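def get_shellcode_vw(sample, arch="auto", should_save=True):
    """
    Return a vivisect shellcode workspace for the raw bytes in *sample*,
    using an explicit arch or auto-detection.

    :param sample: path to the raw shellcode file; its whole content is read
        into memory before the workspace is built
    :param arch: "i386", "amd64", or "auto" to build a candidate workspace
        for both and keep the one vivisect recovers the most functions from
        (idea by Jay G.)
    :param should_save: forwarded to viv_utils.getShellcodeWorkspace
    :return: the chosen workspace, with its "StorageName" meta set to
        "<sample>.viv"
    :raises ValueError: if no candidate workspace was produced in auto mode
    """
    import viv_utils

    with open(sample, "rb") as f:
        sample_bytes = f.read()

    if arch == "auto":
        # One candidate per supported arch. The loop variable is deliberately
        # not named ``arch`` so the parameter is not clobbered by the loop.
        vw_cands = [
            viv_utils.getShellcodeWorkspace(sample_bytes,
                                            cand_arch,
                                            base=SHELLCODE_BASE,
                                            should_save=should_save)
            for cand_arch in ("i386", "amd64")
        ]
        if not vw_cands:
            raise ValueError("could not generate vivisect workspace")
        # the arch that yields the most functions is most likely the right one
        vw = max(vw_cands, key=lambda cand: len(cand.getFunctions()))
    else:
        vw = viv_utils.getShellcodeWorkspace(sample_bytes,
                                             arch,
                                             base=SHELLCODE_BASE,
                                             should_save=should_save)

    vw.setMeta("StorageName", "%s.viv" % sample)

    return vw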
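def get_shellcode_vw(sample, arch="auto"):
    """
    Return a vivisect shellcode workspace for the raw bytes in *sample*,
    using an explicit arch or auto-detection.

    The workspace is *not* analyzed nor saved. It's up to the caller to do
    this, so they can register FLIRT analyzers first or decide not to write
    to disk at all.

    :param sample: path to the raw shellcode file; its whole content is read
        into memory before the workspace is built
    :param arch: "i386", "amd64", or "auto" to build a candidate workspace
        for both and keep the one vivisect recovers the most functions from
        (idea by Jay G.)
    :return: the chosen (unanalyzed, unsaved) workspace, with its
        "StorageName" meta set to "<sample>.viv"
    :raises ValueError: if no candidate workspace was produced in auto mode
    """
    import viv_utils

    with open(sample, "rb") as f:
        sample_bytes = f.read()

    if arch == "auto":
        # One candidate per supported arch. The loop variable is deliberately
        # not named ``arch`` so the parameter is not clobbered by the loop.
        vw_cands = [
            viv_utils.getShellcodeWorkspace(sample_bytes,
                                            cand_arch,
                                            base=SHELLCODE_BASE,
                                            analyze=False,
                                            should_save=False)
            for cand_arch in ("i386", "amd64")
        ]
        if not vw_cands:
            raise ValueError("could not generate vivisect workspace")
        # the arch that yields the most functions is most likely the right one
        vw = max(vw_cands, key=lambda cand: len(cand.getFunctions()))
    else:
        vw = viv_utils.getShellcodeWorkspace(sample_bytes,
                                             arch,
                                             base=SHELLCODE_BASE,
                                             analyze=False,
                                             should_save=False)

    vw.setMeta("StorageName", "%s.viv" % sample)

    return vw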
    def _test_strings(self, test_path):
        """
        Check that every string listed under "Decoded strings" in the test
        spec is among the strings FLOSS extracts from *test_path*.

        When the spec sets "Test shellcode", the file is read into memory and
        loaded with viv_utils.getShellcodeWorkspace; otherwise it goes
        through viv_utils.getWorkspace.

        :raises FLOSSStringsNotExtracted: if any expected string is missing
        """
        expected = set(self.spec["Decoded strings"])
        if not expected:
            # nothing to verify for this sample
            return

        if self.spec.get("Test shellcode"):
            with open(test_path, "rb") as f:
                raw = f.read()
            vw = viv_utils.getShellcodeWorkspace(raw)  # TODO provide arch from test.yml
        else:
            vw = viv_utils.getWorkspace(test_path)

        found = set(extract_strings(vw))
        missing = expected - found
        if missing:
            raise FLOSSStringsNotExtracted(expected, found)
    def _test_strings(self, test_path):
        """
        Check that every string listed under "Decoded strings" in the test
        spec is among the strings FLOSS extracts from *test_path*.

        When the spec sets "Test shellcode", the file is read into memory and
        loaded with viv_utils.getShellcodeWorkspace; otherwise it goes
        through viv_utils.getWorkspace.

        :raises FLOSSStringsNotExtracted: if any expected string is missing
        """
        expected = set(self.spec["Decoded strings"])
        if not expected:
            # nothing to verify for this sample
            return

        if self.spec.get("Test shellcode"):
            with open(test_path, "rb") as f:
                raw = f.read()
            vw = viv_utils.getShellcodeWorkspace(raw)  # TODO provide arch from test.yml
        else:
            vw = viv_utils.getWorkspace(test_path)

        found = set(extract_strings(vw))
        missing = expected - found
        if missing:
            raise FLOSSStringsNotExtracted(expected, found)
def load_shellcode_workspace(sample_file_path, save_workspace, shellcode_ep_in, shellcode_base_in):
    """
    Build a vivisect workspace that treats *sample_file_path* as raw i386 shellcode.

    :param sample_file_path: path to the input file; read fully into memory
    :param save_workspace: forwarded to viv_utils.getShellcodeWorkspace
    :param shellcode_ep_in: entry point as a hex string (as accepted by
        ``int(s, 16)``), or None/"" to use 0
    :param shellcode_base_in: load base as a hex string (as accepted by
        ``int(s, 16)``), or None/"" to use 0
    :return: the workspace returned by viv_utils.getShellcodeWorkspace
    :raises ValueError: if either address string is not valid hexadecimal
    """
    if is_supported_file_type(sample_file_path):
        floss_logger.warning("Analyzing supported file type as shellcode. This will likely yield weaker analysis.")

    # both addresses arrive as user-supplied hex text; absent means 0
    entry_point = int(shellcode_ep_in, 16) if shellcode_ep_in else 0
    base = int(shellcode_base_in, 16) if shellcode_base_in else 0

    floss_logger.info("Generating vivisect workspace for shellcode, base: 0x%x, entry point: 0x%x...",
                      base, entry_point)
    with open(sample_file_path, "rb") as f:
        shellcode_data = f.read()
    return viv_utils.getShellcodeWorkspace(shellcode_data, "i386", base, entry_point,
                                           save_workspace, sample_file_path)
def load_shellcode_workspace(sample_file_path, save_workspace, shellcode_ep_in, shellcode_base_in):
    """
    Build a vivisect workspace that treats *sample_file_path* as raw i386 shellcode.

    :param sample_file_path: path to the input file; read fully into memory
    :param save_workspace: forwarded to viv_utils.getShellcodeWorkspace
    :param shellcode_ep_in: entry point as a hex string (as accepted by
        ``int(s, 16)``), or None/"" to use 0
    :param shellcode_base_in: load base as a hex string (as accepted by
        ``int(s, 16)``), or None/"" to use 0
    :return: the workspace returned by viv_utils.getShellcodeWorkspace
    :raises ValueError: if either address string is not valid hexadecimal
    """
    if is_supported_file_type(sample_file_path):
        floss_logger.warning("Analyzing supported file type as shellcode. This will likely yield weaker analysis.")

    # both addresses arrive as user-supplied hex text; absent means 0
    entry_point = int(shellcode_ep_in, 16) if shellcode_ep_in else 0
    base = int(shellcode_base_in, 16) if shellcode_base_in else 0

    floss_logger.info("Generating vivisect workspace for shellcode, base: 0x%x, entry point: 0x%x...",
                      base, entry_point)
    with open(sample_file_path, "rb") as f:
        shellcode_data = f.read()
    return viv_utils.getShellcodeWorkspace(shellcode_data, "i386", base, entry_point,
                                           save_workspace, sample_file_path)
def sample_499c2a85f6e8142c3f48d4251c9c7cd6_raw32():
    """
    Return a Sample wrapping the shellcode workspace for the
    ``499c2a85f6e8142c3f48d4251c9c7cd6.raw32`` test file under ``CD/data``.
    """
    sample_path = os.path.join(CD, "data", "499c2a85f6e8142c3f48d4251c9c7cd6.raw32")
    workspace = viv_utils.getShellcodeWorkspace(sample_path)
    return Sample(workspace, sample_path)
def main(argv=None):
    """
    :param argv: optional command line arguments, like sys.argv[1:]
    :return: 0 on success, non-zero on failure
    """
    logging.basicConfig(level=logging.WARNING)

    parser = make_parser()
    if argv is not None:
        options, args = parser.parse_args(argv[1:])
    else:
        options, args = parser.parse_args()

    set_logging_level(options.debug, options.verbose)

    if options.list_plugins:
        print_plugin_list()
        return 0

    sample_file_path = parse_sample_file_path(parser, args)
    min_length = parse_min_length_option(options.min_length)

    # expert profile settings
    if options.expert:
        options.save_workspace = True
        options.group_functions = True
        options.quiet = False

    if not is_workspace_file(sample_file_path):
        if not options.no_static_strings and not options.functions:
            floss_logger.info("Extracting static strings...")
            print_static_strings(sample_file_path,
                                 min_length=min_length,
                                 quiet=options.quiet)

        if options.no_decoded_strings and options.no_stack_strings and not options.should_show_metainfo:
            # we are done
            return 0

    is_supported_file = is_supported_file_type(sample_file_path)
    if options.is_shellcode:
        if is_supported_file:
            floss_logger.warning(
                "Analyzing supported file type as shellcode. This will likely yield weaker analysis."
            )
        shellcode_entry_point = 0
        if options.shellcode_entry_point:
            shellcode_entry_point = int(options.shellcode_entry_point, 0x10)

        shellcode_base = 0
        if options.shellcode_base:
            shellcode_base = int(options.shellcode_base, 0x10)

        try:
            floss_logger.info(
                "Generating vivisect workspace for shellcode, base: 0x%x, entry point: 0x%x...",
                shellcode_base, shellcode_entry_point)
            with open(sample_file_path, "rb") as f:
                shellcode_data = f.read()
            vw = viv_utils.getShellcodeWorkspace(shellcode_data, "i386",
                                                 shellcode_base,
                                                 shellcode_entry_point,
                                                 options.save_workspace,
                                                 sample_file_path)
        except Exception, e:
            floss_logger.error(
                "Vivisect failed to load the input file: {0}".format(
                    e.message),
                exc_info=options.verbose)
            return 1