void emu_cpu_debug_print(struct emu_cpu *c)
{
logDebug(c->emu,"cpu state eip=0x%08x\n", c->eip);
logDebug(c->emu,"eax=0x%08x ecx=0x%08x edx=0x%08x ebx=0x%08x\n", c->reg[eax], c->reg[ecx], c->reg[edx], c->reg[ebx]);
logDebug(c->emu,"esp=0x%08x ebp=0x%08x esi=0x%08x edi=0x%08x\n", c->reg[esp], c->reg[ebp], c->reg[esi], c->reg[edi]);
char *fmsg;
fmsg = (char *)malloc(32*3+1);
memset(fmsg, 0, 32*3+1);
int i;
for ( i=0;i<32;i++ )
{
if ( CPU_FLAG_ISSET(c, i) )
{
strcat(fmsg, eflagm[i]);
strcat(fmsg," ");
}
}
logDebug(c->emu,"Flags: %s\n", fmsg);
free(fmsg);
return;
for (i=0; i<8; i++)
{
printf("%08x ",c->reg[esp] + i * 4);
}
printf("\n");
for (i=0; i<8; i++)
{
uint32_t d;
emu_memory_read_dword(c->mem, c->reg[esp] + i * 4, &d);
printf("%08x ",d);
}
printf("\n");
}
int32_t emu_cpu_parse(struct emu_cpu *c)
{
if (c->repeat_current_instr == true)
{
return 0;
}
/* TODO make unstatic for threadsafety */
uint8_t byte;
uint8_t *opcode;
uint32_t ret;
c->instr.prefixes = 0;
// logDebug(c->emu,"decoding\n");
// emu_cpu_debug_print(c);
uint8_t dis[32];
uint32_t readOk = emu_memory_read_block(c->mem,c->eip,dis,32);
if(readOk != 0){ //dzzie 5.14.11
emu_strerror_set(c->emu,"emu_parse no memory found at 0x%x\n", c->eip);
emu_errno_set(c->emu, EOPNOTSUPP);
return -1;
}
uint32_t expected_instr_size = 0;
if( CPU_DEBUG_FLAG_ISSET(c, instruction_string ) || CPU_DEBUG_FLAG_ISSET(c, instruction_size ) )
{
expected_instr_size = dasm_print_instruction(c->eip,dis,0,c->instr_string);
}
uint32_t eip_before = c->eip;
uint32_t eip_after = 0;
/* reset the instruction source and track infos, maybe move to a fn and call the fn instead? */
c->instr.source.has_cond_pos = 0;
/*c->instr.track.init.eflags = 0;
memset(c->instr.track.init.reg, 0, sizeof(uint32_t) * 8);
c->instr.track.init.fpu = 0;
c->instr.track.need.eflags = 0;
memset(c->instr.track.need.reg, 0, sizeof(uint32_t) * 8);
c->instr.track.need.fpu = 0;
*/
while( 1 )
{
ret = emu_memory_read_byte(c->mem, c->eip++, &byte);
if( ret != 0 )
return ret;
c->cpu_instr_info = &ii_onebyte[byte];
if( c->cpu_instr_info->function == prefix_fn )
{
c->instr.prefixes |= prefix_map[byte];
continue;
}
else
{
c->instr.opc = byte;
if( c->cpu_instr_info->format.fpu_info == 0 )
{
c->instr.is_fpu = 0;
c->instr.cpu.opc = c->instr.opc;
c->instr.cpu.prefixes = c->instr.prefixes;
if( c->instr.cpu.opc == 0x0f )
{
ret = emu_memory_read_byte(c->mem, c->eip++, &byte);
if( ret != 0 )
return ret;
c->instr.cpu.opc_2nd = byte;
opcode = &c->instr.cpu.opc_2nd;
c->cpu_instr_info = &ii_twobyte[byte];
}
else
{
opcode = &c->instr.cpu.opc;
}
if ( c->cpu_instr_info->function == 0 )
{
if( c->instr.cpu.opc == 0x0f )
emu_strerror_set(c->emu,"opcode 0f %02x not supported\n", c->instr.cpu.opc_2nd);
else
