static int user_write(CPUState *env, abi_long ret, abi_long fd, void *p){
if (ret > 0 && fd == outfd){
Addr a = make_maddr((uint64_t)p);
bufplot(env, shadow, &a /*pointer*/, ret /*length*/);
}
return 0;
}
// R0 is command (label or query)
// R1 is buf_start
// R2 is length
// R3 is offset (not currently implemented)
void arm_hypercall_callback(CPUState *env){
target_ulong buf_start = env->regs[1];
target_ulong buf_len = env->regs[2];
if (env->regs[0] == 7 || env->regs[0] == 8){ //Taint label
if (!taintEnabled){
printf("Taint plugin: Label operation detected\n");
printf("Enabling taint processing\n");
__taint_enable_taint();
}
TaintOpBuffer *tempBuf = tob_new(buf_len * sizeof(TaintOp));
add_taint_ram(env, shadow, tempBuf, (uint64_t)buf_start, (int)buf_len);
tob_delete(tempBuf);
}
else if (env->regs[0] == 9){ //Query taint on label
if (taintEnabled){
printf("Taint plugin: Query operation detected\n");
Addr a = make_maddr(buf_start);
bufplot(env, shadow, &a, (int)buf_len);
}
//printf("Disabling taint processing\n");
//taintEnabled = false;
//taintJustDisabled = true;
//printf("Label occurrences on HD: %d\n", shad_dir_occ_64(shadow->hd));
}
}
int guest_hypercall_callback(CPUState *env){
#ifdef TARGET_I386
if (env->regs[R_EAX] == 0xdeadbeef){
target_ulong buf_start = env->regs[R_ECX];
target_ulong buf_len = env->regs[R_EDX];
if (env->regs[R_EBX] == 0){ //Taint label
if (!taintEnabled){
printf("Taint plugin: Label operation detected\n");
printf("Enabling taint processing\n");
taintJustEnabled = true;
taintEnabled = true;
enable_taint();
}
TaintOpBuffer *tempBuf = tob_new(5*1048576 /* 5MB */);
#ifndef CONFIG_SOFTMMU
add_taint(shadow, tempBuf, (uint64_t)buf_start, (int)buf_len);
#else
add_taint(shadow, tempBuf, cpu_get_phys_addr(env, buf_start),
(int)buf_len);
#endif //CONFIG_SOFTMMU
tob_delete(tempBuf);
}
else if (env->regs[R_EBX] == 1){ //Query taint on label
#ifndef CONFIG_SOFTMMU
bufplot(shadow, (uint64_t)buf_start, (int)buf_len);
#else
bufplot(shadow, cpu_get_phys_addr(env, buf_start), (int)buf_len);
#endif //CONFIG_SOFTMMU
printf("Taint plugin: Query operation detected\n");
printf("Disabling taint processing\n");
taintEnabled = false;
taintJustDisabled = true;
}
}
#endif // TARGET_I386
return 1;
}
void i386_hypercall_callback(CPUState *env){
target_ulong buf_start = env->regs[R_EBX];
target_ulong buf_len = env->regs[R_ECX];
long label = env->regs[R_EDI];
// call to label data
// EBX contains addr of that data
// ECX contains size of data
// EDI is the label integer
// EDX = starting offset (for positional labels only)
// -mostly not used, this is managed in pirate_utils
if (env->regs[R_EAX] == 7 || env->regs[R_EAX] == 8){
if (!taintEnabled){
printf("Taint plugin: Label operation detected\n");
printf("Enabling taint processing\n");
__taint_enable_taint();
}
TaintOpBuffer *tempBuf = tob_new( buf_len * sizeof(TaintOp));
if (env->regs[R_EAX] == 7){
// Standard buffer label
add_taint_ram_single_label(env, shadow, tempBuf,
(uint64_t)buf_start, (int)buf_len, label);
}
else if (env->regs[R_EAX] == 8){
// Positional buffer label
add_taint_ram_pos(env, shadow, tempBuf, (uint64_t)buf_start, (int)buf_len);
}
tob_delete(tempBuf);
}
//mz Query taint on this buffer
//mz EBX = start of buffer (VA)
//mz ECX = size of buffer (bytes)
// EDX = starting offset - for file queries
// -mostly not used, this is managed in pirate_utils
else if (env->regs[R_EAX] == 9){ //Query taint on label
if (taintEnabled){
printf("Taint plugin: Query operation detected\n");
Addr a = make_maddr(buf_start);
bufplot(env, shadow, &a, (int)buf_len);
}
//printf("Disabling taint processing\n");
//taintEnabled = false;
