diff options
| -rw-r--r-- | miasm2/analysis/sandbox.py | 10 | ||||
| -rw-r--r-- | miasm2/jitter/jitload.py | 5 | ||||
| -rw-r--r-- | miasm2/jitter/loader/elf.py | 6 | ||||
| -rw-r--r-- | miasm2/jitter/loader/pe.py | 11 | ||||
| -rw-r--r-- | miasm2/jitter/vm_mngr.c | 51 | ||||
| -rw-r--r-- | miasm2/jitter/vm_mngr.h | 3 | ||||
| -rw-r--r-- | miasm2/jitter/vm_mngr_py.c | 13 | ||||
| -rw-r--r-- | miasm2/os_dep/common.py | 4 | ||||
| -rw-r--r-- | miasm2/os_dep/win_api_x86_32.py | 15 | ||||
| -rw-r--r-- | miasm2/os_dep/win_api_x86_32_seh.py | 24 |
10 files changed, 97 insertions, 45 deletions
diff --git a/miasm2/analysis/sandbox.py b/miasm2/analysis/sandbox.py index eef83e85..aae8aac1 100644 --- a/miasm2/analysis/sandbox.py +++ b/miasm2/analysis/sandbox.py @@ -187,7 +187,9 @@ class OS_Win(OS): # Load main pe with open(self.fname) as fstream: self.pe = vm_load_pe(self.jitter.vm, fstream.read(), - load_hdr=self.options.load_hdr, **kwargs) + load_hdr=self.options.load_hdr, + name=self.fname, + **kwargs) self.name2module[fname_basename] = self.pe # Load library @@ -258,7 +260,8 @@ class OS_Linux(OS): self.libs = libimp_elf() with open(self.fname) as fstream: - self.elf = vm_load_elf(self.jitter.vm, fstream.read(), **kwargs) + self.elf = vm_load_elf(self.jitter.vm, fstream.read(), + name=self.fname, **kwargs) preload_elf(self.jitter.vm, self.elf, self.libs) self.entry_point = self.elf.Ehdr.entry @@ -284,7 +287,8 @@ class OS_Linux_str(OS): data = open(self.fname).read() self.options.load_base_addr = int(self.options.load_base_addr, 0) self.jitter.vm.add_memory_page( - self.options.load_base_addr, PAGE_READ | PAGE_WRITE, data) + self.options.load_base_addr, PAGE_READ | PAGE_WRITE, data, + "Initial Str") # Library calls handler self.jitter.add_lib_handler(libs, methods) diff --git a/miasm2/jitter/jitload.py b/miasm2/jitter/jitload.py index 86c7b07a..312dcb2e 100644 --- a/miasm2/jitter/jitload.py +++ b/miasm2/jitter/jitload.py @@ -20,6 +20,8 @@ log_func = logging.getLogger('jit function call') log_func.addHandler(hnd) log_func.setLevel(logging.CRITICAL) + + try: from miasm2.jitter.jitcore_tcc import JitCore_Tcc except ImportError: @@ -362,7 +364,8 @@ class jitter: def init_stack(self): self.vm.add_memory_page( - self.stack_base, PAGE_READ | PAGE_WRITE, "\x00" * self.stack_size) + self.stack_base, PAGE_READ | PAGE_WRITE, "\x00" * self.stack_size, + "Stack") sp = self.arch.getsp(self.attrib) setattr(self.cpu, sp.name, self.stack_base + self.stack_size) # regs = self.cpu.get_gpreg() diff --git a/miasm2/jitter/loader/elf.py b/miasm2/jitter/loader/elf.py index 08df632a..db0f1cb7 100644 --- a/miasm2/jitter/loader/elf.py +++ b/miasm2/jitter/loader/elf.py @@ -47,7 +47,7 @@ def preload_elf(vm, e, runtime_lib, patch_vm_imp=True): return runtime_lib, dyn_funcs -def vm_load_elf(vm, fdata, **kargs): +def vm_load_elf(vm, fdata, name="", **kargs): """ Very dirty elf loader TODO XXX: implement real loader @@ -56,6 +56,7 @@ def vm_load_elf(vm, fdata, **kargs): e = elf_init.ELF(fdata, **kargs) i = interval() all_data = {} + for p in e.ph.phlist: if p.ph.type != elf_csts.PT_LOAD: continue @@ -72,7 +73,8 @@ def vm_load_elf(vm, fdata, **kargs): i += [(a_addr, b_addr - 2)] for a, b in i.intervals: # print hex(a), hex(b) - vm.add_memory_page(a, PAGE_READ | PAGE_WRITE, "\x00" * (b + 2 - a)) + vm.add_memory_page(a, PAGE_READ | PAGE_WRITE, "\x00" * (b + 2 - a), + repr(name)) for r_vaddr, data in all_data.items(): vm.set_mem(r_vaddr, data) diff --git a/miasm2/jitter/loader/pe.py b/miasm2/jitter/loader/pe.py index 1d33f9b8..c40e8e38 100644 --- a/miasm2/jitter/loader/pe.py +++ b/miasm2/jitter/loader/pe.py @@ -101,7 +101,7 @@ def get_export_name_addr_list(e): return out -def vm_load_pe(vm, fdata, align_s=True, load_hdr=True, **kargs): +def vm_load_pe(vm, fdata, align_s=True, load_hdr=True, name="", **kargs): """Load a PE in memory (@vm) from a data buffer @fdata @vm: VmMngr instance @fdata: data buffer to parse @@ -136,7 +136,7 @@ def vm_load_pe(vm, fdata, align_s=True, load_hdr=True, **kargs): pe_hdr = pe.content[:hdr_len] + max( 0, (min_len - hdr_len)) * "\x00" vm.add_memory_page(pe.NThdr.ImageBase, PAGE_READ | PAGE_WRITE, - pe_hdr) + pe_hdr, "%r: PE Header" % name) # Align sections size if align_s: @@ -160,7 +160,8 @@ def vm_load_pe(vm, fdata, align_s=True, load_hdr=True, **kargs): attrib = PAGE_READ if section.flags & 0x80000000: attrib |= PAGE_WRITE - vm.add_memory_page(pe.rva2virt(section.addr), attrib, data) + vm.add_memory_page(pe.rva2virt(section.addr), attrib, data, + "%r: %r" % (name, section.name)) return pe @@ -217,7 +218,7 @@ def vm_load_pe_lib(vm, fname_in, libs, lib_path_base, **kargs): fname = os.path.join(lib_path_base, fname_in) with open(fname) as fstream: - pe = vm_load_pe(vm, fstream.read(), **kargs) + pe = vm_load_pe(vm, fstream.read(), name=fname_in, **kargs) libs.add_export_lib(pe, fname_in) return pe @@ -484,7 +485,7 @@ def vm_load_pe_and_dependencies(vm, fname, name2module, runtime_lib, try: with open(fname) as fstream: log.info('Loading module name %r', fname) - pe_obj = vm_load_pe(vm, fstream.read(), **kwargs) + pe_obj = vm_load_pe(vm, fstream.read(), name=fname, **kwargs) except IOError: log.error('Cannot open %s' % fname) name2module[name] = None diff --git a/miasm2/jitter/vm_mngr.c b/miasm2/jitter/vm_mngr.c index fd5b870d..a0c2f5a3 100644 --- a/miasm2/jitter/vm_mngr.c +++ b/miasm2/jitter/vm_mngr.c @@ -1268,26 +1268,35 @@ uint64_t double_to_mem_64(double d) return m; } -struct memory_page_node * create_memory_page_node(uint64_t ad, unsigned int size, unsigned int access) +struct memory_page_node * create_memory_page_node(uint64_t ad, unsigned int size, unsigned int access, char* name) { struct memory_page_node * mpn; - void* p; + void* ad_hp; mpn = malloc(sizeof(*mpn)); if (!mpn){ fprintf(stderr, "Error: cannot alloc mpn\n"); return NULL; } - p = malloc(size); - if (!p){ + ad_hp = malloc(size); + if (!ad_hp){ free(mpn); fprintf(stderr, "Error: cannot alloc %d\n", size); return NULL; } + mpn->name = malloc(strlen(name) + 1); + if (!mpn->name){ + free(mpn); + free(ad_hp); + fprintf(stderr, "Error: cannot alloc\n"); + return NULL; + } + mpn->ad = ad; mpn->size = size; mpn->access = access; - mpn->ad_hp = p; + mpn->ad_hp = ad_hp; + strcpy(mpn->name, name); return mpn; } @@ -1440,31 +1449,41 @@ void add_memory_page(vm_mngr_t* vm_mngr, struct memory_page_node* mpn_a) /* Return a char* representing the repr of vm_mngr_t object */ char* dump(vm_mngr_t* vm_mngr) { - char buf[100]; + char buf[0x100]; int length; - int total_len = 0; char *buf_final; int i; + char buf_addr[0x20]; + char buf_size[0x20]; struct memory_page_node * mpn; + /* 0x1234567812345678 0x1234567812345678 */ + char* intro = "Addr Size Access Comment\n"; + int total_len = strlen(intro) + 1; - buf_final = malloc(1); + buf_final = malloc(total_len); if (buf_final == NULL) { fprintf(stderr, "Error: cannot alloc\n"); exit(0); } - buf_final[0] = '\x00'; - + strcpy(buf_final, intro); for (i=0; i< vm_mngr->memory_pages_number; i++) { mpn = &vm_mngr->memory_pages_array[i]; - length = snprintf(buf, sizeof(buf), - "ad 0x%"PRIX64" size 0x%"PRIX64" %c%c%c\n", - (uint64_t)mpn->ad, - (uint64_t)mpn->size, + snprintf(buf_addr, sizeof(buf_addr), + "0x%"PRIX64, (uint64_t)mpn->ad); + snprintf(buf_size, sizeof(buf_size), + "0x%"PRIX64, (uint64_t)mpn->size); + + length = snprintf(buf, sizeof(buf) - 1, + "%-18s %-18s %c%c%c %s", + buf_addr, + buf_size, mpn->access & PAGE_READ? 'R':'_', mpn->access & PAGE_WRITE? 'W':'_', - mpn->access & PAGE_EXEC? 'X':'_' + mpn->access & PAGE_EXEC? 'X':'_', + mpn->name ); - total_len += length+1; + strcat(buf, "\n"); + total_len += length + 1 + 1; buf_final = realloc(buf_final, total_len); if (buf_final == NULL) { fprintf(stderr, "Error: cannot alloc\n"); diff --git a/miasm2/jitter/vm_mngr.h b/miasm2/jitter/vm_mngr.h index 02b5de73..acea4875 100644 --- a/miasm2/jitter/vm_mngr.h +++ b/miasm2/jitter/vm_mngr.h @@ -70,6 +70,7 @@ struct memory_page_node { uint64_t size; uint64_t access; void* ad_hp; + char* name; }; @@ -258,7 +259,7 @@ void hexdump(char* m, unsigned int l); struct code_bloc_node * create_code_bloc_node(uint64_t ad_start, uint64_t ad_stop); void add_code_bloc(vm_mngr_t* vm_mngr, struct code_bloc_node* cbp); -struct memory_page_node * create_memory_page_node(uint64_t ad, unsigned int size, unsigned int access);//memory_page* mp); +struct memory_page_node * create_memory_page_node(uint64_t ad, unsigned int size, unsigned int access, char* name);//memory_page* mp); void init_memory_page_pool(vm_mngr_t* vm_mngr); void init_code_bloc_pool(vm_mngr_t* vm_mngr); void reset_memory_page_pool(vm_mngr_t* vm_mngr); diff --git a/miasm2/jitter/vm_mngr_py.c b/miasm2/jitter/vm_mngr_py.c index 0a22c397..fdadf7f1 100644 --- a/miasm2/jitter/vm_mngr_py.c +++ b/miasm2/jitter/vm_mngr_py.c @@ -86,16 +86,18 @@ PyObject* vm_add_memory_page(VmMngr* self, PyObject* args) PyObject *addr; PyObject *access; PyObject *item_str; + PyObject *name=NULL; uint64_t buf_size; char* buf_data; Py_ssize_t length; uint64_t ret = 0x1337beef; uint64_t page_addr; uint64_t page_access; + char* name_ptr; struct memory_page_node * mpn; - if (!PyArg_ParseTuple(args, "OOO", &addr, &access, &item_str)) + if (!PyArg_ParseTuple(args, "OOO|O", &addr, &access, &item_str, &name)) return