emu_strerror_set(c->emu,"opcode %02x not supported\n", c->instr.cpu.opc);
emu_errno_set(c->emu, EOPNOTSUPP);
/* int y=0;
for (y=0;y<expected_instr_size;y++)
{
printf("%02x ", dis[y]);
}
printf("\n");
*/
return -1;
}
c->instr.cpu.w_bit = *opcode & 1;
c->instr.cpu.s_bit = (*opcode >> 1) & 1;
/* mod r/m byte? sib/disp */
if( c->cpu_instr_info->format.modrm_byte != 0 )
{
ret = emu_memory_read_byte(c->mem, c->eip++, &byte);
if( ret != 0 )
return ret;
c->instr.cpu.modrm.mod = MODRM_MOD(byte);
c->instr.cpu.modrm.opc = MODRM_REGOPC(byte);
c->instr.cpu.modrm.rm = MODRM_RM(byte);
if( c->cpu_instr_info->format.modrm_byte == II_MOD_REG_RM || c->cpu_instr_info->format.modrm_byte == II_MOD_YYY_RM ||
c->cpu_instr_info->format.modrm_byte == II_XX_REG1_REG2) /* cases with possible sib/disp*/
{
if( c->instr.cpu.modrm.mod != 3 )
{
if( c->instr.cpu.modrm.rm != 4 && !(c->instr.cpu.modrm.mod == 0 && c->instr.cpu.modrm.rm == 5) )
{
c->instr.cpu.modrm.ea = c->reg[c->instr.cpu.modrm.rm];
//TRACK_NEED_REG32(c->instr, c->instr.cpu.modrm.rm);
}
else
c->instr.cpu.modrm.ea = 0;
if( c->instr.cpu.modrm.rm == 4 ) /* sib byte present */
{
ret = emu_memory_read_byte(c->mem, c->eip++, &byte);
if( ret != 0 )
return ret;
c->instr.cpu.modrm.sib.base = SIB_BASE(byte);
c->instr.cpu.modrm.sib.scale = SIB_SCALE(byte);
c->instr.cpu.modrm.sib.index = SIB_INDEX(byte);
if( c->instr.cpu.modrm.sib.base != 5 )
{
c->instr.cpu.modrm.ea += c->reg[c->instr.cpu.modrm.sib.base];
//TRACK_NEED_REG32(c->instr, c->instr.cpu.modrm.sib.base);
}
else if( c->instr.cpu.modrm.mod != 0 )
{
c->instr.cpu.modrm.ea += c->reg[ebp];
//TRACK_NEED_REG32(c->instr, ebp);
}
if( c->instr.cpu.modrm.sib.index != 4 )
{
c->instr.cpu.modrm.ea += c->reg[c->instr.cpu.modrm.sib.index] * scalem[c->instr.cpu.modrm.sib.scale];
//TRACK_NEED_REG32(c->instr, c->instr.cpu.modrm.sib.index);
}
}
if( c->instr.cpu.modrm.mod == 1 ) /* disp8 */
{
ret = emu_memory_read_byte(c->mem, c->eip++, &c->instr.cpu.modrm.disp.s8);
if( ret != 0 )
return ret;
c->instr.cpu.modrm.ea += (int8_t)c->instr.cpu.modrm.disp.s8;
}
else if( c->instr.cpu.modrm.mod == 2 || (c->instr.cpu.modrm.mod == 0 && c->instr.cpu.modrm.rm == 5) ) /* disp32 */
{
ret = emu_memory_read_dword(c->mem, c->eip, &c->instr.cpu.modrm.disp.s32);
c->eip += 4;
if( ret != 0 )
return ret;
c->instr.cpu.modrm.ea += c->instr.cpu.modrm.disp.s32;
}
}
}
}
/* */
c->instr.cpu.operand_size = 0;
if( c->cpu_instr_info->format.imm_data == II_IMM8 || c->cpu_instr_info->format.disp_data == II_DISP8 )
c->instr.cpu.operand_size = OPSIZE_8;
else if( c->cpu_instr_info->format.imm_data == II_IMM16 || c->cpu_instr_info->format.disp_data == II_DISP16 )
c->instr.cpu.operand_size = OPSIZE_16;
else if( c->cpu_instr_info->format.imm_data == II_IMM32 || c->cpu_instr_info->format.disp_data == II_DISP32 )
