static void
init_commands(void)
{
attr_init();
bmap_init();
fadvise_init();
file_init();
freeze_init();
fsync_init();
getrusage_init();
help_init();
imap_init();
inject_init();
madvise_init();
mincore_init();
mmap_init();
open_init();
parent_init();
pread_init();
prealloc_init();
fiemap_init();
pwrite_init();
quit_init();
resblks_init();
sendfile_init();
shutdown_init();
truncate_init();
}
void main()
{
pid_t pID;
char device[20];
strcpy(device, "lo");
//strcpy(device, "eth0");
/** Time to split into two processes
* 1. the child Process is for capturing (incoming)
* 2. the parent process is for injecting frames (outgoing)
*/
pID = fork();
if (pID == 0) // child -- Capture process
{
// Code only executed by child process
PRINT_DEBUG("child started to capture \n");
//sleep(2);
capture_init(device);
}
else if (pID < 0) // failed to fork
{
PRINT_DEBUG ("Failed to Fork \n");
exit(1);
}
else // parent
{
// Code only executed by parent process
/** inject handler is supposed to be initialized earlier to make sure that forwarding
* feature is able to work even if the parent process did not start injecting yet
* we fix this by sleeping the capturing process for a while. To give the injection
* process a lead
*/
PRINT_DEBUG("parent started to Inject \n");
inject_init(device);
// while (1);
}
/**
if (inject_handle != NULL);
pcap_close(inject_handle);
if (capture_handle != NULL);
pcap_close(capture_handle);
*/
return;
}
/* pass non-NULL for thandle if you want this routine to use
* Get/SetThreadContext to get the context -- you must still pass
* in a pointer to a cxt
*/
BOOL
inject_into_thread(HANDLE phandle, CONTEXT *cxt, HANDLE thandle,
char *dynamo_path)
{
size_t nbytes;
BOOL success = FALSE;
ptr_uint_t dynamo_entry_esp;
ptr_uint_t dynamo_path_esp;
LPVOID load_dynamo_code = NULL; /* = base of code allocation */
ptr_uint_t addr;
reg_t *bufptr;
char buf[MAX_PATH];
uint old_prot;
ASSERT(cxt != NULL);
#ifndef NOT_DYNAMORIO_CORE_PROPER
/* FIXME - if we were early injected we couldn't call inject_init during
* startup because kernel32 wasn't loaded yet, so we call it here which
* isn't safe because it uses app locks. If we want to support a mix
* of early and late follow children injection we should change load_dynamo
* to use Nt functions (which we can link) rather then kernel32 functions
* (which we have to look up). We could also use module.c code to safely
* walk the exports of kernel32.dll (we can cache its mod handle when it
* is loaded). */
if (!inject_initialized) {
SYSLOG_INTERNAL_WARNING("Using late inject follow children from early injected process, unsafe LdrLock usage");
SELF_UNPROTECT_DATASEC(DATASEC_RARELY_PROT);
inject_init();
SELF_PROTECT_DATASEC(DATASEC_RARELY_PROT);
}
#else
ASSERT(inject_initialized);
#endif
/* soon we'll start using alternative injection with case 102 - leaving block */
{
reg_t app_xsp;
if (thandle != NULL) {
/* grab the context of the app's main thread */
cxt->ContextFlags = CONTEXT_DR_STATE;
if (!NT_SUCCESS(nt_get_context(thandle, cxt))) {
display_error("GetThreadContext failed");
goto error;
}
}
app_xsp = cxt->CXT_XSP;
/* copy load_dynamo() into the address space of the new process */
ASSERT(BUFFER_SIZE_BYTES(buf) > SIZE_OF_LOAD_DYNAMO);
memcpy(buf, (char*)load_dynamo, SIZE_OF_LOAD_DYNAMO);
