcpus), callback, data=counter)
vmi.register_event(ss_event)
# listen
while not interrupted:
print("Waiting for events")
vmi.listen(500)
print("Stop listening")
counter = ss_event.data
print("Singlestepped {} instructions".format(counter))
def __enter__(self):
# init LibVMI
self.vmi = Libvmi(self.vm_name,
init_flags=INIT_DOMAINNAME | INIT_EVENTS,
partial=True)
self.vmi.init_paging(flags=0)
# catch every exception to force a clean exit with __exit__
# where vmi.destroy() must be called
try:
# determine debug context
if not self.process:
self.ctx = RawDebugContext(self.vmi)
else:
self.vmi.init_os()
ostype = self.vmi.get_ostype()
if ostype == VMIOS.WINDOWS:
self.ctx = WindowsDebugContext(self.vmi, self.process)
elif ostype == VMIOS.LINUX:
self.ctx = LinuxDebugContext(self.vmi, self.process)
else:
raise RuntimeError('unhandled ostype: {}'.format(
ostype.value))
# register some events
# register interrupt event
self.int_event = IntEvent(self.cb_on_int3)
self.vmi.register_event(self.int_event)
# single step event to handle wrong hits by sw breakpoints
# enabled via EventResponse.TOGGLE_SINGLESTEP
num_vcpus = self.vmi.get_num_vcpus()
self.ss_event_recoil = SingleStepEvent(range(num_vcpus),
self.cb_on_sstep_recoil,
enable=False)
self.vmi.register_event(self.ss_event_recoil)
self.ctx.attach()
self.attached = True
except:
logging.exception('Exception while initializing debug context')
return self
def __init__(self, vmi, ctx):
self.log = logging.getLogger(__class__.__name__)
self.vmi = vmi
self.ctx = ctx
# register Int3 event
self.int_event = IntEvent(self.cb_on_int3)
self.vmi.register_event(self.int_event)
# single step event to handle wrong hits by sw breakpoints
# enabled via EventResponse.TOGGLE_SINGLESTEP
num_vcpus = self.vmi.get_num_vcpus()
self.sstep_recoil = SingleStepEvent(range(num_vcpus),
self.cb_on_sstep_recoil,
enable=False)
self.vmi.register_event(self.sstep_recoil)
self.listen_thread = None
self.stop_listen = threading.Event()
self.addr_to_opcode = {}
self.handlers = {}
# store the last addr where a swbreakpoint was hit
# but it was not our targeted process
# used in cb_on_sstep_recoil to restore the breakpoint after
# the recoil
self.last_addr_wrong_swbreak = None
def __init__(self, vmi, ctx):
self.log = logging.getLogger(__class__.__name__)
self.vmi = vmi
self.ctx = ctx
# register int3 event
self.int_event = IntEvent(self.cb_on_int3)
self.vmi.register_event(self.int_event)
# # register hardware debug event
# self.debug_event = DebugEvent(self.cb_on_debug)
# self.vmi.register_event(self.debug_event)
# single step event to handle wrong hits by sw breakpoints
# enabled via EventResponse.TOGGLE_SINGLESTEP
num_vcpus = self.vmi.get_num_vcpus()
self.sstep_recoil = SingleStepEvent(range(num_vcpus),
self.cb_on_sstep_recoil,
enable=False)
self.vmi.register_event(self.sstep_recoil)
self.listen_thread = None
self.stop_listen = threading.Event()
# handling software breakpoint
self.swbp_addr_to_opcode = {}
self.swbp_handlers = {}
# handling hardware breakpoints
self.hwbp_handlers = {}