update for vmi

Makefile.objs

@@ -431,11 +431,11 @@ QEMU_CFLAGS+=$(GLIB_CFLAGS)
 QEMU_CPPFLAGS+=$(QEMU_CFLAGS)
 #LOK: moved the callback interface into the shared directory
 libdecaf-y=DECAF_callback.o DECAF_main.o DECAF_cmds.o
-libdecaf-y+=procmod.o read_linux.o hookapi.o windows_vmi.o vmi.o
+libdecaf-y+=procmod.o read_linux.o hookapi.o windows_vmi.o vmi.o linux_vmi.o
 libdecaf-y+=function_map.o
 libdecaf-y+=tainting/reduce_taint.o tainting/taintcheck_opt.o tainting/tainting.o 
 libdecaf-y+=tainting/taint_memory.o tainting/tcg_taint.o tainting/analysis_log.o
-libdecaf-y+=sqlite3/sqlite3.o
+#libdecaf-y+=sqlite3/sqlite3.o
 libdecaf-y+=DECAF_vm_compress.o
 libdecaf-y+=utils/HashtableWrapper.o
 libdecaf-y+=utils/Output.o

cpu-exec.c

@@ -204,7 +204,7 @@ int cpu_exec(CPUState *env)
     }
 
     // AWH - TEMU updating
-    DECAF_update_cpustate();
+    //DECAF_update_cpustate();
 
 #if defined(TARGET_I386)
     /* put eflags in CPU temporary format */

shared/DECAF_callback.c

@@ -251,12 +251,14 @@ DECAF_Handle DECAF_registerOptimizedBlockBeginCallback(
     gva_t addr,
     OCB_t type)
 {
-
   callback_struct_t * cb_struct = (callback_struct_t *)malloc(sizeof(callback_struct_t));
   if (cb_struct == NULL)
   {
     return (DECAF_NULL_HANDLE);
   }
+
+  //Heng: Optimization on OCB_CONST is not stable. We use OCB_ALL instead for now.
+  if (type == OCB_CONST) type = OCB_ALL;
 
   //pre-populate the info
   cb_struct->callback = cb_func;
@@ -494,7 +496,11 @@ DECAF_errno_t DECAF_unregisterOptimizedBlockBeginCallback(DECAF_Handle handle)
         }
         if (CountingHashtable_remove(pOBBTable, cb_struct->from) == 0)
         {
-          DECAF_flushTranslationBlock(cb_struct->from);
+          //Heng: Comment out the line below, so we don't flush the translation block immediately.
+          //Guest kernel reboot is observed if we immediately flush the translation block. So I 
+          //decide not to do so. It may even help to improve performance in certain cases.
+
+          //DECAF_flushTranslationBlock(cb_struct->from);
         }
         break;
       }
@@ -506,7 +512,8 @@ DECAF_errno_t DECAF_unregisterOptimizedBlockBeginCallback(DECAF_Handle handle)
         }
         if (CountingHashtable_remove(pOBBPageTable, cb_struct->from) == 0)
         {
-          DECAF_flushTranslationPage(cb_struct->from);
+          //Heng: Comment out the line below, so we don't flush the translation page immediately.
+          //DECAF_flushTranslationPage(cb_struct->from);
         }
         break;
       }
@@ -662,6 +669,7 @@ PUSH_ALL()
     // invoke this callback
     if(!cb_struct->enabled || *cb_struct->enabled)
     {
+      params.cbhandle = (DECAF_Handle)cb_struct;
       switch (cb_struct->ocb_type)
       {
         default:
@@ -707,6 +715,8 @@ PUSH_ALL()
 
