124 lines
3.5 KiB
C
124 lines
3.5 KiB
C
/*
|
|
|
|
Copyright (C) 2017 Sergej Schumilo
|
|
|
|
This file is part of QEMU-PT (kAFL).
|
|
|
|
QEMU-PT is free software: you can redistribute it and/or modify
|
|
it under the terms of the GNU General Public License as published by
|
|
the Free Software Foundation, either version 2 of the License, or
|
|
(at your option) any later version.
|
|
|
|
QEMU-PT is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU General Public License for more details.
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with QEMU-PT. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
*/
|
|
|
|
#ifndef REDQUEEN_H
|
|
#define REDQUEEN_H
|
|
|
|
#include <stddef.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <stdint.h>
|
|
#include <stdbool.h>
|
|
#include "qemu/osdep.h"
|
|
#include <linux/kvm.h>
|
|
#include <capstone/capstone.h>
|
|
#include <capstone/x86.h>
|
|
#include "redqueen_trace.h"
|
|
#include "khash.h"
|
|
#include "page_cache.h"
|
|
|
|
//#define RQ_DEBUG
|
|
|
|
#define REDQUEEN_MAX_STRCMP_LEN 64
|
|
#define REDQUEEN_TRAP_LIMIT 16
|
|
|
|
#define REG64_NUM 16
|
|
#define REG32_NUM 16
|
|
//seems we don't want to include rip, since this index is used to acces the qemu cpu structure or something?
|
|
#define REG16_NUM 16
|
|
#define REG8L_NUM 16
|
|
#define REG8H_NUM 8
|
|
|
|
#define EXTRA_REG_RIP 16
|
|
#define EXTRA_REG_NOP 17
|
|
|
|
#define REDQUEEN_NO_INSTRUMENTATION 0
|
|
#define REDQUEEN_LIGHT_INSTRUMENTATION 1
|
|
#define REDQUEEN_SE_INSTRUMENTATION 2
|
|
#define REDQUEEN_WHITELIST_INSTRUMENTATION 3
|
|
|
|
enum reg_types{RAX, RCX, RDX, RBX, RSP, RBP, RSI, RDI, R8, R9, R10, R11, R12, R13, R14, R15};
|
|
|
|
#define CMP_BITMAP_NOP 0x0000000UL
|
|
#define CMP_BITMAP_RQ_INSTRUCTION 0x1000000UL
|
|
#define CMP_BITMAP_SE_INSTRUCTION 0x2000000UL
|
|
#define CMP_BITMAP_BLACKLISTED 0x4000000UL
|
|
#define CMP_BITMAP_TRACE_ENABLED 0x8000000UL
|
|
#define CMP_BITMAP_SHOULD_HOOK_SE (CMP_BITMAP_SE_INSTRUCTION|CMP_BITMAP_TRACE_ENABLED)
|
|
#define CMP_BITMAP_SHOULD_HOOK_RQ (CMP_BITMAP_RQ_INSTRUCTION)
|
|
|
|
KHASH_MAP_INIT_INT64(RQ, uint32_t)
|
|
|
|
typedef struct redqueen_s{
|
|
khash_t(RQ) *lookup;
|
|
bool intercept_mode;
|
|
bool singlestep_enabled;
|
|
int hooks_applied;
|
|
CPUState *cpu;
|
|
uint64_t last_rip;
|
|
uint64_t next_rip;
|
|
uint64_t *breakpoint_whitelist;
|
|
uint64_t num_breakpoint_whitelist;
|
|
redqueen_trace_t* trace_state;
|
|
page_cache_t* page_cache;
|
|
} redqueen_t;
|
|
|
|
typedef struct redqueen_workdir_s{
|
|
char* redqueen_results;
|
|
char* symbolic_results;
|
|
char* pt_trace_results;
|
|
char* redqueen_patches;
|
|
char* breakpoint_white;
|
|
char* breakpoint_black;
|
|
char* target_code_dump;
|
|
} redqueen_workdir_t;
|
|
|
|
extern redqueen_workdir_t redqueen_workdir;
|
|
|
|
void setup_redqueen_workdir(char* workdir);
|
|
|
|
redqueen_t* new_rq_state(CPUState *cpu, page_cache_t* page_cache);
|
|
void destroy_rq_state(redqueen_t* self);
|
|
|
|
void set_rq_instruction(redqueen_t* self, uint64_t addr);
|
|
void set_rq_blacklist(redqueen_t* self, uint64_t addr);
|
|
|
|
void handle_hook(redqueen_t* self);
|
|
void handel_se_hook(redqueen_t* self);
|
|
|
|
void enable_rq_intercept_mode(redqueen_t* self);
|
|
void disable_rq_intercept_mode(redqueen_t* self);
|
|
|
|
|
|
void set_se_instruction(redqueen_t* self, uint64_t addr);
|
|
|
|
void dump_se_registers(redqueen_t* self);
|
|
void dump_se_memory_access(redqueen_t* self, cs_insn* insn);
|
|
void dump_se_return_access(redqueen_t* self, cs_insn* insn);
|
|
void dump_se_memory_access_at(redqueen_t* self, uint64_t instr_addr, uint64_t mem_addr);
|
|
|
|
void redqueen_insert_hooks(redqueen_t* self);
|
|
void redqueen_remove_hooks(redqueen_t* self);
|
|
|
|
void redqueen_callback(void* opaque, disassembler_mode_t mode, uint64_t start_addr, uint64_t end_addr);
|
|
|
|
#endif
|