/*
* Copyright (C) 2009-2024 Ole André Vadla Ravnås <[email protected]>
* Copyright (C) 2010 Karl Trygve Kalleberg <[email protected]>
* Copyright (C) 2023 Håvard Sørbø <[email protected]>
*
* Licence: wxWindows Library Licence, Version 3.1
*/
#ifndef __GUM_STALKER_H__
#define __GUM_STALKER_H__
#include <capstone.h>
#include <gum/arch-x86/gumx86writer.h>
#include <gum/arch-arm/gumarmwriter.h>
#include <gum/arch-arm/gumthumbwriter.h>
#include <gum/arch-arm64/gumarm64writer.h>
#include <gum/arch-mips/gummipswriter.h>
#include <gum/gumdefs.h>
#include <gum/gumeventsink.h>
#include <gum/gumprocess.h>
G_BEGIN_DECLS
/*
 * GObject type plumbing for the Stalker engine and its collaborators.
 *
 * GumStalker itself is a final type. GumStalkerTransformer and
 * GumStalkerObserver are interfaces whose vtables are laid out further down
 * in this header (inside the !GUM_DIET section); the two concrete transformer
 * types declared here are final as well.
 */

/* The tracing engine. Instances are created with gum_stalker_new(). */
#define GUM_TYPE_STALKER (gum_stalker_get_type ())
GUM_DECLARE_FINAL_TYPE (GumStalker, gum_stalker, GUM, STALKER, GObject)

/*
 * Transformer interface: its single method, transform_block, receives a
 * GumStalkerIterator and a GumStalkerOutput (see the vtable below).
 */
#define GUM_TYPE_STALKER_TRANSFORMER (gum_stalker_transformer_get_type ())
GUM_DECLARE_INTERFACE (GumStalkerTransformer, gum_stalker_transformer, GUM,
    STALKER_TRANSFORMER, GObject)

/* Built-in transformer, obtained via gum_stalker_transformer_make_default(). */
#define GUM_TYPE_DEFAULT_STALKER_TRANSFORMER \
    (gum_default_stalker_transformer_get_type ())
GUM_DECLARE_FINAL_TYPE (GumDefaultStalkerTransformer,
                        gum_default_stalker_transformer,
                        GUM, DEFAULT_STALKER_TRANSFORMER,
                        GObject)

/*
 * Transformer that delegates to a user-supplied GumStalkerTransformerCallback,
 * obtained via gum_stalker_transformer_make_from_callback().
 */
#define GUM_TYPE_CALLBACK_STALKER_TRANSFORMER \
    (gum_callback_stalker_transformer_get_type ())
GUM_DECLARE_FINAL_TYPE (GumCallbackStalkerTransformer,
                        gum_callback_stalker_transformer,
                        GUM, CALLBACK_STALKER_TRANSFORMER,
                        GObject)

/*
 * Observer interface: a set of counter hooks plus backpatch and
 * control-flow-switch notifications, installed with gum_stalker_set_observer().
 */
#define GUM_TYPE_STALKER_OBSERVER (gum_stalker_observer_get_type ())
GUM_DECLARE_INTERFACE (GumStalkerObserver, gum_stalker_observer, GUM,
    STALKER_OBSERVER, GObject)
/*
 * Opaque handles. GumStalkerIterator, GumBackpatch and
 * GumBackpatchInstruction are only forward-declared here; GumStalkerOutput
 * is defined later in this header.
 */
typedef struct _GumStalkerIterator GumStalkerIterator;
typedef struct _GumStalkerOutput GumStalkerOutput;
typedef struct _GumBackpatch GumBackpatch;
typedef struct _GumBackpatchInstruction GumBackpatchInstruction;

/* Observer counter hook: takes nothing but the observer instance. */
typedef void (* GumStalkerIncrementFunc) (GumStalkerObserver * self);

/*
 * Observer hook reporting a backpatch. The backpatch is passed read-only
 * together with its size in bytes.
 */
typedef void (* GumStalkerNotifyBackpatchFunc) (GumStalkerObserver * self,
    const GumBackpatch * backpatch, gsize size);

