def analyze(self): try: self.__offset = int(self.__options.offset, 16) if self.__options.offset else 0 except ValueError: print("[Error] The offset must be in hexadecimal") return False if self.__options.console: if self.__options.binary: self.__binary = Binary(self.__options) if self.__checksBeforeManipulations() == False: return False self.cmdloop() return True self.__binary = Binary(self.__options) if self.__checksBeforeManipulations() == False: return False if self.__options.string: return self.__lookingForAString(self.__options.string) elif self.__options.opcode: return self.__lookingForOpcodes(self.__options.opcode) elif self.__options.memstr: return self.__lookingForMemStr(self.__options.memstr) else: self.__getGadgets() self.__lookingForGadgets() if self.__options.ropchain: ROPMaker(self.__binary, self.__gadgets, self.__offset) return True
def analyze_to_get_gadgets(self): if os.path.isfile('rop_core.cache'): try: self.c._Core__offset = int(self.c._Core__options.offset, 16) if self.c._Core__options.offset else 0 except ValueError: print("[Error] The offset must be in hexadecimal") return Fa self.c._Core__binary = Binary(self.c._Core__options) if self.c._Core__checksBeforeManipulations() == False: return False print '[+] loading rop core from disk' with open('rop_core.cache','rb') as f: self.c._Core__gadgets = pickle.load(f) else: try: self.c._Core__offset = int(self.c._Core__options.offset, 16) if self.c._Core__options.offset else 0 except ValueError: print("[Error] The offset must be in hexadecimal") return Fa self.c._Core__binary = Binary(self.c._Core__options) if self.c._Core__checksBeforeManipulations() == False: return False else: print 'getting all gadgets' self.c._Core__getAllgadgets() print '[+] dumping rop core to disk' with open('rop_core.cache','wb') as f: for agadget in self.c.gadgets(): agadget['decodes'] = None pickle.dump(self.c.gadgets(), f, -1)
def __init__(self, binary, depth=20): self.__opt = PseudoOpt(binary, depth) self.__binary = Binary(self.__opt) self.__rpg_core = Gadgets(self.__binary, self.__opt, 0) self.__gadget_list = [] self.__serach_gadget()
def analyze(self): try: self.__offset = int(self.__options.offset, 16) if self.__options.offset else 0 except ValueError: print("[Error] The offset must be in hexadecimal") return False if self.__options.console: if self.__options.binary: self.__binary = Binary(self.__options) if self.__checksBeforeManipulations() == False: return False self.cmdloop() return True self.__binary = Binary(self.__options) if self.__checksBeforeManipulations() == False: return False if self.__options.string: return self.__lookingForAString(self.__options.string) elif self.__options.opcode: return self.__lookingForOpcodes(self.__options.opcode) elif self.__options.memstr: return self.__lookingForMemStr(self.__options.memstr) else: self.__getAllgadgets() self.__lookingForGadgets() if self.__options.ropchain: ROPMaker(self.__binary, self.__gadgets, self.__offset) return True
def custom_analysis(core): try: core._Core__offset = int(core._Core__options.offset, 16) if core._Core__options.offset else 0 except ValueError: print("[Error] The offset must be in hexadecimal") return Fa if core._Core__options.console: if core._Core__options.binary: core._Core__binary = Binary(core._Core__options) if core._Core__checksBeforeManipulations() == False: return False core.cmdloop() return T core._Core__binary = Binary(core._Core__options) if core._Core__checksBeforeManipulations() == False: return Fa if core._Core__options.string: return core._Core__lookingForAString(core._Core__options.string) elif core._Core__options.opcode: return core._Core__lookingForOpcodes(core._Core__options.opcode) elif core._Core__options.memstr: return core._Core__lookingForMemStr(core._Core__options.memstr) else: core._Core__getAllgadgets() core._Core__lookingForGadgets() #custom_looingForGadgets(core) if core._Core__options.ropchain: ROPMaker(core._Core__binary, core.__gadgets, core.__offset) return True
def analyze(self): try: self.__offset = int(self.__options.offset, 16) if self.__options.offset else 0 except ValueError: print("[Error] The offset must be in hexadecimal") return False if self.__options.console: if self.__options.binary: self.__binary = Binary(self.__options) if self.__checksBeforeManipulations() == False: return False self.cmdloop() return True self.__binary = Binary(self.__options) if self.__checksBeforeManipulations() == False: return False if self.__options.string: return self.__lookingForAString(self.__options.string) elif self.__options.opcode: return self.__lookingForOpcodes(self.__options.opcode) elif self.__options.memstr: return self.__lookingForMemStr(self.__options.memstr) else: self.__getGadgets() if (self.__options.microgadgets): self.__checkingForClasses() # print self.__options else: self.__lookingForGadgets() if self.__options.ropchain: ROPMaker(self.__binary, self.__gadgets, self.__offset) elif self.__options.fns: arch = self.__binary.getArchMode() if arch != CS_MODE_32: self.functions().show() else: print("Not implemented on 32 bit yet.") elif self.__options.fns2map: arch = self.__binary.getArchMode() if arch != CS_MODE_32: self.functions().map() else: print("Not implemented on 32 bit yet.") elif self.__options.fns2list: arch = self.__binary.getArchMode() if arch != CS_MODE_32: self.functions().list() else: print("Not implemented on 32 bit yet.") elif self.__options.fns2lines: arch = self.__binary.getArchMode() if arch != CS_MODE_32: self.functions().lines() else: print("Not implemented on 32 bit yet.") return True
class RPG: def __init__(self, binary, depth=20): self.__opt = PseudoOpt(binary, depth) self.__binary = Binary(self.__opt) self.__rpg_core = Gadgets(self.__binary, self.__opt, 0) self.__gadget_list = [] self.__serach_gadget() @property def gadget_list(self): return self.__gadget_list def __serach_gadget(self): exec_sections = self.__binary.getExecSections() for sct in exec_sections: self.__gadget_list += self.__rpg_core.addROPGadgets(sct) self.__gadget_list += self.__rpg_core.addSYSGadgets(sct) self.__gadget_list += self.__rpg_core.addJOPGadgets(sct) self.__gadget_list = self.__rpg_core.passClean(self.__gadget_list, False) self.__gadget_list = alphaSortgadgets(self.__gadget_list) def dump_gadget(self): print(self.__gadget_list[0]) for gadget in self.__gadget_list: print(f"{gadget['vaddr']:x}: {gadget['gadget']}")
def do_binary(self, s, silent=False): # Do not split the filename with spaces since it might contain # whitespaces if len(s) == 0: if not silent: return self.help_binary() return False binary = s self.__options.binary = binary self.__binary = Binary(self.__options) if self.__checksBeforeManipulations() == False: return False if not silent: print("[+] Binary loaded")
