void CooperativeSearcher::onCustomInstruction(S2EExecutionState* state, uint64_t opcode)
{
//XXX: find a better way of allocating custom opcodes
if (!OPCODE_CHECK(opcode, COOPSEARCHER_OPCODE)) {
return;
}
uint8_t op = OPCODE_GETSUBFUNCTION(opcode);
bool ok = true;
target_ulong nextState = 0;
CoopSchedulerOpcodes opc = (CoopSchedulerOpcodes)op;
switch(opc) {
//Pick the next state specified as input ergument
case ScheduleNext:
{
ok &= state->readCpuRegisterConcrete(CPU_OFFSET(COOPSEARCHER_NEXTSTATE),
&nextState, sizeof nextState);
if(!ok) {
s2e()->getWarningsStream(state)
<< "ERROR: symbolic argument was passed to s2e_op "
"CooperativeSearcher ScheduleNext" << '\n';
break;
}
States::iterator it = m_states.find(nextState);
if (it == m_states.end()) {
s2e()->getWarningsStream(state)
<< "ERROR: Invalid state passed to " <<
"CooperativeSearcher ScheduleNext: " << nextState << '\n';
}
m_currentState = (*it).second;
s2e()->getMessagesStream(state) <<
"CooperativeSearcher picked the state " << nextState << '\n';
//Force rescheduling
state->setPc(state->getPc() + S2E_OPCODE_SIZE);
throw CpuExitException();
break;
}
//Deschedule the current state. Will pick the state with strictly lower id.
case Yield:
{
if (m_states.size() == 1) {
break;
}
States::iterator it = m_states.find(m_currentState->getID());
if (it == m_states.begin()) {
m_currentState = (*m_states.rbegin()).second;
}else {
--it;
m_currentState = (*it).second;
}
//Force rescheduling
state->setPc(state->getPc() + S2E_OPCODE_SIZE);
throw CpuExitException();
break;
}
}
}
void SkyriseAnalyst::slot_onEntryExecution(S2EExecutionState *state,
uint64_t pc)
{
assert(m_module.EntryPoint == pc);
assert(!(b_targetModule_exec));
// Disconnect entry point signals
regEntryHook.disconnect();
sig_EntryExec.disconnect();
// Set running flag
b_targetModule_exec = true;
// Parse PE import table of target module
if (!(m_monitor->getImports(state, m_module, imports))) {
std::cout << "[State " << std::dec
<< state->getID()
<< "] Error: Could not retrieve "
<< "imports from "
<< m_module.Name << '\n';
exit(1);
}
// Print APIs in import table
print_imports();
// Register imported API hooks
regImportHooks = s2e()->getCorePlugin()->onTranslateInstructionEnd.connect(
sigc::mem_fun(*this,
&SkyriseAnalyst::slot_registerImportHooks)
);
std::cout << "[+] Starting program execution at address 0x"
<< std::hex << pc << std::endl << std::endl;
/* State forking/switching
*
*/
s2e()->getCorePlugin()->onStateFork.connect(
sigc::mem_fun(*this,
&SkyriseAnalyst::slot_onStateFork)
);
s2e()->getCorePlugin()->onStateSwitch.connect(
sigc::mem_fun(*this,
&SkyriseAnalyst::slot_onStateSwitch)
);
/* Attempt to force re-translation so we can hook
* import functions. Surely adds less overhead than
* instrumenting *every* instruction.
*/
tb_flush(env);
throw CpuExitException();
}
