def test_add_rw_data_patch(self, tlen=5):
p1 = AddRWDataPatch(tlen, "added_data_rw")
added_code = '''
li r3, 0x41
li r4, 0x0
li r5, %d
lis r6, {added_data_rw}@h
ori r6, r6, {added_data_rw}@l
_loop:
cmpw r4, r5
beq _exit
stb r3, 0(r6)
addi r4, r4, 1
addi r6, r6, 1
b _loop
_exit:
li r0, 4
li r3, 0x1
lis r4, {added_data_rw}@h
ori r4, r4, {added_data_rw}@l
sc
''' % tlen
p2 = InsertCodePatch(0x100004f8, added_code, "modify_and_print")
self.run_test("printf_nopie", [p1, p2],
expected_output=b"A" * tlen + b"Hi",
expected_returnCode=0)
def test_add_label_patch(self):
p1 = AddLabelPatch(0x400649, "added_label")
added_code = '''
mov x8, 0x40
mov x0, 0x1
ldr x1, ={added_label}
mov x2, 1
svc 0
'''
p2 = InsertCodePatch(0x400580, added_code)
self.run_test("printf_nopie", [p1, p2], expected_output=b"sHi", expected_returnCode=0)
def test_add_ro_data_patch(self, tlen=5):
p1 = AddRODataPatch(b"A"*tlen, "added_data")
added_code = '''
mov x8, 0x40
mov x0, 0x1
ldr x1, ={added_data}
mov x2, %d
svc 0
''' % tlen
p2 = InsertCodePatch(0x400580, added_code, "added_code")
self.run_test("printf_nopie", [p1, p2], expected_output=b"A"*tlen + b"Hi", expected_returnCode=0x0)
def test_c_compilation(self):
added_code = '''
li $a0, 0
%s
move $a0, $v0
li $v0, 4004
la $a1, 0x400935
li $a2, 1
syscall
''' % DetourBackendMips.get_c_function_wrapper_code("c_function")
self.run_test("printf_nopie", [InsertCodePatch(0x40076c, added_code, name="p1", priority=1), AddCodePatch("__attribute__((fastcall)) int func(int a){ return a + 1; }", "c_function", is_c=True, compiler_flags="")], expected_output=b"sHi", expected_returnCode=0x0)
def test_add_label_patch(self):
p1 = AddLabelPatch(0x400935, "added_label")
added_code = '''
li $v0, 4004
li $a0, 1
la $a1, {added_label}
li $a2, 1
syscall
'''
p2 = InsertCodePatch(0x40076c, added_code)
self.run_test("printf_nopie", [p1, p2], expected_output=b"sHi", expected_returnCode=0)
def test_add_ro_data_patch(self, tlen=5):
p1 = AddRODataPatch(b"A"*tlen, "added_data")
added_code = '''
li $v0, 4004
li $a0, 1
la $a1, {added_data}
li $a2, %d
syscall
''' % tlen
p2 = InsertCodePatch(0x40076c, added_code, "added_code")
self.run_test("printf_nopie", [p1, p2], expected_output=b"A"*tlen + b"Hi", expected_returnCode=0x0)
def test_c_compilation(self):
added_code = '''
mov x8, 0x40
mov x0, 0x0
%s
ldr x1, =0x400649
mov x2, 1
svc 0
''' % DetourBackendAarch64.get_c_function_wrapper_code("c_function")
self.run_test("printf_nopie", [InsertCodePatch(0x400580, added_code, name="p1", priority=1), AddCodePatch("__attribute__((fastcall)) int func(int a){ return a + 1; }", "c_function", is_c=True, compiler_flags="")], expected_output=b"sHi", expected_returnCode=0x0)
def test_insert_code_patch(self):
test_str = b"qwertyuiop\n\x00"
added_code = '''
mov x8, 0x40
mov x0, 0x1
ldr x1, ={added_data}
mov x2, %d
svc 0
''' % (len(test_str))
p1 = InsertCodePatch(0x400580, added_code)
p2 = AddRODataPatch(test_str, "added_data")
self.run_test("printf_nopie", [p1, p2], expected_output=b"qwertyuiop\n\x00Hi", expected_returnCode=0)
def test_insert_code_patch(self):
