Loading...
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 | from xnu import * from utils import * import sys current_KDP_mode = "swhosted" def GetKDPPacketHeaderInt(request=0, is_reply=False, seq=0, length=0, key=0): """ create a 64 bit number that could be saved as pkt_hdr_t params: request:int - 7 bit kdp_req_t request type is_reply:bool - False => request, True => reply seq: int - 8 sequence number within session length: int - 16 bit length of entire pkt including hdr key: int - session key returns: int - 64 bit number to be saved in memory """ retval = request if is_reply: retval = 1<<7 |retval retval = (seq << 8) | retval retval = (length << 16) | retval #retval = (retval << 32) | key retval = (key << 32) | retval return retval def KDPDumpInfo(subcmd, file_name="", dest_ip="", router_ip="", port=0): """ Setup the state for DUMP INFO commands for sending coredump etc """ if "kdp" != GetConnectionProtocol(): print("Target is not connected over kdp. Nothing to do here.") return False input_address = unsigned(addressof(kern.globals.manual_pkt.input)) len_address = unsigned(addressof(kern.globals.manual_pkt.len)) data_address = unsigned(addressof(kern.globals.manual_pkt.data)) if not WriteInt32ToMemoryAddress(0, input_address): return False kdp_pkt_size = GetType('kdp_dumpinfo_req_t').GetByteSize() if not WriteInt32ToMemoryAddress(kdp_pkt_size, len_address): return False data_addr = int(addressof(kern.globals.manual_pkt)) pkt = kern.GetValueFromAddress(data_addr, 'kdp_dumpinfo_req_t *') if len(file_name) > 49: file_name = file_name[:49] if len(dest_ip) > 15: dest_ip = dest_ip[:15] if len(router_ip) > 15: router_ip = router_ip[:15] header_value =GetKDPPacketHeaderInt(request=GetEnumValue('kdp_req_t::KDP_DUMPINFO'), length=kdp_pkt_size) # 0x1f is same as KDP_DUMPINFO if ( WriteInt64ToMemoryAddress((header_value), int(addressof(pkt.hdr))) and WriteInt32ToMemoryAddress(subcmd, int(addressof(pkt.type))) and WriteStringToMemoryAddress(file_name, int(addressof(pkt.name))) and WriteStringToMemoryAddress(dest_ip, int(addressof(pkt.destip))) and WriteStringToMemoryAddress(router_ip, int(addressof(pkt.routerip))) ): #We have saved important data successfully if port > 0: if not WriteInt32ToMemoryAddress(port, int(addressof(pkt.port))): return False if WriteInt32ToMemoryAddress(1, input_address): return True return False @lldb_command('sendcore') def KDPSendCore(cmd_args=None): """ Configure kernel to send a coredump to the specified IP Syntax: sendcore <IP address> [filename] Configure the kernel to transmit a kernel coredump to a server (kdumpd) at the specified IP address. This is useful when the remote target has not been previously configured to transmit coredumps, and you wish to preserve kernel state for later examination. NOTE: You must issue a "continue" command after using this macro to trigger the kernel coredump. The kernel will resume waiting in the debugger after completion of the coredump. You may disable coredumps by executing the "disablecore" macro. You can optionally specify the filename to be used for the generated core file. """ if cmd_args is None or len(cmd_args) == 0: raise ArgumentError() ip_address = cmd_args[0] filename="" if len(cmd_args) >=2: filename = cmd_args[1].strip() retval = KDPDumpInfo(GetEnumValue('kdp_dumpinfo_t::KDP_DUMPINFO_CORE'), file_name=filename, dest_ip=ip_address) if retval: print("Remote system has been setup for coredump. Please detach/continue the system. ") return True else: print("Something went wrong. Failed to setup the coredump on the target.") return False @lldb_command('sendsyslog') def KDPSendSyslog(cmd_args=None): """ Configure kernel to send a system log to the specified IP Syntax: