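def _log_results(imm, gf, results):
    """Log every gadget hit in *results*; return True if there was at least one.

    Result entries are indexed positionally, as the rest of this file does:
    ``info[0]`` is the module id, ``info[1]`` the offset inside that module
    and ``info[2]`` the complexity.  ``gf.bases`` maps a module id to the
    module base, so base + offset is the absolute address of the hit; that
    address is also passed as the second argument of ``imm.log`` (presumably
    the address the log entry is associated with -- confirm against the
    Immunity API).

    ``None`` and an empty sequence are both treated as "nothing found".
    """
    if not results:
        return False
    for info in results:
        module_id, offset, complexity = info[0], info[1], info[2]
        module_base = gf.bases[module_id]
        imm.log("module_id=%d, module_base=0x%x, offset=0x%x, complexity=%d"
                % (module_id, module_base, offset, complexity),
                module_base + offset)
    return True


def main(args):
    """PyCommand entry point: run three example gadget searches and log the hits.

    The searches are driven by a symbolic ``StateMachine``.  The wanted
    post-gadget state is described either directly in the machine (exact
    match through ``GadgetFinder.searchByHashes``) or as register / memory /
    flag property dictionaries (heuristic match through
    ``GadgetFinder.searchByProperties``).  The module searched is the one
    named in the ``GadgetFinder`` constructor below.

    ``args`` is the PyCommand argument list; it is not used here.
    Returns ``None``; all output goes to the debugger log.
    """
    regProps = {}
    memProps = {}
    flagProps = {}
    imm = Debugger()
    sm = StateMachine(solver=PrettySolver())

    # define the module/s to use in the search and all the database
    # information here
    gf = GadgetFinder(imm, "explorer.exe")
    #gf._debug=True

    separator = "########################################################################"

    ##### DEFINE YOUR SEARCHING CONSTRAINS HERE #######

    # 1) exact search: SUB ESP, <x> for every x in [0x100, 0x200)
    for x in xrange(0x100, 0x200):
        # snapshot the empty state before modifying it so every iteration
        # starts from the same initial state
        sm.push()
        sm.regs["ESP"] -= x
        # no "Nothing found" here: one line per missing size would only be noise
        _log_results(imm, gf, gf.searchByHashes(sm))
        sm.pop()  # go back to the initial empty state
    imm.log(separator)

    # 2) exact search: EAX = 0
    sm.regs["EAX"] = Expression(0)
    if not _log_results(imm, gf, gf.searchByHashes(sm)):
        imm.log("Nothing found")
    imm.log(separator)

    # 3) heuristic search by properties -- typical stack pivot to EAX.
    # NOTE(review): ``sm`` is not passed to searchByProperties, so the EAX
    # constraint set in search 2 does not influence this search as far as
    # this file shows; the meaning of the memProps key/value pair is defined
    # by GadgetFinder and is not visible here.
    regProps["ESP"] = "EAX"
    memProps["EIP"] = "EAX"
    if not _log_results(imm, gf, gf.searchByProperties(regProps, memProps, flagProps)):
        imm.log("Nothing found")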
findings = [] #simulate a XCHG ESP, EXP/RETN sm.regs["ESP"] = exp sm.EIP = sm.readMemory(sm.regs["ESP"], 4) sm.regs["ESP"] += 4 if debug: sm.simplify() sm.printState(imm) #first search by hashes imm.log("[*] Exact search (by hashes)") results = gf.searchByHashes(sm) if results: for info in results: imm.log( "module_id=%d, module_base=0x%x, offset=0x%x, complexity=%d" % (info[0], gf.bases[info[0]], info[1], info[2]), gf.bases[info[0]] + info[1]) findings.append(info) results_count -= 1 if not results_count: break if not results_count: return "Finished"
findings=[] #simulate a XCHG ESP, EXP/RETN sm.regs["ESP"]=exp sm.EIP=sm.readMemory(sm.regs["ESP"], 4) sm.regs["ESP"]+=4 if debug: sm.simplify() sm.printState(imm) #first search by hashes imm.log("[*] Exact search (by hashes)") results = gf.searchByHashes(sm) if results: for info in results: imm.log("module_id=%d, module_base=0x%x, offset=0x%x, complexity=%d"%(info[0], gf.bases[info[0]], info[1], info[2]), gf.bases[info[0]]+info[1]) findings.append(info) results_count-=1 if not results_count: break if not results_count: return "Finished" #then by properties imm.log("[*] Heuristic search (by gadget's properties). Only new findings are showed.") tmp=sm.calcProperties()