NULL; PyGetInt(addr, page_addr); @@ -107,7 +109,14 @@ PyObject* vm_add_memory_page(VmMngr* self, PyObject* args) buf_size = PyString_Size(item_str); PyString_AsStringAndSize(item_str, &buf_data, &length); - mpn = create_memory_page_node(page_addr, buf_size, page_access); + if (name == NULL) { + name_ptr = (char*)""; + } else { + if (!PyString_Check(name)) + RAISE(PyExc_TypeError,"name must be str"); + name_ptr = PyString_AsString(name); + } + mpn = create_memory_page_node(page_addr, buf_size, page_access, name_ptr); if (mpn == NULL) RAISE(PyExc_TypeError,"cannot create page"); if (is_mpn_in_tab(&self->vm_mngr, mpn)) { diff --git a/miasm2/os_dep/common.py b/miasm2/os_dep/common.py index d70cdccf..9c0377a9 100644 --- a/miasm2/os_dep/common.py +++ b/miasm2/os_dep/common.py @@ -1,6 +1,7 @@ import os from miasm2.jitter.csts import PAGE_READ, PAGE_WRITE +from miasm2.core.utils import get_caller_name BASE_SB_PATH = "file_sb" @@ -71,7 +72,8 @@ class heap(object): combination of them); default is PAGE_READ|PAGE_WRITE """ addr = self.next_addr(size) - vm.add_memory_page(addr, perm, "\x00" * size) + vm.add_memory_page(addr, perm, "\x00" * size, + "Heap alloc by %s" % get_caller_name(2)) return addr diff --git a/miasm2/os_dep/win_api_x86_32.py b/miasm2/os_dep/win_api_x86_32.py index 9b536ec7..a6041b15 100644 --- a/miasm2/os_dep/win_api_x86_32.py +++ b/miasm2/os_dep/win_api_x86_32.py @@ -738,7 +738,8 @@ def kernel32_VirtualAlloc(jitter): if args.lpvoid == 0: alloc_addr = winobjs.heap.next_addr(args.dwsize) jitter.vm.add_memory_page( - alloc_addr, access_dict[args.flprotect], "\x00" * args.dwsize) + alloc_addr, access_dict[args.flprotect], "\x00" * args.dwsize, + "Alloc in %s ret 0x%X" % (whoami(), ret_ad)) else: all_mem = jitter.vm.get_all_memory() if args.lpvoid in all_mem: @@ -748,7 +749,8 @@ def kernel32_VirtualAlloc(jitter): alloc_addr = winobjs.heap.next_addr(args.dwsize) # alloc_addr = args.lpvoid jitter.vm.add_memory_page( - alloc_addr, access_dict[args.flprotect], "\x00" * args.dwsize) + alloc_addr, access_dict[args.flprotect], "\x00" * args.dwsize, + "Alloc in %s ret 0x%X" % (whoami(), ret_ad)) log.debug('Memory addr: %x', alloc_addr) jitter.func_ret_stdcall(ret_ad, alloc_addr) @@ -1354,7 +1356,8 @@ def ntoskrnl_ExAllocatePoolWithTagPriority(jitter): "tag", "priority"]) alloc_addr = winobjs.heap.next_addr(args.nbr_of_bytes) jitter.vm.add_memory_page( - alloc_addr, PAGE_READ | PAGE_WRITE, "\x00" * args.nbr_of_bytes) + alloc_addr, PAGE_READ | PAGE_WRITE, "\x00" * args.nbr_of_bytes, + "Alloc in %s ret 0x%X" % (whoami(), ret_ad)) jitter.func_ret_stdcall(ret_ad, alloc_addr) @@ -1707,7 +1710,8 @@ def ntdll_ZwAllocateVirtualMemory(jitter): alloc_addr = winobjs.heap.next_addr(dwsize) jitter.vm.add_memory_page( - alloc_addr, access_dict[args.flprotect], "\x00" * dwsize) + alloc_addr, access_dict[args.flprotect], "\x00" * dwsize, + "Alloc in %s ret 0x%X" % (whoami(), ret_ad)) jitter.vm.set_mem(args.lppvoid, pck32(alloc_addr)) jitter.func_ret_stdcall(ret_ad, 0) @@ -1740,7 +1744,8 @@ def