/*
 * Observer hook for a control-flow switch. Note that `target` is passed by
 * address (gpointer *), unlike the other three addresses: an observer can
 * presumably overwrite *target to redirect where execution continues —
 * confirm against the implementation. Any observer that does so is
 * effectively choosing the next code to run and must validate the new value
 * with the same care as any other indirect-branch target.
 */
typedef void (* GumStalkerSwitchCallbackFunc) (GumStalkerObserver * self,
    gpointer from_address, gpointer start_address, gpointer from_insn,
    gpointer * target);

/* Union of per-architecture code writers; defined below. */
typedef union _GumStalkerWriter GumStalkerWriter;

/*
 * Transformer callback: invoked with the iterator over the block's
 * instructions and the output writer. `user_data` is the pointer handed to
 * gum_stalker_transformer_make_from_callback().
 */
typedef void (* GumStalkerTransformerCallback) (GumStalkerIterator * iterator,
    GumStalkerOutput * output, gpointer user_data);

/*
 * Callout inserted by gum_stalker_iterator_put_callout(). The CPU context
 * is NOT const here (contrast GumStalkerRunOnThreadFunc below), so a callout
 * is able to modify the instrumented thread's register state.
 */
typedef void (* GumStalkerCallout) (GumCpuContext * cpu_context,
    gpointer user_data);

/* Handle returned by gum_stalker_add_call_probe(); a plain guint. */
typedef guint GumProbeId;

/* Per-call details delivered to a call probe; defined below. */
typedef struct _GumCallDetails GumCallDetails;

/* Call probe callback; `user_data` is the `data` passed at registration. */
typedef void (* GumCallProbeCallback) (GumCallDetails * details,
    gpointer user_data);

/*
 * Function run on a followed thread via gum_stalker_run_on_thread(); the
 * context is read-only, unlike the one handed to a GumStalkerCallout.
 */
typedef void (* GumStalkerRunOnThreadFunc) (const GumCpuContext * cpu_context,
    gpointer user_data);
#ifndef GUM_DIET
/*
 * Vtable of the GumStalkerTransformer interface (compiled only when GUM_DIET
 * is not defined, per the surrounding #ifndef).
 *
 * transform_block is the only slot: it is called with an iterator over the
 * instructions of a code block and the output writer. Implementations are
 * what decide which instructions are kept (gum_stalker_iterator_keep) and
 * what extra code, if any, is emitted. The slot layout is ABI for
 * out-of-tree implementors.
 */
struct _GumStalkerTransformerInterface
{
  GTypeInterface parent;

  void (* transform_block) (GumStalkerTransformer * self,
      GumStalkerIterator * iterator, GumStalkerOutput * output);
};
/*
 * Vtable of the GumStalkerObserver interface (compiled only when GUM_DIET is
 * not defined, per the surrounding #ifndef).
 *
 * Most slots are counters keyed by the kind of control-flow transfer the
 * engine just handled; the per-slot comments record which backend fires
 * them. The last two slots carry data: notify_backpatch reports a backpatch
 * and its size, and switch_callback receives the switch addresses together
 * with a writable `target` pointer (see GumStalkerSwitchCallbackFunc).
 *
 * The order of these slots is ABI: an observer compiled against an older
 * header that adds, removes or reorders a slot will have its function
 * pointers called for the wrong event. Append-only when extending.
 */
struct _GumStalkerObserverInterface
{
  GTypeInterface parent;

  /* Common to all backends */
  GumStalkerIncrementFunc increment_total;
  GumStalkerIncrementFunc increment_call_imm;
  GumStalkerIncrementFunc increment_call_reg;

  /* x86 only */
  GumStalkerIncrementFunc increment_call_mem;

  /* Arm64 only */
  GumStalkerIncrementFunc increment_excluded_call_reg;

  /* x86 only */
  GumStalkerIncrementFunc increment_ret_slow_path;

  /* Arm64 only */
  GumStalkerIncrementFunc increment_ret;

  /* Common to all backends */
  GumStalkerIncrementFunc increment_post_call_invoke;
  GumStalkerIncrementFunc increment_excluded_call_imm;

  /* Common to all backends */
  GumStalkerIncrementFunc increment_jmp_imm;
  GumStalkerIncrementFunc increment_jmp_reg;

  /* x86 only */
  GumStalkerIncrementFunc increment_jmp_mem;
  GumStalkerIncrementFunc increment_jmp_cond_imm;
  GumStalkerIncrementFunc increment_jmp_cond_mem;
  GumStalkerIncrementFunc increment_jmp_cond_reg;
  GumStalkerIncrementFunc increment_jmp_cond_jcxz;