/* R-X protection is adequate for our non-self modifying code,
* and we'll update that after we're done with
* nt_write_virtual_memory() calls */
/* get allocation, this will be freed by os_heap_free, so make sure
* is compatible allocation method */
if (!NT_SUCCESS(nt_remote_allocate_virtual_memory(phandle, &load_dynamo_code,
SIZE_OF_LOAD_DYNAMO,
PAGE_EXECUTE_READWRITE,
MEMORY_COMMIT))) {
display_error("Failed to allocate memory for injection code");
goto error;
}
if (!nt_write_virtual_memory(phandle, load_dynamo_code, buf,
SIZE_OF_LOAD_DYNAMO, &nbytes)) {
display_error("WriteMemory failed");
goto error;
}
/* Xref PR 252745 & PR 252008 - we can use the app's stack to hold our data
* even on WOW64 and 64-bit since we're using set context to set xsp. */
/* copy the DYNAMORIO_ENTRY string to the app's stack */
_snprintf(buf, BUFFER_SIZE_ELEMENTS(buf), "%s", DYNAMORIO_ENTRY);
NULL_TERMINATE_BUFFER(buf);
nbytes = strlen(buf) + 1; // include the trailing '\0'
/* keep esp at pointer-sized alignment */
cxt->CXT_XSP -= ALIGN_FORWARD(nbytes, XSP_SZ);
dynamo_entry_esp = cxt->CXT_XSP;
if (!nt_write_virtual_memory(phandle, (LPVOID)cxt->CXT_XSP,
buf, nbytes, &nbytes)) {
display_error("WriteMemory failed");
goto error;
}
/* copy the dynamorio_path string to the app's stack */
_snprintf(buf, BUFFER_SIZE_ELEMENTS(buf), "%s", dynamo_path);
NULL_TERMINATE_BUFFER(buf);
nbytes = strlen(buf) + 1; // include the trailing '\0'
/* keep esp at pointer-sized byte alignment */
cxt->CXT_XSP -= ALIGN_FORWARD(nbytes, XSP_SZ);
dynamo_path_esp = cxt->CXT_XSP;
if (!nt_write_virtual_memory(phandle, (LPVOID)cxt->CXT_XSP,
buf, nbytes, &nbytes)) {
display_error("WriteMemory failed");
goto error;
}
/* copy the current context to the app's stack. Only need the
* control registers, so we use a dr_mcontext_t layout.
*/
bufptr = (reg_t*) buf;
*bufptr++ = cxt->CXT_XDI;
*bufptr++ = cxt->CXT_XSI;
*bufptr++ = cxt->CXT_XBP;
*bufptr++ = app_xsp;
*bufptr++ = cxt->CXT_XBX;
*bufptr++ = cxt->CXT_XDX;
*bufptr++ = cxt->CXT_XCX;
*bufptr++ = cxt->CXT_XAX;
#ifdef X64
*bufptr++ = cxt->R8;
*bufptr++ = cxt->R9;
*bufptr++ = cxt->R10;
*bufptr++ = cxt->R11;
*bufptr++ = cxt->R12;
*bufptr++ = cxt->R13;
*bufptr++ = cxt->R14;
*bufptr++ = cxt->R15;
#endif
/* It would be nice to use preserve_xmm_caller_saved(), but we'd need to
* link proc.c and deal w/ messy dependencies to get it into arch_exports.h,
* so we do our own check. We go ahead and put in the xmm slots even
* if the underlying processor has no xmm support: no harm done.
*/
if (IF_X64_ELSE(true, is_wow64_process(NT_CURRENT_PROCESS))) {
/* PR 264138: preserve xmm0-5. We fill in all slots even though
* for 32-bit we don't use them (PR 306394).
*/
int i, j;
for (i = 0; i < NUM_XMM_SLOTS; i++) {
for (j = 0; j < IF_X64_ELSE(2,4); j++) {
*bufptr++ = CXT_XMM(cxt, i)->reg[j];
}
}
} else {
/* skip xmm slots */
bufptr += XMM_SLOTS_SIZE/sizeof(*bufptr);
}
*bufptr++ = cxt->CXT_XFLAGS;
*bufptr++ = cxt->CXT_XIP;
ASSERT((char *)bufptr - (char *)buf == sizeof(dr_mcontext_t));
*bufptr++ = (ptr_uint_t)load_dynamo_code;
*bufptr++ = SIZE_OF_LOAD_DYNAMO;
nbytes = sizeof(dr_mcontext_t) + 2*sizeof(reg_t);
cxt->CXT_XSP -= nbytes;
#ifdef X64
/* We need xsp to be aligned prior to each call, but we can only pad
* before the context as all later users assume the info they need is
* at TOS.
