|
| 1 | +/*********************IMPORTANT DRAKVUF LICENSE TERMS*********************** |
| 2 | + * * |
| 3 | + * DRAKVUF (C) 2014-2024 Tamas K Lengyel. * |
| 4 | + * Tamas K Lengyel is hereinafter referred to as the author. * |
| 5 | + * This program is free software; you may redistribute and/or modify it * |
| 6 | + * under the terms of the GNU General Public License as published by the * |
| 7 | + * Free Software Foundation; Version 2 ("GPL"), BUT ONLY WITH ALL OF THE * |
| 8 | + * CLARIFICATIONS AND EXCEPTIONS DESCRIBED HEREIN. This guarantees your * |
| 9 | + * right to use, modify, and redistribute this software under certain * |
| 10 | + * conditions. If you wish to embed DRAKVUF technology into proprietary * |
| 11 | + * software, alternative licenses can be acquired from the author. * |
| 12 | + * * |
| 13 | + * Note that the GPL places important restrictions on "derivative works", * |
| 14 | + * yet it does not provide a detailed definition of that term. To avoid * |
| 15 | + * misunderstandings, we interpret that term as broadly as copyright law * |
| 16 | + * allows. For example, we consider an application to constitute a * |
| 17 | + * derivative work for the purpose of this license if it does any of the * |
| 18 | + * following with any software or content covered by this license * |
| 19 | + * ("Covered Software"): * |
| 20 | + * * |
| 21 | + * o Integrates source code from Covered Software. * |
| 22 | + * * |
| 23 | + * o Reads or includes copyrighted data files. * |
| 24 | + * * |
| 25 | + * o Is designed specifically to execute Covered Software and parse the * |
| 26 | + * results (as opposed to typical shell or execution-menu apps, which will * |
| 27 | + * execute anything you tell them to). * |
| 28 | + * * |
| 29 | + * o Includes Covered Software in a proprietary executable installer. The * |
| 30 | + * installers produced by InstallShield are an example of this. Including * |
| 31 | + * DRAKVUF with other software in compressed or archival form does not * |
| 32 | + * trigger this provision, provided appropriate open source decompression * |
| 33 | + * or de-archiving software is widely available for no charge. For the * |
| 34 | + * purposes of this license, an installer is considered to include Covered * |
| 35 | + * Software even if it actually retrieves a copy of Covered Software from * |
| 36 | + * another source during runtime (such as by downloading it from the * |
| 37 | + * Internet). * |
| 38 | + * * |
| 39 | + * o Links (statically or dynamically) to a library which does any of the * |
| 40 | + * above. * |
| 41 | + * * |
| 42 | + * o Executes a helper program, module, or script to do any of the above. * |
| 43 | + * * |
| 44 | + * This list is not exclusive, but is meant to clarify our interpretation * |
| 45 | + * of derived works with some common examples. Other people may interpret * |
| 46 | + * the plain GPL differently, so we consider this a special exception to * |
| 47 | + * the GPL that we apply to Covered Software. Works which meet any of * |
| 48 | + * these conditions must conform to all of the terms of this license, * |
| 49 | + * particularly including the GPL Section 3 requirements of providing * |
| 50 | + * source code and allowing free redistribution of the work as a whole. * |
| 51 | + * * |
| 52 | + * Any redistribution of Covered Software, including any derived works, * |
| 53 | + * must obey and carry forward all of the terms of this license, including * |
| 54 | + * obeying all GPL rules and restrictions. For example, source code of * |
| 55 | + * the whole work must be provided and free redistribution must be * |
| 56 | + * allowed. All GPL references to "this License", are to be treated as * |
| 57 | + * including the terms and conditions of this license text as well. * |
| 58 | + * * |
| 59 | + * Because this license imposes special exceptions to the GPL, Covered * |
