// Derived from ntoskrnl and win32k debug symbols using
// pdbparse's pdb_get_syscall_table.py (modified to work
// with 64-bit PDB)
//
// Four argument-count tables, one per (guest bitness, syscall table) pair.
// Each entry is the number of arguments taken by the system call whose
// ordinal (the low 12 bits of EAX) equals its index; bits 12-15 of EAX pick
// the table (0 = nt, 1 = win32k).  The index is copied straight out of a
// guest register, so every lookup must be bounds-checked against
// sizeof(table)/sizeof(table[0]) before indexing.  The "win7" in the names
// marks these as build-specific: on another Windows build the counts will not
// line up and the wrong number of argument slots will be read.
//
// Windows 7, 32-bit guest, nt (ntoskrnl) syscall table.
static const int win7_32_nt_args[] = {6, 8, 11, 11, 16, 11, 16, 17, 3, 2, 2, 6,
6, 2, 1, 1, 3, 3, 4, 6, 9, 3, 11, 3, 6, 4, 3, 3, 3, 3, 3, 3, 2, 3, 6, 6, 5, 6,
3, 8, 4, 2, 2, 2, 3, 2, 3, 3, 2, 1, 1, 3, 2, 2, 2, 2, 3, 1, 1, 8, 2, 4, 3, 8, 5,
3, 11, 4, 3, 3, 7, 4, 8, 8, 4, 14, 4, 5, 4, 8, 9, 9, 10, 7, 7, 5, 4, 8, 11, 4,
13, 10, 6, 11, 5, 10, 2, 3, 2, 1, 1, 1, 1, 1, 3, 1, 2, 10, 0, 1, 1, 7, 6, 0, 2,
2, 6, 3, 5, 6, 2, 6, 3, 2, 2, 3, 1, 0, 4, 0, 3, 4, 1, 2, 10, 2, 0, 2, 3, 5, 6,
5, 7, 4, 7, 1, 2, 3, 3, 1, 4, 2, 0, 0, 2, 1, 2, 3, 8, 10, 2, 1, 4, 1, 1, 6, 3,
3, 10, 1, 1, 9, 10, 12, 8, 3, 5, 3, 3, 6, 3, 3, 3, 4, 3, 4, 5, 3, 12, 4, 4, 3,
4, 5, 3, 3, 3, 3, 4, 4, 5, 3, 5, 6, 3, 5, 2, 2, 2, 2, 3, 5, 6, 4, 3, 5, 2, 2, 2,
2, 2, 2, 1, 11, 7, 2, 9, 5, 2, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 1, 2, 5, 5,
5, 6, 5, 5, 2, 4, 2, 0, 9, 5, 6, 5, 5, 3, 4, 5, 4, 6, 1, 5, 3, 6, 6, 5, 5, 6, 3,
6, 9, 9, 2, 6, 5, 2, 1, 1, 5, 1, 4, 2, 3, 1, 5, 6, 2, 2, 2, 3, 3, 2, 4, 5, 2, 2,
3, 2, 3, 3, 1, 2, 2, 2, 2, 2, 2, 3, 3, 9, 0, 2, 2, 2, 3, 1, 2, 1, 2, 4, 2, 1, 1,
1, 5, 4, 5, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 2, 5, 6, 6, 1, 1, 4, 3, 2, 5, 3, 3, 2,
2, 7, 4, 3, 1, 6, 5, 1, 2, 4, 2, 1, 1, 1, 2, 6, 2, 2, 2, 0, 0, 0, 6, 4, 4, 1, 1,
1, 2, 2, 5, 4, 2, 2, 4, 4, 5, 5, 3, 2, 1, 1, 1, 9, 9, 6, 5, 0};
// Windows 7, 32-bit guest, win32k (GUI) syscall table.
static const int win7_32_win32k_args[] = {1, 1, 6, 4, 5, 2, 3, 12, 6, 0, 1, 10,
2, 1, 11, 1, 8, 1, 2, 2, 6, 4, 3, 1, 4, 2, 5, 5, 1, 1, 8, 3, 1, 6, 11, 9, 4, 1,
3, 1, 5, 2, 3, 4, 4, 6, 6, 2, 4, 1, 1, 1, 7, 1, 3, 3, 2, 2, 3, 2, 2, 2, 1, 8, 8,
2, 6, 1, 1, 2, 2, 1, 2, 5, 2, 2, 2, 2, 2, 3, 2, 2, 2, 2, 2, 2, 3, 2, 11, 2, 2,
1, 2, 2, 2, 2, 3, 3, 3, 2, 2, 2, 3, 2, 2, 2, 2, 2, 4, 2, 2, 2, 2, 2, 2, 2, 2, 4,
2, 3, 2, 6, 1, 1, 2, 1, 4, 1, 2, 4, 6, 4, 5, 1, 1, 3, 1, 1, 8, 4, 2, 7, 5, 11,
3, 8, 5, 3, 3, 9, 1, 3, 1, 0, 2, 5, 5, 4, 2, 3, 2, 3, 4, 3, 6, 6, 1, 6, 2, 2, 1,
3, 3, 1, 2, 3, 2, 2, 2, 9, 2, 3, 5, 5, 5, 7, 5, 6, 8, 3, 3, 3, 2, 3, 2, 2, 2, 2,
4, 4, 3, 3, 2, 2, 3, 2, 7, 4, 5, 1, 5, 2, 1, 3, 5, 8, 4, 3, 3, 6, 7, 10, 0, 2,
2, 2, 7, 6, 5, 8, 0, 0, 5, 2, 3, 5, 2, 13, 3, 1, 4, 3, 3, 8, 6, 5, 1, 11, 4, 5,
4, 3, 3, 3, 1, 5, 2, 2, 6, 1, 5, 2, 2, 7, 1, 6, 6, 2, 2, 2, 2, 2, 2, 3, 4, 3, 2,
4, 2, 2, 2, 16, 1, 3, 3, 3, 3, 1, 3, 1, 1, 3, 2, 4, 2, 5, 2, 3, 5, 3, 4, 1, 12,
16, 1, 1, 1, 5, 11, 2, 1, 1, 1, 1, 2, 1, 3, 3, 3, 2, 8, 1, 4, 7, 4, 4, 2, 2, 2,
3, 3, 2, 4, 1, 2, 3, 2, 4, 3, 5, 6, 1, 1, 3, 1, 2, 3, 4, 1, 0, 1, 1, 3, 2, 3, 0,
2, 4, 6, 1, 4, 15, 8, 5, 8, 2, 3, 1, 2, 1, 1, 1, 1, 1, 0, 0, 3, 5, 4, 4, 7, 11,
5, 0, 3, 3, 2, 0, 2, 4, 4, 4, 1, 2, 4, 3, 5, 1, 2, 6, 2, 1, 1, 2, 0, 1, 5, 3, 2,
3, 0, 0, 0, 1, 2, 3, 4, 3, 4, 1, 1, 3, 0, 0, 2, 2, 6, 4, 4, 2, 2, 3, 2, 1, 1, 3,
1, 1, 4, 2, 4, 4, 5, 5, 0, 2, 0, 3, 5, 4, 3, 3, 3, 2, 1, 1, 2, 1, 3, 3, 3, 2, 2,
1, 2, 2, 2, 1, 3, 1, 4, 1, 2, 2, 4, 12, 3, 2, 3, 3, 1, 1, 2, 8, 1, 1, 0, 2, 4,
4, 7, 3, 0, 2, 2, 6, 3, 4, 4, 2, 3, 3, 4, 2, 1, 3, 5, 2, 4, 4, 3, 2, 4, 2, 1, 2,
3, 6, 2, 4, 7, 2, 4, 4, 3, 1, 1, 1, 1, 3, 2, 1, 4, 7, 8, 3, 3, 1, 2, 1, 1, 4, 3,
3, 1, 1, 2, 4, 1, 5, 1, 2, 4, 4, 1, 3, 2, 3, 1, 4, 2, 1, 2, 3, 4, 2, 4, 2, 2, 3,
1, 2, 2, 4, 0, 2, 2, 2, 4, 2, 7, 3, 3, 3, 3, 6, 4, 3, 8, 1, 3, 2, 2, 0, 2, 4, 1,
2, 6, 7, 1, 6, 5, 5, 6, 3, 2, 1, 1, 1, 1, 3, 0, 2, 3, 3, 10, 4, 4, 1, 3, 1, 2,
1, 3, 3, 1, 0, 2, 2, 0, 3, 4, 0, 0, 3, 2, 0, 3, 1, 0, 2, 3, 4, 2, 2, 3, 0, 2, 2,
4, 1, 3, 2, 4, 1, 4, 4, 5, 2, 3, 2, 5, 6, 3, 6, 4, 4, 6, 3, 6, 1, 1, 3, 1, 1,
11, 11, 11, 1, 8, 7, 10, 5, 9, 7, 10, 8, 10, 13, 4, 2, 1, 3, 5, 1, 1, 0, 1, 1,
2, 1, 1, 5, 2, 3, 1, 5, 1, 1, 2, 2, 2, 3, 3, 4, 1, 1, 2, 2, 1, 4, 3, 1, 1, 4, 6,
1, 4, 2, 1, 3, 3, 4, 4, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 2, 2,
1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 2, 1, 2, 4, 3, 1,
5, 3, 1, 2, 3, 2, 4, 2, 2, 0, 2, 1, 2, 4, 4, 4, 4};
// Windows 7, 64-bit guest, nt (ntoskrnl) syscall table.
static const int win7_64_nt_args[] = {3, 3, 3, 9, 10, 9, 5, 3, 4, 2, 4, 2, 1, 5,
5, 3, 6, 3, 2, 5, 6, 6, 5, 5, 9, 4, 7, 4, 2, 2, 5, 3, 6, 4, 5, 4, 5, 10, 11, 2,
5, 2, 1, 9, 5, 4, 2, 6, 6, 2, 11, 4, 3, 5, 10, 5, 3, 7, 2, 1, 5, 3, 6, 6, 2, 1,
5, 0, 3, 5, 5, 7, 2, 2, 9, 8, 2, 5, 5, 2, 2, 6, 11, 5, 6, 3, 16, 1, 5, 4, 2, 4,
5, 6, 2, 7, 6, 8, 11, 11, 16, 17, 2, 2, 6, 2, 1, 1, 3, 3, 4, 9, 3, 11, 3, 6, 4,
3, 3, 3, 3, 3, 3, 2, 3, 6, 6, 5, 6, 3, 8, 4, 2, 2, 3, 3, 2, 2, 2, 2, 3, 4, 1, 8,
4, 3, 8, 3, 4, 3, 3, 8, 4, 8, 4, 14, 4, 5, 4, 8, 9, 10, 7, 5, 4, 11, 4, 13, 10,
6, 11, 5, 10, 2, 3, 1, 1, 1, 1, 1, 3, 1, 2, 0, 1, 1, 0, 2, 2, 3, 5, 2, 6, 2, 3,
1, 0, 4, 0, 3, 1, 2, 2, 0, 2, 3, 5, 6, 5, 7, 4, 7, 1, 3, 3, 1, 4, 0, 0, 2, 1, 2,
3, 8, 10, 2, 1, 4, 1, 1, 6, 3, 1, 1, 9, 10, 12, 8, 5, 3, 3, 3, 4, 4, 5, 3, 3,
12, 4, 3, 5, 3, 3, 3, 4, 3, 5, 6, 3, 2, 2, 2, 2, 3, 6, 5, 4, 3, 2, 2, 2, 2, 7,
2, 9, 2, 5, 5, 5, 5, 5, 5, 5, 5, 1, 2, 5, 5, 6, 5, 2, 4, 0, 9, 6, 5, 5, 3, 4, 5,
6, 3, 6, 3, 6, 2, 2, 1, 1, 5, 1, 4, 1, 6, 2, 2, 2, 3, 3, 2, 2, 2, 3, 3, 1, 2, 2,
2, 2, 2, 3, 3, 9, 0, 2, 2, 2, 3, 1, 2, 1, 2, 4, 1, 1, 5, 4, 4, 4, 4, 4, 4, 4, 4,
2, 5, 6, 6, 1, 1, 4, 3, 2, 5, 3, 3, 2, 2, 4, 3, 1, 5, 1, 2, 4, 2, 1, 1, 1, 2, 6,
2, 0, 0, 0, 6, 4, 1, 1, 1, 2, 2, 5, 4, 2, 4, 4, 2, 1, 1, 1};
// Windows 7, 64-bit guest, win32k (GUI) syscall table.
static const int win7_64_win32k_args[] = {1, 5, 2, 1, 3, 1, 4, 7, 11, 1, 1, 4,
0, 2, 2, 4, 2, 3, 0, 4, 2, 2, 1, 2, 4, 2, 1, 2, 7, 3, 4, 1, 5, 2, 0, 1, 7, 1, 2,
3, 3, 16, 3, 3, 3, 4, 3, 1, 4, 12, 4, 2, 4, 2, 1, 1, 9, 2, 2, 1, 0, 3, 3, 3, 3,
3, 4, 2, 1, 3, 2, 6, 5, 1, 4, 3, 3, 3, 4, 6, 2, 1, 3, 8, 3, 1, 0, 4, 2, 2, 6, 4,
4, 5, 6, 4, 11, 2, 3, 3, 1, 7, 2, 2, 4, 13, 7, 7, 5, 5, 5, 5, 1, 2, 5, 3, 6, 3,
15, 2, 1, 7, 3, 3, 12, 3, 3, 2, 4, 16, 3, 1, 4, 9, 3, 1, 4, 4, 3, 1, 6, 4, 1, 2,
5, 1, 3, 3, 5, 2, 3, 5, 6, 5, 9, 1, 2, 1, 3, 11, 2, 1, 2, 8, 4, 2, 1, 3, 1, 2,
2, 11, 2, 4, 4, 4, 7, 3, 2, 4, 3, 1, 0, 3, 2, 5, 1, 3, 3, 2, 8, 3, 4, 4, 3, 6,
2, 2, 2, 6, 3, 0, 3, 8, 2, 2, 0, 2, 1, 3, 3, 3, 3, 2, 3, 5, 0, 2, 8, 1, 3, 1, 3,
3, 1, 4, 2, 4, 1, 3, 5, 2, 3, 3, 6, 4, 3, 1, 6, 1, 3, 2, 4, 6, 0, 1, 2, 4, 0, 2,
3, 3, 2, 2, 1, 2, 1, 3, 3, 3, 8, 1, 1, 2, 2, 1, 1, 1, 2, 5, 2, 0, 5, 2, 1, 1, 4,
1, 8, 4, 1, 2, 1, 2, 1, 1, 2, 1, 1, 2, 6, 4, 3, 6, 0, 10, 2, 1, 2, 1, 1, 2, 3,
5, 1, 1, 2, 8, 2, 2, 6, 4, 2, 5, 8, 4, 3, 1, 5, 6, 6, 4, 1, 1, 1, 3, 2, 2, 5, 1,
3, 3, 3, 2, 2, 2, 2, 8, 1, 4, 2, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 2, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 2,
2, 2, 5, 2, 2, 2, 2, 2, 1, 3, 2, 2, 2, 2, 2, 2, 3, 2, 11, 2, 0, 2, 1, 2, 2, 2,
3, 3, 2, 2, 3, 2, 2, 4, 1, 1, 4, 4, 3, 2, 2, 2, 2, 4, 2, 2, 2, 2, 2, 2, 2, 2, 2,
4, 2, 6, 5, 1, 1, 3, 1, 7, 3, 11, 1, 3, 6, 6, 0, 4, 4, 6, 1, 1, 1, 1, 3, 7, 10,
9, 1, 1, 5, 11, 11, 13, 10, 8, 10, 8, 1, 8, 4, 7, 5, 2, 5, 2, 1, 1, 2, 1, 3, 1,
1, 2, 5, 5, 3, 3, 4, 3, 6, 6, 2, 1, 2, 2, 2, 1, 1, 2, 7, 0, 3, 5, 5, 7, 2, 5, 6,
8, 3, 3, 2, 3, 2, 3, 2, 2, 4, 2, 3, 4, 2, 7, 4, 5, 5, 2, 8, 6, 10, 6, 4, 4, 4,
6, 8, 4, 0, 5, 2, 4, 4, 1, 1, 4, 3, 2, 3, 1, 4, 2, 1, 11, 4, 4, 3, 3, 3, 6, 2,
5, 2, 7, 3, 3, 4, 1, 1, 6, 6, 2, 2, 2, 2, 2, 2, 2, 2, 3, 3, 3, 3, 2, 4, 2, 5, 3,
2, 3, 3, 4, 1, 1, 1, 1, 11, 4, 4, 4, 1, 1, 1, 5, 2, 4, 1, 2, 1, 3, 1, 4, 4, 5,
2, 4, 4, 3, 1, 2, 4, 1, 6, 1, 8, 3, 1, 1, 1, 1, 0, 0, 3, 5, 4, 4, 7, 5, 1, 0, 0,
1, 1, 1, 2, 1, 1, 1, 0, 2, 1, 3, 6, 3, 2, 2, 4, 2, 2, 3, 3, 1, 4, 1, 2, 4, 5, 2,
3, 5, 4, 3, 3, 1, 4, 3, 2, 2, 2, 2, 2, 3, 1, 3, 4, 1, 4, 4, 2, 12, 2, 4, 5, 2,
1, 2, 8, 1, 0, 2, 0, 2, 2, 4, 4, 2, 4, 3, 3, 3, 3, 4, 3, 2, 3, 6, 4, 2, 1, 3, 2,
2, 4, 3, 1, 2, 1, 4, 3, 4, 0, 0, 1, 1, 4, 2, 1, 3, 2, 5, 5, 5, 1, 2, 4, 4, 3, 2,
1, 2, 4, 0, 2, 4, 2, 3, 2, 2, 2, 3, 4, 1, 3, 2, 4, 3, 2, 0, 2, 2, 4, 1, 0, 2, 1,
6, 1, 1, 2, 0, 0, 3, 3, 10, 1, 3, 3, 1, 3, 1, 2, 0, 4, 4};
/* PANDABEGINCOMMENT
*
* Authors:
* Tim Leek tleek@ll.mit.edu
* Ryan Whelan rwhelan@ll.mit.edu
* Joshua Hodosh josh.hodosh@ll.mit.edu
* Michael Zhivich mzhivich@ll.mit.edu
* Brendan Dolan-Gavitt brendandg@gatech.edu
*
* This work is licensed under the terms of the GNU GPL, version 2.
* See the COPYING file in the top-level directory.
*
PANDAENDCOMMENT */
// This needs to be defined before anything is included in order to get
// the PRIx64 macro
#define __STDC_FORMAT_MACROS
#include <zlib.h>
#include "config.h"
#include "qemu-common.h"
#include "panda_plugin.h"
#include "panda_common.h"
#include "argnums.h"
// Plugin entry points invoked by PANDA's plugin loader.
bool init_plugin(void *);
void uninit_plugin(void *);
// Translate-time filter: true for instructions that should get exec_callback.
bool translate_callback(CPUState *env, target_ulong pc);
// Invoked for each instruction selected by translate_callback; records the
// system call and its arguments in sclog.
int exec_callback(CPUState *env, target_ulong pc);
// Output log: a stream of packed syscall_entry records, one per intercepted
// system call (opened in init_plugin, appended to in exec_callback, closed in
// uninit_plugin).
gzFile sclog;
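// Translate-time filter: decide whether the instruction at pc is one of the
// two x86 system-call entry instructions, `syscall` (0F 05) or `sysenter`
// (0F 34).  Only those instructions get exec_callback attached.
//
// @param env  guest CPU state used to read guest virtual memory.
// @param pc   guest virtual address of the instruction being translated.
// @return true for syscall/sysenter on x86 targets; false otherwise, including
//         when the two opcode bytes cannot be read from the guest.
bool translate_callback(CPUState *env, target_ulong pc) {
#if defined(TARGET_I386)
    unsigned char buf[2] = {0};  // `{0}` rather than `{}`: the latter is not C11
    // A failed read (unmapped pc) previously fell through on the zeroed buffer;
    // reject it explicitly so the intent is visible.
    if (panda_virtual_memory_rw(env, pc, buf, sizeof buf, 0) != 0) {
        return false;
    }
    if (buf[0] == 0x0F && (buf[1] == 0x05 || buf[1] == 0x34)) {
        return true;
    }
#endif
    return false;
}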
// On-disk record written to sclog for every intercepted system call.  Packed
// so the in-memory struct can be handed to gzwrite() as-is, with no padding
// between the header fields and the variable-length argument vector.
#pragma pack(1)
typedef struct _syscall_entry {
uint32_t asid;     // address-space id of the calling process (panda_current_asid)
uint16_t ordinal;  // raw EAX truncated to 16 bits: low 12 bits are the ordinal,
                   // bits 12-15 select the table (0 = nt, 1 = win32k)
uint16_t num_args; // number of entries that follow in args[]
uint64_t args[];   // argument values; 32-bit guest values are zero-extended
} syscall_entry;
#pragma pack()
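#ifdef TARGET_I386
/*
 * Map a Windows 7 syscall number onto its argument count.
 *
 * @param is_64bit  true when the guest is in long mode (HF_LMA_MASK set).
 * @param table     bits 12-15 of EAX: 0 selects the nt table, 1 win32k.
 * @param ordinal   low 12 bits of EAX, the index into that table.
 * @return argument count, or 0 for an unknown table id or an ordinal outside
 *         the table.  Both inputs are copied straight out of a guest register,
 *         so an invalid syscall number is logged with zero arguments instead
 *         of aborting the whole emulator (the previous assert()).  Unknown
 *         table ids were already treated this way.
 */
static int lookup_num_args(bool is_64bit, int table, int ordinal) {
    const int *counts = NULL;
    size_t len = 0;
    if (is_64bit) {
        if (table == 0) {
            counts = win7_64_nt_args;
            len = sizeof(win7_64_nt_args) / sizeof(win7_64_nt_args[0]);
        } else if (table == 1) {
            counts = win7_64_win32k_args;
            len = sizeof(win7_64_win32k_args) / sizeof(win7_64_win32k_args[0]);
        }
    } else {
        if (table == 0) {
            counts = win7_32_nt_args;
            len = sizeof(win7_32_nt_args) / sizeof(win7_32_nt_args[0]);
        } else if (table == 1) {
            counts = win7_32_win32k_args;
            len = sizeof(win7_32_win32k_args) / sizeof(win7_32_win32k_args[0]);
        }
    }
    if (counts == NULL || ordinal < 0 || (size_t)ordinal >= len) {
        return 0;
    }
    return counts[ordinal];
}
#endif

/*
 * Runs for each instruction selected by translate_callback (syscall/sysenter).
 * Builds one packed syscall_entry -- asid, raw syscall number, argument count
 * and the argument values -- and appends it to sclog.
 *
 * @param env  guest CPU state; EAX holds the syscall number, the remaining
 *             registers/stack hold the arguments per the Windows 7 convention.
 * @param pc   address of the syscall instruction (unused).
 * @return 0 always; on non-x86 targets the body is compiled out.
 */
int exec_callback(CPUState *env, target_ulong pc) {
#ifdef TARGET_I386
    (void)pc;
    uint32_t sc_num = EAX;  // not `syscall`: that shadows the libc function
    int table = (sc_num >> 12) & 0xf;
    int ordinal = sc_num & 0xfff;
    bool is_64bit = (env->hflags & HF_LMA_MASK) != 0;
    int num_args = lookup_num_args(is_64bit, table, ordinal);

    size_t sc_size = sizeof(syscall_entry) + sizeof(uint64_t) * (size_t)num_args;
    syscall_entry *sc = g_malloc0(sc_size);  // g_malloc0 aborts on OOM
    // Whole EAX value truncated to 16 bits, so the table selector in bits
    // 12-15 travels with the ordinal.
    sc->ordinal = (uint16_t)sc_num;
    sc->num_args = (uint16_t)num_args;
    sc->asid = panda_current_asid(env);

    if (is_64bit) {
        for (int i = 0; i < num_args; i++) {
            // First four arguments in RCX, RDX, R8, R9; the rest on the stack
            // past the 8-byte return address and the 0x20-byte spill area:
            // [RSP+0x28], [RSP+0x30], ...
            // NOTE(review): reading RCX assumes this callback fires before the
            // syscall instruction clobbers it -- confirm against insn_exec.
            if (i == 0) {
                sc->args[i] = ECX;
            } else if (i == 1) {
                sc->args[i] = EDX;
            } else if (i == 2) {
                sc->args[i] = env->regs[8];
            } else if (i == 3) {
                sc->args[i] = env->regs[9];
            } else {
                uint64_t arg = 0;  // stays 0 if the stack page is unreadable
                panda_virtual_memory_rw(env, ESP + 0x28 + 8 * (i - 4),
                                        (uint8_t *)&arg, sizeof arg, false);
                sc->args[i] = arg;
            }
        }
    } else {
        // 32-bit: everything is on the stack; Windows 7 places the first
        // argument at EDX + 8.
        for (int i = 0; i < num_args; i++) {
            uint32_t arg = 0;  // stays 0 if the stack page is unreadable
            panda_virtual_memory_rw(env, EDX + 8 + 4 * i,
                                    (uint8_t *)&arg, sizeof arg, false);
            sc->args[i] = arg;  // zero-extended to 64 bits
        }
    }

    // gzwrite returns 0 on error; report it rather than silently drop a record.
    if (gzwrite(sclog, sc, (unsigned int)sc_size) == 0) {
        int errnum = 0;
        fprintf(stderr, "countsc: gzwrite failed: %s\n", gzerror(sclog, &errnum));
    }
    g_free(sc);  // previously leaked on every syscall
#endif
    return 0;
}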
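// Plugin initialisation: open the compressed syscall log and register the
// translate/exec callbacks.
//
// @param self  opaque plugin handle passed back to panda_register_callback.
// @return true on success; false if the log name does not fit or the log
//         cannot be opened (the callbacks are then not registered).
bool init_plugin(void *self) {
    panda_cb pcb = {0};
    panda_arg_list *args = panda_get_args("countsc");
    const char *prefix = panda_parse_string(args, "name", "countsc");
    char logfile[260] = {0};
    // prefix comes from the plugin command line; bound the write instead of
    // sprintf, which would overrun logfile for a long enough prefix.
    int n = snprintf(logfile, sizeof logfile, "%s_syscalls.dat.gz", prefix);
    if (n < 0 || (size_t)n >= sizeof logfile) {
        fprintf(stderr, "countsc: log file name too long\n");
        return false;
    }
    sclog = gzopen(logfile, "w");
    if (!sclog) {
        perror("gzopen");
        return false;
    }
    pcb.insn_translate = translate_callback;
    panda_register_callback(self, PANDA_CB_INSN_TRANSLATE, pcb);
    pcb.insn_exec = exec_callback;
    panda_register_callback(self, PANDA_CB_INSN_EXEC, pcb);
    return true;
}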
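// Plugin teardown: flush and close the syscall log.
//
// @param self  opaque plugin handle (unused).
void uninit_plugin(void *self) {
    (void)self;
    if (sclog == NULL) {
        return;  // init_plugin failed before the log was opened
    }
    // gzclose flushes buffered output; an unreported failure here would
    // silently truncate the end of the log.
    int rc = gzclose(sclog);
    if (rc != Z_OK) {
        fprintf(stderr, "countsc: gzclose failed (%d)\n", rc);
    }
    sclog = NULL;
}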