c->instr.cpu.operand_size = OPSIZE_32;
else if( c->cpu_instr_info->format.imm_data == II_IMM || c->cpu_instr_info->format.disp_data == II_DISPF
|| (c->cpu_instr_info->format.type && !c->instr.cpu.modrm.opc))
{
if( c->cpu_instr_info->format.w_bit == 1 && c->instr.cpu.w_bit == 0 )
c->instr.cpu.operand_size = OPSIZE_8;
else
{
if( c->instr.cpu.prefixes & PREFIX_OPSIZE )
c->instr.cpu.operand_size = OPSIZE_16;
else
c->instr.cpu.operand_size = OPSIZE_32;
}
}
/* imm */
if( c->cpu_instr_info->format.imm_data != 0 || (c->cpu_instr_info->format.type && !c->instr.cpu.modrm.opc))
{
if( c->instr.cpu.operand_size == OPSIZE_32 )
{
ret = emu_memory_read_dword(c->mem, c->eip, &c->instr.cpu.imm);
c->eip += 4;
}
else if( c->instr.cpu.operand_size == OPSIZE_8 )
{
ret = emu_memory_read_byte(c->mem, c->eip++, c->instr.cpu.imm8);
}
else if( c->instr.cpu.operand_size == OPSIZE_16 )
{
ret = emu_memory_read_word(c->mem, c->eip, c->instr.cpu.imm16);
c->eip += 2;
}
if( ret != 0 )
return ret;
}
/* disp */
if( c->cpu_instr_info->format.disp_data != 0 )
{
if( c->instr.cpu.operand_size == OPSIZE_32 )
{
uint32_t disp32;
ret = emu_memory_read_dword(c->mem, c->eip, &disp32);
c->instr.cpu.disp = (int32_t)disp32;
c->eip += 4;
}
else if( c->instr.cpu.operand_size == OPSIZE_16 )
{
uint16_t disp16;
ret = emu_memory_read_word(c->mem, c->eip, &disp16);
c->instr.cpu.disp = (int16_t)disp16;
c->eip += 2;
}
else if( c->instr.cpu.operand_size == OPSIZE_8 )
{
uint8_t disp8;
ret = emu_memory_read_byte(c->mem, c->eip++, &disp8);
c->instr.cpu.disp = (int8_t)disp8;
}
if( ret != 0 )
return ret;
}
/* TODO level type ... */
}
else /* fpu */
{
/* this is a minimal parser without exact decomposition
* into all fields. instead it determines the length of
* the instruction and ignores pretty much everything else
* except for a few explicitly implemented instructions. */
c->instr.is_fpu = 1;
c->instr.fpu.prefixes = c->instr.prefixes;
c->instr.fpu.fpu_data[0] = c->instr.opc;
ret = emu_memory_read_byte(c->mem, c->eip++, &c->instr.fpu.fpu_data[1]);
if( ret != 0 )
return ret;
if( FPU_MOD(c->instr.fpu.fpu_data) != 3 ) /* intel pdf page 36 */
{
/* trivial case, one register is ea */
if( FPU_RM(c->instr.fpu.fpu_data) != 4 && !(FPU_MOD(c->instr.fpu.fpu_data) == 0 && FPU_RM(c->instr.fpu.fpu_data) == 5) )
c->instr.fpu.ea = c->reg[FPU_RM(c->instr.fpu.fpu_data)];
else
c->instr.fpu.ea = 0;
/* sib byte */
if( FPU_RM(c->instr.fpu.fpu_data) == 4 )
{
ret = emu_memory_read_byte(c->mem, c->eip++, &byte);
if( ret != 0 )
return ret;
if( SIB_BASE(byte) != 5 )
{
c->instr.fpu.ea += c->reg[SIB_BASE(byte)];
}
else if( FPU_MOD(c->instr.fpu.fpu_data) != 0 )
{
c->instr.fpu.ea += c->reg[ebp];
}
if( SIB_INDEX(byte) != 4 )
{
