def generate_medium_reassembler_binary(self, test_bin=True):
try:
nr = NetworkRules()
backend = ReassemblerBackend(self.infile)
patches = []
patches.extend(IndirectCFI(self.infile, backend).get_patches())
patches.extend(
TransmitProtection(self.infile, backend).get_patches())
patches.extend(ShiftStack(self.infile, backend).get_patches())
patches.extend(Adversarial(self.infile, backend).get_patches())
patches.extend(Backdoor(self.infile, backend).get_patches())
# patches.extend(NxStack(self.infile,backend).get_patches())
patches.extend(
MallocExtPatcher(self.infile, backend).get_patches())
patches.extend(
StackRetEncryption(self.infile, backend).get_patches())
patches.extend(
UninitializedPatcher(self.infile, backend).get_patches())
patches.extend(
NoFlagPrintfPatcher(self.infile, backend).get_patches())
backend.apply_patches(patches)
final_content = backend.get_final_content()
if test_bin:
test_bin_with_qemu(self.infile, final_content)
res = (final_content, "")
except PatcherexError, e:
traceback.print_exc(e)
res = (None, None)
def generate_medium_reassembler_optimized_binary(self, test_bin=True):
try:
intermediate = tempfile.mktemp(prefix='%s_' %
os.path.basename(self.infile))
optimize_it(self.infile, intermediate)
nr = NetworkRules()
backend = ReassemblerBackend(intermediate)
patches = []
patches.extend(IndirectCFI(intermediate, backend).get_patches())
patches.extend(
TransmitProtection(intermediate, backend).get_patches())
patches.extend(ShiftStack(intermediate, backend).get_patches())
patches.extend(Adversarial(intermediate, backend).get_patches())
patches.extend(Backdoor(intermediate, backend).get_patches())
# patches.extend(NxStack(intermediate,backend).get_patches())
patches.extend(
MallocExtPatcher(intermediate, backend).get_patches())
patches.extend(
StackRetEncryption(intermediate, backend).get_patches())
patches.extend(
UninitializedPatcher(intermediate, backend).get_patches())
patches.extend(
NoFlagPrintfPatcher(intermediate, backend).get_patches())
backend.apply_patches(patches)
final_content = backend.get_final_content()
if test_bin:
test_bin_with_qemu(self.infile, final_content)
res = (final_content, "")
except PatcherexError, e:
traceback.print_exc(e)
res = (None, None)
def generate_stackretencryption_binary(self, test_bin=None):
backend = ReassemblerBackend(self.infile)
patches = []
patches.extend(StackRetEncryption(self.infile, backend).get_patches())
backend.apply_patches(patches)
final_content = backend.get_final_content()
return (final_content, "")
def generate_indirectcfi_binary(self, test_bin=None): # new
backend = ReassemblerBackend(self.infile)
patches = []
patches.extend(IndirectCFI(self.infile, backend).get_patches())
backend.apply_patches(patches)
final_content = backend.get_final_content()
return (final_content, "")
def generate_shiftstack_binary(self, test_bin=None): # new
backend = ReassemblerBackend(self.infile)
patches = []
patches.extend(ShiftStack(self.infile, backend).get_patches())
backend.apply_patches(patches)
final_content = backend.get_final_content()
return (final_content, "")
mov eax,0x2
mov ebx,0x1
mov esi,0x0
int 0x80
popa
ret
'''
patches.append(AddCodePatch(transmit_code, name="transmit_function"))
patches.append(AddRODataPatch(b"HI!\x00", name="transmitted_string"))
# the following code is going to be executed just before the original instruction at 0x8048166
injected_code = '''
; at this code location, it is fine to clobber eax and ebx
mov eax, {transmitted_string} ; a patch can refer to another patch address, by putting its name between curly brackets
mov ebx, 4
call {transmit_function}
'''
patches.append(
InsertCodePatch(0x8048166,
injected_code,
name="injected_code_after_receive"))
# now we ask to the backend to inject all our patches
backend.apply_patches(patches)
# and then we save the file
backend.save("/tmp/CADET_00003_mod1")
# at this point you can try to run /tmp/CADET_00003_mod1 inside the DECREE VM or using our modified version of QEMU