diff options
| -rw-r--r-- | README.md | 47 | ||||
| -rw-r--r-- | example/expression/get_read_write.py | 11 | ||||
| -rw-r--r-- | example/ida/graph_ir.py | 4 | ||||
| -rw-r--r-- | miasm2/arch/aarch64/regs.py | 32 | ||||
| -rw-r--r-- | miasm2/os_dep/win_api_x86_32.py | 52 |
5 files changed, 70 insertions, 76 deletions
diff --git a/README.md b/README.md index 8b1c371e..51890054 100644 --- a/README.md +++ b/README.md @@ -108,8 +108,8 @@ Add instruction to the pool: Print current pool: ``` ->>> for lbl, b in ira.blocs.items(): -... print b +>>> for lbl, irblock in ira.blocks.items(): +... print irblock ... loc_0000000000000000:0x00000000 @@ -119,19 +119,19 @@ loc_0000000000000000:0x00000000 ``` Working with IR, for instance by getting side effects: ``` ->>> from miasm2.expression.expression import get_rw ->>> for lbl, b in ira.blocs.items(): -... for irs in b.irs: -... o_r, o_w = get_rw(irs) -... print 'read: ', [str(x) for x in o_r] -... print 'written:', [str(x) for x in o_w] -... print +>>> for lbl, irblock in ira.blocks.iteritems(): +... for assignblk in irblock: +... rw = assignblk.get_rw() +... for dst, reads in rw.iteritems(): +... print 'read: ', [str(x) for x in reads] +... print 'written:', dst +... print ... read: ['R8', 'R0'] -written: ['R2'] +written: R2 read: ['loc_0000000000000004:0x00000004'] -written: ['IRDst'] +written: IRDst ``` Emulation @@ -165,9 +165,9 @@ Disassembling the shellcode at address `0`: >>> from miasm2.analysis.machine import Machine >>> machine = Machine('x86_32') >>> mdis = machine.dis_engine(c.bin_stream) ->>> blocs = mdis.dis_multiblock(0) ->>> for b in blocs: -... print b +>>> blocks = mdis.dis_multiblock(0) +>>> for block in blocks: +... print block ... loc_0000000000000000:0x00000000 LEA ECX, DWORD PTR [ECX+0x4] @@ -198,7 +198,8 @@ Initializing the Jit engine with a stack: Add the shellcode in an arbitrary memory location: ``` >>> run_addr = 0x40000000 ->>> myjit.vm.add_memory_page(run_addr, PAGE_READ | PAGE_WRITE, s) +>>> from miasm2.jitter.csts import PAGE_READ, PAGE_WRITE +>>> jitter.vm.add_memory_page(run_addr, PAGE_READ | PAGE_WRITE, s) ``` Create a sentinelle to catch the return of the shellcode: @@ -268,22 +269,22 @@ Initializing the IR pool: ``` >>> ira = machine.ira() ->>> for b in blocs: -... ira.add_bloc(b) +>>> for block in blocks: +... ira.add_block(block) ... ``` Initializing the engine with default symbolic values: ``` ->>> from miasm2.ir.symbexec import symbexec ->>> sb = symbexec(ira, machine.mn.regs.regs_init) +>>> from miasm2.ir.symbexec import SymbolicExecutionEngine +>>> sb = SymbolicExecutionEngine(ira, machine.mn.regs.regs_init) ``` Launching the execution: ``` ->>> symbolic_pc = sb.emul_ir_blocs(ira, 0) +>>> symbolic_pc = sb.run_at(0) >>> print symbolic_pc ((ECX_init+0x4)[0:8]+0xFF)?