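def main(args):
    """Immunity Debugger PyCommand entry point: run three example gadget searches.

    All searches go against the gadget database that GadgetFinder builds for
    the hard-coded module "explorer.exe"; every hit is written to the debugger
    log.  `args` is the PyCommand argument list and is not used.

    Returns None; all output goes to imm.log.
    """
    imm = Debugger()
    sm = StateMachine(solver=PrettySolver())

    # Define the module(s) to use in the search and all the database information here.
    gf = GadgetFinder(imm, "explorer.exe")
    # gf._debug = True

    separator = "########################################################################"

    ##### DEFINE YOUR SEARCHING CONSTRAINTS HERE #######

    # Search 1 (exact, by hashes): SUB ESP, <x> for every x in [0x100, 0x200).
    for x in xrange(0x100, 0x200):
        # Snapshot the empty state so each iteration starts from it again;
        # sm.pop() below restores it.
        sm.push()
        sm.regs["ESP"] -= x
        _log_findings(imm, gf, gf.searchByHashes(sm))
        sm.pop()

    imm.log(separator)

    # Search 2 (exact, by hashes): EAX = 0.
    # NOTE: sm is deliberately not pushed/popped here, as in the original; the
    # property search below does not read sm, so the leftover state is harmless.
    sm.regs["EAX"] = Expression(0)
    _log_findings(imm, gf, gf.searchByHashes(sm))

    imm.log(separator)

    # Search 3 (heuristic, by properties): ESP taken from EAX and EIP loaded
    # from memory at EAX -- the "typical stack pivot to EAX" case.  Only this
    # search reports an empty result explicitly.
    regProps = {"ESP": "EAX"}
    memProps = {"EIP": "EAX"}
    flagProps = {}

    if not _log_findings(imm, gf, gf.searchByProperties(regProps, memProps, flagProps)):
        imm.log("Nothing found")


def _log_findings(imm, gf, results):
    """Write every gadget hit in `results` to the debugger log.

    Each entry is indexed as info[0] = module id, info[1] = offset inside the
    module and info[2] = complexity (the names used by the log format).  The
    module base is taken from gf.bases[module_id], and base + offset is passed
    as the second argument of imm.log, exactly as the original per-search
    loops did.

    Returns True when at least one entry was logged, False when `results`
    is None or empty (searchByHashes/searchByProperties may return either).
    """
    if not results:
        return False
    for info in results:
        module_id, offset, complexity = info[0], info[1], info[2]
        base = gf.bases[module_id]
        imm.log(
            "module_id=%d, module_base=0x%x, offset=0x%x, complexity=%d"
            % (module_id, base, offset, complexity),
            base + offset)
    return True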
    findings = []

    #simulate a XCHG ESP, EXP/RETN
    sm.regs["ESP"] = exp
    sm.EIP = sm.readMemory(sm.regs["ESP"], 4)
    sm.regs["ESP"] += 4

    if debug:
        sm.simplify()
        sm.printState(imm)

    #first search by hashes
    imm.log("[*] Exact search (by hashes)")

    results = gf.searchByHashes(sm)

    if results:
        for info in results:
            imm.log(
                "module_id=%d, module_base=0x%x, offset=0x%x, complexity=%d" %
                (info[0], gf.bases[info[0]], info[1], info[2]),
                gf.bases[info[0]] + info[1])
            findings.append(info)
            results_count -= 1
            if not results_count:
                break

    if not results_count:
        return "Finished"
    
    findings=[]
    
    #simulate a XCHG ESP, EXP/RETN
    sm.regs["ESP"]=exp
    sm.EIP=sm.readMemory(sm.regs["ESP"], 4)
    sm.regs["ESP"]+=4
    
    if debug:
        sm.simplify()
        sm.printState(imm)
    
    #first search by hashes
    imm.log("[*] Exact search (by hashes)")

    results = gf.searchByHashes(sm)
    
    if results:
        for info in results:
            imm.log("module_id=%d, module_base=0x%x, offset=0x%x, complexity=%d"%(info[0], gf.bases[info[0]], info[1], info[2]), gf.bases[info[0]]+info[1])
            findings.append(info)
            results_count-=1
            if not results_count:
                break
    
    if not results_count:
        return "Finished"
    
    #then by properties
    imm.log("[*] Heuristic search (by gadget's properties). Only new findings are showed.")
    tmp=sm.calcProperties()