test_str = b"qwertyuiop\n\x00"
added_code = '''
li $v0, 4004
li $a0, 1
la $a1, {added_data}
li $a2, %d
syscall
''' % (len(test_str))
p1 = InsertCodePatch(0x40076c, added_code)
p2 = AddRODataPatch(test_str, "added_data")
self.run_test("printf_nopie", [p1, p2], expected_output=b"qwertyuiop\n\x00Hi", expected_returnCode=0)
def test_add_label_patch(self):
p1 = AddLabelPatch(0x10451, "added_label")
added_code = '''
mov r7, 0x4
mov r0, 0x1
ldr r1, ={added_label}
mov r2, 1
svc 0
'''
p2 = InsertCodePatch(0x103ec, added_code)
self.run_test("printf_nopie", [p1, p2],
expected_output=b"sHi",
expected_returnCode=0)
def test_add_label_patch(self):
p1 = AddLabelPatch(0x120000cf9, "added_label")
added_code = '''
dli $v0, 5001
dli $a0, 1
dla $a1, {added_label}
dli $a2, 1
syscall
'''
p2 = InsertCodePatch(0x120000b20, added_code)
self.run_test("printf_nopie", [p1, p2],
expected_output=b"sHi",
expected_returnCode=0)
def test_add_rw_init_data_patch(self, tlen=5):
p1 = AddRWInitDataPatch(b"A" * tlen, "added_data_rw")
added_code = '''
mov r7, 0x4
mov r0, 0x1
ldr r1, ={added_data_rw}
mov r2, %d
svc 0
''' % tlen
p2 = InsertCodePatch(0x103ec, added_code, "print")
self.run_test("printf_nopie", [p1, p2],
expected_output=b"A" * tlen + b"Hi",
expected_returnCode=0)
def test_add_rw_init_data_patch(self, tlen=5):
p1 = AddRWInitDataPatch(b"A" * tlen, "added_data_rw")
added_code = '''
mov eax,0x4
mov ebx,0x1
mov edx, %d
mov ecx, {added_data_rw}
int 0x80
''' % tlen
p2 = InsertCodePatch(0x8048457, added_code, "print")
self.run_test("printf_nopie", [p1, p2],
expected_output=b"A" * tlen + b"Hi",
expected_returnCode=0)
def test_add_ro_data_patch(self, tlen=5):
p1 = AddRODataPatch(b"A" * tlen, "added_data")
added_code = '''
mov eax, 4 ;sys_write
mov ebx, 1 ;fd = stdout
mov ecx, {added_data} ;buf
mov edx, %d ;len
int 0x80
''' % tlen
p2 = InsertCodePatch(0x8048457, added_code, "added_code")
self.run_test("printf_nopie", [p1, p2],
expected_output=b"A" * tlen + b"Hi",
expected_returnCode=0x0)
def test_add_rw_init_data_patch(self, tlen=5):
p1 = AddRWInitDataPatch(b"A" * tlen, "added_data_rw")
added_code = '''
dli $v0, 5001
dli $a0, 1
dla $a1, {added_data_rw}
dli $a2, %d
syscall
''' % tlen
p2 = InsertCodePatch(0x120000b20, added_code, "print")
self.run_test("printf_nopie", [p1, p2],
expected_output=b"A" * tlen + b"Hi",
expected_returnCode=0)
def test_insert_code_patch(self):
test_str = b"qwertyuiop\n\x00"
added_code = '''
mov eax, 4
mov ebx, 1
mov ecx, {added_data}
mov edx, %d
int 0x80
''' % (len(test_str))
p1 = InsertCodePatch(0x8048457, added_code)
p2 = AddRODataPatch(test_str, "added_data")
self.run_test("printf_nopie", [p1, p2],
expected_output=b"qwertyuiop\n\x00Hi",
expected_returnCode=0)
def test_add_label_patch(self):
p1 = AddLabelPatch(0x10000759, "added_label")
added_code = '''
li r0, 4
li r3, 1
lis r4, {added_label}@h
ori r4, r4, {added_label}@l
li r5, 1
sc
'''
p2 = InsertCodePatch(0x100004f8, added_code)
self.run_test("printf_nopie", [p1, p2],
expected_output=b"sHi",
expected_returnCode=0)
def test_add_ro_data_patch(self, tlen=5):
