void move_selected_module_left(){ if(!selected_module) return; auto pos = locate_module(selected_module); if(pos == modules.begin()) return; auto pos2 = pos-1; swap_modules(pos2,pos); }
void move_selected_module_right(){ if(!selected_module) return; auto pos = locate_module(selected_module); auto pos2 = pos+1; if(pos2 == modules.end()) return; swap_modules(pos,pos2); }
void remove_module(Module* m){ if(!m) return; auto pos = locate_module(m); auto it = modules.erase(pos); for(; it != modules.end(); ++it) (*it)->xoffset -= m->panel_width + 1; last_x_offset -= m->panel_width + 1; mainwindow->cabinet.set_size_request((last_x_offset + 1)*gui_scale,-1); mainwindow->cabinet_scrolledwindow.set_size_request(-1,MODULE_PANEL_HEIGHT*gui_scale); delete m; }
void do_read_taint_mem(DECAF_Callback_Params *param) { uint32_t eip = cpu_single_env->eip; uint32_t cr3 = cpu_single_env->cr[3]; char name[128]; dmodule * dm = NULL; dm = locate_module(eip,cr3,name); if(!dm) return; if(param->rt.size <=4) DECAF_printf("READ 0x%08x 0x%08x 0x%08x %s\n",param->rt.vaddr,param->rt.paddr,*((uint32_t *)param->rt.taint_info),dm->name); else DECAF_printf("READ 0x%08x 0x%08x 0x%16x %s\n",param->rt.vaddr,param->rt.paddr,*((uint32_t *)param->rt.taint_info),dm->name); }
static int gsynth_read_module(FILE *fp) { ModuleInfo *mi; Module *mod = NULL; char basename[32]; char modulename[32]; int module_id; fread(&module_id, 4, 1, fp); module_id = ntohl(module_id); fread(basename, 32, 1, fp); fread(modulename, 32, 1, fp); if(module_id) { mi = locate_module(basename); if(mi) mod = gsynth_editor->CreateModule(mi); if(mod) mod->GetSModule()->set_id(module_id); } else mod = gsynth_editor->GetMaster(); if(!mod) { fprintf(stderr, "Can't load module \"%s\". Aborting load.\n", basename); return 0; } int x, y; fread(&x, 4, 1, fp); x = ntohl(x); fread(&y, 4, 1, fp); y = ntohl(y); mod->Move((float)x/GSYNTH_FLOAT_SCALE, (float)y/GSYNTH_FLOAT_SCALE); mod->SetName(modulename); int num_patterns; fread(&num_patterns, 4, 1, fp); num_patterns = ntohl(num_patterns); for(;num_patterns;num_patterns--) gsynth_read_pattern(fp, mod->GetSModule()); int num_entries; fread(&num_entries, 4, 1, fp); num_entries = ntohl(num_entries); for(;num_entries;num_entries--) { int row, patID; gsynth_Pattern *p; fread(&row, 4, 1, fp); row = ntohl(row); fread(&patID, 4, 1, fp); patID = ntohl(patID); p = locate_pattern(patID, mod->GetSModule()); mod->GetSModule()->sequence.SetEntry(p, row); } return 1; }
void tracing_block_begin(DECAF_Callback_Params* params) { char current_proc[512] = ""; CPUState* env = NULL; if (params != NULL) { env = params->bb.env; } /* Get thread id (needs to be done before checking hooks) */ // TODO: Are hooks checked before or after invoking block begin handler? current_tid = get_current_tid(env); // Let DECAF now that we want to hook the instructions in this block should_monitor = (decaf_plugin->monitored_cr3 == DECAF_cpu_cr[3]) && (!DECAF_is_in_kernel() || tracing_kernel()); /* If not right context, return */ if (!should_monitor) return; /* No need to check if we are tracing, otherwise block_begin unregistered */ //if ((tracepid == 0) && (!procname_is_set())) // return; /* If tracing module, check if we are in traced module */ if (modname_is_set()) { // Get current module name tmodinfo_t *mi = locate_module(*DECAF_cpu_eip, DECAF_cpu_cr[3], current_proc); // Check if right module if (mi && (modname_match(mi->name))) { tracing_start_condition = 1; modname_clear(); } } return; }
/*! * This is not clear how Temu define a block, however, both Hookfinder * & the sample plugin use this function to check if they are working * on the monitored process or not. */ int detector_block_begin() { // We care for nothing if (monitored_proc[0] == 0) { goto _finished; } uint32_t eip, esp, cr3; // Get the value of EIP register TEMU_read_register(eip_reg, &eip); // Get the value of CR3 register TEMU_read_register(cr3_reg, &cr3); // Get the value of ESP register TEMU_read_register(esp_reg, &esp); // Get the current process using the above registers tmodinfo_t * mi = locate_module(eip, cr3, current_proc); // Get the current working module inside the current process strcpy(current_mod, mi ? mi->name : "<unknown>"); if (0x00 == strcasecmp(current_mod, monitored_proc)) { // Save the base address checked_module_base = mi->base; // Save the size checked_module_size = mi->size; // We are inside the monitored module in_checked_module = LOC_INSIDE; goto _handle; } uint32_t phys_addr = TEMU_get_phys_addr(eip); // Check what ? taint_record_t records[0x04]; uint64_t taint = taintcheck_memory_check(phys_addr, 1, (uint8_t *) records); if (taint) { // This may be generated code in_checked_module = LOC_GEN; // Log fprintf( loghandle, "Tainted code: %s!%s eip=%08x\n", current_proc, mi ? mi->name: "<unknown>", eip); goto _handle; } // Get the id of the current thread current_thread_id = get_current_tid(); // Get the information about the current thread current_thread_node = (current_thread_id != -1UL) ? get_thread_info(current_thread_id) : NULL; // In system call if (current_thread_node) { if (current_thread_node->origin == 1 || current_thread_node->origin == 2) { // Jump out of malicious code if (((current_thread_node->esp & 0x80000000) == (esp & 0x80000000)) && (current_thread_node->esp < esp)) { // Return from malware delete_thread_info(current_thread_id); current_thread_node = NULL; goto _finished; } if (((current_thread_node->esp & 0x80000000) == (esp & 0x80000000)) && (current_thread_node->esp > esp)) { // External call - set the caller current_thread_node->entry_eip = eip; // Follow the Hookfinder style current_thread_node->origin = 3; goto _finished; } } } // Skip the rest goto _finished; _handle: // This is not the monitored process if(current_thread_id == -1UL) { goto _finished; } // Set the current thread info if (! current_thread_node) { thread_info_t info; // Zero-out bzero( &info, sizeof(info) ); // Set its members info.cr3 = cr3; info.esp = esp; // Why set its value to 0 ? info.eip = 0x00; info.origin = (uint32_t)in_checked_module; // Save the thread info write_thread_info(current_thread_id, &info); // and refer to the newly updated current thread current_thread_node = get_thread_info(current_thread_id); } current_thread_node->eip = 0; current_thread_node->out_eip = 0; current_thread_node->entry_eip = 0; current_thread_node->origin = (uint32_t)in_checked_module; _finished: //we should always check if there is a hook at this point, //no matter we are in the monitored context or not, because //some hooks are global. hookapi_check_call(should_monitor); // Thread ? in_checked_module = current_thread_node ? (enum location_t)current_thread_node->origin : LOC_NOWHERE; // Done return 0; }