libinject/

lib.rs

//! # Libinject
//! A static library crate which is linked with inject.dll and winafl.dll. Note that libinject can
//! only be compiled for a Windows target.
//!
//! Contains:
//!
//! - Rust bindings for the DynamoRIO C library (auto-generated from the C bindings using rust-bindgen).
//! - A CLI interface for initiating DynamoRIO runs along a given trajectory of the Network Event Tree (NET).
//! - Instrumentation to interpose on network API calls, using the parsed trajectory to decide how to respond to each network event (e.g. whether to accept or reject a connect call, and what responses to provide to a given request).
//! - Instrumentation to collect additional, fine-grained coverage information when fuzzing.

pub mod cli;
pub mod cmp;
pub mod connections;
pub mod drcore;
pub mod drwrap;
pub mod ffi;
pub mod fuzzer;
pub mod instrument;
pub mod network;
pub mod pipe;
pub mod socket;
pub mod trajectory;
pub mod utils;
pub mod wrappers;

use drcore::{get_proc_address, log, utf8_name_of_module};
use enum_iterator::all;
use ffi::{app_pc, module_data_t};
use navigator::pipe_event::PipeEvent;
use std::ffi::CStr;
use std::os::raw::{c_char, c_void};
use std::panic;
use std::sync::{LazyLock, Mutex};
use utils::Boolean;

static MOD_BASE_ADDR: LazyLock<Mutex<Option<usize>>> = LazyLock::new(|| Mutex::new(None));
static MOD_SIZE: LazyLock<Mutex<Option<usize>>> = LazyLock::new(|| Mutex::new(None));

unsafe extern "C" {
    pub static tls_idx: ::std::os::raw::c_int;
}

#[unsafe(no_mangle)]
pub extern "C" fn libinject_init(id: ffi::client_id_t) {
    // Override the panic hook to log the DynamoRio logger when a panic occurs.
    panic::set_hook(Box::new(|panic_info| {
        log(&format!("panic occurred: {panic_info}"));
    }));

    // Parse the cli args.
    let args = unsafe { cli::parse(id) };
    log(&format!("CLI args parsed as:\n {:?}", args));

    // Initialise the trajectory module with the run config containing
    // the serialised graph trajectory for this run.
    if let Some(trajectory) = args.trajectory {
        trajectory::init(trajectory);
    } else if let Some(trajectory) = args.trajectory_file {
        trajectory::init(trajectory);
    }
    // Initialise the pipe back to the parent process.
    pipe::init(args.pipe);
}

#[unsafe(no_mangle)]
pub extern "C" fn libinject_exit() {
    network::dump(network::DumpFormat::CSV)
        .expect("Failed to dump traffic captured on the spoofed network");
}

#[unsafe(no_mangle)]
pub extern "C" fn libinject_warn(msg: *const c_char) {
    unsafe {
        if msg.is_null() {
            pipe::send(&PipeEvent::Warning("Warning msg ptr is null!".to_string()));
        } else {
            if let Ok(s) = CStr::from_ptr(msg).to_str() {
                pipe::send(&PipeEvent::Warning(s.to_string()));
            } else {
                pipe::send(&PipeEvent::Warning(
                    "Warning msg is an invalid UTF-8 string!".to_string(),
                ));
            }
        }
    }
}

/// Called by DynamoRio when each C module is loaded.
/// Each .dll will be a module, and the main binary itself will be comprised of one or more
/// modules.
#[unsafe(no_mangle)]
pub extern "C" fn module_load_event(
    _drctx: *mut c_void,
    module_ptr: *const module_data_t,
    _loaded: bool,
) {
    let module;
    unsafe {
        module = *module_ptr;
    }
    let mod_name = match utf8_name_of_module(module) {
        Ok(name) => name,
        Err(utf8_name_error) => {
            log(&format!(
                "[module load] failed to read the module name: {:?}",
                utf8_name_error
            ));
            return;
        }
    };
    log(&format!("[module load] loading {mod_name}"));

