void move_selected_module_left(){
if(!selected_module) return;
auto pos = locate_module(selected_module);
if(pos == modules.begin()) return;
auto pos2 = pos-1;
swap_modules(pos2,pos);
}
void move_selected_module_right(){
if(!selected_module) return;
auto pos = locate_module(selected_module);
auto pos2 = pos+1;
if(pos2 == modules.end()) return;
swap_modules(pos,pos2);
}
void remove_module(Module* m){
if(!m) return;
auto pos = locate_module(m);
auto it = modules.erase(pos);
for(; it != modules.end(); ++it) (*it)->xoffset -= m->panel_width + 1;
last_x_offset -= m->panel_width + 1;
mainwindow->cabinet.set_size_request((last_x_offset + 1)*gui_scale,-1);
mainwindow->cabinet_scrolledwindow.set_size_request(-1,MODULE_PANEL_HEIGHT*gui_scale);
delete m;
}
void do_read_taint_mem(DECAF_Callback_Params *param)
{
uint32_t eip = cpu_single_env->eip;
uint32_t cr3 = cpu_single_env->cr[3];
char name[128];
dmodule * dm = NULL;
dm = locate_module(eip,cr3,name);
if(!dm)
return;
if(param->rt.size <=4)
DECAF_printf("READ 0x%08x 0x%08x 0x%08x %s\n",param->rt.vaddr,param->rt.paddr,*((uint32_t *)param->rt.taint_info),dm->name);
else
DECAF_printf("READ 0x%08x 0x%08x 0x%16x %s\n",param->rt.vaddr,param->rt.paddr,*((uint32_t *)param->rt.taint_info),dm->name);
}
static int gsynth_read_module(FILE *fp)
{
ModuleInfo *mi;
Module *mod = NULL;
char basename[32];
char modulename[32];
int module_id;
fread(&module_id, 4, 1, fp); module_id = ntohl(module_id);
fread(basename, 32, 1, fp);
fread(modulename, 32, 1, fp);
if(module_id) {
mi = locate_module(basename);
if(mi) mod = gsynth_editor->CreateModule(mi);
if(mod) mod->GetSModule()->set_id(module_id);
}
else mod = gsynth_editor->GetMaster();
if(!mod) {
fprintf(stderr, "Can't load module \"%s\". Aborting load.\n", basename);
return 0;
}
int x, y;
fread(&x, 4, 1, fp); x = ntohl(x);
fread(&y, 4, 1, fp); y = ntohl(y);
mod->Move((float)x/GSYNTH_FLOAT_SCALE, (float)y/GSYNTH_FLOAT_SCALE);
mod->SetName(modulename);
int num_patterns;
fread(&num_patterns, 4, 1, fp); num_patterns = ntohl(num_patterns);
for(;num_patterns;num_patterns--)
gsynth_read_pattern(fp, mod->GetSModule());
int num_entries;
fread(&num_entries, 4, 1, fp); num_entries = ntohl(num_entries);
for(;num_entries;num_entries--) {
int row, patID;
gsynth_Pattern *p;
fread(&row, 4, 1, fp); row = ntohl(row);
fread(&patID, 4, 1, fp); patID = ntohl(patID);
p = locate_pattern(patID, mod->GetSModule());
mod->GetSModule()->sequence.SetEntry(p, row);
}
return 1;
}
void tracing_block_begin(DECAF_Callback_Params* params)
{
char current_proc[512] = "";
CPUState* env = NULL;
if (params != NULL)
{
env = params->bb.env;
}
/* Get thread id (needs to be done before checking hooks) */
// TODO: Are hooks checked before or after invoking block begin handler?
current_tid = get_current_tid(env);
// Let DECAF now that we want to hook the instructions in this block
should_monitor =
(decaf_plugin->monitored_cr3 == DECAF_cpu_cr[3]) &&
(!DECAF_is_in_kernel() || tracing_kernel());
/* If not right context, return */
if (!should_monitor)
return;
/* No need to check if we are tracing, otherwise block_begin unregistered */
//if ((tracepid == 0) && (!procname_is_set()))
// return;
/* If tracing module, check if we are in traced module */
if (modname_is_set()) {
// Get current module name
tmodinfo_t *mi =
locate_module(*DECAF_cpu_eip, DECAF_cpu_cr[3], current_proc);
// Check if right module
if (mi && (modname_match(mi->name))) {
tracing_start_condition = 1;
modname_clear();
}
}
return;
}
/*!
