def _mem_add_page(uc, access, address, size, value, user_data): try: _alloc_region(address) except: gdb_helper.log(colorama.Back.RED + "\t[!] error allocating memory at 0x%08x" % (address, ) + colorama.Back.RESET)
def print_ptrs_reg(regs, prefix): for reg in regs: try: reg_value = cpu.get(reg) gdb_helper.log(colorama.Fore.GREEN + "\t%s %s = %s" % (prefix, reg, deref(reg_value)) + colorama.Fore.RESET) except: gdb_helper.log(colorama.Fore.GREEN + "\t%s %s" % (prefix, reg) + colorama.Fore.RESET)
def _free_regions(): global allocated_regions for region in allocated_regions: try: mu.mem_unmap(region, PAGE_SIZE) # gdb_helper.log( colorama.Fore.BLUE + "\t[i] free(0x%08x)" % (region,) + colorama.Fore.RESET ) except Exception as e: gdb_helper.log(str(e)) allocated_regions = set()
def do_taint(process_marks): while True: try: gdb_helper.in_kernel() gdb_helper.in_process(taint_instruction, process_marks) except KeyboardInterrupt: break except gdb_helper.StopExecution: break except Exception as e: a, b, c = sys.exc_info() gdb_helper.log(traceback.extract_tb(c)) gdb_helper.log(str(e))
def taint_execute(used_registers, used_memory): global tainted_regs, tainted_mems used_regs_r, used_regs_w = used_registers used_mems_r, used_mems_w = used_memory is_spread = False is_use = False for used_reg in used_regs_r: used_reg = get_full_register(used_reg) if used_reg and used_reg in tainted_regs: is_spread = True gdb_helper.log(colorama.Fore.GREEN + "\t[+] use tainted register: %s" % (used_reg, ) + colorama.Fore.RESET) for used_memory_cell in used_mems_r: if used_memory_cell in tainted_mems: is_spread = True gdb_helper.log(colorama.Fore.GREEN + "\t[+] use tainted memory: 0x%08x" % (used_memory_cell, ) + colorama.Fore.RESET) if is_spread: for used_reg in used_regs_w: used_reg = get_full_register(used_reg) if used_reg: gdb_helper.log(colorama.Fore.GREEN + "\t[+] taint register %s" % (used_reg, ) + colorama.Fore.RESET) tainted_regs.add(used_reg) for used_memory_cell in used_mems_w: gdb_helper.log(colorama.Fore.GREEN + "\t[+] taint memory 0x%08x" % (used_memory_cell, ) + colorama.Fore.RESET) tainted_mems.add(used_memory_cell) else: for used_reg in used_regs_w: used_reg = get_full_register(used_reg) if used_reg: tainted_regs.remove(used_reg) for used_memory_cell in used_mems_w: gdb_helper.log(colorama.Fore.RED + "\t[-] free memory 0x%08x" % (used_memory_cell, ) + colorama.Fore.RESET) tainted_mems.remove(used_memory_cell) return is_spread or is_use
def step(): cpu.update_registers() opcode = gdb_helper.get_opcode(cpu.eip) instruction = disas(opcode) gdb_helper.log(colorama.Fore.LIGHTCYAN_EX + "[*][%d] 0x%08x: %s" % (gdb_helper.ins_count, cpu.eip, instruction) + colorama.Fore.RESET) used_registers = get_used_registers(opcode) used_memory = get_used_memory(opcode, cpu) print_ptrs_reg(used_registers[0], 'regs read:') print_ptrs_reg(used_registers[1], 'regs write:') print_ptrs_mem(used_memory[0], 'mems read:') print_ptrs_mem(used_memory[1], 'mems write:') cpu.show_registers() cpu.show_registers('mmx') cpu.show_registers('sse') gdb_helper.step()
