def test_add_rw_data_patch(self, tlen=5): p1 = AddRWDataPatch(tlen, "added_data_rw") added_code = ''' li r3, 0x41 li r4, 0x0 li r5, %d lis r6, {added_data_rw}@h ori r6, r6, {added_data_rw}@l _loop: cmpw r4, r5 beq _exit stb r3, 0(r6) addi r4, r4, 1 addi r6, r6, 1 b _loop _exit: li r0, 4 li r3, 0x1 lis r4, {added_data_rw}@h ori r4, r4, {added_data_rw}@l sc ''' % tlen p2 = InsertCodePatch(0x100004f8, added_code, "modify_and_print") self.run_test("printf_nopie", [p1, p2], expected_output=b"A" * tlen + b"Hi", expected_returnCode=0)
def test_add_label_patch(self): p1 = AddLabelPatch(0x400649, "added_label") added_code = ''' mov x8, 0x40 mov x0, 0x1 ldr x1, ={added_label} mov x2, 1 svc 0 ''' p2 = InsertCodePatch(0x400580, added_code) self.run_test("printf_nopie", [p1, p2], expected_output=b"sHi", expected_returnCode=0)
def test_add_ro_data_patch(self, tlen=5): p1 = AddRODataPatch(b"A"*tlen, "added_data") added_code = ''' mov x8, 0x40 mov x0, 0x1 ldr x1, ={added_data} mov x2, %d svc 0 ''' % tlen p2 = InsertCodePatch(0x400580, added_code, "added_code") self.run_test("printf_nopie", [p1, p2], expected_output=b"A"*tlen + b"Hi", expected_returnCode=0x0)
def test_c_compilation(self): added_code = ''' li $a0, 0 %s move $a0, $v0 li $v0, 4004 la $a1, 0x400935 li $a2, 1 syscall ''' % DetourBackendMips.get_c_function_wrapper_code("c_function") self.run_test("printf_nopie", [InsertCodePatch(0x40076c, added_code, name="p1", priority=1), AddCodePatch("__attribute__((fastcall)) int func(int a){ return a + 1; }", "c_function", is_c=True, compiler_flags="")], expected_output=b"sHi", expected_returnCode=0x0)
def test_add_label_patch(self): p1 = AddLabelPatch(0x400935, "added_label") added_code = ''' li $v0, 4004 li $a0, 1 la $a1, {added_label} li $a2, 1 syscall ''' p2 = InsertCodePatch(0x40076c, added_code) self.run_test("printf_nopie", [p1, p2], expected_output=b"sHi", expected_returnCode=0)
def test_add_ro_data_patch(self, tlen=5): p1 = AddRODataPatch(b"A"*tlen, "added_data") added_code = ''' li $v0, 4004 li $a0, 1 la $a1, {added_data} li $a2, %d syscall ''' % tlen p2 = InsertCodePatch(0x40076c, added_code, "added_code") self.run_test("printf_nopie", [p1, p2], expected_output=b"A"*tlen + b"Hi", expected_returnCode=0x0)
def test_c_compilation(self): added_code = ''' mov x8, 0x40 mov x0, 0x0 %s ldr x1, =0x400649 mov x2, 1 svc 0 ''' % DetourBackendAarch64.get_c_function_wrapper_code("c_function") self.run_test("printf_nopie", [InsertCodePatch(0x400580, added_code, name="p1", priority=1), AddCodePatch("__attribute__((fastcall)) int func(int a){ return a + 1; }", "c_function", is_c=True, compiler_flags="")], expected_output=b"sHi", expected_returnCode=0x0)
def test_insert_code_patch(self): test_str = b"qwertyuiop\n\x00" added_code = ''' mov x8, 0x40 mov x0, 0x1 ldr x1, ={added_data} mov x2, %d svc 0 ''' % (len(test_str)) p1 = InsertCodePatch(0x400580, added_code) p2 = AddRODataPatch(test_str, "added_data") self.run_test("printf_nopie", [p1, p2], expected_output=b"qwertyuiop\n\x00Hi", expected_returnCode=0)
