def PrintFuncs(funcs, end='\n'):
    """Print ``<hex addr> - <name>`` for one function object or a list/tuple of them.

    Each item is expected to expose ``addr`` and ``name`` attributes.  A single
    object is wrapped into a one-element list so one loop covers both cases;
    ``end`` is forwarded to ``printf`` as the line terminator.
    """
    items = funcs if isinstance(funcs, (list, tuple)) else [funcs]
    for func in items:
        line = "%x - %s" % (func.addr, func.name)
        printf(line, end=end)
def pwntools_agent(cmd):
    """Run a one-line pwntools snippet through ``command_agent`` and return its output.

    ``cmd`` is spliced into ``python -c "from pwn import *;<cmd>"``.  Only the
    double quotes in it are backslash-escaped; ``$``, backticks and backslashes
    are still interpreted by the shell that ``command_agent`` spawns, so callers
    are expected to pass trusted, well-formed snippets.  The raw output is
    logged at debug level and returned with surrounding newlines stripped.
    """
    escaped = cmd.replace('"', '\\"')
    wrapped = 'python -c "from pwn import *;%s"' % escaped
    result = command_agent(wrapped)
    printf(result, verbose=LOG_LEVEL_DEBUG)
    return result.strip('\n')
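def command_agent(cmd):
    """Run ``cmd`` through the platform shell and return its stdout.

    On Windows (``INFO_SYSTEM == 'windows'``) the command is prefixed with
    ``wsl -- `` so it executes inside WSL.  The command is a single string
    handed to ``shell=True``, so the shell interprets it: callers must pass
    only trusted, already-quoted command lines.

    Anything the child wrote to stderr is logged at error level; it does not
    abort the call (the original ``FatalErrorException`` was left disabled).

    Returns:
        The child's stdout exactly as ``Popen.communicate`` returns it
        (``str`` on Python 2, ``bytes`` on Python 3).
    """
    if INFO_SYSTEM == 'windows':
        cmd = 'wsl -- ' + cmd
    proc = subprocess.Popen(cmd,
                            stderr=subprocess.PIPE,
                            stdout=subprocess.PIPE,
                            shell=True)
    out, err = proc.communicate()

    # Truthiness instead of ``!= ''``: communicate() yields bytes on Python 3,
    # where ``b'' != ''`` is always True, so an empty error was logged for
    # every successful command.  On Python 2 (str) the behaviour is unchanged.
    if err.strip():
        printf(err, verbose=LOG_LEVEL_ERR)

    return out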
 def __init__(self):
     """Load the dangerous-function table from ``<WORKING_DIR>/config/<DANGER_FUNCS_FILE>``.

     The parsed JSON document is stored verbatim in ``self.FUNCS``.  A
     non-empty table is reported at debug level; an empty one is reported as
     an error (also to the log file) but does not raise.
     """
     from AEGconfig import DANGER_FUNCS_FILE, WORKING_DIR
     import json
     import os
     table_path = os.path.join(WORKING_DIR, "config", DANGER_FUNCS_FILE)
     with open(table_path, 'r') as fh:
         self.FUNCS = json.load(fh)
     if len(self.FUNCS):
         printf("Load dangerous funcs successfully!",
                verbose=LOG_LEVEL_DEBUG)
     else:
         printf("Load dangerous funcs failed",
                verbose=LOG_LEVEL_ERR,
                output_to_file=True)
def get_stack_arg_offset(addr, arg, base=None):
    '''
    Return the offset of stack-frame member ``arg`` relative to the ' s'
    member of the frame at ``addr`` (' s' is presumably IDA's saved-register
    area, used here as the zero point).

    Reference: https://gist.github.com/syndrowm/2968620

    If ``base`` is given it names a register; that register's current value
    plus the offset is returned instead of the bare offset.  Returns None when
    the frame has no ' s' member or no member named ``arg``.
    '''
    frame = GetFrame(addr)
    frame_size = GetStrucSize(frame)

    # Walk every byte offset of the frame and keep each member name once, in
    # first-seen order (consecutive offsets inside one member repeat its name).
    names = []
    for off in range(frame_size):
        member = GetMemberName(frame, off)
        if member and member not in names:
            names.append(member)

    printf('names: %s' % names, verbose=LOG_LEVEL_DEBUG)
    if ' s' not in names or arg not in names:
        return None

    offset = GetMemberOffset(frame, arg) - GetMemberOffset(frame, ' s')
    if base:
        return GetRegValue(base) + offset
    return offset
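def DangerousFunction(type_constrain=None):
    """Return the dangerous functions present in the analysed binary.

    The preset table is loaded once into the module-level
    ``_Danger_funcs_preset`` via ``DangerFuncsPreset().GetFuncs()``; it maps a
    function name to a record that carries at least a ``'type'`` key.  Every
    function reported by ``AEG_GetAllFunctions`` whose name is a key of that
    table is selected; when ``type_constrain`` is truthy, only entries whose
    ``'type'`` equals it.

    Args:
        type_constrain: optional value compared against the preset ``'type'``.

    Returns:
        A list of ``DangerousFuncs(func, name, preset_record)`` objects, one per
        distinct matched function, or an empty list when nothing matched (an
        info message is logged in that case).
    """
    global _Danger_funcs_preset
    if _Danger_funcs_preset is None:
        _Danger_funcs_preset = DangerFuncsPreset().GetFuncs()
    preset = _Danger_funcs_preset

    # Direct key lookup gives the same matches as comparing the name against
    # every key, with one AEG_GetFuncName call per function instead of one
    # per key.  ``seen`` replaces the original list(set(ret)) de-duplication.
    matched = []
    seen = set()
    for func in AEG_GetAllFunctions():
        name = AEG_GetFuncName(func)
        if name not in preset or func in seen:
            continue
        if type_constrain and preset[name]['type'] != type_constrain:
            continue
        seen.add(func)
        matched.append(func)

    if not matched:
        printf("No Danger funcs found in given binary.",
               verbose=LOG_LEVEL_INFO)
        return matched

    # Materialise the names once: the original reused a ``map`` object twice,
    # which only yields results on Python 2 (where ``map`` returns a list); on
    # Python 3 the second use saw an exhausted iterator and returned nothing.
    names = [AEG_GetFuncName(func) for func in matched]
    return [DangerousFuncs(func, name, preset[name])
            for func, name in zip(matched, names)]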
def Getoffset_SP2BP(addr, gdb_script=None):
    '''
    Run gdb once to measure ``$bp - $sp`` at ``addr`` -- effectively a single
    round of dynamic debugging.  The result is cached in the module global
    ``offset_SP2BP`` and returned directly on later calls.

    Note: this assumes the program can simply be run to the requested frame;
    handling other preconditions is still TODO.  The ``r`` command executes
    the analysed binary, so this belongs on an isolated analysis host.

    ``gdb_script`` may replace the default script.  Either way the script is
    formatted with ``(addr, prefix, prefix)`` where prefix is 'e' on 32-bit
    and 'r' otherwise, and it must leave the ``$sp`` and ``$bp`` values as
    the first two lines of ``gdboutput.txt`` in the working directory.
    '''
    global offset_SP2BP
    if offset_SP2BP is not None:
        return offset_SP2BP

    script = gdb_script
    if script is None:
        script = ('b *0x%x\n'
                  'r\n'
                  'set logging file gdboutput.txt\n'
                  'set logging on\n'
                  'p/x $%ssp\n'
                  'p/x $%sbp\n'
                  'set logging off\n')
    prefix = 'e' if INFO_BITS == 32 else 'r'
    rendered = script % (addr, prefix, prefix)
    printf(rendered, verbose=LOG_LEVEL_DEBUG)
    gdb_agent(rendered)

    # Each logged line is expected to look like ``$1 = 0x...``; the hex value
    # after '=' is parsed.  A differently shaped line raises here, as before.
    with open('gdboutput.txt', 'r') as log:
        lines = log.read().split('\n')
    sp = int(lines[0].split('=')[1].strip(), base=16)
    bp = int(lines[1].split('=')[1].strip(), base=16)
    offset_SP2BP = bp - sp
    printf("calc offset SP 2 BP : %d" % offset_SP2BP)
    return offset_SP2BP