Move mem image to module, output to file for debug

AFLplusplus · Aug 23, 2024 · 17c3ccf · 17c3ccf
1 parent a50bc30
commit 17c3ccf
Show file tree

Hide file tree

Showing 2 changed files with 74 additions and 18 deletions.
diff --git a/libafl_qemu/src/modules/systemmode/intel_pt.rs b/libafl_qemu/src/modules/systemmode/intel_pt.rs
@@ -1,5 +1,7 @@
+use std::{fmt::Debug, fs::OpenOptions, io::Write};
+
 use libafl::{inputs::UsesInput, observers::ObserversTuple, HasMetadata};
-use libafl_qemu_sys::{CPUArchStatePtr, GuestVirtAddr};
+use libafl_qemu_sys::CPUArchStatePtr;
 use libipt::Image;
 
 use crate::{
@@ -8,14 +10,33 @@ use crate::{
     EmulatorModules, NewThreadHook,
 };
 
-#[derive(Debug)]
+//#[derive(Debug)]
 pub struct IntelPTModule {
     pt: Option<IntelPT>,
+    image: Option<Image<'static>>,
+}
+
+impl Debug for IntelPTModule {
+    // TODO image is not debug
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.debug_struct("IntelPTModule")
+            .field("pt", &self.pt)
+            .finish()
+    }
 }
 
 impl IntelPTModule {
     pub fn new() -> Self {
-        Self { pt: None }
+        Self {
+            pt: None,
+            image: None,
+        }
+    }
+}
+
+impl Default for IntelPTModule {
+    fn default() -> Self {
+        Self::new()
     }
 }
 
@@ -39,8 +60,14 @@ where
     }
 
     intel_pt_module.pt = Some(IntelPT::try_new(tid as i32).unwrap());
+    intel_pt_module
+        .pt
+        .as_mut()
+        .unwrap()
+        .enable_tracing()
+        .unwrap();
 
-    // What does this bool mean?
+    // What does this bool mean? ignore for the moment
     true
 }
 
@@ -54,9 +81,21 @@ where
     {
         emulator_modules.thread_creation(NewThreadHook::Function(intel_pt_new_thread::<ET, S>));
         // TODO emulator_modules.thread_teradown
-        // emulator_modules.cpu_runs(
-        //     CpuPostRunHook::Function(...),
-        // );
+    }
+
+    fn pre_exec<ET>(
+        &mut self,
+        emulator_modules: &mut EmulatorModules<ET, S>,
+        _input: &<S as UsesInput>::Input,
+    ) where
+        ET: EmulatorModuleTuple<S>,
+    {
+        if self.image.is_none() {
+            // emulator_modules.qemu()
+            // we need the memory map to decode the traces here take it in prexec. use QemuMemoryChunk
+            // TODO handle self modifying code
+            self.image = Some(Image::new(Some("empty_image")).expect("Failed to create image"));
+        }
     }
 
     fn post_exec<OT, ET>(
@@ -73,17 +112,25 @@ where
             panic!("Intel PT module not initialized.");
         }
 
-        // we need the memory map to decode the traces here
-        // TODO handle self modifying code
-        let mut image = Image::new(Some("empty_image")).expect("Failed to create image");
+        if self.image.is_none() {
+            panic!("Intel PT module: memory image not initialized.");
+        }
+
+        let mut buff = Vec::new();
+        let block_ips = self
+            .pt
+            .as_mut()
+            .unwrap()
+            .decode(&mut self.image.as_mut().unwrap(), Some(&mut buff));
 
-        let block_ips = self.pt.as_mut().unwrap().decode(&mut image, None);
+        let trace_path = "trace.out";
+        let mut file = OpenOptions::new()
+            .append(true)
+            .create(true)
+            .open(trace_path)
+            .expect("Failed to open trace output file");
 
-        // 2. update map
-        for ip in block_ips {
-            // unsafe {
-            //     EDGES_MAP[idx] += 1;
-            // }
-        }
+        file.write_all(&buff).unwrap();
+        println!("Block IPs: {:#x?}", block_ips);
     }
 }
diff --git a/libafl_qemu/src/qemu/systemmode/intel_pt.rs b/libafl_qemu/src/qemu/systemmode/intel_pt.rs
@@ -290,7 +290,7 @@ impl IntelPT {
 
         // official way of knowing if perf_event_open() support is enabled
         // https://man7.org/linux/man-pages/man2/perf_event_open.2.html
-        let perf_event_support_path: &str = "/proc/sys/kernel/perf_event_paranoid";
+        let perf_event_support_path = "/proc/sys/kernel/perf_event_paranoid";
         if !Path::new(perf_event_support_path).exists() {
             reasons.push(format!(
                 "perf_event_open() support is not enabled: {perf_event_support_path} not found"
@@ -580,6 +580,15 @@ mod test {
         ips.sort();
         ips.dedup();
         println!("Intel PT traces unique non kernel block ips: {:#x?}", ips);
+        // TODO: it seems like some userspace traces are not decoded
+        // probably because of smth like this in the traces:
+        // PSB
+        // kernel stuff -> ERROR: not in memory image! sync to next PSB
+        // ...                          |
+        // userspace skipped stuff      |
+        // ...                          |
+        // PSB                      <----
+        // ...
     }
 
     fn dump_trace_to_file(buff: &[u8]) -> Result<(), Error> {