//--------------------------------------------------------------------------
void rpc_debmod_t::neterr(const char *module)
{
int code = irs_error(irs);
error("%s: %s", module, winerr(code));
}
//--------------------------------------------------------------------------
void neterr(idarpc_stream_t *irs, const char *module)
{
int code = irs_error(irs);
qeprintf("%s: %s\n", module, winerr(code));
exit(1);
}
u8 *process_read(u8 *pname, int *fdlen) {
#ifdef WIN32
HANDLE process;
DWORD pid,
size;
int len;
u8 *baddr,
*buff;
if(!pname && !pname[0] && !pid) return(NULL);
if(pname) {
len = 0;
sscanf(pname, "%lu%n", &pid, &len);
if(len != strlen(pname)) pid = 0;
}
baddr = process_list(pid ? NULL : pname, &pid, &size);
if(!baddr) {
printf("\nError: process name/PID not found, use -p\n");
exit(1);
}
fixed_rva = (u32)baddr;
printf(
"- pid %u\n"
"- base address 0x%08x\n",
(u32)pid, fixed_rva);
process = OpenProcess(
PROCESS_VM_READ,
FALSE,
pid);
if(!process) winerr();
buff = malloc(size);
if(!buff) std_err();
if(!ReadProcessMemory(
process,
(LPCVOID)baddr,
buff,
size,
&size)
) winerr();
CloseHandle(process);
#else
pid_t pid;
u32 rva,
size,
memsize,
data;
u8 *buff;
pid = atoi(pname);
rva = 0x8048000; // sorry, not completely supported at the moment
fixed_rva = rva;
printf(
"- pid %u\n"
"- try using base address 0x%08x\n",
pid, fixed_rva);
if(ptrace(PTRACE_ATTACH, pid, NULL, NULL) < 0) std_err();
size = 0;
memsize = 0;
buff = NULL;
for(errno = 0; ; size += 4) {
if(!(size & 0xfffff)) fputc('.', stdout);
data = ptrace(PTRACE_PEEKDATA, pid, (void *)rva + size, NULL);
if(errno) {
if(errno != EIO) std_err();
break;
}
if(size >= memsize) {
memsize += 0x7ffff;
buff = realloc(buff, memsize);
if(!buff) std_err();
}
memcpy(buff + size, &data, 4);
}
fputc('\n', stdout);
buff = realloc(buff, size);
if(!buff) std_err();
if(ptrace(PTRACE_DETACH, pid, NULL, NULL) < 0) std_err();
#endif
*fdlen = size;
return(buff);
}
int idaapi maclnx_launch_process(
debmod_t *debmod,
const char *path,
const char *args,
const char *startdir,
int flags,
const char *input_path,
uint32 input_file_crc32,
void **child_pid)
{
// immediately switch to the startdir because path/input_path may be relative.
if ( startdir[0] != '\0' && chdir(startdir) == -1 )
{
debmod->dmsg("chdir '%s': %s\n", startdir, winerr(errno));
return -2;
}
// input file specified in the database does not exist
if ( input_path[0] != '\0' && !qfileexist(input_path) )
return -2;
// temporary thing, later we will retrieve the real file name
// based on the process id
debmod->input_file_path = input_path;
debmod->is_dll = (flags & DBG_PROC_IS_DLL) != 0;
// Parse the program path and extract in/out redirection info
qstring wpath, redir_in, redir_out;
bool append_out;
if ( parse_apppath(path, &wpath, &redir_in, &redir_out, &append_out) )
path = wpath.c_str();
if ( !qfileexist(path) )
{
debmod->dmsg("%s: %s\n", path, winerr(errno));
return -1;
}
int mismatch = 0;
if ( !debmod->check_input_file_crc32(input_file_crc32) )
mismatch = CRC32_MISMATCH;
launch_process_params_t lpi;
lpi.cb = sizeof(lpi);
// Input redir?
if ( !redir_in.empty() )
{
lpi.in_handle = open(redir_in.c_str(), O_RDONLY);
if ( lpi.in_handle == -1 )
{
debmod->dmsg("Failed to open input redirection file '%s': %s\n", redir_in.c_str(), winerr(errno));
return -1;
}
}
// Output redir?