| 60 | + * Work may not be combined (even as part of a larger work) with plain GPL * |
| 61 | + * software. The terms, conditions, and exceptions of this license must * |
| 62 | + * be included as well. This license is incompatible with some other open * |
| 63 | + * source licenses as well. In some cases we can relicense portions of * |
| 64 | + * DRAKVUF or grant special permissions to use it in other open source * |
| 65 | + * software. Please contact tamas.k.lengyel@gmail.com with any such * |
| 66 | + * requests. Similarly, we don't incorporate incompatible open source * |
| 67 | + * software into Covered Software without special permission from the * |
| 68 | + * copyright holders. * |
| 69 | + * * |
| 70 | + * If you have any questions about the licensing restrictions on using * |
| 71 | + * DRAKVUF in other works, are happy to help. As mentioned above, * |
| 72 | + * alternative license can be requested from the author to integrate * |
| 73 | + * DRAKVUF into proprietary applications and appliances. Please email * |
| 74 | + * tamas.k.lengyel@gmail.com for further information. * |
| 75 | + * * |
| 76 | + * If you have received a written license agreement or contract for * |
| 77 | + * Covered Software stating terms other than these, you may choose to use * |
| 78 | + * and redistribute Covered Software under those terms instead of these. * |
| 79 | + * * |
| 80 | + * Source is provided to this software because we believe users have a * |
| 81 | + * right to know exactly what a program is going to do before they run it. * |
| 82 | + * This also allows you to audit the software for security holes. * |
| 83 | + * * |
| 84 | + * Source code also allows you to port DRAKVUF to new platforms, fix bugs, * |
| 85 | + * and add new features. You are highly encouraged to submit your changes * |
| 86 | + * on https://github.com/tklengyel/drakvuf, or by other methods. * |
| 87 | + * By sending these changes, it is understood (unless you specify * |
| 88 | + * otherwise) that you are offering unlimited, non-exclusive right to * |
| 89 | + * reuse, modify, and relicense the code. DRAKVUF will always be * |
| 90 | + * available Open Source, but this is important because the inability to * |
| 91 | + * relicense code has caused devastating problems for other Free Software * |
| 92 | + * projects (such as KDE and NASM). * |
| 93 | + * To specify special license conditions of your contributions, just say * |
| 94 | + * so when you send them. * |
| 95 | + * * |
| 96 | + * This program is distributed in the hope that it will be useful, but * |
| 97 | + * WITHOUT ANY WARRANTY; without even the implied warranty of * |
| 98 | + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the DRAKVUF * |
| 99 | + * license file for more details (it's in a COPYING file included with * |
| 100 | + * DRAKVUF, and also available from * |
| 101 | + * https://github.com/tklengyel/drakvuf/COPYING) * |
| 102 | + * * |
| 103 | + ***************************************************************************/ |
| 104 | + |
| 105 | + |
| 106 | +#include "linux.h" |
| 107 | + |
| 108 | +using namespace syscalls_ns; |
| 109 | + |
| 110 | +namespace syscalls_ns |
| 111 | +{ |
| 112 | + |
| 113 | +static void parse_linux_char_ptr( |
| 114 | + void* base_ptr, |
| 115 | + void* original_args_ptr, |
| 116 | + void* extra_args_ptr, |
| 117 | + const syscall_t* sc, |
| 118 | + const arg_t& arg, |
| 119 | + void* info_ptr, |
| 120 | + uint64_t value, |
| 121 | + const void* all_args_ptr) |
| 122 | +{ |
| 123 | + if (value == 0) return; |
| 124 | + |
| 125 | + auto* base = static_cast<syscalls_base*>(base_ptr); |
| 126 | + auto& original_args = *static_cast<syscalls_base::fmt_args_t*>(original_args_ptr); |
| 127 | + auto* info = static_cast<drakvuf_trap_info_t*>(info_ptr); |
| 128 | + |
| 129 | + char* cstr = drakvuf_read_ascii_str(base->drakvuf, info, value); |
| 130 | + if (cstr) |
| 131 | + { |
