diff options
Diffstat (limited to 'example')
| -rwxr-xr-x | example/asm_arm.py | 68 | ||||
| -rwxr-xr-x | example/asm_x86.py | 76 | ||||
| -rwxr-xr-x | example/disas_and_graph.py | 79 | ||||
| -rw-r--r-- | example/sandbox_elf.py | 117 | ||||
| -rw-r--r-- | example/sandbox_pe.py | 125 |
5 files changed, 465 insertions, 0 deletions
diff --git a/example/asm_arm.py b/example/asm_arm.py new file mode 100755 index 00000000..b146a362 --- /dev/null +++ b/example/asm_arm.py @@ -0,0 +1,68 @@ +#! /usr/bin/env python + +from miasm.arch.arm_arch import arm_mn +from miasm.core.bin_stream import bin_stream +from miasm.core import parse_asm +from miasm.core import asmbloc +import struct + +my_mn = arm_mn + + +####filelogger sc#### + +all_bloc, symbol_pool = parse_asm.parse_txt(my_mn,r''' +toto: + STMFD SP!, {R0-R12, LR}^ + MOV R11, LR + MOV R11, R0, ROR 4 + STC P2,C3, [R5, 24]! + MOV R1, R0 + LDR R2, [PC, R0 ROR 0x2] + CMP R2, R3 + BLE tutu + ORR R0, R1, R2 + ORRLE R0, R0, R0 + ORR R0, R0, R0 + LDR R3, [R11, 0x98] + LDR R3, [R11, -0x98] + STMFD SP!, {R4-R6,R11,R12,LR,PC} + STMFD SP!, {R0-R12, SP, LR, PC} + LDMIA R9, {R9, R12} + BLE tutu + LDMFD SP, {R4-R8,R11,SP,PC} + +tutu: + LDMFD SP!, {R0-R12, LR} + BX LR +''') + +g = asmbloc.bloc2graph(all_bloc[0]) +open("graph.txt" , "w").write(g) + + + +for b in all_bloc[0]: + print b +symbol_pool.add(asmbloc.asm_label('base_address', 0x0)) +symbol_pool.getby_name("toto").offset = 0x0 + +resolved_b, patches = asmbloc.asm_resolve_final(my_mn, all_bloc[0], symbol_pool) +print patches + +f = open('uu.bin', 'w') +for p, v in patches.items(): + f.seek(p) + f.write(v) + +f.close() + +print 'DISASSEMBLE FILE' +data = open('uu.bin', 'rb').read() +in_str = bin_stream(data) +job_done = set() +symbol_pool = asmbloc.asm_symbol_pool() +all_bloc = asmbloc.dis_bloc_all(my_mn, in_str, 0, job_done, symbol_pool, follow_call = False, lines_wd = 20) +g = asmbloc.bloc2graph(all_bloc) +open("graph2.txt" , "w").write(g) + diff --git a/example/asm_x86.py b/example/asm_x86.py new file mode 100755 index 00000000..8e911676 --- /dev/null +++ b/example/asm_x86.py @@ -0,0 +1,76 @@ +#! /usr/bin/env python + +from miasm.arch.ia32_arch import * +from miasm.core.bin_stream import bin_stream +from miasm.core import parse_asm +from elfesteem import * + +from miasm.core import asmbloc +import struct + +my_mn = x86_mn + + + + +my_mn = x86_mn + +e = pe_init.PE() +e.SHList.add_section(name = "text", addr = 0x1000, rawsize = 0x4000) + +####filelogger sc#### +all_bloc, symbol_pool = parse_asm.parse_txt(my_mn,r''' +main: + jmp end +getstr: + pop ebp + push 0xb + pop eax + cdq + + push edx + mov cx, 0x632d + push cx + mov edi, esp + + push 0xAA68732f + push 0x6e69622f + mov ebx, esp + push edx + + push ebp + mov byte ptr [ebp+eend-mystr], dl + push edi + push ebx + mov byte ptr [ebx+7], dl + mov ecx, esp + int 0x80 +end: + call getstr +mystr: +.string "cat /etc/passwd> /tmp/ooo; ls;" +eend: + nop +''') + +#fix shellcode addr +symbol_pool.add(asmbloc.asm_label('base_address', 0x400000)) +symbol_pool.getby_name("main").offset = 0x401000 + +for b in all_bloc[0]: + print b +####graph sc#### +g = asmbloc.bloc2graph(all_bloc[0]) +open("graph.txt" , "w").write(g) + +print "symbols" +print symbol_pool +#dont erase from start to shell code padading +resolved_b, patches = asmbloc.asm_resolve_final(my_mn, all_bloc[0], symbol_pool) +print patches + +for offset, raw in patches.items(): + e.virt[offset] = raw + +open('uu.bin', 'wb').write(str(e)) + diff --git a/example/disas_and_graph.py b/example/disas_and_graph.py new file mode 100755 index 00000000..0763f824 --- /dev/null +++ b/example/disas_and_graph.py @@ -0,0 +1,79 @@ +#! /usr/bin/env python +import os +from elfesteem import * +from miasm.tools.pe_helper import * +from miasm.tools import seh_helper +from miasm.core import bin_stream +import inspect +from