ntdll_RtlAnsiStringToUnicodeString(jitter): if args.alloc_str: alloc_addr = winobjs.heap.next_addr(l) jitter.vm.add_memory_page( - alloc_addr, PAGE_READ | PAGE_WRITE, "\x00" * l) + alloc_addr, PAGE_READ | PAGE_WRITE, "\x00" * l, + "Alloc in %s ret 0x%X" % (whoami(), ret_ad)) else: alloc_addr = p_src jitter.vm.set_mem(alloc_addr, s) diff --git a/miasm2/os_dep/win_api_x86_32_seh.py b/miasm2/os_dep/win_api_x86_32_seh.py index 58cc48af..7068c4d6 100644 --- a/miasm2/os_dep/win_api_x86_32_seh.py +++ b/miasm2/os_dep/win_api_x86_32_seh.py @@ -112,7 +112,7 @@ def build_teb(jitter, teb_address): o += pck32(peb_address) o += pck32(0x11223344) - jitter.vm.add_memory_page(teb_address, PAGE_READ | PAGE_WRITE, o) + jitter.vm.add_memory_page(teb_address, PAGE_READ | PAGE_WRITE, o, "TEB") def build_peb(jitter, peb_address): @@ -140,7 +140,7 @@ def build_peb(jitter, peb_address): offset += 4 o += pck32(peb_ldr_data_address) o += pck32(process_parameters_address) - jitter.vm.add_memory_page(offset, PAGE_READ | PAGE_WRITE, o) + jitter.vm.add_memory_page(offset, PAGE_READ | PAGE_WRITE, o, "PEB") def build_ldr_data(jitter, modules_info): @@ -180,7 +180,8 @@ def build_ldr_data(jitter, modules_info): data += pck32(ntdll_addr_entry + 0x10) + pck32(0) # XXX TODO fix prev if data: - jitter.vm.add_memory_page(offset, PAGE_READ | PAGE_WRITE, data) + jitter.vm.add_memory_page(offset, PAGE_READ | PAGE_WRITE, data, + "Loader struct") class LoadedModules(object): @@ -275,19 +276,22 @@ def create_modules_chain(jitter, name2module): m_o += pck32(addr + offset_path) m_o += struct.pack('HH', len(bname), len(bname) + 2) m_o += pck32(addr + offset_name) - jitter.vm.add_memory_page(addr, PAGE_READ | PAGE_WRITE, m_o) + jitter.vm.add_memory_page(addr, PAGE_READ | PAGE_WRITE, m_o, + "Module info %r" % bname_str) m_o = "" m_o += bname m_o += "\x00" * 3 jitter.vm.add_memory_page( - addr + offset_name, PAGE_READ | PAGE_WRITE, m_o) + addr + offset_name, PAGE_READ | PAGE_WRITE, m_o, + "Module name %r" % bname_str) m_o = "" m_o += "\x00".join(bpath) + "\x00" m_o += "\x00" * 3 jitter.vm.add_memory_page( - addr + offset_path, PAGE_READ | PAGE_WRITE, m_o) + addr + offset_path, PAGE_READ | PAGE_WRITE, m_o, + "Module path %r" % bname_str) return modules_info @@ -411,7 +415,8 @@ def add_process_env(jitter): env_str += "\x00" * 0x10 jitter.vm.add_memory_page(process_environment_address, PAGE_READ | PAGE_WRITE, - env_str) + env_str, + "Process environment") jitter.vm.set_mem(process_environment_address, env_str) @@ -427,7 +432,7 @@ def add_process_parameters(jitter): o += pck32(process_environment_address) jitter.vm.add_memory_page(process_parameters_address, PAGE_READ | PAGE_WRITE, - o) + o, "Process parameters") all_seh_ad = dict([(x, None) @@ -457,7 +462,8 @@ def init_seh(jitter): add_process_parameters(jitter) jitter.vm.add_memory_page(default_seh, PAGE_READ | PAGE_WRITE, pck32( - 0xffffffff) + pck32(0x41414141) + pck32(0x42424242)) + 0xffffffff) + pck32(0x41414141) + pck32(0x42424242), + "Default seh handler") jitter.vm.add_memory_page( context_address, PAGE_READ | PAGE_WRITE, '\x00' * 0x2cc) |