Diffstat (limited to 'example/jitter')
-rw-r--r--example/jitter/arm.py31
-rw-r--r--example/jitter/arm_sc.py46
-rw-r--r--example/jitter/mips32.py76
-rw-r--r--example/jitter/msp430.py69
-rw-r--r--example/jitter/sandbox_pe_x86_32.py23
-rw-r--r--example/jitter/unpack_upx.py117
-rw-r--r--example/jitter/x86_32.py41
7 files changed, 403 insertions, 0 deletions
diff --git a/example/jitter/arm.py b/example/jitter/arm.py
new file mode 100644
index 00000000..5342ee6d
--- /dev/null
+++ b/example/jitter/arm.py
@@ -0,0 +1,31 @@
+#!/usr/bin/env python
+#-*- coding:utf-8 -*-
+import logging
+from pdb import pm
+
+from miasm2.analysis.sandbox import Sandbox_Linux_arml
+
+# Get arguments
+parser = Sandbox_Linux_arml.parser(description="""Sandbox an elf binary with arm
+ engine (ex: jit_arm.py samples/md5_arm -a A684)""")
+parser.add_argument("filename", help="ELF Filename")
+parser.add_argument('-v', "--verbose", help="verbose mode", action="store_true")
+options = parser.parse_args()
+
+# Prepare the sandbox
+sb = Sandbox_Linux_arml(options.filename, options, globals())
+
+# Handle 'verbose' option
+if options.verbose is True:
+    logging.basicConfig(level=logging.INFO)
+else:
+    logging.basicConfig(level=logging.WARNING)
+
+if options.verbose is True:
+    sb.jitter.vm.dump_memory_page_pool()
+
+if options.address is None:
+    raise ValueError('Invalid address')
+
+# Run the code
+sb.run()
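Review bot: `logging.basicConfig(...)` at lines 40-43 is only called after `Sandbox_Linux_arml(...)` has already loaded the ELF at line 37, so with `-v` any INFO-level records emitted during that load are dropped by the root logger's default WARNING level, and the `options.address is None` check at line 48 likewise runs only after the expensive setup. Move both ahead of the sandbox construction: `logging.basicConfig(level=logging.INFO if options.verbose else logging.WARNING)` and the address check immediately after `parser.parse_args()`, then build `sb`. `from pdb import pm` (line 25) is not referenced anywhere in the script; a one-line comment such as `# pm: post-mortem helper for interactive sessions` would stop it being removed as dead code.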
diff --git a/example/jitter/arm_sc.py b/example/jitter/arm_sc.py
new file mode 100644
index 00000000..80714641
--- /dev/null
+++ b/example/jitter/arm_sc.py
@@ -0,0 +1,46 @@
+#!/usr/bin/env python
+#-*- coding:utf-8 -*-
+from miasm2.analysis import debugging, gdbserver
+
+from miasm2.analysis.sandbox import Sandbox_Linux_armb_str
+from miasm2.analysis.sandbox import Sandbox_Linux_arml_str
+from miasm2.analysis.machine import Machine
+from elfesteem.strpatchwork import StrPatchwork
+import logging
+
+from pdb import pm
+
+parser = Sandbox_Linux_arml_str.parser(description="""Sandbox an elf binary with arm engine
+(ex: jit_arm_sc.py example/demo_arm_l.bin)""")
+parser.add_argument("filename", help="string Filename")
+parser.add_argument("endianess", help="endianness [b/l]")
+parser.add_argument('-v', "--verbose",
+                    help="verbose mode", action="store_true")
+
+options = parser.parse_args()
+
+if options.endianess == 'b':
+    sandbox = Sandbox_Linux_armb_str
+elif options.endianess == 'l':
+    sandbox = Sandbox_Linux_arml_str
+else:
+    raise ValueError("Bad endianess!")
+
+sb = sandbox(options.filename, options, globals())
+
+if options.address is None:
+    raise ValueError('invalid address')
+
+sb.run()
+
+# test correct de xor
+start = sb.jitter.cpu.R0
+stop = sb.jitter.cpu.R1
+s = sb.jitter.vm.get_mem(start, stop-start)
+s = StrPatchwork(s)
+for i, c in enumerate(s):
+    s[i] = chr(ord(c)^0x11)
+s = str(s)
+assert(s == "test string\x00")
+
+
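Review bot: The post-run check at lines 95-97 takes `start`/`stop` from the guest's R0/R1 and passes `stop-start` straight to `get_mem`, with no check that `stop >= start` or that the range is reasonably sized, so a sample that leaves those registers in an unexpected state turns the verification into a negative or huge read instead of a clear failure. Guard it before the read: `if stop < start: raise ValueError("R1 < R0 after run")`. The final `assert(s == "test string\x00")` at line 102 is the only success criterion and is stripped under `python -O`; `if s != "test string\x00": raise RuntimeError("xor check failed")` keeps it active in every mode.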
diff --git a/example/jitter/mips32.py b/example/jitter/mips32.py
new file mode 100644
index 00000000..e41096cc
--- /dev/null
+++ b/example/jitter/mips32.py
@@ -0,0 +1,76 @@
+#!/usr/bin/env python
+#-*- coding:utf-8 -*-
+from argparse import ArgumentParser
+from miasm2.analysis import debugging, gdbserver
+from miasm2.jitter.csts import *
+from miasm2.analysis.machine import Machine
+
+from pdb import pm
+
+parser = ArgumentParser(
+    description="""Sandbox raw binary with mips32 engine
+(ex: jit_mips32.py example/mips32_sc_l.bin 0)""")
+parser.add_argument("-r", "--log-regs",
+                    help="Log registers value for each instruction",
+                    action="store_true")
+parser.add_argument("-m", "--log-mn",
+                    help="Log desassembly conversion for each instruction",
+                    action="store_true")
+parser.add_argument("-n", "--log-newbloc",
+                    help="Log basic blocks processed by the Jitter",
+                    action="store_true")
+parser.add_argument("-j", "--jitter",
+                    help="Jitter engine. Possible values are : tcc (default), llvm",
+                    default="tcc")
+parser.add_argument("-d", "--debugging",
+                    help="Attach a CLI debugguer to the sandboxed programm",
+                    action="store_true")
+parser.add_argument("binary",
+                    help="binary to run")
+parser.add_argument("addr",
+                    help="start exec on addr")
+
+machine = Machine("mips32l")
+
+def code_sentinelle(jitter):
+    jitter.run = False
+    jitter.pc = 0
+    return True
+
+def jit_mips32_binary(args):
+    filepath, entryp = args.binary, int(args.addr, 16)
+    myjit = machine.jitter(jit_type = args.jitter)
+    myjit.init_stack()
+
+    # Log level (if available with jitter engine)
+    myjit.jit.log_regs = args.log_regs
+    myjit.jit.log_mn = args.log_mn
+    myjit.jit.log_newbloc = args.log_newbloc
+
+    myjit.vm.add_memory_page(0, PAGE_READ | PAGE_WRITE, open(filepath).read())
+    myjit.add_breakpoint(0x1337BEEF, code_sentinelle)
+
+
+    # for stack
+    myjit.vm.add_memory_page(0xF000, PAGE_READ | PAGE_WRITE, "\x00"*0x1000)
+
+    myjit.cpu.SP = 0xF800
+
+    myjit.cpu.RA = 0x1337BEEF
+    myjit.init_run(entryp)
+
+
+
+    # Handle debugging
+    if args.debugging is True:
+        dbg = debugging.Debugguer(myjit)
+        cmd = debugging.DebugCmd(dbg)
+        cmd.cmdloop()
+
+    else:
+        print(myjit.continue_run())
+    return myjit
+if __name__ == '__main__':
+    from sys import stderr
+    args = parser.parse_args()
+    myjit = jit_mips32_binary(args)
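Review bot: `open(filepath).read()` at line 160 loads the raw image in text mode and never closes the handle; in text mode on Windows newline and EOF bytes are translated, so the bytes mapped into the guest can differ from the file. Use `with open(filepath, "rb") as f: data = f.read()` and pass `data` to `add_memory_page`. The image is mapped at 0 while the stack page is placed at 0xF000 (lines 160 and 165), so an input larger than 0xF000 bytes overlaps the stack page; the hunk does not show whether `add_memory_page` rejects overlap, so a `if len(data) > 0xF000: raise ValueError("binary overlaps stack page")` check before mapping makes the failure explicit. `from sys import stderr` at line 184 is unused.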
diff --git a/example/jitter/msp430.py b/example/jitter/msp430.py
new file mode 100644
index 00000000..d752ef8c
--- /dev/null
+++ b/example/jitter/msp430.py
@@ -0,0 +1,69 @@
+#!/usr/bin/env python
+#-*- coding:utf-8 -*-
+from argparse import ArgumentParser
+from miasm2.analysis import debugging, gdbserver
+from miasm2.jitter.csts import *
+from miasm2.analysis.machine import Machine
+
+parser = ArgumentParser(
+    description="""Sandbox raw binary with msp430 engine
+(ex: jit_msp430.py example/msp430_sc.bin 0)""")
+parser.add_argument("-r", "--log-regs",
+                    help="Log registers value for each instruction",
+                    action="store_true")
+parser.add_argument("-m", "--log-mn",
+                    help="Log desassembly conversion for each instruction",
+                    action="store_true")
+parser.add_argument("-n", "--log-newbloc",
+                    help="Log basic blocks processed by the Jitter",
+                    action="store_true")
+parser.add_argument("-j", "--jitter",
+                    help="Jitter engine. Possible values are : tcc (default), llvm",
+                    default="tcc")
+parser.add_argument("-d", "--debugging",
+                    help="Attach a CLI debugguer to the sandboxed programm",
+                    action="store_true")
+parser.add_argument("binary",
+                    help="binary to run")
+parser.add_argument("addr",
+                    help="start exec on addr")
+
+machine = Machine("msp430")
+
+def jit_msp430_binary(args):
+    filepath, entryp = args.binary, int(args.addr, 16)
+    myjit = machine.jitter(jit_type = args.jitter)
+    myjit.init_stack()
+
+    # Log level (if available with jitter engine)
+    myjit.jit.log_regs = args.log_regs
+    myjit.jit.log_mn = args.log_mn
+    myjit.jit.log_newbloc = args.log_newbloc
+
+    myjit.vm.add_memory_page(0, PAGE_READ | PAGE_WRITE, open(filepath).read())
+    myjit.add_breakpoint(0x1337, lambda _: exit(0))
+
+
+    # for stack
+    myjit.vm.add_memory_page(0xF000, PAGE_READ | PAGE_WRITE, "\x00"*0x1000)
+
+    myjit.cpu.SP = 0xF800
+
+    myjit.push_uint16_t(0x1337)
+    myjit.init_run(entryp)
+
+
+
+    # Handle debugging
+    if args.debugging is True:
+        dbg = debugging.Debugguer(myjit)
+        cmd = debugging.DebugCmd(dbg)
+        cmd.cmdloop()
+
+    else:
+        print(myjit.continue_run())
+
+if __name__ == '__main__':
+    from sys import stderr
+    args = parser.parse_args()
+    jit_msp430_binary(args)
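Review bot: The breakpoint callback at line 236, `lambda _: exit(0)`, terminates the whole interpreter from inside the jitter, so `jit_msp430_binary` never returns, a `-d` debugger session is killed mid-loop, and the process exit status is 0 whatever state the guest reached. The sibling `mips32.py` in this same commit uses a `code_sentinelle` that sets `jitter.run = False`, `jitter.pc = 0` and returns `True`; the same callback here lets `continue_run()` return normally, and it also avoids relying on `exit`, which is the `site` convenience name rather than `sys.exit`. As in `mips32.py`, `open(filepath).read()` at line 235 should be `with open(filepath, "rb") as f: data = f.read()` so the raw image is read unmodified and the handle is closed.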
diff --git a/example/jitter/sandbox_pe_x86_32.py b/example/jitter/sandbox_pe_x86_32.py
new file mode 100644
index 00000000..738e0778
--- /dev/null
+++ b/example/jitter/sandbox_pe_x86_32.py
@@ -0,0 +1,23 @@
+import os
+from pdb import pm
+from miasm2.analysis.sandbox import Sandbox_Win_x86_32
+
+# Python auto completion
+filename = os.environ.get('PYTHONSTARTUP')
+if filename and os.path.isfile(filename):
+    execfile(filename)
+
+# Insert here user defined methods
+
+# Parse arguments
+parser = Sandbox_Win_x86_32.parser(description="PE sandboxer")
+parser.add_argument("filename", help="PE Filename")
+options = parser.parse_args()
+
+# Create sandbox
+sb = Sandbox_Win_x86_32(options.filename, options, globals())
+
+# Run
+sb.run()
+
+assert(sb.jitter.run is False)
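Review bot: `assert(sb.jitter.run is False)` at line 290 is the script's only check that the sandbox stopped cleanly, and it is stripped under `python -O`; `if sb.jitter.run: raise RuntimeError("sandbox did not terminate")` keeps the check in every mode. Lines 273-275 `execfile` whatever `PYTHONSTARTUP` points to in this module's namespace, and that namespace is then handed to the sandbox as `globals()` at line 285; this mirrors the interactive interpreter's convenience, but a comment should state the trust assumption, e.g. `# Runs the user's PYTHONSTARTUP file in this namespace (trusted, as in the REPL); anything it defines is visible to the sandbox`.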
diff --git a/example/jitter/unpack_upx.py b/example/jitter/unpack_upx.py
new file mode 100644
index 00000000..313f75a2
--- /dev/null
+++ b/example/jitter/unpack_upx.py
@@ -0,0 +1,117 @@
+import os
+import logging
+from pdb import pm
+from elfesteem import pe
+from miasm2.analysis.sandbox import Sandbox_Win_x86_32
+from miasm2.core import asmbloc
+
+filename = os.environ.get('PYTHONSTARTUP')
+if filename and os.path.isfile(filename):
+    execfile(filename)
+
+
+# User defined methods
+
+def kernel32_GetProcAddress(jitter):
+    ret_ad, args = jitter.func_args_stdcall(2)
+    libbase, fname = args
+
+    dst_ad = jitter.cpu.EBX
+    logging.info('EBX ' + hex(dst_ad))
+
+    if fname < 0x10000:
+        fname = fname
+    else:
+        fname = jitter.get_str_ansi(fname)
+    logging.info(fname)
+
+    ad = sb.libs.lib_get_add_func(libbase, fname, dst_ad)
+    jitter.func_ret_stdcall(ret_ad, ad)
+
+
+
+parser = Sandbox_Win_x86_32.parser(description="Generic UPX unpacker")
+parser.add_argument("filename", help="PE Filename")
+parser.add_argument('-v', "--verbose",
+                    help="verbose mode", action="store_true")
+parser.add_argument("--graph",
+                    help="Export the CFG graph in graph.txt",
+                    action="store_true")
+options = parser.parse_args()
+sb = Sandbox_Win_x86_32(options.filename, options, globals())
+
+
+if options.verbose is True:
+    logging.basicConfig(level=logging.INFO)
+else:
+    logging.basicConfig(level=logging.WARNING)
+
+if options.verbose is True:
+    sb.jitter.vm.dump_memory_page_pool()
+
+
+ep = sb.entry_point
+
+# Ensure there is one and only one leave (for OEP discovering)
+mdis = sb.machine.dis_engine(sb.jitter.bs)
+mdis.dont_dis_nulstart_bloc = True
+ab = mdis.dis_multibloc(ep)
+
+bb = asmbloc.basicblocs(ab)
+leaves = bb.get_bad_dst()
+assert(len(leaves) == 1)
+l = leaves.pop()
+logging.info(l)
+end_label = l.label.offset
+
+logging.info('final label')
+logging.info(end_label)
+
+# Export CFG graph (dot format)
+if options.graph is True:
+    g = asmbloc.bloc2graph(ab)
+    open("graph.txt", "w").write(g)
+
+
+if options.verbose is True:
+    sb.jitter.vm.dump_memory_page_pool()
+
+
+def update_binary(jitter):
+    sb.pe.Opthdr.AddressOfEntryPoint = sb.pe.virt2rva(jitter.pc)
+    logging.info('updating binary')
+    for s in sb.pe.SHList:
+        sdata = sb.jitter.vm.get_mem(sb.pe.rva2virt(s.addr), s.rawsize)
+        sb.pe.virt[sb.pe.rva2virt(s.addr)] = sdata
+
+
+# Set callbacks
+sb.jitter.add_breakpoint(end_label, update_binary)
+
+# Run
+sb.run()
+
+# Rebuild PE
+new_dll = []
+
+sb.pe.SHList.align_sections(0x1000, 0x1000)
+logging.info(repr(sb.pe.SHList))
+
+sb.pe.DirRes = pe.DirRes(sb.pe)
+sb.pe.DirImport.impdesc = None
+logging.info(repr(sb.pe.DirImport.impdesc))
+new_dll = sb.libs.gen_new_lib(sb.pe)
+logging.info(new_dll)
+sb.pe.DirImport.impdesc = []
+sb.pe.DirImport.add_dlldesc(new_dll)
+s_myimp = sb.pe.SHList.add_section(name="myimp", rawsize=len(sb.pe.DirImport))
+logging.info(repr(sb.pe.SHList))
+sb.pe.DirImport.set_rva(s_myimp.addr)
+
+# XXXX TODO
+sb.pe.NThdr.optentries[pe.DIRECTORY_ENTRY_DELAY_IMPORT].rva = 0
+
+sb.pe.Opthdr.AddressOfEntryPoint = sb.pe.virt2rva(end_label)
+bname, fname = os.path.split(options.filename)
+fname = os.path.join(bname, fname.replace('.', '_'))
+open(fname + '_unupx.bin', 'w').write(str(sb.pe))
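Review bot: `assert(len(leaves) == 1)` at line 358 is the only guard on the OEP discovery, and under `python -O` it vanishes, after which `leaves.pop()` at line 359 either raises on an empty collection or silently picks an arbitrary exit of a stub with several leaves as the breakpoint and writes a wrongly rebuilt binary; use `if len(leaves) != 1: raise RuntimeError("expected exactly one leaf, got %d" % len(leaves))`. In `kernel32_GetProcAddress` the branch `if fname < 0x10000: fname = fname` (lines 318-319) is a no-op that reads as a mistake; a comment `# ordinal import: keep the numeric value` (presumably the intent) or inverting the condition to `if fname >= 0x10000:` would make it clear, and `dst_ad = jitter.cpu.EBX` at line 315 deserves a note that it is tied to the UPX stub's register usage, if that is the intent. The output at line 413, `open(fname + '_unupx.bin', 'w').write(str(sb.pe))`, writes a PE in text mode without closing the handle; `with open(fname + '_unupx.bin', 'wb') as f: f.write(str(sb.pe))` avoids newline translation and flushes before the script exits.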
diff --git a/example/jitter/x86_32.py b/example/jitter/x86_32.py
new file mode 100644
index 00000000..1b2aa012
--- /dev/null
+++ b/example/jitter/x86_32.py
@@ -0,0 +1,41 @@
+import os
+from argparse import ArgumentParser
+from miasm2.jitter.csts import PAGE_READ, PAGE_WRITE
+from miasm2.analysis.machine import Machine
+
+from pdb import pm
+
+
+filename = os.environ.get('PYTHONSTARTUP')
+if filename and os.path.isfile(filename):
+    execfile(filename)
+
+parser = ArgumentParser(description="x86 32 basic Jitter")
+parser.add_argument("filename", help="x86 32 shellcode filename")
+parser.add_argument("-j", "--jitter",
+                    help="Jitter engine. Possible values are : tcc (default), llvm",
+                    default="tcc")
+args = parser.parse_args()
+
+def code_sentinelle(jitter):
+    jitter.run = False
+    jitter.pc = 0
+    return True
+
+
+myjit = Machine("x86_32").jitter(args.jitter)
+myjit.init_stack()
+
+data = open(args.filename).read()
+run_addr = 0x40000000
+myjit.vm.add_memory_page(run_addr, PAGE_READ | PAGE_WRITE, data)
+
+myjit.jit.log_regs = True
+myjit.jit.log_mn = True
+myjit.push_uint32_t(0x1337beef)
+
+myjit.add_breakpoint(0x1337beef, code_sentinelle)
+
+myjit.init_run(run_addr)
+myjit.continue_run()
+del(myjit)
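Review bot: `open(args.filename).read()` at line 448 reads the shellcode in text mode and never closes the handle; `with open(args.filename, "rb") as f: data = f.read()` keeps the bytes exactly as on disk. The script also hard-codes `log_regs`/`log_mn` to `True` (lines 452-453) with no way to disable them, whereas `mips32.py` and `msp430.py` in the same commit expose `-r`/`-m` flags; exposing the same options here keeps the examples consistent. `myjit.push_uint32_t(0x1337beef)` at line 454 together with the breakpoint at line 456 only ends the run if the shellcode returns to that address; a comment `# sentinel return address: the run stops when the shellcode RETs to it` documents the assumption.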