if ( !redir_out.empty() )
{
lpi.out_handle = open(
redir_out.c_str(),
O_CREAT | O_WRONLY | (append_out ? O_APPEND : 0),
S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
if ( lpi.out_handle == -1 )
{
if ( lpi.in_handle != -1 )
close(lpi.in_handle);
debmod->dmsg("Failed to open output redirection file '%s': %s\n", redir_out.c_str(), winerr(errno));
return -1;
}
lpi.err_handle = lpi.out_handle;
}
qstring errbuf;
lpi.path = path;
lpi.args = args;
lpi.flags = LP_TRACE;
*child_pid = launch_process(lpi, &errbuf);
// Close redir files
if ( lpi.in_handle != -1 )
close(lpi.in_handle);
if ( lpi.out_handle != -1 )
close(lpi.out_handle);
if ( *child_pid == NULL )
{
debmod->dmsg("launch_process: %s", errbuf.c_str());
return -1;
}
return 1 | mismatch;
}
static void neterr(const char *module)
{
int code = get_network_error();
error("%s: %s", module, winerr(code));
}
//-------------------------------------------------------------------------
idarpc_stream_t *init_client_irs(const char *hostname, int port_number)
{
if ( hostname[0] == '\0' )
{
warning("AUTOHIDE NONE\n"
"Please specify the hostname in Debugger, Process options");
return NULL;
}
if ( !init_irs_layer() )
{
warning("AUTOHIDE NONE\n"
"Could not initialize sockets: %s", winerr(get_network_error()));
return NULL;
}
struct addrinfo ai, *res, *e;
char port[33];
// try to enumerate all possible addresses
memset(&ai,0, sizeof(ai));
ai.ai_flags = AI_CANONNAME;
ai.ai_family = PF_UNSPEC;
ai.ai_socktype = SOCK_STREAM;
qsnprintf(port, sizeof(port), "%d", port_number);
bool ok = false;
const char *errstr = NULL;
SOCKET sock = INVALID_SOCKET;
int code = getaddrinfo(hostname, port, &ai, &res);
if ( code != 0 )
{ // failed to resolve the name
errstr = gai_strerror(code);
}
else
{
for ( e = res; !ok && e != NULL; e = e->ai_next )
{
char uaddr[INET6_ADDRSTRLEN+1];
char uport[33];
if ( getnameinfo(e->ai_addr, e->ai_addrlen, uaddr, sizeof(uaddr),
uport, sizeof(uport), NI_NUMERICHOST | NI_NUMERICSERV) != 0 )
{
NETERR:
errstr = winerr(get_network_error());
continue;
}
sock = socket(e->ai_family, e->ai_socktype, e->ai_protocol);
if ( sock == INVALID_SOCKET )
goto NETERR;
setup_irs((idarpc_stream_t*)sock);
if ( connect(sock, e->ai_addr, e->ai_addrlen) == SOCKET_ERROR )
{
errstr = winerr(get_network_error());
closesocket(sock);
continue;
}
ok = true;
}
freeaddrinfo(res);
}
if ( !ok )
{
msg("Could not connect to %s: %s\n", hostname, errstr);
return NULL;
}
return (idarpc_stream_t*)sock;
}
BOOL
load_config(const char *config)
{
char *section = NULL, *p;
DWORD n, pids[100];
BOOL result = FALSE;
int line, chain, i;
if (!read_config(config))
return FALSE;
// save config to global variable (for get_host_by_name)
g_config_file = config;
// load information about users
if (!load_users(config)) {
error("start: Fatal error! Can't load users information!\n");
goto done;
}
// parse & add rules default and process-related
section = (char *)malloc(MAX_SECTION_SIZE);
if (section == NULL) {
liberr("malloc");
goto done;
}
GetPrivateProfileSection("_main_", section, MAX_SECTION_SIZE, config);
// get lines
chain = 0;
for (p = section, line = 1; *p != '\0'; p += strlen(p) + 1, line++) {
char *p2;
if (*p == ';' || *p == '#')
continue; // comment
p2 = strchr(p, '=');
if (p2 == NULL) {
error("%s:[_main_]:%d: invalid line format (no '=' character)", config, line);
continue;
}
if (chain >= MAX_CHAINS_COUNT) {
error("%s:[_main_]:%d: too many rules lines!", config, line);
break;
}
*p2 = '\0'; // temporary kill '='
add_rules_name(p, config, chain);
*p2 = '='; // recover '=' to make strlen(p) works right
chain++;
}
// try to get names for existing processes
if (pEnumProcesses != NULL && pEnumProcesses(pids, sizeof(pids), &n)) {
DWORD i;
n /= sizeof(DWORD);
for (i = 0; i < n; i++) {
char pname[MAX_PATH];
if (get_pname_by_pid(pids[i], pname + sizeof(DWORD), sizeof(pname) - sizeof(DWORD))) {
// send information to driver about pid and pname
DWORD nn;
*(DWORD *)pname = pids[i];
if (!DeviceIoControl(g_device, IOCTL_CMD_SETPNAME, pname,
sizeof(DWORD) + strlen(pname + sizeof(DWORD)) + 1,
NULL, 0, &nn, NULL))
winerr("DeviceIoControl");
}
}
}
// activate all chains!
for (i = 0; i < chain; i++) {
// activate chain #i
if (!DeviceIoControl(g_device, IOCTL_CMD_ACTIVATECHAIN, &i, sizeof(i),
NULL, 0, &n, NULL))
winerr("start: DeviceIoControl");
}
result = TRUE;
done:
free(section);
return result;
}
//--------------------------------------------------------------------------
// Read/write a model specific register using the driver provided by WinDbg.