class Core(cmd.Cmd): def __init__(self, options): cmd.Cmd.__init__(self) self.__options = options self.__binary = None self.__gadgets = [] self.__offset = 0 self.prompt = '(ROPgadget)> ' def __checksBeforeManipulations(self): if self.__binary == None or self.__binary.getBinary() == None or self.__binary.getArch() == None or self.__binary.getArchMode() == None or self.__binary.getEndian() == None: return False return True def _sectionInRange(self, section): """ given a section and a range, edit the section so that all opcodes are within the range """ if self.__options.range == "0x0-0x0": return section rangeStart, rangeEnd = map(lambda x:int(x, 16), self.__options.range.split('-')) sectionStart = section['vaddr'] sectionEnd = sectionStart + section['size'] opcodes = section['opcodes'] if rangeEnd < sectionStart or rangeStart > sectionEnd: return None if rangeStart > sectionStart: diff = rangeStart - sectionStart opcodes = opcodes[diff:] section['vaddr'] += diff section['offset'] += diff section['size'] -= diff if rangeEnd < sectionEnd: diff = sectionEnd - rangeEnd opcodes = opcodes[:-diff] section['size'] -= diff if not section['size']: return None section['opcodes'] = opcodes return section def __getGadgets(self): if self.__checksBeforeManipulations() == False: return False G = Gadgets(self.__binary, self.__options, self.__offset) execSections = self.__binary.getExecSections() # Find ROP/JOP/SYS gadgets self.__gadgets = [] for section in execSections: section = self._sectionInRange(section) if not section: continue if not self.__options.norop: self.__gadgets += G.addROPGadgets(section) if not self.__options.nojop: self.__gadgets += G.addJOPGadgets(section) if not self.__options.nosys: self.__gadgets += G.addSYSGadgets(section) # Delete duplicate gadgets if not self.__options.all and not self.__options.noinstr: self.__gadgets = rgutils.deleteDuplicateGadgets(self.__gadgets) # Applicate some Options self.__gadgets = Options(self.__options, self.__binary, self.__gadgets).getGadgets() # Sorted alphabetically if not self.__options.noinstr: self.__gadgets = rgutils.alphaSortgadgets(self.__gadgets) return True def __lookingForGadgets(self): if self.__checksBeforeManipulations() == False: return False if self.__options.silent: return True arch = self.__binary.getArchMode() print("Gadgets information\n============================================================") for gadget in self.__gadgets: vaddr = gadget["vaddr"] insts = gadget.get("gadget", "") bytesStr = " // " + binascii.hexlify(gadget["bytes"]).decode('utf8') if self.__options.dump else "" print(("0x%08x" %(vaddr) if arch == CS_MODE_32 else "0x%016x" %(vaddr)) + (" : %s" %(insts) if insts else "") + bytesStr) print("\nUnique gadgets found: %d" %(len(self.__gadgets))) return True def __lookingForAString(self, string): if self.__checksBeforeManipulations() == False: return False if self.__options.silent: return True dataSections = self.__binary.getDataSections() arch = self.__binary.getArchMode() print("Strings information\n============================================================") for section in dataSections: section = self._sectionInRange(section) if not section: continue allRef = [m.start() for m in re.finditer(string.encode(), section["opcodes"])] for ref in allRef: vaddr = self.__offset + section["vaddr"] + ref match = section["opcodes"][ref:ref+len(string)] print(("0x%08x" %(vaddr) if arch == CS_MODE_32 else "0x%016x" %(vaddr)) + " : %s" %(match.decode())) return True def __lookingForOpcodes(self, opcodes): import binascii if self.__checksBeforeManipulations() == False: return False if self.__options.silent: return True execSections = self.__binary.getExecSections() arch = self.__binary.getArchMode() print("Opcodes information\n============================================================") for section in execSections: section = self._sectionInRange(section) if not section: continue allRef = [m.start() for m in re.finditer(re.escape(binascii.unhexlify(opcodes)), section["opcodes"])] for ref in allRef: vaddr = self.__offset + section["vaddr"] + ref print(("0x%08x" %(vaddr) if arch == CS_MODE_32 else "0x%016x" %(vaddr)) + " : %s" %(opcodes)) return True def __lookingForMemStr(self, memstr): if self.__checksBeforeManipulations() == False: return False if self.__options.silent: return True sections = self.__binary.getExecSections() sections += self.__binary.getDataSections() arch = self.__binary.getArchMode() print("Memory bytes information\n=======================================================") chars = list(memstr) for char in chars: try: for section in sections: section = self._sectionInRange(section) if not section: continue allRef = [m.start() for m in re.finditer(char.encode('utf-8'), section["opcodes"])] for ref in allRef: vaddr = self.__offset + section["vaddr"] + ref print(("0x%08x" %(vaddr) if arch == CS_MODE_32 else "0x%016x" %(vaddr)) + " : '%c'" %(char)) raise except: pass return True def analyze(self): try: self.__offset = int(self.__options.offset, 16) if self.__options.offset else 0 except ValueError: print("[Error] The offset must be in hexadecimal") return False if self.__options.console: if self.__options.binary: self.__binary = Binary(self.__options) if self.__checksBeforeManipulations() == False: return False self.cmdloop() return True self.__binary = Binary(self.__options) if self.__checksBeforeManipulations() == False: return False if self.__options.string: return self.__lookingForAString(self.__options.string) elif self.__options.opcode: return self.__lookingForOpcodes(self.__options.opcode) elif self.__options.memstr: return self.__lookingForMemStr(self.__options.memstr) else: self.__getGadgets() self.__lookingForGadgets() if self.__options.ropchain: ROPMaker(self.__binary, self.__gadgets, self.__offset) return True def gadgets(self): return self.__gadgets # Console methods ============================================ def do_binary(self, s, silent=False): # Do not split the filename with spaces since it might contain # whitespaces if len(s) == 0: if not silent: return self.help_binary() return False binary = s self.__options.binary = binary self.__binary = Binary(self.__options) if self.__checksBeforeManipulations() == False: return False if not silent: print("[+] Binary loaded") def help_binary(self): print("Syntax: binary <file> -- Load a binary") return False def do_EOF(self, s, silent=False): return self.do_quit(s, silent) def do_quit(self, s, silent=False): return True def help_quit(self): print("Syntax: quit -- Terminates the application") return False def do_load(self, s, silent=False): if self.__binary == None: if not silent: print("[-] No binary loaded.") return False if not silent: print("[+] Loading gadgets, please wait...") self.__getGadgets() if not silent: print("[+] Gadgets loaded !") def help_load(self): print("Syntax: load -- Load all gadgets") return False def do_display(self, s, silent=False): self.