def sym(data, addr, status): cont = Container.from_string(data, loc_db=loc_db, addr=addr) mdis = machine.dis_engine(cont.bin_stream, loc_db=loc_db) asm_block = mdis.dis_block(addr) # Translate ASM -> IR ircfg = ira.new_ircfg() try: ira.add_asmblock_to_ircfg(asm_block, ircfg) except NotImplementedError: return None # Instantiate a Symbolic Execution engine with default value for registers regs_init = regs.regs_init sympool = copy.deepcopy(regs_init) sympool.update(status) symb = SymbolicExecutionEngine(ira, sympool) # Emulate one IR basic block ## Emulation of several basic blocks can be done through .emul_ir_blocks cur_addr = symb.run_at(ircfg, addr) IRDst = symb.symbols[ira.IRDst] expr = expr_simp_explicit(IRDst) #if isinstance(expr, ExprMem): # expr = expr.ptr return expr
import z3 from miasm.arch.x86.arch import mn_x86 from miasm.core.locationdb import LocationDB from miasm.analysis.binary import Container from miasm.analysis.machine import Machine from miasm.ir.symbexec import SymbolicExecutionEngine from miasm.analysis.dse import DSEEngine from miasm.expression.expression import * from miasm.ir.translators.z3_ir import Z3Mem, TranslatorZ3 loc_db = LocationDB() s = '\x8dI\x04\x8d[\x01\x80\xf9\x01t\x05\x8d[\xff\xeb\x03\x8d[\x01\x89\xd8\xc3' s = '\x55\x8b\xec\x83\xec\x08\xc7\x45\xf8\xcc\xcc\xcc\xcc\xc7\x45\xfc\xcc\xcc\xcc\xcc\xc7\x45\xfc\x03\x00\x00\x00\xc7\x45\xf8\x05\x00\x00\x00\x83\x7d\xfc\x05\x7e\x07\x8b\x45\xfc\xeb\x09\xeb\x05\x8b\x45\xf8\xeb\x02\x33\xc0\x8b\xe5\x5d\xc3' c = Container.from_string(s) machine = Machine('x86_32') mdis = machine.dis_engine(c.bin_stream) asmcfg = mdis.dis_multiblock(0) for block in asmcfg.blocks: print(block.to_string(asmcfg.loc_db)) ira = machine.ira(loc_db) ircfg = ira.new_ircfg_from_asmcfg(asmcfg) # print(ircfg) # ircfg = ira.new_ircfg(asmcfg) # print(loc_db._offset_to_loc_key.keys()[0]) sb = SymbolicExecutionEngine(ira) # symbolic_pc = sb.run_at(ircfg, loc_db._offset_to_loc_key.keys()[0]) # for index, info in enumerate(sb.info_ids): # print('###### step', index+1) # print('\t', info[0])
fpath = '../testbins/tests-linux-x64-elf' if sys.argv[1:]: fpath = sys.argv[1] sym_name = 'collatz_message' if sys.argv[2:]: sym_name = sys.argv[2] with open(fpath, 'rb') as fp: data = fp.read() # Container is superclass of ContainerELF, ContainerPE, etc. # Is container the analog of Binja's BinaryView? # # container.arch = 'x86_64' container = Container.from_string(data) # list all symbols / addresses available from the container ldb = container.loc_db for k in ldb.loc_keys: offset = ldb.get_location_offset(k) names = [x.decode() for x in ldb.get_location_names(k)] #print('%08X:' % offset) #for name in names: # print('\t"%s"' % name) # disassemble the given symbol machine = Machine(container.arch) disassembler = machine.dis_engine(container.bin_stream, loc_db=container.loc_db)
from __future__ import print_function from miasm.analysis.binary import Container from miasm.analysis.machine import Machine # The Container will provide a *bin_stream*, bytes source for the disasm engine cont = Container.from_string(b"\x83\xf8\x10\x74\x07\x89\xc6\x0f\x47\xc3\xeb\x08\x89\xc8\xe8\x31\x33\x22\x11\x40\xc3") # Instantiate a x86 32 bit architecture machine = Machine("x86_32") # Instantiate a disassembler engine, using the previous bin_stream and its # associated location DB. mdis = machine.dis_engine(cont.bin_stream, loc_db=cont.loc_db) # Run a recursive traversal disassembling from address 0 asmcfg = mdis.dis_multiblock(0) # Display each basic blocks for block in asmcfg.blocks: print(block) # Output control flow graph in a dot file open('str_cfg.dot', 'w').write(asmcfg.dot())
