// R0 is command (label or query) // R1 is buf_start // R2 is length // R3 is offset (not currently implemented) void arm_hypercall_callback(CPUState *env){ target_ulong buf_start = env->regs[1]; target_ulong buf_len = env->regs[2]; if (env->regs[0] == 7 || env->regs[0] == 8){ //Taint label if (!taintEnabled){ printf("Taint plugin: Label operation detected\n"); printf("Enabling taint processing\n"); __taint_enable_taint(); } TaintOpBuffer *tempBuf = tob_new(buf_len * sizeof(TaintOp)); add_taint_ram(env, shadow, tempBuf, (uint64_t)buf_start, (int)buf_len); tob_delete(tempBuf); } else if (env->regs[0] == 9){ //Query taint on label if (taintEnabled){ printf("Taint plugin: Query operation detected\n"); Addr a = make_maddr(buf_start); bufplot(env, shadow, &a, (int)buf_len); } //printf("Disabling taint processing\n"); //taintEnabled = false; //taintJustDisabled = true; //printf("Label occurrences on HD: %d\n", shad_dir_occ_64(shadow->hd)); } }
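/*
 * x86 guest hypercall handler for the taint plugin.
 *
 * Register convention (from the guest):
 *   EAX = command: 7 = label the buffer with the single label in EDI,
 *         8 = label it positionally, 9 = query taint on the buffer,
 *         10 = guest utility finished (resets the positional-label counter)
 *   EBX = guest virtual address of the buffer
 *   ECX = size of the buffer in bytes
 *   EDI = the label integer (command 7 only)
 *   EDX = starting offset (positional labels / file queries); not read
 *         here -- managed in pirate_utils
 *
 * EBX, ECX and EDI are untrusted guest values. The callees take the length
 * as an int, so a length that does not round-trip through a non-negative
 * int is rejected before any taint-op buffer is allocated.
 */
void i386_hypercall_callback(CPUState *env)
{
    target_ulong cmd = env->regs[R_EAX];
    target_ulong buf_start = env->regs[R_EBX];
    target_ulong buf_len = env->regs[R_ECX];
    long label = env->regs[R_EDI];

    if (cmd == 10) {
        // Guest util done - reset positional label counter
        taint_pos_count = 0;
        return;
    }
    if (cmd != 7 && cmd != 8 && cmd != 9) {
        return; // not a taint hypercall; nothing to do
    }

    // Guest-controlled length: must fit a non-negative int, and the
    // per-byte taint-op buffer allocated below must not overflow size_t.
    if ((int)buf_len < 0 || (target_ulong)(int)buf_len != buf_len
        || buf_len > SIZE_MAX / sizeof(TaintOp)) {
        printf("Taint plugin: rejecting hypercall with out-of-range length\n");
        return;
    }

    if (cmd == 7 || cmd == 8) {
        if (!taintEnabled) {
            printf("Taint plugin: Label operation detected\n");
            printf("Enabling taint processing\n");
            __taint_enable_taint();
        }
        TaintOpBuffer *tempBuf = tob_new(buf_len * sizeof(TaintOp));
        if (cmd == 7) {
            // Standard buffer label
            add_taint_ram_single_label(env, shadow, tempBuf, (uint64_t)buf_start,
                                       (int)buf_len, label);
        } else {
            // Positional buffer label
            add_taint_ram_pos(env, shadow, tempBuf, (uint64_t)buf_start, (int)buf_len);
        }
        tob_delete(tempBuf);
    } else {
        // Query taint on this buffer (cmd == 9): EBX = start (VA), ECX = size
        if (taintEnabled) {
            printf("Taint plugin: Query operation detected\n");
            Addr a = make_maddr(buf_start);
            bufplot(env, shadow, &a, (int)buf_len);
        }
        // Disabling taint after a query (and printing the shad_dir_occ_64
        // count) was commented out upstream and is deliberately not reinstated.
    }
}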
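/*
 * PANDA network hook: label the bytes of incoming packets and/or queue a
 * taint query for outgoing ones.
 *
 * env           CPU state handed to the taint callees.
 * buf, size     host copy of the packet and its length in bytes; buf itself
 *               is only used for TAINTDEBUG output.
 * direction     PANDA_NET_RX or PANDA_NET_TX; any other value is a
 *               programming error and trips assert().
 * old_buf_addr  address the packet is tracked under in the I/O shadow.
 *
 * Returns 0 unconditionally.
 *
 * The original placed `break` inside `if (taint_label_incoming_network_traffic)`,
 * so an RX packet arriving with labelling disabled fell through into the TX
 * branch and could be enqueued as an outgoing-traffic query. Each case now
 * ends unconditionally. The TAINTDEBUG format also printed uint64_t values
 * with %lx; they are now widened to unsigned long long to match %llx.
 */
int handle_packet(CPUState *env, uint8_t *buf, int size, uint8_t direction, uint64_t old_buf_addr)
{
    switch (direction) {
    case PANDA_NET_RX:
#ifdef TAINTDEBUG
        printf("RX packet\n");
        printf("Buf: 0x%llx, Old Buf: 0x%llx, Size %d\n",
               (unsigned long long)(uintptr_t)buf, (unsigned long long)old_buf_addr, size);
#endif
        if (taint_label_incoming_network_traffic) {
            if (!taintEnabled) {
                printf("Taint plugin: Label operation detected (network)\n");
                printf("Enabling taint processing\n");
                __taint_enable_taint();
            }
            add_taint_io(env, shadow, tob_io_thread, old_buf_addr, size);
            count += size;
        }
        break;
    case PANDA_NET_TX:
#ifdef TAINTDEBUG
        printf("TX packet\n");
        printf("Buf: 0x%llx, Old Buf: 0x%llx, Size %d\n",
               (unsigned long long)(uintptr_t)buf, (unsigned long long)old_buf_addr, size);
#endif
        if (taintEnabled && taint_query_outgoing_network_traffic) {
            TaintOp top = {0}; // zero the fields this path does not set
            top.typ = QUERYOP;
            top.val.query.l = size;
            top.val.query.a = make_iaddr(old_buf_addr);
            // make the taint op buffer bigger if necessary
            tob_resize(&tob_io_thread);
            tob_op_write(tob_io_thread, &top);
        }
        break;
    default:
        assert(0);
    }
    return 0;
}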
// XXX: Support all features of label and query program void i386_hypercall_callback(CPUState *env){ target_ulong buf_start = env->regs[R_EBX]; target_ulong buf_len = env->regs[R_ECX]; // call to iferret to label data // EBX contains addr of that data // ECX contains size of data // EDI is a pointer to a buffer containing the label string // ESI contains the length of that label // EDX = starting offset (for positional labels only) if (env->regs[R_EAX] == 7 || env->regs[R_EAX] == 8){ if (!taintEnabled){ printf("Taint plugin: Label operation detected\n"); printf("Enabling taint processing\n"); __taint_enable_taint(); } TaintOpBuffer *tempBuf = tob_new( buf_len * sizeof(TaintOp)); add_taint_ram(env, shadow, tempBuf, (uint64_t)buf_start, (int)buf_len); tob_delete(tempBuf); } //mz Query taint on this buffer //mz EBX = start of buffer (VA) //mz ECX = size of buffer (bytes) // EDI is a pointer to a buffer containing the filename or another name for this query // ESI contains the length of that string // EDX = starting offset - for file queries else if (env->regs[R_EAX] == 9){ //Query taint on label if (taintEnabled){ printf("Taint plugin: Query operation detected\n"); Addr a = make_maddr(buf_start); bufplot(env, shadow, &a, (int)buf_len); } //printf("Disabling taint processing\n"); //taintEnabled = false; //taintJustDisabled = true; //printf("Label occurrences on HD: %d\n", shad_dir_occ_64(shadow->hd)); } }
// R0 is command (label or query) // R1 is buf_start // R2 is length // R3 is offset (not currently implemented, managed in pirate_utils) // R4 is the label integer void arm_hypercall_callback(CPUState *env){ target_ulong buf_start = env->regs[1]; target_ulong buf_len = env->regs[2]; long label = env->regs[4]; if (env->regs[0] == 7 || env->regs[0] == 8){ if (!taintEnabled){ printf("Taint plugin: Label operation detected\n"); printf("Enabling taint processing\n"); __taint_enable_taint(); } TaintOpBuffer *tempBuf = tob_new( buf_len * sizeof(TaintOp)); if (env->regs[0] == 7){ // Standard buffer label add_taint_ram_single_label(env, shadow, tempBuf, (uint64_t)buf_start, (int)buf_len, label); } else if (env->regs[0] == 8){ // Positional buffer label add_taint_ram_pos(env, shadow, tempBuf, (uint64_t)buf_start, (int)buf_len); } tob_delete(tempBuf); } else if (env->regs[0] == 9){ //Query taint on label if (taintEnabled){ printf("Taint plugin: Query operation detected\n"); Addr a = make_maddr(buf_start); bufplot(env, shadow, &a, (int)buf_len); } //printf("Disabling taint processing\n"); //taintEnabled = false; //taintJustDisabled = true; //printf("Label occurrences on HD: %d\n", shad_dir_occ_64(shadow->hd)); } else if (env->regs[0] == 10){ // Guest util done - reset positional label counter taint_pos_count = 0; } }
/*
 * Public entry point that switches taint processing on.
 *
 * Thin wrapper around __taint_enable_taint(), which is defined elsewhere in
 * the plugin; it takes no arguments and returns nothing.
 */
void taint_enable_taint(void)
{
    __taint_enable_taint();
}