c->instr.fpu.ea += c->reg[SIB_INDEX(byte)] * scalem[SIB_SCALE(byte)];
}
}
/* modrm */
if( FPU_MOD(c->instr.fpu.fpu_data) == 1 )
{
ret = emu_memory_read_byte(c->mem, c->eip++, &byte);
if( ret != 0 )
return ret;
c->instr.fpu.ea += (int8_t)byte;
}
else if( FPU_MOD(c->instr.fpu.fpu_data) == 2 || (FPU_MOD(c->instr.fpu.fpu_data) == 0 && FPU_RM(c->instr.fpu.fpu_data) == 5) )
{
uint32_t dword;
ret = emu_memory_read_dword(c->mem, c->eip, &dword);
c->eip += 4;
if( ret != 0 )
return ret;
c->instr.fpu.ea += dword;
}
}
/*c->instr.fpu.last_instr = c->last_fpu_instr;*/
c->last_fpu_instr[1] = c->last_fpu_instr[0];
c->last_fpu_instr[0] = eip_before;
}
// logDebug(c->emu,"\n");
eip_after = c->eip;
if ( CPU_DEBUG_FLAG_ISSET(c, instruction_size ) && eip_after - eip_before != expected_instr_size)
{
logDebug(c->emu, "broken instr.cpu size %i %i\n",
eip_after - eip_before,
expected_instr_size);
return -1;
}
/* the default normal position is behind the instruction, specific instructions as call jmp set their
* norm position
*/
if ( c->instr.is_fpu == 0 )
{
SOURCE_NORM_POS(c->instr, c->eip);
}
else
{
SOURCE_NORM_POS(c->instr, c->eip);
}
break;
}
int32_t env_linux_hook_execve(struct emu_env *env, struct emu_env_hook *hook)
{
printf("execve\n");
struct emu_cpu *c = emu_cpu_get(env->emu);
struct emu_string *name = emu_string_new();
emu_memory_read_string(emu_memory_get(c->emu), c->reg[ebx], name, 255);
if ( env->profile != NULL )
{
emu_profile_function_add(env->profile, "execve");
emu_profile_argument_add_ptr(env->profile, "const char *", "dateiname", c->reg[ebx]);
emu_profile_argument_add_string(env->profile, "", "", emu_string_char(name));
// emu_profile_argument_add_ptr(env->profile, "", "", c->reg[ecx]);
emu_profile_argument_array_start(env->profile, "const char *", "argv[]");
}
uint32_t p_array = c->reg[ecx];
uint32_t p_arg = -1;
emu_memory_read_dword(emu_memory_get(c->emu), p_array, &p_arg);
int i=1;
// char **argv = NULL;
while (p_arg != 0)
{
// argv = realloc(argv, (i+1) * sizeof(char *));
// argv[i] = NULL;
struct emu_string *arg = emu_string_new();
emu_memory_read_string(emu_memory_get(c->emu), p_arg, arg, 128);
// argv[i-1] = strdup(emu_string_char(arg));
if( emu_string_char(arg) == NULL )
{
emu_string_free(arg);
break;
}
if ( env->profile != NULL )
{
emu_profile_argument_add_ptr(env->profile, "", "", p_array+((i-1)*4));
emu_profile_argument_add_ptr(env->profile, "", "", p_arg);
emu_profile_argument_add_string(env->profile, "", "", emu_string_char(arg));
}
emu_string_free(arg);
emu_memory_read_dword(emu_memory_get(c->emu), p_array+(i*4), &p_arg);
i++;
}
if ( env->profile != NULL )
{
emu_profile_argument_add_ptr(env->profile, "", "", p_arg);
emu_profile_argument_add_none(env->profile);
// printf("arg is %s\n", emu_string_char(arg));