# Update next blocks to process in the disassembly engine cur_bloc.bto.clear() cur_bloc.add_cst(loc_key, AsmConstraint.c_next) # Prepare a tiny shellcode shellcode = ( b"\xe8\x00\x00\x00\x00" # CALL $ b"X" # POP EAX b"\xc3" # RET ) # Instantiate a x86 32 bit architecture machine = Machine("x86_32") cont = Container.from_string(shellcode) mdis = machine.dis_engine(cont.bin_stream, loc_db=cont.loc_db) print("Without callback:\n") asmcfg = mdis.dis_multiblock(0) print("\n".join(str(block) for block in asmcfg.blocks)) # Enable callback mdis.dis_block_callback = cb_x86_callpop print("=" * 40) print("With callback:\n") asmcfg_after = mdis.dis_multiblock(0) print("\n".join(str(block) for block in asmcfg_after.blocks)) # Ensure the callback has been called
from miasm.analysis.binary import Container from miasm.analysis.machine import Machine from miasm.ir.symbexec import SymbolicExecutionEngine from miasm.core.locationdb import LocationDB START_ADDR = 0 machine = Machine("x86_32") loc_db = LocationDB() # Assemble and disassemble a MOV ## Ensure that attributes 'offset' and 'l' are set line = machine.mn.fromstring("MOV EAX, EBX", loc_db, 32) asm = machine.mn.asm(line)[0] # Get back block cont = Container.from_string(asm, loc_db = loc_db) mdis = machine.dis_engine(cont.bin_stream, loc_db=loc_db) mdis.lines_wd = 1 asm_block = mdis.dis_block(START_ADDR) # Translate ASM -> IR lifter_model_call = machine.lifter_model_call(mdis.loc_db) ircfg = lifter_model_call.new_ircfg() lifter_model_call.add_asmblock_to_ircfg(asm_block, ircfg) # Instantiate a Symbolic Execution engine with default value for registers symb = SymbolicExecutionEngine(lifter_model_call) # Emulate one IR basic block ## Emulation of several basic blocks can be done through .emul_ir_blocks cur_addr = symb.run_at(ircfg, START_ADDR)
# Update next blocks to process in the disassembly engine cur_bloc.bto.clear() cur_bloc.add_cst(loc_key, AsmConstraint.c_next) # Prepare a tiny shellcode shellcode = ( b"\xe8\x00\x00\x00\x00" # CALL $ b"X" # POP EAX b"\xc3" # RET ) # Instantiate a x86 32 bit architecture machine = Machine("x86_32") loc_db = LocationDB() cont = Container.from_string(shellcode, loc_db) mdis = machine.dis_engine(cont.bin_stream, loc_db=loc_db) print("Without callback:\n") asmcfg = mdis.dis_multiblock(0) print("\n".join(str(block) for block in asmcfg.blocks)) # Enable callback mdis.dis_block_callback = cb_x86_callpop print("=" * 40) print("With callback:\n") asmcfg_after = mdis.dis_multiblock(0) print("\n".join(str(block) for block in asmcfg_after.blocks)) # Ensure the callback has been called
from pdb import pm from future.utils import viewitems from miasm.core.utils import decode_hex from miasm.analysis.machine import Machine from miasm.analysis.binary import Container from miasm.core.asmblock import AsmCFG, AsmConstraint, AsmBlock, \ AsmBlockBad, AsmConstraintTo, AsmConstraintNext, \ bbl_simplifier from miasm.core.graph import DiGraphSimplifier, MatchGraphJoker from miasm.expression.expression import ExprId # Initial data: from 'samples/simple_test.bin' data = decode_hex("5589e583ec10837d08007509c745fc01100000eb73837d08017709c745fc02100000eb64837d08057709c745fc03100000eb55837d080774138b450801c083f80e7509c745fc04100000eb3c8b450801c083f80e7509c745fc05100000eb298b450883e03085c07409c745fc06100000eb16837d08427509c745fc07100000eb07c745fc081000008b45fcc9c3") cont = Container.from_string(data) # Test Disasm engine machine = Machine("x86_32") mdis = machine.dis_engine(cont.bin_stream, loc_db=cont.loc_db) ## Disassembly of one block first_block = mdis.dis_block(0) assert len(first_block.lines) == 5 print(first_block) ## Test redisassemble asmcfg first_block_bis = mdis.dis_block(0) assert len(first_block.lines) == len(first_block_bis.lines) print(first_block_bis) ## Disassembly of several block, with cache
