static void event_post_syscall(void *drcontext, int sysnum) { process_id_t child_pid = 0; per_thread_t *data = (per_thread_t *) drmgr_get_cls_field(drcontext, cls_idx); /* XXX i#752: should DR provide a child creation event that gives us the pid? */ #ifdef LINUX if (sysnum == SYS_fork || (sysnum == SYS_clone && !TEST(CLONE_VM, data->saved_param))) { child_pid = dr_syscall_get_result(drcontext); if (child_pid > 0) nudge_child(child_pid); } #else if (sysnum == sysnum_CreateProcess || sysnum == sysnum_CreateProcessEx || sysnum == sysnum_CreateUserProcess) { if (dr_syscall_get_result(drcontext) >= 0) { /* success */ HANDLE *hproc = (HANDLE) data->saved_param; HANDLE h; size_t read; if (dr_safe_read(hproc, sizeof(h), &h, &read) && read == sizeof(h)) data->child_pid = dr_convert_handle_to_pid(h); /* we can't nudge now b/c the child's initial thread is suspended */ } } else if (sysnum == sysnum_ResumeThread) { /* child should be alive now */ if (data->child_pid != INVALID_PROCESS_ID) nudge_child(data->child_pid); } #endif }
print_simple_value(drsys_arg_t *arg, bool leading_zeroes) { bool pointer = !TEST(DRSYS_PARAM_INLINED, arg->mode); OUTPUT(pointer ? PFX : (leading_zeroes ? PFX : PIFX), arg->value); if (pointer && ((arg->pre && TEST(DRSYS_PARAM_IN, arg->mode)) || (!arg->pre && TEST(DRSYS_PARAM_OUT, arg->mode)))) { ptr_uint_t deref = 0; ASSERT(arg->size <= sizeof(deref), "too-big simple type"); /* We assume little-endian */ if (dr_safe_read((void *)arg->value, arg->size, &deref, NULL)) OUTPUT((leading_zeroes ? " => "PFX : " => "PIFX), deref); } }
/* NOTE: the routine returns up to 64 bit memory values */ static int64 safe_read_field(buf_info_t *buf, void *addr_to_resolve, size_t addr_size, bool print_value) { int64 mem_value = 0; ASSERT(addr_size <= sizeof(mem_value), "too-big mem value to read"); if (!dr_safe_read(addr_to_resolve, addr_size, &mem_value, NULL)) { OUTPUT(buf, "<field unreadable>"); return 0; } if (print_value) OUTPUT(buf, "0x"HEX64_FORMAT_STRING, mem_value); return mem_value; }
static void do_mem_dump(file_t file, uint base_pc,uint size){ uint read; bool ok; byte * mem_values = dr_global_alloc(sizeof(byte) * size); ssize_t written; ok = dr_safe_read(base_pc, size, mem_values, &read); DR_ASSERT(ok); written = dr_write_file(file, mem_values, size); DEBUG_PRINT("read %d from %x of size %d and written %d\n", read, base_pc, size, written); dr_global_free(mem_values, sizeof(byte) * size); }
static void handle_pre_execve(void *drcontext) { #ifndef USE_DRSYMS /* PR 453867: tell postprocess.pl to watch for new logdir and * fork a new copy. * FIXME: what if syscall fails? Punting on that for now. * Note that if it fails and then a later one succeeds, postprocess.pl * will replace the first with the last. */ char logdir[MAXIMUM_PATH]; /* one reason we're not inside os_post_syscall() */ size_t bytes_read = 0; /* Not using safe_read() since we want a partial read if hits page boundary */ dr_safe_read((void *) dr_syscall_get_param(drcontext, 0), BUFFER_SIZE_BYTES(logdir), logdir, &bytes_read); if (bytes_read < BUFFER_SIZE_BYTES(logdir)) logdir[bytes_read] = '\0'; NULL_TERMINATE_BUFFER(logdir); ELOGF(0, f_fork, "EXEC path=%s\n", logdir); #endif }