// The following requirements are imposed by this code:
// - debugger module should be run with admin privileges
// - System must be loaded with /debug switch (use bcdedit.exe to turn it on)
// - Windbg local kernel debugging should be used at least once
// This code is based on a sample kindly provided by Alex Ionescu.
int win32_debmod_t::kldbgdrv_access_msr(SYSDBG_MSR *msr, bool write)
{
NTSTATUS code;
IO_STATUS_BLOCK IoStatusBlock;
if ( DriverHandle == NULL )
{
//
// Acquire 'load driver' privilege
//
BOOLEAN Old;
code = RtlAdjustPrivilege(SE_LOAD_DRIVER_PRIVILEGE, TRUE, FALSE, &Old);
if ( FAILED(code) )
{
dwarning("AUTOHIDE NONE\n"
"Failed to acquire 'load driver' privilege, please run as admin!\n"
"Error: %s\n", winerr(code));
return code;
}
//
// And need this for the driver to accept our commands
// Additionally, system must be booted in /DEBUG mode
//
code = RtlAdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, FALSE, &Old);
if ( FAILED(code) )
{
dwarning("AUTOHIDE NONE\n"
"Failed to acquire 'debug' privilege, is system booted in /debug mode?\n"
"Error: %s\n", winerr(code));
return code;
}
//
// Now load the driver
//
code = NtLoadDriver(&DriverPath);
if ( FAILED(code) && code != STATUS_IMAGE_ALREADY_LOADED )
{
dwarning("AUTOHIDE NONE\n"
"Failed to load 'kldbgdrv', please use local kernel debugging at least once!\n"
"Error: %s\n", winerr(code));
return code;
}
//
// Open a handle to it
//
OBJECT_ATTRIBUTES ObjectAttributes;
InitializeObjectAttributes(&ObjectAttributes, &DriverName, OBJ_CASE_INSENSITIVE, NULL, NULL);
code = NtCreateFile(&DriverHandle,
GENERIC_READ | GENERIC_WRITE,
&ObjectAttributes,
&IoStatusBlock,
NULL,
FILE_ATTRIBUTE_NORMAL,
0,
FILE_CREATE,
FILE_NON_DIRECTORY_FILE,
NULL,
0);
if ( FAILED(code) )
{
dwarning("AUTOHIDE NONE\n"
"Failed to open 'kldbgdrv'\n"
"Error: %s\n", winerr(code));
return code;
}
}
//
// Package the input parameters into the private structure
//
KLDD_DATA_DEBUG_CONTROL KldDebugCommand;
KldDebugCommand.Command = write ? SysDbgWriteMsr : SysDbgReadMsr;
KldDebugCommand.InputBuffer = msr;
KldDebugCommand.InputBufferLength = sizeof(*msr);
//
// Send the request -- output isn't packaged, just specify directly the buffer
//
code = NtDeviceIoControlFile(DriverHandle,
NULL,
NULL,
NULL,
&IoStatusBlock,
KLDD_CODE_DEBUG_CONTROL,
&KldDebugCommand,
sizeof(KldDebugCommand),
msr,
sizeof(*msr));
if ( FAILED(code) )
{
dwarning("AUTOHIDE NONE\n"
"Failed to access model specific register, is system booted in /debug mode?\n"
"Error: %s\n", winerr(code));
return code;
}
// all ok!