  /* Arm64 only */
  GumStalkerIncrementFunc increment_jmp_cond_cc;
  GumStalkerIncrementFunc increment_jmp_cond_cbz;
  GumStalkerIncrementFunc increment_jmp_cond_cbnz;
  GumStalkerIncrementFunc increment_jmp_cond_tbz;
  GumStalkerIncrementFunc increment_jmp_cond_tbnz;

  /* Common to all backends */
  GumStalkerIncrementFunc increment_jmp_continuation;

  /* x86 only */
  GumStalkerIncrementFunc increment_sysenter_slow_path;

  /* Data-carrying notifications; see the typedefs above. */
  GumStalkerNotifyBackpatchFunc notify_backpatch;
  GumStalkerSwitchCallbackFunc switch_callback;
};
#endif
/*
 * One pointer, several typed views: every member overlays the same storage,
 * so `instance` is the untyped handle and the other members are the
 * per-architecture code writers.
 *
 * The union does not record which member is live. The GumStalkerOutput that
 * carries it also carries a GumInstructionEncoding, which presumably is what
 * selects the valid view — confirm with the backend. Reading a member that
 * does not match the active backend is a type confusion the compiler cannot
 * catch, so transformers should check the encoding before touching a
 * writer.
 */
union _GumStalkerWriter
{
  gpointer instance;
  GumX86Writer * x86;
  GumArmWriter * arm;
  GumThumbWriter * thumb;
  GumArm64Writer * arm64;
  GumMipsWriter * mips;
};
/*
 * Output handed to a transformer: the code writer for the current block and
 * the instruction encoding being emitted. `writer` is a union of
 * per-architecture writer pointers; `encoding` presumably identifies which
 * union member is valid (e.g. ARM vs Thumb on 32-bit ARM) — confirm with the
 * backend before relying on it.
 */
struct _GumStalkerOutput
{
  GumStalkerWriter writer;
  GumInstructionEncoding encoding;
};
/*
 * Details delivered to a GumCallProbeCallback for one intercepted call.
 *
 * target_address / return_address: the callee and the address the call
 * will return to. stack_data: a raw pointer whose layout is not defined in
 * this header — presumably the caller's stack at the point of the call;
 * bound any read through it and do not trust its contents (TODO confirm).
 * cpu_context: the register state, passed non-const, so a probe can alter
 * it.
 */
struct _GumCallDetails
{
  gpointer target_address;
  gpointer return_address;
  gpointer stack_data;
  GumCpuContext * cpu_context;
};
/* Whether the Stalker engine is available on this platform/architecture. */
GUM_API gboolean gum_stalker_is_supported (void);

/*
 * Opt in to unwind support. The name marks it experimental; nothing in this
 * header states what it changes, so treat it as a global switch to be
 * enabled deliberately and early.
 */
GUM_API void gum_stalker_activate_experimental_unwind_support (void);

/* Create a new Stalker instance (a GObject; release with g_object_unref). */
GUM_API GumStalker * gum_stalker_new (void);

/*
 * Mark a memory range as excluded. Code in excluded ranges is, by
 * definition, not stalked, which makes every exclusion a blind spot for
 * tracing, coverage or detection built on top of Stalker — exclude only
 * ranges you have a specific reason to skip.
 */
GUM_API void gum_stalker_exclude (GumStalker * self,
    const GumMemoryRange * range);

/*
 * Trust threshold accessors. The value is a signed int and its meaning is
 * not defined in this header; NOTE(review): confirm the accepted range
 * (including negative values) against the implementation before exposing
 * it to untrusted configuration.
 */
GUM_API gint gum_stalker_get_trust_threshold (GumStalker * self);
GUM_API void gum_stalker_set_trust_threshold (GumStalker * self,
    gint trust_threshold);

/* Flush pending work; stop the engine; reclaim unused resources. */
GUM_API void gum_stalker_flush (GumStalker * self);
GUM_API void gum_stalker_stop (GumStalker * self);
GUM_API gboolean gum_stalker_garbage_collect (GumStalker * self);