static bool event_pre_syscall(void *drcontext, int sysnum) { bool modify_write = (sysnum == write_sysnum); dr_atomic_add32_return_sum(&num_syscalls, 1); #ifdef UNIX if (sysnum == SYS_execve) { /* our stats will be re-set post-execve so display now */ show_results(); # ifdef SHOW_RESULTS dr_fprintf(STDERR, "<---- execve ---->\n"); # endif } #endif #ifndef SHOW_RESULTS /* for sanity tests that don't show results we don't change the app's output */ modify_write = false; #endif if (modify_write) { /* store params for access post-syscall */ int i; per_thread_t *data = (per_thread_t *) drmgr_get_cls_field(drcontext, tcls_idx); #ifdef WINDOWS /* stderr and stdout are identical in our cygwin rxvt shell so for * our example we suppress output starting with 'H' instead */ byte *output = (byte *) dr_syscall_get_param(drcontext, 5); byte first; size_t read; bool ok = dr_safe_read(output, 1, &first, &read); if (!ok || read != 1) return true; /* data unreadable: execute normally */ if (dr_is_wow64()) { /* store the xcx emulation parameter for wow64 */ dr_mcontext_t mc = {sizeof(mc),DR_MC_INTEGER/*only need xcx*/}; dr_get_mcontext(drcontext, &mc); data->xcx = mc.xcx; } #endif for (i = 0; i < SYS_MAX_ARGS; i++) data->param[i] = dr_syscall_get_param(drcontext, i); /* suppress stderr */ if (dr_syscall_get_param(drcontext, 0) == (reg_t) STDERR #ifdef WINDOWS && first == 'H' #endif ) { /* pretend it succeeded */ #ifdef UNIX /* return the #bytes == 3rd param */ dr_syscall_result_info_t info = { sizeof(info), }; info.succeeded = true; info.value = dr_syscall_get_param(drcontext, 2); dr_syscall_set_result_ex(drcontext, &info); #else /* XXX: we should also set the IO_STATUS_BLOCK.Information field */ dr_syscall_set_result(drcontext, 0); #endif #ifdef SHOW_RESULTS dr_fprintf(STDERR, "<---- skipping write to stderr ---->\n"); #endif return false; /* skip syscall */ } else if (dr_syscall_get_param(drcontext, 0) == (reg_t) STDOUT) { if (!data->repeat) { /* redirect stdout to stderr (unless it's our repeat) */ #ifdef SHOW_RESULTS dr_fprintf(STDERR, "<---- changing stdout to stderr ---->\n"); #endif dr_syscall_set_param(drcontext, 0, (reg_t) STDERR); } /* we're going to repeat this syscall once */ data->repeat = !data->repeat; } } return true; /* execute normally */ }
static bool event_pre_syscall(void *drcontext, int sysnum) { ATOMIC_INC(num_syscalls); #ifdef LINUX if (sysnum == SYS_execve) { /* our stats will be re-set post-execve so display now */ show_results(); # ifdef SHOW_RESULTS dr_fprintf(STDERR, "<---- execve ---->\n"); # endif } #endif #ifdef SHOW_RESULTS dr_fprintf(STDERR, "[%d] "PFX" "PFX" "PFX"\n", sysnum, dr_syscall_get_param(drcontext, 0), dr_syscall_get_param(drcontext, 1), dr_syscall_get_param(drcontext, 2)); #endif if (sysnum == write_sysnum) { /* store params for access post-syscall */ int i; per_thread_t *data = (per_thread_t *) drmgr_get_cls_field(drcontext, tcls_idx); #ifdef WINDOWS /* stderr and stdout are identical in our cygwin rxvt shell so for * our example we suppress output starting with 'H' instead */ byte *output = (byte *) dr_syscall_get_param(drcontext, 5); byte first; size_t read; bool ok = dr_safe_read(output, 1, &first, &read); if (!ok || read != 1) return true; /* data unreadable: execute normally */ if (dr_is_wow64()) { /* store the xcx emulation parameter for wow64 */ dr_mcontext_t mc = {sizeof(mc),DR_MC_INTEGER/*only need xcx*/}; dr_get_mcontext(drcontext, &mc); data->xcx = mc.xcx; } #endif for (i = 0; i < SYS_MAX_ARGS; i++) data->param[i] = dr_syscall_get_param(drcontext, i); /* suppress stderr */ if (dr_syscall_get_param(drcontext, 0) == (reg_t) STDERR #ifdef WINDOWS && first == 'H' #endif ) { /* pretend it succeeded */ #ifdef LINUX /* return the #bytes == 3rd param */ dr_syscall_set_result(drcontext, dr_syscall_get_param(drcontext, 2)); #else /* we should also set the IO_STATUS_BLOCK.Information field */ dr_syscall_set_result(drcontext, 0); #endif #ifdef SHOW_RESULTS dr_fprintf(STDERR, " [%d] => skipped\n", sysnum); #endif return false; /* skip syscall */ } else if (dr_syscall_get_param(drcontext, 0) == (reg_t) STDOUT) { if (!data->repeat) { /* redirect stdout to stderr (unless it's our repeat) */ #ifdef SHOW_RESULTS dr_fprintf(STDERR, " [%d] STDOUT => STDERR\n", sysnum); #endif dr_syscall_set_param(drcontext, 0, (reg_t) STDERR); } /* we're going to repeat this syscall once */ data->repeat = !data->repeat; } } return true; /* execute normally */ }
DR_EXPORT void dr_init(client_id_t id) { char buf[MAXIMUM_PATH]; int64 pos; int i; uint prot; byte *base_pc; size_t size; size_t bytes_read, bytes_written; byte *edge, *mbuf; bool ok; byte *f_map; /* The Makefile will pass a full absolute path (for Windows and Linux) as the client * option to a dummy file in the which we use to exercise the file api routines. * TODO - these tests should be a lot more thorough, but the basic functionality * is there (should add write tests, file_exists, directory etc. tests). */ file = dr_open_file(dr_get_options(id), DR_FILE_READ); if (file == INVALID_FILE) dr_fprintf(STDERR, "Error opening file\n"); memset(buf, 0, sizeof(buf)); dr_read_file(file, buf, 10); pos = dr_file_tell(file); if (pos < 0) dr_fprintf(STDERR, "tell error\n"); dr_fprintf(STDERR, "%s\n", buf); if (!dr_file_seek(file, 0, DR_SEEK_SET)) dr_fprintf(STDERR, "seek error\n"); memset(buf, 0, sizeof(buf)); dr_read_file(file, buf, 5); dr_fprintf(STDERR, "%s\n", buf); for (i = 0; i < 100; i++) buf[i] = 0; if (!dr_file_seek(file, pos - 5, DR_SEEK_CUR)) dr_fprintf(STDERR, "seek error\n"); memset(buf, 0, sizeof(buf)); dr_read_file(file, buf, 7); dr_fprintf(STDERR, "%s\n", buf); if (!dr_file_seek(file, -6, DR_SEEK_END)) dr_fprintf(STDERR, "seek error\n"); memset(buf, 0, sizeof(buf)); /* read "x\nEOF\n" from the data file */ dr_read_file(file, buf, 6); /* check for DOS line ending */ if (buf[4] == '\r') { /* Account for two line endings: the snippet is "x\r\nEOF\r\n". * No conversion required--ctest will discard the '\r' when comparing results. */ if (!dr_file_seek(file, -8, DR_SEEK_END)) dr_fprintf(STDERR, "seek error\n"); memset(buf, 0, sizeof(buf)); dr_read_file(file, buf, 8); } dr_fprintf(STDERR, "%s\n", buf); #define EXTRA_SIZE 0x60 size = PAGE_SIZE + EXTRA_SIZE; f_map = dr_map_file(file, &size, 0, NULL, DR_MEMPROT_READ, DR_MAP_PRIVATE); if (f_map == NULL || size < (PAGE_SIZE + EXTRA_SIZE)) dr_fprintf(STDERR, "map error\n"); /* test unaligned unmap */ if (!dr_unmap_file(f_map + PAGE_SIZE, EXTRA_SIZE)) dr_fprintf(STDERR, "unmap error\n"); /* leave file open and check in exit event that it's still open after * app tries to close it */ dr_register_exit_event(event_exit); /* Test dr_rename_file. */ test_dr_rename_delete(); /* Test the memory query routines */ dummy_func(); if (!dr_memory_is_readable((byte *)dummy_func, 1) || !dr_memory_is_readable(read_only_buf+1000, 4000) || !dr_memory_is_readable(writable_buf+1000, 4000)) { dr_fprintf(STDERR, "ERROR : dr_memory_is_readable() incorrect results\n"); } if (!dr_query_memory((byte *)dummy_func, &base_pc, &size, &prot)) dr_fprintf(STDERR, "ERROR : can't find dummy_func mem region\n"); dr_fprintf(STDERR, "dummy_func is %s%s%s\n", TEST(DR_MEMPROT_READ, prot) ? "r" : "", TEST(DR_MEMPROT_WRITE, prot) ? "w" : "", TEST(DR_MEMPROT_EXEC, prot) ? "x" : ""); if (base_pc > (byte *)dummy_func || base_pc + size < (byte *)dummy_func) dr_fprintf(STDERR, "dummy_func region mismatch"); memset(writable_buf, 0, sizeof(writable_buf)); /* strip off write copy */ if (!dr_query_memory(writable_buf+100, &base_pc, &size, &prot)) dr_fprintf(STDERR, "ERROR : can't find dummy_func mem region\n"); dr_fprintf(STDERR, "writable_buf is %s%s%s\n", TEST(DR_MEMPROT_READ, prot) ? "r" : "", TEST(DR_MEMPROT_WRITE, prot) ? "w" : "", #ifdef UNIX /* Linux sometimes (probably depends on version and hardware NX * support) lists all readable regions as also exectuable in the * maps file. We just skip checking here for Linux to make * matching the template file easier. */ "" #else TEST(DR_MEMPROT_EXEC, prot) ? "x" : "" #endif ); if (base_pc > writable_buf || base_pc + size < writable_buf) dr_fprintf(STDERR, "writable_buf region mismatch\n"); if (base_pc + size < writable_buf + sizeof(writable_buf)) dr_fprintf(STDERR, "writable_buf size mismatch "PFX" "PFX" "PFX" "PFX"\n", base_pc, size, writable_buf, sizeof(writable_buf)); if (!dr_query_memory(read_only_buf+100, &base_pc, &size, &prot)) dr_fprintf(STDERR, "ERROR : can't find dummy_func mem region\n"); dr_fprintf(STDERR, "read_only_buf is %s%s\n", TEST(DR_MEMPROT_READ, prot) ? "r" : "", TEST(DR_MEMPROT_WRITE, prot) ? "w" : ""); if (base_pc > read_only_buf || base_pc + size < read_only_buf) dr_fprintf(STDERR, "read_only_buf region mismatch"); if (base_pc + size < read_only_buf + sizeof(read_only_buf)) dr_fprintf(STDERR, "read_only_buf size mismatch"); /* test the safe_read functions */ /* TODO - extend test to cover racy writes and reads (won't work on Linux yet). */ memset(safe_buf, 0xcd, sizeof(safe_buf)); if (!dr_safe_read(read_only_buf + 4000, 1000, safe_buf, &bytes_read) || bytes_read != 1000 || !memchk(safe_buf, 0, 1000) || *(safe_buf+1000) != 0xcd) { dr_fprintf(STDERR, "ERROR in plain dr_safe_read()\n"); } memset(safe_buf, 0xcd, sizeof(safe_buf)); /* read_only_buf will be in .rodata on Linux, and can be followed by string * constants with the same page protections. In order to be sure that we're * copying zeroes, we map our own memory. */ mbuf = dr_nonheap_alloc(PAGE_SIZE*3, DR_MEMPROT_READ|DR_MEMPROT_WRITE); memset(mbuf, 0, PAGE_SIZE*3); dr_memory_protect(mbuf + PAGE_SIZE*2, PAGE_SIZE, DR_MEMPROT_NONE); edge = find_prot_edge(mbuf, DR_MEMPROT_READ); bytes_read = 0xcdcdcdcd; if (dr_safe_read(edge - (PAGE_SIZE + 10), PAGE_SIZE+20, safe_buf, &bytes_read) || bytes_read == 0xcdcdcdcd || bytes_read > PAGE_SIZE+10 || !memchk(safe_buf, 0, bytes_read)) { dr_fprintf(STDERR, "ERROR in overlap dr_safe_read()\n"); } dr_nonheap_free(mbuf, PAGE_SIZE*3); dr_fprintf(STDERR, "dr_safe_read() check\n"); /* test DR_TRY_EXCEPT */ DR_TRY_EXCEPT(dr_get_current_drcontext(), { ok = false; *((int *)4) = 37; }, { /* EXCEPT */