| -rw-r--r-- | miasm/tools/nux_api.py | 2 | ||||
| -rw-r--r-- | miasm/tools/seh_helper.py | 175 | ||||
| -rw-r--r-- | miasm/tools/to_c_helper.py | 6 |
3 files changed, 174 insertions, 9 deletions
diff --git a/miasm/tools/nux_api.py b/miasm/tools/nux_api.py index 07a7aca9..569a0f3b 100644 --- a/miasm/tools/nux_api.py +++ b/miasm/tools/nux_api.py @@ -693,6 +693,8 @@ def parse_fmt(s): i+=1 while fmt[i+j] in "0123456789$.": j+=1 + if fmt[i+j] in ['l']: + j +=1 if fmt[i+j] == "h": x = fmt[i+j:i+j+2] else: diff --git a/miasm/tools/seh_helper.py b/miasm/tools/seh_helper.py index c0d95d3f..bbab2cab 100644 --- a/miasm/tools/seh_helper.py +++ b/miasm/tools/seh_helper.py @@ -17,6 +17,7 @@ # #from codenat import * from to_c_helper import * +from elfesteem import * import to_c_helper FS_0_AD = 0x7ff70000 @@ -32,10 +33,12 @@ peb_ldr_data_offset = 0x1ea0 peb_ldr_data_address = LDR_AD + peb_ldr_data_offset#PEB_AD + 0x1000 -InInitializationOrderModuleList_offset = 0x1f48 +modules_list_offset = 0x1f00 + +InInitializationOrderModuleList_offset = 0x1ee0 #0x1f48 InInitializationOrderModuleList_address = LDR_AD + InInitializationOrderModuleList_offset#PEB_AD + 0x2000 -InLoadOrderModuleList_offset = 0x1f48 + MAX_MODULES*0x1000 +InLoadOrderModuleList_offset = 0x1ee0+MAX_MODULES*0x1000#0x1f48 + MAX_MODULES*0x1000 InLoadOrderModuleList_address = LDR_AD + InLoadOrderModuleList_offset#PEB_AD + 0x2000 #in_load_order_module_1 = LDR_AD + in_load_order_module_list_offset#PEB_AD + 0x3000 @@ -113,7 +116,7 @@ def build_fake_peb(): return o -def build_fake_ldr_data(): +def build_fake_ldr_data(modules_info): """ +0x000 Length : Uint4B +0x004 Initialized : UChar 
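Review bot: The added length-modifier check in parse_fmt skips exactly one `l`, so a doubled modifier (`%lld`) leaves the second `l` in the position that the following `== "h"` test and the `x = fmt[i+j:i+j+2]` slice presumably treat as the conversion character. Looping over the modifier handles both forms, and bounding the index avoids reading past a format string that ends inside a specifier, a risk the existing `while` over `"0123456789$."` already has: `while i + j < len(fmt) and fmt[i+j] == 'l':` / `j += 1`. `in ['l']` is a one-element membership test where `== 'l'` says the same thing more directly. parse_fmt starts and ends outside the hunk.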
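Review bot: `from elfesteem import *` adds a second wildcard import next to the existing `from to_c_helper import *`, so any name both modules export is resolved silently by import order, and a reader cannot tell where the `pe_init` used later in this file comes from. The rest of this commit only uses `pe_init.PE`, so `from elfesteem import pe_init` is sufficient and keeps the module namespace explicit.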
@@ -127,9 +130,31 @@ def build_fake_ldr_data(): o += "\x00" * peb_ldr_data_offset o += "\x00"*0xc #text XXX - o += pdw(InLoadOrderModuleList_address) + pdw(0) - o += pdw(InInitializationOrderModuleList_address+8) + pdw(0) - o += pdw(InInitializationOrderModuleList_address+0x10) + pdw(0) + + # get main pe info + m_e = None + for bname, (addr, e) in modules_info.items(): + if e == main_pe: + m_e = (e, bname, addr) + break + if not m_e: + fds + + print 'inloadorder first', hex(m_e[2]) + o += pdw(m_e[2]) + pdw(0) + + # get ntdll + ntdll_e = None + for bname, (addr, e) in modules_info.items(): + if bname[::2].lower() == "ntdll.dll": + ntdll_e = (e, bname, addr) + continue + if not ntdll_e: + fds + + print 'ntdll', hex(ntdll_e[2]) + o += pdw(ntdll_e[2]+0x10) + pdw(0) # XXX TODO + o += pdw(ntdll_e[2]+0x10) + pdw(0) return o 
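Review bot: `fds` on the two failure paths of build_fake_ldr_data is an undefined name, so a missing main-module or ntdll entry surfaces as a NameError with no indication of what was not found; the same placeholder is used in fix_InLoadOrderModuleList and fix_InInitializationOrderModuleList in the next hunk. Replace each with an explicit error, e.g. `raise ValueError("main PE not found in modules_info")` and `raise ValueError("ntdll.dll not found in modules_info")`. The ntdll search uses `continue` after a match where `break` is meant, and the two `print` statements are debug output left in library code. The second and third `o +=` pairs both point at the ntdll entry `+0x10`, which the `# XXX TODO` acknowledges; a comment naming which list head the stub stands in for, and why ntdll is an acceptable placeholder, would help the next reader.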
@@ -237,6 +262,131 @@ def build_fake_InInitializationOrderModuleList(modules_name): return o +dummy_e = pe_init.PE() +dummy_e.NThdr.ImageBase = 0 +dummy_e.Opthdr.AddressOfEntryPoint = 0 +dummy_e.NThdr.sizeofimage = 0 + +def create_modules_chain(modules_name): + modules_info = {} + base_addr = LDR_AD + modules_list_offset #XXXX + offset_name = 0x500 + offset_path = 0x600 + + + out = "" + for i, m in enumerate([(main_pe_name, main_pe), ("", dummy_e)] + modules_name): + addr = base_addr + i*0x1000 + #fname = os.path.join('win_dll', m) + if isinstance(m, tuple): + fname, e = m + else: + fname, e = m, None + bpath = fname.replace('/', '\\') + bname = os.path.split(fname)[1].lower() + bname = "\x00".join(bname)+"\x00" + print "add module", repr(bname), repr(bpath) + #print hex(InInitializationOrderModuleList_address+i*0x1000) + if e == None: + e = pe_init.PE(open(fname, 'rb').read()) + modules_info[bname] = addr, e + + m_o = "" + m_o += pdw(0) + m_o += pdw(0) + m_o += pdw(0) + m_o += pdw(0) + m_o += pdw(0) + m_o += pdw(0) + m_o += pdw(e.NThdr.ImageBase) + m_o += pdw(e.rva2virt(e.Opthdr.AddressOfEntryPoint)) + m_o += pdw(e.NThdr.sizeofimage) + + m_o += (0x24 - len(m_o))*"A" + print hex(len(bname)), repr(bname) + m_o += struct.pack('HH', len(bname), len(bname)+2) + m_o += pdw(addr+offset_path) + + m_o += (0x2C - len(m_o))*"A" + m_o += struct.pack('HH', len(bname), len(bname)+2) + m_o += pdw(addr + offset_name) + + m_o += (offset_name - len(m_o))*"B" + m_o += bname + m_o += "\x00"*3 + + m_o += (offset_path - len(m_o))*"B" + m_o += "\x00".join(bpath)+"\x00" + m_o += "\x00"*3 + #out += m_o + vm_set_mem(addr, m_o) + return modules_info + + +def fix_InLoadOrderModuleList(module_info): + # first binary is PE + # last is dumm_e + olist =[] + m_e = None + d_e = None + for bname, (addr, e) in module_info.items(): + print bname + if e == main_pe: + m_e = (e, bname, addr) + continue + elif e == dummy_e: + d_e = (e, bname, addr) + continue + olist.append((e, bname, addr)) + if not m_e 
or not d_e: + fds + + olist[0:0] =[m_e] + olist.append(d_e) + + last_addr = 0 + for i in xrange(len(olist)): + e, bname, addr = olist[i] + p_e, p_bname, p_addr = olist[(i-1)%len(olist)] + n_e, n_bname, n_addr = olist[(i+1)%len(olist)] + vm_set_mem(addr+0, pdw(p_addr)+pdw(n_addr)) + + + +def fix_InInitializationOrderModuleList(module_info): + # first binary is ntdll + # second binary is kernel32 + olist =[] + ntdll_e = None + kernel_e= None + for bname, (addr, e) in module_info.items(): + if bname[::2].lower() == "ntdll.dll": + ntdll_e = (e, bname, addr) + continue + elif bname[::2].lower() == "kernel32.dll": + kernel_e = (e, bname, addr) + continue + elif e == dummy_e: + d_e = (e, bname, addr) + continue + elif e == main_pe: + continue + olist.append((e, bname, addr)) + if not ntdll_e or not kernel_e or not d_e: + fds + + olist[0:0] =[ntdll_e] + olist[1:1] =[kernel_e] + olist.append(d_e) + + last_addr = 0 + for i in xrange(len(olist)): + e, bname, addr = olist[i] + p_e, p_bname, p_addr = olist[(i-1)%len(olist)] + n_e, n_bname, n_addr = olist[(i+1)%len(olist)] + vm_set_mem(addr+0x10, pdw(p_addr)+pdw(n_addr)) + + def build_fake_InLoadOrderModuleList(modules_name): """ +0x000 Flink : Ptr32 -+ This distance 
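Review bot: In fix_InInitializationOrderModuleList `d_e` is only assigned inside the loop, unlike `ntdll_e` and `kernel_e`, so if no `dummy_e` entry is present the check `if not ntdll_e or not kernel_e or not d_e` raises UnboundLocalError instead of reporting the missing module; add `d_e = None` next to the other two initialisations. Both fix_* functions build their lists by iterating `module_info.items()`, whose order is dict order rather than the order of `modules_name`, so the middle of each linked list comes out in an order unrelated to load order; since create_modules_chain assigns `addr = base_addr + i*0x1000` in load order, iterating `sorted(module_info.items(), key=lambda kv: kv[1][0])` restores it deterministically. In create_modules_chain `open(fname, 'rb').read()` leaves the file object to the garbage collector; `with open(fname, 'rb') as f: e = pe_init.PE(f.read())` closes it deterministically, and `e == None` should be `e is None`. `last_addr = 0` is unused in both fix_* functions, and the `print` calls are debug output.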
@@ -349,13 +499,22 @@ def init_seh(): vm_add_memory_page(peb_address, PAGE_READ | PAGE_WRITE, build_fake_peb()) #vm_add_memory_page(peb_ldr_data_address, PAGE_READ | PAGE_WRITE, p(0) * 3 + p(in_load_order_module_list_address) + p(0) * 0x20) - ldr_data = build_fake_ldr_data() + """ ldr_data += "\x00"*(InInitializationOrderModuleList_offset - len(ldr_data)) ldr_data += build_fake_InInitializationOrderModuleList(loaded_modules) ldr_data += "\x00"*(InLoadOrderModuleList_offset - len(ldr_data)) ldr_data += build_fake_InLoadOrderModuleList(loaded_modules) + """ + vm_add_memory_page(LDR_AD, PAGE_READ | PAGE_WRITE, "\x00"*MAX_MODULES*0x1000) + module_info = create_modules_chain(loaded_modules) + fix_InLoadOrderModuleList(module_info) + fix_InInitializationOrderModuleList(module_info) + + ldr_data = build_fake_ldr_data(module_info) + vm_set_mem(LDR_AD, ldr_data) + + #fds - vm_add_memory_page(LDR_AD, PAGE_READ | PAGE_WRITE, ldr_data) #vm_add_memory_page(in_load_order_module_list_address, PAGE_READ | PAGE_WRITE, p(0) * 40) # vm_add_memory_page(in_load_order_module_list_address, PAGE_READ | PAGE_WRITE, build_fake_inordermodule(loaded_modules)) vm_add_memory_page(default_seh, PAGE_READ | PAGE_WRITE, p(0xffffffff) + p(0x41414141) + p(0x42424242)) diff --git a/miasm/tools/to_c_helper.py b/miasm/tools/to_c_helper.py index e80a7067..1bb7cd43 100644 --- a/miasm/tools/to_c_helper.py +++ b/miasm/tools/to_c_helper.py @@ -1219,7 +1219,11 @@ def load_pe_in_vm(fname_in, options, all_imp_dll = None, **kargs): if 'stack_size' in kargs: stack_size = kargs['stack_size'] - stack_base_ad = kargs.get('stack_base_ad', 0x1230000) + stack_base = 0x1230000 + if 'stack_base' in kargs: + stack_base = kargs['stack_base'] + + stack_base_ad = kargs.get('stack_base_ad', stack_base) stack_size = kargs.get('stack_size', stack_size) vm_add_memory_page(stack_base_ad, codenat.PAGE_READ|codenat.PAGE_WRITE, |
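Review bot: The LDR page is created as `"\x00"*MAX_MODULES*0x1000` at LDR_AD, but create_modules_chain places entry `i` at `LDR_AD + modules_list_offset + i*0x1000` (0x1f00 in this commit) and writes more than 0x600 bytes plus the path into each slot, so the main PE, the dummy entry and len(loaded_modules) modules extend roughly two slots beyond the N+2 entries they count; nothing here compares the module count with MAX_MODULES, and whether vm_set_mem past the page end fails loudly or silently depends on the VM, which I cannot see from this hunk. A guard before create_modules_chain, e.g. `if len(loaded_modules) + 4 > MAX_MODULES: raise ValueError("too many modules for the LDR page")`, with a comment explaining that the margin covers the two extra entries and the 0x1f00 base offset, makes the limit explicit. The triple-quoted block holding the old build_fake_* calls and the `#fds` line are dead code the commit leaves in place; delete them or replace them with a comment saying why the list-builder functions are no longer used. init_seh starts and ends outside the hunk.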
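Review bot: The new `stack_base` lookup in load_pe_in_vm spells out in three lines what `kargs.get` does in one, immediately before a line that uses `kargs.get` for the same purpose; `stack_base = kargs.get('stack_base', 0x1230000)` followed by the existing `stack_base_ad = kargs.get('stack_base_ad', stack_base)` keeps both keyword names working. Accepting both `stack_base` and `stack_base_ad` for the same value deserves a one-line comment stating which one wins when a caller passes both (here `stack_base_ad`). load_pe_in_vm starts and ends outside the hunk.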