starting loaded x64

panda-re · Nov 15, 2024 · 0b3ee96 · 0b3ee96
1 parent 85555d5
commit 0b3ee96
Showing 1 changed file with 51 additions and 7 deletions.
diff --git a/panda/plugins/loaded/loaded.cpp b/panda/plugins/loaded/loaded.cpp
@@ -18,6 +18,7 @@ PANDAENDCOMMENT */
 #include <cstdio>
 #include <map>
 #include <memory>
+#include <sys/mman.h>
 
 #include "panda/plugin.h"
 #include "panda/plugin_plugin.h"
@@ -80,7 +81,7 @@ uint32_t guest_strncpy(CPUState *cpu, char *buf, size_t maxlen, target_ulong gue
     return i;
 }
 
-#if defined(TARGET_I386) && !defined(TARGET_X86_64)
+#if defined(TARGET_I386)
 // 125 long sys_mprotect ['unsigned long start', ' size_t len', 'unsigned long prot']
 void linux_mprotect_return(CPUState* cpu,target_ulong pc,uint32_t start,uint32_t len,uint32_t prot) {
     if (debug) {
@@ -108,25 +109,59 @@ void linux_mmap_pgoff_return(CPUState *cpu,target_ulong pc,uint32_t addr,uint32_
     OsiProc proc = running_procs[asid];
     char *filename = osi_linux_fd_to_filename(cpu, &proc, fd);
     // gets us offset into the file.  could be useful
-    //uint64_t pos = osi_linux_fd_to_pos(env, &proc, fd);
+    // uint64_t pos = osi_linux_fd_to_pos(env, &proc, fd);
     // if a filename exists and permission is executable
-    // TODO: fix this magic constant of 0x04 for PROT_EXEC
-    if (filename != NULL && ((prot & 0x04) == 0x04)) {
+    if (filename != NULL && ((prot & PROT_EXEC) == PROT_EXEC)) {
         if (debug) {
             printf ("[loaded] linux_mmap_pgoff(fd=%d filename=[%s] "
                     "len=%d prot=%x flags=%x "
                     "pgoff=%d)=" TARGET_FMT_lx "\n", (int) fd,
                     filename, len, prot, flags, pgoff, env->regs[R_EAX]);
         }
-        PPP_RUN_CB(on_library_load, cpu, pc, filename, env->regs[R_EAX], len)
-    } else if ((prot & 0x04) == 0x04) {
+        PPP_RUN_CB(on_library_load, cpu, pc, filename, env->regs[R_EAX], len);
+    } else if ((prot & PROT_EXEC) == PROT_EXEC) {
         printf("[loaded] mapped executable section without a filename!\n");
         printf ("[loaded] linux_mmap_pgoff(fd=%d "
                 "len=%d prot=%x flags=%x "
                 "pgoff=%d)=" TARGET_FMT_lx "\n", (int) fd,
                 len, prot, flags, pgoff, env->regs[R_EAX]);
     }
 }
+// https://man7.org/linux/man-pages/man2/mmap.2.html
+// https://github.com/panda-re/panda/blob/dev/panda/plugins/syscalls2/generated/syscalls_ext_typedefs_x64.h#L7405-L7412
+#elif defined(TARGET_X86_64)
+void linux_mmap_return(CPUState *cpu, target_ulong pc,
+                        uint64_t addr, uint64_t len, uint64_t prot, 
+                        uint64_t flags, uint64_t fd, uint64_t offset) {
+
+    CPUArchState *env = (CPUArchState*)cpu->env_ptr;
+    target_ulong asid = panda_current_asid(cpu);
+    if (running_procs.count(asid) == 0) {
+        //printf ("linux_mmap_pgoff_enter for asid=0x%x fd=%d -- dont know about that asid.  discarding \n", (unsigned int) asid, (int) fd);
+        return;
+    }
+    if ((int32_t) fd == -1) {
+        //printf ("linux_mmap_pgoff_enter for asid=0x%x fd=%d flags=%x -- not valid fd . . . \n", (unsigned int) asid, (int) fd, flags);
+        return;
+    }
+    OsiProc proc = running_procs[asid];
+    char *filename = osi_linux_fd_to_filename(cpu, &proc, fd);
+    // gets us offset into the file.  could be useful
+    // uint64_t pos = osi_linux_fd_to_pos(env, &proc, fd);
+    // if a filename exists and permission is executable
+    if (filename != NULL && ((prot & PROT_EXEC) == PROT_EXEC)) {
+        if (debug) {
+            printf("[loaded] linux_mmap_pgoff(fd=%lu filename=[%s] len=%lu prot=%lx flags=%lx pgoff=%lu)=%lx\n", 
+                   fd, filename, len, prot, flags, offset, (unsigned long)env->regs[R_EAX]);
+        }
+        PPP_RUN_CB(on_library_load, cpu, pc, filename, env->regs[R_EAX], len);
+    } 
+    else if ((prot & PROT_EXEC) == PROT_EXEC) {
+        printf("[loaded] mapped executable section without a filename!\n");
+        printf("[loaded] linux_mmap_pgoff(fd=%lu len=%lu prot=%lx flags=%lx pgoff=%lu)=%lx\n", 
+               fd, len, prot, flags, offset, (unsigned long)env->regs[R_EAX]);
+    }
+}
 #endif
 
 // get current process before each bb execs
@@ -174,7 +209,7 @@ bool init_plugin(void *self) {
     assert(init_osi_linux_api());
     panda_require("syscalls2");
 
-#if defined(TARGET_I386) && !defined(TARGET_X86_64)
+#if defined(TARGET_I386)
     {
         panda_cb pcb;
         pcb.before_block_exec = osi_foo;
@@ -185,6 +220,15 @@ bool init_plugin(void *self) {
     // don't use these at them moment
     //PPP_REG_CB("syscalls2", on_sys_old_mmap_return, linux_old_mmap_return);
     //PPP_REG_CB("syscalls2", on_sys_mprotect_return, linux_mprotect_return);
+#elif defined(TARGET_X86_64)
+    {
+        panda_cb pcb;
+        pcb.before_block_exec = osi_foo;
+        panda_register_callback(self, PANDA_CB_BEFORE_BLOCK_EXEC, pcb);
+    }
+    // Tell Plugin 'syscall2', that if a systemcall 'mmap' occurs, then run the code in ;'linux_mmap_return'
+    // https://www.linuxquestions.org/questions/linux-general-1/difference-between-mmap2-syscall-and-mmap_pgoff-syscall-for-32-bit-linux-4175622986/
+    PPP_REG_CB("syscalls2", on_sys_mmap_return, linux_mmap_return);
 #else
     fprintf(stderr, "The loaded plugin is not currently supported on this platform.\n");
     return false;