p1 = AddRODataPatch(b"A" * tlen, "added_data")
added_code = '''
li r0, 4
li r3, 1
lis r4, {added_data}@h
ori r4, r4, {added_data}@l
li r5, %d
sc
''' % tlen
p2 = InsertCodePatch(0x100004f8, added_code, "added_code")
self.run_test("printf_nopie", [p1, p2],
expected_output=b"A" * tlen + b"Hi",
expected_returnCode=0x0)
def test_insert_code_patch(self):
test_str = b"qwertyuiop\n\x00"
added_code = '''
li r0, 4
li r3, 1
lis r4, {added_data}@h
ori r4, r4, {added_data}@l
li r5, %d
sc
''' % (len(test_str))
p1 = InsertCodePatch(0x100004f8, added_code)
p2 = AddRODataPatch(test_str, "added_data")
self.run_test("printf_nopie", [p1, p2],
expected_output=b"qwertyuiop\n\x00Hi",
expected_returnCode=0)
def test_sample_pie(self):
patches = []
transmit_code = '''
pop rsi
pop rax
push rsi
sub rsi, rax
sub rsi, 0xa
add rsi, {transmitted_string}
mov rax, 1
mov rdi, 1
syscall
mov rbx, (rsp)
add rsp, 8
pop r9
pop r8
pop r10
pop rdx
pop rsi
pop rdi
pop rax
mov (rsp), rbx
ret
'''
injected_code = '''
push rax
push rdi
push rsi
push rdx
push r10
push r8
push r9
mov rdx, 10
push $
call {transmit_function}
'''
patches.append(AddCodePatch(transmit_code, name="transmit_function"))
patches.append(
AddRODataPatch(b"---HI---\x00", name="transmitted_string"))
patches.append(
InsertCodePatch(0x400665,
injected_code,
name="injected_code_after_receive"))
self.run_test("sample_x86-64_pie",
patches,
expected_output=b'---HI---\x00\x00Purdue')
def test_double_patch_collision(self):
test_str1 = b"1111111111\n\x00"
test_str2 = b"2222222222\n\x00"
added_code1 = '''
li r0, 4
li r3, 1
lis r4, {str1}@h
ori r4, r4, {str1}@l
li r5, %d
sc
''' % (len(test_str1))
added_code2 = '''
li r0, 4
li r3, 1
lis r4, {str2}@h
ori r4, r4, {str2}@l
li r5, %d
sc
''' % (len(test_str2))
p1 = InsertCodePatch(0x100004f8, added_code1, name="p1", priority=100)
p2 = InsertCodePatch(0x100004f8, added_code2, name="p2", priority=1)
p3 = AddRODataPatch(test_str1, "str1")
p4 = AddRODataPatch(test_str2, "str2")
self.run_test("printf_nopie", [p1, p2, p3, p4],
expected_output=test_str1 + b"Hi",
try_without_cfg=False)
p1 = InsertCodePatch(0x100004f8, added_code1, name="p1", priority=1)
p2 = InsertCodePatch(0x100004f8, added_code2, name="p2", priority=100)
p3 = AddRODataPatch(test_str1, "str1")
p4 = AddRODataPatch(test_str2, "str2")
backend = self.run_test("printf_nopie", [p1, p2, p3, p4],
expected_output=test_str2 + b"Hi",
try_without_cfg=False)
self.assertNotIn(p1, backend.added_patches)
self.assertIn(p2, backend.added_patches)
p1 = InsertCodePatch(0x100004f8, added_code1, name="p1", priority=1)
p2 = InsertCodePatch(0x100004f8 + 0x4,
added_code2,
name="p2",
priority=100)
p3 = AddRODataPatch(test_str1, "str1")
p4 = AddRODataPatch(test_str2, "str2")
backend = self.run_test("printf_nopie", [p1, p2, p3, p4],
expected_output=test_str2 + b"Hi",
try_without_cfg=False)
self.assertNotIn(p1, backend.added_patches)
self.assertIn(p2, backend.added_patches)
def test_c_compilation(self):
added_code = '''
mov ecx, 0x4
%s
mov ebx, 1
lea ecx, [0x080484f4]
mov edx, 1
int 0x80
''' % patcherex.utils.get_nasm_c_wrapper_code("c_function",