    let target_mod_name = cli::get_args()
        .expect(
            "Args parsed in libinject_init, which will have been called before module_load_event",
        )
        .target_module
        .to_lowercase();

    if &mod_name.to_lowercase() == &target_mod_name {
        let (mod_base_addr, mod_end, internal_size);
        unsafe {
            mod_base_addr = module.__bindgen_anon_1.start as app_pc;
            mod_end = module.end as app_pc;
            internal_size = module.module_internal_size as usize;
        }
        let computed_size =
            internal_size.max((mod_end as usize).saturating_sub(mod_base_addr as usize));
        log(&format!(
            "[module load] TARGET_MODULE ({}) base=0x{:X} end=0x{:X} size=0x{:X}",
            target_mod_name, mod_base_addr as usize, mod_end as usize, computed_size
        ));
        {
            let mut base_lock = MOD_BASE_ADDR
                .lock()
                .expect("can't get lock on MOD_BASE_ADDR");
            *base_lock = Some(mod_base_addr as usize);
        }
        {
            let mut size_lock = MOD_SIZE.lock().expect("can't get lock on MOD_SIZE");
            *size_lock = Some(computed_size);
        }
    }

    if module.entry_point.is_null() {
        log(
            "[module load] module entry point is a null pointer, will not search for proc_addresses.",
        );
        return;
    };

    // Only hook functions in ws2_32.dll to avoid additionally hooking re-exported versions of
    // the functinos in other modules.
    if &mod_name.to_lowercase() == "ws2_32.dll" {
        let mod_base_addr = module.entry_point as app_pc;
        unsafe {
            wrap_network_symbols(mod_base_addr, "ws2_32.dll");
        }
    };
    return;
}

/// Helper function to wrap the network symbols defined (with  wrapper functions) in the
/// `wrappers` module.
unsafe fn wrap_network_symbols(mod_base_addr: app_pc, mod_name: &str) {
    unsafe {
        all::<wrappers::Symbols>().for_each(|symbol| {
            if let Some(addr) = get_proc_address(mod_base_addr, symbol.to_str()) {
                match ffi::drwrap_wrap(addr as *mut u8, Some(symbol.pre_fn()), symbol.post_fn())
                    .as_bool()
                {
                    true => {
                        log(&format!(
                            "[module load] wrapped {} in module {mod_name} @ 0x{:?}",
                            symbol.to_str(),
                            addr
                        ));
                    }
                    false => log(&format!(
                        "[module load] failed to wrap {} in module {mod_name} @ 0x{:?}",
                        symbol.to_str(),
                        addr
                    )),
                }
            };
        });
    }
}

#[unsafe(no_mangle)]
pub unsafe extern "C" fn wrap_network_symbols_extern(
    mod_base_addr: app_pc,
    module_name: *const c_char,
) {
    unsafe {
        if module_name.is_null() {
            log("[wrap_network_symbols_extern] module_name is a null pointer!");
            return;
        }

        let module_name_str = match CStr::from_ptr(module_name).to_str() {
            Ok(s) => s,
            Err(_) => return,
        };
        wrap_network_symbols(mod_base_addr, module_name_str);
    }
}

#[unsafe(no_mangle)]
pub unsafe extern "C" fn event_thread_init(drcontext: *mut c_void) {
    log("[event_thread_init] new thread!");
    let stack = Box::new(instrument::RawCallStack::new());

    unsafe {
        // Convert to raw pointer and store in TLS
        ffi::drmgr_set_tls_field(drcontext, tls_idx, Box::into_raw(stack) as *mut c_void);
    }
}

#[unsafe(no_mangle)]
pub unsafe extern "C" fn event_thread_exit(drcontext: *mut c_void) {
    unsafe {
        let ptr = ffi::drmgr_get_tls_field(drcontext, tls_idx) as *mut instrument::RawCallStack;
        drop(Box::from_raw(ptr)); // frees memory safely
    }
}