def test_insert_code_patch(self): test_str = b"qwertyuiop\n\x00" added_code = ''' li $v0, 4004 li $a0, 1 la $a1, {added_data} li $a2, %d syscall ''' % (len(test_str)) p1 = InsertCodePatch(0x40076c, added_code) p2 = AddRODataPatch(test_str, "added_data") self.run_test("printf_nopie", [p1, p2], expected_output=b"qwertyuiop\n\x00Hi", expected_returnCode=0)
def test_add_label_patch(self): p1 = AddLabelPatch(0x10451, "added_label") added_code = ''' mov r7, 0x4 mov r0, 0x1 ldr r1, ={added_label} mov r2, 1 svc 0 ''' p2 = InsertCodePatch(0x103ec, added_code) self.run_test("printf_nopie", [p1, p2], expected_output=b"sHi", expected_returnCode=0)
def test_add_label_patch(self): p1 = AddLabelPatch(0x120000cf9, "added_label") added_code = ''' dli $v0, 5001 dli $a0, 1 dla $a1, {added_label} dli $a2, 1 syscall ''' p2 = InsertCodePatch(0x120000b20, added_code) self.run_test("printf_nopie", [p1, p2], expected_output=b"sHi", expected_returnCode=0)
def test_add_rw_init_data_patch(self, tlen=5): p1 = AddRWInitDataPatch(b"A" * tlen, "added_data_rw") added_code = ''' mov r7, 0x4 mov r0, 0x1 ldr r1, ={added_data_rw} mov r2, %d svc 0 ''' % tlen p2 = InsertCodePatch(0x103ec, added_code, "print") self.run_test("printf_nopie", [p1, p2], expected_output=b"A" * tlen + b"Hi", expected_returnCode=0)
def test_add_rw_init_data_patch(self, tlen=5): p1 = AddRWInitDataPatch(b"A" * tlen, "added_data_rw") added_code = ''' mov eax,0x4 mov ebx,0x1 mov edx, %d mov ecx, {added_data_rw} int 0x80 ''' % tlen p2 = InsertCodePatch(0x8048457, added_code, "print") self.run_test("printf_nopie", [p1, p2], expected_output=b"A" * tlen + b"Hi", expected_returnCode=0)
def test_add_ro_data_patch(self, tlen=5): p1 = AddRODataPatch(b"A" * tlen, "added_data") added_code = ''' mov eax, 4 ;sys_write mov ebx, 1 ;fd = stdout mov ecx, {added_data} ;buf mov edx, %d ;len int 0x80 ''' % tlen p2 = InsertCodePatch(0x8048457, added_code, "added_code") self.run_test("printf_nopie", [p1, p2], expected_output=b"A" * tlen + b"Hi", expected_returnCode=0x0)
def test_add_rw_init_data_patch(self, tlen=5): p1 = AddRWInitDataPatch(b"A" * tlen, "added_data_rw") added_code = ''' dli $v0, 5001 dli $a0, 1 dla $a1, {added_data_rw} dli $a2, %d syscall ''' % tlen p2 = InsertCodePatch(0x120000b20, added_code, "print") self.run_test("printf_nopie", [p1, p2], expected_output=b"A" * tlen + b"Hi", expected_returnCode=0)
def test_insert_code_patch(self): test_str = b"qwertyuiop\n\x00" added_code = ''' mov eax, 4 mov ebx, 1 mov ecx, {added_data} mov edx, %d int 0x80 ''' % (len(test_str)) p1 = InsertCodePatch(0x8048457, added_code) p2 = AddRODataPatch(test_str, "added_data") self.run_test("printf_nopie", [p1, p2], expected_output=b"qwertyuiop\n\x00Hi", expected_returnCode=0)
def test_add_label_patch(self): p1 = AddLabelPatch(0x10000759, "added_label") added_code = ''' li r0, 4 li r3, 1 lis r4, {added_label}@h ori r4, r4, {added_label}@l li r5, 1 sc ''' p2 = InsertCodePatch(0x100004f8, added_code) self.run_test("printf_nopie", [p1, p2], expected_output=b"sHi", expected_returnCode=0)