__lookingForGadgets() def help_display(self): print("Syntax: display -- Display all gadgets loaded") return False def do_depth(self, s, silent=False): try: depth = int(s.split()[0]) except: if not silent: return self.help_depth() return False if depth <= 0: if not silent: print("[-] The depth value must be > 0") return False self.__options.depth = int(depth) if not silent: print("[+] Depth updated. You have to reload gadgets") def help_depth(self): print("Syntax: depth <value> -- Set the depth search engine") return False def do_badbytes(self, s, silent=False): try: bb = s.split()[0] except: if not silent: return self.help_badbytes() else: return False self.__options.badbytes = bb if not silent: print("[+] Bad bytes updated. You have to reload gadgets") def help_badbytes(self): print("Syntax: badbytes <badbyte1|badbyte2...> -- ") return False def __withK(self, listK, gadget): if len(listK) == 0: return True for a in listK: if a not in gadget: return False return True def __withoutK(self, listK, gadget): for a in listK: if a in gadget: return False return True def do_search(self, s, silent=False): args = s.split() if not len(args): return self.help_search() withK, withoutK = [], [] for a in args: if a[0:1] == "!": withoutK += [a[1:]] else: withK += [a] if self.__checksBeforeManipulations() == False: if not silent: print("[-] You have to load a binary") return False arch = self.__binary.getArchMode() for gadget in self.__gadgets: vaddr = gadget["vaddr"] insts = gadget["gadget"] if self.__withK(withK, insts) and self.__withoutK(withoutK, insts): # What to do if silent = True? print(("0x%08x" %(vaddr) if arch == CS_MODE_32 else "0x%016x" %(vaddr)) + " : %s" %(insts)) def help_search(self): print("Syntax: search <keyword1 keyword2 keyword3...> -- Filter with or without keywords") print("keyword = with") print("!keyword = without") return False def count(self): return len(self.__gadgets) def do_count(self, s, silent=False): if not silent: print("[+] %d loaded gadgets." % self.count()) def help_count(self): print("Shows the number of loaded gadgets.") return False def do_filter(self, s, silent=False): try: self.__options.filter = s.split()[0] except: if not silent: return self.help_filter() return False if not silent: print("[+] Filter setted. You have to reload gadgets") def help_filter(self): print("Syntax: filter <filter1|filter2|...> - Suppress specific mnemonics") return False def do_only(self, s, silent=False): try: if s.lower() == "none": self.__options.only = None else: self.__options.only = s.split()[0] except: if not silent: return self.help_only() return False if not silent: print("[+] Only setted. You have to reload gadgets") def help_only(self): print("Syntax: only <only1|only2|...> - Only show specific instructions") return False def do_range(self, s, silent=False): try: rangeS = int(s.split('-')[0], 16) rangeE = int(s.split('-')[1], 16) self.__options.range = s.split()[0] except: if not silent: return self.help_range() return False if rangeS > rangeE: if not silent: print("[-] The start value must be greater than the end value") return False if not silent: print("[+] Range setted. You have to reload gadgets") def help_range(self): print("Syntax: range <start-and> - Search between two addresses (0x...-0x...)") return False def do_settings(self, s, silent=False): print("All: %s" %(self.__options.all)) print("Badbytes: %s" %(self.__options.badbytes)) print("Binary: %s" %(self.__options.binary)) print("Depth: %s" %(self.__options.depth)) print("Filter: %s" %(self.__options.filter)) print("Memstr: %s" %(self.__options.memstr)) print("MultiBr: %s" %(self.__options.multibr)) print("NoJOP: %s" %(self.__options.nojop)) print("NoROP: %s" %(self.__options.norop)) print("NoSYS: %s" %(self.__options.nosys)) print("Offset: %s" %(self.__options.offset)) print("Only: %s" %(self.__options.only)) print("Opcode: %s" %(self.__options.opcode)) print("ROPchain: %s" %(self.__options.ropchain)) print("Range: %s" %(self.__options.range)) print("RawArch: %s" %(self.__options.rawArch)) print("RawMode: %s" %(self.__options.rawMode)) print("RawEndian: %s" %(self.__options.rawEndian)) print("Re: %s" %(self.__options.re)) print("String: %s" %(self.__options.string)) print("Thumb: %s" %(self.__options.thumb)) def help_settings(self): print("Display setting's environment") return False def do_nojop(self, s, silent=False): try: arg = s.split()[0] except: return self.help_nojop() if arg == "enable": self.__options.nojop = True if not silent: print("[+] NoJOP enable. You have to reload gadgets") elif arg == "disable": self.__options.nojop = False if not silent: print("[+] NoJOP disable. You have to reload gadgets") else: if not silent: return self.help_nojop() return False def help_nojop(self): print("Syntax: nojop <enable|disable> - Disable JOP search engin") return False def do_norop(self, s, silent=False): try: arg = s.split()[0] except: return self.help_norop() if arg == "enable": self.__options.norop = True if not silent: print("[+] NoROP enable. You have to reload gadgets") elif arg == "disable": self.__options.norop = False if not silent: print("[+] NoROP disable. You have to reload gadgets") else: if not silent: return self.help_norop() return False def help_norop(self): print("Syntax: norop <enable|disable> - Disable ROP search engin") return False def do_nosys(self, s, silent=False): try: arg = s.split()[0] except: return self.help_nosys() if arg == "enable": self.__options.nosys = True if not silent: print("[+] NoSYS enable. You have to reload gadgets") elif arg == "disable": self.__options.nosys = False if not silent: print("[+] NoSYS disable. You have to reload gadgets") else: if not silent: return self.help_nosys() return False def help_nosys(self): print("Syntax: nosys <enable|disable> - Disable SYS search engin") return False def do_thumb(self, s, silent=False): try: arg = s.split()[0] except: return self.help_thumb() if arg == "enable": self.__options.thumb = True if not silent: print("[+] Thumb enable. You have to reload gadgets") elif arg == "disable": self.__options.thumb = False if not silent: print("[+] Thumb disable. You have to reload gadgets") else: if not silent: return self.help_thumb() return False def help_thumb(self): print("Syntax: thumb <enable|disable> - Use the thumb mode for the search engine (ARM only)") return False def do_all(self, s, silent=False): if s == "enable": self.__options.all = True if not silent: print("[+] Showing all gadgets enabled. You have to reload gadgets") elif s == "disable": self.__options.all = False if not silent: print("[+] Showing all gadgets disabled. You have to reload gadgets") else: if not silent: return self.help_all() return False def help_multibr(self): print("Syntax: multibr <enable|disable> - Enable/Disable multiple branch gadgets") return False def do_multibr(self, s, silent=False): if s == "enable": self.__options.multibr = True if not silent: print("[+] Multiple branch gadgets enabled. You have to reload gadgets") elif s == "disable": self.__options.multibr = False if not silent: print("[+] Multiple branch gadgets disabled. You have to reload gadgets") else: if not silent: return self.help_all() return False def help_all(self): print("Syntax: all <enable|disable - Show all gadgets (disable removing duplicate gadgets)") return False def help_re(self): print("Syntax: re <pattern1 | pattern2 |...> - Regular expression") return False def do_re(self, s, silent=False): if s.lower() == 'none': self.__options.re = None elif s == "": self.help_re() silent = True else: self.__options.re = s if not silent: print("[+] Re setted. You have to reload gadgets")
