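#ifndef __POVLIB_H
#define __POVLIB_H
/*
 * NOTE(review): "__POVLIB_H" is a reserved identifier (leading double
 * underscore) per the C standard; it is kept unchanged here because other
 * files may test this guard macro by name.
 */

/*
 * NOTE(review): the targets of the five #include directives below were lost
 * when this page was extracted (the angle-bracketed names were stripped).
 * The prototypes below rely on cgc_size_t and the pcre type, so the original
 * headers providing those must be restored before this header is usable.
 */
#include
#include
#include
#include
#include

/*
 * The following functions are available to POV authors to support
 * POV type negotiations.
 */

/*
 * Result of a successful type 1 negotiation: the bit patterns the POV must
 * make appear in EIP and in the chosen general-purpose register when the
 * target CB crashes (see cgc_type1_negotiate for the exact predicate).
 */
typedef struct type1_vals_ {
    unsigned int ipval;   /* required value of (crash_eip & ipmask) */
    unsigned int regval;  /* required value of (crash_REG & regmask) */
} type1_vals;

/*
 * Result of a successful type 2 negotiation: the memory region the POV
 * must read from and how many bytes of it must be leaked.
 */
typedef struct type2_vals_ {
    unsigned int region_addr;  /* start address of the secret region */
    unsigned int region_size;  /* size of that region in bytes */
    unsigned int read_size;    /* number of bytes the POV must leak from it */
} type2_vals;

/*
 * Negotiate a type 1 pov. Caller specifies an ip bit mask, a register bit mask
 * and a general purpose register number (see the list below).
 *   0 - eax  1 - ecx  2 - edx  3 - ebx  4 - esp  5 - ebp  6 - esi  7 - edi
 *
 * Returns 0 on success. On success, the t1vals structure holds required IP
 * and register values that must be found when the target CB crashes. At the
 * time of the crash the following must hold:
 *   (crash_eip & ipmask) == t1vals->ipval
 *   (crash_REG & regmask) == t1vals->regval
 *
 * Only the bits selected by ipmask/regmask are compared, so the POV must
 * genuinely control at least those bits of EIP and of the chosen register.
 * Whether the negotiator rejects degenerate masks (e.g. 0) is not visible
 * from this header; do not rely on it.
 */
int cgc_type1_negotiate(unsigned int ipmask, unsigned int regmask,
                        unsigned int regnum, type1_vals *t1vals);

/*
 * Negotiate a type 2 pov.
 * Returns 0 on success. On success, the t2vals structure holds the address
 * (t2vals->region_addr) and size of a memory region (t2vals->region_size)
 * from which the POV must leak a specific number of bytes (t2vals->read_size).
 */
int cgc_type2_negotiate(type2_vals *t2vals);

/*
 * Submit the len bytes in the val buffer as the results of a type 2 POV.
 * Returns 0 on success.
 * NOTE(review): presumably len is expected to equal t2vals->read_size from
 * the preceding negotiation — confirm against the negotiator before
 * submitting a different length.
 */
int cgc_type2_submit(const unsigned char *val, cgc_size_t len);

/*
 *------------------------------------------------------------------
 */

/*
 * The following functions support POVs generated by pov-xml2c from
 * povxml files. They are not documented for the general use of POV authors.
 *
 * NOTE(review): the per-function notes below are inferred from the
 * prototypes alone (no implementation is visible here); confirm each
 * against the implementation before relying on it.
 */

/* Pause for msec milliseconds (presumably; implementation not shown). */
void cgc_delay(unsigned int msec);

/*
 * Append data to a growable buffer. Each variant takes the current buffer
 * and its length (in/out via *buflen) and returns the buffer to use
 * afterwards — presumably a reallocated pointer, so callers should always
 * continue with the returned value rather than the buf they passed in.
 *   cgc_append_var:   append the contents of the named variable var.
 *   cgc_append_slice: append bytes [begin, end) of the named variable var
 *                     (inclusive/exclusive semantics of end: TODO confirm).
 *   cgc_append_buf:   append the sbuflen bytes at sbuf.
 * Ownership of the returned buffer (who frees it) is not shown here.
 */
unsigned char *cgc_append_var(const char *var, unsigned char *buf,
                              unsigned int *buflen);
unsigned char *cgc_append_slice(const char *var, int begin, int end,
                                unsigned char *buf, unsigned int *buflen);
unsigned char *cgc_append_buf(unsigned char *buf, unsigned int *buflen,
                              unsigned char *sbuf, unsigned int sbuflen);

/*
 * Read from fd until the delim_len-byte delimiter delim is seen.
 * *buf and *size are in/out; the implementation presumably grows *buf as
 * data arrives — confirm who owns and frees it, and whether an upper bound
 * on the total read is enforced (an unbounded delimited read from a peer
 * is a memory-exhaustion risk).
 * Return value convention (0 on success?) is not shown here.
 */
int cgc_delimited_read(int fd, unsigned char **buf, unsigned int *size,
                       unsigned char *delim, unsigned int delim_len);

/*
 * Read exactly len bytes from fd into buf. buf must have room for at least
 * len bytes; this function cannot check that itself.
 */
int cgc_length_read(int fd, unsigned char *buf, unsigned int len);

/*
 * Write all size bytes at buf to fd (presumably looping over short writes).
 * The by-value parameter is declared without const: a top-level qualifier
 * on a by-value parameter is a definition detail and does not change the
 * function type, so this is compatible with the existing definition.
 */
int cgc_transmit_all(int fd, const void *buf, cgc_size_t size);

/*
 * Location of a regex match inside a buffer, as filled in by
 * cgc_regex_match. match_start/match_end are presumably byte offsets into
 * the searched buffer; the meaning of len0 is not shown here — TODO confirm.
 */
typedef struct _match_result {
    unsigned int match_start;
    unsigned int match_end;
    unsigned int len0;
} match_result;

/* Compile pattern into a pcre object; ownership/free of the result: TODO confirm. */
pcre *cgc_init_regex(const char *pattern);

/*
 * Run regex over the len bytes at buf and report capture group `group`
 * in *res. Return convention not shown here.
 */
int cgc_regex_match(pcre *regex, unsigned int group, const unsigned char *buf,
                    unsigned int len, match_result *res);

/*
 * Convenience wrappers used by pov-xml2c output; they presumably call the
 * cgc_type*_negotiate / cgc_type2_submit functions above and keep the
 * results in library-internal state (no out-parameters here).
 */
void cgc_negotiate_type1(unsigned int ipmask, unsigned int regmask,
                         unsigned int regnum);
/*
 * Declared with (void), not (): in C an empty parameter list declares a
 * function with unspecified parameters, so the compiler would not diagnose
 * a call that passes arguments by mistake.
 */
void cgc_negotiate_type2(void);
/* Submit the contents of the named variable var as the type 2 result. */
void cgc_submit_type2(const char *var);

/*
 * Matching helpers. Each compares the buflen bytes at readbuf against a
 * named variable, a literal byte string, or a regex. The meaning of the
 * return values (match length? offset? boolean?) is not shown here.
 *
 * NOTE(review): pcre_match lacks the cgc_ prefix used by everything else
 * and sits in libpcre's own pcre_* namespace. It is left unchanged because
 * renaming it would break code generated by pov-xml2c.
 */
cgc_size_t cgc_var_match(const unsigned char *readbuf, unsigned int buflen,
                         const char *varName);
unsigned int cgc_data_match(const unsigned char *readbuf, unsigned int buflen,
                            const unsigned char *data, unsigned int datalen);
unsigned int pcre_match(const unsigned char *readbuf, unsigned int buflen,
                        const char *regex);

/*
 * Assign a named variable from a slice of readbuf (indices low..high;
 * doMax semantics not shown) or from capture group `group` of a regex
 * match over readbuf.
 * NOTE(review): low/high are signed while buflen is unsigned; the
 * implementation must clamp them to [0, buflen] before indexing — not
 * visible here, confirm.
 */
void cgc_assign_from_slice(const char *var, const void *readbuf,
                           unsigned int buflen, int low, int high, int doMax);
void cgc_assign_from_pcre(const char *var, const void *readbuf,
                          unsigned int buflen, const char *regex, int group);

#endif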