def test_add_ro_data_patch(self, tlen=5): p1 = AddRODataPatch(b"A" * tlen, "added_data") added_code = ''' li r0, 4 li r3, 1 lis r4, {added_data}@h ori r4, r4, {added_data}@l li r5, %d sc ''' % tlen p2 = InsertCodePatch(0x100004f8, added_code, "added_code") self.run_test("printf_nopie", [p1, p2], expected_output=b"A" * tlen + b"Hi", expected_returnCode=0x0)
def test_insert_code_patch(self): test_str = b"qwertyuiop\n\x00" added_code = ''' li r0, 4 li r3, 1 lis r4, {added_data}@h ori r4, r4, {added_data}@l li r5, %d sc ''' % (len(test_str)) p1 = InsertCodePatch(0x100004f8, added_code) p2 = AddRODataPatch(test_str, "added_data") self.run_test("printf_nopie", [p1, p2], expected_output=b"qwertyuiop\n\x00Hi", expected_returnCode=0)
def test_sample_pie(self): patches = [] transmit_code = ''' pop rsi pop rax push rsi sub rsi, rax sub rsi, 0xa add rsi, {transmitted_string} mov rax, 1 mov rdi, 1 syscall mov rbx, (rsp) add rsp, 8 pop r9 pop r8 pop r10 pop rdx pop rsi pop rdi pop rax mov (rsp), rbx ret ''' injected_code = ''' push rax push rdi push rsi push rdx push r10 push r8 push r9 mov rdx, 10 push $ call {transmit_function} ''' patches.append(AddCodePatch(transmit_code, name="transmit_function")) patches.append( AddRODataPatch(b"---HI---\x00", name="transmitted_string")) patches.append( InsertCodePatch(0x400665, injected_code, name="injected_code_after_receive")) self.run_test("sample_x86-64_pie", patches, expected_output=b'---HI---\x00\x00Purdue')
def test_double_patch_collision(self): test_str1 = b"1111111111\n\x00" test_str2 = b"2222222222\n\x00" added_code1 = ''' li r0, 4 li r3, 1 lis r4, {str1}@h ori r4, r4, {str1}@l li r5, %d sc ''' % (len(test_str1)) added_code2 = ''' li r0, 4 li r3, 1 lis r4, {str2}@h ori r4, r4, {str2}@l li r5, %d sc ''' % (len(test_str2)) p1 = InsertCodePatch(0x100004f8, added_code1, name="p1", priority=100) p2 = InsertCodePatch(0x100004f8, added_code2, name="p2", priority=1) p3 = AddRODataPatch(test_str1, "str1") p4 = AddRODataPatch(test_str2, "str2") self.run_test("printf_nopie", [p1, p2, p3, p4], expected_output=test_str1 + b"Hi", try_without_cfg=False) p1 = InsertCodePatch(0x100004f8, added_code1, name="p1", priority=1) p2 = InsertCodePatch(0x100004f8, added_code2, name="p2", priority=100) p3 = AddRODataPatch(test_str1, "str1") p4 = AddRODataPatch(test_str2, "str2") backend = self.run_test("printf_nopie", [p1, p2, p3, p4], expected_output=test_str2 + b"Hi", try_without_cfg=False) self.assertNotIn(p1, backend.added_patches) self.assertIn(p2, backend.added_patches) p1 = InsertCodePatch(0x100004f8, added_code1, name="p1", priority=1) p2 = InsertCodePatch(0x100004f8 + 0x4, added_code2, name="p2", priority=100) p3 = AddRODataPatch(test_str1, "str1") p4 = AddRODataPatch(test_str2, "str2") backend = self.run_test("printf_nopie", [p1, p2, p3, p4], expected_output=test_str2 + b"Hi", try_without_cfg=False) self.assertNotIn(p1, backend.added_patches) self.assertIn(p2, backend.added_patches)