from miasm.core.utils import decode_hex from miasm.analysis.machine import Machine from miasm.analysis.binary import Container from miasm.core.asmblock import AsmCFG, AsmConstraint, AsmBlock, \ AsmBlockBad, AsmConstraintTo, AsmConstraintNext, \ bbl_simplifier from miasm.core.graph import DiGraphSimplifier, MatchGraphJoker from miasm.expression.expression import ExprId from miasm.core.locationdb import LocationDB # Initial data: from 'samples/simple_test.bin' data = decode_hex( "5589e583ec10837d08007509c745fc01100000eb73837d08017709c745fc02100000eb64837d08057709c745fc03100000eb55837d080774138b450801c083f80e7509c745fc04100000eb3c8b450801c083f80e7509c745fc05100000eb298b450883e03085c07409c745fc06100000eb16837d08427509c745fc07100000eb07c745fc081000008b45fcc9c3" ) loc_db = LocationDB() cont = Container.from_string(data, loc_db) # Test Disasm engine machine = Machine("x86_32") mdis = machine.dis_engine(cont.bin_stream, loc_db=loc_db) ## Disassembly of one block first_block = mdis.dis_block(0) assert len(first_block.lines) == 5 print(first_block) ## Test redisassemble asmcfg first_block_bis = mdis.dis_block(0) assert len(first_block.lines) == len(first_block_bis.lines) print(first_block_bis) ## Disassembly of several block, with cache
from __future__ import print_function from miasm.analysis.binary import Container from miasm.analysis.machine import Machine # The Container will provide a *bin_stream*, bytes source for the disasm engine cont = Container.from_string( b"\x83\xf8\x10\x74\x07\x89\xc6\x0f\x47\xc3\xeb\x08\x89\xc8\xe8\x31\x33\x22\x11\x40\xc3" ) # Instantiate a x86 32 bit architecture machine = Machine("x86_32") # Instantiate a disassembler engine, using the previous bin_stream and its # associated location DB. mdis = machine.dis_engine(cont.bin_stream, loc_db=cont.loc_db) # Run a recursive traversal disassembling from address 0 asmcfg = mdis.dis_multiblock(0) # Display each basic blocks for block in asmcfg.blocks: print(block) # Output control flow graph in a dot file open('str_cfg.dot', 'w').write(asmcfg.dot())
from miasm.analysis.binary import Container from miasm.analysis.machine import Machine from miasm.ir.symbexec import SymbolicExecutionEngine from miasm.core.locationdb import LocationDB START_ADDR = 0 machine = Machine("x86_32") loc_db = LocationDB() # Assemble and disassemble a MOV ## Ensure that attributes 'offset' and 'l' are set line = machine.mn.fromstring("MOV EAX, EBX", loc_db, 32) asm = machine.mn.asm(line)[0] # Get back block cont = Container.from_string(asm, loc_db = loc_db) mdis = machine.dis_engine(cont.bin_stream, loc_db=loc_db) mdis.lines_wd = 1 asm_block = mdis.dis_block(START_ADDR) # Translate ASM -> IR ira = machine.ira(mdis.loc_db) ircfg = ira.new_ircfg() ira.add_asmblock_to_ircfg(asm_block, ircfg) # Instantiate a Symbolic Execution engine with default value for registers symb = SymbolicExecutionEngine(ira) # Emulate one IR basic block ## Emulation of several basic blocks can be done through .emul_ir_blocks cur_addr = symb.run_at(ircfg, START_ADDR)