diff options
| -rw-r--r-- | miasm2/arch/x86/sem.py | 22 | ||||
| -rw-r--r-- | miasm2/os_dep/win_api_x86_32.py | 171 |
2 files changed, 103 insertions, 90 deletions
diff --git a/miasm2/arch/x86/sem.py b/miasm2/arch/x86/sem.py index 12f2ef2a..1fceab30 100644 --- a/miasm2/arch/x86/sem.py +++ b/miasm2/arch/x86/sem.py @@ -16,6 +16,7 @@ # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # +import logging import miasm2.expression.expression as m2_expr from miasm2.expression.simplifications import expr_simp from miasm2.arch.x86.regs import * @@ -29,6 +30,13 @@ import math import struct +LOG_X86_SEM = logging.getLogger("x86_sem") +CONSOLE_HANDLER = logging.StreamHandler() +CONSOLE_HANDLER.setFormatter(logging.Formatter("%(levelname)-5s: %(message)s")) +LOG_X86_SEM.addHandler(CONSOLE_HANDLER) +LOG_X86_SEM.setLevel(logging.WARNING) + + # SemBuilder context ctx = {'mRAX': mRAX, 'mRBX': mRBX, @@ -2833,7 +2841,7 @@ def sidt(ir, instr, dst): if not isinstance(dst, m2_expr.ExprMem) or dst.size != 32: raise ValueError('not exprmem 32bit instance!!') ptr = dst.arg - print "DEFAULT SIDT ADDRESS %s!!" % str(dst) + LOG_X86_SEM.warning("DEFAULT SIDT ADDRESS %s!!", str(dst)) e.append(m2_expr.ExprAff(ir.ExprMem(ptr, 32), m2_expr.ExprInt(0xe40007ff, 32))) e.append( @@ -2843,7 +2851,7 @@ def sidt(ir, instr, dst): def sldt(_, instr, dst): - print "DEFAULT SLDT ADDRESS %s!!" % str(dst) + LOG_X86_SEM.warning("DEFAULT SLDT ADDRESS %s!!", str(dst)) e = [m2_expr.ExprAff(dst, m2_expr.ExprInt(0, dst.size))] return e, [] @@ -4047,6 +4055,14 @@ def pmovmskb(_, instr, dst, src): return e, [] +def smsw(ir, instr, dst): + e = [] + LOG_X86_SEM.warning("DEFAULT SMSW %s!!", str(dst)) + e.append(m2_expr.ExprAff(dst, m2_expr.ExprInt(0x80050033, 32)[:dst.size])) + return e, [] + + + mnemo_func = {'mov': mov, 'xchg': xchg, 'movzx': movzx, @@ -4530,6 +4546,8 @@ mnemo_func = {'mov': mov, "pmovmskb": pmovmskb, + "smsw": smsw, + } diff --git a/miasm2/os_dep/win_api_x86_32.py b/miasm2/os_dep/win_api_x86_32.py index 2d10d3d0..0c27652a 100644 --- a/miasm2/os_dep/win_api_x86_32.py +++ b/miasm2/os_dep/win_api_x86_32.py @@ -23,6 +23,8 @@ import string import logging from zlib import crc32 from StringIO import StringIO +import time +import datetime try: from Crypto.Hash import MD5, SHA @@ -41,6 +43,7 @@ console_handler.setFormatter(logging.Formatter("%(levelname)-5s: %(message)s")) log.addHandler(console_handler) log.setLevel(logging.WARN) +DATE_1601_TO_1970 = 116444736000000000 MAX_PATH = 260 @@ -61,7 +64,7 @@ typedef struct tagPROCESSENTRY32 { """ -access_dict = {0x0: 0, +ACCESS_DICT = {0x0: 0, 0x1: 0, 0x2: PAGE_READ, 0x4: PAGE_READ | PAGE_WRITE, @@ -73,7 +76,7 @@ access_dict = {0x0: 0, 0x100: 0 } -access_dict_inv = dict([(x[1], x[0]) for x in access_dict.items()]) +ACCESS_DICT_INV = dict((x[1], x[0]) for x in ACCESS_DICT.iteritems()) class whandle(): @@ -170,6 +173,11 @@ class c_winobjs: self.env_variables = {} self.events_pool = {} self.find_data = None + + self.current_datetime = datetime.datetime(year=2017, month=8, day=21, + hour=13, minute=37, + second=11, microsecond=123456) + winobjs = c_winobjs() @@ -538,7 +546,7 @@ def kernel32_CreateFile(jitter, funcname, get_str): log.debug("%r %r", fname.lower(), winobjs.module_path.lower()) is_original_file = fname.lower() == winobjs.module_path.lower() - if fname.upper() in [r"\\.\SICE", r"\\.\NTICE", r"\\.\SIWVID"]: + if fname.upper() in [r"\\.\SICE", r"\\.\NTICE", r"\\.\SIWVID", r'\\.