def test_c_compilation(self): added_code = ''' mov ecx, 0x4 %s mov ebx, 1 lea ecx, [0x080484f4] mov edx, 1 int 0x80 ''' % patcherex.utils.get_nasm_c_wrapper_code("c_function", get_return=True) self.run_test("printf_nopie", [ InsertCodePatch(0x8048457, added_code, name="p1", priority=1), AddCodePatch( "__attribute__((fastcall)) int func(int a){ return a; }", "c_function", is_c=True) ], expected_output=b"sHi", expected_returnCode=0x0)
def test_double_patch_collision(self): test_str1 = b"1111111111\n\x00" test_str2 = b"2222222222\n\x00" added_code1 = ''' dli $v0, 5001 dli $a0, 1 dla $a1, {str1} dli $a2, %d syscall ''' % (len(test_str1)) added_code2 = ''' dli $v0, 5001 dli $a0, 1 dla $a1, {str2} dli $a2, %d syscall ''' % (len(test_str2)) p1 = InsertCodePatch(0x120000b20, added_code1, name="p1", priority=100) p2 = InsertCodePatch(0x120000b20, added_code2, name="p2", priority=1) p3 = AddRODataPatch(test_str1, "str1") p4 = AddRODataPatch(test_str2, "str2") self.run_test("printf_nopie", [p1, p2, p3, p4], expected_output=test_str1 + b"Hi", try_without_cfg=False) p1 = InsertCodePatch(0x120000b20, added_code1, name="p1", priority=1) p2 = InsertCodePatch(0x120000b20, added_code2, name="p2", priority=100) p3 = AddRODataPatch(test_str1, "str1") p4 = AddRODataPatch(test_str2, "str2") backend = self.run_test("printf_nopie", [p1, p2, p3, p4], expected_output=test_str2 + b"Hi", try_without_cfg=False) self.assertNotIn(p1, backend.added_patches) self.assertIn(p2, backend.added_patches) p1 = InsertCodePatch(0x120000b20, added_code1, name="p1", priority=1) p2 = InsertCodePatch(0x120000b20 + 0x4, added_code2, name="p2", priority=100) p3 = AddRODataPatch(test_str1, "str1") p4 = AddRODataPatch(test_str2, "str2") backend = self.run_test("printf_nopie", [p1, p2, p3, p4], expected_output=test_str2 + b"Hi", try_without_cfg=False) self.assertNotIn(p1, backend.added_patches) self.assertIn(p2, backend.added_patches)
def test_c_compilation(self): added_code = ''' li r3, 0 %s li r0, 4 lis r4, 0x10000759@h ori r4, r4, 0x10000759@l li r5, 1 sc ''' % DetourBackendPpc.get_c_function_wrapper_code("c_function") self.run_test("printf_nopie", [ InsertCodePatch(0x100004f8, added_code, name="p1", priority=1), AddCodePatch( "__attribute__((fastcall)) int func(int a){ return a + 1; }", "c_function", is_c=True, compiler_flags="") ], expected_output=b"sHi", expected_returnCode=0x0)
def test_add_rw_data_patch(self, tlen=5): p1 = AddRWDataPatch(tlen, "added_data_rw") added_code = ''' mov eax, 4 mov ebx, 1 xor ecx, ecx mov edx, %d _loop: cmp ecx, edx je _exit mov BYTE [{added_data_rw}+ecx], 0x41 add ecx, 1 jmp _loop _exit mov ecx, {added_data_rw} int 0x80 ''' % tlen p2 = InsertCodePatch(0x8048457, added_code, "modify_and_print") self.run_test("printf_nopie", [p1, p2], expected_output=b"A" * tlen + b"Hi", expected_returnCode=0)
def test_add_rw_data_patch(self, tlen=5): p1 = AddRWDataPatch(tlen, "added_data_rw") added_code = ''' li $a0, 0x41 li $a1, 0x0 li $a2, %d la $a3, {added_data_rw} _loop: beq $a1, $a2, _exit sb $a0, ($a3) addiu $a1, $a1, 1 addiu $a3, $a3, 1 b _loop _exit: li $v0, 4004 li $a0, 0x1 la $a1, {added_data_rw} syscall ''' % tlen p2 = InsertCodePatch(0x40076c, added_code, "modify_and_print") self.run_test("printf_nopie", [p1, p2], expected_output=b"A"*tlen + b"Hi", expected_returnCode=0)