 #ifdef TARGET_I386
   params.be.next_pc = env->eip + env->segs[R_CS].base;
+#elif defined(TARGET_ARM)
+  params.be.next_pc = env->regs[15];
 #else
   fix this error
 #endif
@@ -717,6 +727,7 @@ PUSH_ALL()
     // invoke this callback
     if(!cb_struct->enabled || *cb_struct->enabled)
     {
+      params.cbhandle = (DECAF_Handle)cb_struct;
       if (cb_struct->to == INV_ADDR)
       {
         cb_struct->callback(&params);
@@ -754,6 +765,7 @@ PUSH_ALL()
 	LIST_FOREACH(cb_struct, &callback_list_heads[DECAF_INSN_BEGIN_CB], link) {
 		// If it is a global callback or it is within the execution context,
 		// invoke this callback
+        params.cbhandle = (DECAF_Handle)cb_struct;
 		if(!cb_struct->enabled || *cb_struct->enabled)
 			cb_struct->callback(&params);
 	}
@@ -773,6 +785,7 @@ PUSH_ALL()
 	LIST_FOREACH(cb_struct, &callback_list_heads[DECAF_INSN_END_CB], link) {
 		// If it is a global callback or it is within the execution context,
 		// invoke this callback
+	    params.cbhandle = (DECAF_Handle)cb_struct;
 		if(!cb_struct->enabled || *cb_struct->enabled)
 			cb_struct->callback(&params);
 	}
@@ -795,6 +808,7 @@ void helper_DECAF_invoke_mem_read_callback(gva_t virt_addr,gpa_t phy_addr,DATA_T
 	{
 		// If it is a global callback or it is within the execution context,
 		// invoke this callback
+	    params.cbhandle = (DECAF_Handle)cb_struct;
 		if (!cb_struct->enabled || *cb_struct->enabled) {
 			cb_struct->callback(&params);
 		}
@@ -812,6 +826,7 @@ void helper_DECAF_invoke_eip_check_callback(gva_t eip)
 	{
 		// If it is a global callback or it is within the execution context,
 		// invoke this callback
+        params.cbhandle = (DECAF_Handle)cb_struct;
 		if (!cb_struct->enabled || *cb_struct->enabled) {
 			cb_struct->callback(&params);
 		}
@@ -832,6 +847,7 @@ void helper_DECAF_invoke_keystroke_callback(int keycode,uint32_t *taint_mark)
 	{
 		// If it is a global callback or it is within the execution context,
 		// invoke this callback
+        params.cbhandle = (DECAF_Handle)cb_struct;
 		if (!cb_struct->enabled || *cb_struct->enabled) {
 			cb_struct->callback(&params);
 		}
@@ -855,6 +871,7 @@ void helper_DECAF_invoke_mem_write_callback(gva_t virt_addr,gpa_t phy_addr,DATA_
 	{
 		// If it is a global callback or it is within the execution context,
 		// invoke this callback
+        params.cbhandle = (DECAF_Handle)cb_struct;
 		if (!cb_struct->enabled || *cb_struct->enabled)
 			cb_struct->callback(&params);
 	}
@@ -875,6 +892,7 @@ void helper_DECAF_invoke_nic_rec_callback(uint8_t * buf,int size,int cur_pos,int
 	{
 		// If it is a global callback or it is within the execution context,
 		// invoke this callback
+        params.cbhandle = (DECAF_Handle)cb_struct;
 		if (!cb_struct->enabled || *cb_struct->enabled)
 			cb_struct->callback(&params);
 	}
@@ -893,10 +911,12 @@ void helper_DECAF_invoke_nic_send_callback(uint32_t addr,int size,uint8_t *buf)
 	{
 		// If it is a global callback or it is within the execution context,
 		// invoke this callback
+        params.cbhandle = (DECAF_Handle)cb_struct;
 		if (!cb_struct->enabled || *cb_struct->enabled)
 			cb_struct->callback(&params);
 	}
 }
+
 void helper_DECAF_invoke_read_taint_mem(gva_t vaddr,gpa_t paddr,uint32_t size,uint8_t *taint_info)
 {
 	callback_struct_t *cb_struct;
@@ -911,10 +931,12 @@ void helper_DECAF_invoke_read_taint_mem(gva_t vaddr,gpa_t paddr,uint32_t size,ui
 	{
 		// If it is a global callback or it is within the execution context,
 		// invoke this callback
+        params.cbhandle = (DECAF_Handle)cb_struct;
 		if (!cb_struct->enabled || *cb_struct->enabled)
 			cb_struct->callback(&params);
 	}
 }
+
 void helper_DECAF_invoke_write_taint_mem(gva_t vaddr,gpa_t paddr,uint32_t size,uint8_t *taint_info)
 {
 	callback_struct_t *cb_struct;
@@ -929,10 +951,13 @@ void helper_DECAF_invoke_write_taint_mem(gva_t vaddr,gpa_t paddr,uint32_t size,u
 	{
 		// If it is a global callback or it is within the execution context,
 		// invoke this callback
+        params.cbhandle = (DECAF_Handle)cb_struct;
 		if (!cb_struct->enabled || *cb_struct->enabled)
 			cb_struct->callback(&params);
 	}
 }
+
+
 void DECAF_callback_init(void)
 {
   int i;

