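def get_shellcode_vw(sample, arch="auto", should_save=True):
    """
    Return a vivisect shellcode workspace for the file at ``sample``.

    :param sample: path to the raw shellcode file; it is read as bytes and is
        also used to derive the workspace "StorageName" (``<sample>.viv``)
    :param arch: "i386", "amd64", or "auto". With "auto" one workspace is
        built per candidate architecture and the one that recovers the most
        functions is kept (idea by Jay G.).
    :param should_save: forwarded to ``viv_utils.getShellcodeWorkspace``
    :return: the selected vivisect workspace
    """
    import viv_utils

    with open(sample, "rb") as f:
        sample_bytes = f.read()

    if arch == "auto":
        # Use a dedicated loop name: the previous version reused ``arch`` as
        # the loop variable, shadowing the parameter. The unreachable
        # "no candidates" guard is gone too, since the candidate list is
        # always built from this fixed tuple.
        candidates = [
            viv_utils.getShellcodeWorkspace(sample_bytes, cand_arch, base=SHELLCODE_BASE, should_save=should_save)
            for cand_arch in ("i386", "amd64")
        ]
        # More recovered functions is taken as evidence of the right arch.
        vw = max(candidates, key=lambda cand: len(cand.getFunctions()))
    else:
        vw = viv_utils.getShellcodeWorkspace(sample_bytes, arch, base=SHELLCODE_BASE, should_save=should_save)

    # Name the workspace after the sample; with should_save the .viv file
    # presumably lands next to the sample under this name — verify against
    # the viv_utils version in use.
    vw.setMeta("StorageName", "%s.viv" % sample)
    return vw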
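def get_shellcode_vw(sample, arch="auto"):
    """
    Return a vivisect shellcode workspace for the file at ``sample``.

    The workspace is neither analyzed nor saved (``analyze=False``,
    ``should_save=False``); the caller decides whether to register FLIRT
    analyzers first and whether anything is written to disk.

    :param sample: path to the raw shellcode file; it is read as bytes and is
        also used to derive the workspace "StorageName" (``<sample>.viv``)
    :param arch: "i386", "amd64", or "auto". With "auto" one workspace is
        built per candidate architecture and the one that recovers the most
        functions is kept (idea by Jay G.).
    :return: the selected, unanalyzed vivisect workspace
    """
    import viv_utils

    with open(sample, "rb") as f:
        sample_bytes = f.read()

    if arch == "auto":
        # Use a dedicated loop name: the previous version reused ``arch`` as
        # the loop variable, shadowing the parameter. The unreachable
        # "no candidates" guard is gone too, since the candidate list is
        # always built from this fixed tuple.
        candidates = [
            viv_utils.getShellcodeWorkspace(sample_bytes, cand_arch, base=SHELLCODE_BASE, analyze=False, should_save=False)
            for cand_arch in ("i386", "amd64")
        ]
        # More recovered functions is taken as evidence of the right arch.
        vw = max(candidates, key=lambda cand: len(cand.getFunctions()))
    else:
        vw = viv_utils.getShellcodeWorkspace(sample_bytes, arch, base=SHELLCODE_BASE, analyze=False, should_save=False)

    # Only the name is recorded here; nothing is written because saving is
    # left to the caller.
    vw.setMeta("StorageName", "%s.viv" % sample)
    return vw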
def _test_strings(self, test_path):
    """
    Verify that every string listed under the spec's "Decoded strings" key is
    recovered from ``test_path``; a spec with no expected strings is a no-op.

    :param test_path: file to analyze — a raw shellcode blob when the spec
        sets "Test shellcode", otherwise something ``viv_utils.getWorkspace``
        can load directly
    :raises FLOSSStringsNotExtracted: when at least one expected string is
        absent from the extracted set
    """
    expected_strings = set(self.spec["Decoded strings"])
    if not expected_strings:
        return

    if self.spec.get("Test shellcode"):
        with open(test_path, "rb") as f:
            shellcode_data = f.read()
        # TODO provide arch from test.yml
        vw = viv_utils.getShellcodeWorkspace(shellcode_data)
    else:
        vw = viv_utils.getWorkspace(test_path)

    found_strings = set(extract_strings(vw))
    if not expected_strings.issubset(found_strings):
        raise FLOSSStringsNotExtracted(expected_strings, found_strings)
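def load_shellcode_workspace(sample_file_path, save_workspace, shellcode_ep_in, shellcode_base_in, arch="i386"):
    """
    Build a vivisect workspace that treats ``sample_file_path`` as raw shellcode.

    :param sample_file_path: file whose bytes are loaded as shellcode; also
        handed to viv_utils as the save path
    :param save_workspace: whether viv_utils should persist the workspace
    :param shellcode_ep_in: entry point as a hex string (a ``0x`` prefix is
        accepted); None or "" means 0
    :param shellcode_base_in: load base as a hex string, same rules
    :param arch: vivisect architecture name. Defaults to the "i386" that was
        previously hard-coded; "amd64" is the other value this project uses.
    :return: the workspace returned by ``viv_utils.getShellcodeWorkspace``
    :raises ValueError: if either hex string does not parse
    """
    if is_supported_file_type(sample_file_path):
        # Loading a format vivisect understands as a flat blob is allowed,
        # but the caller is warned that the result is weaker.
        floss_logger.warning("Analyzing supported file type as shellcode. This will likely yield weaker analysis.")

    shellcode_entry_point = _parse_hex_or_zero(shellcode_ep_in)
    shellcode_base = _parse_hex_or_zero(shellcode_base_in)

    floss_logger.info("Generating vivisect workspace for shellcode, base: 0x%x, entry point: 0x%x...",
                      shellcode_base, shellcode_entry_point)

    with open(sample_file_path, "rb") as f:
        shellcode_data = f.read()

    # Positional order matches the existing call: buffer, arch, base, entry
    # point, save flag, save path.
    return viv_utils.getShellcodeWorkspace(shellcode_data, arch, shellcode_base, shellcode_entry_point,
                                           save_workspace, sample_file_path)


def _parse_hex_or_zero(text):
    """Parse ``text`` as a base-16 integer; a falsy value (None, "") yields 0."""
    if not text:
        return 0
    return int(text, 0x10)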
def sample_499c2a85f6e8142c3f48d4251c9c7cd6_raw32():
    """
    Fixture for the raw 32-bit shellcode sample
    ``499c2a85f6e8142c3f48d4251c9c7cd6.raw32`` under ``<CD>/data``.

    :return: a ``Sample`` holding the vivisect shellcode workspace and the path
    """
    sample_path = os.path.join(CD, "data", "499c2a85f6e8142c3f48d4251c9c7cd6.raw32")
    # NOTE(review): the path, not the file's bytes, is passed to
    # getShellcodeWorkspace here, unlike other call sites in this codebase —
    # confirm this matches the viv_utils version in use.
    workspace = viv_utils.getShellcodeWorkspace(sample_path)
    return Sample(workspace, sample_path)
def main(argv=None): """ :param argv: optional command line arguments, like sys.argv[1:] :return: 0 on success, non-zero on failure """ logging.basicConfig(level=logging.WARNING) parser = make_parser() if argv is not None: options, args = parser.parse_args(argv[1:]) else: options, args = parser.parse_args() set_logging_level(options.debug, options.verbose) if options.list_plugins: print_plugin_list() return 0 sample_file_path = parse_sample_file_path(parser, args) min_length = parse_min_length_option(options.min_length) # expert profile settings if options.expert: options.save_workspace = True options.group_functions = True options.quiet = False if not is_workspace_file(sample_file_path): if not options.no_static_strings and not options.functions: floss_logger.info("Extracting static strings...") print_static_strings(sample_file_path, min_length=min_length, quiet=options.quiet) if options.no_decoded_strings and options.no_stack_strings and not options.should_show_metainfo: # we are done return 0 is_supported_file = is_supported_file_type(sample_file_path) if options.is_shellcode: if is_supported_file: floss_logger.warning( "Analyzing supported file type as shellcode. This will likely yield weaker analysis." ) shellcode_entry_point = 0 if options.shellcode_entry_point: shellcode_entry_point = int(options.shellcode_entry_point, 0x10) shellcode_base = 0 if options.shellcode_base: shellcode_base = int(options.shellcode_base, 0x10) try: floss_logger.info( "Generating vivisect workspace for shellcode, base: 0x%x, entry point: 0x%x...", shellcode_base, shellcode_entry_point) with open(sample_file_path, "rb") as f: shellcode_data = f.read() vw = viv_utils.getShellcodeWorkspace(shellcode_data, "i386", shellcode_base, shellcode_entry_point, options.save_workspace, sample_file_path) except Exception, e: floss_logger.error( "Vivisect failed to load the input file: {0}".format( e.message), exc_info=options.verbose) return 1