\SIWDEBUG']: pass elif fname.upper() in ['NUL']: ret = winobjs.module_cur_hwnd @@ -710,9 +718,9 @@ def kernel32_VirtualProtect(jitter): 'lpfloldprotect']) # XXX mask hpart flnewprotect = args.flnewprotect & 0xFFF - if not flnewprotect in access_dict: + if not flnewprotect in ACCESS_DICT: raise ValueError('unknown access dw!') - jitter.vm.set_mem_access(args.lpvoid, access_dict[flnewprotect]) + jitter.vm.set_mem_access(args.lpvoid, ACCESS_DICT[flnewprotect]) # XXX todo real old protect if args.lpfloldprotect: @@ -725,37 +733,25 @@ def kernel32_VirtualAlloc(jitter): ret_ad, args = jitter.func_args_stdcall(['lpvoid', 'dwsize', 'alloc_type', 'flprotect']) - access_dict = { - 0x0: 0, - 0x1: 0, - 0x2: PAGE_READ, - 0x4: PAGE_READ | PAGE_WRITE, - 0x10: PAGE_EXEC, - 0x20: PAGE_EXEC | PAGE_READ, - 0x40: PAGE_EXEC | PAGE_READ | PAGE_WRITE, - 0x100: 0, - } - # access_dict_inv = dict([(x[1], x[0]) for x in access_dict.items()]) - - if not args.flprotect in access_dict: + if not args.flprotect in ACCESS_DICT: raise ValueError('unknown access dw!') if args.lpvoid == 0: alloc_addr = winobjs.heap.next_addr(args.dwsize) jitter.vm.add_memory_page( - alloc_addr, access_dict[args.flprotect], "\x00" * args.dwsize, + alloc_addr, ACCESS_DICT[args.flprotect], "\x00" * args.dwsize, "Alloc in %s ret 0x%X" % (whoami(), ret_ad)) else: all_mem = jitter.vm.get_all_memory() if args.lpvoid in all_mem: alloc_addr = args.lpvoid - jitter.vm.set_mem_access(args.lpvoid, access_dict[args.flprotect]) + jitter.vm.set_mem_access(args.lpvoid, ACCESS_DICT[args.flprotect]) else: alloc_addr = winobjs.heap.next_addr(args.dwsize) # alloc_addr = args.lpvoid jitter.vm.add_memory_page( - alloc_addr, access_dict[args.flprotect], "\x00" * args.dwsize, + alloc_addr, ACCESS_DICT[args.flprotect], "\x00" * args.dwsize, "Alloc in %s ret 0x%X" % (whoami(), ret_ad)) log.info('VirtualAlloc addr: 0x%x', alloc_addr) @@ -1681,9 +1677,9 @@ def ntdll_ZwProtectVirtualMemory(jitter): # XXX mask hpart flnewprotect = args.flnewprotect & 0xFFF - if not flnewprotect in access_dict: + if not flnewprotect in ACCESS_DICT: raise ValueError('unknown access dw!') - jitter.vm.set_mem_access(ad, access_dict[flnewprotect]) + jitter.vm.set_mem_access(ad, ACCESS_DICT[flnewprotect]) # XXX todo real old protect jitter.vm.set_mem(args.lpfloldprotect, pck32(0x40)) @@ -1700,25 +1696,12 @@ def ntdll_ZwAllocateVirtualMemory(jitter): # ad = upck32(jitter.vm.get_mem(args.lppvoid, 4)) dwsize = upck32(jitter.vm.get_mem(args.pdwsize, 4)) - access_dict = { - 0x0: 0, - 0x1: 0, - 0x2: PAGE_READ, - 0x4: PAGE_READ | PAGE_WRITE, - 0x10: PAGE_EXEC, - 0x20: PAGE_EXEC | PAGE_READ, - 0x40: PAGE_EXEC | PAGE_READ | PAGE_WRITE, - 0x100: 0, - } - - # access_dict_inv = dict([(x[1], x[0]) for x in access_dict.items()]) - - if not args.flprotect in access_dict: + if not args.flprotect in ACCESS_DICT: raise ValueError('unknown access dw!') alloc_addr = winobjs.heap.next_addr(dwsize) jitter.vm.add_memory_page( - alloc_addr, access_dict[args.flprotect], "\x00" * dwsize, + alloc_addr, ACCESS_DICT[args.flprotect], "\x00" * dwsize, "Alloc in %s ret 0x%X" % (whoami(), ret_ad)) jitter.vm.set_mem(args.lppvoid, pck32(alloc_addr)) @@ -2150,37 +2133,72 @@ def wsock32_WSAStartup(jitter): jitter.func_ret_stdcall(ret_ad, 0) -def kernel32_GetLocalTime(jitter): - ret_ad, args = jitter.func_args_stdcall(["lpsystemtime"]) +def get_current_filetime(): + """ + Get current filetime + https://msdn.microsoft.com/en-us/library/ms724228 + """ + curtime = winobjs.current_datetime + unixtime = int(time.mktime(curtime.timetuple())) + filetime = (int(unixtime * 1000000 + curtime.microsecond) * 10 + + DATE_1601_TO_1970) + return filetime + + +def unixtime_to_filetime(unixtime): + """ + Convert unixtime to filetime + https://msdn.microsoft.com/en-us/library/ms724228 + """ + return (unixtime * 10000000) + DATE_1601_TO_1970 + + +def filetime_to_unixtime(filetime): + """ + Convert filetime to unixtime + # https://msdn.microsoft.com/en-us/library/ms724228 + """ + return int((filetime - DATE_1601_TO_1970) / 10000000) + + +def datetime_to_systemtime(curtime): s = struct.pack('HHHHHHHH', - 2011, # year - 10, # month - 5, # dayofweek - 7, # day - 13, # hour - 37, # minutes - 00, # seconds - 999, # millisec + curtime.year, # year + curtime.month, # month + curtime.weekday(), # dayofweek + curtime.day, # day + curtime.hour, # hour + curtime.minute , # minutes + curtime.second, # seconds + int(curtime.microsecond / 1000), # millisec ) - jitter.vm.set_mem(args.lpsystemtime, s) + return s + + +def kernel32_GetSystemTimeAsFileTime(jitter): + ret_ad, args = jitter.func_args_stdcall(["lpSystemTimeAsFileTime"]) + + current_filetime = get_current_filetime() + filetime = struct.pack('II', + current_filetime & 0xffffffff, + (current_filetime>>32) & 0xffffffff) + + jitter.vm.set_mem(args.lpSystemTimeAsFileTime, filetime) + jitter.func_ret_stdcall(ret_ad, 0) + + +def kernel32_GetLocalTime(jitter): + ret_ad, args = jitter.func_args_stdcall(["lpsystemtime"]) + systemtime = datetime_to_systemtime(winobjs.current_datetime) + jitter.vm.set_mem(args.lpsystemtime, systemtime) jitter.func_ret_stdcall(ret_ad, args.lpsystemtime) def kernel32_GetSystemTime(jitter): ret_ad, args = jitter.func_args_stdcall(["lpsystemtime"]) - - s = struct.pack('HHHHHHHH', - 2011, # year - 10, # month - 5, # dayofweek - 7, # day - 13, # hour - 37, # minutes - 00, # seconds - 999, # millisec - ) - jitter.vm.set_mem(args.lpsystemtime, s) + systemtime = datetime_to_systemtime(winobjs.current_datetime) + jitter.vm.set_mem(args.lpsystemtime, systemtime) jitter.func_ret_stdcall(ret_ad, args.lpsystemtime) @@ -2231,19 +2249,8 @@ def kernel32_MapViewOfFile(jitter): length = len(data) log.debug('MapViewOfFile len: %x', len(data)) - access_dict = { - 0x0: 0, - 0x1: 0, - 0x2: PAGE_READ, - 0x4: PAGE_READ | PAGE_WRITE, - 0x10: PAGE_EXEC, - 0x20: PAGE_EXEC | PAGE_READ, - 0x40: PAGE_EXEC | PAGE_READ | PAGE_WRITE, - 0x100: 0, - } - # access_dict_inv = dict([(x[1], x[0]) for x in access_dict.items()]) - - if not args.flprotect in access_dict: + + if not args.flprotect in ACCESS_DICT: raise ValueError('unknown access dw!') alloc_addr = winobjs.heap.alloc(jitter, len(data)) @@ -2318,18 +2325,6 @@ def kernel32_GetDiskFreeSpaceW(jitter): def kernel32_VirtualQuery(jitter): ret_ad, args = jitter.func_args_stdcall(["ad", "lpbuffer", "dwl"]) - access_dict = { - 0x0: 0, - 0x1: 0, - 0x2: PAGE_READ, - 0x4: PAGE_READ | PAGE_WRITE, - 0x10: PAGE_EXEC, - 0x20: PAGE_EXEC | PAGE_READ, - 0x40: PAGE_EXEC | PAGE_READ | PAGE_WRITE, - 0x100: 0, - } - access_dict_inv = dict([(x[1], x[0]) for x in access_dict.iteritems()]) - all_mem = jitter.vm.get_all_memory() found = None for basead, m in all_mem.iteritems(): @@ -2344,10 +2339,10 @@ def kernel32_VirtualQuery(jitter): s = struct.pack('IIIIIII', args.ad, basead, - access_dict_inv[m['access']], + ACCESS_DICT_INV[m['access']], m['size'], 0x1000, - access_dict_inv[m['access']], + ACCESS_DICT_INV[m['access']], 0x01000000) jitter.vm.set_mem(args.lpbuffer, s) jitter.func_ret_stdcall(ret_ad, args.dwl) |