Esempi in Python per DSEPathConstraint

Linguaggio di programmazione: Python

Spazio dei nomi/nome del pacchetto: miasm2.analysis.dse

Classe/tipologia: DSEPathConstraint

Esempi su hotexamples.com: 7

DSEPathConstraint in Python: 7 esempi trovati. Questi sono i migliori esempi reali in Python per miasm2.analysis.dse.DSEPathConstraint, estratti da progetti open source. Li puoi valutare, per aiutarci a migliorare la qualità dei nostri esempi.

Metodi utilizzati di frequente

Mostra Nascondi

attach(4)

add_lib_handler(3)

update_state_from_concrete(3)

DSEPathConstraint(1)

restore_snapshot(1)

take_snapshot(1)

update_state(1)

Esempio n. 1

Mostra file

def main():
	#Grab Filename
	parser = Sandbox_Linux_x86_64.parser(description="Sandbox")
	parser.add_argument('filename',help='filename')
	args = parser.parse_args()
	
	#Create Sandbox at entry of binary
	sb = Sandbox_Linux_x86_64(args.filename,args,globals())
	sb.jitter.init_run(sb.entry_point)

	#Stack cookies
	sb.jitter.vm.add_memory_page(0x28,PAGE_READ|PAGE_WRITE,"B"*100,"stack cookies")
	
	#Create dynamic symbolic engine
	machine = Machine("x86_64")
	dse = DSEPathConstraint(machine,produce_solution=DSEPathConstraint.PRODUCE_SOLUTION_PATH_COV)
	dse.attach(sb.jitter)

	#Setup dse, all libraries are now handled by names in the globals
	dse.update_state_from_concrete()
	dse.add_lib_handler(sb.libs,globals())
	#dse.jitter.jit.log_mn=True

	#Run
	sb.run()

	#Print answers
	dse.cur_solver.check()
	model = dse.cur_solver.model()
	print model

Esempio n. 2

Mostra file

File: solution.py Progetto: Trietptm-on-Coding-Algorithms/Miasm2_Examples

def main():
    global dse

    #Argparse wrapper is within Sandbox_Linux_x86_64, but it also return a jitter object so w/e
    parser = Sandbox_Linux_x86_64.parser(description="Sandbox")
    parser.add_argument('filename', help="filename")
    args = parser.parse_args()

    #start sandbox
    sb = Sandbox_Linux_x86_64(args.filename, args, globals())
    sb.jitter.init_run(sb.entry_point)

    #Stack cookies
    sb.jitter.vm.add_memory_page(0x28, PAGE_READ | PAGE_WRITE, "B" * 100,
                                 "stack cookies")

    #Setup Dynamic Sym Engine and the machine
    machine = Machine("x86_64")
    dse = DSEPathConstraint(
        machine, produce_solution=DSEPathConstraint.PRODUCE_SOLUTION_PATH_COV)
    dse.attach(sb.jitter)
    dse.update_state_from_concrete()
    #dse.jitter.jit.log_mn = True

    #DSE stubs are handled by functions in the globals, aka you the programmer
    dse.add_lib_handler(sb.libs, globals())

    #Run, print solutions
    sb.run()
    print dse.new_solutions

    pass

Esempio n. 3

Mostra file

File: s.py Progetto: SneakyNachos/Miasm2_Examples

from miasm2.analysis.machine import Machine
from miasm2.core.utils import *
from miasm2.analysis.binary import Container
from miasm2.core import asmblock
from miasm2.expression.expression import *
from argparse import ArgumentParser
from miasm2.analysis.sandbox import Sandbox_Linux_x86_32
from miasm2.analysis.dse import DSEPathConstraint
from miasm2.jitter.csts import PAGE_READ,PAGE_WRITE
from miasm2.os_dep.linux_stdlib import *
import struct

#Machine, Dynamic Sym Engine
machine = Machine("x86_32")
dse = DSEPathConstraint(machine,produce_solution=DSEPathConstraint.PRODUCE_SOLUTION_PATH_COV)

def ptrace_bp(jitter):
	#Force ptrace to return 0, always
	ret_addr = jitter.get_stack_arg(0)
	jitter.func_ret_systemv(ret_addr,0)
	return True

def toint_bp(jitter):
	"""toInt handler, change input to a 32-bit integer"""
	ret_addr,args = jitter.func_args_systemv(["input"])	
	jitter.func_ret_systemv(ret_addr,args.input)
	dse.attach(jitter)
	dse.update_state_from_concrete()
	regs = dse.ir_arch.arch.regs
	dse.update_state({
		regs.EAX: ExprId("input",32)