get_return=True)
self.run_test("printf_nopie", [
InsertCodePatch(0x8048457, added_code, name="p1", priority=1),
AddCodePatch(
"__attribute__((fastcall)) int func(int a){ return a; }",
"c_function",
is_c=True)
],
expected_output=b"sHi",
expected_returnCode=0x0)
def test_double_patch_collision(self):
test_str1 = b"1111111111\n\x00"
test_str2 = b"2222222222\n\x00"
added_code1 = '''
dli $v0, 5001
dli $a0, 1
dla $a1, {str1}
dli $a2, %d
syscall
''' % (len(test_str1))
added_code2 = '''
dli $v0, 5001
dli $a0, 1
dla $a1, {str2}
dli $a2, %d
syscall
''' % (len(test_str2))
p1 = InsertCodePatch(0x120000b20, added_code1, name="p1", priority=100)
p2 = InsertCodePatch(0x120000b20, added_code2, name="p2", priority=1)
p3 = AddRODataPatch(test_str1, "str1")
p4 = AddRODataPatch(test_str2, "str2")
self.run_test("printf_nopie", [p1, p2, p3, p4],
expected_output=test_str1 + b"Hi",
try_without_cfg=False)
p1 = InsertCodePatch(0x120000b20, added_code1, name="p1", priority=1)
p2 = InsertCodePatch(0x120000b20, added_code2, name="p2", priority=100)
p3 = AddRODataPatch(test_str1, "str1")
p4 = AddRODataPatch(test_str2, "str2")
backend = self.run_test("printf_nopie", [p1, p2, p3, p4],
expected_output=test_str2 + b"Hi",
try_without_cfg=False)
self.assertNotIn(p1, backend.added_patches)
self.assertIn(p2, backend.added_patches)
p1 = InsertCodePatch(0x120000b20, added_code1, name="p1", priority=1)
p2 = InsertCodePatch(0x120000b20 + 0x4,
added_code2,
name="p2",
priority=100)
p3 = AddRODataPatch(test_str1, "str1")
p4 = AddRODataPatch(test_str2, "str2")
backend = self.run_test("printf_nopie", [p1, p2, p3, p4],
expected_output=test_str2 + b"Hi",
try_without_cfg=False)
self.assertNotIn(p1, backend.added_patches)
self.assertIn(p2, backend.added_patches)
def test_c_compilation(self):
added_code = '''
li r3, 0
%s
li r0, 4
lis r4, 0x10000759@h
ori r4, r4, 0x10000759@l
li r5, 1
sc
''' % DetourBackendPpc.get_c_function_wrapper_code("c_function")
self.run_test("printf_nopie", [
InsertCodePatch(0x100004f8, added_code, name="p1", priority=1),
AddCodePatch(
"__attribute__((fastcall)) int func(int a){ return a + 1; }",
"c_function",
is_c=True,
compiler_flags="")
],
expected_output=b"sHi",
expected_returnCode=0x0)
def test_add_rw_data_patch(self, tlen=5):
p1 = AddRWDataPatch(tlen, "added_data_rw")
added_code = '''
mov eax, 4
mov ebx, 1
xor ecx, ecx
mov edx, %d
_loop:
cmp ecx, edx
je _exit
mov BYTE [{added_data_rw}+ecx], 0x41
add ecx, 1
jmp _loop
_exit
mov ecx, {added_data_rw}
int 0x80
''' % tlen
p2 = InsertCodePatch(0x8048457, added_code, "modify_and_print")
self.run_test("printf_nopie", [p1, p2],
expected_output=b"A" * tlen + b"Hi",
expected_returnCode=0)
def test_add_rw_data_patch(self, tlen=5):
p1 = AddRWDataPatch(tlen, "added_data_rw")
added_code = '''
li $a0, 0x41
li $a1, 0x0
li $a2, %d
la $a3, {added_data_rw}
_loop:
beq $a1, $a2, _exit
sb $a0, ($a3)
addiu $a1, $a1, 1
addiu $a3, $a3, 1
b _loop
_exit:
li $v0, 4004
li $a0, 0x1
la $a1, {added_data_rw}
syscall
''' % tlen
p2 = InsertCodePatch(0x40076c, added_code, "modify_and_print")