class Core(cmd.Cmd): def __init__(self, options): cmd.Cmd.__init__(self) self.__options = options self.__binary = None self.__gadgets = [] self.__offset = 0 self.prompt = '(ROPgadget)> ' def __checksBeforeManipulations(self): if self.__binary == None or self.__binary.getBinary() == None or self.__binary.getArch() == None or self.__binary.getArchMode() == None: return False return True def __getAllgadgets(self): if self.__checksBeforeManipulations() == False: return False G = Gadgets(self.__binary, self.__options, self.__offset) execSections = self.__binary.getExecSections() # Find ROP/JOP/SYS gadgets self.__gadgets = [] for section in execSections: if not self.__options.norop: self.__gadgets += G.addROPGadgets(section) if not self.__options.nojop: self.__gadgets += G.addJOPGadgets(section) if not self.__options.nosys: self.__gadgets += G.addSYSGadgets(section) # Pass clean single instruction and unknown instructions self.__gadgets = G.passClean(self.__gadgets, self.__options.multibr) # Delete duplicate gadgets if not self.__options.all: self.__gadgets = rgutils.deleteDuplicateGadgets(self.__gadgets) # Applicate some Options self.__gadgets = Options(self.__options, self.__binary, self.__gadgets).getGadgets() # Sorted alphabetically self.__gadgets = rgutils.alphaSortgadgets(self.__gadgets) return True def __lookingForGadgets(self): if self.__checksBeforeManipulations() == False: return False arch = self.__binary.getArchMode() print("Gadgets information\n============================================================") for gadget in self.__gadgets: vaddr = gadget["vaddr"] insts = gadget["gadget"] bytes = gadget["bytes"] bytesStr = " // " + bytes.encode('hex') if self.__options.dump else "" print(("0x%08x" %(vaddr) if arch == CS_MODE_32 else "0x%016x" %(vaddr)) + " : %s" %(insts) + bytesStr) print("\nUnique gadgets found: %d" %(len(self.__gadgets))) return True def __lookingForAString(self, string): if self.__checksBeforeManipulations() == False: return False dataSections = self.__binary.getDataSections() arch = self.__binary.getArchMode() print("Strings information\n============================================================") for section in dataSections: allRef = [m.start() for m in re.finditer(string, section["opcodes"])] for ref in allRef: vaddr = self.__offset + section["vaddr"] + ref string = section["opcodes"][ref:ref+len(string)] rangeS = int(self.__options.range.split('-')[0], 16) rangeE = int(self.__options.range.split('-')[1], 16) if (rangeS == 0 and rangeE == 0) or (vaddr >= rangeS and vaddr <= rangeE): print(("0x%08x" %(vaddr) if arch == CS_MODE_32 else "0x%016x" %(vaddr)) + " : %s" %(string)) return True def __lookingForOpcodes(self, opcodes): if self.__checksBeforeManipulations() == False: return False execSections = self.__binary.getExecSections() arch = self.__binary.getArchMode() print("Opcodes information\n============================================================") for section in execSections: allRef = [m.start() for m in re.finditer(opcodes.decode("hex"), section["opcodes"])] for ref in allRef: vaddr = self.__offset + section["vaddr"] + ref rangeS = int(self.__options.range.split('-')[0], 16) rangeE = int(self.__options.range.split('-')[1], 16) if (rangeS == 0 and rangeE == 0) or (vaddr >= rangeS and vaddr <= rangeE): print(("0x%08x" %(vaddr) if arch == CS_MODE_32 else "0x%016x" %(vaddr)) + " : %s" %(opcodes)) return True def __lookingForMemStr(self, memstr): if self.__checksBeforeManipulations() == False: return False sections = self.__binary.getExecSections() sections += self.__binary.getDataSections() arch = self.__binary.getArchMode() print("Memory bytes information\n=======================================================") chars = list(memstr) for char in chars: try: for section in sections: allRef = [m.start() for m in re.finditer(char, section["opcodes"])] for ref in allRef: vaddr = self.__offset + section["vaddr"] + ref rangeS = int(self.__options.range.split('-')[0], 16) rangeE = int(self.__options.range.split('-')[1], 16) if (rangeS == 0 and rangeE == 0) or (vaddr >= rangeS and vaddr <= rangeE): print(("0x%08x" %(vaddr) if arch == CS_MODE_32 else "0x%016x" %(vaddr)) + " : '%c'" %(char)) raise except: pass return True def analyze(self): try: self.__offset = int(self.__options.offset, 16) if self.__options.offset else 0 except ValueError: print("[Error] The offset must be in hexadecimal") return False if self.__options.console: if self.__options.binary: self.__binary = Binary(self.__options) if self.__checksBeforeManipulations() == False: return False self.cmdloop() return True self.__binary = Binary(self.__options) if self.__checksBeforeManipulations() == False: return False if self.__options.string: return self.__lookingForAString(self.__options.string) elif self.__options.opcode: return self.__lookingForOpcodes(self.__options.opcode) elif self.__options.memstr: return self.__lookingForMemStr(self.__options.memstr) else: self.__getAllgadgets() self.__lookingForGadgets() if self.__options.ropchain: ROPMaker(self.__binary, self.__gadgets, self.__offset) return True def gadgets(self): return self.__gadgets # Console methods ============================================ def do_binary(self, s, silent=False): # Do not split the filename with spaces since it might contain # whitespaces if len(s) == 0: if not silent: return self.help_binary() return False binary = s self.__options.binary = binary self.__binary = Binary(self.__options) if self.__checksBeforeManipulations() == False: return False if not silent: print("[+] Binary loaded") def help_binary(self): print("Syntax: binary <file> -- Load a binary") return False def do_EOF(self, s, silent=False): return self.do_quit(s, silent) def do_quit(self, s, silent=False): return True def help_quit(self): print("Syntax: quit -- Terminates the application") return False def do_load(self, s, silent=False): if self.