// Bonsai tree as list (indexed storage)
void test2(pgctx_t *ctx)
{
int i;
char tbuf[80];
dbtype_t *v, *node, *n;
node=NULL;
for(i=0; i<16; i++) {
v = dbint_new(ctx, i);
printf("inserting %d, node=%p ", i, node);
node = bonsai_insert_index(ctx, node, INT_MAX, v);
printf("--> %p\n", node);
}
bonsai_show(ctx, node, 0);
printf("aslist = [");
for(i=0; i<16; i++) {
n = bonsai_index(ctx, node, i);
printf("%s, ", dbprint(GET(n->value), tbuf, sizeof(tbuf)));
}
printf("]\n\n");
for(i=0; i<16; i++) {
v = NULL;
printf("deleting %d, node=%p ", i, node);
node = bonsai_delete_index(ctx, node, -1, &v);
printf("--> %p (val=%s)\n", node, dbprint(v, tbuf, sizeof(tbuf)));
bonsai_show(ctx, node, 0);
printf("**********************************************************************\n");
}
}
status_t
peparse_get_image_phys(
vmi_instance_t vmi,
addr_t base_paddr,
size_t len,
const uint8_t * const image)
{
uint32_t nbytes = vmi_read_pa(vmi, base_paddr, (void *)image, len);
if(nbytes != len) {
dbprint(VMI_DEBUG_MISC, "--PEPARSE: failed to read a continuous PE header\n");
return VMI_FAILURE;
}
if(VMI_SUCCESS != peparse_validate_pe_image(image, len)) {
dbprint(VMI_DEBUG_MISC, "--PEPARSE: failed to validate a continuous PE header\n");
if(vmi->init_mode & VMI_INIT_COMPLETE) {
dbprint(VMI_DEBUG_MISC, "--PEPARSE: You might want to use peparse_get_image_virt here!\n");
}
return VMI_FAILURE;
}
return VMI_SUCCESS;
}
int main(void) {
//initializations
Board_init();
Board_configure(USE_SERIAL | USE_LCD | USE_TIMER);
Interface_init();
//I2C_init(I2C_ID, I2C_CLOCK_FREQ);
dbprint("Interface online.\n");
DELAY(STARTUP_DELAY);
Timer_new(TIMER_TEST, DEBUG_PRINT_DELAY);
//cycle and check if buttons are pressed, if so, turn light on for 3 seconds
while(1) {
#ifdef DO_STUFF
//check to see which button is pressed
if(Timer_isExpired(TIMER_TEST)) {
LCD_setPosition(0,0);
dbprint("Ok=%d, C=%d, R=%d, S=%x,\n Reset=%x, SS=%x\n",
Interface_isOkPressed(), Interface_isCancelPressed(),
Interface_isRescuePressed(), Interface_isStopPressed(),
Interface_isResetPressed(), Interface_isSetStationPressed());
Timer_new(TIMER_TEST, DEBUG_PRINT_DELAY);
}
Interface_runSM();
#endif
}
return SUCCESS;
}
addr_t
windows_find_eprocess(
vmi_instance_t vmi,
char *name)
{
addr_t start_address = 0;
check_magic_func check = get_check_magic_func(vmi);
if (vmi->os.windows_instance.pname_offset == 0) {
vmi->os.windows_instance.pname_offset =
find_pname_offset(vmi, check);
if (vmi->os.windows_instance.pname_offset == 0) {
dbprint("--failed to find pname_offset\n");
return 0;
}
else {
dbprint("**set os.windows_instance.pname_offset (0x%x)\n",
vmi->os.windows_instance.pname_offset);
}
}
if (vmi->init_task) {
start_address =
vmi->init_task - vmi->os.windows_instance.tasks_offset;
}
return find_process_by_name(vmi, check, start_address, name);
}
void *memory_cache_insert (vmi_instance_t vmi, addr_t paddr)
{
memory_cache_entry_t entry = NULL;
addr_t paddr_aligned = paddr & ~( ((addr_t) vmi->page_size) - 1);
if (paddr != paddr_aligned){