//taintJustDisabled = true;
//printf("Label occurrences on HD: %d\n", shad_dir_occ_64(shadow->hd));
}
else if (env->regs[R_EAX] == 10){
// Guest util done - reset positional label counter
taint_pos_count = 0;
}
}
int guest_hypercall_callback(CPUState *env) {
#ifdef TARGET_I386
if(env->regs[R_EAX] == 0xdeadbeef) {
target_ulong buf_start = env->regs[R_ECX];
target_ulong buf_len = env->regs[R_EDX];
if(env->regs[R_EBX] == 0) { //Taint label
TaintOpBuffer *tempBuf = tob_new(5*1048576 /* 1MB */);
add_taint(shadow, tempBuf, (uint64_t)buf_start, (int)buf_len);
tob_delete(tempBuf);
}
else if(env->regs[R_EBX] == 1) { //Query taint on label
bufplot(shadow, (uint64_t)buf_start, (int)buf_len);
}
}
#endif
return 1;
}
// XXX: Support all features of label and query program
void i386_hypercall_callback(CPUState *env){
target_ulong buf_start = env->regs[R_EBX];
target_ulong buf_len = env->regs[R_ECX];
// call to iferret to label data
// EBX contains addr of that data
// ECX contains size of data
// EDI is a pointer to a buffer containing the label string
// ESI contains the length of that label
// EDX = starting offset (for positional labels only)
if (env->regs[R_EAX] == 7 || env->regs[R_EAX] == 8){
if (!taintEnabled){
printf("Taint plugin: Label operation detected\n");
printf("Enabling taint processing\n");
__taint_enable_taint();
}
TaintOpBuffer *tempBuf = tob_new( buf_len * sizeof(TaintOp));
add_taint_ram(env, shadow, tempBuf, (uint64_t)buf_start, (int)buf_len);
tob_delete(tempBuf);
}
//mz Query taint on this buffer
//mz EBX = start of buffer (VA)
//mz ECX = size of buffer (bytes)
// EDI is a pointer to a buffer containing the filename or another name for this query
// ESI contains the length of that string
// EDX = starting offset - for file queries
else if (env->regs[R_EAX] == 9){ //Query taint on label
if (taintEnabled){
printf("Taint plugin: Query operation detected\n");
Addr a = make_maddr(buf_start);
bufplot(env, shadow, &a, (int)buf_len);
}
//printf("Disabling taint processing\n");
//taintEnabled = false;
//taintJustDisabled = true;
//printf("Label occurrences on HD: %d\n", shad_dir_occ_64(shadow->hd));
}
}
// R0 is command (label or query)
// R1 is buf_start
// R2 is length
// R3 is offset (not currently implemented, managed in pirate_utils)
// R4 is the label integer
void arm_hypercall_callback(CPUState *env){
target_ulong buf_start = env->regs[1];
target_ulong buf_len = env->regs[2];
long label = env->regs[4];
if (env->regs[0] == 7 || env->regs[0] == 8){
if (!taintEnabled){
printf("Taint plugin: Label operation detected\n");
printf("Enabling taint processing\n");
__taint_enable_taint();
}
TaintOpBuffer *tempBuf = tob_new( buf_len * sizeof(TaintOp));
if (env->regs[0] == 7){
// Standard buffer label
add_taint_ram_single_label(env, shadow, tempBuf,
(uint64_t)buf_start, (int)buf_len, label);
}
else if (env->regs[0] == 8){
// Positional buffer label
add_taint_ram_pos(env, shadow, tempBuf, (uint64_t)buf_start, (int)buf_len);
}
tob_delete(tempBuf);
}
else if (env->regs[0] == 9){ //Query taint on label
if (taintEnabled){
printf("Taint plugin: Query operation detected\n");
Addr a = make_maddr(buf_start);
bufplot(env, shadow, &a, (int)buf_len);
}
//printf("Disabling taint processing\n");
//taintEnabled = false;
//taintJustDisabled = true;
//printf("Label occurrences on HD: %d\n", shad_dir_occ_64(shadow->hd));
}
else if (env->regs[0] == 10){
// Guest util done - reset positional label counter
taint_pos_count = 0;
}
}
static int user_write(abi_long ret, abi_long fd, void *p){
if (ret > 0 && fd == outfd){
bufplot(shadow, (uint64_t)p /*pointer*/, ret /*length*/);
}
return 0;
}
