bool init_plugin(void *self) {
panda_cb pcb;
printf("Initializing plugin memstrings\n");
panda_arg_list *args = panda_get_args("memstrings");
const char *prefix = panda_parse_string(args, "name", "memstrings");
min_strlen = panda_parse_ulong(args, "len", 4);
char matchfile[128] = {};
sprintf(matchfile, "%s_strings.txt.gz", prefix);
mem_report = gzopen(matchfile, "w");
if(!mem_report) {
printf("Couldn't write report:\n");
perror("fopen");
return false;
}
// Need this to get EIP with our callbacks
panda_enable_precise_pc();
// Enable memory logging
panda_enable_memcb();
pcb.virt_mem_write = mem_write_callback;
panda_register_callback(self, PANDA_CB_VIRT_MEM_WRITE, pcb);
pcb.virt_mem_read = mem_read_callback;
panda_register_callback(self, PANDA_CB_VIRT_MEM_READ, pcb);
return true;
}
bool init_plugin(void *self) {
printf("Initializing taint plugin\n");
plugin_ptr = self;
panda_cb pcb;
panda_enable_memcb();
panda_disable_tb_chaining();
pcb.guest_hypercall = guest_hypercall_callback;
panda_register_callback(self, PANDA_CB_GUEST_HYPERCALL, pcb);
pcb.before_block_exec_invalidate_opt = before_block_exec_invalidate_opt;
panda_register_callback(self, PANDA_CB_BEFORE_BLOCK_EXEC_INVALIDATE_OPT, pcb);
/*
pcb.replay_handle_packet = handle_packet;
panda_register_callback(plugin_ptr, PANDA_CB_REPLAY_HANDLE_PACKET, pcb);
*/
panda_arg_list *args = panda_get_args("taint2");
tainted_pointer = !panda_parse_bool(args, "no_tp");
inline_taint = panda_parse_bool(args, "inline");
if (inline_taint) {
printf("taint2: Inlining taint ops by default.\n");
} else {
printf("taint2: Instructed not to inline taint ops.\n");
}
if (panda_parse_bool(args, "binary")) mode = TAINT_BINARY_LABEL;
if (panda_parse_bool(args, "word")) granularity = TAINT_GRANULARITY_WORD;
optimize_llvm = panda_parse_bool(args, "opt");
panda_require("callstack_instr");
assert(init_callstack_instr_api());
return true;
}
bool init_plugin(void *self) {
#if defined(TARGET_I386)
if (cs_open(CS_ARCH_X86, CS_MODE_32, &cs_handle_32) != CS_ERR_OK)
#if defined(TARGET_X86_64)
if (cs_open(CS_ARCH_X86, CS_MODE_64, &cs_handle_64) != CS_ERR_OK)
#endif
#elif defined(TARGET_ARM)
if (cs_open(CS_ARCH_ARM, CS_MODE_ARM, &cs_handle_32) != CS_ERR_OK)
#elif defined(TARGET_PPC)
if (cs_open(CS_ARCH_PPC, CS_MODE_32, &cs_handle_32) != CS_ERR_OK)
#endif
return false;
// Need details in capstone to have instruction groupings
cs_option(cs_handle_32, CS_OPT_DETAIL, CS_OPT_ON);
#if defined(TARGET_X86_64)
cs_option(cs_handle_64, CS_OPT_DETAIL, CS_OPT_ON);
#endif
panda_cb pcb;
panda_enable_memcb();
panda_enable_precise_pc();
pcb.after_block_translate = after_block_translate;
panda_register_callback(self, PANDA_CB_AFTER_BLOCK_TRANSLATE, pcb);
pcb.after_block_exec = after_block_exec;
panda_register_callback(self, PANDA_CB_AFTER_BLOCK_EXEC, pcb);
pcb.before_block_exec = before_block_exec;
panda_register_callback(self, PANDA_CB_BEFORE_BLOCK_EXEC, pcb);
return true;
}
bool init_plugin(void *self) {
printf("Initializing taint plugin\n");
plugin_ptr = self;
panda_cb pcb;
panda_enable_memcb();
panda_disable_tb_chaining();
pcb.guest_hypercall = guest_hypercall_callback;
panda_register_callback(self, PANDA_CB_GUEST_HYPERCALL, pcb);
#ifndef CONFIG_SOFTMMU
pcb.user_after_syscall = user_after_syscall;
panda_register_callback(self, PANDA_CB_USER_AFTER_SYSCALL, pcb);
#endif
return true;
}
bool init_plugin(void *self) {
panda_cb pcb;
printf("Initializing plugin tapindex\n");
// Need this to get EIP with our callbacks
panda_enable_precise_pc();
// Enable memory logging
panda_enable_memcb();
pcb.virt_mem_read = mem_read_callback;
panda_register_callback(self, PANDA_CB_VIRT_MEM_READ, pcb);
pcb.virt_mem_write = mem_write_callback;
panda_register_callback(self, PANDA_CB_VIRT_MEM_WRITE, pcb);
return true;
}
bool init_plugin(void *self) {
