[panda-users] Iterate LabelSet in a plugin

Hij Krix hijkrix at gmail.com
Mon Mar 7 19:17:13 EST 2016 

Hello everyone.
We can use 'tstringsearch' to taint labels to a string. I want to know if
the origin string is tainted, what's the labels of each character of a
string generated by the origin string.
Now I have changed the tstringsearch.cpp, if there are any characters in a
string have been tainted before, display the labelset of the string rather
than taint on it.
This is what I have done:

>
> diff --git a/qemu/panda_plugins/tstringsearch/tstringsearch.cpp
> b/qemu/panda_plugins/tstringsearch/tstringsearch.cpp
> index ab4f21e..528b510 100644
> --- a/qemu/panda_plugins/tstringsearch/tstringsearch.cpp
> +++ b/qemu/panda_plugins/tstringsearch/tstringsearch.cpp
> @@ -55,6 +55,8 @@ void uninit_plugin(void *);
>
>  }
>
> +extern Shad *shadow;
> +
>  #ifdef CONFIG_SOFTMMU
>
>  bool tstringsearch_label_on = true;
> @@ -146,6 +148,32 @@ void tstringsearch_match(CPUState *env, target_ulong
> pc, target_ulong addr,
>      // yes, we can get this right. but, meh.
>      if ((memcmp((char *)thestring, (char *)matched_string,
> matched_string_length-1)) == 0) {
>          printf ("tstringsearch: string in memory @ 0x%lx\n", (long
> unsigned int) p);
> +
> +        bool tainted = false;
> +        for (unsigned i=0; i<matched_string_length; i++) {
> +            target_ulong va = p + i;
> +            target_phys_addr_t pa = cpu_get_phys_addr(cpu_single_env, va);
> +            if (taint2_query_ram(pa)) {
> +                tainted = true;
> +                break;
> +            }
> +        }
> +        if (tainted) {
> +            printf ("Tainted\n");
> +            for (unsigned i=0; i<matched_string_length; i++) {
> +                printf ("%d:", i);
> +                target_ulong va = p + i;
> +                target_phys_addr_t pa = cpu_get_phys_addr(cpu_single_env,
> va);
> +                tp_ls_ram_iter(shadow, pa, [](uint32_t el, void *stuff)
> ->int {
> +                                printf ("%d,", el);
> +                                return 0;
> +                            }, NULL);
> +                printf ("\n");
> +            }
> +            printf ("\n");
> +            return;
> +        }
> +
>          // ok this is ugly.  save pc, buffer addr and len
>          the_pc = pc;
>          the_buf = p;
>
> Now I have met two problems:
1. 'shadow' is a global variable, but because plugins are compiled
separately, the linker can't assign right address to 'shadow' here.
2. 'tp_ls_ram_iter' is declared in taint2.h, and it is written in c++, so I
can't import it with 'extern "C"'.

How to solve it, or how to change my code to make it works?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/pipermail/panda-users/attachments/20160307/595b232b/attachment.html

More information about the panda-users mailing list