[insight-vmi] r1992 committed - We now take shared data/code pages into account.


insig...@googlecode.com

Jun 24, 2013, 5:44:24 AM6/24/13
to insight-v...@googlegroups.com
Revision: 1992
Author: vo...@in.tum.de
Date: Mon Jun 24 02:44:11 2013
Log: We now take shared data/code pages into account.

http://code.google.com/p/insight-vmi/source/detail?r=1992

Modified:
/trunk/libinsight/detect.cpp

=======================================
--- /trunk/libinsight/detect.cpp Mon Jun 24 02:37:22 2013
+++ /trunk/libinsight/detect.cpp Mon Jun 24 02:44:11 2013
@@ -165,6 +165,7 @@
quint64 changedDataPages = 0;
quint64 newPages = 0;
quint64 totalVerified = 0;
+ quint64 firstChange = 0;
// quint64 changes = 0;

// Prepare status output
@@ -233,7 +234,21 @@
if (ExecutablePages->value(currentPages.at(i).address).hash !=
currentPages.at(i).hash) {

- if (currentPages.at(i).type == KERNEL_CODE) {
+ // Find the first changed byte
+ firstChange = 0;
+ for (int j = 0; j < currentPages.at(i).data.size(); ++j) {
+
+ if (currentPages.at(i).data[j] !=
+
ExecutablePages->value(currentPages.at(i).address).data[j]) {
+
+ firstChange = j;
+ break;
+ }
+ }
+
+
+ if (currentPages.at(i).type == KERNEL_CODE &&
+ currentPages.at(i).address + firstChange <=
_kernel_code_end) {
changedPages++;

Console::out()
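Review bot: The new first-changed-byte loop bounds `j` by `currentPages.at(i).data.size()` alone, yet it also indexes the stored page's `data[j]`, so if the two buffers can ever differ in length the integrity checker itself reads out of range. The loop also calls `ExecutablePages->value(...)` once per byte, which returns the whole stored page by value each time if `ExecutablePages` is a Qt hash or map. Fetching the reference page once, `const ExecutablePage ref = ExecutablePages->value(currentPages.at(i).address);`, and looping while `j < qMin(currentPages.at(i).data.size(), ref.data.size())` would address both. `firstChange` is 0 both when byte 0 differs and when the loop finds no differing byte, so a comment such as `// firstChange stays 0 if no differing byte is found` above the loop would make that case explicit. The enclosing function starts and ends outside the hunk, so how a KERNEL_CODE page whose first change lies past `_kernel_code_end` is reported afterwards cannot be checked from here.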
@@ -435,7 +450,7 @@

// Vsyscall page?
if (i == _vsyscall_page) {
- currentHashes->insert(i, ExecutablePage(i,
KERNEL_CODE, "kernel", hash.result(), data));
+ currentHashes->insert(i, ExecutablePage(i,
KERNEL_CODE, "kernel (code)", hash.result(), data));
continue;
}