errprint("Memory cache request for non-aligned page\n");
return NULL;
}
gint64 *key = safe_malloc(sizeof(gint64));
*key = paddr;
if ((entry = g_hash_table_lookup(vmi->memory_cache, key)) != NULL){
dbprint("--MEMORY cache hit 0x%llx\n", paddr);
free(key);
return validate_and_return_data(vmi, entry);
}
else{
dbprint("--MEMORY cache set 0x%llx\n", paddr);
entry = create_new_entry(vmi, paddr, vmi->page_size);
if (!entry) {
errprint ("create_new_entry failed\n");
return 0;
}
g_hash_table_insert(vmi->memory_cache, key, entry);
gint64 *key2 = safe_malloc(sizeof(gint64));
*key2 = paddr;
vmi->memory_cache_lru = g_list_prepend(vmi->memory_cache_lru, key2);
vmi->memory_cache_size++;
return entry->data;
}
}
int
find_pname_offset(
vmi_instance_t vmi,
check_magic_func check)
{
addr_t block_pa = 0;
addr_t offset = 0;
uint32_t value = 0;
void *bm = 0;
bm = boyer_moore_init((unsigned char *)"Idle", 4);
#define BLOCK_SIZE 1024 * 1024 * 1
unsigned char block_buffer[BLOCK_SIZE];
if (NULL == check) {
check = get_check_magic_func(vmi);
}
for (block_pa = 4096; block_pa + BLOCK_SIZE < vmi->max_physical_address; block_pa += BLOCK_SIZE) {
if ( VMI_FAILURE == vmi_read_pa(vmi, block_pa, BLOCK_SIZE, block_buffer, NULL) ) {
continue;
}
for (offset = 0; offset < BLOCK_SIZE; offset += 8) {
memcpy(&value, block_buffer + offset, 4);
if (check(value)) { // look for specific magic #
dbprint
(VMI_DEBUG_MISC, "--%s: found magic value 0x%.8"PRIx32" @ offset 0x%.8"PRIx64"\n",
__FUNCTION__, value, block_pa + offset);
unsigned char haystack[0x500];
if ( VMI_FAILURE == vmi_read_pa(vmi, block_pa + offset, 0x500, haystack, NULL) ) {
continue;
}
int i = boyer_moore2(bm, haystack, 0x500);
if (-1 == i) {
continue;
}
else {
vmi->init_task = block_pa + offset;
dbprint
(VMI_DEBUG_MISC, "--%s: found Idle process at 0x%.8"PRIx64" + 0x%x\n",
__FUNCTION__, block_pa + offset, i);
boyer_moore_fini(bm);
return i;
}
}
}
}
boyer_moore_fini(bm);
return 0;
}
static FILE *
open_config_file(
)
{
FILE *f = NULL;
char *location;
char *sudo_user = NULL;
struct passwd *pw_entry = NULL;
/* first check home directory of sudo user */
if ((sudo_user = getenv("SUDO_USER")) != NULL) {
if ((pw_entry = getpwnam(sudo_user)) != NULL) {
location = safe_malloc(snprintf(NULL,0,"%s/etc/libvmi.conf",
pw_entry->pw_dir)+1);
sprintf(location, "%s/etc/libvmi.conf",
pw_entry->pw_dir);
dbprint(VMI_DEBUG_CORE, "--looking for config file at %s\n", location);
f = fopen(location, "r");
if (f) {
goto success;
}
free(location);
}
}
/* next check home directory for current user */
location = safe_malloc(snprintf(NULL,0,"%s/etc/libvmi.conf",
getenv("HOME"))+1);
sprintf(location, "%s/etc/libvmi.conf", getenv("HOME"));
dbprint(VMI_DEBUG_CORE, "--looking for config file at %s\n", location);
f = fopen(location, "r");
if (f) {
goto success;
}
free(location);
/* finally check in /etc */
dbprint(VMI_DEBUG_CORE, "--looking for config file at /etc/libvmi.conf\n");
location = safe_malloc(strlen("/etc/libvmi.conf")+1);
