def isLinuxOverlap(self, cpu, cell_name, pid, address):
''' is the given address the last page of text and does it overlap the first page of data? '''
if pid in self.__text_start[cell_name]:
given, dum = pageUtils.adjust(address, 0, self.top.PAGE_SIZE)
last_text, dum = pageUtils.adjust(
self.__text_start[cell_name][pid], 0, self.top.PAGE_SIZE)
if given == last_text and self.onSamePage(cpu, cell_name, pid):
return True
else:
return False
else:
return False
def setBreakRange(self, cell_name, pid, start, length, cpu, comm):
'''
Set breakpoints to carpet the process's address space
'''
self.lgr.debug('setBreakRange begin')
start, end = pageUtils.adjust(start, length, self.page_size)
cell = cpu.physical_memory
#my_args = procInfo.procInfo(comm, cpu, pid, None, False)
self.lgr.debug(
'Adding breakpoints for %s:%d (%s) at %x through %x, given length was %x'
% (cell_name, pid, comm, start, end, length))
while start <= end:
limit = start + self.page_size
phys_block = cpu.iface.processor_info.logical_to_physical(
start, Sim_Access_Read)
if phys_block.address != 0:
all_break_num = SIM_breakpoint(cell, Sim_Break_Physical,
Sim_Access_Execute,
phys_block.address,
self.page_size, 0)
self.the_breaks.append(all_break_num)
elif phys_block.address == 0:
self.lgr.debug(
'runToUserSpace FAILED breakpoints for %s:%d (%s) at %x ' %
(cell_name, pid, comm, start))
start = limit
def nonCodeRangeRemove(self, cell_name, pid, cpu, start, length):
cell = cpu.physical_memory
start, end = pageUtils.adjust(start, length, self.page_size)
while start < end:
limit = start + self.page_size
self.hap_manager.rm(cell_name, pid, start)
start = limit
def nonCodeBreakRange(self,
cell_name,
pid,
cpu,
start,
length,
init=False):
cell = cpu.physical_memory
start, end = pageUtils.adjust(start, length, self.page_size)
self.lgr.debug('nonCodeBreakRangePhys %s:%d start: %x end: %x' %
(cell_name, pid, start, end))
while start < end:
limit = start + self.page_size
#self.lgr.debug('nonCodeBreakRange call hap manager start: %x page: %x' % (start, self.page_size))
self.hap_manager.add(cpu, cell_name, pid, start, self.page_size,
Sim_Access_Execute, self.non_code_callback)
start = limit
def doRopPhys(self, cpu, start, length, cell_name, pid, comm):
cell = cpu.physical_memory
start, end = pageUtils.adjust(start, length, self.page_size)
#dumcpu, cur_addr, comm, pid = self.os_utils[cell_name].currentProcessInfo()
#self.lgr.debug('Adding Rop Cop breakpoints for %s:%d (%s) at %x through %x, given length was %x ' % (cell_name, pid, comm, start, end, length))
phys_block = cpu.iface.processor_info.logical_to_physical(
start, Sim_Access_Read)
#self.lgr.debug('add break at %x' % phys_block.address)
code_break_num = SIM_breakpoint(cell, Sim_Break_Physical,
Sim_Access_Execute, phys_block.address,
length, 0)
self.kernel_ret_break[cpu].append(code_break_num)
command = 'set-prefix %d "ret"' % code_break_num
SIM_run_alone(SIM_run_command, command)
hap_num = SIM_hap_add_callback_index("Core_Breakpoint_Memop",
self.rop_cop_ret_callback, cpu,
code_break_num)
self.kernel_ret_hap[cpu].append(hap_num)
def ropCopBreakRangePhys(self, cell_name, pid, start, length, cpu, comm, top=False, from_loader=False):
start, end = pageUtils.adjust(start, length, self.page_size)
cell = cpu.physical_memory
my_args = procInfo.procInfo(comm, cpu, pid, None, False)
self.lgr.debug('Adding Rop Cop breakpoints for %s:%d (%s) at %x through %x, given length was %x' % (cell_name, pid, comm, start, end, length))
while start <= end:
limit = start + self.page_size
phys_block = cpu.iface.processor_info.logical_to_physical(start, Sim_Access_Read)
if phys_block.address != 0:
if from_loader and self.hap_manager.hasCodePage(cell_name, pid, start):
