static int strcmp_call(void *opaque)
{
int read_err = 0;
int i = 0;
strcmp_value *scv=malloc(sizeof (strcmp_value));
if(tracepid == 0)
{
return 0;
}
read_reg(esp_reg, &esp);
read_reg(eip_reg, &eip);
read_err = read_mem(esp, 4, (unsigned char*)buf);
if (read_err)
return 0;
scv->string1=buf[1];
scv->string2=buf[2];
char string_cmd[20];
char string_list[20];
bool read_cmd =read_mem(scv->string1, 20, (unsigned char*)string_cmd);
bool read_list=read_mem(scv->string2, 20, (unsigned char*)string_list);
scv->hook_handle=hookapi_hook_return(buf[0], strcmp_ret, scv, sizeof(scv));
return 0;
}
static void alloca_probe_call(void *opaque)
{
uint32_t ret_eip;
DECAF_read_mem(NULL, DECAF_cpu_regs[R_ESP], 4, &ret_eip);
uint32_t *hook_handle = malloc(sizeof(uint32_t));
if(hook_handle) {
*hook_handle = hookapi_hook_return(ret_eip, alloca_probe_ret,
hook_handle, sizeof(uint32_t));
}
}
static void VirtualAlloc_call(void *opaque)
{
DECAF_printf("VirtualAlloc entry\n");
NtCreateFile_hook_context_t *ctx = (NtCreateFile_hook_context_t*)
malloc(sizeof(NtCreateFile_hook_context_t));
if(!ctx) //run out of memory
return;
DECAF_read_mem(NULL, cpu_single_env->regs[R_ESP], 12*4, ctx->call_stack);
ctx->hook_handle = hookapi_hook_return(ctx->call_stack[0],
VirtualAlloc_ret, ctx, sizeof(*ctx));
}
/* Call hook (executed before any instruction in the function) */
static int getsockname_call(void *opaque)
{
uint32_t esp;
uint32_t eip;
uint32_t buf[7]; // Assumes that all stack parameters are 4-byte long
int read_err = 0;
/* If not tracing yet, return */
if (tracepid == 0) return 0;
/* Read stack starting at ESP */
read_reg(esp_reg, &esp);
read_err = read_mem(esp, sizeof(buf), (unsigned char*)buf);
if (read_err) return 0;
/*
BUF INDEX -> PARAMETER
ws2_32.dll getsockname
int getsockname(SOCKET s,struct sockaddr* name,int* namelen);
0 -> return address
1 -> IN socket descriptor
2 -> OUT Address structure with socket information
3 -> IN-OUT On call, size of the name buffer, in bytes.
On return, size in bytes of the name parameter
*/
/* Check which function we are jumping to */
read_reg(eip_reg, &eip);
char mod_name[512];
char fun_name[512];
get_function_name(eip,(char *)&mod_name,(char *)&fun_name);
/* Print some information to monitor */
WRITE("tracenetlog","Getting socket info using function %s::%s\n"
"\tFD: %u BufStart: 0x%08x BufMaxLen: %d\n",
mod_name, fun_name,buf[1],buf[2],(int)buf[3]);
/* Store parameters so that they can be used by return hook */
getsockname_t *s = malloc(sizeof(getsockname_t));
if (s == NULL) return 0;
s->eip = eip;
s->sd = buf[1];
s->bufStart = buf[2];
s->bufMaxLen = buf[3];
s->bufLenPtr = esp+12;
/* Hook return of function */
s->hook_handle = hookapi_hook_return(buf[0], getsockname_ret, s,
sizeof(getsockname_t));
return 0;
}