miasm.core import asmbloc +from miasm.core import parse_asm +from elfesteem import pe +from miasm.arch import ia32_arch +import pickle +import sys +fname = sys.argv[1] +dis_oep = True +print sys.argv +if len(sys.argv) >2: + ad_to_dis = int(sys.argv[2], 16) + dis_oep = False + + + +dll_dyn_funcs = {} +data = open(fname, 'rb').read() +if data.startswith("MZ"): + e = pe_init.PE(open(fname, 'rb').read()) + if dis_oep: + ad_to_dis = e.rva2virt(e.Opthdr.AddressOfEntryPoint) + in_str = bin_stream.bin_stream(e.virt) + try: + dll_dyn_funcs = get_import_address(e) + except: + print 'bug in import parsing' + + +elif data.startswith("\x7fELF") : + e = elf_init.ELF(open(fname, 'rb').read()) + if dis_oep: + ad_to_dis = e.Ehdr.entry + in_str = bin_stream.bin_stream(e.virt) + try: + dll_dyn_funcs = get_import_address_elf(e) + except: + print 'bug in import parsing' + +else: + in_str = bin_stream.bin_stream(data) + +print 'dis', fname, 'at', "0x%.8X"%ad_to_dis + + + +symbol_pool = asmbloc.asm_symbol_pool() +# test qt +from miasm.graph.graph_qt import graph_blocs + + + +#test symbols from ida +for (n,f), ad in dll_dyn_funcs.items(): + l = asmbloc.asm_label("%s_%s"%(n, f), ad) + print l + symbol_pool.add(l) + + +def my_disasm_callback(ad): + all_bloc = asmbloc.dis_bloc_ia32(in_str, ad, symbol_pool = symbol_pool) + for b in all_bloc: + for l in b.lines: + for i, a in enumerate(l.arg): + if not ia32_arch.is_ad_lookup(a): + continue + x = a[ia32_arch.x86_afs.imm] + if x in symbol_pool.s_offset: + l.arg[i][x86_afs.symb] = symbol_pool.s_offset[x] + del(l.arg[i][ia32_arch.x86_afs.imm]) + return all_bloc + +graph_blocs(ad_to_dis, all_bloc = [], dis_callback = my_disasm_callback) diff --git a/example/sandbox_elf.py b/example/sandbox_elf.py new file mode 100644 index 00000000..7550cb20 --- /dev/null +++ b/example/sandbox_elf.py @@ -0,0 +1,117 @@ +import os +from elfesteem import * +from miasm.tools.pe_helper import * +from miasm.tools import seh_helper +import inspect +from miasm.core import asmbloc +from miasm.core import parse_asm +from miasm.tools.to_c_helper import * +from elfesteem import pe +import cProfile +import code +import sys +from miasm.tools import nux_api + + +# test sandboxing pp100_05ad9efbc4b0c16f243 + +fname = sys.argv[1] +e = elf_init.ELF(open(fname, 'rb').read()) +in_str = bin_stream_vm() +vm_init_regs() +init_memory_page_pool_py() +init_code_bloc_pool_py() + +codenat_tcc_init() + +filename = os.environ.get('PYTHONSTARTUP') +if filename and os.path.isfile(filename): + execfile(filename) + +vm_load_elf(e) + +runtime_lib, lib_dyn_funcs = preload_elf(e, patch_vm_imp = True, lib_base_ad = 0x77700000) +lib_dyn_ad2name = dict([(x[1], x[0]) for x in lib_dyn_funcs.items()]) +dyn_func = {} + + +stack_base_ad = 0x1230000 +stack_size = 0x10000 +vm_add_memory_page(stack_base_ad, PAGE_READ|PAGE_WRITE, "\x00"*stack_size) +dump_memory_page_pool_py() + + + +ep = e.sh.symtab.symbols['main'].value + +ptr_esp = stack_base_ad+stack_size-0x1000 +vm_set_mem(ptr_esp, "/home/toto\x00") +ptr_arg0 = ptr_esp +ptr_esp -=0x100 +ptr_args = ptr_esp +vm_set_mem(ptr_args, struct.pack('LL', ptr_arg0, 0)) + +regs = vm_get_gpreg() +regs['eip'] = ep +regs['esp'] = ptr_esp +vm_set_gpreg(regs) +dump_gpregs_py() + +vm_push_uint32_t(ptr_args) +vm_push_uint32_t(1) +vm_push_uint32_t(0x1337beef) + +dump_memory_page_pool_py() + +symbol_pool = asmbloc.asm_symbol_pool() + +my_eip = ep + + +known_blocs = {} +code_blocs_mem_range = [] + + +log_regs = False +log_mn = log_regs +must_stop = False +def run_bin(my_eip, known_blocs, code_blocs_mem_range): + global log_regs, log_mn + last_blocs = [None for x in xrange(10)] + cpt = 0 + while True: + #dyn lib funcs + if my_eip in runtime_lib.fad2cname: + fname = runtime_lib.fad2cname[my_eip] + if not fname in nux_api.__dict__: + raise ValueError('unknown api', (hex(vm_pop_uint32_t()), hex(my_eip), fname, hex(cpt))) + nux_api.