(0xB,0x10) ``` @@ -291,8 +292,8 @@ Launching the execution: Same, with step logs (only changes are displayed): ``` ->>> sb = symbexec(ira, machine.mn.regs.regs_init) ->>> symbolic_pc = sb.emul_ir_blocs(ira, 0, step=True) +>>> sb = SymbolicExecutionEngine(ira, machine.mn.regs.regs_init) +>>> symbolic_pc = sb.run_at(0, step=True) ________________________________________________________________________________ ECX (ECX_init+0x4) ________________________________________________________________________________ @@ -326,7 +327,7 @@ Retry execution with a concrete ECX. Here, the symbolic / concolic execution rea ``` >>> from miasm2.expression.expression import ExprInt32 >>> sb.symbols[machine.mn.regs.ECX] = ExprInt32(-3) ->>> symbolic_pc = sb.emul_ir_blocs(ira, 0, step=True) +>>> symbolic_pc = sb.run_at(0, step=True) ________________________________________________________________________________ ECX 0x1 ________________________________________________________________________________ diff --git a/example/expression/get_read_write.py b/example/expression/get_read_write.py index b4a0773b..d107cfa2 100644 --- a/example/expression/get_read_write.py +++ b/example/expression/get_read_write.py @@ -16,12 +16,13 @@ l.offset, l.l = 0, 15 ir_arch.add_instr(l) print '*' * 80 -for lbl, irblock in ir_arch.blocks.items(): +for lbl, irblock in ir_arch.blocks.iteritems(): print irblock for assignblk in irblock: - o_r, o_w = get_rw(assignblk) - print 'read: ', [str(x) for x in o_r] - print 'written:', [str(x) for x in o_w] - print + rw = assignblk.get_rw() + for dst, reads in rw.iteritems(): + print 'read: ', [str(x) for x in reads] + print 'written:', dst + print open('graph_instr.dot', 'w').write(ir_arch.graph.dot()) diff --git a/example/ida/graph_ir.py b/example/ida/graph_ir.py index 7e303aac..6dfa1f7d 100644 --- a/example/ida/graph_ir.py +++ b/example/ida/graph_ir.py @@ -121,6 +121,10 @@ def build_graph(verbose=False, simplify=False): # print hex(ad), repr(name) if name is None: continue + if (mdis.symbol_pool.getby_offset(addr) or + mdis.symbol_pool.getby_name(name)): + # Symbol alias + continue mdis.symbol_pool.add_label(name, addr) if verbose: diff --git a/miasm2/arch/aarch64/regs.py b/miasm2/arch/aarch64/regs.py index f2655ea7..bf1c5cef 100644 --- a/miasm2/arch/aarch64/regs.py +++ b/miasm2/arch/aarch64/regs.py @@ -45,9 +45,13 @@ simd128_expr, simd128_init, simd128_info = gen_regs( simd128_str, globals(), 128) -PC, PC_init = gen_reg("PC", globals(), 64) -WZR, WZR_init = gen_reg("WZR", globals(), 32) -XZR, XZR_init = gen_reg("XZR", globals(), 64) +gen_reg("PC", globals(), 64) +gen_reg("WZR", globals(), 32) +gen_reg("XZR", globals(), 64) + +PC_init = ExprId("PC_init", 64) +WZR_init = ExprId("WZR_init", 32) +XZR_init = ExprId("XZR_init", 64) reg_zf = 'zf' reg_nf = 'nf' @@ -87,11 +91,12 @@ all_regs_ids = [ X0, X1, X2, X3, X4, X5, X6, X7, X8, X9, X10, X11, X12, X13, X14, X15, X16, X17, X18, X19, X20, X21, X22, X23, X24, X25, X26, X27, X28, X29, LR, SP, - exception_flags, interrupt_num, + exception_flags, + interrupt_num, PC, WZR, + XZR, zf, nf, of, cf, - XZR ] @@ -105,22 +110,7 @@ attrib_to_regs = { all_regs_ids_byname = dict([(x.name, x) for x in all_regs_ids]) -all_regs_ids_init = (simd08_init + - simd16_init + - simd32_init + - simd64_init + - simd128_init + - gpregs32_init + - gpregs64_init + - [ - ExprInt(0, 32), - PC_init, - WZR_init, - XZR_init, - zf_init, nf_init, of_init, cf_init, - ExprInt(0, 64), ExprInt(0, 32), - ] - ) +all_regs_ids_init = [ExprId("%s_init" % x.name, x.size) for x in all_regs_ids] regs_init = {} for i, r