from zelos import CommandLineOption
from zelos.hooks import HookType
from zelos.plugin import OSPlugin

from .kernel import construct_kernel
from .loader import ElfLoader, LinuxMode
from .parse import LiefELF
from .signals import Signals

# Registers the --linux_rootfs option. It is repeatable (action="append") and
# each value is an "ARCH,PATH" pair naming a host directory that stands in for
# the emulated guest's root filesystem for that architecture.
# NOTE(review): PATH is a host directory exposed to the (untrusted) guest
# binary being emulated. The code that maps guest paths onto it lives
# elsewhere (loader/kernel); confirm it canonicalises guest paths so that
# '..' components or symlinks cannot reach outside the rootfs directory.
CommandLineOption(
    "linux_rootfs",
    action="append",
    default=[],
    help="Specify the rootfs directory for an emulated architecture. Can "
    "be specified multiple times to set the rootfs for different "
    "architectures, and the appropriate rootfs will be used during "
    "emulation. Format: '--linux_rootfs ARCH,PATH'. ARCH is 'x86', "
    "'x86-64', 'arm', or 'mips'. PATH is the absolute host path to the "
    "directory to be used as rootfs.",
)


class Linux(OSPlugin):
    """
    OS plugin providing a Linux userland for ELF targets.

    The ELF parser, loader, kernel and signal helpers imported above are the
    building blocks; only the constructor and the start of parse() are
    visible in this excerpt.
    """

    # Plugin name; presumably the key zelos uses to refer to this OS plugin.
    NAME = "Linux"

    def __init__(self, z):
        """
        Initialise the plugin against the Zelos instance ``z``.

        ``initial_parse`` starts out False; presumably parse() sets it once
        the first binary has been parsed -- confirm against the rest of the
        class.
        """
        super().__init__(z)
        self.initial_parse = False

    def parse(self, path, binary_data):
# You should have received a copy of the GNU Affero General Public # License along with this program. If not, see # <http://www.gnu.org/licenses/>. # ====================================================================== import base64 import json import logging from os.path import abspath, basename from termcolor import colored from zelos import CommandLineOption, IPlugin, Zelos CommandLineOption("export_mem", action="store_true", help="Export memory regions.") CommandLineOption("export_trace", action="store_true", help="Export dynamic trace data.") class Overlay(IPlugin): """ Provides functionality for exporting memory & instruction overlays. """ def __init__(self, z: Zelos): super().__init__(z) self.logger = logging.getLogger(__name__)
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
# You should have received a copy of the GNU Affero General Public
# License along with this program. If not, see
# <http://www.gnu.org/licenses/>.
# ======================================================================
from collections import defaultdict

from zelos import CommandLineOption, HookType, IPlugin

# Bounds on syscall activity. Capping the syscall count limits how long an
# uncooperative or looping sample can keep the emulator busy.
# NOTE(review): both defaults are 0. Taken literally, "stop after 0 syscalls"
# would halt immediately, so 0 presumably means "no limit" -- that is decided
# by the plugin's checks, not by these declarations; confirm there.
CommandLineOption(
    "syscall_limit",
    type=int,
    default=0,
    help="Stop execution after SYSCALL_LIMIT syscalls are executed.",
)
CommandLineOption(
    "syscall_thread_limit",
    type=int,
    default=0,
    help="End THREAD after SYSCALL_THREAD_LIMIT syscalls are executed"
    " in that thread",
)
CommandLineOption(
    "syscall_thread_swap",
    type=int,
    default=100,
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
# You should have received a copy of the GNU Affero General Public
# License along with this program. If not, see
# <http://www.gnu.org/licenses/>.
# ======================================================================
from collections import defaultdict

from zelos import Zelos, IPlugin, CommandLineOption, HookType
import hexdump

# Boolean switch enabling the sanitizer-style heap checks in this plugin.
CommandLineOption("asan", action="store_true", help="ASAN-like capabilities")


class WriteRecord:
    """
    One recorded memory write: which instruction wrote which value where.
    """

