vm.all_pages[p.paddr].append((a, p)) for addr, pages in vm.all_pages.iteritems(): if len(pages) > 1: log("fsm", "match for 0x%x" % addr) for ads, pg in pages: log("fsm", "ads 0x%x: %s" % (ads, pg)) return True ## ## Main ## peer = "172.16.131.128:1337" vm = VM(CPUFamily.Intel, peer) vm.nr_cr3 = 5 vm.ads = {} log.setup(info=True, fail=True, gdb=False, vm=True, brk=True, evt=False, fsm=(True, log.blue)) vm.attach() vm.stop()
#check if they have another mapping with user privilege fmt = "U ads 0x%x match K ads 0x%x:\n (user) %s\n (krnl) %s" for klst in vm.kppg.itervalues(): for ka,kp in klst: for a in vm.ads: ulst = vm.ads[a].search_paddr(kp.paddr,user=True) if len(ulst) != 0: for p in ulst: log("fkm", fmt % (a,ka,p,kp)) ## ## Main ## peer = "172.16.131.128:1337" vm = VM(CPUFamily.Intel, peer) vm.nr_cr3 = 1 vm.ads = {} #keep track of every kernel physical pages vm.kppg = defaultdict(list) log.setup(info=True, fail=True, gdb=False, vm=True, brk=True, evt=False, fkm=(True,log.blue)) vm.attach() vm.stop() vm.cpu.filter_write_cr(3, wcr3)
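# Target process: the name comes from the command line. Refuse to run without
# it instead of dying on sys.argv[1] with a bare IndexError (same check and
# message as the sibling scripts of this tool).
if len(sys.argv) < 2:
    log("fail", "gimme prog name")
    sys.exit(-1)
process_name = sys.argv[1]

# Some offsets for debian 2.6.32-5-486 kernel
# (they look like task_struct / mm_struct field offsets plus THREAD_SIZE and
#  are specific to that exact kernel build -- a wrong set does not fail
#  loudly, the process walker just reads garbage memory)
settings = {
    "thread_size": 8192,
    "comm": 540,
    "next": 240,
    "mm": 268,
    "pgd": 36,
}
# NOTE: `os` here is the guest-OS model, shadowing the stdlib module name
os = OSFactory(OSAffinity.Linux26, settings)
# Filter callback that inspects the guest on each CR3 write and reports when
# the target process has been scheduled in (behaviour inferred from use below)
hook = os.find_process_filter(process_name)

##
## Main
##
# control endpoint of the hypervisor, host:port
peer = "172.16.131.128:1337"
vm = VM(CPUFamily.Intel, peer)
vm.attach()
vm.stop()
# Trap every write to CR3 until the filter reports a match; resume() is
# presumably True once the hook has matched -- confirm against VM.resume()
vm.cpu.filter_write_cr(3, hook)
while not vm.resume():
    continue
vm.cpu.release_write_cr(3)
# From now on only track the address space of the process that was found
vm.cpu.set_active_cr3(os.get_process_cr3(), True, OSAffinity.Linux26)
log("info", "active cr3 installed for %#x" % os.get_process_cr3())
vm.detach()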
#!/usr/bin/env python # # Enter interactive 'shell' mode # from ramooflax.core import VM, CPUFamily, log ## ## Main ## peer = "172.16.131.128:1337" vm = VM(CPUFamily.Intel, peer) log.setup(all=True) vm.run(dict(globals(), **locals()))
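#
# This script uses amoco engine (https://github.com/bdcht/amoco)
#
from amoco.arch.x86 import cpu_x86 as am
from ramooflax.core import VM, CPUFamily, log
from ramooflax.utils import disassemble


def disasm_wrapper(addr, data):
    """Decode `data` as x86 code located at `addr` using amoco.

    Adapts amoco's disassembler to the (addr, data) callback shape that
    ramooflax.utils.disassemble expects.
    """
    return am.disassemble(data, address=addr)


def sstep_disasm(vm):
    """Single-step filter: print the instruction at the current code location.

    Only the first line of the disassembly listing is printed, i.e. the
    instruction about to execute. Returns True like the other filter
    callbacks of this tool.
    """
    insns = disassemble(vm, disasm_wrapper, vm.cpu.code_location())
    # print() with a single argument is valid on both Python 2 and 3
    print(insns.split('\n')[0])
    return True


##
## Main
##
# control endpoint of the hypervisor, host:port
peer = "172.16.131.128:1337"
vm = VM(CPUFamily.Intel, peer)
log.setup(info=True, fail=True, gdb=False)
vm.attach()
vm.stop()
# Every single-step event goes through sstep_disasm before control returns
vm.cpu.filter_singlestep(sstep_disasm)
log("info", "\n####\n#### type: vm.singlestep()\n####\n")
vm.interact(dict(globals(), **locals()))
vm.detach()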
# A process name is mandatory; bail out with a short message otherwise
if not sys.argv[1:]:
    log("fail", "gimme prog name")
    sys.exit(-1)

# Target process
process_name = sys.argv[1]

# Some offsets for debian 2.6.32-5-486 kernel
# (they look like task_struct / mm_struct field offsets plus THREAD_SIZE and
#  are specific to that exact kernel build -- a wrong set does not fail
#  loudly, the process walker just reads garbage memory)
settings = dict(thread_size=8192, comm=540, next=240, mm=268, pgd=36)
# NOTE: `os` here is the guest-OS model, shadowing the stdlib module name
os = OSFactory(OSAffinity.Linux26, settings)
# Filter callback evaluated on each CR3 write until the target is found
hook = os.find_process_filter(process_name)

##
## Main
##
# control endpoint of the hypervisor, host:port
peer = "172.16.131.128:1337"
vm = VM(CPUFamily.Intel, peer)
vm.attach()
vm.stop()

# Trap CR3 writes and let the filter look at the guest on each one; resume()
# is presumably True once the hook has matched -- confirm against VM.resume()
vm.cpu.filter_write_cr(3, hook)
while not vm.resume():
    pass
vm.cpu.release_write_cr(3)

# Confine further tracking to the address space that was found
vm.cpu.set_active_cr3(os.get_process_cr3(), True, OSAffinity.Linux26)
log("info", "active cr3 installed for %#x" % os.get_process_cr3())
vm.detach()
#!/usr/bin/env python # # Pretty print the GDT/IDT # import struct from ramooflax.core import VM, CPUFamily, log from ramooflax.utils import SegmentDescriptor, InterruptDescriptor ## ## Main ## peer = "172.16.131.128:1337" vm = VM(CPUFamily.Intel, peer) log.setup(info=True, fail=True, gdb=False, vm=True, brk=True, evt=False) # Retrieve 32 bits GDT/IDT content vm.attach() vm.stop() gdt_sz = vm.cpu.sr.gdtr_limit + 1 gdt_mm = vm.mem.vread(vm.cpu.sr.gdtr_base, gdt_sz) idt_sz = vm.cpu.sr.idtr_limit + 1 idt_mm = vm.mem.vread(vm.cpu.sr.idtr_base, idt_sz) vm.detach() # Pretty print GDT/IDT content dts = (("-= GDT =-", SegmentDescriptor, gdt_mm, gdt_sz),
for p in vm.ads[a].iter_pages(user=True): vm.all_pages[p.paddr].append((a,p)) for addr,pages in vm.all_pages.iteritems(): if len(pages) > 1: log("fsm", "match for 0x%x" % addr) for ads,pg in pages: log("fsm", "ads 0x%x: %s" % (ads,pg)) return True ## ## Main ## peer = "172.16.131.128:1337" vm = VM(CPUFamily.Intel, peer) vm.nr_cr3 = 5 vm.ads = {} log.setup(info=True, fail=True, gdb=False, vm=True, brk=True, evt=False, fsm=(True,log.blue)) vm.attach() vm.stop() vm.cpu.filter_write_cr(3, wcr3) log("info", "ready!") vm.interact2(dict(globals(), **locals()))
# Some offsets for kernel 3.4.1 settings = {"thread_size":8192, "comm":0x1cc, "next":0xc0, "mm":0xc8, "pgd":0x24} os = OSFactory(OSAffinity.Linux26, settings) hook = os.find_process_filter("break") # create logging for this script log.setup(info=(True,Log.blue), fail=(True,Log.red), brk=True, gdb=True, vm=True, evt=True) ## ## Main ## peer = "172.16.131.128:1337" vm = VM(CPUFamily.Intel, peer) vm.attach() vm.stop() vm.cpu.breakpoints.add_data_w(vm.cpu.sr.tr_base+4, 4, hook) while not vm.resume(): continue vm.cpu.breakpoints.remove(1) vm.cpu.set_active_cr3(os.get_process_cr3(), affinity=OSAffinity.Linux26) log("info", "found break process") # # Breakpoints handling #
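# so that you can play with symbols
#
import sys
from ramooflax.core import VM, CPUFamily, log
from ramooflax.utils import SymTab, SymParser

##
## Main
##
# A System.map path is mandatory; exit with a short usage hint otherwise
if len(sys.argv) < 2:
    # print() with a single argument is valid on both Python 2 and 3
    print("give me 'system.map")
    sys.exit(1)

# control endpoint of the hypervisor, host:port
peer = "172.16.131.128:1337"
vm = VM(CPUFamily.Intel, peer)
log.setup(info=True, fail=True, gdb=False, vm=True, brk=True, evt=False)

# load kernel symbols from the System.map given on the command line
vm.symbols = SymTab(SymParser().from_system_map(sys.argv[1]))

vm.attach()
vm.stop()
# resolve the current code location against the loaded symbol table
print(vm.symbols[vm.cpu.code_location()])
log("info", "ready!")
vm.interact2(dict(globals(), **locals()))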
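from amoco.arch.x86 import cpu_x86 as am
from ramooflax.core import VM, CPUFamily, log
from ramooflax.utils import disassemble


def disasm_wrapper(addr, data):
    """Decode `data` as x86 code located at `addr` using amoco.

    Adapts amoco's disassembler to the (addr, data) callback shape that
    ramooflax.utils.disassemble expects.
    """
    return am.disassemble(data, address=addr)


def sstep_disasm(vm):
    """Single-step filter: print the instruction at the current code location.

    Only the first line of the disassembly listing is printed, i.e. the
    instruction about to execute. Returns True like the other filter
    callbacks of this tool.
    """
    insns = disassemble(vm, disasm_wrapper, vm.cpu.code_location())
    # print() with a single argument is valid on both Python 2 and 3
    print(insns.split('\n')[0])
    return True


##
## Main
##
# control endpoint of the hypervisor, host:port
peer = "172.16.131.128:1337"
vm = VM(CPUFamily.Intel, peer)
log.setup(info=True, fail=True, gdb=False)
vm.attach()
vm.stop()
# Every single-step event goes through sstep_disasm before control returns
vm.cpu.filter_singlestep(sstep_disasm)
log("info", "\n####\n#### type: vm.singlestep()\n####\n")
vm.interact(dict(globals(), **locals()))
vm.detach()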
# NOTE: `os` here is the guest-OS model, shadowing the stdlib module name
os = OSFactory(OSAffinity.Linux26, settings)
# Filter callback that reports when a process named "break" is scheduled in
hook = os.find_process_filter("break")

# create logging for this script
log.setup(info=(True, Log.blue), fail=(True, Log.red), brk=True, gdb=True, vm=True, evt=True)

##
## Main
##
# control endpoint of the hypervisor, host:port
peer = "172.16.131.128:1337"
vm = VM(CPUFamily.Intel, peer)
vm.attach()
vm.stop()
# 4-byte data-write breakpoint 4 bytes into the TSS (on a 32-bit TSS that is
# ESP0, which the kernel rewrites on each task switch -- confirm for this
# guest); the hook is evaluated on every hit
vm.cpu.breakpoints.add_data_w(vm.cpu.sr.tr_base + 4, 4, hook)
# resume() is presumably True once the hook has matched -- confirm
while not vm.resume():
    continue
# breakpoint id 1 is assumed to be the one registered just above
vm.cpu.breakpoints.remove(1)
# Confine further tracking to the address space of the found process
vm.cpu.set_active_cr3(os.get_process_cr3(), affinity=OSAffinity.Linux26)
log("info", "found break process")

#
# Breakpoints handling
#
#!/usr/bin/env python # # Clean up vmm debugging session (if remaining cr3 tracking) # from ramooflax.core import VM, CPUFamily ## ## Main ## peer = "172.16.131.128:1337" vm = VM(CPUFamily.Intel, peer) vm.attach() vm.stop() vm.cpu.del_active_cr3() vm.detach()
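# Target process: the name comes from the command line. Refuse to run without
# it instead of dying on sys.argv[1] with a bare IndexError (same check and
# message as the sibling scripts of this tool).
if len(sys.argv) < 2:
    log("fail", "gimme prog name")
    sys.exit(-1)
process_name = sys.argv[1]

# Some offsets for debian 2.6.32-5-486 kernel
# (they look like task_struct / mm_struct field offsets plus THREAD_SIZE and
#  are specific to that exact kernel build -- a wrong set does not fail
#  loudly, the process walker just reads garbage memory)
settings = {
    "thread_size": 8192,
    "comm": 540,
    "next": 240,
    "mm": 268,
    "pgd": 36,
}
# NOTE: `os` here is the guest-OS model, shadowing the stdlib module name
os = OSFactory(OSAffinity.Linux26, settings)
# Filter callback that reports when the target process is scheduled in
hook = os.find_process_filter(process_name)

##
## Main
##
# control endpoint of the hypervisor, host:port (AMD guest, unlike the
# other scripts of this tool which target an Intel one)
peer = "192.168.254.254:1234"
vm = VM(CPUFamily.AMD, peer)
vm.attach()
vm.stop()
# 4-byte data-write breakpoint 4 bytes into the TSS (on a 32-bit TSS that is
# ESP0, which the kernel rewrites on each task switch -- confirm for this
# guest); the hook is evaluated on every hit
vm.cpu.breakpoints.add_data_w(vm.cpu.sr.tr_base + 4, 4, hook)
# resume() is presumably True once the hook has matched -- confirm
while not vm.resume():
    continue
# breakpoint id 1 is assumed to be the one registered just above
vm.cpu.breakpoints.remove(1)
log("info", "success: %#x" % os.get_process_cr3())
vm.detach()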
#check if they have another mapping with user privilege fmt = "U ads 0x%x match K ads 0x%x:\n (user) %s\n (krnl) %s" for klst in vm.kppg.itervalues(): for ka, kp in klst: for a in vm.ads: ulst = vm.ads[a].search_paddr(kp.paddr, user=True) if len(ulst) != 0: for p in ulst: log("fkm", fmt % (a, ka, p, kp)) ## ## Main ## peer = "172.16.131.128:1337" vm = VM(CPUFamily.Intel, peer) vm.nr_cr3 = 1 vm.ads = {} #keep track of every kernel physical pages vm.kppg = defaultdict(list) log.setup(info=True, fail=True, gdb=False, vm=True, brk=True, evt=False, fkm=(True, log.blue)) vm.attach()