/*
 * One-shot return hook.
 *
 * opaque points to a heap-allocated uint32_t that stores this hook's own
 * handle.  The hook unregisters itself, releases that allocation, and then
 * clears taint on ESP.
 */
static void alloca_probe_ret(void *opaque)
{
    uint32_t *hook_id = opaque;

    /* Unregister first: the handle is read from the storage freed below. */
    hookapi_remove_hook(*hook_id);
    free(hook_id);

    /* NOTE(review): arguments look like (register, offset, size) - confirm
     * against the declaration of taintcheck_reg_clean. */
    taintcheck_reg_clean(R_ESP, 0, 4);
}
/*
 * Conditional-start hook.
 *
 * When the current CR3 equals the monitored CR3, sets
 * tracing_start_condition and unregisters the hook stored in
 * cond_func_hook_handle.  Hits with any other CR3 are ignored and the hook
 * stays installed.  Always returns 0; opaque is unused.
 */
int tc_address_hook(void *opaque)
{
    /* Not the monitored CR3: leave the hook armed for a later hit. */
    if (temu_plugin->monitored_cr3 != TEMU_cpu_cr[3]) {
        return 0;
    }

    tracing_start_condition = 1;

    /* remove the hook */
    hookapi_remove_hook(cond_func_hook_handle);
    return 0;
}
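/*
 * Return hook for getsockname (executed after the return instruction).
 *
 * opaque is the getsockname_t used to pass information from the call hook
 * to this return hook; this function owns it and frees it on every path.
 * The hook logs the length and the address structure that were written to
 * guest memory and taints the port and address bytes.
 *
 * Everything read here (EAX, the length, the sockaddr contents) comes from
 * the guest and must be treated as untrusted input.
 *
 * Always returns 0.
 */
static int getsockname_ret(void *opaque)
{
    /* Running taint offset, shared across all invocations of this hook. */
    static int offset = 0;

    getsockname_t *s = (getsockname_t *)opaque;
    struct sockaddr_in addrData;
    /* Start empty so the log line stays well-defined if inet_ntop fails. */
    char addrStr[INET_ADDRSTRLEN] = "";
    uint32_t bufRealLen = 0;
    uint32_t eax = 0;

    /* Remove return hook */
    hookapi_remove_hook(s->hook_handle);

    /* Check return value -> status; non-zero means the call failed. */
    read_reg(eax_reg, &eax);
    if (eax != 0)
        goto out;

    /* Read size of address structure */
    if (read_mem(s->bufLenPtr, 4, (unsigned char *)&bufRealLen)) {
        WRITE ("tracenetlog","\tCould not get number of bytes written\n");
        goto out;
    }
    WRITE ("tracenetlog","\tNumBytesWritten: %u\n",bufRealLen);

    /*
     * Read the address structure.
     * NOTE(review): the fixed 16 assumes the host's struct sockaddr_in is at
     * least 16 bytes - confirm for every supported host.
     */
    if (read_mem(s->bufStart, 16, (unsigned char *)&addrData))
        goto out;

    /* Print the address structure */
    inet_ntop(AF_INET, &addrData.sin_addr, addrStr, sizeof(addrStr));
    WRITE ("tracenetlog","\tFamily: %d Port: %u Address: %s\n",
           addrData.sin_family, ntohs(addrData.sin_port), addrStr);

    /*
     * Taint address structure: 6 bytes starting 2 bytes into the buffer
     * (sin_port followed by sin_addr).
     * NOTE(review): the guest-reported length is only checked for > 0, so
     * the 6 tainted bytes may extend past what the call actually wrote when
     * bufRealLen < 8 - confirm this is intended.
     */
    if (bufRealLen > 0) {
        hook_taint_record_t tr;
        tr.source = TAINT_SOURCE_API_SOCK_INFO_IN;
        tr.origin = GETSOCKNAME_ORIGIN;
        tr.offset = offset;
        taint_mem(s->bufStart+2, 6, (void *)&tr);
    }

    /* Increment the taint offset (done even when nothing was tainted). */
    offset += 6;

out:
    /*
     * Free structure used to pass info between call and return hooks.
     * The hook has already been removed, so this is the last chance to
     * release it; the early exits above used to return without freeing.
     */
    free(s);
    return 0;
}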
/*
 * Return hook for VirtualAlloc.
 *
 * param is the heap-allocated context passed in by the call hook (this hook
 * reuses the NtCreateFile_hook_context_t type).  Logs two saved stack slots
 * as lpAddress and dwSize together with the current EAX, unregisters itself
 * and frees the context.
 */
static void VirtualAlloc_ret(void *param)
{
    NtCreateFile_hook_context_t *hook_ctx = param;

    DECAF_printf("VirtualAlloc exit:");

    /* One-shot hook: unregister before reporting and releasing the context. */
    hookapi_remove_hook(hook_ctx->hook_handle);

    /* call_stack[1] and call_stack[2] are labelled lpAddress and dwSize;
     * presumably they were captured at call time - verify in the call hook. */
    DECAF_printf("lpAddress=%08x, dwSize=%d, ret=%08x\n",
                 hook_ctx->call_stack[1],
                 hook_ctx->call_stack[2],
                 cpu_single_env->regs[R_EAX]);

    free(hook_ctx);
}
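/*
 * Return hook for NtCreateFile.
 *
 * param is the heap-allocated NtCreateFile_hook_context_t passed in by the
 * call hook.  Unregisters the hook, reads 4 bytes from the guest address in
 * call_stack[1], logs them as the output handle and frees the context.
 */
static void NtCreateFile_ret(void *param)
{
    NtCreateFile_hook_context_t *ctx = (NtCreateFile_hook_context_t *)param;
    /*
     * Initialised so that a failed guest read cannot make the log line
     * print indeterminate host stack contents.
     */
    uint32_t out_handle = 0;

    DECAF_printf("NtCreateFile exit:");
    hookapi_remove_hook(ctx->hook_handle);

    /*
     * The address comes from the guest and may be unmapped.
     * NOTE(review): the result of DECAF_read_mem is ignored, so a failed
     * read is logged as out_handle=00000000; check its return value once
     * the error convention is confirmed.
     */
    DECAF_read_mem(NULL, ctx->call_stack[1], 4, &out_handle);
    DECAF_printf("out_handle=%08x\n", out_handle);

    free(ctx);
}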
/*
 * Counted conditional-start hook.
 *
 * A hit is counted only when tracing_kernel_all() is true or the current
 * CR3 equals the monitored CR3.  When the hit count, sampled before its
 * increment, equals tc_start_at, tracing is switched on, the stop counter
 * is reset and the hook in cond_func_hook_handle is removed.
 * Always returns 0; opaque is unused.
 */
int tc_address_start_hook(void *opaque)
{
    term_printf("tc_address_start_hook(*) called\n");

    /* Hits outside the traced scope must not advance the counter. */
    if (!(tracing_kernel_all()
          || (temu_plugin->monitored_cr3 == TEMU_cpu_cr[3]))) {
        return 0;
    }

    /* Post-increment: compare the old count, then advance it. */
    if (tc_start_counter++ != tc_start_at) {
        return 0;
    }

    tracing_start_condition = 1;
    tc_stop_counter = 0; /* reset the tc_stop_counter at the execution saving */

    /* remove the hook */
    hookapi_remove_hook(cond_func_hook_handle);
    return 0;
}
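/*
 * Counted conditional-stop hook.
 *
 * A hit is counted only when tracing_kernel_all() is true or the current
 * CR3 equals the monitored CR3.  When the hit count, sampled before its
 * increment, equals tc_stop_at, tracing is switched off, the stop time is
 * recorded and reported, and the hook in tc_stop_hook_handle is removed.
 * Always returns 0; opaque is unused.
 */
int tc_address_stop_hook(void *opaque)
{
    term_printf("tc_address_stop_hook(*) called\n");

    if ((tracing_kernel_all()
         || (temu_plugin->monitored_cr3 == TEMU_cpu_cr[3]))
        && (tc_stop_counter++ == tc_stop_at)) {
        tracing_start_condition = 0;

        if (gettimeofday(&trace_stop_time, NULL) == 0) {
            /*
             * Subtract before scaling and do the arithmetic in long long so
             * the seconds-to-microseconds conversion cannot overflow a
             * 32-bit long.
             */
            long long elapsed_usec =
                (long long)(trace_stop_time.tv_sec - trace_start_time.tv_sec)
                    * 1000000LL
                + (long long)(trace_stop_time.tv_usec
                              - trace_start_time.tv_usec);

            /*
             * Report the stop time (the start time was printed here by
             * mistake) and zero-pad the microseconds so the value reads as
             * a proper decimal fraction.
             */
            term_printf("Trace ending time: %ld.%06ld\n",
                        (long)trace_stop_time.tv_sec,
                        (long)trace_stop_time.tv_usec);
            term_printf("Total elapsed time: %lld usec\n", elapsed_usec);
        }

        /* remove the hook */
        hookapi_remove_hook(tc_stop_hook_handle);
    }

    return 0;
}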
/*
 * Return hook for strcmp.
 *
 * opaque is the heap-allocated strcmp_value passed in by the call hook.
 * Unregisters the hook, logs whether the guest's comparison result in EAX
 * was zero, then rewrites EAX with 1 and frees the context.
 * Always returns 0.
 */
static int strcmp_ret(void *opaque)
{
    strcmp_value *cmp_ctx = (strcmp_value *)opaque;
    int result = 0;
    int forced = 1;

    hookapi_remove_hook(cmp_ctx->hook_handle);

    read_reg(eax_reg, &result);
    if (result != 0) {
        WRITE ("stderr", "\tthe two strings are not same %x!\n",result);
    } else {
        WRITE ("stderr", "\tthe two strings are same!\n");
    }

    /*
     * Replace the guest-visible return value with 1, whatever the real
     * comparison result was.
     * NOTE(review): read_reg is given a pointer but write_reg is given the
     * value itself - confirm write_reg's signature.
     */
    write_reg(eax_reg,forced);

    /* cmp_ctx was already dereferenced above, so no NULL guard is needed. */
    free(cmp_ctx);
    return 0;
}