panda_cb pcb;
printf("Initializing plugin correlatetaps\n");
if(!init_callstack_instr_api()) return false;
// Need this to get EIP with our callbacks
panda_enable_precise_pc();
// Enable memory logging
panda_enable_memcb();
pcb.virt_mem_write = mem_write_callback;
panda_register_callback(self, PANDA_CB_VIRT_MEM_WRITE, pcb);
return true;
}
bool init_plugin(void *self) {
printf("Initializing plugin llvm_trace\n");
// Look for llvm_trace:base=dir
for (int i = 0; i < panda_argc; i++) {
if(0 == strncmp(panda_argv[i], "llvm_trace", 10)) {
basedir = strrchr(panda_argv[i], '=');
if (basedir) basedir++; // advance past '='
}
}
if (basedir == NULL) {
basedir = default_basedir;
}
if (tubtf_on) {
char tubtf_path[256];
strcpy(tubtf_path, basedir);
strcat(tubtf_path, "/tubtf.log");
tubtf_open(tubtf_path, TUBTF_COLW_64);
panda_enable_precise_pc();
}
else {
// XXX: unsafe string manipulations
char memlog_path[256];
char funclog_path[256];
strcpy(memlog_path, basedir);
strcat(memlog_path, "/llvm-memlog.log");
open_memlog(memlog_path);
strcpy(funclog_path, basedir);
strcat(funclog_path, "/llvm-functions.log");
funclog = fopen(funclog_path, "w");
}
panda_cb pcb;
panda_enable_memcb();
pcb.before_block_exec = before_block_exec;
panda_register_callback(self, PANDA_CB_BEFORE_BLOCK_EXEC, pcb);
pcb.after_block_exec = after_block_exec;
panda_register_callback(self, PANDA_CB_AFTER_BLOCK_EXEC, pcb);
pcb.phys_mem_read = phys_mem_read_callback;
panda_register_callback(self, PANDA_CB_PHYS_MEM_READ, pcb);
pcb.phys_mem_write = phys_mem_write_callback;
panda_register_callback(self, PANDA_CB_PHYS_MEM_WRITE, pcb);
pcb.cb_cpu_restore_state = cb_cpu_restore_state;
panda_register_callback(self, PANDA_CB_CPU_RESTORE_STATE, pcb);
#ifndef CONFIG_SOFTMMU
pcb.user_after_syscall = user_after_syscall;
panda_register_callback(self, PANDA_CB_USER_AFTER_SYSCALL, pcb);
#endif
if (!execute_llvm){
panda_enable_llvm();
}
llvm::llvm_init();
panda_enable_llvm_helpers();
/*
* Run instrumentation pass over all helper functions that are now in the
* module, and verify module.
*/
llvm::Module *mod = tcg_llvm_ctx->getModule();
for (llvm::Module::iterator i = mod->begin(); i != mod->end(); i++){
if (i->isDeclaration()){
continue;
}
PIFP->runOnFunction(*i);
}
std::string err;
if(verifyModule(*mod, llvm::AbortProcessAction, &err)){
printf("%s\n", err.c_str());
exit(1);
}
return true;
}
bool init_plugin(void *self) {
printf("Initializing taint plugin\n");
plugin_ptr = self;
panda_cb pcb;
panda_enable_memcb();
panda_disable_tb_chaining();
pcb.guest_hypercall = guest_hypercall_callback;
panda_register_callback(self, PANDA_CB_GUEST_HYPERCALL, pcb);
pcb.replay_handle_packet = handle_packet;
panda_register_callback(plugin_ptr, PANDA_CB_REPLAY_HANDLE_PACKET, pcb);
#ifndef CONFIG_SOFTMMU
pcb.user_after_syscall = user_after_syscall;
panda_register_callback(self, PANDA_CB_USER_AFTER_SYSCALL, pcb);
#endif
tob_io_thread = tob_new(tob_io_thread_max_size);
panda_arg_list *args = panda_get_args("taint");
int i;
if (NULL != args) {
for (i = 0; i < args->nargs; i++) {
if (0 == strncmp(args->list[i].key, "max_taintset_card", 17)) {
max_taintset_card = atoi(args->list[i].value);
printf ("max_taintset_card = %d\n", max_taintset_card);
}
if (0 == strncmp(args->list[i].key, "max_taintset_compute_number", 24)) {
max_taintset_compute_number = atoi(args->list[i].value);
printf ("max_taintset_compute_number = %d\n", max_taintset_compute_number);
}
if (0 == strncmp(args->list[i].key, "compute_is_delete", 17)) {
compute_is_delete = 1;
}
if (0 == strncmp(args->list[i].key, "label_incoming_network", 22)) {
taint_label_incoming_network_traffic = 1;
}
if (0 == strncmp(args->list[i].key, "query_outgoing_network", 22)) {
taint_query_outgoing_network_traffic = 1;
}