return code;
}
BOOL
load_users(const char *config)
{
BOOL result = FALSE;
char *section, *p, *all_sids = NULL;
int line, sid_id;
ULONG all_sids_len = 0, all_sids_size = 0, n;
section = (char *)malloc(MAX_SECTION_SIZE);
if (section == NULL) {
liberr("malloc");
return FALSE;
}
GetPrivateProfileSection("_users_", section, MAX_SECTION_SIZE, config);
// get lines
sid_id = 0;
for (p = section, line = 1; *p != '\0'; p += strlen(p) + 1, line++) {
char *p2, *p3, *authority, *principal, domain[100];
char *sid_buf;
DWORD sid_size, domain_size;
SID_NAME_USE use;
if (*p == ';')
continue; // comment
p2 = strchr(p, '=');
if (p2 == NULL) {
error("%s:[_users_]:%d: invalid line format (no '=' character)", config, line);
continue;
}
*p2 = '\0'; // temporary kill '='
if (sid_id != 0) {
// not _default_
p3 = strchr(p, '\\');
if (p3 != NULL) {
*p3 = '\0';
authority = p;
if (strcmp(authority, "NT AUTHORITY") == 0)
authority = NULL;
principal = p3 + 1;
} else {
authority = NULL;
principal = p;
}
// try to get SID size
sid_size = 0;
domain_size = 0;
LookupAccountName(authority, principal, NULL, &sid_size, NULL, &domain_size, &use);
} else
sid_size = 0; // empty SID for default
if (all_sids_len + sid_size + sizeof(ULONG) >= all_sids_size) {
all_sids_size += sid_size + sizeof(ULONG) + 4096;
all_sids = (char *)realloc(all_sids, all_sids_size);
if (all_sids == NULL) {
liberr("malloc");
goto done;
}
}
sid_buf = all_sids + all_sids_len;
all_sids_len += sid_size + sizeof(ULONG);
*(ULONG *)sid_buf = sid_size;
if (sid_id != 0) {
domain_size = sizeof(domain);
if (!LookupAccountName(authority, principal,
(PSID)(sid_buf + sizeof(ULONG)), &sid_size, domain, &domain_size, &use)) {
winerr("LookupAccountName");
error("%s:[_users_]:%d: Error getting SID for %s\\%s", config, line,
(authority != NULL ? authority : "."), principal);
goto done;
}
if (use != SidTypeUser && use != SidTypeWellKnownGroup) {
error("%s:[_users_]:%d: Invalid SID type (%d) for %s\\%s", config, line, use,
(authority != NULL ? authority : "."), principal);
goto done;
}
if (p3 != NULL)
*p3 = '\\';
}
*p2 = '='; // recover '=' to make strlen(p) works right
sid_id++;
}
// send all_sids buffer to filter driver!
result = DeviceIoControl(g_device, IOCTL_CMD_SET_SIDS, all_sids, all_sids_len,
NULL, 0, &n, NULL);
if (!result)
winerr("DeviceIoControl");
done:
free(all_sids);
free(section);
return result;
}
/* log filter request from filter driver */
void
dispatch_request(struct flt_request *request)
{
u_long from_ip, to_ip;
u_short from_port, to_port;
char msg[1024], pname_buf[MAX_PATH], addr_from[100], addr_to[100], *pname, uname[200];
if (request->log_skipped != 0) {
if (_snprintf(msg, sizeof(msg), "SKIP\t%u", request->log_skipped) == -1)
msg[sizeof(msg) - 1] = '\0';
log_msg(msg, MSGTYPE_ERROR);
}
if (request->pid != (ULONG)-1) {
if (request->pname == NULL) {
// try to resolve pid to pname
if (get_pname_by_pid(request->pid, pname_buf + sizeof(DWORD), sizeof(pname_buf) - sizeof(DWORD))) {
// send message to driver to send process name next time
DWORD n;
pname = pname_buf + sizeof(DWORD);
*(DWORD *)pname_buf = request->pid;
if (!DeviceIoControl(g_device, IOCTL_CMD_SETPNAME, pname_buf,
sizeof(DWORD) + strlen(pname) + 1,
NULL, 0, &n, NULL))
winerr("DeviceIoControl");
} else {
error("PROCESS\tCan't resolve pid %u!", request->pid);
sprintf(pname_buf, "pid:%u", request->pid);
pname = pname_buf;
}
} else
pname = (char *)&request[1];
} else
pname = "";
if (request->sid_a != NULL) {
SID_AND_ATTRIBUTES *sa;
char user[100], domain[100];
DWORD size1, size2;
SID_NAME_USE type;
if (request->pname != NULL) {
char *buf = (char *)&request[1];
buf += strlen(buf) + 1;
sa = (SID_AND_ATTRIBUTES *)buf;
} else
sa = (SID_AND_ATTRIBUTES *)&request[1];
// convert sid from relative pointer to absolute
sa->Sid = (PSID)((char *)sa + (ULONG)sa->Sid);