| 132 | + syscalls_base::find_replace_arg(original_args, std::string(arg.name), fmt::Estr(std::string(cstr))); |
| 133 | + g_free(cstr); |
| 134 | + } |
| 135 | +} |
| 136 | + |
| 137 | +static void parse_linux_prot_flags( |
| 138 | + void* base_ptr, |
| 139 | + void* original_args_ptr, |
| 140 | + void* extra_args_ptr, |
| 141 | + const syscall_t* sc, |
| 142 | + const arg_t& arg, |
| 143 | + void* info_ptr, |
| 144 | + uint64_t value, |
| 145 | + const void* all_args_ptr) |
| 146 | +{ |
| 147 | + auto* base = static_cast<syscalls_base*>(base_ptr); |
| 148 | + auto& original_args = *static_cast<syscalls_base::fmt_args_t*>(original_args_ptr); |
| 149 | + |
| 150 | + linux_syscalls* linux_base = dynamic_cast<linux_syscalls*>(base); |
| 151 | + if (!linux_base) return; |
| 152 | + |
| 153 | + if (value == 0) |
| 154 | + { |
| 155 | + syscalls_base::find_replace_arg(original_args, std::string(arg.name), fmt::Qstr("PROT_NONE")); |
| 156 | + } |
| 157 | + else |
| 158 | + { |
| 159 | + syscalls_base::find_replace_arg(original_args, std::string(arg.name), |
| 160 | + fmt::Qstr(parse_flags(value, mmap_prot, linux_base->m_output_format))); |
| 161 | + } |
| 162 | +} |
| 163 | + |
| 164 | +static void parse_linux_prctl_option( |
| 165 | + void* base_ptr, |
| 166 | + void* original_args_ptr, |
| 167 | + void* extra_args_ptr, |
| 168 | + const syscall_t* sc, |
| 169 | + const arg_t& arg, |
| 170 | + void* info_ptr, |
| 171 | + uint64_t value, |
| 172 | + const void* all_args_ptr) |
| 173 | +{ |
| 174 | + auto& original_args = *static_cast<syscalls_base::fmt_args_t*>(original_args_ptr); |
| 175 | + |
| 176 | + if (prctl_option.find(value) != prctl_option.end()) |
| 177 | + { |
| 178 | + syscalls_base::find_replace_arg(original_args, std::string(arg.name), fmt::Qstr(prctl_option.at(value))); |
| 179 | + } |
| 180 | +} |
| 181 | + |
| 182 | +static void parse_linux_arch_prctl_code( |
| 183 | + void* base_ptr, |
| 184 | + void* original_args_ptr, |
| 185 | + void* extra_args_ptr, |
| 186 | + const syscall_t* sc, |
| 187 | + const arg_t& arg, |
| 188 | + void* info_ptr, |
| 189 | + uint64_t value, |
| 190 | + const void* all_args_ptr) |
| 191 | +{ |
| 192 | + auto& original_args = *static_cast<syscalls_base::fmt_args_t*>(original_args_ptr); |
| 193 | + |
| 194 | + if (arch_prctl_code.find(value) != arch_prctl_code.end()) |
| 195 | + { |
| 196 | + syscalls_base::find_replace_arg(original_args, std::string(arg.name), fmt::Qstr(arch_prctl_code.at(value))); |
| 197 | + } |
| 198 | +} |
| 199 | + |
| 200 | +static void register_parsers_for_table(const syscall_t** syscalls, unsigned int count) |
| 201 | +{ |
| 202 | + for (unsigned int i = 0; i < count; i++) |
| 203 | + { |
| 204 | + const syscall_t* sc = syscalls[i]; |
| 205 | + if (!sc) continue; |
| 206 | + |
| 207 | + arg_t* args = const_cast<arg_t*>(sc->args); |
| 208 | + |
| 209 | + for (unsigned int j = 0; j < sc->num_args; j++) |
| 210 | + { |
| 211 | + // Type-based parsers |
| 212 | + if (!args[j].parser) |
| 213 | + { |
| 214 | + switch (args[j].type) |
| 215 | + { |
| 216 | + case linux_char_ptr: |
| 217 | + args[j].parser = parse_linux_char_ptr; |
| 218 | + break; |
| 219 | + case linux_intmask_prot_: |
| 220 | + args[j].parser = parse_linux_prot_flags; |
| 221 | + break; |
| 222 | + case linux_intopt_pr_: |
| 223 | + args[j].parser = parse_linux_prctl_option; |
| 224 | + break; |
| 225 | + case linux_intopt_arch_: |
| 226 | + args[j].parser = parse_linux_arch_prctl_code; |
| 227 | + break; |
| 228 | + default: |
| 229 | + break; |
| 230 | + } |
| 231 | + } |
| 232 | + } |
| 233 | + } |
| 234 | +} |
| 235 | + |
| 236 | +} // namespace syscalls_ns |
| 237 | + |
| 238 | +void linux_syscalls::register_parsers() |
| 239 | +{ |
| 240 | + register_parsers_for_table(linuxsc::linux_syscalls_table_x32, NUM_SYSCALLS_LINUX_X32); |
| 241 | + register_parsers_for_table(linuxsc::linux_syscalls_table_x64, NUM_SYSCALLS_LINUX_X64); |
| 242 | +} |
0 commit comments