def _handle_sigaction(self, mu, sig, act, oact): ''' struct sigaction { union { void (*sa_handler)(int); void (*sa_sigaction)(int, siginfo_t *, void *); }, sigset_t sa_mask; int sa_flags; void (*sa_restorer)(void); }; ''' act_off = act sa_handler = memory_helpers.read_ptr(mu, act_off) act_off += 4 sa_mask = memory_helpers.read_ptr(mu, act_off) act_off += 4 sa_flag = memory_helpers.read_ptr(mu, act_off) act_off += 4 sa_restorer = memory_helpers.read_ptr(mu, act_off) logging.warning( "sa_handler [0x%08X] sa_mask [0x%08X] sa_flag [0x%08X] sa_restorer [0x%08X]" % (sa_handler, sa_mask, sa_flag, sa_restorer)) self._sig_maps[sig] = (sa_handler, sa_mask, sa_flag, sa_restorer) return 0
def __process_vm_readv(self, mu, pid, local_iov, liovcnt, remote_iov, riovcnt, flag): ''' struct iovec { void *iov_base; /* Starting address */ size_t iov_len; /* Number of bytes to transfer */ }; ''' if (pid != self._getpid(mu)): raise NotImplementedError("__process_vm_readv return other process not support...") off_r = remote_iov b = b'' for i in range(0, riovcnt): rbase = memory_helpers.read_ptr(mu, off_r) iov_len = memory_helpers.read_ptr(mu, off_r+4) tmp = memory_helpers.read_byte_array(mu, rbase, iov_len) b+=tmp #for j in range(0, liovcnt) off_r+=8 # off_l = local_iov has_read = 0 for j in range(0, liovcnt): lbase = memory_helpers.read_ptr(mu, off_l) liov_len = memory_helpers.read_ptr(mu, off_l+4) tmp = b[has_read:liov_len] has_read += len(tmp) off_l += 8 # print(b) return has_read
def _handle_writev(self, mu, fd, vec, vlen): n = 0 for i in range(0, vlen): addr = memory_helpers.read_ptr(mu, (i * 8) + vec) size = memory_helpers.read_ptr(mu, (i * 8) + vec + 4) data = bytes(mu.mem_read(addr, size)) n += os.write(fd, data) logger.info('Writev %r' % data) # return n
def _handle_writev(self, mu, fd, vec, vlen): if fd == 2: for i in range(0, vlen): addr = memory_helpers.read_ptr(mu, (i * 8) + vec) size = memory_helpers.read_ptr(mu, (i * 8) + vec + 4) sys.stderr.buffer.write(mu.mem_read(addr, size)) return 0 raise NotImplementedError()
def _handle_writev(self, mu, fd, vec, vlen): if fd == 2: for i in range(0, vlen): addr = memory_helpers.read_ptr(mu, (i * 8) + vec) size = memory_helpers.read_ptr(mu, (i * 8) + vec + 4) data = bytes(mu.mem_read(addr, size)).decode(encoding='UTF-8') logger.error('Writev %s' % data) return 0 return 0
def __execve(self, mu, filename_ptr, argv_ptr, envp_ptr): filename = memory_helpers.read_utf8(mu, filename_ptr) ptr = argv_ptr params = [] logger.info("execve run") while True: off = memory_helpers.read_ptr(mu, ptr) param = memory_helpers.read_utf8(mu, off) if (len(param) == 0): break params.append(param) ptr += 4 # logging.warning("execve %s %r" % (filename, params)) cmd = " ".join(params) pkg_name = config.global_config_get("pkg_name") pm = "pm path %s" % (pkg_name, ) if (cmd.find(pm) > -1): output = "package:/data/app/%s-1.apk" % pkg_name logger.info("write to stdout [%s]" % output) os.write(1, output.encode("utf-8")) sys.exit(0) # else: raise NotImplementedError()
def vfprintf(self, uc, FILE, format, va_list): # int vfprintf ( FILE * stream, const char * format, va_list arg ); struct_FILE = memory_helpers.read_byte_array(uc, FILE, 18) c_string = memory_helpers.read_utf8(uc, format) args = [] result_string = "" for i in range(0, len(c_string)): if c_string[i] == '%': if c_string[i + 1] == "d": args.append(memory_helpers.read_uints(uc, va_list, 1)[0]) elif c_string[i + 1] == "c": args.append( chr(memory_helpers.read_byte_array(uc, va_list, 1)[0])) elif c_string[i + 1] == "s": s_addr = memory_helpers.read_ptr(uc, va_list) args.append(memory_helpers.read_cString(uc, s_addr)[0]) else: result_string += c_string[i:i + 2] # TODO more format support va_list += 4 result_string += "{0[" + str(len(args) - 1) + "]}" continue if i >= 1: if c_string[i - 1] == '%' or c_string[i] == '%': continue result_string += c_string[i] result_string = result_string.format(args) logger.debug("Called vfprintf(%r)" % result_string)
def register_natives(self, mu, env, clazz_id, methods, methods_count): logger.debug("JNIEnv->RegisterNatives(%d, 0x%08x, %d) was called" % (clazz_id, methods, methods_count)) clazz = self.get_local_reference(clazz_id) if not isinstance(clazz, jclass): raise ValueError('Expected a jclass.') clazz = clazz.value for i in range(0, methods_count): ptr_name = memory_helpers.read_ptr(mu, (i * 12) + methods) ptr_sign = memory_helpers.read_ptr(mu, (i * 12) + methods + 4) ptr_func = memory_helpers.read_ptr(mu, (i * 12) + methods + 8) name = memory_helpers.read_utf8(mu, ptr_name) signature = memory_helpers.read_utf8(mu, ptr_sign) clazz.register_native(name, signature, ptr_func) return JNI_OK