bool init_plugin(void *self) { plugin_self = self; panda_require("stringsearch"); panda_require("taint2"); #ifdef CONFIG_SOFTMMU panda_arg_list *args; args = panda_get_args("tstringsearch"); positional_tainting = panda_parse_bool_opt(args, "pos", "positional taint"); only_first = panda_parse_bool_opt(args, "only_first", "only label first match"); args = panda_get_args("general"); enable_taint_instr_count = panda_parse_uint64_opt(args, "first_instr", 0, "enable taint at this instruction"); // this sets up the taint api fn ptrs so we have access assert(init_taint2_api()); // register the tstringsearch_match fn to be called at the on_ssm site within panda_stringsearch PPP_REG_CB("stringsearch", on_ssm, tstringsearch_match) ; return true; #else fprintf(stderr, "tstringsearch: plugin does not support linux-user mode\n"); return false; #endif }
bool init_plugin(void *self) { panda_require("taint2"); assert(init_taint2_api()); panda_require("callstack_instr"); assert (init_callstack_instr_api()); PPP_REG_CB("taint2", on_taint_change, taint_change); taint2_track_taint_state(); return true; }
bool init_plugin(void *self) { panda_require("callstack_instr"); assert (init_callstack_instr_api()); panda_require("taint2"); assert (init_taint2_api()); panda_cb pcb; pcb.after_block_exec = tbranch_after_block_exec; panda_register_callback(self, PANDA_CB_AFTER_BLOCK_EXEC, pcb); return true; }
bool init_plugin(void *self) { printf("Initializing plugin file_taint\n"); panda_arg_list *args; args = panda_get_args("file_taint"); taint_filename = panda_parse_string(args, "filename", "abc123"); positional_labels = panda_parse_bool(args, "pos"); // used to just find the names of files that get no_taint = panda_parse_bool(args, "notaint"); prob_label_u32 = panda_parse_double(args, "prob_label_u32", 0.0); end_label = panda_parse_ulong(args, "max_num_labels", 1000000); end_label = panda_parse_ulong(args, "end", end_label); start_label = panda_parse_ulong(args, "start", 0); first_instr = panda_parse_uint64(args, "first_instr", 0); printf ("taint_filename = [%s]\n", taint_filename); printf ("positional_labels = %d\n", positional_labels); printf ("no_taint = %d\n", no_taint); printf ("prob_label_u32 = %.3f\n", prob_label_u32); printf ("end_label = %d\n", end_label); printf ("first_instr = %" PRId64 " \n", first_instr); panda_require("syscalls2"); // this sets up the taint api fn ptrs so we have access if (!no_taint) { panda_require("taint2"); assert(init_taint2_api()); if (first_instr == 0) { taint2_enable_taint(); } } panda_cb pcb; if (first_instr > 0) { // only need this callback if we are turning on taint late pcb.before_block_translate = file_taint_enable; panda_register_callback(self, PANDA_CB_BEFORE_BLOCK_TRANSLATE, pcb); } #if defined(TARGET_I386) PPP_REG_CB("syscalls2", on_sys_open_enter, open_enter); PPP_REG_CB("syscalls2", on_sys_open_return, open_return); PPP_REG_CB("syscalls2", on_sys_read_enter, read_enter); PPP_REG_CB("syscalls2", on_sys_read_return, read_return); #endif return true; }
bool init_plugin(void *self) { printf("Initializing taint plugin\n"); plugin_ptr = self; panda_cb pcb; panda_enable_memcb(); panda_disable_tb_chaining(); pcb.guest_hypercall = guest_hypercall_callback; panda_register_callback(self, PANDA_CB_GUEST_HYPERCALL, pcb); pcb.before_block_exec_invalidate_opt = before_block_exec_invalidate_opt; panda_register_callback(self, PANDA_CB_BEFORE_BLOCK_EXEC_INVALIDATE_OPT, pcb); /* pcb.replay_handle_packet = handle_packet; panda_register_callback(plugin_ptr, PANDA_CB_REPLAY_HANDLE_PACKET, pcb); */ panda_arg_list *args = panda_get_args("taint2"); tainted_pointer = !panda_parse_bool(args, "no_tp"); inline_taint = panda_parse_bool(args, "inline"); if (inline_taint) { printf("taint2: Inlining taint ops by default.\n"); } else { printf("taint2: Instructed not to inline taint ops.\n"); } if (panda_parse_bool(args, "binary")) mode = TAINT_BINARY_LABEL; if (panda_parse_bool(args, "word")) granularity = TAINT_GRANULARITY_WORD; optimize_llvm = panda_parse_bool(args, "opt"); panda_require("callstack_instr"); assert(init_callstack_instr_api()); return true; }