def taint_instruction(): cpu.update_registers() opcode = gdb_helper.get_opcode(cpu.eip) instruction = disas(opcode) if not gdb_helper.ins_count % 1000: gdb_helper.log(colorama.Fore.LIGHTCYAN_EX + "[*][%d] 0x%08x: %s" % (gdb_helper.ins_count, cpu.eip, instruction) + colorama.Fore.RESET) if instruction.split()[0] in ('call', 'ret') or instruction.startswith('j'): #gdb_helper.log(colorama.Fore.YELLOW + "\t[i] ignore" + colorama.Fore.RESET) return if instruction.split()[0] == 'sysenter': gdb_helper.log(colorama.Fore.GREEN + "[*][%d] sysenter (EAX=0x%x)" % (gdb_helper.ins_count, cpu.eax) + colorama.Fore.RESET) used_registers = get_used_registers(opcode) used_memory = get_used_memory(opcode, cpu) try: (allowed, denied) = check_violations(used_memory) for denied_ptr in denied: gdb_helper.log(colorama.Fore.RED + "\t[!] ACCESS VIOLATION: 0x%08x" % (denied_ptr, ) + colorama.Fore.RESET) raise gdb_helper.StopExecution() if taint_execute(used_registers, used_memory): gdb_helper.log("\t\t[debug] current taint regs: %s" % str(tainted_regs)) gdb_helper.log("\t\t[debug] current taint mems: %s" % str(tainted_mems)) raise gdb_helper.StopExecution() #pass except gdb_helper.StopExecution as e: raise e except Exception as e: print(str(e)) _free_regions() '''
def show_registers(self, group=''): if group == '': for register in [ 'eax', 'ecx', 'edx', 'ebx', 'esp', 'ebp', 'esi', 'edi', 'eip', 'eflags' ]: gdb_helper.log( colorama.Fore.GREEN + "\t\t%s %s" % (register.upper(), deref(self.__dict__[register])) + colorama.Fore.RESET) elif group == 'mmx': for register in [ 'xmm0', 'xmm1', 'xmm2', 'xmm3', 'xmm4', 'xmm5', 'xmm6', 'xmm7' ]: gdb_helper.log( colorama.Fore.GREEN + "\t\t%s %s" % (register.upper(), deref(self.__dict__[register])) + colorama.Fore.RESET) elif group == 'sse': for register in [ 'st0', 'st1', 'st2', 'st3', 'st4', 'st5', 'st6', 'st7' ]: gdb_helper.log( colorama.Fore.GREEN + "\t\t%s %s" % (register.upper(), deref(self.__dict__[register])) + colorama.Fore.RESET)
def get_used_memory(opcode, cpu): global mu, read, write read = set() write = set() try: _alloc_region(cpu.eip) except: pass mu.mem_write(cpu.eip, opcode) max_attempts = 5 while True: try: max_attempts -= 1 if max_attempts <= 0: gdb_helper.log(colorama.Back.RED + "\t[!] error emulation\n" + colorama.Back.RESET) break mu.reg_write(UC_X86_REG_EAX, cpu.eax) mu.reg_write(UC_X86_REG_ECX, cpu.ecx) mu.reg_write(UC_X86_REG_EDX, cpu.edx) mu.reg_write(UC_X86_REG_EBX, cpu.ebx) mu.reg_write(UC_X86_REG_ESP, cpu.esp) mu.reg_write(UC_X86_REG_EBP, cpu.ebp) mu.reg_write(UC_X86_REG_ESI, cpu.esi) mu.reg_write(UC_X86_REG_EDI, cpu.edi) mu.emu_start(cpu.eip, cpu.eip + len(opcode)) mu.emu_stop() break except KeyboardInterrupt: mu.emu_stop() break except Exception as e: mu.emu_stop() read = set() write = set() #gdb_helper.log(str(e)) return (read, write)
import sys sys.path.append(".") import gdb_helper gdb_helper.gdb = gdb def stop(): raise gdb_helper.StopExecution() if __name__ == '__main__': gdb_helper.init() while True: try: gdb_helper.in_kernel() gdb_helper.in_process(stop, {}) except KeyboardInterrupt: break except gdb_helper.StopExecution: break except Exception as e: gdb_helper.log(str(e)) gdb_helper.finit()
def print_tainted_mem(): gdb_helper.log("\ttainted regs: %s" % str(tainted_regs)) gdb_helper.log("\ttainted mems: %s" % str(tainted_mems))
def print_ptrs_mem(addrs, prefix): for addr in addrs: gdb_helper.log(colorama.Fore.GREEN + "\t%s %s" % ( prefix, deref(addr), ) + colorama.Fore.RESET)