/* Delete a thread from the list of threads. */
static void
child_delete_thread (DWORD id)
{
struct inferior_list_entry *thread;
/* If the last thread is exiting, just return. */
if (all_threads.head == all_threads.tail)
return;
thread = find_inferior_id (&all_threads, id);
if (thread == NULL)
return;
delete_thread_info (thread);
}
/* Delete a thread from the list of threads. */
static void
child_delete_thread (DWORD pid, DWORD tid)
{
struct inferior_list_entry *thread;
ptid_t ptid;
/* If the last thread is exiting, just return. */
if (all_threads.head == all_threads.tail)
return;
ptid = ptid_build (pid, tid, 0);
thread = find_inferior_id (&all_threads, ptid);
if (thread == NULL)
return;
delete_thread_info (thread);
}
/*!
* This is not clear how Temu define a block, however, both Hookfinder
* & the sample plugin use this function to check if they are working
* on the monitored process or not.
*/
int detector_block_begin()
{
// We care for nothing
if (monitored_proc[0] == 0) { goto _finished; }
uint32_t eip, esp, cr3;
// Get the value of EIP register
TEMU_read_register(eip_reg, &eip);
// Get the value of CR3 register
TEMU_read_register(cr3_reg, &cr3);
// Get the value of ESP register
TEMU_read_register(esp_reg, &esp);
// Get the current process using the above registers
tmodinfo_t * mi = locate_module(eip, cr3, current_proc);
// Get the current working module inside the current process
strcpy(current_mod, mi ? mi->name : "<unknown>");
if (0x00 == strcasecmp(current_mod, monitored_proc)) {
// Save the base address
checked_module_base = mi->base;
// Save the size
checked_module_size = mi->size;
// We are inside the monitored module
in_checked_module = LOC_INSIDE;
goto _handle;
}
uint32_t phys_addr = TEMU_get_phys_addr(eip);
// Check what ?
taint_record_t records[0x04];
uint64_t taint = taintcheck_memory_check(phys_addr, 1, (uint8_t *) records);
if (taint) {
// This may be generated code
in_checked_module = LOC_GEN;
// Log
fprintf( loghandle,
"Tainted code: %s!%s eip=%08x\n",
current_proc,
mi ? mi->name: "<unknown>",
eip);
goto _handle;
}
// Get the id of the current thread
current_thread_id = get_current_tid();
// Get the information about the current thread
current_thread_node = (current_thread_id != -1UL) ? get_thread_info(current_thread_id) : NULL;
// In system call
if (current_thread_node) {
if (current_thread_node->origin == 1 || current_thread_node->origin == 2) {
// Jump out of malicious code
if (((current_thread_node->esp & 0x80000000) == (esp & 0x80000000)) &&
(current_thread_node->esp < esp))
{
// Return from malware
delete_thread_info(current_thread_id);
current_thread_node = NULL;
goto _finished;
}
if (((current_thread_node->esp & 0x80000000) == (esp & 0x80000000)) &&
(current_thread_node->esp > esp))
{
// External call - set the caller
current_thread_node->entry_eip = eip;
// Follow the Hookfinder style
current_thread_node->origin = 3;
goto _finished;
}
}
}
// Skip the rest
goto _finished;
_handle:
// This is not the monitored process
if(current_thread_id == -1UL) {
goto _finished;
}
// Set the current thread info
if (! current_thread_node) {
thread_info_t info;
// Zero-out
bzero( &info, sizeof(info) );
// Set its members
info.cr3 = cr3;
info.esp = esp;
// Why set its value to 0 ?
info.eip = 0x00;
info.origin = (uint32_t)in_checked_module;
// Save the thread info
write_thread_info(current_thread_id, &info);
// and refer to the newly updated current thread
current_thread_node = get_thread_info(current_thread_id);
}
current_thread_node->eip = 0;
current_thread_node->out_eip = 0;
current_thread_node->entry_eip = 0;
current_thread_node->origin = (uint32_t)in_checked_module;
_finished:
//we should always check if there is a hook at this point,
//no matter we are in the monitored context or not, because
//some hooks are global.
hookapi_check_call(should_monitor);
// Thread ?
in_checked_module = current_thread_node ? (enum location_t)current_thread_node->origin : LOC_NOWHERE;
// Done
return 0;
}