*/
cxt->CXT_XSP = ALIGN_BACKWARD(cxt->CXT_XSP, XMM_ALIGN);
#endif
if (!nt_write_virtual_memory(phandle, (LPVOID)cxt->CXT_XSP,
buf, nbytes, &nbytes)) {
display_error("WriteMemory failed");
goto error;
}
/* push the address of the DYNAMORIO_ENTRY string on the app's stack */
cxt->CXT_XSP -= XSP_SZ;
if (!nt_write_virtual_memory(phandle, (LPVOID)cxt->CXT_XSP,
&dynamo_entry_esp, sizeof(dynamo_entry_esp),
&nbytes)) {
display_error("WriteMemory failed");
goto error;
}
/* push the address of GetProcAddress on the app's stack */
ASSERT(addr_getprocaddr);
addr = addr_getprocaddr;
cxt->CXT_XSP -= XSP_SZ;
if (!nt_write_virtual_memory(phandle, (LPVOID)cxt->CXT_XSP,
&addr, sizeof(addr), &nbytes)) {
display_error("WriteMemory failed");
goto error;
}
/* push the address of the dynamorio_path string on the app's stack */
cxt->CXT_XSP -= XSP_SZ;
if (!nt_write_virtual_memory(phandle, (LPVOID)cxt->CXT_XSP,
&dynamo_path_esp, sizeof(dynamo_path_esp),
&nbytes)) {
display_error("WriteMemory failed");
goto error;
}
/* push the address of LoadLibraryA on the app's stack */
ASSERT(addr_loadlibrarya);
addr = addr_loadlibrarya;
cxt->CXT_XSP -= XSP_SZ;
if (!nt_write_virtual_memory(phandle, (LPVOID)cxt->CXT_XSP,
&addr, sizeof(addr), &nbytes)) {
display_error("WriteMemory failed");
goto error;
}
#ifdef LOAD_DYNAMO_DEBUGBREAK
/* push the address of DebugBreak on the app's stack */
ASSERT(addr_debugbreak);
addr = addr_debugbreak;
cxt->CXT_XSP -= XSP_SZ;
if (!nt_write_virtual_memory(phandle, (LPVOID)cxt->CXT_XSP,
&addr, sizeof(addr), &nbytes)) {
display_error("WriteMemory failed");
goto error;
}
#endif
/* make the code R-X now */
if (!nt_remote_protect_virtual_memory(phandle, load_dynamo_code,
SIZE_OF_LOAD_DYNAMO,
PAGE_EXECUTE_READ, &old_prot)) {
display_error("Failed to make injection code R-X");
goto error;
}
ASSERT(old_prot == PAGE_EXECUTE_READWRITE);
/* now change Eip to point to the entry point of load_dynamo(), so that
when we resume, load_dynamo is invoked automatically */
cxt->CXT_XIP = (ptr_uint_t)load_dynamo_code;
cxt->CXT_XFLAGS = 0;
if (thandle != NULL) {
if (!NT_SUCCESS(nt_set_context(thandle, cxt))) {
display_error("SetThreadContext failed");
goto error;
}
}
success = TRUE;
}
error:
/* we do not recover any changes in the child's address space */
return success;
}
void main()
{
(void) signal(SIGINT, termination_handler);
print_app_banner();
// ADDED mrd015 !!!!!