sprintf(location, "/etc/libvmi.conf");
f = fopen(location, "r");
if (f) {
goto success;
}
free(location);
return NULL;
success:
dbprint(VMI_DEBUG_CORE, "**Using config file at %s\n", location);
free(location);
return f;
}
/* returns a windows PE export from an RVA*/
char*
windows_rva_to_export(
vmi_instance_t vmi,
addr_t rva,
const access_context_t *ctx)
{
access_context_t _ctx = *ctx;
struct export_table et;
addr_t et_rva;
size_t et_size;
// get export table structure
if (peparse_get_export_table(vmi, ctx, &et, &et_rva, &et_size) != VMI_SUCCESS) {
dbprint(VMI_DEBUG_PEPARSE, "--PEParse: failed to get export table\n");
return NULL;
}
if (rva>=et_rva && rva < et_rva+et_size) {
dbprint(VMI_DEBUG_PEPARSE, "--PEParse: symbol @ 0x%"PRIx64" is forwarded\n", ctx->addr+rva);
return NULL;
}
addr_t base1 = ctx->addr + et.address_of_names;
addr_t base2 = ctx->addr + et.address_of_name_ordinals;
addr_t base3 = ctx->addr + et.address_of_functions;
uint32_t i = 0;
for (; i < et.number_of_functions; ++i) {
uint32_t name_rva = 0;
uint16_t ordinal = 0;
uint32_t loc = 0;
_ctx.addr = base2 + i * sizeof(uint16_t);
if (VMI_FAILURE==vmi_read_16(vmi, &_ctx, &ordinal))
continue;
_ctx.addr = base3 + ordinal * sizeof(uint32_t);
if (VMI_FAILURE==vmi_read_32(vmi, &_ctx, &loc))
continue;
if (loc==rva) {
_ctx.addr = base1 + i * sizeof(uint32_t);
if (i < et.number_of_names && VMI_SUCCESS==vmi_read_32(vmi, &_ctx, &name_rva) && name_rva) {
_ctx.addr = ctx->addr + name_rva;
return vmi_read_str(vmi, &_ctx);
}
dbprint(VMI_DEBUG_PEPARSE, "--PEParse: symbol @ 0x%"PRIx64" is exported by ordinal only\n", ctx->addr+rva);
break;
}
}
return NULL;
}
addr_t v2p_ia32e (vmi_instance_t vmi,
addr_t dtb,
addr_t vaddr,
page_info_t *info)
{
uint64_t pml4e = 0, pdpte = 0, pde = 0, pte = 0;
// are we in compatibility mode OR 64-bit mode ???
// validate address based on above (e.g., is it canonical?)
// determine what MAXPHYADDR is
dbprint(VMI_DEBUG_PTLOOKUP, "--PTLookup: lookup vaddr = 0x%.16"PRIx64"\n", vaddr);
dbprint(VMI_DEBUG_PTLOOKUP, "--PTLookup: dtb = 0x%.16"PRIx64"\n", dtb);
pml4e = get_pml4e(vmi, vaddr, dtb, &info->l4_a);
dbprint(VMI_DEBUG_PTLOOKUP, "--PTLookup: pml4e = 0x%.16"PRIx64"\n", pml4e);
if (ENTRY_PRESENT(vmi->os_type, pml4e)) {
info->l4_v = pml4e;
pdpte = get_pdpte_ia32e(vmi, vaddr, pml4e, &info->l3_a);
dbprint(VMI_DEBUG_PTLOOKUP, "--PTLookup: pdpte = 0x%.16"PRIx64"\n", pdpte);
if (ENTRY_PRESENT(vmi->os_type, pdpte)) {
info->l3_v = pdpte;
if (PAGE_SIZE_FLAG(pdpte)) { // pdpte maps a 1GB page
info->paddr = get_gigpage_ia32e(vaddr, pdpte);
info->size = VMI_PS_1GB;
dbprint(VMI_DEBUG_PTLOOKUP, "--PTLookup: 1GB page\n");
}
else {
pde = get_pde_ia32e(vmi, vaddr, pdpte, &info->l2_a);
dbprint(VMI_DEBUG_PTLOOKUP, "--PTLookup: pde = 0x%.16"PRIx64"\n", pde);
}
if (ENTRY_PRESENT(vmi->os_type, pde)) {
info->l2_v = pde;
if (PAGE_SIZE_FLAG(pde)) { // pde maps a 2MB page
info->paddr = get_2megpage_ia32e(vaddr, pde);
info->size = VMI_PS_2MB;
dbprint(VMI_DEBUG_PTLOOKUP, "--PTLookup: 2MB page\n");
}
else {
