Diffstat (limited to 'miasm/tools')
| -rw-r--r-- | miasm/tools/emul_lib/libcodenat.h | 38 | ||||
| -rw-r--r-- | miasm/tools/to_c_helper.py | 142 | ||||
| -rw-r--r-- | miasm/tools/win_api.py | 59 |
3 files changed, 207 insertions, 32 deletions
diff --git a/miasm/tools/emul_lib/libcodenat.h b/miasm/tools/emul_lib/libcodenat.h
index d4047f16..9ae1408c 100644
--- a/miasm/tools/emul_lib/libcodenat.h
+++ b/miasm/tools/emul_lib/libcodenat.h
@@ -152,7 +152,6 @@ typedef struct {
 unsigned int float_c2_new;
 unsigned int float_c3_new;
- unsigned int float_stack_ptr;
 unsigned int float_stack_ptr_new;
@@ -172,6 +171,43 @@ typedef struct {
 unsigned int cr3;
 unsigned int cr3_new;
+ uint8_t pfmem08_0;
+ uint8_t pfmem08_1;
+ uint8_t pfmem08_2;
+ uint8_t pfmem08_3;
+ uint8_t pfmem08_4;
+ uint8_t pfmem08_5;
+ uint8_t pfmem08_6;
+ uint8_t pfmem08_7;
+
+ uint16_t pfmem16_0;
+ uint16_t pfmem16_1;
+ uint16_t pfmem16_2;
+ uint16_t pfmem16_3;
+ uint16_t pfmem16_4;
+ uint16_t pfmem16_5;
+ uint16_t pfmem16_6;
+ uint16_t pfmem16_7;
+
+ uint32_t pfmem32_0;
+ uint32_t pfmem32_1;
+ uint32_t pfmem32_2;
+ uint32_t pfmem32_3;
+ uint32_t pfmem32_4;
+ uint32_t pfmem32_5;
+ uint32_t pfmem32_6;
+ uint32_t pfmem32_7;
+
+ uint64_t pfmem64_0;
+ uint64_t pfmem64_1;
+ uint64_t pfmem64_2;
+ uint64_t pfmem64_3;
+ uint64_t pfmem64_4;
+ uint64_t pfmem64_5;
+ uint64_t pfmem64_6;
+ uint64_t pfmem64_7;
+
+
 }vm_cpu_t;
diff --git a/miasm/tools/to_c_helper.py b/miasm/tools/to_c_helper.py
index 7c45f50d..aa2ba091 100644
--- a/miasm/tools/to_c_helper.py
+++ b/miasm/tools/to_c_helper.py
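Review bot: Removing `unsigned int float_stack_ptr;` from `vm_cpu_t` in the first hunk leaves the Python side still emitting accesses to it: `float_stack_ptr` is still listed in `my_C_id` in to_c_helper.py (a context line in that file's third hunk) and `patch_c_id` rewrites it to `vmcpu.float_stack_ptr`, so any generated C that touches that register will fail to compile unless the member is also declared elsewhere in the struct, which I cannot see from here. Either keep the declaration or drop the id from `my_C_id` in the same commit. The 32 `pfmemNN_i` members in the second hunk mirror a hand-written list on the Python side; a comment above them, `/* prefetch slots for memory reads, 8 per width; must match the pfmemNN_i ExprIds in to_c_helper.py */`, would record that coupling for whoever changes the slot count. The struct definition starts before the first hunk.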
@@ -38,6 +38,43 @@ def id2new(i): mask_int = 0xffffffffffffffff +pfmem08_0 = ExprId("pfmem08_0", 8) +pfmem08_1 = ExprId("pfmem08_1", 8) +pfmem08_2 = ExprId("pfmem08_2", 8) +pfmem08_3 = ExprId("pfmem08_3", 8) +pfmem08_4 = ExprId("pfmem08_4", 8) +pfmem08_5 = ExprId("pfmem08_5", 8) +pfmem08_6 = ExprId("pfmem08_6", 8) +pfmem08_7 = ExprId("pfmem08_7", 8) + +pfmem16_0 = ExprId("pfmem16_0", 16) +pfmem16_1 = ExprId("pfmem16_1", 16) +pfmem16_2 = ExprId("pfmem16_2", 16) +pfmem16_3 = ExprId("pfmem16_3", 16) +pfmem16_4 = ExprId("pfmem16_4", 16) +pfmem16_5 = ExprId("pfmem16_5", 16) +pfmem16_6 = ExprId("pfmem16_6", 16) +pfmem16_7 = ExprId("pfmem16_7", 16) + +pfmem32_0 = ExprId("pfmem32_0", 32) +pfmem32_1 = ExprId("pfmem32_1", 32) +pfmem32_2 = ExprId("pfmem32_2", 32) +pfmem32_3 = ExprId("pfmem32_3", 32) +pfmem32_4 = ExprId("pfmem32_4", 32) +pfmem32_5 = ExprId("pfmem32_5", 32) +pfmem32_6 = ExprId("pfmem32_6", 32) +pfmem32_7 = ExprId("pfmem32_7", 32) + +pfmem64_0 = ExprId("pfmem64_0", 64) +pfmem64_1 = ExprId("pfmem64_1", 64) +pfmem64_2 = ExprId("pfmem64_2", 64) +pfmem64_3 = ExprId("pfmem64_3", 64) +pfmem64_4 = ExprId("pfmem64_4", 64) +pfmem64_5 = ExprId("pfmem64_5", 64) +pfmem64_6 = ExprId("pfmem64_6", 64) +pfmem64_7 = ExprId("pfmem64_7", 64) + + my_C_id = [ eax, ebx, @@ -93,7 +130,7 @@ my_C_id = [ #i_d_new, #my_tick, float_control, - cond, + #cond, ds, #vm_exception_flags, #vm_exception_flags_new, @@ -119,6 +156,42 @@ my_C_id = [ cr3, float_stack_ptr, + pfmem08_0, + pfmem08_1, + pfmem08_2, + pfmem08_3, + pfmem08_4, + pfmem08_5, + pfmem08_6, + pfmem08_7, + + pfmem16_0, + pfmem16_1, + pfmem16_2, + pfmem16_3, + pfmem16_4, + pfmem16_5, + pfmem16_6, + pfmem16_7, + + pfmem32_0, + pfmem32_1, + pfmem32_2, + pfmem32_3, + pfmem32_4, + pfmem32_5, + pfmem32_6, + pfmem32_7, + + pfmem64_0, + pfmem64_1, + pfmem64_2, + pfmem64_3, + pfmem64_4, + pfmem64_5, + pfmem64_6, + pfmem64_7, + ] float_id_e = [ 
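Review bot: The 32 `pfmemNN_i = ExprId(...)` assignments in the first hunk and the same 32 names repeated inside `my_C_id` in the third hunk are two hand-maintained copies of one 8-slots-per-width table that must also agree with the `vm_cpu_t` members in libcodenat.h and with the pool `Exp2C` builds later in this file; a typo in any copy only surfaces as a compile error in generated C. Building the table once from the width list and slot count keeps the names, the `my_C_id` entries and the pool in one place, as sketched below. Commenting out `cond` in the second hunk silently drops it from `id2Cid`; if that is intended, a one-line comment next to it stating why would help, since I cannot see from this diff where `cond` is still used. `my_C_id` starts before the second hunk.
```python
PFMEM_WIDTHS = (8, 16, 32, 64)
PFMEM_SLOTS = 8
# One ExprId per prefetch slot and width, e.g. pfmem08_0 .. pfmem64_7; the
# names must match the pfmemNN_i members of vm_cpu_t in emul_lib/libcodenat.h.
pfmem_ids = dict((width, [ExprId("pfmem%02d_%d" % (width, i), width)
                          for i in range(PFMEM_SLOTS)])
                 for width in PFMEM_WIDTHS)

my_C_id = [
    eax,
    # ... unchanged: existing register ids ...
    float_stack_ptr,
]
for width in PFMEM_WIDTHS:
    my_C_id += pfmem_ids[width]
```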
@@ -134,7 +207,7 @@ float_id_e = [ id2Cid = {} for x in my_C_id: - id2Cid[x] = ExprId('vmcpu.'+str(x)) + id2Cid[x] = ExprId('vmcpu.'+str(x), x.get_size()) def patch_c_id(e): return e.reload_expr(id2Cid) @@ -142,18 +215,24 @@ def patch_c_id(e): code_deal_exception_at_instr = r""" if (vmcpu.vm_exception_flags > EXCEPT_NUM_UDPT_EIP) { - %s = 0x%X; - return vmcpu.eip; + %s = 0x%X; + return vmcpu.eip; } """ code_deal_exception_post_instr = r""" if (vmcpu.vm_exception_flags) { - %s = (vmcpu.vm_exception_flags > EXCEPT_NUM_UDPT_EIP) ? 0x%X : 0x%X; - return vmcpu.eip; + %s = (vmcpu.vm_exception_flags > EXCEPT_NUM_UDPT_EIP) ? 0x%X : 0x%X; + return vmcpu.eip; } """ - + +tab_uintsize ={8:uint8, + 16:uint16, + 32:uint32, + 64:uint64 + } + def Exp2C(exprs, l = None, addr2label = None, gen_exception_code = False): my_size_mask = {1:1, 8:0xFF, 16:0xFFFF, 32:0xFFFFFFFF, 64:0xFFFFFFFFFFFFFFFFL, 2: 3} @@ -165,6 +244,16 @@ def Exp2C(exprs, l = None, addr2label = None, gen_exception_code = False): #print [str(x) for x in exprs] dst_dict = {} + src_mem = {} + + prefect_mem_pool = {8: [pfmem08_0 ,pfmem08_1, pfmem08_2, pfmem08_3, + pfmem08_4, pfmem08_5, pfmem08_6, pfmem08_7], + 16: [pfmem16_0 ,pfmem16_1, pfmem16_2, pfmem16_3, + pfmem16_4, pfmem16_5, pfmem16_6, pfmem16_7], + 32: [pfmem32_0 ,pfmem32_1, pfmem32_2, pfmem32_3, + pfmem32_4, pfmem32_5, pfmem32_6, pfmem32_7], + 64: [pfmem64_0 ,pfmem64_1, pfmem64_2, pfmem64_3, + pfmem64_4, pfmem64_5, pfmem64_6, pfmem64_7],} new_expr = [] @@ -180,7 +269,14 @@ def Exp2C(exprs, l = None, addr2label = None, gen_exception_code = False): dst_dict[e.dst].append(e) else: new_expr.append(e) - + # search mem lookup for generate mem read prefetch + rs = e.src.get_r(mem_read=True) + for r in rs: + if (not isinstance(r, ExprMem)) or r in src_mem: + continue + pfmem = prefect_mem_pool[r.get_size()].pop(0) + src_mem[r] = pfmem + for dst, exs in dst_dict.items(): if len(exs) ==1: new_expr += exs 
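Review bot: `prefect_mem_pool[r.get_size()].pop(0)` in the last hunk has no bound check: a basic block with more than eight distinct memory reads of one width empties the list and raises IndexError, and a read whose width is not 8/16/32/64 raises KeyError, so an unusual or crafted input binary aborts translation instead of producing a diagnostic. Guard the lookup, e.g. `pool = prefect_mem_pool.get(r.get_size())` followed by `if not pool: raise ValueError("no free %d-bit prefetch slot" % r.get_size())`, or fall back to the unprefetched read for that operand. The dict is rebuilt from the module-level ids on every `Exp2C` call, which is needed because `pop` consumes it; a comment such as `# fresh per call: slots are consumed by pop() below` would save the next reader from hoisting it to a constant, and the name reads better as `prefetch_mem_pool`. `Exp2C` continues past this hunk.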
@@ -197,19 +293,27 @@ def Exp2C(exprs, l = None, addr2label = None, gen_exception_code = False): #print known_intervals missing_i = get_missing_interval(known_intervals) #print missing_i - rest = [ExprSliceTo(ExprSlice(dst, *r), *r) for r in missing_i] final_dst = ExprCompose(e_colision+ rest) - new_expr.append(ExprAff(dst, final_dst)) - out_mem = [] - + + # first, generate mem prefetch + mem_k = src_mem.keys() + mem_k.sort() + for k in mem_k: + str_src = patch_c_id(k).toC() + str_dst = patch_c_id(src_mem[k]).toC() + out.append('%s = %s;'%(str_dst, str_src)) + src_w_len = {} + for k, v in src_mem.items(): + cast_int = tab_uintsize[k.get_size()] + src_w_len[k] = v for e in new_expr: - if True:#e.dst != eip: - src, dst = e.src, e.dst + # reload src using prefetch + src = src.reload_expr(src_w_len) str_src = patch_c_id(src).toC() str_dst = patch_c_id(dst).toC() if isinstance(dst, ExprId): @@ -224,8 +328,7 @@ def Exp2C(exprs, l = None, addr2label = None, gen_exception_code = False): elif isinstance(dst, ExprMem): str_dst = str_dst.replace('MEM_LOOKUP', 'MEM_WRITE') out_mem.append('%s, %s);'%(str_dst[:-1], str_src)) - - + if e.dst == eip : eip_is_dst = True if isinstance(e.src, ExprCond): @@ -259,7 +362,6 @@ def Exp2C(exprs, l = None, addr2label = None, gen_exception_code = False): for i in id_to_update: out.append('%s = %s;'%(patch_c_id(i), id2new(patch_c_id(i)))) - @@ -926,7 +1028,6 @@ def updt_bloc_emul(known_blocs, in_str, my_eip, symbol_pool, code_blocs_mem_rang reset_code_bloc_pool_py() for a, b in code_blocs_mem_range: vm_add_code_bloc(a, b) - #''' def updt_pe_from_emul(e): @@ -934,10 +1035,6 @@ def updt_pe_from_emul(e): sdata = vm_get_str(e.rva2virt(s.addr), s.rawsize) e.virt[e.rva2virt(s.addr)] = sdata return bin_stream(e.virt) - - return bin_stream_vm() - - def updt_automod_code(known_blocs): w_ad, w_size = vm_get_last_write_ad(), vm_get_last_write_size() 
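Review bot: In the first hunk `src = src.reload_expr(src_w_len)` is the first use of `src` inside `for e in new_expr:`, but the only assignment visible, `src, dst = e.src, e.dst`, is on a removed line, so as rendered the new loop reads `src` and `dst` before binding them (UnboundLocalError, or a stale value from an earlier loop); the fix is `src, dst = e.src.reload_expr(src_w_len), e.dst`. The same hunk computes `cast_int = tab_uintsize[k.get_size()]` and never uses it, which also leaves the `tab_uintsize` table added in the previous chunk dead; either drop both or apply the cast when emitting the prefetch. The removals of `rest = [...]`, `new_expr.append(ExprAff(dst, final_dst))` and `out_mem = []` while `final_dst = ExprCompose(e_colision+ rest)` and `out_mem.append(...)` remain on the new side likewise look like they leave names unbound, but I may be reading a collapsed rendering, so please confirm against the real patch. `Exp2C` starts and ends outside this hunk.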
@@ -951,7 +1048,6 @@ def updt_automod_code(known_blocs): vm_add_code_bloc(a, b) vm_reset_exception() - return known_blocs, code_addr
diff --git a/miasm/tools/win_api.py b/miasm/tools/win_api.py
index b9077ed6..e3a609b7 100644
--- a/miasm/tools/win_api.py
+++ b/miasm/tools/win_api.py
@@ -838,15 +838,20 @@ def kernel32_GetModuleFileName(funcname, set_str): if hmodule in [0]: p = module_path[:] else: - raise ValueError('unknown module h') + print ValueError('unknown module h', hex(hmodule)) + p = None - if nsize < len(p): + if p == None: + l = 0 + elif nsize < len(p): p = p[:nsize] - l = len(p) + l = len(p) + else: + l = len(p) - print repr(p) - vm_set_mem(lpfilename, set_str(p)) + print repr(p) + vm_set_mem(lpfilename, set_str(p)) regs = vm_get_gpreg() regs['eip'] = ret_ad
@@ -946,8 +951,7 @@ def kernel32_GetProcAddress(): if fname < 0x10000: fname = fname else: - fname = vm_get_str(fname, 0x100) - fname = fname[:fname.find('\x00')] + fname = get_str_ansi(fname, 0x100) print repr(fname) ad = runtime_dll.lib_get_add_func(libbase, fname)
@@ -998,6 +1002,16 @@ def kernel32_GetModuleHandleA(): regs['eax'] = eax vm_set_gpreg(regs) +def kernel32_VirtualLock(): + ret_ad = vm_pop_uint32_t() + lpaddress = vm_pop_uint32_t() + dwsize = vm_pop_uint32_t() + print whoami(), hex(ret_ad), hex(lpaddress), hex(dwsize) + regs = vm_get_gpreg() + regs['eip'] = ret_ad + regs['eax'] = 1 + vm_set_gpreg(regs) + def kernel32_GetSystemInfo(): ret_ad = vm_pop_uint32_t()
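Review bot: In the `kernel32_GetModuleFileName` hunk the new `if p == None:` should be `if p is None:`, and as rendered the re-indented `print repr(p)` / `vm_set_mem(lpfilename, set_str(p))` pair appears to sit under only the final `else:`, which would mean the truncated case (`nsize < len(p)`) returns a length without ever writing the name into the guest buffer; if both branches really share that indentation, ignore this part. Replacing `raise ValueError(...)` with `print ValueError(...)` makes an unknown module handle return length 0 to the emulated program instead of stopping emulation, which is a reasonable stub behaviour, but printing an exception object is an odd way to log it; `print 'unknown module handle', hex(hmodule)` says the same thing plainly. The tail of the function, where `regs['eax']` is presumably set from `l`, is outside the hunk.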
@@ -2561,13 +2575,27 @@ def kernel32_TlsSetValue(): print whoami(), hex(tlsindex), hex(tlsvalue) - tls_values[tlsindex] = tlsvalue regs = vm_get_gpreg() regs['eip'] = ret_ad regs['eax'] = 1 vm_set_gpreg(regs) +def kernel32_TlsGetValue(): + global tls_index + ret_ad = vm_pop_uint32_t() + tlsindex = vm_pop_uint32_t() + + print whoami(), hex(tlsindex) + + if not tlsindex in tls_values: + raise ValueError("unknown tls val", repr(tlsindex)) + regs = vm_get_gpreg() + regs['eip'] = ret_ad + regs['eax'] = tls_values[tlsindex] + vm_set_gpreg(regs) + + def user32_GetKeyboardType(): ret_ad = vm_pop_uint32_t() typeflag = vm_pop_uint32_t() @@ -2912,3 +2940,18 @@ def kernel32_VirtualQuery(): regs['eip'] = ret_ad regs['eax'] = dwl vm_set_gpreg(regs) + +def kernel32_GetProcessAffinityMask(): + ret_ad = vm_pop_uint32_t() + hprocess = vm_pop_uint32_t() + procaffmask = vm_pop_uint32_t() + systemaffmask = vm_pop_uint32_t() + + print whoami(), hex(ret_ad), hex(hprocess), hex(procaffmask), hex(systemaffmask) + vm_set_mem(procaffmask, pdw(1)) + vm_set_mem(systemaffmask, pdw(1)) + + regs = vm_get_gpreg() + regs['eip'] = ret_ad + regs['eax'] = 1 + vm_set_gpreg(regs) |
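Review bot: The first hunk removes `tls_values[tlsindex] = tlsvalue` from `kernel32_TlsSetValue` while the new `kernel32_TlsGetValue` raises `ValueError("unknown tls val", ...)` for any index missing from `tls_values`, so unless another routine outside this diff populates the dict, every TlsGetValue following a TlsSetValue now aborts emulation; restore the store with `tls_values[tlsindex] = tlsvalue`. `global tls_index` in the new function is unused, since the body only reads `tls_values`, and `if not tlsindex in tls_values` reads better as `if tlsindex not in tls_values`. Raising on an unset slot is stricter than the real API, which returns 0 for a never-set index; if that strictness is intended as a way to surface missing stubs, a comment saying so above the `raise` would make the choice explicit.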