emu_profile_argument_array_end(env->profile);
emu_profile_argument_add_ptr(env->profile, "const char *", "envp[]", c->reg[edx]);
emu_profile_argument_add_none(env->profile);
emu_profile_function_returnvalue_int_set(env->profile, "int", 0);
}
printf("int execve (const char *dateiname=%08x={%s}, const char * argv[], const char *envp[]);\n",
c->reg[ebx],
emu_string_char(name));
emu_string_free(name);
return 0;
}
int32_t env_linux_hook_socketcall(struct emu_env *env, struct emu_env_hook *hook)
{
struct emu_cpu *c = emu_cpu_get(env->emu);
#define AL(x) (x)
static unsigned char nargs[18]={AL(0),AL(3),AL(3),AL(3),AL(2),AL(3),
AL(3),AL(3),AL(4),AL(4),AL(4),AL(6),
AL(6),AL(2),AL(5),AL(5),AL(3),AL(3)};
#undef AL
uint32_t a[6];
int i;
for ( i=0;i<nargs[c->reg[ebx]];i++ )
{
emu_memory_read_dword(emu_memory_get(c->emu),c->reg[ecx]+4*i,a+i);
}
uint32_t returnvalue = 0;
switch ( c->reg[ebx] )
{
case 1: // SYS_SOCKET
printf("int socket(int domain=%i, int type=%i, int protocol=%i);\n",
a[0],
a[1],
a[2]);
if (hook->hook.lin->userhook != NULL)
returnvalue = hook->hook.lin->userhook(env, hook, a[0], a[1], a[2]);
else
returnvalue = 14;
if ( env->profile != NULL )
{
emu_profile_function_add(env->profile, "socket");
emu_profile_argument_add_int(env->profile, "int", "domain", a[0]);
emu_profile_argument_add_int(env->profile, "int", "type", a[1]);
emu_profile_argument_add_int(env->profile, "int", "protocol", a[2]);
emu_profile_function_returnvalue_int_set(env->profile, "int", returnvalue);
}
emu_cpu_reg32_set(c, eax, returnvalue);
break;
case 2: // SYS_BIND
{
/*
printf("int bind(int sockfd=%i, struct sockaddr *my_addr=%08x={host %s port %i}, int addrlen);\n",
a[0],
a[1], inet_ntoa(*(struct in_addr *)&((struct sockaddr_in *)&sa)->sin_addr), ntohs(((struct sockaddr_in *)&sa)->sin_port)
);
*/
struct sockaddr sa;
memset(&sa, 0, sizeof(struct sockaddr));
emu_memory_read_block(emu_memory_get(c->emu), a[1], &sa, sizeof(struct sockaddr));
if (hook->hook.lin->userhook != NULL)
returnvalue = hook->hook.lin->userhook(env, hook, a[0], &sa, a[2]);
else
returnvalue = 0;
if (env->profile != NULL)
{
emu_profile_function_add(env->profile, "bind");
emu_profile_argument_add_int(env->profile, "int", "sockfd", a[0]);
emu_profile_argument_add_sockaddr_ptr(env->profile, "my_addr", a[1], sa);
emu_profile_argument_add_int(env->profile, "int", "addrlen", a[2]);
emu_profile_function_returnvalue_int_set(env->profile, "int", returnvalue);
}
emu_cpu_reg32_set(c, eax, returnvalue);
}
break;
case 3: // SYS_CONNECT
{
printf("connect\n");
struct sockaddr sa;
memset(&sa, 0, sizeof(struct sockaddr));
emu_memory_read_block(emu_memory_get(c->emu), a[1], &sa, sizeof(struct sockaddr));
if (hook->hook.lin->userhook != NULL)