Esempio n. 4

Mostra file

File: dse_crackme.py Progetto: vbrandl/miasm

def xxx_puts_symb(dse):
    string = dse.jitter.get_str_ansi(dse.jitter.cpu.RDI)
    raise FinishOn(string)


todo = set([""])  # Set of file content to test

# Instantiate the DSE engine
machine = Machine("x86_64")
# Convert strategy to the correct value
strategy = {
    "code-cov": DSEPathConstraint.PRODUCE_SOLUTION_CODE_COV,
    "branch-cov": DSEPathConstraint.PRODUCE_SOLUTION_BRANCH_COV,
    "path-cov": DSEPathConstraint.PRODUCE_SOLUTION_PATH_COV,
}[options.strategy]
dse = DSEPathConstraint(machine, produce_solution=strategy)

# Attach to the jitter
dse.attach(sb.jitter)

# Update the jitter state: df is read, but never set
# Approaches: specific or generic
# - Specific:
#   df_value = ExprInt(sb.jitter.cpu.df, dse.ir_arch.arch.regs.df.size)
#   dse.update_state({
#       dse.ir_arch.arch.regs.df: df_value
#   })
# - Generic:
dse.update_state_from_concrete()

# Add constraint on file size, we don't want to generate too big FILE

Esempio n. 5

Mostra file

File: dse_crackme.py Progetto: commial/miasm

def xxx_puts_symb(dse):
    string = dse.jitter.get_str_ansi(dse.jitter.cpu.RDI)
    raise FinishOn(string)


todo = set([""]) # Set of file content to test

# Instanciate the DSE engine
machine = Machine("x86_64")
# Convert strategy to the correct value
strategy = {
    "code-cov": DSEPathConstraint.PRODUCE_SOLUTION_CODE_COV,
    "branch-cov": DSEPathConstraint.PRODUCE_SOLUTION_BRANCH_COV,
    "path-cov": DSEPathConstraint.PRODUCE_SOLUTION_PATH_COV,
}[options.strategy]
dse = DSEPathConstraint(machine, produce_solution=strategy)

# Attach to the jitter
dse.attach(sb.jitter)

# Update the jitter state: df is read, but never set
# Approachs: specific or generic
# - Specific:
#   df_value = ExprInt(sb.jitter.cpu.df, dse.ir_arch.arch.regs.df.size)
#   dse.update_state({
#       dse.ir_arch.arch.regs.df: df_value
#   })
# - Generic:
dse.update_state_from_concrete()

# Add constraint on file size, we don't want to generate too big FILE

Esempio n. 6

Mostra file

# Handle return
def code_sentinelle(jitter):
    jitter.run = False
    return False


ret_addr = 0x1337beef
jitter.add_breakpoint(ret_addr, code_sentinelle)
jitter.push_uint32_t(ret_addr)

# Init the jitter
jitter.init_run(run_addr)

# Init a DSE instance with a given strategy
dse = DSEPathConstraint(machine, produce_solution=strategy)
dse.attach(jitter)
# Concretize everything exept the argument
dse.update_state_from_concrete()
regs = jitter.ir_arch.arch.regs
arg = ExprId("ARG", 32)
arg_addr = ExprMem(ExprInt(jitter.cpu.ESP + 4, regs.ESP.size), arg.size)
dse.update_state({
    # @[ESP + 4] = ARG
    arg_addr: arg
})

# Explore solutions
todo = set([ExprInt(0, arg.size)])
done = set()
snapshot = dse.take_snapshot()

Esempio n. 7

Mostra file

File: dse_strategies.py Progetto: commial/miasm

jitter.push_uint32_t(0)

# Handle return
def code_sentinelle(jitter):
    jitter.run = False
    return False

ret_addr = 0x1337beef
jitter.add_breakpoint(ret_addr, code_sentinelle)
jitter.push_uint32_t(ret_addr)

# Init the jitter
jitter.init_run(run_addr)

# Init a DSE instance with a given strategy
dse = DSEPathConstraint(machine, produce_solution=strategy)
dse.attach(jitter)
# Concretize everything except the argument
dse.update_state_from_concrete()
regs = jitter.ir_arch.arch.regs
arg = ExprId("ARG", 32)
arg_addr = ExprMem(ExprInt(jitter.cpu.ESP + 4, regs.ESP.size), arg.size)
dse.update_state({
    # @[ESP + 4] = ARG
    arg_addr: arg
})

# Explore solutions
todo = set([ExprInt(0, arg.size)])
done = set()
snapshot = dse.take_snapshot()