pte = get_pte_ia32e(vmi, vaddr, pde, &info->l1_a);
dbprint(VMI_DEBUG_PTLOOKUP, "--PTLookup: pte = 0x%.16"PRIx64"\n", pte);
}
if (ENTRY_PRESENT(vmi->os_type, pte)) {
info->l1_v = pte;
info->size = VMI_PS_4KB;
info->paddr = get_paddr_ia32e(vaddr, pte);
}
}
}
}
dbprint(VMI_DEBUG_PTLOOKUP, "--PTLookup: paddr = 0x%.16"PRIx64"\n", info->paddr);
return info->paddr;
}
/* returns a windows PE export from an RVA*/
char*
windows_rva_to_export(
vmi_instance_t vmi,
addr_t rva,
addr_t base_vaddr,
vmi_pid_t pid)
{
struct export_table et;
addr_t et_rva;
size_t et_size;
int aon_index = -1;
int aof_index = -1;
char* symbol = NULL;
// get export table structure
if (peparse_get_export_table(vmi, base_vaddr, pid, &et, &et_rva, &et_size) != VMI_SUCCESS) {
dbprint(VMI_DEBUG_MISC, "--PEParse: failed to get export table\n");
return NULL;
}
if(rva>=et_rva && rva < et_rva+et_size) {
dbprint(VMI_DEBUG_MISC, "--PEParse: symbol @ %u:0x%"PRIx64" is forwarded\n", pid, base_vaddr+rva);
return NULL;
}
addr_t base1 = base_vaddr + et.address_of_names;
addr_t base2 = base_vaddr + et.address_of_name_ordinals;
addr_t base3 = base_vaddr + et.address_of_functions;
uint32_t i = 0;
for (; i < et.number_of_functions; ++i) {
uint32_t name_rva = 0;
uint16_t ordinal = 0;
uint32_t loc = 0;
if(VMI_FAILURE==vmi_read_16_va(vmi, base2 + i * sizeof(uint16_t), pid, &ordinal))
continue;
if(VMI_FAILURE==vmi_read_32_va(vmi, base3 + ordinal + sizeof(uint32_t), pid, &loc))
continue;
if(loc==rva) {
if(i < et.number_of_names && VMI_SUCCESS==vmi_read_32_va(vmi, base1 + i * sizeof(uint32_t), pid, &name_rva) && name_rva) {
symbol = rva_to_string(vmi, (addr_t)name_rva, base_vaddr, pid);
return symbol;
}
dbprint(VMI_DEBUG_MISC, "--PEParse: symbol @ %u:0x%"PRIx64" is exported by ordinal only\n", pid, base_vaddr+rva);
break;
}
}
return NULL;
}
status_t
windows_kernel_symbol_to_address(
vmi_instance_t vmi,
const char *symbol,
addr_t *kernel_base_address,
addr_t *address)
{
/* see if we have a cr3 value */
reg_t cr3 = 0;
windows_instance_t windows = vmi->os_data;
if (vmi->os_data == NULL) {
return VMI_FAILURE;
}
if (vmi->kpgd) {
cr3 = vmi->kpgd;
}
else {
driver_get_vcpureg(vmi, &cr3, CR3, 0);
}
dbprint("--windows symbol lookup (%s)\n", symbol);
if (kernel_base_address) {
*kernel_base_address = windows->ntoskrnl_va;
}
/* check kpcr if we have a cr3 */
if ( /*cr3 && */ VMI_SUCCESS ==
windows_kpcr_lookup(vmi, symbol, address)) {
dbprint("--got symbol from kpcr (%s --> 0x%"PRIx64").\n", symbol,
*address);
return VMI_SUCCESS;
}
dbprint("--kpcr lookup failed, trying kernel PE export table\n");
/* check exports */
if (VMI_SUCCESS
== windows_export_to_rva(vmi, windows->ntoskrnl_va, 0, symbol,
address)) {
addr_t rva = *address;
*address = windows->ntoskrnl_va + rva;
dbprint("--got symbol from PE export table (%s --> 0x%.16"PRIx64").\n",
symbol, *address);
return VMI_SUCCESS;
}
dbprint("--kernel PE export table failed, nothing left to try\n");
return VMI_FAILURE;
}
status_t vmi_clear_event (vmi_instance_t vmi,
vmi_event_t* event)
