#!/usr/bin/env python3
'''
Test the hypercall interface
'''
from sys import argv
from pandare import Panda
from rich import print
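# Single optional arg: the PANDA generic arch name. Defaults to "arm"
# (an older note said i386, but the code has always fallen back to arm).
arch = "arm" if len(argv) <= 1 else argv[1]
panda = Panda(generic=arch)
# musl target triples the test binary is built for. The guest later fetches
# and runs "simple-<triple>", so `matching` must end up as exactly one of these.
target = [
    "x86_64-unknown-linux-musl",
    "i686-unknown-linux-musl",
    "mips-unknown-linux-musl",
    "mipsel-unknown-linux-musl",
    "arm-unknown-linux-musleabi",
    "aarch64-unknown-linux-musl",
    "mips64-unknown-linux-muslabi64",
    "mips64el-unknown-linux-muslabi64",
]
# First triple whose name contains the arch string wins, so "mips" resolves to
# mips-unknown-linux-musl (the first of the four mips entries) as before.
matching = [i for i in target if arch in i]
# "i386" is the one generic name that does not appear in its triple ("i686").
if not matching and "i386" in arch:
    matching = ["i686-unknown-linux-musl"]
if not matching:
    # Previously an unknown arch fell through with an empty list and the guest
    # tried to fetch "simple-[]"; fail here with a message that names the options.
    raise SystemExit(
        f"no musl target matches arch {arch!r}; known targets: {', '.join(target)}"
    )
matching = matching[0]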
# Host-side setup this script relies on (run on the host, not in the guest):
#   serve files:         python -m http.server 8809
#   collect debug info:  nc -q 0 -l -p 8889 | tar -xv
# "IP_ADDR" is a placeholder: replace it with an address of this host that the
# emulated guest can reach. The guest pulls the test binary from
# host_serve_port over plain HTTP and, when debug is on, streams core dumps
# (which contain guest memory contents) to host_debug_port.
host = "IP_ADDR"
host_serve_port = 8809  # must match the http.server port above
host_debug_port = 8889  # must match the nc listener port above
debug = False  # set True to enable core dumps in the guest and ship them back
@panda.queue_blocking
def run_cmd():
    """Drive the guest: fetch the test binary from the host, run it, then stop.

    Queued as a blocking task; every step is a command sent over the serial
    console with panda.run_serial_cmd, and most outputs are printed so the
    host log shows what the guest saw. Reads the module-level arch, matching,
    debug, host, host_serve_port and host_debug_port settings.
    """
    run = panda.run_serial_cmd

    def show(cmd):
        # Run one guest command and echo its console output.
        print(run(cmd))

    panda.revert_sync("root")
    binary = f"simple-{matching}"
    # The x86_64 guest has no usable network link until dhclient runs.
    if arch == "x86_64":
        show("dhclient")
    # Debug mode: allow core dumps and pin their location (sysctl needs root).
    if debug:
        show("ulimit -c unlimited")
        show("sudo sysctl -w kernel.core_pattern=/tmp/core")
    # The binary arrives over plain HTTP with no integrity check; that is
    # acceptable only because an emulated test guest is pulling a local build.
    show(f"wget http://{host}:{host_serve_port}/{binary}")
    run(f"chmod +x {binary}")  # output intentionally not echoed
    show(f"./{binary}")
    # Debug mode: send the core dump back to the nc listener on the host.
    if debug:
        show(f"tar -cvf - /tmp/core | nc {host} {host_debug_port}")
    panda.end_analysis()
# This is the real test for the system: on a good run the hypercall callback
# below reports an output of 0x1000, the string "Hello, world!", and a
# length of 13.
MAGIC_VAL = 0x31838188  # the callback expects this in arg 0 and in the return slot
ERROR_VAL = 0x12345678  # error marker; not referenced by the code visible in this file
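@panda.cb_guest_hypercall
def hypercall(cpu):
    """Handle a guest hypercall from the simple-<triple> test binary.

    The request is read with the syscall register convention: arg 0 must be
    MAGIC_VAL, arg 1 is a length, arg 2 is a guest pointer to a string; the
    guest is also expected to have placed MAGIC_VAL in the return register.

    Args:
        cpu: the PANDA CPU state handle given to the hypercall callback.

    Returns:
        True when the hypercall was ours (return register set to 0x1000),
        False to leave any other hypercall untouched.
    """
    get_arg = panda.arch.get_arg
    # Read arg 0 once; the original re-read the register just for the log line.
    magic = get_arg(cpu, 0, convention="syscall")
    if magic != MAGIC_VAL:
        if debug:
            print(f"Found hypercall, but value was {hex(magic)}")
        return False
    retval = panda.arch.get_retval(cpu, convention="syscall")
    if retval != MAGIC_VAL:
        # Diagnostic only: keep going so the rest of the request is still shown.
        print(f"ERROR VALUE FAILING {hex(retval)}")
    length = get_arg(cpu, 1, convention="syscall")
    print(f"len {length}")
    # NOTE(review): pointer and length are both guest-supplied; read_str is
    # called without a bound, so `length` is only reported, not enforced.
    # Fine for a test harness driving a known binary - confirm if reused.
    str_ptr = get_arg(cpu, 2, convention="syscall")
    print(f"got output '{panda.read_str(cpu, str_ptr).strip()}'")
    panda.arch.set_retval(cpu, 0x1000, convention="syscall")
    return True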
panda.run()  # start the guest; expected to return after run_cmd calls panda.end_analysis()