# duplicate pages in program header, we are parsing backwards, so skip this.
self.lgr.debug('ropCopBreakRange, already did code page for %x, skipping this page' % start)
elif not self.useDiscreteReturns(comm, pid, start, limit, cpu, cell_name, cell, my_args):
self.lgr.debug('ropCopBreakRange not using discrete returns for %s, phys %x (virt: %x)' % (comm,
phys_block.address, start))
# Set exectution breakpoints for "ret" instructions
code_break_num = SIM_breakpoint(cell, Sim_Break_Physical,
Sim_Access_Execute, phys_block.address, self.page_size, 0)
#self.checkExceptions(code_break_num, start, limit, cpu)
command = 'set-prefix %d "ret"' % code_break_num
SIM_run_alone(SIM_run_command, command)
cb_num = SIM_hap_add_callback_index("Core_Breakpoint_Memop",
self.rop_cop_ret_callback, my_args, code_break_num)
# use 'kind' of 2 to indicate these are Rop breaks
self.hap_manager.addBreak(cell_name, pid, code_break_num, start, 2)
self.hap_manager.addHap(cpu, cell_name, pid, cb_num, start, 2)
if top:
self.hap_manager.setTextTop(cell_name, physical_block.address)
elif phys_block.address == 0:
self.lgr.debug('FAILED Rop Cop breakpoints for %s:%d (%s) at %x ' % (cell_name, pid, comm,
start))
start = limit
def setBreakRange(self,
cell_name,
pid,
start,
length,
cpu,
comm,
call_ret,
reg=None):
'''
Set breakpoints to carpet the process's address space
'''
self.lgr.debug('setBreakRange begin')
start, end = pageUtils.adjust(start, length, self.page_size)
cell = cpu.physical_memory
my_args = procInfo.procInfo(comm, cpu, pid, None, False)
self.lgr.debug(
'Adding breakpoints for %s:%d (%s) at %x through %x, given length was %x'
% (cell_name, pid, comm, start, end, length))
while start <= end:
limit = start + self.page_size
phys_block = cpu.iface.processor_info.logical_to_physical(
start, Sim_Access_Read)
if phys_block.address != 0:
if call_ret:
# Set exectution breakpoints for "call" and "ret" instructions
call_break_num = SIM_breakpoint(cell, Sim_Break_Physical,
Sim_Access_Execute,
phys_block.address,
self.page_size, 0)
self.the_breaks.append(call_break_num)
if cpu.architecture == 'arm':
command = 'set-prefix %d "bl"' % call_break_num
else:
command = 'set-prefix %d "call"' % call_break_num
SIM_run_alone(SIM_run_command, command)
if cpu.architecture == 'arm':
ret_break_num = SIM_breakpoint(cell,
Sim_Break_Physical,
Sim_Access_Execute,
phys_block.address,
self.page_size, 0)
self.the_breaks.append(ret_break_num)
command = 'set-substr %d "PC"' % ret_break_num
SIM_run_alone(SIM_run_command, command)
ret_break_num = SIM_breakpoint(cell,
Sim_Break_Physical,
Sim_Access_Execute,
phys_block.address,
self.page_size, 0)
self.the_breaks.append(ret_break_num)
command = 'set-substr %d "LR"' % ret_break_num
SIM_run_alone(SIM_run_command, command)
else:
ret_break_num = SIM_breakpoint(cell,
Sim_Break_Physical,
Sim_Access_Execute,
phys_block.address,
self.page_size, 0)
self.the_breaks.append(ret_break_num)
command = 'set-prefix %d "ret"' % ret_break_num
SIM_run_alone(SIM_run_command, command)
self.lgr.debug(
'done setting breakpoints for call and ret addr: %x',
phys_block.address)
elif reg is not None:
all_break_num = SIM_breakpoint(cell, Sim_Break_Physical,
Sim_Access_Execute,
phys_block.address,
self.page_size, 0)
# TBD substr only applies to mnemonic?
#command = 'set-substr %d "%s"' % (all_break_num, reg)
#SIM_run_alone(SIM_run_command, command)
self.the_breaks.append(all_break_num)
self.lgr.debug(
'done setting breakpoints for reg substring %s addr: %x'
% (reg, phys_block.address))
else:
all_break_num = SIM_breakpoint(cell, Sim_Break_Physical,
Sim_Access_Execute,
phys_block.address,
self.page_size, 0)
self.lgr.debug(
'setBreakRange set phys addr 0x%x linear 0x%x' %
(phys_block.address, start))
self.the_breaks.append(all_break_num)
elif phys_block.address == 0:
self.lgr.debug(
'reverseToCall FAILED breakpoints for %s:%d (%s) at %x ' %
(cell_name, pid, comm, start))
start = limit
self.lgr.debug('setBreakRange done')
def __init__(self, start, length, page_size):
start, end = pageUtils.adjust(start, length, page_size)
self.start = start
self.end = end