in enumerate(all_regs_ids): diff --git a/miasm2/os_dep/win_api_x86_32.py b/miasm2/os_dep/win_api_x86_32.py index c90d7939..a88f4a8a 100644 --- a/miasm2/os_dep/win_api_x86_32.py +++ b/miasm2/os_dep/win_api_x86_32.py @@ -1024,22 +1024,20 @@ def kernel32_IsWow64Process(jitter): jitter.func_ret_stdcall(ret_ad, 1) -def kernel32_GetCommandLineA(jitter): +def kernel32_GetCommandLine(jitter, set_str): ret_ad, _ = jitter.func_args_stdcall(0) - s = winobjs.module_path + '\x00' - s = '"%s"' % s alloc_addr = winobjs.heap.alloc(jitter, 0x1000) + s = set_str('"%s"' % winobjs.module_path) jitter.vm.set_mem(alloc_addr, s) jitter.func_ret_stdcall(ret_ad, alloc_addr) +def kernel32_GetCommandLineA(jitter): + kernel32_GetCommandLine(jitter, set_str_ansi) + + def kernel32_GetCommandLineW(jitter): - ret_ad, _ = jitter.func_args_stdcall(0) - s = winobjs.module_path + '\x00' - s = jitter.set_str_unic('"%s"' % s) - alloc_addr = winobjs.heap.alloc(jitter, 0x1000) - jitter.vm.set_mem(alloc_addr, s) - jitter.func_ret_stdcall(ret_ad, alloc_addr) + kernel32_GetCommandLine(jitter, set_str_unic) def shell32_CommandLineToArgvW(jitter): @@ -1051,10 +1049,9 @@ def shell32_CommandLineToArgvW(jitter): addr_ret = winobjs.heap.alloc(jitter, 4 * (len(tks) + 1)) o = 0 for i, t in enumerate(tks): - x = jitter.set_str_unic(t) + "\x00\x00" + jitter.set_str_unic(addr + o, t) jitter.vm.set_mem(addr_ret + 4 * i, pck32(addr + o)) - jitter.vm.set_mem(addr + o, x) - o += len(x) + 2 + o += len(t)*2 + 2 jitter.vm.set_mem(addr_ret + 4 * i, pck32(0)) jitter.vm.set_mem(args.pnumargs, pck32(len(tks))) @@ -1442,8 +1439,7 @@ def my_strcpy(jitter, funcname, get_str, set_str): def kernel32_lstrcpyW(jitter): - my_strcpy(jitter, whoami(), jitter.get_str_unic, - jitter.set_str_unic) + my_strcpy(jitter, whoami(), jitter.get_str_unic, jitter.set_str_unic) def kernel32_lstrcpyA(jitter): @@ -1591,6 +1587,20 @@ def my_GetEnvironmentVariable(jitter, funcname, get_str, set_str, mylen): jitter.func_ret_stdcall(ret_ad, mylen(v)) +def kernel32_GetEnvironmentVariableA(jitter): + my_GetEnvironmentVariable(jitter, whoami(), + jitter.get_str_ansi, + jitter.set_str_ansi, + len) + + +def kernel32_GetEnvironmentVariableW(jitter): + my_GetEnvironmentVariable(jitter, whoami(), + jitter.get_str_unic, + jitter.set_str_ansi, + len) + + def my_GetSystemDirectory(jitter, funcname, set_str): ret_ad, args = jitter.func_args_stdcall(["lpbuffer", "usize"]) s = "c:\\windows\\system32" @@ -1599,6 +1609,7 @@ def my_GetSystemDirectory(jitter, funcname, set_str): jitter.func_ret_stdcall(ret_ad, l) + def kernel32_GetSystemDirectoryA(jitter): my_GetSystemDirectory(jitter, whoami(), jitter.set_str_ansi) @@ -1621,19 +1632,6 @@ def kernel32_CreateDirectoryA(jitter): my_CreateDirectory(jitter, whoami(), jitter.get_str_ansi) -def kernel32_GetEnvironmentVariableA(jitter): - my_GetEnvironmentVariable(jitter, whoami(), - jitter.get_str_ansi, - jitter.set_str_ansi, - len) - - -def kernel32_GetEnvironmentVariableW(jitter): - my_GetEnvironmentVariable(jitter, whoami(), - jitter.get_str_unic, - jitter.set_str_ansi, - len) - def my_CreateEvent(jitter, funcname, get_str): ret_ad, args = jitter.func_args_stdcall(["lpeventattributes", |