__binary == None: if not silent: print("[-] No binary loaded.") return False if not silent: print("[+] Loading gadgets, please wait...") self.__getAllgadgets() if not silent: print("[+] Gadgets loaded !") def help_load(self): print("Syntax: load -- Load all gadgets") return False def do_display(self, s, silent=False): self.__lookingForGadgets() def help_display(self): print("Syntax: display -- Display all gadgets loaded") return False def do_depth(self, s, silent=False): try: depth = int(s.split()[0]) except: if not silent: return self.help_depth() return False if depth <= 0: if not silent: print("[-] The depth value must be > 0") return False self.__options.depth = int(depth) if not silent: print("[+] Depth updated. You have to reload gadgets") def help_depth(self): print("Syntax: depth <value> -- Set the depth search engine") return False def do_badbytes(self, s, silent=False): try: bb = s.split()[0] except: if not silent: return self.help_badbytes() else: return False self.__options.badbytes = bb if not silent: print("[+] Bad bytes updated. You have to reload gadgets") def help_badbytes(self): print("Syntax: badbytes <badbyte1|badbyte2...> -- ") return False def __withK(self, listK, gadget): if len(listK) == 0: return True for a in listK: if a not in gadget: return False return True def __withoutK(self, listK, gadget): for a in listK: if a in gadget: return False return True def do_search(self, s, silent=False): args = s.split() if not len(args): return self.help_search() withK, withoutK = [], [] for a in args: if a[0:1] == "!": withoutK += [a[1:]] else: withK += [a] if self.__checksBeforeManipulations() == False: if not silent: print("[-] You have to load a binary") return False arch = self.__binary.getArchMode() for gadget in self.__gadgets: vaddr = gadget["vaddr"] insts = gadget["gadget"] if self.__withK(withK, insts) and self.__withoutK(withoutK, insts): # What to do if silent = True? print(("0x%08x" %(vaddr) if arch == CS_MODE_32 else "0x%016x" %(vaddr)) + " : %s" %(insts)) def help_search(self): print("Syntax: search <keyword1 keyword2 keyword3...> -- Filter with or without keywords") print("keyword = with") print("!keyword = witout") return False def count(self): return len(self.__gadgets) def do_count(self, s, silent=False): if not silent: print("[+] %d loaded gadgets." % self.count()) def help_count(self): print("Shows the number of loaded gadgets.") return False def do_filter(self, s, silent=False): try: self.__options.filter = s.split()[0] except: if not silent: return self.help_filter() return False if not silent: print("[+] Filter setted. You have to reload gadgets") def help_filter(self): print("Syntax: filter <filter1|filter2|...> - Suppress specific instructions") return False def do_only(self, s, silent=False): try: self.__options.only = s.split()[0] except: if not silent: return self.help_only() return False if not silent: print("[+] Only setted. You have to reload gadgets") def help_only(self): print("Syntax: only <only1|only2|...> - Only show specific instructions") return False def do_range(self, s, silent=False): try: rangeS = int(s.split('-')[0], 16) rangeE = int(s.split('-')[1], 16) self.__options.range = s.split()[0] except: if not silent: return self.help_range() return False if rangeS > rangeE: if not silent: print("[-] The start value must be greater than the end value") return False if not silent: print("[+] Range setted. You have to reload gadgets") def help_range(self): print("Syntax: range <start-and> - Search between two addresses (0x...-0x...)") return False def do_settings(self, s, silent=False): print("All: %s" %(self.__options.all)) print("Badbytes: %s" %(self.__options.badbytes)) print("Binary: %s" %(self.__options.binary)) print("Depth: %s" %(self.__options.depth)) print("Filter: %s" %(self.__options.filter)) print("Memstr: %s" %(self.__options.memstr)) print("MultiBr: %s" %(self.__options.multibr)) print("NoJOP: %s" %(self.__options.nojop)) print("NoROP: %s" %(self.__options.norop)) print("NoSYS: %s" %(self.__options.nosys)) print("Offset: %s" %(self.__options.offset)) print("Only: %s" %(self.__options.only)) print("Opcode: %s" %(self.__options.opcode)) print("ROPchain: %s" %(self.__options.ropchain)) print("Range: %s" %(self.__options.range)) print("RawArch: %s" %(self.__options.rawArch)) print("RawMode: %s" %(self.__options.rawMode)) print("String: %s" %(self.__options.string)) print("Thumb: %s" %(self.__options.thumb)) def help_settings(self): print("Display setting's environment") return False def do_nojop(self, s, silent=False): try: arg = s.split()[0] except: return self.help_nojop() if arg == "enable": self.__options.nojop = True if not silent: print("[+] NoJOP enable. You have to reload gadgets") elif arg == "disable": self.__options.nojop = False if not silent: print("[+] NoJOP disable. You have to reload gadgets") else: if not silent: return self.help_nojop() return False def help_nojop(self): print("Syntax: nojop <enable|disable> - Disable JOP search engin") return False def do_norop(self, s, silent=False): try: arg = s.split()[0] except: return self.help_norop() if arg == "enable": self.__options.norop = True if not silent: print("[+] NoROP enable. You have to reload gadgets") elif arg == "disable": self.__options.norop = False if not silent: print("[+] NoROP disable. You have to reload gadgets") else: if not silent: return self.help_norop() return False def help_norop(self): print("Syntax: norop <enable|disable> - Disable ROP search engin") return False def do_nosys(self, s, silent=False): try: arg = s.split()[0] except: return self.help_nosys() if arg == "enable": self.__options.nosys = True if not silent: print("[+] NoSYS enable. You have to reload gadgets") elif arg == "disable": self.__options.nosys = False if not silent: print("[+] NoSYS disable. You have to reload gadgets") else: if not silent: return self.help_nosys() return False def help_nosys(self): print("Syntax: nosys <enable|disable> - Disable SYS search engin") return False def do_thumb(self, s, silent=False): try: arg = s.split()[0] except: return self.help_thumb() if arg == "enable": self.__options.thumb = True if not silent: print("[+] Thumb enable. You have to reload gadgets") elif arg == "disable": self.__options.thumb = False if not silent: print("[+] Thumb disable. You have to reload gadgets") else: if not silent: return self.help_thumb() return False def help_thumb(self): print("Syntax: thumb <enable|disable> - Use the thumb mode for the search engine (ARM only)") return False def do_all(self, s, silent=False): if s == "enable": self.__options.all = True if not silent: print("[+] Showing all gadgets enabled. You have to reload gadgets") elif s == "disable": self.__options.all = False if not silent: print("[+] Showing all gadgets disabled. You have to reload gadgets") else: if not silent: return self.help_all() return False def help_multibr(self): print("Syntax: multibr <enable|disable> - Enable/Disable multiple branch gadgets") return False def do_multibr(self, s, silent=False): if s == "enable": self.__options.multibr = True if not silent: print("[+] Multiple branch gadgets enabled. You have to reload gadgets") elif s == "disable": self.__options.multibr = False if not silent: print("[+] Multiple branch gadgets disabled. You have to reload gadgets") else: if not silent: return self.help_all() return False def help_all(self): print("Syntax: all <enable|disable - Show all gadgets (disable removing duplicate gadgets)") return False
