def __init__(self, parent, sex, size):
self.parent = parent
self.shlist = []
ehdr = self.parent.Ehdr
of1 = ehdr.shoff
if not of1: # No SH table
return
for i in range(ehdr.shnum):
of2 = of1 + ehdr.shentsize
shstr = parent[of1:of2]
self.shlist.append(Section(self, sex, size, shstr=shstr))
of1 = of2
self._shstr = self.shlist[ehdr.shstrndx]
for s in self.shlist:
if not isinstance(s, NoBitsSection):
s._content = StrPatchwork(
parent[s.sh.offset: s.sh.offset + s.sh.size]
)
# Follow dependencies when initializing sections
zero = self.shlist[0]
todo = self.shlist[1:]
done = []
while todo:
s = todo.pop(0)
if ((s.linksection == zero or s.linksection in done) and
(s.infosection in [zero, None] or s.infosection in done)):
done.append(s)
s.parse_content(sex, size)
else:
todo.append(s)
for s in self.shlist:
self.do_add_section(s)
def build_content(self):
c = StrPatchwork()
c[0] = bytes(self.Ehdr)
c[self.Ehdr.phoff] = bytes(self.ph)
for s in self.sh:
c[s.sh.offset] = bytes(s.content)
c[self.Ehdr.shoff] = bytes(self.sh)
return bytes(c)
def asm(self):
asmcfg = parse_asm.parse_txt(mn_aarch64, 'l', self.TXT, self.loc_db)
# fix shellcode addr
self.loc_db.set_location_offset(self.loc_db.get_name_location("main"), 0x0)
s = StrPatchwork()
patches = asmblock.asm_resolve_final(mn_aarch64, asmcfg)
for offset, raw in viewitems(patches):
s[offset] = raw
self.assembly = bytes(s)
def asm(self):
blocks, loc_db = parse_asm.parse_txt(mn_mips32, 'l', self.TXT,
loc_db=self.myjit.ir_arch.loc_db)
# fix shellcode addr
loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0)
s = StrPatchwork()
patches = asmblock.asm_resolve_final(mn_mips32, blocks, loc_db)
for offset, raw in viewitems(patches):
s[offset] = raw
s = bytes(s)
self.assembly = s
def asm(self):
mn_x86 = self.machine.mn
asmcfg = parse_asm.parse_txt(mn_x86, self.arch_attrib, self.TXT,
self.loc_db)
# fix shellcode addr
self.loc_db.set_location_offset(self.loc_db.get_name_location("main"),
0x0)
output = StrPatchwork()
patches = asm_resolve_final(mn_x86, asmcfg)
for offset, raw in viewitems(patches):
output[offset] = raw
self.assembly = bytes(output)
def build_content(self):
content = StrPatchwork()
content[0] = bytes(self.Doshdr)
for section in self.SHList.shlist:
content[section.offset:section.offset + section.rawsize] = bytes(
section.data)
# fix image size
section_last = self.SHList.shlist[-1]
size = section_last.addr + section_last.size + (
self.NThdr.sectionalignment - 1)
size &= ~(self.NThdr.sectionalignment - 1)
self.NThdr.sizeofimage = size
off = self.Doshdr.lfanew
content[off] = bytes(self.NTsig)
off += len(self.NTsig)
content[off] = bytes(self.Coffhdr)
off += len(self.Coffhdr)
off_shlist = off + self.Coffhdr.sizeofoptionalheader
content[off] = bytes(self.Opthdr)
off += len(self.Opthdr)
content[off] = bytes(self.NThdr)
off += len(self.NThdr)
# content[off] = bytes(self.Optehdr)
off = off_shlist
content[off] = bytes(self.SHList)
for section in self.SHList:
if off + len(bytes(self.SHList)) > section.offset:
log.warn("section offset overlap pe hdr 0x%x 0x%x" %
(off + len(bytes(self.SHList)), section.offset))
self.DirImport.build_content(content)
self.DirExport.build_content(content)
self.DirDelay.build_content(content)
self.DirReloc.build_content(content)
self.DirRes.build_content(content)
self.DirTls.build_content(content)
if (self.Doshdr.lfanew + len(self.NTsig) + len(self.Coffhdr)) % 4:
log.warn("non aligned coffhdr, bad crc calculation")
crcs = compute_crc(bytes(content), self.NThdr.CheckSum)
content[self.Doshdr.lfanew + len(self.NTsig) + len(self.Coffhdr) +
64] = struct.pack('I', crcs)
return bytes(content)
def __init__(self, minidump_str):
self._content = StrPatchwork(minidump_str)
# Specific streams
self.modulelist = None
self.memory64list = None
self.memorylist = None
self.memoryinfolist = None
self.systeminfo = None
# Get information
self.streams = []
self.threads = None
self.parse_content()
# Memory information
self.memory = {} # base address (virtual) -> Memory information
self.build_memory()
def parse_content(self,
parse_resources=True,
parse_delay=True,
parse_reloc=True):
off = 0
self._sex = 0
self._wsize = 32
self.Doshdr = pe.Doshdr.unpack(self.content, off, self)
off = self.Doshdr.lfanew
if off > len(self.content):
log.warn('ntsig after eof!')