def test_c_compilation(self): added_code = ''' mov r7, 0x4 mov r0, 0x0 %s ldr r1, =0x10451 mov r2, 1 svc 0 ''' % DetourBackendArm.get_c_function_wrapper_code("c_function") self.run_test("printf_nopie", [ InsertCodePatch(0x103ec, added_code, name="p1", priority=1), AddCodePatch( "__attribute__((fastcall)) int func(int a){ return a + 1; }", "c_function", is_c=True, compiler_flags="", is_thumb=True) ], expected_output=b"sHi", expected_returnCode=0x0)
def test_add_rw_data_patch(self, tlen=5): p1 = AddRWDataPatch(tlen, "added_data_rw") added_code = ''' mov x8, 0x40 mov x0, 0x41 mov x1, 0x0 mov x2, %d ldr x3, ={added_data_rw} _loop: cmp x1, x2 beq _exit str x0, [x3, x1] add x1, x1, 1 b _loop _exit: mov x0, 0x1 ldr x1, ={added_data_rw} svc 0 ''' % tlen p2 = InsertCodePatch(0x400580, added_code, "modify_and_print") self.run_test("printf_nopie", [p1, p2], expected_output=b"A"*tlen + b"Hi", expected_returnCode=0)
def test_sample_no_pie(self): patches = [] transmit_code = ''' mov rax, 1 mov rdi, 1 syscall mov rbx, (rsp) add rsp, 8 pop r9 pop r8 pop r10 pop rdx pop rsi pop rdi pop rax mov (rsp), rbx ret ''' patches.append(AddCodePatch(transmit_code, name="transmit_function")) patches.append( AddRODataPatch(b"---HI---\x00", name="transmitted_string")) injected_code = ''' push rax push rdi push rsi push rdx push r10 push r8 push r9 mov rsi, {transmitted_string} mov rdx, 10 call {transmit_function} ''' patches.append( InsertCodePatch(0x400502, injected_code, name="injected_code_after_receive")) self.execute(patches, "sample_x86-64_no_pie", b'---HI---\x00\x00Purdue')
def test_double_patch_collision(self): test_str1 = b"1111111111\n\x00" test_str2 = b"2222222222\n\x00" added_code1 = ''' mov r7, 0x4 mov r0, 0x1 ldr r1, ={str1} mov r2, %d svc 0 ''' % (len(test_str1)) added_code2 = ''' mov r7, 0x4 mov r0, 0x1 ldr r1, ={str2} mov r2, %d svc 0 ''' % (len(test_str2)) p1 = InsertCodePatch(0x103ec, added_code1, name="p1", priority=100) p2 = InsertCodePatch(0x103ec, added_code2, name="p2", priority=1) p3 = AddRODataPatch(test_str1, "str1") p4 = AddRODataPatch(test_str2, "str2") self.run_test("printf_nopie", [p1, p2, p3, p4], expected_output=test_str1 + b"Hi") p1 = InsertCodePatch(0x103ec, added_code1, name="p1", priority=1) p2 = InsertCodePatch(0x103ec, added_code2, name="p2", priority=100) p3 = AddRODataPatch(test_str1, "str1") p4 = AddRODataPatch(test_str2, "str2") backend = self.run_test("printf_nopie", [p1, p2, p3, p4], expected_output=test_str2 + b"Hi") self.assertNotIn(p1, backend.added_patches) self.assertIn(p2, backend.added_patches) p1 = InsertCodePatch(0x103ec, added_code1, name="p1", priority=1) p2 = InsertCodePatch(0x103ec + 0x4, added_code2, name="p2", priority=100) p3 = AddRODataPatch(test_str1, "str1") p4 = AddRODataPatch(test_str2, "str2") backend = self.run_test("printf_nopie", [p1, p2, p3, p4], expected_output=test_str2 + b"Hi") self.assertNotIn(p1, backend.added_patches) self.assertIn(p2, backend.added_patches)