class Core(cmd.Cmd): classes = resolve_datafile('classes.txt') def __init__(self, options): cmd.Cmd.__init__(self) self.__options = options self.__binary = None self.__gadgets = [] self.__offset = 0 self.__functions = None self.prompt = '(ROPgadget)> ' def __checksBeforeManipulations(self): if self.__binary == None or self.__binary.getBinary( ) == None or self.__binary.getArch( ) == None or self.__binary.getArchMode() == None: return False return True def _sectionInRange(self, section): """ given a section and a range, edit the section so that all opcodes are within the range """ if self.__options.range == "0x0-0x0": return section rangeStart, rangeEnd = map(lambda x: int(x, 16), self.__options.range.split('-')) sectionStart = section['vaddr'] sectionEnd = sectionStart + section['size'] opcodes = section['opcodes'] if rangeEnd < sectionStart or rangeStart > sectionEnd: return None if rangeStart > sectionStart: diff = rangeStart - sectionStart opcodes = opcodes[diff:] section['vaddr'] += diff section['offset'] += diff section['size'] -= diff if rangeEnd < sectionEnd: diff = sectionEnd - rangeEnd opcodes = opcodes[:-diff] section['size'] -= diff if not section['size']: return None section['opcodes'] = opcodes return section def __getGadgets(self): if self.__checksBeforeManipulations() == False: return False G = Gadgets(self.__binary, self.__options, self.__offset) execSections = self.__binary.getExecSections() # Find ROP/JOP/SYS gadgets self.__gadgets = [] for section in execSections: section = self._sectionInRange(section) if not section: continue if not self.__options.norop: self.__gadgets += G.addROPGadgets(section) if not self.__options.nojop: self.__gadgets += G.addJOPGadgets(section) if not self.__options.nosys: self.__gadgets += G.addSYSGadgets(section) # Pass clean single instruction and unknown instructions self.__gadgets = G.passClean(self.__gadgets, self.__options.multibr) # Delete duplicate gadgets if not self.__options.all: self.__gadgets = rgutils.deleteDuplicateGadgets(self.__gadgets) # Applicate some Options self.__gadgets = Options(self.__options, self.__binary, self.__gadgets).getGadgets() # Sorted alphabetically self.__gadgets = rgutils.alphaSortgadgets(self.__gadgets) return True def __default_to_regular(self, d): if isinstance(d, defaultdict): d = {k: self.__default_to_regular(v) for k, v in d.items()} return d def __makingclasses(self): ##Read from the current file if Core.classes is None: print('classes.txt datafile not found, sorry.') return single_byte_ins = [ "leave", "clc", "aaa", "sahf", "daa", "aas", "das", "lahf" ] recursivedict = lambda: defaultdict(recursivedict) gadgetclasses = recursivedict() with codecs.open(Core.classes, 'r', 'utf-8') as fp: for line in fp: line.strip() if not line: break if line.split(' ', 1)[0] == "classname": classname = line.split(' ', 1)[1].strip() else: instruction = line instruction = instruction.strip() instruction = instruction.split(',', 1) firstpart = instruction[0].strip() opcode = firstpart.split(' ', 1)[0] if opcode in single_byte_ins: # for single instructions with no operands try: lists = gadgetclasses[opcode] except: pass finally: if not lists: gadgetclasses[opcode] = [classname] else: if classname not in lists: lists.append(classname) continue operand1 = firstpart.partition(' ')[2].strip() operand2 = "" if len(instruction) > 1: operand2 = instruction[1].strip() if operand2 != "": #for instructions with two operands lists = [] try: lists = gadgetclasses[opcode][operand1][operand2] except: pass finally: if not lists: gadgetclasses[opcode][operand1][operand2] = [ classname ] else: if classname not in lists: lists.append(classname) else: #for instructions with one operand lists = [] try: lists = gadgetclasses[opcode][operand1] except: pass finally: if not lists: gadgetclasses[opcode][operand1] = [classname] else: if classname not in lists: lists.append(classname) gadgetclasses = self.__default_to_regular(gadgetclasses) # print gadgetclasses return gadgetclasses def __lookingForGadgets(self): if self.__checksBeforeManipulations() == False: return False if self.__options.silent: return True arch = self.__binary.getArchMode() print( "Gadgets information\n============================================================" ) for gadget in self.__gadgets: vaddr = gadget["vaddr"] insts = gadget["gadget"] bytes = gadget["bytes"] bytesStr = " // " + bytes.encode( 'hex') if self.__options.dump else "" print(("0x%08x" % (vaddr) if arch == CS_MODE_32 else "0x%016x" % (vaddr)) + " : %s" % (insts) + bytesStr) #self.__makingclasses() print("\nUnique gadgets found: %d" % (len(self.__gadgets))) return True def __checkingForClasses(self): if self.__checksBeforeManipulations() == False: return False if self.__options.silent: return True classes = self.__makingclasses() class_ins = {} arch = self.__binary.getArchMode() print( "Gadgets information\n============================================================" ) for gadget in self.__gadgets: vaddr = gadget["vaddr"] insts = gadget["gadget"] bytes = gadget["bytes"] bytesStr = " // " + bytes.encode( 'hex') if self.__options.dump else "" splited_ins = insts.split(' ; ') single_ins = splited_ins[:-1] if (len(single_ins) == 1 and (splited_ins[-1][0] == 'r')): separated_ins = single_ins[0].split(" ", 1) opcode = separated_ins[0] if (len(separated_ins) == 2): arguments = separated_ins[1].split(", ") elif (len(separated_ins) == 1): arguments = [] try: data = classes[opcode] for i in arguments: data = data[i] for j in data: try: class_ins[j].append({ u'addr': vaddr, u'ins': insts + bytesStr, u'arch': arch }) except: class_ins[j] = [{ u'addr': vaddr, u'ins': insts + bytesStr, u'arch': arch }] except: continue for cls in class_ins.keys(): print "\n===========================================================\n", cls, "\n===========================================================" for ins in class_ins[cls]: print(("0x%08x" % (ins["addr"]) if ins["arch"] == CS_MODE_32 else "0x%016x" % (ins["addr"])) + " : %s" % (ins["ins"])) print "\n", len(class_ins.keys()), "Classes Satisfied" print("\nUnique gadgets found: %d" % (len(self.