shared/DECAF_callback_common.h

@@ -173,23 +173,26 @@ typedef struct _DECAF_Read_Write_Mem
 }DECAF_Write_Taint_Mem;
 
 //LOK: A dummy type
-typedef union _DECAF_Callback_Params
+typedef struct _DECAF_Callback_Params
 {
-  DECAF_Block_Begin_Params bb;
-  DECAF_Block_End_Params be;
-  DECAF_Insn_Begin_Params ib;
-  DECAF_Insn_End_Params ie;
-  DECAF_Mem_Read_Params mr;
-  DECAF_Mem_Write_Params mw;
-  DECAF_EIP_Check_Params ec;
-  DECAF_Keystroke_Params ks;
-  DECAF_Nic_Rec_Params nr;
-  DECAF_Nic_Send_Params ns;
+	DECAF_Handle cbhandle;
+	union{
+		DECAF_Block_Begin_Params bb;
+		DECAF_Block_End_Params be;
+		DECAF_Insn_Begin_Params ib;
+		DECAF_Insn_End_Params ie;
+		DECAF_Mem_Read_Params mr;
+		DECAF_Mem_Write_Params mw;
+		DECAF_EIP_Check_Params ec;
+		DECAF_Keystroke_Params ks;
+		DECAF_Nic_Rec_Params nr;
+		DECAF_Nic_Send_Params ns;
 #ifdef CONFIG_VMI_ENABLE
-  DECAF_Tlb_Exec_Params tx;
+		DECAF_Tlb_Exec_Params tx;
 #endif
-  DECAF_Read_Taint_Mem rt;
-  DECAF_Write_Taint_Mem wt;
+		DECAF_Read_Taint_Mem rt;
+		DECAF_Write_Taint_Mem wt;
+	};
 } DECAF_Callback_Params;
 
 typedef void (*DECAF_callback_func_t)(DECAF_Callback_Params*);

shared/DECAF_callback_to_QEMU.h

@@ -41,6 +41,15 @@ int DECAF_is_BlockEndCallback_needed(gva_t from, gva_t to);
 void DECAF_invoke_tlb_exec_callback(CPUState *env, gva_t vaddr);
 #endif
 
+void helper_DECAF_invoke_nic_rec_callback(uint8_t * buf,int size,int cur_pos,int start,int stop);
+void helper_DECAF_invoke_nic_send_callback(uint32_t addr,int size,uint8_t *buf);
+void helper_DECAF_invoke_mem_read_callback(gva_t virt_addr,gpa_t phy_addr,DATA_TYPE data_type);
+void helper_DECAF_invoke_mem_write_callback(gva_t virt_addr,gpa_t phy_addr,DATA_TYPE data_type);
+void helper_DECAF_invoke_keystroke_callback(int keycode,uint32_t *taint_mark);
+void helper_DECAF_invoke_read_taint_mem(gva_t vaddr,gpa_t paddr,uint32_t size,uint8_t *taint_info);
+void helper_DECAF_invoke_write_taint_mem(gva_t vaddr,gpa_t paddr,uint32_t size,uint8_t *taint_info);
+
+
 //The following prototypes are not needed since they are defined in
 // helper.h
 //void helper_DECAF_invoke_block_begin_callback(CPUState* env, TranslationBlock* tb);

shared/DECAF_main.c

@@ -28,6 +28,7 @@
 #include "shared/DECAF_main_internal.h"
 #include "shared/DECAF_vm_compress.h"
 #include "shared/DECAF_cmds.h"
+#include "shared/DECAF_callback_to_QEMU.h"
 #include "shared/hookapi.h"
 #include "DECAF_target.h"
 #include "procmod.h" //remove this later
@@ -45,6 +46,8 @@ static void *plugin_handle = NULL;
 static char decaf_plugin_path[PATH_MAX] = "";
 static FILE *decaflog = NULL;
 