* This is not clear how Temu define a block, however, both Hookfinder
* & the sample plugin use this function to check if they are working
* on the monitored process or not.
*/
int detector_block_begin()
{
// We care for nothing
if (monitored_proc[0] == 0) { goto _finished; }
uint32_t eip, esp, cr3;
// Get the value of EIP register
TEMU_read_register(eip_reg, &eip);
// Get the value of CR3 register
TEMU_read_register(cr3_reg, &cr3);
// Get the value of ESP register
TEMU_read_register(esp_reg, &esp);
// Get the current process using the above registers
tmodinfo_t * mi = locate_module(eip, cr3, current_proc);
// Get the current working module inside the current process
strcpy(current_mod, mi ? mi->name : "<unknown>");
if (0x00 == strcasecmp(current_mod, monitored_proc)) {
// Save the base address
checked_module_base = mi->base;
// Save the size
checked_module_size = mi->size;
// We are inside the monitored module
in_checked_module = LOC_INSIDE;
goto _handle;
}
uint32_t phys_addr = TEMU_get_phys_addr(eip);
// Check what ?
taint_record_t records[0x04];
uint64_t taint = taintcheck_memory_check(phys_addr, 1, (uint8_t *) records);
if (taint) {
// This may be generated code
in_checked_module = LOC_GEN;
// Log
fprintf( loghandle,
"Tainted code: %s!%s eip=%08x\n",
current_proc,
mi ? mi->name: "<unknown>",
eip);
goto _handle;
}
// Get the id of the current thread
current_thread_id = get_current_tid();
// Get the information about the current thread
current_thread_node = (current_thread_id != -1UL) ? get_thread_info(current_thread_id) : NULL;
// In system call
if (current_thread_node) {
if (current_thread_node->origin == 1 || current_thread_node->origin == 2) {
// Jump out of malicious code
if (((current_thread_node->esp & 0x80000000) == (esp & 0x80000000)) &&
(current_thread_node->esp < esp))
{
// Return from malware
delete_thread_info(current_thread_id);
current_thread_node = NULL;
goto _finished;
}
if (((current_thread_node->esp & 0x80000000) == (esp & 0x80000000)) &&
(current_thread_node->esp > esp))
{
// External call - set the caller
current_thread_node->entry_eip = eip;
// Follow the Hookfinder style
current_thread_node->origin = 3;
goto _finished;
}
}
}
// Skip the rest
goto _finished;
_handle:
// This is not the monitored process
if(current_thread_id == -1UL) {
goto _finished;
}
// Set the current thread info
if (! current_thread_node) {
thread_info_t info;
// Zero-out
bzero( &info, sizeof(info) );
// Set its members
info.cr3 = cr3;
info.esp = esp;
// Why set its value to 0 ?
info.eip = 0x00;
info.origin = (uint32_t)in_checked_module;
// Save the thread info
write_thread_info(current_thread_id, &info);
// and refer to the newly updated current thread
current_thread_node = get_thread_info(current_thread_id);
}
current_thread_node->eip = 0;
current_thread_node->out_eip = 0;
current_thread_node->entry_eip = 0;
current_thread_node->origin = (uint32_t)in_checked_module;
_finished:
//we should always check if there is a hook at this point,
//no matter we are in the monitored context or not, because
//some hooks are global.
hookapi_check_call(should_monitor);
// Thread ?
in_checked_module = current_thread_node ? (enum location_t)current_thread_node->origin : LOC_NOWHERE;
// Done
return 0;
}
