diff options
Diffstat (limited to 'frida_mode/src/cmplog/cmplog.c')
| -rw-r--r-- | frida_mode/src/cmplog/cmplog.c | 149 |
1 files changed, 78 insertions, 71 deletions
diff --git a/frida_mode/src/cmplog/cmplog.c b/frida_mode/src/cmplog/cmplog.c index 3df7d13d..0e3fbe53 100644 --- a/frida_mode/src/cmplog/cmplog.c +++ b/frida_mode/src/cmplog/cmplog.c @@ -1,7 +1,9 @@ #include <errno.h> #include <fcntl.h> #include <limits.h> -#include <syscall.h> +#include <sys/mman.h> +#include <sys/syscall.h> +#include <unistd.h> #include "frida-gum.h" @@ -10,18 +12,21 @@ #include "util.h" #define DEFAULT_MMAP_MIN_ADDR (32UL << 10) -#define FD_TMP_MAX_SIZE 65536 +#define MAX_MEMFD_SIZE (64UL << 10) extern struct cmp_map *__afl_cmp_map; +static GArray * cmplog_ranges = NULL; +static GHashTable * hash_yes = NULL; +static GHashTable * hash_no = NULL; -static GArray *cmplog_ranges = NULL; -static int fd_tmp = -1; -static ssize_t fd_tmp_size = 0; +static long page_size = 0; +static long page_offset_mask = 0; +static long page_mask = 0; static gboolean cmplog_range(const GumRangeDetails *details, gpointer user_data) { - UNUSED_PARAMETER(user_data); + GArray * cmplog_ranges = (GArray *)user_data; GumMemoryRange range = *details->range; g_array_append_val(cmplog_ranges, range); return TRUE; @@ -35,54 +40,46 @@ static gint cmplog_sort(gconstpointer a, gconstpointer b) { } -static int cmplog_create_temp(void) { +static void cmplog_get_ranges(void) { - const char *tmpdir = g_get_tmp_dir(); - OKF("CMPLOG Temporary directory: %s", tmpdir); - gchar *fname = g_strdup_printf("%s/frida-cmplog-XXXXXX", tmpdir); - OKF("CMPLOG Temporary file template: %s", fname); - int fd = mkstemp(fname); - OKF("CMPLOG Temporary file: %s", fname); + OKF("CMPLOG - Collecting ranges"); - if (fd < 0) { - - FATAL("Failed to create temp file: %s, errno: %d", fname, errno); + cmplog_ranges = g_array_sized_new(false, false, sizeof(GumMemoryRange), 100); + gum_process_enumerate_ranges(GUM_PAGE_READ, cmplog_range, cmplog_ranges); + g_array_sort(cmplog_ranges, cmplog_sort); - } +} - if (unlink(fname) < 0) { +void cmplog_init(void) { - FATAL("Failed to unlink temp file: %s (%d), errno: %d", fname, fd, errno); + if (__afl_cmp_map != NULL) { OKF("CMPLOG mode enabled"); } - } + cmplog_get_ranges(); - if (ftruncate(fd, 0) < 0) { + for (guint i = 0; i < cmplog_ranges->len; i++) { - FATAL("Failed to ftruncate temp file: %s (%d), errno: %d", fname, fd, - errno); + GumMemoryRange *range = &g_array_index(cmplog_ranges, GumMemoryRange, i); + OKF("CMPLOG Range - %3u: 0x%016" G_GINT64_MODIFIER + "X - 0x%016" G_GINT64_MODIFIER "X", + i, range->base_address, range->base_address + range->size); } - g_free(fname); + page_size = sysconf(_SC_PAGE_SIZE); + page_offset_mask = page_size - 1; + page_mask = ~(page_offset_mask); - return fd; - -} + hash_yes = g_hash_table_new(g_direct_hash, g_direct_equal); + if (hash_yes == NULL) { -void cmplog_init(void) { - - if (__afl_cmp_map != NULL) { OKF("CMPLOG mode enabled"); } + FATAL("Failed to g_hash_table_new, errno: %d", errno); - cmplog_ranges = g_array_sized_new(false, false, sizeof(GumMemoryRange), 100); - gum_process_enumerate_ranges(GUM_PAGE_READ, cmplog_range, NULL); - g_array_sort(cmplog_ranges, cmplog_sort); + } - for (guint i = 0; i < cmplog_ranges->len; i++) { + hash_no = g_hash_table_new(g_direct_hash, g_direct_equal); + if (hash_no == NULL) { - GumMemoryRange *range = &g_array_index(cmplog_ranges, GumMemoryRange, i); - OKF("CMPLOG Range - 0x%016" G_GINT64_MODIFIER "X - 0x%016" G_GINT64_MODIFIER - "X", - range->base_address, range->base_address + range->size); + FATAL("Failed to g_hash_table_new, errno: %d", errno); } @@ -102,6 +99,45 @@ static gboolean cmplog_contains(GumAddress inner_base, GumAddress inner_limit, } +gboolean cmplog_test_addr(guint64 addr, size_t size) { + + if (g_hash_table_contains(hash_yes, (gpointer)addr)) { return true; } + if (g_hash_table_contains(hash_no, (gpointer)addr)) { return false; } + + void * page_addr = (void *)(addr & page_mask); + size_t page_offset = addr & page_offset_mask; + + /* If it spans a page, then bail */ + if (page_size - page_offset < size) { return false; } + + /* + * Our address map can change (e.g. stack growth), use msync as a fallback to + * validate our address. + */ + if (msync(page_addr, page_offset + size, MS_ASYNC) < 0) { + + if (!g_hash_table_add(hash_no, (gpointer)addr)) { + + FATAL("Failed - g_hash_table_add"); + + } + + return false; + + } else { + + if (!g_hash_table_add(hash_yes, (gpointer)addr)) { + + FATAL("Failed - g_hash_table_add"); + + } + + return true; + + } + +} + gboolean cmplog_is_readable(guint64 addr, size_t size) { if (cmplog_ranges == NULL) FATAL("CMPLOG not initialized"); @@ -125,45 +161,16 @@ gboolean cmplog_is_readable(guint64 addr, size_t size) { for (guint i = 0; i < cmplog_ranges->len; i++) { GumMemoryRange *range = &g_array_index(cmplog_ranges, GumMemoryRange, i); - GumAddress outer_base = range->base_address; - GumAddress outer_limit = outer_base + range->size; + + GumAddress outer_base = range->base_address; + GumAddress outer_limit = outer_base + range->size; if (cmplog_contains(inner_base, inner_limit, outer_base, outer_limit)) return true; } - /* - * Our address map can change (e.g. stack growth), use write as a fallback to - * validate our address. - */ - ssize_t written = syscall(__NR_write, fd_tmp, (void *)addr, size); - - /* - * If the write succeeds, then the buffer must be valid otherwise it would - * return EFAULT - */ - if (written > 0) { - - fd_tmp_size += written; - if (fd_tmp_size > FD_TMP_MAX_SIZE) { - - /* - * Truncate the file, we don't want our temp file to continue growing! - */ - if (ftruncate(fd_tmp, 0) < 0) { - - FATAL("Failed to truncate fd_tmp (%d), errno: %d", fd_tmp, errno); - - } - - fd_tmp_size = 0; - - } - - if ((size_t)written == size) { return true; } - - } + if (cmplog_test_addr(addr, size)) { return true; } return false; |