bool init_plugin(void *self) { panda_require("callstack_instr"); assert (init_callstack_instr_api()); panda_require("taint2"); assert (init_taint2_api()); panda_arg_list *args = panda_get_args("tainted_instr"); summary = panda_parse_bool_opt(args, "summary", "only print out a summary of tainted instructions"); if (summary) printf ("tainted_instr summary mode\n"); else printf ("tainted_instr full mode\n"); /* panda_cb pcb; pcb.after_block_exec = tbranch_after_block_exec; panda_register_callback(self, PANDA_CB_AFTER_BLOCK_EXEC, pcb); */ PPP_REG_CB("taint2", on_branch2, tbranch_on_branch_taint2); PPP_REG_CB("taint2", on_non_const_eip, tbranch_on_branch_taint2); return true; }
bool init_plugin(void *self) { #ifdef OSI_PROC_EVENTS panda_cb pcb; pcb.after_PGD_write = vmi_pgd_changed; panda_register_callback(self, PANDA_CB_VMI_PGD_CHANGED, pcb); #endif // figure out what kind of os introspection is needed and grab it? assert (!(panda_os_type == OST_UNKNOWN)); if (panda_os_type == OST_LINUX) { // sadly, all of this is to find kernelinfo.conf file char *progname = gargv[0]; if (progname[0] == '/') { // absolute path, yay! } else { // relative path char *cwd = get_current_dir_name(); char *rel_progname = strdup(progname); progname = (char *) malloc(256); sprintf (progname, "%s/%s", cwd, rel_progname); } char *progdir = strdup(progname); progdir = dirname(progdir); char kconfgroup[512]; sprintf (kconfgroup, "%s-%d", panda_os_details, panda_os_bits); char kconfile[256]; snprintf (kconfile, 256, "%s/../panda_plugins/osi_linux/kernelinfo.conf", progdir); char *kconfile2 = realpath( kconfile, NULL); printf ("kconfile [%s]\n", kconfile2); char osi_linux_arg[512]; sprintf (osi_linux_arg, "osi_linux:kconf_file=%s", kconfile2); panda_add_arg(osi_linux_arg, strlen(osi_linux_arg)); sprintf (osi_linux_arg, "osi_linux:kconf_group=%s", panda_os_details); panda_add_arg(osi_linux_arg, strlen(osi_linux_arg)); printf ("osi grabbing linux introspection backend. osi_linux arg [%s]\n", osi_linux_arg); panda_require("osi_linux"); } if (panda_os_type == OST_WINDOWS) { printf("osi grabbing windows introspection backend\n"); panda_require("win7x86intro"); panda_require("wintrospection"); } return true; }
bool init_plugin(void *self) { printf("Initializing plugin file_taint\n"); panda_arg_list *args; args = panda_get_args("file_taint"); taint_filename = panda_parse_string(args, "filename", "abc123"); positional_labels = panda_parse_bool(args, "pos"); use_taint2 = !panda_parse_bool(args, "taint1"); // used to just find the names of files that get no_taint = panda_parse_bool(args, "notaint"); printf ("taint_filename = [%s]\n", taint_filename); printf ("positional_labels = %d\n", positional_labels); panda_require("syscalls2"); // this sets up the taint api fn ptrs so we have access if (!no_taint) { if (use_taint2) { panda_require("taint2"); assert(init_taint2_api()); taint2_enable_taint(); } else { panda_require("taint"); assert(init_taint_api()); taint_enable_taint(); } } #if defined(TARGET_I386) PPP_REG_CB("syscalls2", on_sys_open_enter, open_enter); PPP_REG_CB("syscalls2", on_sys_open_return, open_return); PPP_REG_CB("syscalls2", on_sys_read_enter, read_enter); PPP_REG_CB("syscalls2", on_sys_read_return, read_return); #endif return true; }
bool init_plugin(void *self) { printf ("Initializing plugin coverage\n"); panda_arg_list *args = panda_get_args("coverage"); process_name = panda_parse_string(args, "process", ""); panda_require("osi"); // this sets up OS introspection API assert(init_osi_api()); panda_cb pcb; pcb.before_block_exec = coverage_before_block_exec; panda_register_callback(self, PANDA_CB_BEFORE_BLOCK_EXEC, pcb); return true; }
/* void on_taint_change(Addr a, uint64_t size){ uint32_t num_tainted = 0; for (uint32_t i=0; i<size; i++){ a.off = i; num_tainted += (taint2_query(a) != 0); } if (num_tainted > 0) { printf("In taint change!\n"); } } */ bool init_plugin(void *self) { #if defined(TARGET_I386) && !defined(TARGET_X86_64) //printf("Initializing plugin dwarf_taint\n"); //panda_arg_list *args = panda_get_args("dwarf_taint"); panda_require("callstack_instr"); assert(init_callstack_instr_api()); panda_require("pri"); assert(init_pri_api()); //panda_require("pri_dwarf"); //assert(init_pri_dwarf_api()); panda_require("taint2"); assert(init_taint2_api()); //assert(init_file_taint_api()); PPP_REG_CB("pri", on_before_line_change, on_line_change); //PPP_REG_CB("pri", on_fn_start, on_fn_start); //PPP_REG_CB("taint2", on_taint_change, on_taint_change); //taint2_track_taint_state(); #endif return true; }