__dict__[fname]() + regs = vm_get_gpreg() + my_eip = regs['eip'] + + continue + + + if not my_eip in known_blocs: + last_blocs.pop(0) + last_blocs.append(my_eip) + updt_bloc_emul(known_blocs, in_str, my_eip, symbol_pool, code_blocs_mem_range, log_regs = log_regs, log_mn = log_mn) + + + try: + my_eip = vm_exec_blocs(my_eip, known_blocs) + except KeyboardInterrupt: + must_stop = True + py_exception = vm_get_exception() + if py_exception: + print hex(my_eip) + if py_exception & EXCEPT_CODE_AUTOMOD: + print 'automod code' + dump_gpregs_py() + known_blocs, code_blocs_mem_range = updt_automod_code(known_blocs) + else: + print "unknown exception", py_exception + break + +print "start run" +run_bin(my_eip, known_blocs, code_blocs_mem_range) diff --git a/example/sandbox_pe.py b/example/sandbox_pe.py new file mode 100644 index 00000000..1b6457be --- /dev/null +++ b/example/sandbox_pe.py @@ -0,0 +1,125 @@ +import os +from elfesteem import * +from miasm.tools.pe_helper import * +import inspect +from miasm.core import asmbloc +from miasm.core import parse_asm +from miasm.tools.to_c_helper import * +from elfesteem import pe +import cProfile +import code +from miasm.tools import emul_helper +import sys +from miasm.tools import win_api +from miasm.arch.ia32_arch import * + + +def whoami(): + return inspect.stack()[1][3] + + +fname = sys.argv[1] +e = pe_init.PE(open(fname, 'rb').read()) + + +# /!\ no seh set for this demo + +vm_init_regs() +init_memory_page_pool_py() +init_code_bloc_pool_py() +in_str = bin_stream_vm() + +codenat_tcc_init() + +vm_load_pe(e) + +filename = os.environ.get('PYTHONSTARTUP') +if filename and os.path.isfile(filename): + execfile(filename) + + +runtime_dll, dll_dyn_funcs = preload_lib(e, patch_vm_imp = True, lib_base_ad = 0x7c811111) +# set winapi to ours +win_api.runtime_dll = runtime_dll + +dll_dyn_ad2name = dict([(x[1], x[0]) for x in dll_dyn_funcs.items()]) +dyn_func = {} + + +ep = e.rva2virt(e.Opthdr.AddressOfEntryPoint) + +stack_base_ad = 0x1230000 +stack_size = 0x10000 +vm_add_memory_page(stack_base_ad, PAGE_READ|PAGE_WRITE, "\x00"*stack_size) +dump_memory_page_pool_py() + + + + + +regs = vm_get_gpreg() +regs['eip'] = ep +regs['esp'] = stack_base_ad+stack_size +vm_set_gpreg(regs) +dump_gpregs_py() + +vm_push_uint32_t(0) +vm_push_uint32_t(0) +vm_push_uint32_t(0x1337beef) + +symbol_pool = asmbloc.asm_symbol_pool() + +known_blocs = {} +code_blocs_mem_range = [] + + +def dump_raw_e(e): + e.Opthdr.AddressOfEntryPoint = e.virt2rva(vm_get_gpreg()['eip']) + str_e = StrPatchwork(str(e)) + for s in e.SHList: + data = vm_get_str(e.rva2virt(s.addr), s.size) + svad = e.rva2virt(s.addr) + print hex(len(data)) + str_e[s.offset] = data + e.virt[e.off2virt(s.offset)] = data + open('out.bin', 'w').write(str(str_e)) + + +log_regs = True +log_mn = log_regs +def run_bin(my_eip, known_blocs, code_blocs_mem_range): + global log_regs, log_mn + while my_eip != 0x1337beef: + + #dyn dll funcs + if my_eip in runtime_dll.fad2cname: + fname = runtime_dll.fad2cname[my_eip] + if not fname in win_api.__dict__: + print repr(fname) + raise ValueError('unknown api', hex(vm_pop_uint32_t())) + win_api.__dict__[fname]() + regs = vm_get_gpreg() + my_eip = regs['eip'] + continue + + + if not my_eip in known_blocs: + updt_bloc_emul(known_blocs, in_str, my_eip, symbol_pool, code_blocs_mem_range, log_regs = log_regs, log_mn = log_mn) + try: + my_eip = vm_exec_blocs(my_eip, known_blocs) + except KeyboardInterrupt: + break + py_exception = vm_get_exception() + if py_exception: + if py_exception & EXCEPT_CODE_AUTOMOD: + print 'automod code' + dump_gpregs_py() + known_blocs, code_blocs_mem_range = updt_automod_code(known_blocs) + else: + raise ValueError("except at", hex(my_eip)) + + + +print "start emulation" +run_bin(ep, known_blocs, code_blocs_mem_range) +dump_raw_e(e) |