/*
 * Start / stop stalking the calling thread. `transformer` decides how each
 * block is rewritten and `sink` receives events; whether either may be NULL
 * is not stated here.
 */
GUM_API void gum_stalker_follow_me (GumStalker * self,
    GumStalkerTransformer * transformer, GumEventSink * sink);
GUM_API void gum_stalker_unfollow_me (GumStalker * self);
GUM_API gboolean gum_stalker_is_following_me (GumStalker * self);

/* Same as the *_me variants, but for an arbitrary thread identified by id. */
GUM_API void gum_stalker_follow (GumStalker * self, GumThreadId thread_id,
    GumStalkerTransformer * transformer, GumEventSink * sink);
GUM_API void gum_stalker_unfollow (GumStalker * self, GumThreadId thread_id);

/* Activate / deactivate stalking relative to `target` (semantics per docs). */
GUM_API void gum_stalker_activate (GumStalker * self, gconstpointer target);
GUM_API void gum_stalker_deactivate (GumStalker * self);

/*
 * Install an observer (see GumStalkerObserverInterface). Its switch_callback
 * slot can presumably rewrite branch targets, so the observer object should
 * be trusted code.
 */
GUM_API void gum_stalker_set_observer (GumStalker * self,
    GumStalkerObserver * observer);

/*
 * Warm-up helpers: prefetch code at `address` (the meaning of
 * `recycle_count` is not defined here), replay a backpatch previously
 * reported to an observer, or force recompilation of the block at `address`.
 */
GUM_API void gum_stalker_prefetch (GumStalker * self, gconstpointer address,
    gint recycle_count);
GUM_API void gum_stalker_prefetch_backpatch (GumStalker * self,
    const GumBackpatch * notification);
GUM_API void gum_stalker_recompile (GumStalker * self, gconstpointer address);

/* Accessors for the source and destination addresses of a backpatch. */
GUM_API gpointer gum_stalker_backpatch_get_from (
    const GumBackpatch * backpatch);
GUM_API gpointer gum_stalker_backpatch_get_to (
    const GumBackpatch * backpatch);

/*
 * Invalidate translated code for `address`, globally or for one thread.
 * Needed after the original code at that address has been modified, or the
 * engine may keep running a stale translation.
 */
GUM_API void gum_stalker_invalidate (GumStalker * self, gconstpointer address);
GUM_API void gum_stalker_invalidate_for_thread (GumStalker * self,
    GumThreadId thread_id, gconstpointer address);

/*
 * Register a probe fired on calls to `target_address`. `data` is passed to
 * the callback; `notify` is a GDestroyNotify for it, presumably invoked when
 * the probe is removed (confirm) — the caller must not free `data` itself
 * before then. Returns a handle for gum_stalker_remove_call_probe().
 */
GUM_API GumProbeId gum_stalker_add_call_probe (GumStalker * self,
    gpointer target_address, GumCallProbeCallback callback, gpointer data,
    GDestroyNotify notify);
GUM_API void gum_stalker_remove_call_probe (GumStalker * self,
    GumProbeId id);

/*
 * Run `func` on a followed thread. The async variant takes a destroy
 * notifier for `data`; the _sync variant does not, so the caller retains
 * ownership of `data` there. Both return a gboolean whose FALSE case is not
 * documented here — check it.
 */
GUM_API gboolean gum_stalker_run_on_thread (GumStalker * self,
    GumThreadId thread_id, GumStalkerRunOnThreadFunc func, gpointer data,
    GDestroyNotify data_destroy);
GUM_API gboolean gum_stalker_run_on_thread_sync (GumStalker * self,
    GumThreadId thread_id, GumStalkerRunOnThreadFunc func, gpointer data);

/* Transformer constructors: the built-in one, or one wrapping a callback. */
GUM_API GumStalkerTransformer * gum_stalker_transformer_make_default (void);
GUM_API GumStalkerTransformer * gum_stalker_transformer_make_from_callback (
    GumStalkerTransformerCallback callback, gpointer data,
    GDestroyNotify data_destroy);

/* Invoke the transformer's transform_block vfunc. */
GUM_API void gum_stalker_transformer_transform_block (
    GumStalkerTransformer * self, GumStalkerIterator * iterator,
    GumStalkerOutput * output);