__gadgets))) return True def __lookingForAString(self, string): if self.__checksBeforeManipulations() == False: return False if self.__options.silent: return True dataSections = self.__binary.getDataSections() arch = self.__binary.getArchMode() print( "Strings information\n============================================================" ) for section in dataSections: section = self._sectionInRange(section) if not section: continue allRef = [ m.start() for m in re.finditer(string.encode(), section["opcodes"]) ] for ref in allRef: vaddr = self.__offset + section["vaddr"] + ref match = section["opcodes"][ref:ref + len(string)] print(("0x%08x" % (vaddr) if arch == CS_MODE_32 else "0x%016x" % (vaddr)) + " : %s" % (match.decode())) return True def __lookingForOpcodes(self, opcodes): if self.__checksBeforeManipulations() == False: return False if self.__options.silent: return True execSections = self.__binary.getExecSections() arch = self.__binary.getArchMode() print( "Opcodes information\n============================================================" ) for section in execSections: section = self._sectionInRange(section) if not section: continue allRef = [ m.start() for m in re.finditer( re.escape(opcodes.decode("hex")), section["opcodes"]) ] for ref in allRef: vaddr = self.__offset + section["vaddr"] + ref print(("0x%08x" % (vaddr) if arch == CS_MODE_32 else "0x%016x" % (vaddr)) + " : %s" % (opcodes)) return True def __lookingForMemStr(self, memstr): if self.__checksBeforeManipulations() == False: return False if self.__options.silent: return True sections = self.__binary.getExecSections() sections += self.__binary.getDataSections() arch = self.__binary.getArchMode() print( "Memory bytes information\n=======================================================" ) chars = list(memstr) for char in chars: try: for section in sections: section = self._sectionInRange(section) if not section: continue allRef = [ m.start() for m in re.finditer(char, section["opcodes"]) ] for ref in allRef: vaddr = self.__offset + section["vaddr"] + ref print(("0x%08x" % (vaddr) if arch == CS_MODE_32 else "0x%016x" % (vaddr)) + " : '%c'" % (char)) raise except: pass return True def analyze(self): try: self.__offset = int(self.__options.offset, 16) if self.__options.offset else 0 except ValueError: print("[Error] The offset must be in hexadecimal") return False if self.__options.console: if self.__options.binary: self.__binary = Binary(self.__options) if self.__checksBeforeManipulations() == False: return False self.cmdloop() return True self.__binary = Binary(self.__options) if self.__checksBeforeManipulations() == False: return False if self.__options.string: return self.__lookingForAString(self.__options.string) elif self.__options.opcode: return self.__lookingForOpcodes(self.__options.opcode) elif self.__options.memstr: return self.__lookingForMemStr(self.__options.memstr) else: self.__getGadgets() if (self.__options.microgadgets): self.__checkingForClasses() # print self.__options else: self.__lookingForGadgets() if self.__options.ropchain: ROPMaker(self.__binary, self.__gadgets, self.__offset) elif self.__options.fns: arch = self.__binary.getArchMode() if arch != CS_MODE_32: self.functions().show() else: print("Not implemented on 32 bit yet.") elif self.__options.fns2map: arch = self.__binary.getArchMode() if arch != CS_MODE_32: self.functions().map() else: print("Not implemented on 32 bit yet.") elif self.__options.fns2list: arch = self.__binary.getArchMode() if arch != CS_MODE_32: self.functions().list() else: print("Not implemented on 32 bit yet.") elif self.__options.fns2lines: arch = self.__binary.getArchMode() if arch != CS_MODE_32: self.functions().lines() else: print("Not implemented on 32 bit yet.") return True def gadgets(self): return self.__gadgets def functions(self): return Functions(self, self.__gadgets, self.__options) # Console methods ============================================ def do_fns(self): if self.__binary == None: if not silent: print("[-] No binary loaded.") return False Functions(self, self.__options).show() return False def do_binary(self, s, silent=False): # Do not split the filename with spaces since it might contain # whitespaces if len(s) == 0: if not silent: return self.help_binary() return False binary = s self.__options.binary = binary self.__binary = Binary(self.__options) if self.__checksBeforeManipulations() == False: return False if not silent: print("[+] Binary loaded") def help_binary(self): print("Syntax: binary <file> -- Load a binary") return False def do_EOF(self, s, silent=False): return self.do_quit(s, silent) def do_quit(self, s, silent=False): return True def help_quit(self): print("Syntax: quit -- Terminates the application") return False def do_load(self, s, silent=False): if self.__binary == None: if not silent: print("[-] No binary loaded.") return False if not silent: print("[+] Loading gadgets, please wait...") self.__getGadgets() if not silent: print("[+] Gadgets loaded !") def help_load(self): print("Syntax: load -- Load all gadgets") return False def do_display(self, s, silent=False): self.__lookingForGadgets() def help_display(self): print("Syntax: display -- Display all gadgets loaded") return False def do_depth(self, s, silent=False): try: depth = int(s.split()[0]) except: if not silent: return self.help_depth() return False if depth <= 0: if not silent: print("[-] The depth value must be > 0") return False self.__options.depth = int(depth) if not silent: print("[+] Depth updated. You have to reload gadgets") def help_depth(self): print("Syntax: depth <value> -- Set the depth search engine") return False def do_badbytes(self, s, silent=False): try: bb = s.split()[0] except: if not silent: return self.help_badbytes() else: return False self.__options.badbytes = bb if not silent: print("[+] Bad bytes updated. You have to reload gadgets") def help_badbytes(self): print("Syntax: badbytes <badbyte1|badbyte2...> -- ") return False def __withK(self, listK, gadget): if len(listK) == 0: return True for a in listK: if a not in gadget: return False return True def __withoutK(self, listK, gadget): for a in listK: if a in gadget: return False return True def do_search(self, s, silent=False): args = s.split() if not len(args): return self.help_search() withK, withoutK = [], [] for a in args: if a[0:1] == "!": withoutK += [a[1:]] else: withK += [a] if self.__checksBeforeManipulations() == False: if not silent: print("[-] You have to load a binary") return False arch = self.__binary.getArchMode() for gadget in self.__gadgets: vaddr = gadget["vaddr"] insts = gadget["gadget"] if self.__withK(withK, insts) and self.__withoutK(withoutK, insts): # What to do if silent = True? print(("0x%08x" % (vaddr) if arch == CS_MODE_32 else "0x%016x" % (vaddr)) + " : %s" % (insts)) def help_search(self): print( "Syntax: search <keyword1 keyword2 keyword3...