    def __init__(self, ip_addr: int, mem_addr: int, value):
        # Address of the instruction that performed the write.
        self.ip_addr = ip_addr
        # Address the write targeted.
        self.mem_addr = mem_addr
        # Value written; __repr__ renders it with plain str(), so no type is
        # assumed here.
        self.value = value

    def __repr__(self):
        # Both addresses in hex, the value as-is.
        return f"(ip 0x{self.ip_addr:x}: {self.value} -> 0x{self.mem_addr:x})"


class AllocInfo:
    def __init__(self, addr, size, inst_addr, desc, is_free=False):
        # Address of the corresponding heap buffer allocation
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
# You should have received a copy of the GNU Affero General Public
# License along with this program. If not, see
# <http://www.gnu.org/licenses/>.
# ======================================================================
from collections import defaultdict

from zelos import CommandLineOption, HookType, IPlugin, Zelos

# Bounds on syscall activity. Capping the syscall count limits how long an
# uncooperative or looping sample can keep the emulator busy.
# NOTE(review): both defaults are 0. Taken literally, "stop after 0 syscalls"
# would halt immediately, so 0 presumably means "no limit" -- that is decided
# by the plugin's checks, not by these declarations; confirm there.
CommandLineOption(
    "syscall_limit",
    type=int,
    default=0,
    help="Stop execution after SYSCALL_LIMIT syscalls are executed.",
)
CommandLineOption(
    "syscall_thread_limit",
    type=int,
    default=0,
    help="End THREAD after SYSCALL_THREAD_LIMIT syscalls are executed"
    " in that thread",
)
CommandLineOption(
    "syscall_thread_swap",
    type=int,
    default=100,
from collections import defaultdict

from graphviz import Digraph

from zelos import CommandLineOption, IPlugin, Zelos
from zelos.exceptions import MemoryReadUnmapped

# Boolean switch; read back below as ``self.zelos.config.cfg``.
CommandLineOption(
    "cfg", action="store_true", help="Generate a Control Flow Graph (CFG)."
)


class GraphvizCFG(IPlugin):
    """
    Plugin for zelos that generates a control flow graph using graphviz.
    """

    def __init__(self, z: Zelos):
        """
        Set up CFG collection when the configuration allows it.

        Returns early when ``_check_config()`` is falsy; in that case
        ``last_inst``, ``edges`` and ``cfg`` are never created, so the other
        methods presumably rely on the feed never having been subscribed --
        confirm.
        """
        super().__init__(z)
        self.logger = self.zelos.logger
        if not self._check_config():
            return
        # Most recently seen instruction and the collected edge lists
        # (defaultdict, so unseen keys start as an empty list).
        self.last_inst = None
        self.edges = defaultdict(list)
        if self.zelos.config.cfg:
            # NOTE(review): output is written relative to the current working
            # directory ('cfg.png' per the log line below), and graphviz's
            # render() presumably invokes the external `dot` executable from
            # PATH -- run from a directory you control with a trusted graphviz
            # install.
            self.cfg = Digraph(filename="cfg", format="png")
            self._subscribe_to_feed()

            def closure():
                # Deferred: render the accumulated graph to disk.
                self.cfg.render()
                self.logger.info("Saved CFG to 'cfg.png'")
# <http://www.gnu.org/licenses/>.
# ======================================================================
import logging

import capstone.arm_const as cs_arm
import capstone.x86_const as cs_x86
from termcolor import colored

from zelos import CommandLineOption, IPlugin
from zelos.exceptions import MemoryReadUnmapped

# Tracing switches.
CommandLineOption(
    "trace_off",
    action="store_true",
    help="Turns off printing on the command line",
)
# NOTE(review): a trace written to disk records the sample's instruction
# stream and may include memory contents -- treat the file as a sensitive
# artefact. The path is a plain string from the command line; how it is
# opened is decided elsewhere in this plugin.
CommandLineOption(
    "trace_file",
    type=str,
    default=None,
    help="Writes the trace to a file instead of the command line.",
)
# action="count": each repetition of the flag raises the level by one.
CommandLineOption(
    "fasttrace",
    action="count",
    default=0,
    help=("Enable instruction-level tracing only the first time a memory "
"""
# tl;dr