self.NTsig = None
return
self.NTsig = pe.NTsig.unpack(self.content, off, self)
self.DirImport = None
self.DirExport = None
self.DirDelay = None
self.DirReloc = None
self.DirRes = None
if self.NTsig.signature != 0x4550:
log.warn('not a valid pe!')
return
off += len(self.NTsig)
self.Coffhdr, length = pe.Coffhdr.unpack_l(self.content, off, self)
off += length
self._wsize = ord(self.content[off + 1]) * 32
if self._wsize == 32:
Opthdr = pe.Opthdr32
else:
Opthdr = pe.Opthdr64
if len(self.content) < 0x200:
# Fix for very little PE
self.content += (0x200 - len(self.content)) * b'\x00'
self.Opthdr, length = Opthdr.unpack_l(self.content, off, self)
self.NThdr = pe.NThdr.unpack(self.content, off + length, self)
self.img_rva[0] = self.content[:self.NThdr.sizeofheaders]
off += self.Coffhdr.sizeofoptionalheader
self.SHList = pe.SHList.unpack(self.content, off, self)
# load section data
filealignment = self.NThdr.filealignment
sectionalignment = self.NThdr.sectionalignment
for section in self.SHList.shlist:
virt_size = (section.size // sectionalignment +
1) * sectionalignment
if self.loadfrommem:
section.offset = section.addr
if self.NThdr.sectionalignment > 0x1000:
raw_off = 0x200 * (section.offset // 0x200)
else:
raw_off = section.offset
if raw_off != section.offset:
log.warn('unaligned raw section (%x %x)!', raw_off,
section.offset)
section.data = StrPatchwork()
if section.rawsize == 0:
rounded_size = 0
else:
if section.rawsize % filealignment:
rs = (section.rawsize // filealignment + 1) * filealignment
else:
rs = section.rawsize
rounded_size = rs
if rounded_size > virt_size:
rounded_size = min(rounded_size, section.size)
data = self.content[raw_off:raw_off + rounded_size]
section.data = data
# Pad data to page size 0x1000
length = len(data)
data += b"\x00" * ((((length + 0xfff)) & 0xFFFFF000) - length)
self.img_rva[section.addr] = data
# Fix img_rva
self.img_rva = self.img_rva
try:
self.DirImport = pe.DirImport.unpack(
self.img_rva,
self.NThdr.optentries[pe.DIRECTORY_ENTRY_IMPORT].rva, self)
except pe.InvalidOffset:
log.warning('cannot parse DirImport, skipping')
self.DirImport = pe.DirImport(self)
try:
self.DirExport = pe.DirExport.unpack(
self.img_rva,
self.NThdr.optentries[pe.DIRECTORY_ENTRY_EXPORT].rva, self)
except pe.InvalidOffset:
log.warning('cannot parse DirExport, skipping')
self.DirExport = pe.DirExport(self)
if len(self.NThdr.optentries) > pe.DIRECTORY_ENTRY_DELAY_IMPORT:
self.DirDelay = pe.DirDelay(self)
if parse_delay:
try:
self.DirDelay = pe.DirDelay.unpack(
self.img_rva, self.NThdr.optentries[
pe.DIRECTORY_ENTRY_DELAY_IMPORT].rva, self)
except pe.InvalidOffset:
log.warning('cannot parse DirDelay, skipping')
if len(self.NThdr.optentries) > pe.DIRECTORY_ENTRY_BASERELOC:
self.DirReloc = pe.DirReloc(self)
if parse_reloc:
try:
self.DirReloc = pe.DirReloc.unpack(
self.img_rva, self.NThdr.optentries[
pe.DIRECTORY_ENTRY_BASERELOC].rva, self)
except pe.InvalidOffset:
log.warning('cannot parse DirReloc, skipping')
if len(self.NThdr.optentries) > pe.DIRECTORY_ENTRY_RESOURCE:
self.DirRes = pe.DirRes(self)
if parse_resources:
self.DirRes = pe.DirRes(self)
try:
self.DirRes = pe.DirRes.unpack(
self.img_rva,
self.NThdr.optentries[pe.DIRECTORY_ENTRY_RESOURCE].rva,
self)
except pe.InvalidOffset:
log.warning('cannot parse DirRes, skipping')
def __init__(self,
pestr=None,
loadfrommem=False,
parse_resources=True,
parse_delay=True,
parse_reloc=True,
wsize=32):
self._rva = ContectRva(self)
self._virt = ContentVirtual(self)
self.img_rva = StrPatchwork()
if pestr is None:
self._content = StrPatchwork()
self._sex = 0
self._wsize = wsize
self.Doshdr = pe.Doshdr(self)
self.NTsig = pe.NTsig(self)