self.run_test("printf_nopie", [p1, p2], expected_output=b"A"*tlen + b"Hi", expected_returnCode=0)
def test_c_compilation(self):
added_code = '''
mov r7, 0x4
mov r0, 0x0
%s
ldr r1, =0x10451
mov r2, 1
svc 0
''' % DetourBackendArm.get_c_function_wrapper_code("c_function")
self.run_test("printf_nopie", [
InsertCodePatch(0x103ec, added_code, name="p1", priority=1),
AddCodePatch(
"__attribute__((fastcall)) int func(int a){ return a + 1; }",
"c_function",
is_c=True,
compiler_flags="",
is_thumb=True)
],
expected_output=b"sHi",
expected_returnCode=0x0)
def test_add_rw_data_patch(self, tlen=5):
p1 = AddRWDataPatch(tlen, "added_data_rw")
added_code = '''
mov x8, 0x40
mov x0, 0x41
mov x1, 0x0
mov x2, %d
ldr x3, ={added_data_rw}
_loop:
cmp x1, x2
beq _exit
str x0, [x3, x1]
add x1, x1, 1
b _loop
_exit:
mov x0, 0x1
ldr x1, ={added_data_rw}
svc 0
''' % tlen
p2 = InsertCodePatch(0x400580, added_code, "modify_and_print")
self.run_test("printf_nopie", [p1, p2], expected_output=b"A"*tlen + b"Hi", expected_returnCode=0)
def test_sample_no_pie(self):
patches = []
transmit_code = '''
mov rax, 1
mov rdi, 1
syscall
mov rbx, (rsp)
add rsp, 8
pop r9
pop r8
pop r10
pop rdx
pop rsi
pop rdi
pop rax
mov (rsp), rbx
ret
'''
patches.append(AddCodePatch(transmit_code, name="transmit_function"))
patches.append(
AddRODataPatch(b"---HI---\x00", name="transmitted_string"))
injected_code = '''
push rax
push rdi
push rsi
push rdx
push r10
push r8
push r9
mov rsi, {transmitted_string}
mov rdx, 10
call {transmit_function}
'''
patches.append(
InsertCodePatch(0x400502,
injected_code,
name="injected_code_after_receive"))
self.execute(patches, "sample_x86-64_no_pie",
b'---HI---\x00\x00Purdue')
def test_double_patch_collision(self):
test_str1 = b"1111111111\n\x00"
test_str2 = b"2222222222\n\x00"
added_code1 = '''
mov r7, 0x4
mov r0, 0x1
ldr r1, ={str1}
mov r2, %d
svc 0
''' % (len(test_str1))
added_code2 = '''
mov r7, 0x4
mov r0, 0x1
ldr r1, ={str2}
mov r2, %d
svc 0
''' % (len(test_str2))
p1 = InsertCodePatch(0x103ec, added_code1, name="p1", priority=100)
p2 = InsertCodePatch(0x103ec, added_code2, name="p2", priority=1)
p3 = AddRODataPatch(test_str1, "str1")
p4 = AddRODataPatch(test_str2, "str2")
self.run_test("printf_nopie", [p1, p2, p3, p4],
expected_output=test_str1 + b"Hi")
p1 = InsertCodePatch(0x103ec, added_code1, name="p1", priority=1)
p2 = InsertCodePatch(0x103ec, added_code2, name="p2", priority=100)
p3 = AddRODataPatch(test_str1, "str1")
p4 = AddRODataPatch(test_str2, "str2")
backend = self.run_test("printf_nopie", [p1, p2, p3, p4],
expected_output=test_str2 + b"Hi")
self.assertNotIn(p1, backend.added_patches)
self.assertIn(p2, backend.added_patches)
p1 = InsertCodePatch(0x103ec, added_code1, name="p1", priority=1)
p2 = InsertCodePatch(0x103ec + 0x4,
added_code2,
name="p2",
priority=100)
p3 = AddRODataPatch(test_str1, "str1")
p4 = AddRODataPatch(test_str2, "str2")
backend = self.run_test("printf_nopie", [p1, p2, p3, p4],
expected_output=test_str2 + b"Hi")
self.assertNotIn(p1, backend.added_patches)
self.assertIn(p2, backend.added_patches)
