def PrintFuncs(funcs, end='\n'):
    """Print each function as ``<hex addr> - <name>`` through the module's printf.

    Args:
        funcs: one function-like object or a list/tuple of them; every item
            must expose ``.addr`` (formatted with ``%x``) and ``.name``.
        end: line terminator forwarded to printf's ``end`` keyword.
    """
    # Normalise the scalar case so a single loop serves both call shapes.
    items = funcs if isinstance(funcs, (list, tuple)) else [funcs]
    for fn in items:
        printf("%x - %s" % (fn.addr, fn.name), end=end)
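def escape_for_sh_double_quotes(text):
    """Escape *text* so it is passed literally inside a POSIX-sh ``"..."`` string.

    Inside double quotes the shell still interprets backslash, ``"``, ``$``
    and the backtick; each gets a backslash prefix. Backslash is handled
    first so the escapes added afterwards are not doubled up.

    Args:
        text: the raw snippet (str).

    Returns:
        The escaped snippet (str); empty input yields empty output.
    """
    for ch in ('\\', '"', '$', '`'):
        text = text.replace(ch, '\\' + ch)
    return text


def pwntools_agent(cmd):
    """Run a one-line pwntools snippet via ``python -c`` through command_agent.

    The snippet is wrapped as ``python -c "from pwn import *;<cmd>"`` and
    executed by command_agent (``shell=True``; prefixed with ``wsl -- `` on
    Windows). The original escaped only ``"``; ``$``, backticks and
    backslashes were still interpreted by the shell, which both corrupted
    snippets containing them and let them inject extra shell commands, so
    all four are now escaped. The escaping targets a POSIX sh; on Windows
    the string first passes through cmd.exe before reaching WSL — presumably
    intact, as cmd.exe treats none of these characters specially, but this
    path is not verified here.

    Args:
        cmd: the Python source to run after ``from pwn import *;``.

    Returns:
        command_agent's captured stdout with surrounding newlines stripped.
        NOTE(review): command_agent returns whatever Popen.communicate()
        yields, so on Python 3 this is bytes and ``.strip('\\n')`` would raise
        TypeError — the code appears to assume Python 2 semantics; confirm.
    """
    wrapped = 'python -c "from pwn import *;%s"' % escape_for_sh_double_quotes(cmd)
    out = command_agent(wrapped)
    printf(out, verbose=LOG_LEVEL_DEBUG)
    return out.strip('\n')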
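def command_agent(cmd):
    """Run *cmd* through the system shell and return its captured stdout.

    On Windows the command is prefixed with ``wsl -- `` so it executes
    inside WSL. stderr is captured and, if non-empty after stripping,
    logged at error level; the hard failure that once lived here is
    deliberately disabled, and the exit status is not checked, so stdout is
    returned regardless of success.

    Security: ``shell=True`` means every shell metacharacter in *cmd* is
    interpreted. Callers must build *cmd* only from trusted pieces that are
    already escaped for the shell (see pwntools_agent); never pass
    attacker-controlled text straight in.

    Args:
        cmd: a complete shell command line (str).

    Returns:
        stdout exactly as Popen.communicate() returns it — str on Python 2,
        bytes on Python 3 (no ``universal_newlines``/``text`` is set, so no
        decoding happens here).
    """
    if INFO_SYSTEM == 'windows':
        cmd = 'wsl -- ' + cmd
    proc = subprocess.Popen(cmd, stderr=subprocess.PIPE, stdout=subprocess.PIPE, shell=True)
    out, err = proc.communicate()
    # Truthiness works for both str and bytes. The original `err.strip() != ''`
    # compared bytes with str on Python 3 and was therefore always true,
    # logging an "error" on every call.
    if err.strip():
        printf(err, verbose=LOG_LEVEL_ERR)
        # A fatal exception used to be raised here; keep it best-effort.
    return out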
def __init__(self):
    """Load the dangerous-function table from ``<WORKING_DIR>/config/<DANGER_FUNCS_FILE>``.

    The JSON document is stored verbatim on ``self.FUNCS``. A document of
    length zero is reported at error level (also written to the log file);
    anything non-empty is reported at debug level. I/O and JSON decoding
    errors propagate to the caller.
    """
    from AEGconfig import DANGER_FUNCS_FILE, WORKING_DIR
    import json
    import os

    preset_path = os.path.join(WORKING_DIR, "config", DANGER_FUNCS_FILE)
    with open(preset_path, 'r') as fh:
        self.FUNCS = json.load(fh)

    if len(self.FUNCS) == 0:
        printf("Load dangerous funcs failed", verbose=LOG_LEVEL_ERR, output_to_file=True)
    else:
        printf("Load dangerous funcs successfully!", verbose=LOG_LEVEL_DEBUG)
def get_stack_arg_offset(addr, arg, base=None):
    """Return the offset of frame member *arg* relative to the ``' s'`` member.

    Reference: https://gist.github.com/syndrowm/2968620

    Walks every byte offset of the IDA frame structure of the function at
    *addr*, collecting the distinct member names in order of first
    appearance (logged at debug level). When both ``' s'`` and *arg* are
    present the result is ``GetMemberOffset(arg) - GetMemberOffset(' s')``;
    if *base* is truthy it is treated as a register name and the register's
    current value is added, giving an absolute address.

    Args:
        addr: address inside the function whose frame is inspected.
        arg: frame member name to locate.
        base: optional register name read through GetRegValue.

    Returns:
        int relative offset (or absolute address with *base*), or None when
        either member is missing from the frame.

    NOTE(review): ``' s'`` is presumably IDA's generated saved-registers
    member, which would make the offset relative to the saved frame pointer
    slot — confirm against the IDA version in use.
    """
    frame = GetFrame(addr)
    frame_size = GetStrucSize(frame)

    members = []
    for byte_off in range(frame_size):
        member = GetMemberName(frame, byte_off)
        if member and member not in members:
            members.append(member)
    printf('names: %s' % members, verbose=LOG_LEVEL_DEBUG)

    if ' s' not in members or arg not in members:
        return None

    rel = GetMemberOffset(frame, arg) - GetMemberOffset(frame, ' s')
    if base:
        return GetRegValue(base) + rel
    return rel
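def DangerousFunction(type_constrain=None):
    """Return the dangerous functions present in the loaded binary.

    The preset table is loaded once (via DangerFuncsPreset().GetFuncs()) into
    the module-global ``_Danger_funcs_preset``; it maps function name -> info
    dict carrying at least a ``'type'`` key. Every function reported by
    AEG_GetAllFunctions whose name is a key of that table is selected; when
    *type_constrain* is truthy only entries whose ``'type'`` equals it are
    kept.

    Args:
        type_constrain: optional value compared against the preset's
            ``'type'`` field; falsy means no filtering.

    Returns:
        list of ``DangerousFuncs(func, name, preset_info)`` objects, one per
        selected function. An empty list (after an info-level log line) when
        nothing matched.
    """
    global _Danger_funcs_preset
    if _Danger_funcs_preset is None:
        _Danger_funcs_preset = DangerFuncsPreset().GetFuncs()
    preset = _Danger_funcs_preset

    # Dict membership replaces the original name-vs-every-key loop; same
    # functions selected, one lookup per function instead of one per key.
    selected = []
    for func in AEG_GetAllFunctions():
        name = AEG_GetFuncName(func)
        if name not in preset:
            continue
        if type_constrain and preset[name]['type'] != type_constrain:
            continue
        selected.append(func)

    if not selected:
        printf("No Danger funcs found in given binary.", verbose=LOG_LEVEL_INFO)
        return []

    # De-duplicate as before, but keep discovery order (insertion-ordered
    # dicts, Python 3.7+) instead of set()'s arbitrary order.
    selected = list(dict.fromkeys(selected))
    names = [AEG_GetFuncName(f) for f in selected]
    infos = [preset[n] for n in names]
    # Materialise everything: on Python 3 the original held `funcname_list`
    # as a map() iterator and exhausted it while building the info list, so
    # the final map() yielded nothing. Returning a list is also what the
    # "nothing found" branch already does.
    return list(map(DangerousFuncs, selected, names, infos))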
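def parse_gdb_logged_values(text):
    """Parse the two ``p/x`` results gdb wrote to its log file.

    Each logged line is expected to look like ``$1 = 0x7ffc...``; the text
    after the first ``=`` is parsed as hexadecimal. Only the first two lines
    are used.

    Args:
        text: the complete log file contents (str).

    Returns:
        ``(sp, bp)`` as ints, in the order the lines appear.

    Raises:
        ValueError: fewer than two lines, a line without ``=``, or a value
            that is not hexadecimal — which is what a missed breakpoint or a
            gdb error message in the log looks like.
    """
    lines = text.split('\n')
    if len(lines) < 2:
        raise ValueError("expected two 'p/x' lines in gdb log, got: %r" % text)
    values = []
    for line in lines[:2]:
        if '=' not in line:
            raise ValueError("unexpected gdb log line: %r" % line)
        values.append(int(line.split('=')[1].strip(), base=16))
    return values[0], values[1]


def Getoffset_SP2BP(addr, gdb_script=None):
    """Measure ``$bp - $sp`` at *addr* by running the target once under gdb.

    A single dynamic run: a breakpoint is set at *addr*, the program is
    started with ``r``, and ``p/x $sp`` / ``p/x $bp`` (``esp``/``ebp`` when
    INFO_BITS == 32, ``rsp``/``rbp`` otherwise) are logged to
    ``gdboutput.txt`` in the current working directory, then parsed.

    Assumes the breakpoint is reached without further interaction
    (stdin, arguments, environment); handling other preconditions is TODO.

    Security: ``r`` executes the binary under analysis on this host with the
    caller's privileges. Only do this for samples you are prepared to run,
    ideally inside a sandbox.

    Args:
        addr: breakpoint address (int).
        gdb_script: optional replacement script. It is formatted with
            ``% (addr, prefix, prefix)`` exactly like the default, so it must
            contain the same three ``%`` placeholders and must itself log the
            two ``p/x`` lines to ``gdboutput.txt``.

    Returns:
        int ``bp - sp``. The first result is cached in the module-global
        ``offset_SP2BP`` and returned by every later call — regardless of
        *addr* — so call this once per frame of interest.

    Raises:
        IOError/OSError if gdb produced no log (e.g. the breakpoint was
            never hit); ValueError if the log lacks two parseable lines.
    """
    global offset_SP2BP
    if offset_SP2BP is not None:
        return offset_SP2BP

    import os

    if gdb_script is None:
        script_tmpl = ('b *0x%x\nr\nset logging file gdboutput.txt\nset logging on\n'
                       'p/x $%ssp\np/x $%sbp\nset logging off\n')
    else:
        script_tmpl = gdb_script
    reg_prefix = 'e' if INFO_BITS == 32 else 'r'
    script = script_tmpl % (addr, reg_prefix, reg_prefix)
    printf(script, verbose=LOG_LEVEL_DEBUG)

    # gdb's `set logging on` APPENDS by default, so a log left over from an
    # earlier run would be parsed instead of this run's output. Remove it
    # first; a missing file afterwards then means gdb never reached `p/x`.
    log_path = 'gdboutput.txt'
    if os.path.exists(log_path):
        os.remove(log_path)

    gdb_agent(script)

    with open(log_path, 'r') as log:
        sp, bp = parse_gdb_logged_values(log.read())
    offset = bp - sp
    offset_SP2BP = offset
    printf("calc offset SP 2 BP : %d" % offset)
    return offset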