returnvalue = hook->hook.lin->userhook(env, hook, a[0], &sa, a[2]);
else
returnvalue = 0;
if (env->profile != NULL)
{
emu_profile_function_add(env->profile, "connect");
emu_profile_argument_add_int(env->profile, "int", "sockfd", a[0]);
emu_profile_argument_add_sockaddr_ptr(env->profile, "serv_addr", a[1], sa);
emu_profile_argument_add_int(env->profile, "int", "addrlen", a[2]);
emu_profile_function_returnvalue_int_set(env->profile, "int", returnvalue);
}
emu_cpu_reg32_set(c, eax, returnvalue);
}
break;
case 4: // SYS_LISTEN
printf("int listen(int s=%i, int backlog=%i);\n",
a[0],
a[1]);
if (hook->hook.lin->userhook != NULL)
returnvalue = hook->hook.lin->userhook(env, hook, a[0], a[1]);
else
returnvalue = 0;
if (env->profile != NULL)
{
emu_profile_function_add(env->profile, "listen");
emu_profile_argument_add_int(env->profile, "int", "s", a[0]);
emu_profile_argument_add_int(env->profile, "int", "backlog", a[1]);
emu_profile_function_returnvalue_int_set(env->profile, "int", returnvalue);
}
emu_cpu_reg32_set(c, eax, returnvalue);
break;
case 5: // SYS_ACCEPT
printf("int accept(int s=%i, struct sockaddr *addr=%08x, int *addrlen=%08x);\n",
a[0],
a[1],
a[2]);
struct sockaddr sa;
memset(&sa, 0, sizeof(struct sockaddr));
emu_memory_read_block(emu_memory_get(c->emu), a[1], &sa, sizeof(struct sockaddr));
if (hook->hook.lin->userhook != NULL)
returnvalue = hook->hook.lin->userhook(env, hook, a[0], &sa, a[2]);
else
returnvalue = 19;
if (env->profile != NULL)
{
emu_profile_function_add(env->profile, "accept");
emu_profile_argument_add_int(env->profile, "int", "sockfd", a[0]);
emu_profile_argument_add_ptr(env->profile, "sockaddr_in *", "addr", a[1]);
emu_profile_argument_add_none(env->profile);
emu_profile_argument_add_ptr(env->profile, "int", "addrlen", a[2]);
emu_profile_argument_add_none(env->profile);
emu_profile_function_returnvalue_int_set(env->profile, "int", returnvalue);
}
emu_cpu_reg32_set(c, eax, returnvalue);
break;
case 6: // SYS_GETSOCKNAME
printf("sys_getsockname(2)\n");
break;
case 7: // SYS_GETPEERNAME
printf("sys_getpeername(2)\n");
break;
case 8: // SYS_SOCKETPAIR
printf("sys_socketpair(2)\n");
break;
case 9: // SYS_SEND
printf("sys_send(2)\n");
break;
case 10: // SYS_RECV
printf("sys_recv(2)\n");
break;
case 11: // SYS_SENDTO
printf("sys_sendto(2)\n");
break;
case 12: // SYS_RECVFROM
printf("sys_recvfrom(2)\n");
break;
case 13: // SYS_SHUTDOWN
printf("sys_shutdown(2)\n");
break;
case 14: // SYS_SETSOCKOPT
printf("sys_setsockopt(2)\n");
break;
case 15: // SYS_GETSOCKOPT
printf("sys_getsockopt(2)\n");
break;
case 16: // SYS_SENDMSG
printf("sys_sendmsg(2)\n");
break;
case 17: // SYS_RECVMSG
printf("sys_recvmsg(2)\n");
break;
default:
printf("syscall %i (%x) unknown", c->reg[ebx], c->reg[ebx]);
}
return 0;
}