{
status_t rc = VMI_FAILURE;
uint32_t vcpu = 0;
if(!(vmi->init_mode & VMI_INIT_EVENTS)){
return VMI_FAILURE;
}
switch(event->type) {
case VMI_EVENT_SINGLESTEP:
for(;vcpu<vmi->num_vcpus;vcpu++) {
if(CHECK_VCPU_SINGLESTEP(event->ss_event, vcpu)) {
dbprint("Disabling single step on vcpu: %u\n", vcpu);
rc = driver_stop_single_step(vmi, vcpu);
if(!vmi->shutting_down && rc==VMI_SUCCESS) {
g_hash_table_remove(vmi->ss_events, &(vcpu));
}
}
}
break;
case VMI_EVENT_REGISTER:
if(NULL!=g_hash_table_lookup(vmi->reg_events, &(event->reg_event.reg))) {
dbprint("Disabling register event on reg: %d\n",
event->reg_event.reg);
event->reg_event.in_access = VMI_REG_N;
rc = driver_set_reg_access(vmi, event->reg_event);
if(!vmi->shutting_down && rc==VMI_SUCCESS) {
g_hash_table_remove(vmi->reg_events, &(event->reg_event.reg));
}
}
break;
case VMI_EVENT_MEMORY:
if(NULL!=g_hash_table_lookup(vmi->mem_events, &(event->mem_event.page))) {
dbprint("Disabling memory event on page: %"PRIu64"\n",
event->mem_event.page);
event->mem_event.in_access = VMI_MEM_N;
rc = driver_set_mem_access(vmi, event->mem_event);
if(!vmi->shutting_down && rc==VMI_SUCCESS) {
g_hash_table_remove(vmi->mem_events, &(event->mem_event.page));
}
}
break;
default:
errprint("Cannot clear unknown event: %d\n", event->type);
return VMI_FAILURE;
}
return rc;
}
int main(void) {
// Initialize the UART,Timers, and I2C1v
Board_init();
Board_configure(USE_SERIAL | USE_LCD | USE_TIMER);
dbprint("Check encoder addr\n");
I2C_init(ENCODER_I2C_ID, I2C_CLOCK_FREQ);
uint8_t pitchAddress = readDevice(SLAVE_PITCH_READ_ADDRESS,
SLAVE_PITCH_WRITE_ADDRESS, READ_DIAGNOSTIC_ADDRESS);
uint8_t yawAddress = readDevice(SLAVE_YAW_READ_ADDRESS,
SLAVE_YAW_WRITE_ADDRESS, READ_DIAGNOSTIC_ADDRESS);
dbprint("Pitch=0x%X\nYaw=0x%X\n",pitchAddress, yawAddress);
return SUCCESS;
}
/* returns the rva value for a windows PE export */
status_t
windows_export_to_rva(
vmi_instance_t vmi,
const access_context_t *ctx,
const char *symbol,
addr_t *rva)
{
struct export_table et;
addr_t et_rva;
size_t et_size;
int aon_index = -1;
int aof_index = -1;
// get export table structure
if (peparse_get_export_table(vmi, ctx, &et, &et_rva, &et_size) != VMI_SUCCESS) {
dbprint(VMI_DEBUG_PEPARSE, "--PEParse: failed to get export table\n");
return VMI_FAILURE;
}
// find AddressOfNames index for export symbol
aon_index = get_aon_index(vmi, symbol, &et, ctx);
if ( -1 == aon_index ) {
dbprint(VMI_DEBUG_PEPARSE, "--PEParse: failed to get aon index\n");
return VMI_FAILURE;
}
// find AddressOfFunctions index for export symbol
aof_index = get_aof_index(vmi, aon_index, &et, ctx);
if ( -1 == aof_index ) {
dbprint(VMI_DEBUG_PEPARSE, "--PEParse: failed to get aof index\n");
return VMI_FAILURE;
}
// find RVA value for export symbol
if (VMI_SUCCESS==get_export_rva(vmi, rva, aof_index, &et, ctx)) {
// handle forwarded functions
// If the function's RVA is inside the exports section (as given by the
// VirtualAddress and Size fields in the idd), the symbol is forwarded.