+int should_monitor = 1;
+
 mon_cmd_t DECAF_mon_cmds[] = {
 #include "DECAF_mon_cmds.h"
 		{ NULL, NULL , }, };
@@ -120,7 +123,7 @@ DECAF_errno_t DECAF_memory_rw(CPUState* env, uint32_t addr, void *buf, int len,
 	return 0;
 }
 
-DECAF_errno_t DECAF_memory_rw_with_cr3(CPUState* env, target_ulong cr3,
+DECAF_errno_t DECAF_memory_rw_with_pgd(CPUState* env, target_ulong pgd,
 		gva_t addr, void *buf, int len, int is_write) {
 	if (env == NULL ) {
 #ifdef DECAF_NO_FAIL_SAFE
@@ -135,7 +138,7 @@ DECAF_errno_t DECAF_memory_rw_with_cr3(CPUState* env, target_ulong cr3,
 
 	while (len > 0) {
 		page = addr & TARGET_PAGE_MASK;
-		phys_addr = DECAF_get_physaddr_with_cr3(env, cr3, page);
+		phys_addr = DECAF_get_phys_addr_with_pgd(env, pgd, page);
 		if (phys_addr == -1)
 			return -1;
 		l = (page + TARGET_PAGE_SIZE) - addr;
@@ -158,22 +161,20 @@ DECAF_errno_t DECAF_write_mem(CPUState* env, gva_t vaddr, int len, void *buf) {
 	return DECAF_memory_rw(env, vaddr, buf, len, 1);
 }
 
-DECAF_errno_t DECAF_read_mem_with_cr3(CPUState* env, target_ulong cr3,
+DECAF_errno_t DECAF_read_mem_with_pgd(CPUState* env, target_ulong cr3,
 		gva_t vaddr, int len, void *buf) {
-	return DECAF_memory_rw_with_cr3(env, cr3, vaddr, buf, len, 0);
+	return DECAF_memory_rw_with_pgd(env, cr3, vaddr, buf, len, 0);
 }
 
-DECAF_errno_t DECAF_write_mem_with_cr3(CPUState* env, target_ulong cr3,
+DECAF_errno_t DECAF_write_mem_with_pgd(CPUState* env, target_ulong cr3,
 		gva_t vaddr, int len, void *buf) {
-	return DECAF_memory_rw_with_cr3(env, cr3, vaddr, buf, len, 1);
+	return DECAF_memory_rw_with_pgd(env, cr3, vaddr, buf, len, 1);
 }
 
 //Modified from tb_find_slow
 static TranslationBlock *DECAF_tb_find_slow(CPUState *env, target_ulong pc) {
 	TranslationBlock *tb, **ptb1;
 	unsigned int h;
-	tb_page_addr_t phys_pc, phys_page1;
-	target_ulong virt_page2;
 
 	tb_invalidated_flag = 0;
 
@@ -192,7 +193,6 @@ static TranslationBlock *DECAF_tb_find_slow(CPUState *env, target_ulong pc) {
 		}
 	}
 
-	not_found:
 	//DECAF_printf("DECAF_tb_find_slow: not found!\n");
 	return NULL ;
 
@@ -224,9 +224,8 @@ void DECAF_flushTranslationBlock_env(CPUState *env, uint32_t addr) {
 	tb_phys_invalidate(tb, -1);
 }
 