bool init_plugin(void *self) { //panda_arg_list *args = panda_get_args("loaded"); panda_require("osi_linux"); assert(init_osi_linux_api()); panda_require("osi"); assert(init_osi_api()); panda_require("syscalls2"); #if defined(TARGET_I386) { panda_cb pcb; pcb.before_block_exec = osi_foo; panda_register_callback(self, PANDA_CB_BEFORE_BLOCK_EXEC, pcb); } PPP_REG_CB("syscalls2", on_sys_mmap_pgoff_return, linux_mmap_pgoff_return); #else fprintf(stderr, "The loaded plugin is not currently supported on this platform.\n"); return false; #endif return true; }
bool init_plugin(void *self) { #if defined(TARGET_I386) && !defined(TARGET_X86_64) printf("Initializing plugin pri_simple\n"); //panda_arg_list *args = panda_get_args("pri_taint"); panda_require("pri"); assert(init_pri_api()); //panda_require("dwarfp"); //assert(init_dwarfp_api()); PPP_REG_CB("pri", on_before_line_change, on_line_change); //PPP_REG_CB("pri", on_fn_start, on_fn_start); { panda_cb pcb; pcb.virt_mem_write = virt_mem_write; panda_register_callback(self,PANDA_CB_VIRT_MEM_WRITE,pcb); pcb.virt_mem_read = virt_mem_read; panda_register_callback(self,PANDA_CB_VIRT_MEM_READ,pcb); } #endif return true; }
bool init_plugin(void *self) { printf("Initializing plugin file_taint\n"); #ifdef TARGET_I386 panda_cb pcb; panda_arg_list *args; args = panda_get_args("file_taint"); taint_filename = panda_parse_string(args, "filename", "abc123"); positional_labels = panda_parse_bool(args, "pos"); no_taint = panda_parse_bool(args, "notaint"); end_label = panda_parse_ulong(args, "max_num_labels", 1000000); end_label = panda_parse_ulong(args, "end", end_label); start_label = panda_parse_ulong(args, "start", 0); enable_taint_on_open = panda_parse_bool(args, "enable_taint_on_open"); first_instr = panda_parse_uint64(args, "first_instr", 0); taint_stdin = panda_parse_string(args, "use_stdin_for", nullptr); printf ("taint_filename = [%s]\n", taint_filename); printf ("positional_labels = %d\n", positional_labels); printf ("no_taint = %d\n", no_taint); printf ("end_label = %d\n", end_label); printf ("first_instr = %" PRId64 " \n", first_instr); // you must use '-os os_name' cmdline arg! assert (!(panda_os_type == OST_UNKNOWN)); panda_require("osi"); assert(init_osi_api()); panda_require("syscalls2"); if (taint_stdin) { printf("tainting stdin\n"); assert (panda_os_type == OST_LINUX); } if (panda_os_type == OST_LINUX) { panda_require("osi_linux"); assert(init_osi_linux_api()); PPP_REG_CB("syscalls2", on_sys_open_enter, linux_open_enter); PPP_REG_CB("syscalls2", on_sys_read_enter, linux_read_enter); PPP_REG_CB("syscalls2", on_sys_read_return, linux_read_return); PPP_REG_CB("syscalls2", on_sys_pread64_enter, linux_pread_enter); PPP_REG_CB("syscalls2", on_sys_pread64_return, linux_pread_return); } if (panda_os_type == OST_WINDOWS) { panda_require("wintrospection"); assert(init_wintrospection_api()); PPP_REG_CB("syscalls2", on_NtOpenFile_enter, windows_open_enter); PPP_REG_CB("syscalls2", on_NtOpenFile_return, windows_open_return); PPP_REG_CB("syscalls2", on_NtCreateFile_enter, windows_create_enter); PPP_REG_CB("syscalls2", on_NtCreateFile_return, windows_create_return); PPP_REG_CB("syscalls2", on_NtReadFile_enter, windows_read_enter); PPP_REG_CB("syscalls2", on_NtReadFile_return, windows_read_return); } // this sets up the taint api fn ptrs so we have access if (!no_taint) { if (debug) printf("file_taint: initializing taint2 plugin\n"); panda_require("taint2"); assert(init_taint2_api()); if (!enable_taint_on_open && first_instr == 0) { if (debug) printf("file_taint: turning on taint at replay beginning\n"); taint2_enable_taint(); } } if (!no_taint && first_instr > 0) { if (debug) printf ("file_taint: turning on taint at instruction %" PRId64 "\n", first_instr); // only need this callback if we are turning on taint late pcb.before_block_translate = file_taint_enable; panda_register_callback(self, PANDA_CB_BEFORE_BLOCK_TRANSLATE, pcb); } pcb.before_block_exec = osi_foo; panda_register_callback(self, PANDA_CB_BEFORE_BLOCK_EXEC, pcb); #else printf ("file_taint: only works for x86 target (really just 32-bit)\n"); return false; #endif return true; }