Revision: 2001
Author:
vo...@in.tum.de
Date: Thu Jul 11 10:55:55 2013
Log: Even more stats.
http://code.google.com/p/insight-vmi/source/detail?r=2001
Modified:
/trunk/libinsight/detect.cpp
/trunk/libinsight/include/insight/detect.h
/trunk/libinsight/memorymap.cpp
=======================================
--- /trunk/libinsight/detect.cpp Thu Jul 11 00:43:25 2013
+++ /trunk/libinsight/detect.cpp Thu Jul 11 10:55:55 2013
@@ -18,7 +18,8 @@
Detect::Detect(KernelSymbols &sym) :
_kernel_code_begin(0), _kernel_code_end(0), _kernel_data_exec_end(0),
- _vsyscall_page(0), ExecutableSections(0), Functions(0), _sym(sym)
+ _vsyscall_page(0), ExecutableSections(0), Functions(0), _sym(sym),
+ _current_index(0)
{
// Get data from System.map
_kernel_code_begin = _sym.memSpecs().systemMap.value("_text").address;
@@ -325,7 +326,7 @@
if (Functions)
Functions->clear();
else
- Functions = new QMultiHash<quint64, const Function *>();
+ Functions = new QMultiHash<quint64, FunctionInfo>();
NodeList roots = map->roots();
@@ -333,10 +334,26 @@
if (
roots.at(i)->type()->type() == rtFunction) {
const Function* f = dynamic_cast<const
Function*>(
roots.at(i)->type());
- if (f)
- Functions->insert(f->pcLow(), f);
+ if (f) {
+ Functions->insert(f->pcLow(), FunctionInfo(MEMORY_MAP, f));
+ }
}
}
+
+ // It seems like we do not have all functions within the map.
+ // Parser bug?
+ // However, we have the system map. Thus lets add the functions in
there as well
+ SystemMapEntryList list = _sym.memSpecs().systemMapToList();
+
+
+ for (int i = 0; i < list.size(); ++i) {
+ if (
list.at(i).type == QString("t").toAscii().at(0) ||
+
list.at(i).type == QString("T").toAscii().at(0)) {
+ Functions->insert(
list.at(i).address, FunctionInfo(SYSTEM_MAP,
list.at(i).name));
+ }
+ }
+
+
}
bool Detect::pointsToKernelFunction(MemoryMap *map, Instance &funcPointer)
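Review bot: Every FunctionInfo inserted from the system map here holds a dangling reference: `FunctionInfo::system_function` is declared `const QString &` in the detect.h hunk at +65, and it is bound to `list.at(i).name`, where `list` is a local of buildFunctionList that is destroyed when the function returns, so any later read of the name through `Functions` is undefined behaviour. The default constructor and the `const Function *` constructor are worse still, binding the reference to the temporary `QString("")` that dies at the end of the constructor body. Declare the member by value, `QString system_function;`, so the struct owns its copy; that also keeps FunctionInfo assignable, which Qt documents as a requirement for hash value types.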
@@ -349,6 +366,53 @@
return false;
}
+
+bool Detect::pointsToModuleCode(Instance &functionPointer)
+{
+ // Target
+ quint64 pointsTo = (quint64)functionPointer.toPointer();
+
+ VirtualMemory *vmem = _sym.memDumps().at(_current_index)->vmem();
+ const Variable *varModules = _sym.factory().findVarByName("modules");
+ const Structured *typeModule = dynamic_cast<const Structured *>
+ (_sym.factory().findBaseTypeByName("module"));
+ assert(varModules != 0);
+ assert(typeModule != 0);
+
+ // Don't depend on the rule engine
+ const int listOffset = typeModule->memberOffset("list");
+ Instance firstModule = varModules->toInstance(vmem).member("next",
BaseType::trAny, -1, ksNone);
+ firstModule.setType(typeModule);
+ firstModule.addToAddress(-listOffset);
+
+ Instance currentModule;
+ quint64 currentModuleCore = 0;
+ quint64 currentModuleCoreSize = 0;
+
+ // Don't depend on the rule engine
+ currentModule = varModules->toInstance(vmem).member("next",
BaseType::trAny, -1, ksNone);
+ currentModule.setType(typeModule);
+ currentModule.addToAddress(-listOffset);
+
+ do {
+ currentModuleCore =
(quint64)currentModule.member("module_core").toPointer();
+ currentModuleCoreSize =
(quint64)currentModule.member("core_text_size").toPointer();
+
+ if (pointsTo >= currentModuleCore &&
+ pointsTo <= (currentModuleCore + currentModuleCoreSize)) {
+ return true;
+ }
+
+ // Don't depend on the rule engine
+ currentModule = currentModule.member("list").member("next",
BaseType::trAny, -1, ksNone);
+ currentModule.setType(typeModule);
+ currentModule.addToAddress(-listOffset);
+
+ } while (currentModule.address() != firstModule.address() &&
+ currentModule.address() != varModules->offset() - listOffset);
+
+ return false;
+}
void Detect::verifyFunctionPointer(MemoryMap *map, Instance &funcPointer,
FunctionPointerStats &stats)
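Review bot: The do/while walk over the guest's `modules` list has no upper bound: it stops only when it gets back to `firstModule` or to the list head, so a dump whose `next` links form any other cycle keeps the scan spinning forever, and a memory image being checked for tampering is exactly the data this loop cannot assume well-formed. Cap it, e.g. `quint64 steps = 0;` before the loop and `&& ++steps < kMaxModules` appended to the condition (a constant you choose, well above any plausible module count), and treat hitting the cap as a failed lookup. The range test is also inclusive at the top, `pointsTo <= (currentModuleCore + currentModuleCoreSize)`, so the address one past the end of a module's text is accepted; `<` is the intended bound. Finally, `firstModule` and `currentModule` are computed by the same four statements; `Instance currentModule = firstModule;` says the same thing once.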
@@ -381,7 +445,8 @@
// For NX
struct PageTableEntries ptEntries;
int pageSize = 0;
- map->vmem()->virtualToPhysical(pointsTo, &pageSize, false, &ptEntries);
+ VirtualMemory *vmem = _sym.memDumps().at(_current_index)->vmem();
+ vmem->virtualToPhysical(pointsTo, &pageSize, false, &ptEntries);
if (!ptEntries.isExecutable()) {
// Points to is not executeable
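Review bot: The NX lookup now takes its VirtualMemory from `_sym.memDumps().at(_current_index)` instead of the `map` passed in, which silently decouples the page-table walk from the map being verified; if the two can ever refer to different dumps, the result no longer describes the pointer being checked. `_current_index` is declared `quint64` in the detect.h hunk at +104, but if `memDumps()` returns a Qt container its `at()` takes an `int`, so the call narrows implicitly and an out-of-range value is undefined behaviour rather than an error; declaring the member `int` and asserting `_current_index < _sym.memDumps().size()` where it is assigned would make the precondition explicit. The same expression is used in pointsToModuleCode above, so both call sites share the point. verifyFunctionPointer begins before this hunk.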
@@ -389,10 +454,18 @@
return;
}
- if (!pointsToKernelFunction(map, funcPointer)) {
- stats.pointsNotToKernelFunction++;
+ if (pointsToKernelFunction(map, funcPointer)) {
+ stats.pointToKernelFunction++;
+ return;
+ }
+
+ if (pointsToModuleCode(funcPointer)) {
+ stats.pointToModule++;
return;
}
+
+ // Seems to be invalid
+ stats.unkown++;
}
void Detect::verifyFunctionPointers(MemoryMap *map)
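Review bot: The two positive checks are not equally strong, but the new bookkeeping treats them alike: pointsToKernelFunction accepts only the start of a known function, whereas pointsToModuleCode accepts any address inside a module's core text, so a pointer into the middle of module code is counted under `pointToModule` and never reaches `unkown`. Worth stating next to the module branch, e.g. `// Range check only: module targets are not verified to be function entries`, and in the report string that prints this count, so readers do not over-interpret it. Separately, `unkown` (and `UNKOWN` in detect.h) is misspelled and the typo now spreads across header, counters and output; renaming to `unknown` before more code depends on it is cheap. verifyFunctionPointer begins before this hunk.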
@@ -471,11 +544,13 @@
Console::out() << "\t Found " << Console::color(ctNumber)
<< stats.defaultValue << Console::color(ctReset) << "
pointer with default values." << endl;
Console::out() << "\t Found " << Console::color(ctNumber)
- << stats.total - (stats.userlandPointer +
stats.defaultValue + stats.invalidAddress +
- stats.pointToNXMemory +
stats.pointsNotToKernelFunction)
+ << stats.pointToKernelFunction
<< Console::color(ctReset) << " point to the beginning
of a function within kernelspace." << endl;
+ Console::out() << "\t Found " << Console::color(ctNumber)
+ << stats.pointToModule
+ << Console::color(ctReset) << " point into the code
section of a module." << endl;
Console::out() << "\t Detected " << Console::color(ctError)
- << stats.invalidAddress + stats.pointToNXMemory +
stats.pointsNotToKernelFunction
+ << stats.invalidAddress + stats.pointToNXMemory +
stats.unkown
<< Console::color(ctReset) << " invalid Function
Pointers." << endl;
Console::out() << "\t\t " << Console::color(ctError)
<< stats.invalidAddress
@@ -484,8 +559,8 @@
<< stats.pointToNXMemory
<< Console::color(ctReset) << " point to a NX region."
<< endl;
Console::out() << "\t\t " << Console::color(ctError)
- << stats.pointsNotToKernelFunction
- << Console::color(ctReset) << " point NOT to the
beginning of a kernel function.\n" << endl;
+ << stats.unkown
+ << Console::color(ctReset) << " do neither point to
module or kernel code.\n" << endl;
}
@@ -523,6 +598,9 @@
_current_page = begin;
_final_page = end;
+ // Set index
+ _current_index = index;
+
// Statistics
quint64 processed_pages = 0;
quint64 executeable_pages = 0;
=======================================
--- /trunk/libinsight/include/insight/detect.h Thu Jul 11 00:43:25 2013
+++ /trunk/libinsight/include/insight/detect.h Thu Jul 11 10:55:55 2013
@@ -17,6 +17,13 @@
UNDEFINED
};
+ enum FunctionSource
+ {
+ MEMORY_MAP,
+ SYSTEM_MAP,
+ UNKOWN
+ };
+
struct ExecutablePage
{
ExecutablePage() : address(0), type(UNDEFINED), module(""),
@@ -49,7 +56,8 @@
struct FunctionPointerStats
{
FunctionPointerStats() : total(0), userlandPointer(0),
defaultValue(0),
- invalidAddress(0), pointToNXMemory(0),
pointsNotToKernelFunction(0) {}
+ pointToKernelFunction(0), pointToModule(0),
+ invalidAddress(0), pointToNXMemory(0), unkown(0) {}
// Convenient
quint64 total;
@@ -57,11 +65,26 @@
// Valid
quint64 userlandPointer;
quint64 defaultValue;
+ quint64 pointToKernelFunction;
+ quint64 pointToModule;
// Invalid
quint64 invalidAddress;
quint64 pointToNXMemory;
- quint64 pointsNotToKernelFunction;
+ quint64 unkown;
+ };
+
+ struct FunctionInfo
+ {
+ FunctionInfo() : source(UNKOWN), memory_function(0),
system_function("") {}
+ FunctionInfo(FunctionSource source, const Function *f) :
+ source(source), memory_function(f), system_function("") {}
+ FunctionInfo(FunctionSource source, const QString &functionName) :
+ source(source), memory_function(0),
system_function(functionName) {}
+
+ FunctionSource source;
+ const Function *memory_function;
+ const QString &system_function;
};
Detect(KernelSymbols &sym);
@@ -81,9 +104,10 @@
QString _current_file;
QMultiHash<QString, ExecutableSection> *ExecutableSections;
- QMultiHash<quint64, const Function *> *Functions;
+ QMultiHash<quint64, FunctionInfo> *Functions;
const KernelSymbols &_sym;
+ quint64 _current_index;
static QMultiHash<quint64, ExecutablePage> *ExecutablePages;
@@ -92,6 +116,7 @@
void verifyHashes(QMultiHash<quint64, ExecutablePage> *current);
void buildFunctionList(MemoryMap *map);
bool pointsToKernelFunction(MemoryMap *map, Instance &funcPointer);
+ bool pointsToModuleCode(Instance &functionPointer);
void verifyFunctionPointer(MemoryMap *map, Instance &funcPointer,
FunctionPointerStats &stats);
void verifyFunctionPointers(MemoryMap *map);
=======================================
--- /trunk/libinsight/memorymap.cpp Mon Jun 24 07:45:33 2013
+++ /trunk/libinsight/memorymap.cpp Thu Jul 11 10:55:55 2013
@@ -410,7 +410,7 @@
checkOperationProgress();
}
- // Add all functions to the map, but no to the queue
+ // Add all functions to the map, but not to the queue
for (BaseTypeList::const_iterator it = factory()->types().begin(),
e = factory()->types().end(); it != e; ++it)
{