if (0 == strncmp(args->list[i].key, "no_tainted_pointer", 18)) {
tainted_pointer = 0;
}
if (0 == strncmp(args->list[i].key, "label_mode", 10)) {
if (0 == strncmp(args->list[i].value, "binary", 6)){
taint_label_mode = TAINT_BINARY_LABEL;
}
else if (0 == strncmp(args->list[i].value, "byte", 4)){
taint_label_mode = TAINT_BYTE_LABEL;
}
else {
printf("Invalid taint label_mode. Using default byte label.\n");
taint_label_mode = TAINT_BYTE_LABEL;
}
}
if (0 == strncmp (args->list[i].key, "tainted_instructions", 20)) {
tainted_instructions = 1;
}
}
}
if (taint_label_mode == TAINT_BYTE_LABEL){
printf("Taint: running in byte labeling mode.\n");
}
else if (taint_label_mode == TAINT_BINARY_LABEL){
printf("Taint: running in binary labeling mode.\n");
}
printf ("max_taintset_card = %d\n", max_taintset_card);
printf ("max_taintset_compute_number = %d\n", max_taintset_compute_number);
printf ("taint_label_incoming_network_traffic = %d\n",
taint_label_incoming_network_traffic);
printf ("taint_query_outgoing_network_traffic = %d\n",
taint_query_outgoing_network_traffic);
printf ("tainted_pointer = %d\n", tainted_pointer);
printf ("compute_is_delete = %d\n", compute_is_delete);
printf ("done initializing taint plugin\n");
return true;
}
bool init_plugin(void *self) {
printf("Initializing taint plugin\n");
panda_cb pcb;
panda_enable_memcb();
panda_disable_tb_chaining();
pcb.before_block_exec = before_block_exec;
panda_register_callback(self, PANDA_CB_BEFORE_BLOCK_EXEC, pcb);
pcb.after_block_exec = after_block_exec;
panda_register_callback(self, PANDA_CB_AFTER_BLOCK_EXEC, pcb);
pcb.phys_mem_read = phys_mem_read_callback;
panda_register_callback(self, PANDA_CB_PHYS_MEM_READ, pcb);
pcb.phys_mem_write = phys_mem_write_callback;
panda_register_callback(self, PANDA_CB_PHYS_MEM_WRITE, pcb);
pcb.cb_cpu_restore_state = cb_cpu_restore_state;
panda_register_callback(self, PANDA_CB_CPU_RESTORE_STATE, pcb);
pcb.guest_hypercall = guest_hypercall_callback;
panda_register_callback(self, PANDA_CB_GUEST_HYPERCALL, pcb);
#ifndef CONFIG_SOFTMMU
pcb.user_after_syscall = user_after_syscall;
panda_register_callback(self, PANDA_CB_USER_AFTER_SYSCALL, pcb);
#endif
if (!execute_llvm){
panda_enable_llvm();
}
llvm::llvm_init();
panda_enable_llvm_helpers();
/*
* Run instrumentation pass over all helper functions that are now in the
* module, and verify module.
*/
llvm::Module *mod = tcg_llvm_ctx->getModule();
for (llvm::Module::iterator i = mod->begin(); i != mod->end(); i++){
if (i->isDeclaration()){
continue;
}
PIFP->runOnFunction(*i);
}
std::string err;
if(verifyModule(*mod, llvm::AbortProcessAction, &err)){
printf("%s\n", err.c_str());
exit(1);
}
/*
* Taint processor initialization
*/
//uint32_t ram_size = 536870912; // 500MB each
#ifdef TARGET_X86_64
// this is only for the fast bitmap which we currently aren't using for
// 64-bit, it only supports 32-bit
uint64_t ram_size = 0;
#else
uint32_t ram_size = 0xffffffff; //guest address space -- QEMU user mode
#endif
uint64_t hd_size = 536870912;
uint64_t io_size = 536870912;
uint16_t num_vals = 2000; // LLVM virtual registers
shadow = tp_init(hd_size, ram_size, io_size, num_vals);
if (shadow == NULL){
printf("Error initializing shadow memory...\n");
exit(1);
}
taintfpm = new llvm::FunctionPassManager(tcg_llvm_ctx->getModule());
// Add the taint analysis pass to our taint pass manager
llvm::FunctionPass *taintfp =
llvm::createPandaTaintFunctionPass(15*1048576/* global taint op buffer
size, 10MB */, NULL /* existing taint cache */);
PTFP = static_cast<llvm::PandaTaintFunctionPass*>(taintfp);
taintfpm->add(taintfp);
taintfpm->doInitialization();
// Populate taint cache with helper function taint ops
for (llvm::Module::iterator i = mod->begin(); i != mod->end(); i++){
if (i->isDeclaration()){
continue;
}
PTFP->runOnFunction(*i);
}
return true;
}
