Merge branch 'log_interrupts' (Issue #34)
hasherezade committed Aug 6, 2023
2 parents 2eb0cee + aa8f175 commit 74ea1c5
Showing 3 changed files with 69 additions and 11 deletions.
66 changes: 62 additions & 4 deletions TinyTracer.cpp
Expand Up @@ -276,6 +276,7 @@ VOID SaveTransitions(const ADDRINT prevVA, const ADDRINT Address, BOOL isIndirec
VOID RdtscCalled(const CONTEXT* ctxt)
{
PinLocker locker;
const std::string mnem = "RDTSC";

const ADDRINT Address = (ADDRINT)PIN_GetContextReg(ctxt, REG_INST_PTR);

Expand All @@ -284,20 +285,21 @@ VOID RdtscCalled(const CONTEXT* ctxt)

if (wType == WatchedType::WATCHED_MY_MODULE) {
ADDRINT rva = addr_to_rva(Address); // convert to RVA
traceLog.logRdtsc(0, rva);
traceLog.logInstruction(0, rva, mnem);
}
if (wType == WatchedType::WATCHED_SHELLCODE) {
const ADDRINT start = query_region_base(Address);
ADDRINT rva = Address - start;
if (start != UNKNOWN_ADDR) {
traceLog.logRdtsc(start, rva);
traceLog.logInstruction(start, rva, mnem);
}
}
}

VOID CpuidCalled(const CONTEXT* ctxt)
{
PinLocker locker;
const std::string mnem = "CPUID";

const ADDRINT Address = (ADDRINT)PIN_GetContextReg(ctxt, REG_INST_PTR);

Expand All @@ -307,13 +309,58 @@ VOID CpuidCalled(const CONTEXT* ctxt)
ADDRINT Param = (ADDRINT)PIN_GetContextReg(ctxt, REG_GAX);
if (wType == WatchedType::WATCHED_MY_MODULE) {
ADDRINT rva = addr_to_rva(Address); // convert to RVA
traceLog.logCpuid(0, rva, Param);
traceLog.logInstruction(0, rva, mnem, Param);
}
if (wType == WatchedType::WATCHED_SHELLCODE) {
const ADDRINT start = query_region_base(Address);
ADDRINT rva = Address - start;
if (start != UNKNOWN_ADDR) {
traceLog.logCpuid(start, rva, Param);
traceLog.logInstruction(start, rva, mnem, Param);
}
}
}

VOID InterruptCalled(const CONTEXT* ctxt)
{
PinLocker locker;
const ADDRINT Address = (ADDRINT)PIN_GetContextReg(ctxt, REG_INST_PTR);
unsigned char copyBuf[2] = { 0 };
int fetchedSize = 1;
std::string mnem;
if (PIN_FetchCode(copyBuf, (void*)Address, fetchedSize, NULL)) {
if (copyBuf[0] == 0xCD) { // INT
fetchedSize = 2;
PIN_FetchCode(copyBuf, (void*)Address, fetchedSize, NULL);
}
switch (copyBuf[0]) {
case 0xCC:
mnem = "INT3"; break;
case 0xCE:
mnem = "INT0"; break;
case 0xF1:
mnem = "INT1"; break;
case 0xCD:
{
std::stringstream ss;
ss << std::hex << (unsigned int)copyBuf[1];
mnem = "INT:" + ss.str();
break;
}
}
}
const WatchedType wType = isWatchedAddress(Address);
if (wType == WatchedType::NOT_WATCHED) return;

ADDRINT Param = (ADDRINT)PIN_GetContextReg(ctxt, REG_GAX);
if (wType == WatchedType::WATCHED_MY_MODULE) {
ADDRINT rva = addr_to_rva(Address); // convert to RVA
traceLog.logInstruction(0, rva, mnem);
}
if (wType == WatchedType::WATCHED_SHELLCODE) {
const ADDRINT start = query_region_base(Address);
ADDRINT rva = Address - start;
if (start != UNKNOWN_ADDR) {
traceLog.logInstruction(start, rva, mnem);
}
}
}
Expand Down Expand Up @@ -381,6 +428,8 @@ VOID SyscallCalled(THREADID tid, CONTEXT* ctxt, SYSCALL_STANDARD std, VOID* v)
if (wType == WatchedType::NOT_WATCHED) return;

const ADDRINT syscallNum = PIN_GetSyscallNumber(ctxt, std);
if (syscallNum == (-1)) return; //invalid

std::string funcName = m_Settings.syscallsTable.getName(syscallNum);

if (wType == WatchedType::WATCHED_MY_MODULE) {
Expand Down Expand Up @@ -603,6 +652,15 @@ VOID InstrumentInstruction(INS ins, VOID *v)
);
}

if (INS_IsInterrupt(ins)) {
INS_InsertCall(
ins,
IPOINT_BEFORE, (AFUNPTR)InterruptCalled,
IARG_CONTEXT,
IARG_END
);
}

if (INS_IsRDTSC(ins)) {
if (m_Settings.traceRDTSC) {
INS_InsertCall(
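Review bot: In `InterruptCalled`, the two-byte `PIN_FetchCode` call for opcode 0xCD ignores its return value, so when the immediate byte cannot be read the zero-initialised `copyBuf[1]` is logged as `INT:0`, and when the first fetch fails or no case matches, an empty mnemonic is written to the trace. An analyst relies on this trace to spot interrupt-based checks, so an unreadable or unrecognised opcode should be logged as such rather than as a plausible-looking vector. The fetch and decode also run before the `isWatchedAddress` filter, and `Param` is read from `REG_GAX` but never used. Separately, 0xCE is the INTO opcode, so the `"INT0"` label looks like a typo. The sketch below does one bounded fetch after the filter and starts from a fallback mnemonic (`INT:unknown` is a placeholder; pick whatever marker the trace consumers expect).

```cpp
VOID InterruptCalled(const CONTEXT* ctxt)
{
    // … unchanged: PinLocker, Address read from REG_INST_PTR …
    const WatchedType wType = isWatchedAddress(Address);
    if (wType == WatchedType::NOT_WATCHED) return; // filter before touching code memory

    unsigned char copyBuf[2] = { 0 };
    std::string mnem = "INT:unknown"; // fallback when the opcode is unreadable or unrecognised
    const size_t fetched = PIN_FetchCode(copyBuf, (void*)Address, sizeof(copyBuf), NULL);
    if (fetched >= 1) {
        switch (copyBuf[0]) {
        case 0xCC: mnem = "INT3"; break;
        case 0xCE: mnem = "INTO"; break;
        case 0xF1: mnem = "INT1"; break;
        case 0xCD:
            if (fetched == sizeof(copyBuf)) { // the vector byte was actually read
                // … unchanged: hex-format copyBuf[1] into "INT:<vector>" …
            }
            break;
        }
    }
    // … unchanged: logInstruction calls for WATCHED_MY_MODULE / WATCHED_SHELLCODE …
}
```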
10 changes: 5 additions & 5 deletions TraceLog.cpp
Expand Up @@ -93,7 +93,7 @@ void TraceLog::logIndirectCall(const ADDRINT prevModuleBase, const ADDRINT prevA
<< std::endl;
}

void TraceLog::logRdtsc(const ADDRINT base, const ADDRINT rva)
void TraceLog::logInstruction(const ADDRINT base, const ADDRINT rva, const std::string& mnem, const ADDRINT param)
{
if (!createFile()) return;
if (base) {
Expand All @@ -102,12 +102,13 @@ void TraceLog::logRdtsc(const ADDRINT base, const ADDRINT rva)
m_traceFile
<< std::hex << rva
<< DELIMITER
<< "RDTSC"
<< mnem << ":"
<< std::hex << param
<< std::endl;
m_traceFile.flush();
}

void TraceLog::logCpuid(const ADDRINT base, const ADDRINT rva, const ADDRINT param)
void TraceLog::logInstruction(const ADDRINT base, const ADDRINT rva, const std::string& mnem)
{
if (!createFile()) return;
if (base) {
Expand All @@ -116,8 +117,7 @@ void TraceLog::logCpuid(const ADDRINT base, const ADDRINT rva, const ADDRINT par
m_traceFile
<< std::hex << rva
<< DELIMITER
<< "CPUID:"
<< std::hex << param
<< mnem
<< std::endl;
m_traceFile.flush();
}
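Review bot: The four-argument `logInstruction` writes `mnem`, then `":"`, then the parameter, but nothing documents that `:` is a field separator. The mnemonic built in TinyTracer.cpp for opcode 0xCD (`"INT:" + ss.str()`) already contains one, so a line such as `INT:2d` cannot be told apart from a mnemonic `INT` with parameter `2d`. Tools that parse the trace file need that spelled out; I would add a comment above both overloads, e.g. `// Output: <rva><DELIMITER><mnem>[:<hex param>]; mnem itself may contain ':' (INT:<vector>)`. The lines between each signature and the `m_traceFile` write are collapsed in this view, so the handling of `base` was not reviewed.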
4 changes: 2 additions & 2 deletions TraceLog.h
Expand Up @@ -34,8 +34,8 @@ class TraceLog
void logSectionChange(const ADDRINT addr, std::string &sectionName);
void logNewSectionCalled(const ADDRINT addFrom, const std::string &prevSection, const std::string &currSection);
void logIndirectCall(const ADDRINT prevModuleBase, const ADDRINT prevAddr, bool isRVA, const ADDRINT calledBase, const ADDRINT callRVA);
void logRdtsc(const ADDRINT base, const ADDRINT rva);
void logCpuid(const ADDRINT base, const ADDRINT rva, const ADDRINT param);
void logInstruction(const ADDRINT base, const ADDRINT rva, const std::string& mnem, const ADDRINT param);
void logInstruction(const ADDRINT base, const ADDRINT rva, const std::string& mnem);
void logSyscall(const ADDRINT base, const ADDRINT rva, const ADDRINT param, const std::string &funcName);

void logLine(const std::string &str);