size1 = sizeof(user);
size2 = sizeof(domain);
if (LookupAccountSid(NULL, sa->Sid, user, &size1, domain, &size2, &type)) {
if (_snprintf(uname, sizeof(uname), "{%s\\%s}", domain, user) == -1)
uname[sizeof(uname) - 1] = '\0';
} else
strcpy(uname, "{??\\??}"); // TODO: convert SID to string
} else
uname[0] = '\0';
// check is it request type "TYPE_RESOLVE_PID"
if (request->type == TYPE_RESOLVE_PID) {
if (_snprintf(msg, sizeof(msg), "PROCESS\t%u\t%s\t%s", request->pid, pname, uname) == -1)
msg[sizeof(msg) - 1] = '\0';
log_msg(msg, MSGTYPE_ALLOW);
} else if (request->type == TYPE_LISTEN || request->type == TYPE_NOT_LISTEN) {
// using from_ip & from_port as listen_ip & listen_port
from_ip = ((struct sockaddr_in *)&request->addr.from)->sin_addr.s_addr;
from_port = ntohs(((struct sockaddr_in *)&request->addr.from)->sin_port);
prepare_addr(addr_from, sizeof(addr_from), from_ip);
sprintf(addr_from + strlen(addr_from), ":%d", from_port);
if (_snprintf(msg, sizeof(msg),
"%s\tTCP\t%s\t%s\t%s",
(request->type == TYPE_LISTEN) ? "LISTEN" : "NOT_LISTEN",
addr_from, pname, uname) == -1)
msg[sizeof(msg) - 1] = '\0';
log_msg(msg, MSGTYPE_ALLOW);
} else {
// prepare message
from_ip = ((struct sockaddr_in *)&request->addr.from)->sin_addr.s_addr;
from_port = ntohs(((struct sockaddr_in *)&request->addr.from)->sin_port);
to_ip = ((struct sockaddr_in *)&request->addr.to)->sin_addr.s_addr;
to_port = ntohs(((struct sockaddr_in *)&request->addr.to)->sin_port);
// prepare address "from" & "to"
if (from_ip == 0) {
// try to route "to" addr to get "from"
from_ip = get_if_ip(to_ip);
}
prepare_addr(addr_from, sizeof(addr_from), from_ip);
if (to_ip == 0) {
// some kind of "reverse route" :-)
to_ip = get_if_ip(from_ip);
}
prepare_addr(addr_to, sizeof(addr_to), to_ip);
// add ports if nonzero
if (from_port != 0)
sprintf(addr_from + strlen(addr_from), ":%d", from_port);
if (to_port != 0)
sprintf(addr_to + strlen(addr_to), ":%d", to_port);
if (request->result == FILTER_ALLOW || request->result == FILTER_DENY ||
request->result == FILTER_DISCONNECT) {
// log it! (TDI message)
char tdi_msg[100 + RULE_ID_SIZE], size_str[64], *direction;
switch (request->result) {
case FILTER_ALLOW:
strcpy(tdi_msg, "ALLOW");
break;
case FILTER_DENY:
strcpy(tdi_msg, "DENY");
break;
default:
strcpy(tdi_msg, "CLOSED");
}
if (request->result != FILTER_DISCONNECT) {
int size;
size_str[0] = '\0';
switch (request->type) {
case TYPE_CONNECT_CANCELED:
strcat(tdi_msg, "(CANCELED)");
break;
case TYPE_CONNECT_RESET:
strcat(tdi_msg, "(RESET)");
break;
case TYPE_CONNECT_TIMEOUT:
strcat(tdi_msg, "(TIMEOUT)");
break;
case TYPE_CONNECT_UNREACH:
strcat(tdi_msg, "(UNREACH)");
break;
case TYPE_CONNECT_ERROR:
sprintf(tdi_msg + strlen(tdi_msg), "(ERR:%x)", request->status);
break;
case TYPE_DATAGRAM:
size = (request->direction == DIRECTION_IN) ? request->log_bytes_in : request->log_bytes_out;
if (size != (ULONG)-1)
sprintf(size_str, "%u", size);
break;
}
strcat(tdi_msg, "\t[");
size = strlen(tdi_msg);
memcpy(tdi_msg + size, request->log_rule_id, RULE_ID_SIZE);
tdi_msg[size + RULE_ID_SIZE + 1] = '\0'; // string can be not zero-terminated
strcat(tdi_msg, "]");
} else
sprintf(size_str, "%u/%u", request->log_bytes_out, request->log_bytes_in);
switch (request->direction) {
case DIRECTION_IN:
direction = "IN";
break;
case DIRECTION_OUT:
direction = "OUT";
break;
case DIRECTION_ANY:
direction = "*";
break;
default:
direction = "?";
}
if (_snprintf(msg, sizeof(msg),
"%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s",
tdi_msg,
(request->proto == IPPROTO_TCP) ? "TCP" :
(request->proto == IPPROTO_UDP ? "UDP" : "RawIP"),
direction,
addr_from, addr_to, size_str, pname, uname) == -1)
msg[sizeof(msg) - 1] = '\0';
// sound it!
if (request->result == FILTER_DENY) {
// TODO: try to sound it by voice of user!
