david.venhoff/QEMU-Nyx-fork
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
QEMU-Nyx-fork/nyx/state/state.h
Sergej Schumilo 1f675b053a fix crash notifier injection 
Decide which crash notifier (32bit or 64bit) to inject, based on the
current memory mode instead of the current CPU mode. Otherwise, in the
case of a 32bit loader running on a 64bit operating system, the wrong
notifier code will be injected.
2022-02-23 10:26:02 +01:00

185 lines
5.0 KiB
C
Raw Blame History

/*
Copyright (C) 2019 Sergej Schumilo
This file is part of QEMU-PT (HyperTrash / kAFL).
QEMU-PT is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 2 of the License, or
(at your option) any later version.
QEMU-PT is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with QEMU-PT. If not, see <http://www.gnu.org/licenses/>.
*/
#pragma once
#include "nyx/redqueen.h"
#include "nyx/redqueen_patch.h"
#include "nyx/fast_vm_reload.h"
#include "nyx/page_cache.h"
#include "nyx/synchronization.h"
#include "nyx/auxiliary_buffer.h"
#include "nyx/sharedir.h"
#include "nyx/fast_vm_reload_sync.h"
#include "nyx/types.h"
#include <libxdc.h>
#define INTEL_PT_MAX_RANGES 4
typedef struct qemu_nyx_state_s{
/* set if FDL backend is used (required to perform some additional runtime tests) */
bool nyx_fdl;
char* workdir_path;
uint32_t worker_id;
/* FAST VM RELOAD */
bool fast_reload_enabled;
bool fast_reload_mode;
char* fast_reload_path;
char* fast_reload_pre_path;
bool fast_reload_pre_image;
fast_reload_t* fast_reload_snapshot;
fast_vm_reload_sync_t* reload_state;
/* PAGE CACHE */
page_cache_t* page_cache;
/* Decoder */
libxdc_t* decoder;
/* REDQUEEN */
bool redqueen_enable_pending;
bool redqueen_disable_pending;
int redqueen_instrumentation_mode;
bool redqueen_update_blacklist;
bool patches_enable_pending;
bool patches_disable_pending;
redqueen_t* redqueen_state;
/* Intel PT Options (not migratable) */
uint64_t pt_c3_filter;
volatile bool pt_ip_filter_enabled[4];
bool pt_trace_mode; // enabled by default; disabled if compile-time tracing is implemented by agent
/* disabled by default; enable to force usage of PT tracing
* (useful for targets that use compile-time tracing and redqueen at the same time (which obviously relies on PT traces))
* This mode is usually enabled by the fuzzing logic by enabling trace mode.
* *** THIS FEATURES IS STILL EXPERIMENTAL ***
* */
bool pt_trace_mode_force;
uint32_t pt_trace_size; // trace size counter
uint32_t bb_coverage; // trace size counter
/* mmap Options (not migratable) */
int shared_bitmap_fd;
uint32_t shared_bitmap_size; /* size of the shared memory file */
uint32_t shared_bitmap_real_size; /* actual size of the bitmap */
void* shared_bitmap_ptr;
int shared_payload_buffer_fd;
uint32_t shared_payload_buffer_size;
int shared_ijon_bitmap_fd;
uint32_t shared_ijon_bitmap_size;
void* shared_ijon_bitmap_ptr;
/* Intel PT Options (migratable) */
bool pt_ip_filter_configured[4];
uint64_t pt_ip_filter_a[4];
uint64_t pt_ip_filter_b[4];
/* OPTIONS (MIGRATABLE VIA FAST SNAPSHOTS) */
uint64_t parent_cr3;
uint8_t disassembler_word_width;
bool nested;
uint64_t payload_buffer;
uint32_t nested_payload_pages_num;
uint64_t* nested_payload_pages;
bool protect_payload_buffer;
bool discard_tmp_snapshot;
mem_mode_t mem_mode;
uint32_t input_buffer_size;
/* NON MIGRATABLE OPTION */
timeout_detector_t timeout_detector;
bool decoder_page_fault;
uint64_t decoder_page_fault_addr;
bool dump_page;
uint64_t dump_page_addr;
bool in_fuzzing_mode;
bool in_reload_mode;
bool starved;
bool trace_mode;
bool shutdown_requested;
bool cow_cache_full;
bool in_redqueen_reload_mode;
uint32_t num_dirty_pages;
bool get_host_config_done;
bool set_agent_config_done;
/* capabilites */
uint8_t cap_timeout_detection;
uint8_t cap_only_reload_mode;
uint8_t cap_compile_time_tracing;
uint8_t cap_ijon_tracing;
uint64_t cap_cr3;
uint64_t cap_compile_time_tracing_buffer_vaddr;
uint64_t cap_ijon_tracing_buffer_vaddr;
uint64_t cap_coverage_bitmap_size;
auxilary_buffer_t* auxilary_buffer;
auxilary_buffer_config_t shadow_config;
sharedir_t* sharedir;
QTAILQ_HEAD(, kvm_sw_breakpoint) redqueen_breakpoints;
} qemu_nyx_state_t;
extern qemu_nyx_state_t global_state;
#define GET_GLOBAL_STATE() (&global_state)
void state_init_global(void);
fast_reload_t* get_fast_reload_snapshot(void);
void set_fast_reload_mode(bool mode);
void set_fast_reload_path(const char* path);
void set_fast_reload_pre_image(void);
void enable_fast_reloads(void);
/* Page Cache */
void init_page_cache(char* path);
page_cache_t* get_page_cache(void);
void init_redqueen_state(void);
redqueen_t* get_redqueen_state(void);
void init_aux_buffer(const char* filename);
void set_fast_reload_pre_path(const char* path);
void set_payload_buffer(uint64_t payload_buffer);
void set_payload_pages(uint64_t* payload_pages, uint32_t pages);
void set_workdir_path(char* workdir);
Reference in New Issue View Git Blame Copy Permalink