> -- Filter with or without keywords" ) print("keyword = with") print("!keyword = witout") return False def count(self): return len(self.__gadgets) def do_count(self, s, silent=False): if not silent: print("[+] %d loaded gadgets." % self.count()) def help_count(self): print("Shows the number of loaded gadgets.") return False def do_filter(self, s, silent=False): try: self.__options.filter = s.split()[0] except: if not silent: return self.help_filter() return False if not silent: print("[+] Filter setted. You have to reload gadgets") def help_filter(self): print( "Syntax: filter <filter1|filter2|...> - Suppress specific instructions" ) return False def do_only(self, s, silent=False): try: if s.lower() == "none": self.__options.only = None else: self.__options.only = s.split()[0] except: if not silent: return self.help_only() return False if not silent: print("[+] Only setted. You have to reload gadgets") def help_only(self): print( "Syntax: only <only1|only2|...> - Only show specific instructions") return False def do_range(self, s, silent=False): try: rangeS = int(s.split('-')[0], 16) rangeE = int(s.split('-')[1], 16) self.__options.range = s.split()[0] except: if not silent: return self.help_range() return False if rangeS > rangeE: if not silent: print("[-] The start value must be greater than the end value") return False if not silent: print("[+] Range setted. You have to reload gadgets") def help_range(self): print( "Syntax: range <start-and> - Search between two addresses (0x...-0x...)" ) return False def do_settings(self, s, silent=False): print("All: %s" % (self.__options.all)) print("Badbytes: %s" % (self.__options.badbytes)) print("Binary: %s" % (self.__options.binary)) print("Depth: %s" % (self.__options.depth)) print("Filter: %s" % (self.__options.filter)) print("Memstr: %s" % (self.__options.memstr)) print("MultiBr: %s" % (self.__options.multibr)) print("NoJOP: %s" % (self.__options.nojop)) print("NoROP: %s" % (self.__options.norop)) print("NoSYS: %s" % (self.__options.nosys)) print("Offset: %s" % (self.__options.offset)) print("Only: %s" % (self.__options.only)) print("Opcode: %s" % (self.__options.opcode)) print("ROPchain: %s" % (self.__options.ropchain)) print("Range: %s" % (self.__options.range)) print("RawArch: %s" % (self.__options.rawArch)) print("RawMode: %s" % (self.__options.rawMode)) print("Re: %s" % (self.__options.re)) print("String: %s" % (self.__options.string)) print("Thumb: %s" % (self.__options.thumb)) def help_settings(self): print("Display setting's environment") return False def do_nojop(self, s, silent=False): try: arg = s.split()[0] except: return self.help_nojop() if arg == "enable": self.__options.nojop = True if not silent: print("[+] NoJOP enable. You have to reload gadgets") elif arg == "disable": self.__options.nojop = False if not silent: print("[+] NoJOP disable. You have to reload gadgets") else: if not silent: return self.help_nojop() return False def help_nojop(self): print("Syntax: nojop <enable|disable> - Disable JOP search engin") return False def do_norop(self, s, silent=False): try: arg = s.split()[0] except: return self.help_norop() if arg == "enable": self.__options.norop = True if not silent: print("[+] NoROP enable. You have to reload gadgets") elif arg == "disable": self.__options.norop = False if not silent: print("[+] NoROP disable. You have to reload gadgets") else: if not silent: return self.help_norop() return False def help_norop(self): print("Syntax: norop <enable|disable> - Disable ROP search engin") return False def do_nosys(self, s, silent=False): try: arg = s.split()[0] except: return self.help_nosys() if arg == "enable": self.__options.nosys = True if not silent: print("[+] NoSYS enable. You have to reload gadgets") elif arg == "disable": self.__options.nosys = False if not silent: print("[+] NoSYS disable. You have to reload gadgets") else: if not silent: return self.help_nosys() return False def help_nosys(self): print("Syntax: nosys <enable|disable> - Disable SYS search engin") return False def do_thumb(self, s, silent=False): try: arg = s.split()[0] except: return self.help_thumb() if arg == "enable": self.__options.thumb = True if not silent: print("[+] Thumb enable. You have to reload gadgets") elif arg == "disable": self.__options.thumb = False if not silent: print("[+] Thumb disable. You have to reload gadgets") else: if not silent: return self.help_thumb() return False def help_thumb(self): print( "Syntax: thumb <enable|disable> - Use the thumb mode for the search engine (ARM only)" ) return False def do_all(self, s, silent=False): if s == "enable": self.__options.all = True if not silent: print( "[+] Showing all gadgets enabled. You have to reload gadgets" ) elif s == "disable": self.__options.all = False if not silent: print( "[+] Showing all gadgets disabled. You have to reload gadgets" ) else: if not silent: return self.help_all() return False def help_multibr(self): print( "Syntax: multibr <enable|disable> - Enable/Disable multiple branch gadgets" ) return False def do_multibr(self, s, silent=False): if s == "enable": self.__options.multibr = True if not silent: print( "[+] Multiple branch gadgets enabled. You have to reload gadgets" ) elif s == "disable": self.__options.multibr = False if not silent: print( "[+] Multiple branch gadgets disabled. You have to reload gadgets" ) else: if not silent: return self.help_all() return False def help_all(self): print( "Syntax: all <enable|disable - Show all gadgets (disable removing duplicate gadgets)" ) return False def help_re(self): print("Syntax: re <pattern1 | pattern2 |...> - Regular expression") return False def do_re(self, s, silent=False): if s.lower() == 'none': self.__options.re = None elif s == "": self.help_re() silent = True else: self.__options.re = s if not silent: print("[+] Re setted. You have to reload gadgets")
def getGadgetsQuiet(self): self.__binary = Binary(self.__options) self.__getAllgadgets() return self.__gadgets
pe.has_relocs(), 'FunctionsOffset': nucleus_out, } # ----- ROPgadget ----- rg_offset = 0 config = [ '--binary', os.path.join(pe_dir, f), '--all', '--nojop', '--nosys', ] rg_args = Args(config).getArgs() rg_bin = Binary(rg_args) G = Gadgets(rg_bin, rg_args, rg_offset) exec_sections = rg_bin.getExecSections() rg_gadgets = [] for section in exec_sections: rg_gadgets += G.addROPGadgets(section) rg_gadgets = G.passClean(rg_gadgets, rg_args.multibr) rg_gadgets = Options(rg_args, rg_bin, rg_gadgets).getGadgets() # --------------------- if not ropper_parsing_error: rs.setArchitectureFor(name=f, arch='x86') rs.loadGadgetsFor(name=f) rp_gadgets = rs.getFileFor(f).gadgets rp_gadgets.sort(key=attrgetter('address')) print 'Found {} gadgets!'.format(len(rp_gadgets))