if (*rva>=et_rva && *rva < et_rva+et_size) {
dbprint(VMI_DEBUG_PEPARSE, "--PEParse: %s @ 0x%p is forwarded\n", symbol, ctx);
return VMI_FAILURE;
} else {
return VMI_SUCCESS;
}
} else {
return VMI_FAILURE;
}
}
/* returns the rva value for a windows PE export */
status_t
windows_export_to_rva(
vmi_instance_t vmi,
addr_t base_vaddr,
vmi_pid_t pid,
const char *symbol,
addr_t *rva)
{
struct export_table et;
addr_t et_rva;
size_t et_size;
int aon_index = -1;
int aof_index = -1;
// get export table structure
if (peparse_get_export_table(vmi, base_vaddr, pid, &et, &et_rva, &et_size) != VMI_SUCCESS) {
dbprint(VMI_DEBUG_MISC, "--PEParse: failed to get export table\n");
return VMI_FAILURE;
}
// find AddressOfNames index for export symbol
if ((aon_index = get_aon_index(vmi, symbol, &et, base_vaddr, pid)) == -1) {
dbprint(VMI_DEBUG_MISC, "--PEParse: failed to get aon index\n");
return VMI_FAILURE;
}
// find AddressOfFunctions index for export symbol
if ((aof_index = get_aof_index(vmi, aon_index, &et, base_vaddr, pid)) == -1) {
dbprint(VMI_DEBUG_MISC, "--PEParse: failed to get aof index\n");
return VMI_FAILURE;
}
// find RVA value for export symbol
if(VMI_SUCCESS==get_export_rva(vmi, rva, aof_index, &et, base_vaddr, pid)) {
// handle forwarded functions
// If the function's RVA is inside the exports section (as given by the
// VirtualAddress and Size fields in the idd), the symbol is forwarded.
if(*rva>=et_rva && *rva < et_rva+et_size) {
dbprint(VMI_DEBUG_MISC, "--PEParse: %s @ %u:0x%"PRIx64" is forwarded\n", symbol, pid, base_vaddr);
return VMI_FAILURE;
} else {
return VMI_SUCCESS;
}
} else {
return VMI_FAILURE;
}
}
/* convert a VA into a symbol */
const char* vmi_translate_v2ksym(vmi_instance_t vmi, const access_context_t *ctx, addr_t va)
{
char *ret = NULL;
addr_t dtb = 0;
switch(ctx->translate_mechanism) {
case VMI_TM_PROCESS_PID:
if ( VMI_FAILURE == vmi_pid_to_dtb(vmi, ctx->pid, &dtb) )
return NULL;
break;
case VMI_TM_PROCESS_DTB:
dtb = ctx->dtb;
break;
default:
dbprint(VMI_DEBUG_MISC, "v2ksym only supported in a virtual context!\n");
return NULL;
};
if (VMI_FAILURE == rva_cache_get(vmi, ctx->addr, dtb, va, &ret)) {
if (vmi->os_interface && vmi->os_interface->os_v2ksym) {
ret = vmi->os_interface->os_v2ksym(vmi, va, ctx);
}
if (ret) {
rva_cache_set(vmi, ctx->addr, dtb, va, ret);
}
}
return ret;
}
/* convert a symbol into an address */
status_t vmi_translate_sym2v (vmi_instance_t vmi, const access_context_t *ctx, const char *symbol, addr_t *vaddr)
{
status_t status;
addr_t rva = 0;
addr_t address = 0;
addr_t dtb = 0;
switch(ctx->translate_mechanism) {
case VMI_TM_PROCESS_PID:
if ( VMI_FAILURE == vmi_pid_to_dtb(vmi, ctx->pid, &dtb) )
return VMI_FAILURE;
break;
case VMI_TM_PROCESS_DTB:
dtb = ctx->dtb;
break;
default:
dbprint(VMI_DEBUG_MISC, "sym2v only supported in a virtual context!\n");
return VMI_FAILURE;
};
status = sym_cache_get(vmi, ctx->addr, dtb, symbol, &address);
if( VMI_FAILURE == status) {
if (vmi->os_interface && vmi->os_interface->os_usym2rva) {
status = vmi->os_interface->os_usym2rva(vmi, ctx, symbol, &rva);
if ( VMI_SUCCESS == status ) {
address = canonical_addr(ctx->addr + rva);
sym_cache_set(vmi, ctx->addr, dtb, symbol, address);
}
}
}
*vaddr = address;
return status;
}
void
v2p_cache_flush(
vmi_instance_t vmi)
{