// trying to put code from fins_ethernet.sh here. This should allow mkfifo to be called w/o building coreutils for android?
printf("\n\nAttempting to make " FINS_TMP_ROOT "\n");
if(system("mkdir " FINS_TMP_ROOT) != 0){
printf(FINS_TMP_ROOT " already exists! Cleaning...\n");
// if cannot create directory, assume it contains files and try to delete them
if(system("cd " FINS_TMP_ROOT ";rm *") != 0){
printf("Cannot remove files in " FINS_TMP_ROOT "!\n");
}else {
printf(FINS_TMP_ROOT " was cleaned successfully.\n\n");
}
}
if(mkfifo(INCOME_PIPE, 0777) != 0){
PRINT_DEBUG("Failed to mkfifo(INCOME_PIPE, 0777)");
exit(1);
}
if(mkfifo(INJECT_PIPE, 0777) != 0){
PRINT_DEBUG("Failed to mkfifo(INJECT_PIPE, 0777)");
exit(1);
}
//^^^^^END^^^^^ !!!!!
fflush(stdout);
pid_t pID;
char device[20];
//strcpy(device, "lo"); //original !!!!!
strcpy(device, "eth0"); //changed to this !!!!!
//strcpy(device, "eth1"); //changed to this !!!!!
//strcpy(device, "wlan0");
/** Time to split into two processes
* 1. the child Process is for capturing (incoming)
* 2. the parent process is for injecting frames (outgoing)
*/
pID = fork();
if (pID == 0) // child -- Capture process
{
// Code only executed by child process
PRINT_DEBUG("child started to capture \n");
//sleep(2);
capture_init(device);
}
else if (pID < 0) // failed to fork
{
PRINT_DEBUG ("Failed to Fork \n");
exit(1);
}
else // parent
{
// Code only executed by parent process
/** inject handler is supposed to be initialized earlier to make sure that forwarding
* feature is able to work even if the parent process did not start injecting yet
* we fix this by sleeping the capturing process for a while. To give the injection
* process a lead
*/
PRINT_DEBUG("parent started to Inject \n");
inject_init(device);
// while (1);
}
/**
if (inject_handle != NULL);
pcap_close(inject_handle);
if (capture_handle != NULL);
pcap_close(capture_handle);
*/
// return;
}
/* udp_out test */
int main(int argc, char *argv[]) {
struct udp_metadata_parsed meta;
struct finsFrame* pff;
struct finsFrame ff;
unsigned short checksum = 0;
IP4_init(argc, argv);
char str[20] = "TESTING";
ff.dataFrame.pdu = &str[0];
meta.u_IPdst = IP4_ADR_P2N(192,168,1,28);
meta.u_IPsrc = IP4_ADR_P2N(192,168,1,28);
meta.u_destPort = 13;
meta.u_srcPort = 1087;
ff.dataFrame.pduLength = 7;
ff.dataOrCtrl = DATA;
ff.destinationID = UDPID;
ff.dataFrame.directionFlag = DOWN;
memcpy(&ff.dataFrame.metaData, &meta, 16);
pff = &ff;
// printf("The metadata's value for the length is %d\n", pseudoheader2.u_pslen);
// printf("The UDP packet's value for the length is %d\n", packet2.u_len);
/* Time to split into two processes
* 1) the child Process is for capturing (incoming)
* 2) the parent process is for injecting frames (outgoing)
*/
/* inject handler is initialized earlier to make sure that forwarding
* feature is able to work even if the parent process did not start injecting yet
*/
inject_init();
pid_t pID = fork();
int status;
if (pID == 0) // child
{
// Code only executed by child process
/* PRINT_DEBUG("child started to capture");
capture_init();
pcap_close ( capture_handle );
*/
}
else if (pID < 0) // failed to fork
{
PRINT_DEBUG("\n Error while forking, program will exit");
exit(1);
// Throw exception
}
else // parent
{
// Code only executed by parent process
PRINT_DEBUG("parent started to inject");
int i=0;
for ( i=0; i< 20; i++ )
{
sleep(1);
PRINT_DEBUG("#%d",i);
udp_out_fdf(pff);
PRINT_DEBUG("UDP done");
}
/* terminate the wifi module */
wifi_terminate();
/* wait until the child return */
wait(&status);
if (WIFEXITED(status))
{
PRINT_DEBUG("Parent: child has exited normally with status %d", WEXITSTATUS(status));
}
else
{
PRINT_DEBUG("Parent: child has not terminated normally");
}
}
return (0);
}