// R0 is command (label or query) // R1 is buf_start // R2 is length // R3 is offset (not currently implemented) void arm_hypercall_callback(CPUState *env){ target_ulong buf_start = env->regs[1]; target_ulong buf_len = env->regs[2]; if (env->regs[0] == 7 || env->regs[0] == 8){ //Taint label if (!taintEnabled){ printf("Taint plugin: Label operation detected\n"); printf("Enabling taint processing\n"); __taint_enable_taint(); } TaintOpBuffer *tempBuf = tob_new(buf_len * sizeof(TaintOp)); add_taint_ram(env, shadow, tempBuf, (uint64_t)buf_start, (int)buf_len); tob_delete(tempBuf); } else if (env->regs[0] == 9){ //Query taint on label if (taintEnabled){ printf("Taint plugin: Query operation detected\n"); Addr a = make_maddr(buf_start); bufplot(env, shadow, &a, (int)buf_len); } //printf("Disabling taint processing\n"); //taintEnabled = false; //taintJustDisabled = true; //printf("Label occurrences on HD: %d\n", shad_dir_occ_64(shadow->hd)); } }
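// Syscall hook for read(): when the read succeeded (ret > 0) on the tracked
// input descriptor infd, every byte it returned into p is labelled as
// tainted.  Always returns 0.
static int user_read(abi_long ret, abi_long fd, void *p){
    if (ret > 0 && fd == infd){
        // 5 MB scratch buffer for the taint ops (the literal is 5 * 1 MB).
        TaintOpBuffer *tempBuf = tob_new(5*1048576 /* 5MB */);
        // Go through uintptr_t so the pointer-to-integer conversion is
        // well-defined on hosts where a pointer is not 64 bits wide.
        add_taint(shadow, tempBuf, (uint64_t)(uintptr_t)p /*pointer*/, ret /*length*/);
        tob_delete(tempBuf);
    }
    return 0;
}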
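// x86 guest hypercall entry point for the taint plugin.
// call to label data
// EBX contains addr of that data
// ECX contains size of data
// EDI is the label integer
// EDX = starting offset (for positional labels only)
//       -mostly not used, this is managed in pirate_utils
// EAX selects the command:
//   7  label [EBX, EBX+ECX) with the single label in EDI
//   8  label [EBX, EBX+ECX) positionally
//   9  query taint on [EBX, EBX+ECX)
//   10 guest utility finished - reset the positional label counter
// All registers come straight from the guest and are untrusted.
void i386_hypercall_callback(CPUState *env){
    target_ulong buf_start = env->regs[R_EBX];
    target_ulong buf_len = env->regs[R_ECX];
    long label = env->regs[R_EDI];
    // ECX is guest-controlled: it is narrowed to int and multiplied into the
    // tob_new() size below, so bound it before either happens.
    const target_ulong max_len = 0x7fffffffu; /* INT_MAX */
    const int len_ok = buf_len <= max_len &&
                       buf_len <= (size_t)-1 / sizeof(TaintOp);

    if (env->regs[R_EAX] == 7 || env->regs[R_EAX] == 8){
        if (!len_ok){
            printf("Taint plugin: ignoring label request with out-of-range length 0x%llx\n",
                   (unsigned long long)buf_len);
            return;
        }
        if (!taintEnabled){
            printf("Taint plugin: Label operation detected\n");
            printf("Enabling taint processing\n");
            __taint_enable_taint();
        }
        TaintOpBuffer *tempBuf = tob_new(buf_len * sizeof(TaintOp));
        if (env->regs[R_EAX] == 7){
            // Standard buffer label
            add_taint_ram_single_label(env, shadow, tempBuf,
                                       (uint64_t)buf_start, (int)buf_len, label);
        }
        else {
            // Positional buffer label (EAX == 8)
            add_taint_ram_pos(env, shadow, tempBuf,
                              (uint64_t)buf_start, (int)buf_len);
        }
        tob_delete(tempBuf);
    }
    //mz Query taint on this buffer
    //mz EBX = start of buffer (VA)
    //mz ECX = size of buffer (bytes)
    // EDX = starting offset - for file queries
    //       -mostly not used, this is managed in pirate_utils
    else if (env->regs[R_EAX] == 9){ //Query taint on label
        if (!len_ok){
            printf("Taint plugin: ignoring query request with out-of-range length 0x%llx\n",
                   (unsigned long long)buf_len);
            return;
        }
        // Queries are only meaningful once taint tracking is running.
        if (taintEnabled){
            printf("Taint plugin: Query operation detected\n");
            Addr a = make_maddr(buf_start);
            bufplot(env, shadow, &a, (int)buf_len);
        }
    }
    else if (env->regs[R_EAX] == 10){
        // Guest util done - reset positional label counter
        taint_pos_count = 0;
    }
}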
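// Plugin teardown: dump the recorded tainted instructions (when
// tainted_instructions is set), unregister the PandaInstr LLVM pass,
// release the function pass manager, the shadow memory and the I/O
// taint-op buffer, then put QEMU back on plain TCG execution.
void uninit_plugin(void *self) {
    printf ("uninit taint plugin\n");

    if (tainted_instructions) {
        for ( auto &kvp : shadow->tpc ) {
            uint64_t asid = kvp.first;
            // uint64_t is not "unsigned long" on every host; widen explicitly
            // so the format specifier always matches the argument.
            printf ("asid = %llx\n", (unsigned long long)asid);
            for ( auto &pc : kvp.second ) {
                printf ("instr is tainted : asid=0x%llx : pc=0x%llx \n",
                        (unsigned long long)asid, (unsigned long long)pc);
            }
        }
    }

    /*
     * XXX: Here, we unload our pass from the PassRegistry. This seems to work
     * fine, until we reload this plugin again into QEMU and we get an LLVM
     * assertion saying the pass is already registered. This seems like a bug
     * with LLVM. Switching between TCG and LLVM works fine when passes aren't
     * added to LLVM.
     */
    llvm::PassRegistry *pr = llvm::PassRegistry::getPassRegistry();
    const llvm::PassInfo *pi = pr->getPassInfo(llvm::StringRef("PandaInstr"));
    if (!pi){
        printf("Unable to find 'PandaInstr' pass in pass registry\n");
    }
    else {
        pr->unregisterPass(*pi);
    }

    // Delete function pass manager and pass, then release the shadow memory
    // and the I/O taint-op buffer.  Each global is reset to NULL once freed
    // so a repeated uninit (e.g. across a plugin reload) cannot double-free
    // or dereference a stale pointer.
    delete taintfpm; // delete on NULL is a no-op
    taintfpm = NULL;
    if (shadow) {
        tp_free(shadow);
        shadow = NULL;
    }
    if (tob_io_thread) {
        tob_delete(tob_io_thread);
        tob_io_thread = NULL;
    }

    panda_disable_llvm();
    panda_disable_memcb();
    panda_enable_tb_chaining();
}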
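// Legacy x86 hypercall entry point: EAX == 0xdeadbeef selects the taint
// plugin, EBX is the command (0 = label, 1 = query), ECX the guest buffer
// start and EDX its length.  Registers are untrusted guest input.
// Always returns 1.
int guest_hypercall_callback(CPUState *env) {
#ifdef TARGET_I386
    if (env->regs[R_EAX] == 0xdeadbeef) {
        target_ulong buf_start = env->regs[R_ECX];
        target_ulong buf_len = env->regs[R_EDX];
        // EDX is guest-controlled and is narrowed to int below; reject values
        // that would turn negative on the way through.
        const target_ulong max_len = 0x7fffffffu; /* INT_MAX */
        if (buf_len > max_len) {
            printf("Taint plugin: ignoring hypercall with out-of-range length 0x%llx\n",
                   (unsigned long long)buf_len);
            return 1;
        }
        if (env->regs[R_EBX] == 0) { //Taint label
            // 5 MB scratch buffer for the taint ops (the literal is 5 * 1 MB).
            TaintOpBuffer *tempBuf = tob_new(5*1048576 /* 5MB */);
            add_taint(shadow, tempBuf, (uint64_t)buf_start, (int)buf_len);
            tob_delete(tempBuf);
        }
        else if (env->regs[R_EBX] == 1) { //Query taint on label
            bufplot(shadow, (uint64_t)buf_start, (int)buf_len);
        }
    }
#endif
    return 1;
}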
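// Legacy x86 hypercall entry point: EAX == 0xdeadbeef selects the taint
// plugin, EBX is the command (0 = label, 1 = query), ECX the guest buffer
// start and EDX its length.  Under CONFIG_SOFTMMU the guest virtual start
// address is translated to a physical one first.  Registers are untrusted
// guest input.  Always returns 1.
int guest_hypercall_callback(CPUState *env){
#ifdef TARGET_I386
    if (env->regs[R_EAX] == 0xdeadbeef){
        target_ulong buf_start = env->regs[R_ECX];
        target_ulong buf_len = env->regs[R_EDX];
        // EDX is guest-controlled and is narrowed to int below; reject values
        // that would turn negative on the way through.
        const target_ulong max_len = 0x7fffffffu; /* INT_MAX */
        if (buf_len > max_len){
            printf("Taint plugin: ignoring hypercall with out-of-range length 0x%llx\n",
                   (unsigned long long)buf_len);
            return 1;
        }
        if (env->regs[R_EBX] == 0){ //Taint label
            if (!taintEnabled){
                printf("Taint plugin: Label operation detected\n");
                printf("Enabling taint processing\n");
                taintJustEnabled = true;
                taintEnabled = true;
                enable_taint();
            }
            // 5 MB scratch buffer for the taint ops (the literal is 5 * 1 MB).
            TaintOpBuffer *tempBuf = tob_new(5*1048576 /* 5MB */);
#ifndef CONFIG_SOFTMMU
            add_taint(shadow, tempBuf, (uint64_t)buf_start, (int)buf_len);
#else
            add_taint(shadow, tempBuf, cpu_get_phys_addr(env, buf_start), (int)buf_len);
#endif //CONFIG_SOFTMMU
            tob_delete(tempBuf);
        }
        else if (env->regs[R_EBX] == 1){ //Query taint on label
#ifndef CONFIG_SOFTMMU
            bufplot(shadow, (uint64_t)buf_start, (int)buf_len);
#else
            bufplot(shadow, cpu_get_phys_addr(env, buf_start), (int)buf_len);
#endif //CONFIG_SOFTMMU
            // A query ends the taint session in this version of the plugin.
            printf("Taint plugin: Query operation detected\n");
            printf("Disabling taint processing\n");
            taintEnabled = false;
            taintJustDisabled = true;
        }
    }
#endif // TARGET_I386
    return 1;
}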
// XXX: Support all features of label and query program void i386_hypercall_callback(CPUState *env){ target_ulong buf_start = env->regs[R_EBX]; target_ulong buf_len = env->regs[R_ECX]; // call to iferret to label data // EBX contains addr of that data // ECX contains size of data // EDI is a pointer to a buffer containing the label string // ESI contains the length of that label // EDX = starting offset (for positional labels only) if (env->regs[R_EAX] == 7 || env->regs[R_EAX] == 8){ if (!taintEnabled){ printf("Taint plugin: Label operation detected\n"); printf("Enabling taint processing\n"); __taint_enable_taint(); } TaintOpBuffer *tempBuf = tob_new( buf_len * sizeof(TaintOp)); add_taint_ram(env, shadow, tempBuf, (uint64_t)buf_start, (int)buf_len); tob_delete(tempBuf); } //mz Query taint on this buffer //mz EBX = start of buffer (VA) //mz ECX = size of buffer (bytes) // EDI is a pointer to a buffer containing the filename or another name for this query // ESI contains the length of that string // EDX = starting offset - for file queries else if (env->regs[R_EAX] == 9){ //Query taint on label if (taintEnabled){ printf("Taint plugin: Query operation detected\n"); Addr a = make_maddr(buf_start); bufplot(env, shadow, &a, (int)buf_len); } //printf("Disabling taint processing\n"); //taintEnabled = false; //taintJustDisabled = true; //printf("Label occurrences on HD: %d\n", shad_dir_occ_64(shadow->hd)); } }
// R0 is command (label or query) // R1 is buf_start // R2 is length // R3 is offset (not currently implemented, managed in pirate_utils) // R4 is the label integer void arm_hypercall_callback(CPUState *env){ target_ulong buf_start = env->regs[1]; target_ulong buf_len = env->regs[2]; long label = env->regs[4]; if (env->regs[0] == 7 || env->regs[0] == 8){ if (!taintEnabled){ printf("Taint plugin: Label operation detected\n"); printf("Enabling taint processing\n"); __taint_enable_taint(); } TaintOpBuffer *tempBuf = tob_new( buf_len * sizeof(TaintOp)); if (env->regs[0] == 7){ // Standard buffer label add_taint_ram_single_label(env, shadow, tempBuf, (uint64_t)buf_start, (int)buf_len, label); } else if (env->regs[0] == 8){ // Positional buffer label add_taint_ram_pos(env, shadow, tempBuf, (uint64_t)buf_start, (int)buf_len); } tob_delete(tempBuf); } else if (env->regs[0] == 9){ //Query taint on label if (taintEnabled){ printf("Taint plugin: Query operation detected\n"); Addr a = make_maddr(buf_start); bufplot(env, shadow, &a, (int)buf_len); } //printf("Disabling taint processing\n"); //taintEnabled = false; //taintJustDisabled = true; //printf("Label occurrences on HD: %d\n", shad_dir_occ_64(shadow->hd)); } else if (env->regs[0] == 10){ // Guest util done - reset positional label counter taint_pos_count = 0; } }