g_hash_table_remove_all(vmi->v2p_cache);
dbprint(VMI_DEBUG_V2PCACHE, "--V2P cache flushed\n");
}
void
rva_cache_flush(
vmi_instance_t vmi)
{
g_hash_table_remove_all(vmi->rva_cache);
dbprint(VMI_DEBUG_RVACACHE, "--RVA cache flushed\n");
}
status_t
rva_cache_del(
vmi_instance_t vmi,
addr_t base_addr,
addr_t dtb,
addr_t rva)
{
status_t ret=VMI_FAILURE;
GHashTable *rva_table=NULL;
struct key_128 local_key;
key_128_t key = &local_key;
key_128_init(vmi, key, (uint64_t)base_addr, (uint64_t)dtb);
if ((rva_table = g_hash_table_lookup(vmi->rva_cache, key)) == NULL) {
return ret;
}
dbprint(VMI_DEBUG_RVACACHE, "--RVA cache del 0x%.16"PRIx64":0x%.16"PRIx64":0x%.16"PRIx64"\n",
dtb, base_addr, rva);
if (TRUE == g_hash_table_remove(rva_table, GUINT_TO_POINTER(rva))) {
ret=VMI_SUCCESS;
if(!g_hash_table_size(rva_table)) {
g_hash_table_remove(vmi->rva_cache, key);
}
}
return ret;
}
status_t
rva_cache_get(
vmi_instance_t vmi,
addr_t base_addr,
addr_t dtb,
addr_t rva,
char **sym)
{
status_t ret=VMI_FAILURE;
GHashTable *rva_table = NULL;
sym_cache_entry_t entry = NULL;
struct key_128 local_key;
key_128_t key = &local_key;
key_128_init(vmi, key, (uint64_t)base_addr, (uint64_t)dtb);
if ((rva_table = g_hash_table_lookup(vmi->rva_cache, key)) == NULL) {
return ret;
}
if ((entry = g_hash_table_lookup(rva_table, GUINT_TO_POINTER(rva))) != NULL) {
entry->last_used = time(NULL);
*sym = entry->sym;
dbprint(VMI_DEBUG_RVACACHE, "--RVA cache hit 0x%.16"PRIx64":0x%.16"PRIx64":%s -- 0x%.16"PRIx64"\n",
dtb, base_addr, *sym, rva);
ret=VMI_SUCCESS;
}
return ret;
}
status_t
sym_cache_del(
vmi_instance_t vmi,
addr_t base_addr,
vmi_pid_t pid,
char *sym)
{
status_t ret=VMI_FAILURE;
GHashTable *symbol_table=NULL;
struct key_128 local_key;
key_128_t key = &local_key;
key_128_init(vmi, key, (uint64_t)base_addr, (uint64_t)pid);
if ((symbol_table = g_hash_table_lookup(vmi->sym_cache, key)) == NULL) {
return ret;
}
dbprint(VMI_DEBUG_SYMCACHE, "--SYM cache del %u:0x%.16"PRIx64":%s\n", pid, base_addr, sym);
if (TRUE == g_hash_table_remove(symbol_table, sym)) {
ret=VMI_SUCCESS;
if(!g_hash_table_size(symbol_table)) {
g_hash_table_remove(vmi->sym_cache, key);
}
}
return ret;
}
void
sym_cache_set(
vmi_instance_t vmi,
addr_t base_addr,
vmi_pid_t pid,
const char *sym,
addr_t va)
{
GHashTable *symbol_table = NULL;
sym_cache_entry_t entry = sym_cache_entry_create(sym, va, base_addr, pid);
char* sym_dup = NULL;
key_128_t key = key_128_build(vmi, (uint64_t)base_addr, (uint64_t)pid);
symbol_table = g_hash_table_lookup(vmi->sym_cache, key);
if (symbol_table == NULL) {
symbol_table = g_hash_table_new_full(g_str_hash, g_str_equal, g_free,
sym_cache_entry_free);
g_hash_table_insert(vmi->sym_cache, key, symbol_table);
} else {
free(key);
}
sym_dup = strndup(sym, 100);
g_hash_table_insert(symbol_table, sym_dup, entry);
dbprint(VMI_DEBUG_SYMCACHE, "--SYM cache set %s -- 0x%.16"PRIx64"\n", sym, va);
}
status_t
sym_cache_get(
vmi_instance_t vmi,
addr_t base_addr,
vmi_pid_t pid,
const char *sym,
addr_t *va)
{
status_t ret=VMI_FAILURE;
GHashTable *symbol_table = NULL;
sym_cache_entry_t entry = NULL;
struct key_128 local_key;
key_128_t key = &local_key;
key_128_init(vmi, key, (uint64_t)base_addr, (uint64_t)pid);
if ((symbol_table = g_hash_table_lookup(vmi->sym_cache, key)) == NULL) {
return ret;
}
