authorFabrice Desclaux <fabrice.desclaux@cea.fr>2016-08-11 12:54:07 +0200
committerFabrice Desclaux <fabrice.desclaux@cea.fr>2016-08-31 18:34:24 +0200
commit2858e916f35f0469baeea23632ddd8befdd7ca5d (patch)
treed8ad86407e24ae9435ca4ca344ae7ec61e8568d2
parent39b1c59354395006deebcc5a93455e23b9596577 (diff)
Tests: add win seh test
-rw-r--r--example/jitter/test_x86_32_seh.py56
-rw-r--r--example/samples/x86_32_seh.S76
-rw-r--r--test/test_all.py18
3 files changed, 150 insertions, 0 deletions
diff --git a/example/jitter/test_x86_32_seh.py b/example/jitter/test_x86_32_seh.py
new file mode 100644
index 00000000..5277807d
--- /dev/null
+++ b/example/jitter/test_x86_32_seh.py
@@ -0,0 +1,56 @@
+import os
+from pdb import pm
+from miasm2.analysis.sandbox import Sandbox_Win_x86_32
+from miasm2.os_dep import win_api_x86_32_seh
+from miasm2.jitter.csts import *
+
+def deal_exception_access_violation(jitter):
+    jitter.pc = win_api_x86_32_seh.fake_seh_handler(jitter, win_api_x86_32_seh.EXCEPTION_ACCESS_VIOLATION)
+    return True
+
+def deal_exception_breakpoint(jitter):
+    jitter.pc = win_api_x86_32_seh.fake_seh_handler(jitter, win_api_x86_32_seh.EXCEPTION_BREAKPOINT)
+    return True
+
+def deal_exception_div(jitter):
+    jitter.pc = win_api_x86_32_seh.fake_seh_handler(jitter, win_api_x86_32_seh.EXCEPTION_INT_DIVIDE_BY_ZERO)
+    return True
+
+def deal_exception_privileged_instruction(jitter):
+    jitter.pc = win_api_x86_32_seh.fake_seh_handler(jitter, win_api_x86_32_seh.EXCEPTION_PRIV_INSTRUCTION)
+    return True
+
+def deal_exception_illegal_instruction(jitter):
+    jitter.pc = win_api_x86_32_seh.fake_seh_handler(jitter, win_api_x86_32_seh.EXCEPTION_ILLEGAL_INSTRUCTION)
+    return True
+
+
+def return_from_seh(jitter):
+    win_api_x86_32_seh.return_from_seh(jitter)
+    return True
+
+# Insert here user defined methods
+
+# Parse arguments
+parser = Sandbox_Win_x86_32.parser(description="PE sandboxer")
+parser.add_argument("filename", help="PE Filename")
+options = parser.parse_args()
+options.usesegm = True
+options.use_seh = True
+
+# Create sandbox
+sb = Sandbox_Win_x86_32(options.filename, options, globals())
+
+# Install Windows SEH callbacks
+sb.jitter.add_exception_handler(EXCEPT_ACCESS_VIOL, deal_exception_access_violation)
+sb.jitter.add_exception_handler(EXCEPT_SOFT_BP, deal_exception_breakpoint)
+sb.jitter.add_exception_handler(EXCEPT_DIV_BY_ZERO, deal_exception_div)
+sb.jitter.add_exception_handler(1<<17, deal_exception_privileged_instruction)
+sb.jitter.add_exception_handler(EXCEPT_UNK_MNEMO, deal_exception_illegal_instruction)
+
+sb.jitter.add_breakpoint(win_api_x86_32_seh.return_from_exception, return_from_seh)
+
+# Run
+sb.run()
+
+assert(sb.jitter.run is False)
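Review bot: The privileged-instruction handler is registered on the raw bit `1<<17` (the `sb.jitter.add_exception_handler(1<<17, deal_exception_privileged_instruction)` line) while every sibling registration uses a named `EXCEPT_*` constant from `miasm2.jitter.csts`; if that module exports a name for bit 17 at this revision (EXCEPT_PRIV_INSN in later miasm versions) use it, otherwise define `EXCEPT_PRIV_INSN = 1 << 17  # privileged instruction, see jitter/csts` once near the top so the meaning is not lost. `from pdb import pm` is a debugging convenience nothing in the script uses and should be dropped, and the star import from csts hides which constants the script actually depends on. The five `deal_exception_*` callbacks differ only in the SEH exception code they pass to `fake_seh_handler`; a small factory (or `functools.partial`) driven by a `(jitter exception bit, SEH code)` table would keep the registrations and the handlers in one place and make a missing case visible.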
diff --git a/example/samples/x86_32_seh.S b/example/samples/x86_32_seh.S
new file mode 100644
index 00000000..7bb2c3cd
--- /dev/null
+++ b/example/samples/x86_32_seh.S
@@ -0,0 +1,76 @@
+
+main:
+	PUSH       error
+	PUSH       DWORD PTR FS:[0x0]
+	MOV        DWORD PTR FS:[0x0], ESP
+	XOR        EAX, EAX
+
+;; Access violation
+lbl_err_0:
+	MOV        DWORD PTR [EAX], 0x0
+lbl_err_end0:
+	NOP
+
+
+;; Breakpoint
+lbl_err_1:
+	INT        0x3
+lbl_err_end1:
+	NOP
+
+;; Divide by 0
+	XOR        EAX, EAX
+lbl_err_2:
+	DIV        EAX
+lbl_err_end2:
+	NOP
+
+;; Privileged instruction
+lbl_err_3:
+	STI
+lbl_err_end3:
+	NOP
+
+;; Unknown instruction (Bad LEA encoding)
+lbl_err_4:
+	.byte 0x8D, 0xC0
+lbl_err_end4:
+	NOP
+
+	POP        DWORD PTR FS:[0x0]
+	ADD        ESP, 4
+	RET
+
+error:
+	MOV        ECX, DWORD PTR [ESP+0xC]
+	MOV        EAX, DWORD PTR [ECX+0xB8]
+	MOV        EBX, DWORD PTR [err_num]
+	CMP        EAX, DWORD PTR [labels_err + 4*EBX]
+	JZ         error_address_ok
+	INT        0x3
+error_address_ok:
+	INC        DWORD PTR [err_num]
+	MOV        EAX, DWORD PTR [labels_err_end + 4*EBX]
+	MOV        DWORD PTR [ECX+0xB8], EAX
+	XOR        EAX, EAX
+	RET
+
+
+
+err_num:
+.dword 0
+
+labels_err:
+.dword lbl_err_0
+.dword lbl_err_end1
+.dword lbl_err_2
+.dword lbl_err_3
+.dword lbl_err_4
+
+
+labels_err_end:
+.dword lbl_err_end0
+.dword lbl_err_end1
+.dword lbl_err_end2
+.dword lbl_err_end3
+.dword lbl_err_end4
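Review bot: The second `labels_err` entry is `lbl_err_end1` rather than `lbl_err_1`, which looks deliberate — INT 3 is a trap, so the Eip saved in the CONTEXT already points past it — but nothing says so and a reader will take it for a copy-paste slip; add `;; INT 3 is a trap: the saved Eip is already past it` above that entry. The `error` handler also relies on two undocumented offsets, `[ESP+0xC]` (the ContextRecord pointer, third argument of an SEH handler) and `[ECX+0xB8]` (CONTEXT.Eip on x86), and on `XOR EAX, EAX` meaning ExceptionContinueExecution; a one-line comment on each of those lines would make the check readable without the Windows headers. Since this sample is what the SEH emulation in the jitter is tested against, spelling out which Eip is expected per fault class is also what protects the test from masking a regression in that code.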
diff --git a/test/test_all.py b/test/test_all.py
index a487900f..c9401552 100644
--- a/test/test_all.py
+++ b/test/test_all.py
@@ -398,6 +398,8 @@ test_mips32l = ExampleShellcode(["mips32l", "mips32.S", "mips32_sc_l.bin"])
 test_x86_64 = ExampleShellcode(["x86_64", "x86_64.S", "demo_x86_64.bin",
                                 "--PE"])
 test_x86_32_if_reg = ExampleShellcode(['x86_32', 'x86_32_if_reg.S', "x86_32_if_reg.bin"])
+test_x86_32_seh = ExampleShellcode(["x86_32", "x86_32_seh.S", "x86_32_seh.bin",
+                                    "--PE"])
 
 testset += test_armb
 testset += test_arml
@@ -412,6 +414,7 @@ testset += test_mips32b
 testset += test_mips32l
 testset += test_x86_64
 testset += test_x86_32_if_reg
+testset += test_x86_32_seh
 
 class ExampleDisassembler(Example):
     """Disassembler examples specificities:
@@ -553,6 +556,14 @@ class ExampleJitter(Example):
     jitter_engines = ["tcc", "llvm", "python", "gcc"]
 
 
+class ExampleJitterNoPython(ExampleJitter):
+    """Jitter examples specificities:
+    - script path begins with "jitter/"
+    Run jitting script without python support
+    """
+    jitter_engines = ["tcc", "llvm", "gcc"]
+
+
 for jitter in ExampleJitter.jitter_engines:
     # Take 5 min on a Core i5
     tags = {"python": [TAGS["long"]],
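Review bot: `ExampleJitterNoPython.jitter_engines` repeats the engine list by hand, so the two classes will silently diverge when an engine is added to or removed from `ExampleJitter`; derive it instead: `jitter_engines = [e for e in ExampleJitter.jitter_engines if e != "python"]`. The docstring restates the parent's bullet and then says only "Run jitting script without python support", which reads as if the script lacked Python rather than the engine being skipped; say what is excluded, e.g. `Same as ExampleJitter, but skips the pure-Python jitter engine.` The loop that consumes this class lives in the last hunk of the file, which runs past what is shown here.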
@@ -587,6 +598,13 @@ for script, dep in [(["x86_32.py", Example.get_sample("x86_32_sc.bin")], []),
         testset += ExampleJitter(script + ["--jitter", jitter], depends=dep,
                                  tags=tags)
 
+
+for jitter in ExampleJitterNoPython.jitter_engines:
+    tags = [TAGS[jitter]] if jitter in TAGS else []
+    testset += ExampleJitterNoPython(["test_x86_32_seh.py", Example.get_sample("x86_32_seh.bin")] + ["--jitter", jitter],
+                                     depends=[test_x86_32_seh],
+                                     tags=tags)
+
 testset += ExampleJitter(["example_types.py"])