if (request->direction == DIRECTION_IN && wave_deny_in[0] != '\0')
PlaySound(wave_deny_in, NULL, SND_FILENAME | SND_ASYNC);
if (request->direction == DIRECTION_OUT && wave_deny_out[0] != '\0')
PlaySound(wave_deny_out, NULL, SND_FILENAME | SND_ASYNC);
}
log_msg(msg, request->result == FILTER_ALLOW ? MSGTYPE_ALLOW : MSGTYPE_DENY);
} else if (request->result == FILTER_PACKET_LOG || request->result == FILTER_PACKET_BAD) {
char flags[50], proto[50];
// prepare TCP flags or ICMP type
if (request->result == FILTER_PACKET_LOG) {
if (request->proto == IPPROTO_TCP) {
UCHAR th_flags = request->packet.tcp_flags;
flags[0] = (th_flags & TH_FIN) ? 'F' : '-';
flags[1] = (th_flags & TH_SYN) ? 'S' : '-';
flags[2] = (th_flags & TH_RST) ? 'R' : '-';
flags[3] = (th_flags & TH_PUSH) ? 'P' : '-';
flags[4] = (th_flags & TH_ACK) ? 'A' : '-';
flags[5] = (th_flags & TH_URG) ? 'U' : '-';
flags[6] = '\0';
} else if (request->proto == IPPROTO_ICMP)
sprintf(flags, "%d.%d", request->packet.icmp_type, request->packet.icmp_code);
else
flags[0] = '\0';
} else
flags[0] = '\0';
switch (request->proto) {
case IPPROTO_TCP:
if (request->packet.tcp_state > TCP_STATE_NONE &&
request->packet.tcp_state < TCP_STATE_MAX)
sprintf(proto, "TCP(%s)", g_tcp_states[request->packet.tcp_state]);
else
strcpy(proto, "TCP");
break;
case IPPROTO_UDP:
strcpy(proto, "UDP");
break;
case IPPROTO_ICMP:
strcpy(proto, "ICMP");
break;
default:
sprintf(proto, "%d", request->proto);
}
// log it! (packet filter message)
if (_snprintf(msg, sizeof(msg),
"%s\t%s\t%s\t%s\t%s\t%u\t%s",
(request->result == FILTER_PACKET_LOG) ? "PACKET" : "BAD_PACKET",
proto,
(request->direction == DIRECTION_IN) ? "IN" : "OUT",
addr_from, addr_to,
(request->direction == DIRECTION_IN) ? request->log_bytes_in : request->log_bytes_out,
flags) == -1)
msg[sizeof(msg) - 1] = '\0';
log_msg(msg, request->result == FILTER_PACKET_LOG ? MSGTYPE_ALLOW : MSGTYPE_DENY);
}
}
}
// enum connections
void
enum_connect(void)
{
ULONG size;
struct tcp_conn_nfo *tn = NULL;
int i, n;
unsigned __int64 traffic[TRAFFIC_MAX];
// try to dynamically link psapi.dll
link_psapi();
/* connect with driver */
g_device = CreateFile(g_nfo_device_name, GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
if (g_device == INVALID_HANDLE_VALUE) {
winerr(g_nfo_device_name);
goto done;
}
/* get list of listening objects */
size = sizeof(*tn) * 0x10000 * 3; // this size is good enough :-)
tn = (struct tcp_conn_nfo *)malloc(size);
if (tn == NULL) {
perror("malloc");
goto done;
}
if (!DeviceIoControl(g_device, IOCTL_CMD_ENUM_TCP_CONN, NULL, 0,
tn, size, &size, NULL)) {
winerr("DeviceIoControl");
goto done;
}
n = size / sizeof(*tn);
// sort this list!
qsort(tn, n, sizeof(*tn), compare_tn);
for (i = 0; i < n ; i++) {
char pname[MAX_PATH];
if (tn[i].state >= TCP_STATE_MAX)
tn[i].state = 0;
// resolve pid!