/*
 * Iterator API used inside transform_block.
 *
 * next() stores the next decoded Capstone instruction through `insn` and
 * returns a gboolean (presumably FALSE once the block is exhausted — confirm).
 * keep() emits the current instruction unchanged; a transformer that never
 * calls it drops the instruction. put_callout() inserts a call to `callout`
 * with a writable CPU context (see GumStalkerCallout); `data_destroy`
 * releases `data`. put_chaining_return() emits the block's return sequence.
 * get_capstone() exposes the iterator's Capstone handle; the handle is owned
 * by the iterator and callers should not cs_close() it (confirm).
 */
GUM_API gboolean gum_stalker_iterator_next (GumStalkerIterator * self,
    const cs_insn ** insn);
GUM_API void gum_stalker_iterator_keep (GumStalkerIterator * self);
GUM_API GumMemoryAccess gum_stalker_iterator_get_memory_access (
    GumStalkerIterator * self);
GUM_API void gum_stalker_iterator_put_callout (GumStalkerIterator * self,
    GumStalkerCallout callout, gpointer data, GDestroyNotify data_destroy);
GUM_API void gum_stalker_iterator_put_chaining_return (
    GumStalkerIterator * self);
GUM_API csh gum_stalker_iterator_get_capstone (GumStalkerIterator * self);
/*
 * Declares gum_stalker_observer_increment_<name> (GumStalkerObserver *),
 * the public wrapper that dispatches to the matching increment_<name> slot
 * of GumStalkerObserverInterface. One declaration per vtable counter
 * follows; keep this list and the vtable in sync.
 */
#define GUM_DECLARE_OBSERVER_INCREMENT(name) \
    GUM_API void gum_stalker_observer_increment_##name ( \
        GumStalkerObserver * observer);

GUM_DECLARE_OBSERVER_INCREMENT (total)
GUM_DECLARE_OBSERVER_INCREMENT (call_imm)
GUM_DECLARE_OBSERVER_INCREMENT (call_reg)
GUM_DECLARE_OBSERVER_INCREMENT (call_mem)
GUM_DECLARE_OBSERVER_INCREMENT (excluded_call_reg)
GUM_DECLARE_OBSERVER_INCREMENT (ret_slow_path)
GUM_DECLARE_OBSERVER_INCREMENT (ret)
GUM_DECLARE_OBSERVER_INCREMENT (post_call_invoke)
GUM_DECLARE_OBSERVER_INCREMENT (excluded_call_imm)
GUM_DECLARE_OBSERVER_INCREMENT (jmp_imm)
GUM_DECLARE_OBSERVER_INCREMENT (jmp_reg)
GUM_DECLARE_OBSERVER_INCREMENT (jmp_mem)
GUM_DECLARE_OBSERVER_INCREMENT (jmp_cond_imm)
GUM_DECLARE_OBSERVER_INCREMENT (jmp_cond_mem)
GUM_DECLARE_OBSERVER_INCREMENT (jmp_cond_reg)
GUM_DECLARE_OBSERVER_INCREMENT (jmp_cond_jcxz)
GUM_DECLARE_OBSERVER_INCREMENT (jmp_cond_cc)
GUM_DECLARE_OBSERVER_INCREMENT (jmp_cond_cbz)
GUM_DECLARE_OBSERVER_INCREMENT (jmp_cond_cbnz)
GUM_DECLARE_OBSERVER_INCREMENT (jmp_cond_tbz)
GUM_DECLARE_OBSERVER_INCREMENT (jmp_cond_tbnz)
GUM_DECLARE_OBSERVER_INCREMENT (jmp_continuation)
GUM_DECLARE_OBSERVER_INCREMENT (sysenter_slow_path)

/* Dispatches to the observer's notify_backpatch slot. */
GUM_API void gum_stalker_observer_notify_backpatch (
    GumStalkerObserver * observer, const GumBackpatch * backpatch, gsize size);

/*
 * Dispatches to the observer's switch_callback slot. `target` is an in/out
 * pointer: the observer may presumably write a replacement branch target
 * through it (confirm with the implementation), so callers should treat the
 * value as possibly changed on return.
 */
GUM_API void gum_stalker_observer_switch_callback (
    GumStalkerObserver * observer, gpointer from_address,
    gpointer start_address, gpointer from_insn, gpointer * target);
G_END_DECLS
#endif