// print all the memory layout of the process
void ProcInfo::PrintAllMemory(){
MYPRINT("\nCurrent Memory:");
this->enumerateCurrentMemory();
this->mergeCurrentMemory();
this->PrintCurrentMemorydAddr();
MYPRINT("\nWhitelist:");
this->enumerateWhiteListMemory();
this->PrintWhiteListedAddr();
}
/*
Executes the heuristics on the dumped memory
*/
VOID ProcessInjectionModule::ExecuteHeuristics(string path_to_analyse){
MYPRINT("\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -");
MYPRINT("- - - - - - - - - - - - - - - - - - - - - STAGE 2: ANALYZING DUMP - - - - - - - - - - - - - - - - - - - - - -");
MYPRINT("- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -");
vector<string> dumps_to_analyse;
dumps_to_analyse.push_back(path_to_analyse);
Heuristics::yaraHeuristic(dumps_to_analyse);
}
// This function is called when the application exits
// - print out the information relative to the current run
VOID Fini(INT32 code, VOID *v){
//inspect the write set at the end of the execution
WxorXHandler *wxorxHandler = WxorXHandler::getInstance();
//MYINFO("WRITE SET SIZE: %d", wxorxHandler->getWritesSet().size());
//get the execution time
MYPRINT("\n\n\nTotal execution Time: %.2fs", (double)(clock() - tStart)/CLOCKS_PER_SEC);
CLOSELOG();
Report::getInstance()->closeReport();
}
//------------------------------------------------------
// init the node struct
// give him some name
//------------------------------------------------------
int sim_mgr_node(node_t *node,u32 index, u32 pid)
{ // fix me mknod and mkfifo
// can't use /tmp/fifo/pp.. because can't mkdir. fifo
// tempolary use /tmp/pp..
// and must remove the exist fifo in /tmp/pp..
node->index = index;
node->pid = pid;
// sprintf(node->sim_cmd.name, "/tmp/pp_cmd_in_%d", index);
// printf("the node->sim_cmd.name = %s\n", node->sim_cmd.name);
// if(mknod(node->sim_cmd.name, S_IFIFO | 0666, 0) < 0){
// MYPRINT("mknod sim_cmd");
// return -1;
// }
//
// if((node->sim_cmd.pipe = open(node->sim_cmd.name, O_RDONLY)) == -1) {
// MYPRINT("open sim_cmd");
// return -1;
// }
// if(pthread_create(&(node->sim_cmd.thread), NULL, sim_cmd_thread, (void *)node) != 0){
// MYPRINT("sim_cmd");
// }
printf("index=%d\n", index);
sprintf(node->sim_data.name, "/tmp/pp_data_in_%d", index);
printf("name: %s\n",node->sim_data.name);
if(mknod(node->sim_data.name, S_IFIFO | 0666, 0) < 0){
MYPRINT("mknod sim_data");
return -1;
}
if((node->sim_data.pipe = open(node->sim_data.name, O_RDONLY)) == -1) {
MYPRINT("open sim_data");
return -1;
}
if(pthread_create(&(node->sim_data.thread), NULL, sim_data_thread, (void *)node) != 0){
MYPRINT("pthread_create");
}
return 1;
}
void *sim_data_thread(void *node)
{// data from node to simulator
static char msg[MAX_PIPE_SIZE];
node_t *pnode = (node_t *)node;
int read_num = 0;
while(1){
printf("pnode->sim_data.name = %s\n", pnode->sim_data.name);
if((read_num = read(pnode->sim_data.pipe, msg, MAX_PIPE_SIZE)) == -1){
MYPRINT("sim_data_thread");
}
sleep(5);
printf("read_num = %d\n", read_num);
printf("msg recived = %s\n", msg);
}
}
VOID ProcessInjectionModule::HandleInjectedMemory(std::vector<WriteInterval>& currentWriteSet,W::DWORD pid){
for(std::vector<WriteInterval>::iterator item = currentWriteSet.begin(); item != currentWriteSet.end(); ++item) {
MYPRINT("\n\n-------------------------------------------------------------------------------------------------------");
MYPRINT("------------------------------------ INJECTED STUB inside pid %d begin: %08x TO %08x -------------------------------------",pid,item->getAddrBegin(),item->getAddrEnd());
MYPRINT("-------------------------------------------------------------------------------------------------------\n");
MYPRINT("- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -");
MYPRINT("- - - - - - - - - - - - - - - - - - - - - STAGE 1: DUMPING - - - - - - - - - - - - - - - - - - - - - - - - -");
MYPRINT("- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -");
config->setNewWorkingDirectory(true);
string cur_dump_path = DumpRemoteWriteInterval(&(*item), pid);
report->createReportDump(item->getAddrBegin(),item->getAddrBegin(),item->getAddrEnd(),Config::getInstance()->getDumpNumber(),false,pid);
//check if the memory has been dumped correctly and execute the heuristics
if (cur_dump_path != ""){
ExecuteHeuristics(cur_dump_path);
}
report->closeReportDump();
config->incrementDumpNumber();
}
}
void ProcInfo::PrintCurrentMemorydAddr(){
//Iterate through the already whitelisted memory addresses
for(std::vector<MemoryRange>::iterator item = currentMemory.begin(); item != currentMemory.end(); ++item) {
MYPRINT("Current Memory %08x -> %08x",item->StartAddress,item->EndAddress) ;
}
}
int main(int argc, char *argv[])
{
MYPRINT("Hello world\n");
return 0;
}