if (!get_pname_by_pid(tn[i].pid, pname, sizeof(pname)))
pname[0] = '\0';
printf("%s\t%d.%d.%d.%d:%d\t%d.%d.%d.%d:%d\t%s (%d)\t%u/%u\n",
g_tcp_states[tn[i].state],
PRINT_IP_ADDR(tn[i].laddr), ntohs(tn[i].lport),
PRINT_IP_ADDR(tn[i].raddr), ntohs(tn[i].rport),
pname, tn[i].pid,
tn[i].bytes_out, tn[i].bytes_in);
}
// output traffic counters
get_traffic_stats(traffic);
printf(
"\n"
"Traffic counters (out/in):\n"
" Total: %I64u/%I64u\n"
" Counted: %I64u/%I64u\n",
traffic[TRAFFIC_TOTAL_OUT], traffic[TRAFFIC_TOTAL_IN],
traffic[TRAFFIC_COUNTED_OUT], traffic[TRAFFIC_COUNTED_IN]);
done:
free(tn);
if (g_device != INVALID_HANDLE_VALUE)
CloseHandle(g_device);
}
int
start(const char *config)
{
int result = FALSE;
WSADATA wsd;
DWORD thread_id;
WSAStartup(MAKEWORD(1, 1), &wsd);
// try to dynamically link psapi.dll
link_psapi();
/* connect with driver */
g_device = CreateFile(g_device_name, GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
if (g_device == INVALID_HANDLE_VALUE) {
winerr(g_device_name);
goto done;
}
/* open event for driver communication */
g_event = OpenEvent(SYNCHRONIZE, FALSE, "tdifw_request");
if (g_event == NULL) {
winerr("start: OpenEvent");
goto done;
}
/* load config & rules */
if (!load_config(config))
goto done;
/* start dispatcher thread */
g_exit_event = CreateEvent(NULL, TRUE, FALSE, NULL);
if (g_exit_event == NULL) {
winerr("start: CreateEvent");
goto done;
}
g_disp_buf = (char *)malloc(DISP_BUF_SIZE);
if (g_disp_buf == NULL) {
liberr("start: malloc");
goto done;
}
log_msg("START", MSGTYPE_ALLOW);
g_dispatcher = lib_CreateThread(NULL, 0, dispatcher, (LPVOID)config, 0, &thread_id);
if (g_dispatcher == NULL) {
winerr("start: lib_CreateThread");
goto done;
}
result = TRUE;
done:
if (!result)
stop();
return result;
}
// enum listening objects
void
enum_listen(void)
{
ULONG size;
struct listen_nfo *ln = NULL;
int i, n;
// try to dynamically link psapi.dll
link_psapi();
/* connect with driver */
g_device = CreateFile(g_nfo_device_name, GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
if (g_device == INVALID_HANDLE_VALUE) {
winerr(g_nfo_device_name);
goto done;
}
/* get list of listening objects */
size = sizeof(*ln) * 0x10000 * 3; // this size is good enough :-)
ln = (struct listen_nfo *)malloc(size);
if (ln == NULL) {
perror("malloc");
goto done;
}
if (!DeviceIoControl(g_device, IOCTL_CMD_ENUM_LISTEN, NULL, 0,
ln, size, &size, NULL)) {
winerr("DeviceIoControl");
goto done;
}
n = size / sizeof(*ln);
// sort this list!
qsort(ln, n, sizeof(*ln), compare_ln);
printf("IPProto\tAddress:Port\tProcess (pid)\n");
printf("-------\t------------\t---------------------------------------------\n");
for (i = 0; i < n ; i++) {
char *proto, pname[MAX_PATH];
if (ln[i].ipproto == IPPROTO_TCP)
proto = "TCP";
else if (ln[i].ipproto == IPPROTO_UDP)
proto = "UDP";
else if (ln[i].ipproto == IPPROTO_IP)
proto = "RawIP";
else
proto = "?";
// resolve pid!
if (!get_pname_by_pid(ln[i].pid, pname, sizeof(pname)))
pname[0] = '\0';
printf("%s\t%d.%d.%d.%d:%d\t%s (%d)\n",
proto, PRINT_IP_ADDR(ln[i].addr), ntohs(ln[i].port), pname, ln[i].pid);
}
done:
free(ln);
if (g_device != INVALID_HANDLE_VALUE)
CloseHandle(g_device);
}
//--------------------------------------------------------------------------
// ipath==input file path
static bool ask_user_and_copy(const char *ipath)
{
// check if the input file exists at the current dir of the remote host
const char *input_file = ipath;
#if DEBUGGER_ID != DEBUGGER_ID_ARM_EPOC_USER
input_file = qbasename(input_file);
#endif
int fn = -1;
// try to open remote file in the current dir if not tried before
if ( input_file != ipath )
fn = s_open_file(input_file, NULL, true);
if ( fn != -1 )
{
s_close_file(fn);
switch ( askbuttons_c("~U~se found",
"~C~opy new",
"Cancel",
1,
"IDA could not find the remote file %s.\n"
"But it could find remote file %s.\n"
"Do you want to use the found file?",
ipath, input_file) )
{
case 1:
set_root_filename(input_file);
return true;
case -1:
return false;
}
// the user wants to overwrite the old file
}
else
{
if ( askyn_c(1, "HIDECANCEL\n"
"The remote file %s could not be found.\n"
"Do you want IDA to copy the executable to the remote computer?",
ipath) <= 0 )
return false;
}
// We are to copy the input file to the remote computer's current directory
const char *lname = ipath;