if ((entry = g_hash_table_lookup(symbol_table, sym)) != NULL) {
entry->last_used = time(NULL);
*va = entry->va;
dbprint(VMI_DEBUG_SYMCACHE, "--SYM cache hit %u:0x%.16"PRIx64":%s -- 0x%.16"PRIx64"\n", pid, base_addr, sym, *va);
ret=VMI_SUCCESS;
}
return ret;
}
void *
server_thread(void *parm_ptr)
{
#define PARMPTR ((struct serverParm *) parm_ptr)
int recievedMsgLen;
char msgBuf[1025];
char msgRet[1025];
if (PARMPTR->connection_desc < 0) {
printf("Accept failed\n");
return (0); /* Exit thread */
}
/* Receive messages from sender... */
while ((recievedMsgLen = read(PARMPTR->connection_desc, msgBuf, sizeof(msgBuf) - 1)) > 0) {
recievedMsgLen[msgBuf] = '\0';
handleMessage(msgBuf, msgRet);
if (write(PARMPTR->connection_desc, msgRet, sizeof(msgRet)) < 0) {
perror("Server: write error");
return (0);
}
}
dbprint("%s", "server_thread return\n");
close(PARMPTR->connection_desc); /* Avoid descriptor leaks */
free(PARMPTR); /* And memory leaks */
return (0); /* Exit thread */
}
status_t vmi_translate_uv2p (vmi_instance_t vmi, addr_t virt_address, vmi_pid_t pid, addr_t *paddr)
{
status_t ret = VMI_FAILURE;
addr_t dtb = 0;
if ( VMI_FAILURE == vmi_pid_to_dtb(vmi, pid, &dtb) || !dtb ) {
dbprint(VMI_DEBUG_PTLOOKUP, "--early bail on v2p lookup because dtb not found\n");
return VMI_FAILURE;
}
ret = vmi_pagetable_lookup_cache(vmi, dtb, virt_address, paddr);
if ( VMI_FAILURE == ret) {
if ( VMI_FAILURE == pid_cache_del(vmi, pid) )
return VMI_FAILURE;
ret = vmi_pid_to_dtb(vmi, pid, &dtb);
if (VMI_SUCCESS == ret) {
page_info_t info = {0};
/* _extended() skips the v2p_cache lookup that must have already failed */
ret = vmi_pagetable_lookup_extended(vmi, dtb, virt_address, &info);
if ( VMI_SUCCESS == ret )
*paddr = info.paddr;
}
}
return ret;
}
void
handleMessage(const char *msgBuf, char *msgRet)
{
int cmd = 0;
char param1[512], param2[512];
bzero(param1, sizeof(param1));
bzero(param2, sizeof(param2));
bzero(msgRet, sizeof(msgRet));
dbprint("handle buf: %s\n", msgBuf);
sscanf(msgBuf, "%d\t%s\t%s\n", &cmd, param1, param2);
switch (cmd) {
case ORG_IP:
//params: process handle(created and saved), orginal ip
saveProcesssIp(param1, param2, msgRet);
break;
case NEW_IP:
//params: process handle(read from settings), new ip
// return: original ip
getProcesssIp(param1, param2, msgRet);
break;
default:
sprintf(msgRet, "NACK");
break;
}
}
void
sym_cache_flush(
vmi_instance_t vmi)
{
g_hash_table_remove_all(vmi->sym_cache);
dbprint(VMI_DEBUG_SYMCACHE, "--SYM cache flushed\n");
}
static check_magic_func
get_check_magic_func(
vmi_instance_t vmi)
{
check_magic_func rtn = NULL;
if (vmi->os_data == NULL) {
return &check_magic_unknown;
}
switch (((windows_instance_t)vmi->os_data)->version) {
case VMI_OS_WINDOWS_2000:
case VMI_OS_WINDOWS_XP:
case VMI_OS_WINDOWS_2003:
rtn = &check_magic_2k;
break;
case VMI_OS_WINDOWS_VISTA:
rtn = &check_magic_vista;
break;
case VMI_OS_WINDOWS_7:
rtn = &check_magic_7;
break;
case VMI_OS_WINDOWS_2008:
case VMI_OS_WINDOWS_UNKNOWN:
rtn = &check_magic_unknown;
break;
default:
rtn = &check_magic_unknown;
dbprint
(VMI_DEBUG_MISC, "--%s: illegal value in vmi->os.windows_instance.version\n",
__FUNCTION__);
break;
}
return rtn;
}
void
pid_cache_flush(
vmi_instance_t vmi)
{
g_hash_table_remove_all(vmi->pid_cache);
dbprint(VMI_DEBUG_PIDCACHE, "--PID cache flushed\n");
}