def init(binary): BinaryAnalysis.clear() BinaryAnalysis.path = binary BinaryAnalysis.rawData = list(open(binary, 'rb').read()) BinaryAnalysis.container = Container.from_stream(open(binary, 'rb')) BinaryAnalysis.locDB = BinaryAnalysis.container.loc_db BinaryAnalysis.machine = Machine(BinaryAnalysis.container.arch) BinaryAnalysis.iraType = BinaryAnalysis.machine.ira if isinstance(BinaryAnalysis.container, ContainerPE): BinaryAnalysis.binaryInfo = PEInfo(binary) elif isinstance(BinaryAnalysis.container, ContainerELF): BinaryAnalysis.binaryInfo = ELFInfo(binary) if BinaryAnalysis.binaryInfo.type == 'PE': if BinaryAnalysis.container.arch == 'x86_32': parser = Sandbox_Win_x86_32.parser(description="PE sandboxer") options = parser.parse_args() BinaryAnalysis.sb = Sandbox_Win_x86_32(BinaryAnalysis.path, options, globals()) elif BinaryAnalysis.container.arch == 'x86_64': parser = Sandbox_Win_x86_64.parser(description="PE sandboxer") options = parser.parse_args() BinaryAnalysis.sb = Sandbox_Win_x86_64(BinaryAnalysis.path, options, globals()) elif BinaryAnalysis.binaryInfo.type == 'ELF': if BinaryAnalysis.container.arch == 'x86_32': parser = Sandbox_Linux_x86_32.parser( description="PE sandboxer") options = parser.parse_args() BinaryAnalysis.sb = Sandbox_Linux_x86_32( BinaryAnalysis.path, options, globals()) elif BinaryAnalysis.container.arch == 'x86_64': parser = Sandbox_Linux_x86_64.parser( description="PE sandboxer") options = parser.parse_args() BinaryAnalysis.sb = Sandbox_Linux_x86_64( BinaryAnalysis.path, options, globals()) BinaryAnalysis.disasmEngine = BinaryAnalysis.machine.dis_engine( BinaryAnalysis.container.bin_stream, loc_db=BinaryAnalysis.container.loc_db) BinaryAnalysis.disasmEngine.dis_block_callback = detect_func_name BinaryAnalysis.maxSizeData = BinaryAnalysis.disasmEngine.attrib // 8 BinaryAnalysis.strings = BinaryAnalysis.binaryInfo.findStrings() BinaryAnalysis.radare = r2pipe.open(binary) BinaryAnalysis.radare.cmd('aaa;') BinaryAnalysis.detectFunctions() BinaryAnalysis.disassembly() for start, end in (BinaryAnalysis.binaryInfo.codeRange - BinaryAnalysis.doneInterval): BinaryAnalysis.data.append((start - 1, end)) for start, end in BinaryAnalysis.binaryInfo.dataRange: BinaryAnalysis.data.append((start, end - 1))
def deal_exception_single_step(jitter): jitter.pc = win_api_x86_32_seh.fake_seh_handler( jitter, win_api_x86_32_seh.EXCEPTION_SINGLE_STEP) return True def return_from_seh(jitter): win_api_x86_32_seh.return_from_seh(jitter) return True # Insert here user defined methods # Parse arguments parser = Sandbox_Win_x86_32.parser(description="PE sandboxer") parser.add_argument("filename", help="PE Filename") options = parser.parse_args() options.usesegm = True options.use_windows_structs = True # Create sandbox sb = Sandbox_Win_x86_32(options.filename, options, globals()) # Install Windows SEH callbacks sb.jitter.add_exception_handler(EXCEPT_ACCESS_VIOL, deal_exception_access_violation) sb.jitter.add_exception_handler(EXCEPT_SOFT_BP, deal_exception_breakpoint) sb.jitter.add_exception_handler(EXCEPT_DIV_BY_ZERO, deal_exception_div) sb.jitter.add_exception_handler(1 << 17, deal_exception_privileged_instruction) sb.jitter.add_exception_handler(EXCEPT_UNK_MNEMO,
from pdb import pm from miasm.analysis.sandbox import Sandbox_Win_x86_32 # Insert here user defined methods # Parse arguments parser = Sandbox_Win_x86_32.parser(description="PE sandboxer") parser.add_argument("filename", help="PE Filename") options = parser.parse_args() # Create sandbox sb = Sandbox_Win_x86_32(options.filename, options, globals()) # Run sb.run() assert(sb.jitter.run is False)
# Handle ordinal imports fname = (args.fname if args.fname < 0x10000 else jitter.get_str_ansi(args.fname)) logging.error(fname) # Get the generated address of the library, and store it in memory to # dst_ad ad = sb.libs.lib_get_add_func(args.libbase, fname, dst_ad) # Add a breakpoint in case of a call on the resolved function # NOTE: never happens in UPX, just for skeleton jitter.handle_function(ad) jitter.func_ret_stdcall(ret_ad, ad) parser = Sandbox_Win_x86_32.parser(description="Generic UPX unpacker") parser.add_argument("filename", help="PE Filename") parser.add_argument('-v', "--verbose", help="verbose mode", action="store_true") parser.add_argument("--graph", help="Export the CFG graph in graph.dot", action="store_true") options = parser.parse_args() options.load_hdr = True sb = Sandbox_Win_x86_32(options.filename, options, globals(), parse_reloc=False)
# Handle ordinal imports fname = (args.fname if args.fname < 0x10000 else jitter.get_str_ansi(args.fname)) logging.error(fname) # Get the generated address of the library, and store it in memory to # dst_ad ad = sb.libs.lib_get_add_func(args.libbase, fname, dst_ad) # Add a breakpoint in case of a call on the resolved function # NOTE: never happens in UPX, just for skeleton jitter.handle_function(ad) jitter.func_ret_stdcall(ret_ad, ad) parser = Sandbox_Win_x86_32.parser(description="Generic UPX unpacker") parser.add_argument("filename", help="PE Filename") parser.add_argument('-v', "--verbose", help="verbose mode", action="store_true") parser.add_argument("--graph", help="Export the CFG graph in graph.dot", action="store_true") options = parser.parse_args() options.load_hdr = True sb = Sandbox_Win_x86_32(options.filename, options, globals(), parse_reloc=False) if options.verbose is True: logging.basicConfig(level=logging.INFO)
from __future__ import print_function import logging from miasm.analysis.sandbox import Sandbox_Win_x86_32 from miasm.core.locationdb import LocationDB from miasm.jitter.csts import PAGE_WRITE, PAGE_READ, EXCEPT_BREAKPOINT_MEMORY parser = Sandbox_Win_x86_32.parser( description="Displays accesses to a specified memory space") parser.add_argument("filename", help="PE Filename") parser.add_argument("memory_address", help="Starting address of the memory space") parser.add_argument("size", help="Size of the address space") parser.add_argument("--access", help="Access type", choices=["r", "w", "rw"], default="rw") options = parser.parse_args() # Create sandbox loc_db = LocationDB() sb = Sandbox_Win_x86_32(loc_db, options.filename, options, globals()) # Add a memory breakpoint address = int(options.memory_address, 0) size = int(options.size, 0) access_type = 0 if 'r' in options.access: access_type |= PAGE_WRITE if 'w' in options.access: access_type |= PAGE_READ sb.jitter.vm.add_memory_breakpoint(address, size, access_type)