// check if the file path is valid on the local system
if ( !qfileexist(lname) )
{
lname = askfile_c(false, lname, "Please select the file to copy");
if ( lname == NULL )
return false;
}
#if DEBUGGER_ID == DEBUGGER_ID_ARM_EPOC_USER
const char *rname = input_file;
#else
const char *rname = qbasename(lname);
#endif
int code = copy_to_remote(lname, rname);
if ( code != 0 )
{
#if DEBUGGER_ID == DEBUGGER_ID_ARM_WINCE_USER
// Windows CE does not have errno and uses GetLastError()
const char *err = winerr(code);
#else
const char *err = qerrstr(code);
#endif
warning("Failed to copy %s -> %s\n%s", lname, rname, err);
}
set_root_filename(rname);
return true;
}
BOOL
add_rules_name(const char *main_name, const char *config, int chain)
{
char buf[1024], *p, *p2, *section = NULL;
BOOL result = FALSE;
DWORD n;
section = (char *)malloc(MAX_SECTION_SIZE);
if (section == NULL) {
liberr("malloc");
goto done;
}
/* 1. get ruleset string */
GetPrivateProfileString("_main_", main_name, "", buf, sizeof(buf), config);
if (*buf == '\0')
goto done; // no rules
// reset all rules for chain
if (!DeviceIoControl(g_device, IOCTL_CMD_CLEARCHAIN, &chain, sizeof(chain),
NULL, 0, &n, NULL)) {
winerr("DeviceIoControl");
goto done;
}
if (chain != 0) {
// set chain name
int len = sizeof(int) + MAX_PATH;
char *data = (char *)malloc(len);
if (data == NULL) {
liberr("malloc");
goto done;
}
*(int *)data = chain;
// try to extract environment variables from p to main_name
ExpandEnvironmentStrings(main_name, data + sizeof(int), MAX_PATH);
len = sizeof(int) + strlen(data + sizeof(int)) + 1;
if (!DeviceIoControl(g_device, IOCTL_CMD_SETCHAINPNAME, data, len,
NULL, 0, &n, NULL)) {
winerr("DeviceIoControl");
free(data);
goto done;
}
free(data);
}
/* 2. for each word in main_name string */
p = buf;
while (p != NULL) {
p2 = strchr(p, ' ');
if (p2 != NULL) {
while (*p2 == ' ')
*(p2++) = '\0';
}
if (*p != '\0') {
// get section by name in p
GetPrivateProfileSection(p, section, MAX_SECTION_SIZE, config);
if (*section == '\0')
error("\"%s\": unexistant or empty section %s", config, p);
else
add_rules(config, section, p, chain);
}
p = p2;
}
result = TRUE;
done:
free(section);
return result;
}
//----------------------------------------------------------------------
// Display a system error message
static void error_msg(const char *name)
{
int code = GetLastError();
if ( code != 0 )
msg("%s: %s\n", name, winerr(code));
}
int idaapi maclnx_launch_process(
debmod_t *debmod,
const char *path,
const char *args,
const char *startdir,
int flags,
const char *input_path,
uint32 input_file_crc32,
void **child_pid)
{
// prepare full path if the input_path is relative
char full_input[QMAXPATH];
if ( startdir[0] != '\0' && !qisabspath(input_path) )
{
qmake_full_path(full_input, sizeof(full_input), input_path);
input_path = full_input;
}
// input file specified in the database does not exist
if ( input_path[0] != '\0' && !qfileexist(input_path) )
{
debmod->dwarning("AUTOHIDE NONE\nInput file is missing: %s", input_path);
return -2;
}
// temporary thing, later we will retrieve the real file name
// based on the process id
debmod->input_file_path = input_path;
debmod->is_dll = (flags & DBG_PROC_IS_DLL) != 0;
if ( !qfileexist(path) )
{
debmod->dmsg("%s: %s\n", path, winerr(errno));
return -1;
}
int mismatch = 0;
if ( !debmod->check_input_file_crc32(input_file_crc32) )
mismatch = CRC32_MISMATCH;
#ifdef __EA64__
bool dbg_srv_64 = true;
#else
bool dbg_srv_64 = false;
if ( (flags & DBG_PROC_64BIT) != 0 )
{
debmod->dwarning("Cannot debug a 64bit process with the 32bit debugger server, sorry\n");
return -1;
}
#endif
launch_process_params_t lpi;
lpi.path = path;
lpi.args = args;
lpi.startdir = startdir[0] != '\0' ? startdir : NULL;
lpi.flags = LP_NO_ASLR | LP_DETACH_TTY;
if ( (flags & DBG_NO_TRACE) == 0 )
lpi.flags |= LP_TRACE;
if ( (flags & DBG_PROC_64BIT) != 0 )
{
lpi.flags |= LP_LAUNCH_64_BIT;
}
else if ( (flags & DBG_PROC_32BIT) != 0 )
{
lpi.flags |= LP_LAUNCH_32_BIT;
}
else
{
lpi.flags |= dbg_srv_64 ? LP_LAUNCH_64_BIT : LP_LAUNCH_32_BIT;
debmod->dmsg("Launching as %sbit process\n", dbg_srv_64 ? "64" : "32");
}
qstring errbuf;
*child_pid = launch_process(lpi, &errbuf);
if ( *child_pid == NULL )
{
debmod->dmsg("launch_process: %s", errbuf.c_str());
return -1;
}
return 1 | mismatch;
}
