def test_overlay_comments(self):
z = Zelos(
path.join(DATA_DIR, "static_elf_helloworld"),
inst=True,
fasttrace=True,
export_trace=True,
)
directory = tempfile.TemporaryDirectory()
# The exported file is written to the directory that zelos is
# run in
original_dir = os.path.abspath(os.path.curdir)
try:
os.chdir(directory.name)
z.start()
z.close()
finally:
os.chdir(original_dir)
output = open(path.join(directory.name, "static_elf_helloworld.zmu"))
data = output.read()[len("DISAS\n"):]
memdump = json.loads(data)
self.assertGreaterEqual(len(memdump["comments"]), 8277)
self.assertEqual(len(memdump["functions"]), 244)
self.assertEqual(memdump["comments"][0]["address"], 134515568)
self.assertEqual(memdump["comments"][0]["text"], "ebp = 0x0")
output.close()
def test_yarascan(self):
# Create temp directory to store yarascan output files
with tempfile.TemporaryDirectory() as tmpdir:
filename1 = path.join(tmpdir, "rulefile1.yar")
filename2 = path.join(tmpdir, "rulefile2.yar")
filename3 = path.join(tmpdir, "rulefile3.yap")
with open(filename1,
"w") as f1, open(filename2,
"w") as f2, open(filename3, "w") as f3:
f1.write(rule1)
f2.write(rule2)
f3.write(rule3)
testglob = path.join(tmpdir, "*.yar")
yaml_filename = path.join(tmpdir, "yara.yaml")
memdump_dir = path.join(tmpdir, "memdumps")
# Init `zelos` and request yara scanning post-emulation.
z = Zelos(
path.join(DATA_DIR, "static_elf_helloworld"),
trace_off=True,
yara_file=filename3,
yara_file_glob=testglob,
yara_rule=r"/hello\sworld!/nocase",
yara_memdump=memdump_dir,
yara_outfile=yaml_filename,
yara_xrefs=True,
# yara_brief=True,
# yara_pid=None,
)
z.start(timeout=10)
# Invoke yarascan plugin via scripting, independent of the
# post-emulation scanning.
yara = z.plugins.yarascan
yara.compile(rules=["Hello World"], files=[], glob_string=None)
matches = list(
yara.matches(pid=z.process.pid,
yamldump=yaml_filename,
brief=True))
self.assertEqual(1, len(matches))
self.assertEqual(matches[0].info(brief=True),
"Matched rule: cmdline.rule0")
# Test missing `yara-python` dependency
with mock.patch.dict(sys.modules, {"yara": None}):
self.assertFalse(yara.import_yara())
self.assertTrue(yara.import_yara())
# `close` triggers the yara memory scan requested via
# the `yara_` arguments during `zelos` initialization.
z.close()
# Load in the yaml file generated by yarascan for validation
with open(yaml_filename, "r") as f:
yaml = f.read()
# PID may change, omit it from test
yaml = remove_matching_lines(yaml, ["pid"])
yaml = yaml.replace("\t", " ")
# Check each yaml entry individually, since `yara-python`
# match order is not deterministic.
for expected in expected_yaml:
self.assertTrue(expected in yaml)
from zelos import Zelos
# Initialize Zelos Engine
z = Zelos('crackme0x02')
# Set a one-shot temporary breakpoint
z.set_breakpoint(0x8048448, True)
# Start emulating!
z.start()
# We've hit our breakpoint. Read our password from EAX
password = z.regs.eax
print('Password in EAX is %d' % password)
# Single step
z.step()
# Read from the local variable var_ch. This should have the same value as EAX
password = z.memory.read_int(z.regs.ebp-0x0c)
print('Password at var_ch / EBP-0x0Ch is %d' % password)
# Cleanup
z.close()