self.Coffhdr = pe.Coffhdr(self)
if self._wsize == 32:
Opthdr = pe.Opthdr32
else:
Opthdr = pe.Opthdr64
self.Opthdr = Opthdr(self)
self.NThdr = pe.NThdr(self)
self.NThdr.optentries = [pe.Optehdr(self) for _ in range(0x10)]
self.NThdr.CheckSum = 0
self.SHList = pe.SHList(self)
self.SHList.shlist = []
self.NThdr.sizeofheaders = 0x1000
self.DirImport = pe.DirImport(self)
self.DirExport = pe.DirExport(self)
self.DirDelay = pe.DirDelay(self)
self.DirReloc = pe.DirReloc(self)
self.DirRes = pe.DirRes(self)
self.Doshdr.magic = 0x5a4d
self.Doshdr.lfanew = 0xe0
self.NTsig.signature = 0x4550
if wsize == 32:
self.Opthdr.magic = 0x10b
elif wsize == 64:
self.Opthdr.magic = 0x20b
else:
raise ValueError('unknown pe size %r' % wsize)
self.Opthdr.majorlinkerversion = 0x7
self.Opthdr.minorlinkerversion = 0x0
self.NThdr.filealignment = 0x1000
self.NThdr.sectionalignment = 0x1000
self.NThdr.majoroperatingsystemversion = 0x5
self.NThdr.minoroperatingsystemversion = 0x1
self.NThdr.MajorImageVersion = 0x5
self.NThdr.MinorImageVersion = 0x1
self.NThdr.majorsubsystemversion = 0x4
self.NThdr.minorsubsystemversion = 0x0
self.NThdr.subsystem = 0x3
if wsize == 32:
self.NThdr.dllcharacteristics = 0x8000
else:
self.NThdr.dllcharacteristics = 0x8000
# for createthread
self.NThdr.sizeofstackreserve = 0x200000
self.NThdr.sizeofstackcommit = 0x1000
self.NThdr.sizeofheapreserve = 0x100000
self.NThdr.sizeofheapcommit = 0x1000
self.NThdr.ImageBase = 0x400000
self.NThdr.sizeofheaders = 0x1000
self.NThdr.numberofrvaandsizes = 0x10
self.NTsig.signature = 0x4550
if wsize == 32:
self.Coffhdr.machine = 0x14c
elif wsize == 64:
self.Coffhdr.machine = 0x8664
else:
raise ValueError('unknown pe size %r' % wsize)
if wsize == 32:
self.Coffhdr.characteristics = 0x10f
self.Coffhdr.sizeofoptionalheader = 0xe0
else:
self.Coffhdr.characteristics = 0x22 # 0x2f
self.Coffhdr.sizeofoptionalheader = 0xf0
else:
self._content = StrPatchwork(pestr)
self.loadfrommem = loadfrommem
self.parse_content(parse_resources=parse_resources,
parse_delay=parse_delay,
parse_reloc=parse_reloc)
"--verbose",
help="verbose mode",
action="store_true")
options = parser.parse_args()
if options.endianness == 'b':
sandbox = Sandbox_Linux_armb_str
elif options.endianness == 'l':
sandbox = Sandbox_Linux_arml_str
else:
raise ValueError("Bad endianness!")
loc_db = LocationDB()
sb = sandbox(loc_db, options.filename, options, globals())
if options.address is None:
raise ValueError('invalid address')
sb.run()
# test correct de xor
start = sb.jitter.cpu.R0
stop = sb.jitter.cpu.R1
s = sb.jitter.vm.get_mem(start, stop - start)
s = StrPatchwork(s)
for i, c in enumerate(s):
s[i] = int_to_byte(ord(c) ^ 0x11)
s = bytes(s)
assert (s == b"test string\x00")
new_dll = [({
"name": "USER32.dll",
"firstthunk": s_iat.addr
}, ["MessageBoxA"])]
pe.DirImport.add_dlldesc(new_dll)
s_myimp = pe.SHList.add_section(name="myimp", rawsize=len(pe.DirImport))
pe.DirImport.set_rva(s_myimp.addr)
pe.Opthdr.AddressOfEntryPoint = s_text.addr
addr_main = pe.rva2virt(s_text.addr)
virt = pe.virt
output = pe
dst_interval = interval([(pe.rva2virt(s_text.addr),
pe.rva2virt(s_text.addr + s_text.size))])
else:
st = StrPatchwork()
addr_main = 0
virt = st
output = st
# Get and parse the source code
with open(args.source) as fstream:
source = fstream.read()
loc_db = LocationDB()
asmcfg = parse_asm.parse_txt(machine.mn, attrib, source, loc_db)
# Fix shellcode addrs
loc_db.set_location_offset(loc_db.get_name_location("main"), addr_main)
def __set__(self, owner, new_content):
owner.resize(len(owner._content), len(new_content))
owner._content = StrPatchwork(new_content)
owner.parse_content(owner.sex, owner.size)
