
实现内存数据自由读取
SeeFlowerX committed Jan 2, 2024
1 parent 4300f98 commit 8e2c9e8
Showing 5 changed files with 78 additions and 61 deletions.
2 changes: 2 additions & 0 deletions src/types.h
Expand Up @@ -84,6 +84,8 @@ enum op_code_e
OP_SET_BREAK_COUNT_REG_VALUE,
OP_SET_BREAK_COUNT_POINTER_VALUE,
OP_SAVE_ADDR,
OP_ADD_REG,
OP_SUB_REG,
OP_READ_REG,
OP_SAVE_REG,
OP_READ_POINTER,
6 changes: 6 additions & 0 deletions src/utils.h
Expand Up @@ -138,6 +138,12 @@ static __noinline u32 read_args(program_data_t* p, point_args_t* point_args, op_
save_to_submit_buf(p->event, (void *)&op_ctx->read_addr, sizeof(op_ctx->read_addr), op_ctx->save_index);
op_ctx->save_index += 1;
break;
case OP_ADD_REG:
op_ctx->read_addr += op_ctx->reg_value;
break;
case OP_SUB_REG:
op_ctx->read_addr -= op_ctx->reg_value;
break;
case OP_READ_REG:
if (op->pre_code == OP_SET_REG_INDEX) {
op_ctx->reg_index = op->value;
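Review bot: The new OP_ADD_REG and OP_SUB_REG cases do not say which value they consume: op_ctx->reg_value is whatever the most recent OP_READ_REG left there, and nothing visible in this hunk resets it, so an op list that emits ADD_REG before any READ_REG silently adds a stale register value to read_addr. I would put `// read_addr +/-= the register value loaded by the preceding OP_READ_REG; the op list must emit READ_REG first` above the two cases so the contract with the user-space op builder is explicit. The arithmetic is plain u64 wraparound, which is presumably harmless only because the resulting address is later dereferenced through a checked probe-read — worth a one-line comment if that is the assumption. read_args continues outside the hunk on both sides.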
14 changes: 14 additions & 0 deletions user/argtype/op_helper.go
Expand Up @@ -24,6 +24,8 @@ const (
OP_SET_BREAK_COUNT_REG_VALUE
OP_SET_BREAK_COUNT_POINTER_VALUE
OP_SAVE_ADDR
OP_ADD_REG
OP_SUB_REG
OP_READ_REG
OP_SAVE_REG
OP_READ_POINTER
Expand Down Expand Up @@ -81,6 +83,16 @@ func Add_READ_SAVE_REG(value uint64) *OpConfig {
return OPM.AddOp(op)
}

func Add_READ_MOVE_REG(value uint64) *OpConfig {
op := &OpConfig{}
op.Name = fmt.Sprintf("%s_%d", "READ_MOVE_REG", value)
op.Code = OP_READ_REG
op.PreCode = OP_SET_REG_INDEX
op.PostCode = OP_MOVE_REG_VALUE
op.Value = value
return OPM.AddOp(op)
}

func SaveStruct(value uint64) *OpConfig {
op := &OpConfig{}
op.Name = fmt.Sprintf("%s_%d", "SAVE_STRUCT", value)
Expand Down Expand Up @@ -265,6 +277,8 @@ var OPC_SET_BREAK_COUNT = ROP("OP_SET_BREAK_COUNT", OP_SET_BREAK_COUNT)
var OPC_SET_BREAK_COUNT_REG_VALUE = ROP("SET_BREAK_COUNT_REG_VALUE", OP_SET_BREAK_COUNT_REG_VALUE)
var OPC_SET_BREAK_COUNT_POINTER_VALUE = ROP("SET_BREAK_COUNT_POINTER_VALUE", OP_SET_BREAK_COUNT_POINTER_VALUE)
var OPC_SAVE_ADDR = ROP("SAVE_ADDR", OP_SAVE_ADDR)
var OPC_ADD_REG = ROP("ADD_REG", OP_ADD_REG)
var OPC_SUB_REG = ROP("SUB_REG", OP_SUB_REG)
var OPC_READ_REG = ROP("READ_REG", OP_READ_REG)
var OPC_SAVE_REG = ROP("SAVE_REG", OP_SAVE_REG)
var OPC_READ_POINTER = ROP("READ_POINTER", OP_READ_POINTER)
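Review bot: Add_READ_MOVE_REG is exported but undocumented, and its name does not reveal that it composes three opcodes; the only difference from Add_READ_SAVE_REG directly above it is the post-code. I would add `// Add_READ_MOVE_REG registers an OP_READ_REG op for register index value, with OP_SET_REG_INDEX as pre-code and OP_MOVE_REG_VALUE as post-code; the name is keyed by value so repeated calls for the same register presumably resolve to the same op.` above the function, hedged until OPM.AddOp's dedup behaviour is confirmed. The OPC_ADD_REG / OPC_SUB_REG variables would likewise benefit from a trailing comment noting that they operate on the reg_value loaded by the preceding READ_REG op, since that ordering constraint is otherwise invisible from this file.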
107 changes: 50 additions & 57 deletions user/config/config_module.go
Expand Up @@ -136,71 +136,64 @@ func (this *StackUprobeConfig) ParseArgType(arg_str string, point_arg *PointArg)
return err
}

// ./stackplz -n com.termux -l libtest.so -w 0x16254[buf:64:sp+0x20-0x8.+8.-4+0x16]
// read_op_str -> "sp+0x20-0x8.+8.-4+0x16"
// 该命令含义为
// 1. 在 libtest.so 偏移 0x16254 处hook
// 2. 计算 sp+0x20-0x8 后读取指针
// 3. 在上一步结果上 +8 后读取指针
// 4. 在上一步结果上 -4+0x16
// 5. 以上一步结果作为读取地址 读取 64 字节数据
if read_op_str != "" {
// read_op_str 0x12345[str:sp+0x20-0x8(+8(+16))]
// 即一系列 加、减、取指针 操作作为要读取类型的地址
// 后续写一个解析规则来处理
reg_name, read_offset := ParseArgIndex(read_op_str)
point_arg.SetRegIndex(GetRegIndex(reg_name))
if read_offset != "" {
var offset int64 = 0
if strings.HasPrefix(read_offset, "+") {
op_add_items := strings.Split(read_offset, "+")
for _, v := range op_add_items {
v = strings.TrimSpace(v)
if v == "" {
continue
}
op_sub_items := strings.Split(v, "-")
op_value, err := ParseStrAsNum(op_sub_items[0])
if err != nil {
return err
}
offset += int64(op_value)
if len(op_sub_items) > 1 {
for _, v2 := range op_sub_items[1:] {
v2 = strings.TrimSpace(v2)
op_value, err := ParseStrAsNum(v2)
if err != nil {
return err
}
offset -= int64(op_value)
}
}
// 即一系列 加、减、取指针 操作作为要读取类型的地址 通过以下规则来转换
has_first_op := false
for ptr_idx, op_str := range strings.Split(read_op_str, ".") {
if op_str == "" {
continue
}
if ptr_idx > 0 {
point_arg.AddExtraOp(argtype.OPC_READ_POINTER)
point_arg.AddExtraOp(argtype.OPC_MOVE_POINTER_VALUE)
}
v := op_str + "+"
last_op := ""
for {
i := strings.IndexAny(v, "+-")
if i < 0 {
break
}
} else if strings.HasPrefix(read_offset, "-") {
op_sub_items := strings.Split(read_offset, "-")
for _, v := range op_sub_items {
v = strings.TrimSpace(v)
if v == "" {
continue
}
op_add_items := strings.Split(v, "+")
op_value, err := ParseStrAsNum(op_add_items[0])
if err != nil {
return err
}
offset -= int64(op_value)
if len(op_add_items) > 1 {
for _, v2 := range op_add_items[1:] {
v2 = strings.TrimSpace(v2)
op_value, err := ParseStrAsNum(v2)
if err != nil {
return err
op := string(v[i])
token := string(v[0:i])
v = v[i+1:]
if token != "" {
if value, err := strconv.ParseUint(token, 0, 64); err == nil {
if !has_first_op {
panic(fmt.Sprintf("first op must be reg"))
}
if last_op == "-" {
point_arg.AddExtraOp(argtype.OPC_SUB_OFFSET.NewValue(value))
} else {
point_arg.AddExtraOp(argtype.OPC_ADD_OFFSET.NewValue(value))
}
} else {
reg_index := GetRegIndex(token)
point_arg.AddExtraOp(argtype.Add_READ_MOVE_REG(uint64(reg_index)))
if has_first_op {
if last_op == "-" {
point_arg.AddExtraOp(argtype.OPC_SUB_REG)
} else {
point_arg.AddExtraOp(argtype.OPC_ADD_REG)
}
offset += int64(op_value)
}
if !has_first_op {
has_first_op = true
}
}
}
} else {
return errors.New(fmt.Sprintf("parse read_offset:%s failed", read_offset))
}
if offset > 0 {
point_arg.AddExtraOp(argtype.OPC_ADD_OFFSET.NewValue(uint64(offset)))
} else if offset < 0 {
point_arg.AddExtraOp(argtype.OPC_ADD_OFFSET.NewValue(uint64(offset)))
last_op = op
}
}
point_arg.AddExtraOp(argtype.OPC_SAVE_ADDR)
}
return err
}
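Review bot: `panic(fmt.Sprintf("first op must be reg"))` in the numeric-token branch aborts the whole tool on a malformed `-w` expression even though ParseArgType already returns an error; replace it with `return fmt.Errorf("read op %q: first operand must be a register", read_op_str)` (the argument-less Sprintf is also what go vet flags). The register branch has the same gap: GetRegIndex(token) is called for every token that fails ParseUint, so a typo such as `sp+xo` becomes a register op unless GetRegIndex reports unknown names — check its result (REG_ARM64_MAX is the sentinel GetOpList compares against) and return an error rather than emitting an op. Separately, every register after the first is emitted via Add_READ_MOVE_REG, whose OP_MOVE_REG_VALUE post-code is the op the old GetOpList used to load the base register into read_addr; if it overwrites read_addr, `sp+x1` evaluates to x1+x1 instead of sp+x1, so non-first registers presumably need a READ_REG op without the move post-code so that OPC_ADD_REG/OPC_SUB_REG combine reg_value with the preserved read_addr. ParseArgType begins before the hunk.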
10 changes: 6 additions & 4 deletions user/config/config_point_arg.go
Expand Up @@ -25,6 +25,7 @@ func (this *PointArg) SetTypeIndex(type_index uint32) {
}

func (this *PointArg) AddExtraOp(op *argtype.OpConfig) {
// fmt.Println("op info:", op.Index, argtype.OPM.GetOpInfo(op.Index))
this.ExtraOpList = append(this.ExtraOpList, op.Index)
}

Expand Down Expand Up @@ -55,11 +56,12 @@ func (this *PointArg) GetOpList() []uint32 {
if this.RegIndex == REG_ARM64_MAX {
return op_list
}
op_list = append(op_list, argtype.Add_READ_SAVE_REG(uint64(this.RegIndex)).Index)
op_list = append(op_list, argtype.OPC_MOVE_REG_VALUE.Index)
if len(this.ExtraOpList) > 0 {
// 在基址的基础上做出系列 加、减、取指针 然后读取对应的类型
panic("...")
// 类型的最终读取地址 由 ExtraOpList 提供 记得读取之前要保存下地址
op_list = append(op_list, this.ExtraOpList...)
} else {
op_list = append(op_list, argtype.Add_READ_SAVE_REG(uint64(this.RegIndex)).Index)
op_list = append(op_list, argtype.OPC_MOVE_REG_VALUE.Index)
}
if this.ReadMore() {
for _, op_key := range argtype.GetOpKeyList(this.TypeIndex) {
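Review bot: GetOpList still returns early when this.RegIndex == REG_ARM64_MAX, but the rewritten read-op parser in config_module.go no longer appears to call SetRegIndex for the expression it parses; unless RegIndex is set somewhere before GetOpList runs, the new ExtraOpList branch is unreachable for `-w` arguments and the whole op list is dropped. Either make the guard `if this.RegIndex == REG_ARM64_MAX && len(this.ExtraOpList) == 0 { return op_list }` or keep setting the base register from the first token. The commented-out fmt.Println in AddExtraOp should be deleted rather than checked in. GetOpList's body continues past the hunk.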