sendsyslog <IP address> [filename] Configure the kernel to transmit a kernel system log to a server (kdumpd) at the specified IP address. NOTE: You must issue a "continue" command after using this macro to trigger the kernel system log. The kernel will resume waiting in the debugger after completion. You can optionally specify the name to be used for the generated system log. """ if cmd_args is None or len(cmd_args) == 0: raise ArgumentError() ip_address = cmd_args[0] filename ="" if len(cmd_args) >=2: filename = cmd_args[1].strip() retval = KDPDumpInfo(GetEnumValue('kdp_dumpinfo_t::KDP_DUMPINFO_SYSTEMLOG'), file_name = filename, dest_ip = ip_address) if retval: print("Remote system has been setup to send system log. please detach/continue the system.") return True else: print("Something went wrong. Failed to setup the systemlog on the target.") return False @lldb_command('sendpaniclog') def KDPSendPaniclog(cmd_args=None): """ Configure kernel to send a panic log to the specified IP Syntax: sendpaniclog <IP address> [filename] Configure the kernel to transmit a kernel paniclog to a server (kdumpd) at the specified IP address. NOTE: You must issue a "continue" command after using this macro to trigger the kernel panic log. The kernel will resume waiting in the debugger after completion. You can optionally specify the name to be used for the generated panic log. """ if cmd_args is None or len(cmd_args) == 0: raise ArgumentError() ip_address = cmd_args[0] filename ="" if len(cmd_args) >=2: filename = cmd_args[1].strip() retval = KDPDumpInfo(GetEnumValue('kdp_dumpinfo_t::KDP_DUMPINFO_PANICLOG'), file_name = filename, dest_ip = ip_address) if retval: print("Remote system has been setup to send panic log. please detach/continue the system.") return True else: print("Something went wrong. Failed to setup the paniclog on the target.") return False @lldb_command('disablecore') def KDPDisableCore(cmd_args=None): """ Configure the kernel to disable coredump transmission Reconfigures the kernel so that it no longer transmits kernel coredumps. This complements the "sendcore" macro, but it may be used if the kernel has been configured to transmit coredumps through boot-args as well. """ retval = KDPDumpInfo(GetEnumValue('kdp_dumpinfo_t::KDP_DUMPINFO_DISABLE')) if retval : print("Disabled coredump functionality on remote system.") else: print("Failed to disable coredump functionality.") return retval @lldb_command('resume_on') def KDPResumeON(cmd_args=None): """ The target system will resume when detaching or exiting from lldb. This is the default behavior. """ subcmd = GetEnumValue('kdp_dumpinfo_t::KDP_DUMPINFO_SETINFO') | GetEnumValue('kdp_dumpinfo_t::KDP_DUMPINFO_RESUME') retval = KDPDumpInfo(subcmd) if retval : print("Target system will resume on detaching from lldb.") else: print("Failed to enable resume functionality.") return retval @lldb_command('resume_off') def KDPResumeOFF(cmd_args=None): """ The target system will not resume when detaching or exiting from lldb. """ subcmd = GetEnumValue('kdp_dumpinfo_t::KDP_DUMPINFO_SETINFO') | GetEnumValue('kdp_dumpinfo_t::KDP_DUMPINFO_NORESUME') retval = KDPDumpInfo(subcmd) if retval : print("Target system will not resume on detaching from lldb.") else: print("Failed to disable resume functionality.") return retval @lldb_command('getdumpinfo') def KDPGetDumpInfo(cmd_args=None): """ Retrieve the current remote dump settings. """ if not KDPDumpInfo(GetEnumValue('kdp_dumpinfo_t::KDP_DUMPINFO_GETINFO')): print("Failed to get dump settings.") return False dumpinfo = Cast(addressof(kern.globals.manual_pkt.data), 'kdp_dumpinfo_reply_t *') target_dump_type = int(dumpinfo.type) if target_dump_type & GetEnumValue('kdp_dumpinfo_t::KDP_DUMPINFO_REBOOT'): print("System will reboot after kernel info gets dumped.") else: print("System will not reboot after kernel info gets dumped.") if target_dump_type & GetEnumValue('kdp_dumpinfo_t::KDP_DUMPINFO_RESUME'): print("System will allow a re-attach after KDP disconnect.") else: print("System will not allow a re-attach after KDP disconnect.") target_dump_type = target_dump_type & GetEnumValue('kdp_dumpinfo_t::KDP_DUMPINFO_MASK') if target_dump_type == GetEnumValue('kdp_dumpinfo_t::KDP_DUMPINFO_DISABLE'): print("Kernel not setup for remote dumps.") else: kern_dump_type = '' if target_dump_type == GetEnumValue('kdp_dumpinfo_t::KDP_DUMPINFO_CORE'): kern_dump_type = "Core File" elif target_dump_type == GetEnumValue('kdp_dumpinfo_t::KDP_DUMPINFO_PANICLOG'): kern_dump_type = "Panic Log" elif target_dump_type == GetEnumValue('kdp_dumpinfo_t::KDP_DUMPINFO_SYSTEMLOG'): kern_dump_type = "System Log" print("Kernel dump type:" + kern_dump_type) fname = "(autogenerated)" if int(dumpinfo.name[0]) != 0: fname = str(dumpinfo.name) print("Filename: " + fname) print("Network Info: {:s} [{:d}] , Router: {:s}".format(dumpinfo.destip, dumpinfo.port, dumpinfo.routerip)) # end of get dump info @lldb_command('kdp-reenter') def KDPReenter(cmd_args=None): """ Schedules reentry into the debugger after <seconds> seconds, and resumes the target. usage: kdp-reenter <seconds> """ if len(cmd_args) < 1: raise ArgumentError("Please provide valid time in seconds") if "kdp" != GetConnectionProtocol(): print("Target is not connected over kdp. Nothing to do here.") return False num_seconds = ArgumentStringToInt(cmd_args[0]) milliseconds_to_sleep = num_seconds * 1000 if WriteInt32ToMemoryAddress(milliseconds_to_sleep, addressof(kern.globals.kdp_reentry_deadline)): lldb.debugger.HandleCommand('process continue') return True print("Failed to setup kdp-reentry.") return False @lldb_command('kdp-reboot') def KDPReboot(cmd_args=None): """ Restart the remote target """ if "kdp" != GetConnectionProtocol(): print("Target is not connected over kdp. Nothing to do here.") return False print("Rebooting the remote machine.") lldb.debugger.HandleCommand('process plugin packet send --command 0x13') lldb.debugger.HandleCommand('detach') return True @lldb_command('setdumpinfo') def KDPSetDumpInfo(cmd_args=None): """ Configure the current remote dump settings. Specify "" if you want to use the defaults (filename) or previously configured settings (ip/router). Specify 0 for the port if you wish to use the previously configured/default setting for that. Syntax: setdumpinfo <filename> <ip> <router> <port> """ if cmd_args is None or len(cmd_args) == 0: raise ArgumentError() if len(cmd_args) < 4: raise ArgumentError("Not enough arguments.") portnum = ArgumentStringToInt(cmd_args[3]) retval = KDPDumpInfo(GetEnumValue('kdp_dumpinfo_t::KDP_DUMPINFO_SETINFO'), cmd_args[0], cmd_args[1], cmd_args[2], portnum) if retval: print("Successfully saved the dumpinfo.") else: print("Failed to save the dumpinfo.") return retval @lldb_command('kdpmode') def KDPMode(cmd_args=None): """ Change KDP mode between software hosted and hardware probe. When lldb is connected to a KDP server backed by a hardware debug tool setting this to 'hwprobe' enables physical memory access. swhosted: LLDB is connected to the target using a serial or socket connection. hwprobe: LLDB is connected to the target using a hardware probe. usage: kdpmode <mode> mode: 'swhosted' or 'hwprobe' """ global current_KDP_mode if cmd_args is None or len(cmd_args) == 0: return current_KDP_mode if len(cmd_args) > 1 or cmd_args[0] not in {'swhosted', 'hwprobe'}: raise ArgumentError() else: current_KDP_mode = cmd_args[0] return |