This is a copy of the strings_script.py file, except written as a Zelos
plugin. In order to include this plugin, you must either

  * copy this file into the zelos/ext/plugins folder
  * specify the containing folder in the ZELOS_PLUGIN_DIR environment
    variable

NOTE(review): anything zelos picks up from ZELOS_PLUGIN_DIR is Python that
runs inside the emulator process, so only point that variable at
directories you trust.
"""

# Minimum string length to report; None leaves the plugin inactive or on its
# own default -- which of the two is decided where the option is read.
CommandLineOption(
    "print_strings",
    type=int,
    default=None,
    help="The minimum size of string to identify",
)


class StringCollectorPlugin(IPlugin):
    NAME = "strings"
    # NOTE(review): the string literal below is NOT the class docstring. A
    # docstring must be the first statement of the class body, and NAME
    # precedes it, so this is a no-op expression and __doc__ stays None.
    # Moving it above NAME would make it the docstring.
    """
    Identifies strings that are written in-memory.

    We identify strings by the observation that when they are written to
    memory

      * They are comprised of valid utf-8 bytes
      * The string is written in sequential chunks.

    This runs into some false positives with data that happens to be valid
    utf-8. To reduce false positives we observe that

      * Strings often end at the first null byte.
import pathlib
from collections import defaultdict
from io import StringIO
from itertools import islice
from pathlib import Path
from typing import Generator, List

import zelos
from zelos import CommandLineOption, IPlugin, Zelos

# Sources of yara rules, all optional and combinable: explicit rule files
# (repeatable), a glob of rule files, and inline rule strings (repeatable).
# NOTE(review): the glob expands on the host, so an over-broad pattern
# silently pulls in every matching file; keep rule sources to paths you
# control. Rule compilation happens elsewhere in this plugin.
CommandLineOption(
    "yara_file",
    type=str,
    action="append",
    default=[],
    help="Scan memory for yara rules in the specified file(s)",
)
CommandLineOption(
    "yara_file_glob",
    type=str,
    default=None,
    help="Scan memory for yara rules in all files specified by the given glob",
)
CommandLineOption(
    "yara_rule",
    type=str,
    action="append",
    default=[],
    help="Scan memory for the specified yara rule string(s).",
from crashd.taint.tcg import TCGParse
from crashd.taint.taint_graph import TaintGraph
from crashd.dwarf.dwarf_source_code import (
    show_tainted_source,
    annotate_with_dwarf_data,
    get_function_info,
)

from zelos.ext.plugins.trace import Trace

# The import is kept for its side effect (presumably so the trace plugin is
# loaded before taint tracking needs it -- confirm); the assignment only
# stops linters from flagging it as unused.
_ = Trace

CommandLineOption(
    "taint",
    action="store_true",
    help=("Enables collection of data that allows for taint tracking."
    " Collection will slow down overall run."),
)
# Repeatable. nargs="?" with const="" means a bare --taint_when (no value)
# appends the empty string; the ZML condition text is interpreted elsewhere.
CommandLineOption(
    "taint_when",
    action="append",
    nargs="?",
    default=[],
    const="",
    metavar="ZML_STRING",
    help="Starts taint tracking when the specified ZML condition is met.",
)
CommandLineOption(
    "taint_output",
# You should have received a copy of the GNU Affero General Public # License along with this program. If not, see # <http://www.gnu.org/licenses/>. # ====================================================================== import base64 import json import logging from os.path import abspath, basename from termcolor import colored from zelos import CommandLineOption, IPlugin, Zelos CommandLineOption("export_mem", action="store_true", help="Export memory regions.") CommandLineOption("export_insts", action="store_true", help="Export instructions.") CommandLineOption("export_funcs", action="store_true", help="Export functions.") class Overlay(IPlugin): """ Provides functionality for exporting memory & instruction overlays. """