-void DECAF_flushTranslationPage_env(CPUState* env, uint32_t addr) {
-	target_phys_addr_t p_addr;
-
+void DECAF_flushTranslationPage_env(CPUState* env, uint32_t addr)
+{
 	if (env == NULL ) {
 #ifdef DECAF_NO_FAIL_SAFE
 		return;
@@ -334,7 +333,10 @@ int do_unload_plugin(Monitor *mon, const QDict *qdict, QObject **ret_data) {
 
 		//Flush all the callbacks that the plugin might have registered for
 		hookapi_flush_hooks(decaf_plugin_path);
+#ifdef TARGET_I386
+		//Currently opcode-based callback mechanism is only available in x86.
 		DECAF_cleanup_insn_cbs();
+#endif
 //LOK: Created a new callback interface for procmod
 		//        loadmainmodule_notify = createproc_notify = removeproc_notify = loadmodule_notify = NULL;
 

shared/DECAF_main.h

@@ -127,7 +127,7 @@ extern gpa_t DECAF_get_physaddr_with_cr3(CPUState* env, target_ulong cr3, gva_t
 
 extern DECAF_errno_t DECAF_memory_rw(CPUState* env, gva_t addr, void *buf, int len, int is_write);
 
-DECAF_errno_t DECAF_memory_rw_with_cr3(CPUState* env, target_ulong cr3, gva_t addr, void *buf,
+DECAF_errno_t DECAF_memory_rw_with_pgd(CPUState* env, target_ulong pgd, gva_t addr, void *buf,
                             int len, int is_write);
 
 /// \brief Read from a memory region by its virtual address.
@@ -152,12 +152,10 @@ extern DECAF_errno_t DECAF_read_mem(CPUState* env, gva_t vaddr, int len, void *b
 /// into physical address. It could be either invalid address or swapped out.
 extern DECAF_errno_t DECAF_write_mem(CPUState* env, gva_t vaddr, int len, void *buf);
 
-//This implementation is NOT target specific because it uses the get phys page cr3 function above
-extern DECAF_errno_t DECAF_read_mem_with_cr3(CPUState* env, target_ulong cr3, gva_t vaddr, int len, void *buf);
-#define DECAF_read_mem_with_pgd(_env, _pgd, _vaddr, _len, _buf) DECAF_read_mem_with_cr3(_pgd, _vaddr, _len, _buf)
 
-extern DECAF_errno_t DECAF_write_mem_with_cr3(CPUState* env, target_ulong cr3, gva_t vaddr, int len, void *buf);
-#define DECAF_write_mem_with_pgd(_env, _pgd, _vaddr, _len, _buf) DECAF_write_mem_with_cr3(_pgd, _vaddr, _len, _buf)
+extern DECAF_errno_t DECAF_read_mem_with_pgd(CPUState* env, target_ulong pgd, gva_t vaddr, int len, void *buf);
+extern DECAF_errno_t DECAF_write_mem_with_pgd(CPUState* env, target_ulong pgd, gva_t vaddr, int len, void *buf);
+
 
 
 extern void * DECAF_KbdState;

shared/guest_driver/linux/linuxdrv.c

@@ -86,7 +86,7 @@ static void linuxdrv_vma_update(struct vm_area_struct *vma, unsigned long new_st
     }
     /* send message to temu to notify vma created */
     if(VMA_CREATE == state || VMA_MODIFY == state) {
-	linuxdrv_send_message("M %d %x %s %x %x %c \n",
+	linuxdrv_send_message("M %d %x \"%s\" %x %x %c \n",
 			      owner,
 			      cr3,
 			      name,
@@ -116,7 +116,7 @@ static void linuxdrv_task_update(struct task_struct *task, enum task_state state
 	linuxdrv_send_message("P - %d \n", task->pid);
     /* send message to temu to notify new task creatation */
     if(TASK_FORK == state || TASK_EXEC == state) {
-	linuxdrv_send_message("P + %d %x %s \n", task->pid, linuxdrv_get_mem_cr3(task->mm), task->comm);
+	linuxdrv_send_message("P + %d -1 %08x %s \n", task->pid, linuxdrv_get_mem_cr3(task->mm), task->comm);
 	linuxdrv_task_vma_traversing(task);
     }
 }