def __init__(self, config=None, compiler_instance=None):
    """Initialise an empty session.

    config: optional dictionary of configuration parameters; when given it
        is handed to self.loadConfig.
    compiler_instance: optional compiler instance whose commands are
        processed straight away via self.processCommands.
    """
    # Results and caches all start out empty.
    self.hashes = self.props = self.currentCommand = None
    self.memoryFlags = {}
    self.gadgets = {}
    self.rop = {}
    self.allocated = {}
    self.chunks = set()
    self.stack = []
    self.mode = ""
    # Stack of decisions we may roll back to in order to try other options.
    self.rollbacks = []
    # State machine used while searching for gadgets. The first pushed state
    # is the clean baseline we can return to without building a new machine.
    self.sea = StateMachine(solver=PrettySolver())
    self.sea.push()
    # State machine tracking the current deplib state.
    self.state = StateMachine(solver=PrettySolver())
    # Defaults. modules is deliberately left as None: the caller has to
    # supply the module list, otherwise searching is expected to fail.
    self.modules = None
    self.badchars = ""
    self.stackpage = 0x1000
    self.bannedGadgets = []
    if config:
        self.loadConfig(config)
    if compiler_instance:
        self.processCommands(compiler_instance)
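def _log_gadgets(imm, gf, hits):
    """Log one line per gadget hit returned by a GadgetFinder search.

    hits: iterable of results where index 0 is the module id, index 1 the
        offset inside that module and index 2 the gadget complexity.
    The absolute address (module base + offset) is passed as the second
    argument to imm.log, as the original per-search loops did.
    Returns the number of hits logged.
    """
    count = 0
    for info in hits:
        module_id, offset, complexity = info[0], info[1], info[2]
        base = gf.bases[module_id]
        imm.log("module_id=%d, module_base=0x%x, offset=0x%x, complexity=%d"
                % (module_id, base, offset, complexity), base + offset)
        count += 1
    return count


def main(args):
    """Example driver running three gadget searches and logging every hit.

    args: passed by the script entry point; unused here.
    The three searches share one StateMachine, which is pushed/popped around
    the ESP loop so every iteration starts from the same clean state.
    """
    separator = "########################################################################"
    regProps = {}
    memProps = {}
    flagProps = {}
    imm = Debugger()
    sm = StateMachine(solver=PrettySolver())
    # Define the module/s to use in the search and all the database
    # information here.
    gf = GadgetFinder(imm, "explorer.exe")

    ##### DEFINE YOUR SEARCHING CONSTRAINS HERE #######
    # Search for a SUB ESP, <range>.
    for delta in xrange(0x100, 0x200):
        sm.push()  # save the clean state so it can be restored after this iteration
        sm.regs["ESP"] -= delta
        _log_gadgets(imm, gf, gf.searchByHashes(sm) or ())
        sm.pop()  # back to the initial empty state
    imm.log(separator)

    # Search for EAX = 0.
    sm.regs["EAX"] = Expression(0)
    _log_gadgets(imm, gf, gf.searchByHashes(sm) or ())
    imm.log(separator)

    # Typical stack pivot to EAX.
    regProps["ESP"] = "EAX"
    memProps["EIP"] = "EAX"
    results = gf.searchByProperties(regProps, memProps, flagProps)
    # Only this last search reports an empty result, as before.
    if not (results and _log_gadgets(imm, gf, results)):
        imm.log("Nothing found")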
debug = True elif o == "-l": logfile = True else: usage(imm) return "Unknown option" if not exp: usage(imm) imm.log("[!] -e is mandatory") return "Error, check script usemode" if logfile: imm = MyDebugger(template="findpivot-log-") sm = StateMachine(solver=PrettySolver()) #define the module/s to use in the search and all the database information here gf = GadgetFinder(imm, modules, dbname, dbtype, host, username, passwd) gf._debug = debug if debug: imm.log("[*] RAW Expression: %s" % str(exp)) exp = parseExpression(exp, sm) if exp == None: imm.log("[!] Expression could not be parsed, please review it") return "Error, check usemode" imm.log("[*] Parsed Expression: %s" % str(exp))