191 lines
5.2 KiB
C
191 lines
5.2 KiB
C
/*
|
|
|
|
Copyright (C) 2019 Sergej Schumilo
|
|
|
|
This file is part of QEMU-PT (HyperTrash / kAFL).
|
|
|
|
QEMU-PT is free software: you can redistribute it and/or modify
|
|
it under the terms of the GNU General Public License as published by
|
|
the Free Software Foundation, either version 2 of the License, or
|
|
(at your option) any later version.
|
|
|
|
QEMU-PT is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU General Public License for more details.
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with QEMU-PT. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
*/
|
|
|
|
#pragma once
|
|
|
|
#include "nyx/redqueen.h"
|
|
#include "nyx/redqueen_patch.h"
|
|
#include "nyx/fast_vm_reload.h"
|
|
#include "nyx/page_cache.h"
|
|
#include "nyx/synchronization.h"
|
|
#include "nyx/auxiliary_buffer.h"
|
|
#include "nyx/sharedir.h"
|
|
#include "nyx/fast_vm_reload_sync.h"
|
|
|
|
#include <libxdc.h>
|
|
|
|
#define INTEL_PT_MAX_RANGES 4
|
|
|
|
enum mem_mode {
|
|
mm_unkown,
|
|
mm_32_protected, /* 32 Bit / No MMU */
|
|
mm_32_paging, /* 32 Bit / L3 Paging */
|
|
mm_32_pae, /* 32 Bit / PAE Paging */
|
|
mm_64_l4_paging, /* 64 Bit / L4 Paging */
|
|
mm_64_l5_paging, /* 32 Bit / L5 Paging */
|
|
};
|
|
|
|
typedef struct qemu_nyx_state_s{
|
|
|
|
/* set if FDL backend is used (required to perform some additional runtime tests) */
|
|
bool nyx_fdl;
|
|
|
|
char* workdir_path;
|
|
|
|
/* FAST VM RELOAD */
|
|
bool fast_reload_enabled;
|
|
bool fast_reload_mode;
|
|
char* fast_reload_path;
|
|
char* fast_reload_pre_path;
|
|
bool fast_reload_pre_image;
|
|
fast_reload_t* fast_reload_snapshot;
|
|
fast_vm_reload_sync_t* reload_state;
|
|
|
|
/* PAGE CACHE */
|
|
page_cache_t* page_cache;
|
|
|
|
/* Decoder */
|
|
libxdc_t* decoder;
|
|
|
|
/* REDQUEEN */
|
|
bool redqueen_enable_pending;
|
|
bool redqueen_disable_pending;
|
|
int redqueen_instrumentation_mode;
|
|
bool redqueen_update_blacklist;
|
|
bool patches_enable_pending;
|
|
bool patches_disable_pending;
|
|
redqueen_t* redqueen_state;
|
|
|
|
/* Intel PT Options (not migratable) */
|
|
uint64_t pt_c3_filter;
|
|
volatile bool pt_ip_filter_enabled[4];
|
|
bool pt_trace_mode; // enabled by default; disabled if compile-time tracing is implemented by agent
|
|
|
|
/* disabled by default; enable to force usage of PT tracing
|
|
* (useful for targets that use compile-time tracing and redqueen at the same time (which obviously relies on PT traces))
|
|
* This mode is usually enabled by the fuzzing logic by enabling trace mode.
|
|
* *** THIS FEATURES IS STILL EXPERIMENTAL ***
|
|
* */
|
|
bool pt_trace_mode_force;
|
|
|
|
uint32_t pt_trace_size; // trace size counter
|
|
uint32_t bb_coverage; // trace size counter
|
|
|
|
/* mmap Options (not migratable) */
|
|
int shared_bitmap_fd;
|
|
uint32_t shared_bitmap_size; /* size of the shared memory file */
|
|
uint32_t shared_bitmap_real_size; /* actual size of the bitmap */
|
|
void* shared_bitmap_ptr;
|
|
|
|
int shared_payload_buffer_fd;
|
|
uint32_t shared_payload_buffer_size;
|
|
|
|
int shared_ijon_bitmap_fd;
|
|
uint32_t shared_ijon_bitmap_size;
|
|
void* shared_ijon_bitmap_ptr;
|
|
|
|
/* Intel PT Options (migratable) */
|
|
bool pt_ip_filter_configured[4];
|
|
uint64_t pt_ip_filter_a[4];
|
|
uint64_t pt_ip_filter_b[4];
|
|
|
|
/* OPTIONS (MIGRATABLE VIA FAST SNAPSHOTS) */
|
|
uint64_t parent_cr3;
|
|
uint8_t disassembler_word_width;
|
|
bool nested;
|
|
uint64_t payload_buffer;
|
|
uint32_t nested_payload_pages_num;
|
|
uint64_t* nested_payload_pages;
|
|
bool protect_payload_buffer;
|
|
bool discard_tmp_snapshot;
|
|
uint8_t mem_mode;
|
|
uint32_t input_buffer_size;
|
|
|
|
|
|
/* NON MIGRATABLE OPTION */
|
|
timeout_detector_t timeout_detector;
|
|
|
|
bool decoder_page_fault;
|
|
uint64_t decoder_page_fault_addr;
|
|
|
|
bool dump_page;
|
|
uint64_t dump_page_addr;
|
|
|
|
bool in_fuzzing_mode;
|
|
bool in_reload_mode;
|
|
bool starved;
|
|
|
|
bool shutdown_requested;
|
|
bool cow_cache_full;
|
|
|
|
bool in_redqueen_reload_mode;
|
|
|
|
uint32_t num_dirty_pages;
|
|
|
|
bool get_host_config_done;
|
|
bool set_agent_config_done;
|
|
|
|
/* capabilites */
|
|
uint8_t cap_timeout_detection;
|
|
uint8_t cap_only_reload_mode;
|
|
uint8_t cap_compile_time_tracing;
|
|
uint8_t cap_ijon_tracing;
|
|
uint64_t cap_cr3;
|
|
uint64_t cap_compile_time_tracing_buffer_vaddr;
|
|
uint64_t cap_ijon_tracing_buffer_vaddr;
|
|
uint64_t cap_coverage_bitmap_size;
|
|
|
|
auxilary_buffer_t* auxilary_buffer;
|
|
auxilary_buffer_config_t shadow_config;
|
|
sharedir_t* sharedir;
|
|
|
|
QTAILQ_HEAD(, kvm_sw_breakpoint) redqueen_breakpoints;
|
|
} qemu_nyx_state_t;
|
|
|
|
extern qemu_nyx_state_t global_state;
|
|
|
|
#define GET_GLOBAL_STATE() (&global_state)
|
|
|
|
void state_init_global(void);
|
|
fast_reload_t* get_fast_reload_snapshot(void);
|
|
void set_fast_reload_mode(bool mode);
|
|
void set_fast_reload_path(const char* path);
|
|
void set_fast_reload_pre_image(void);
|
|
|
|
|
|
void enable_fast_reloads(void);
|
|
|
|
/* Page Cache */
|
|
void init_page_cache(char* path);
|
|
page_cache_t* get_page_cache(void);
|
|
|
|
void init_redqueen_state(void);
|
|
|
|
redqueen_t* get_redqueen_state(void);
|
|
|
|
void init_aux_buffer(const char* filename);
|
|
void set_fast_reload_pre_path(const char* path);
|
|
|
|
void set_payload_buffer(uint64_t payload_buffer);
|
|
void set_payload_pages(uint64_t* payload_pages, uint32_t pages);
|
|
|
|
void set_workdir_path(char* workdir);
|