def miasm_load_vmlinux(kallsyms, vmlinux): global g_machine global g_code_size global g_jitter global g_cpu if kallsyms['arch'] == 'arm': g_cpu = "arml" elif kallsyms['arch'] == 'arm64': g_cpu = "aarch64l" else: raise Exception('Invalid arch') g_machine = Machine(g_cpu) g_jitter = g_machine.jitter('gcc') start_addr = kallsyms['_start'] g_code_size = ((len(vmlinux) + 0x1000) >> 12 << 12) g_code_size += 0x8000000 # bss end_addr = start_addr + g_code_size print_log("[+]mapping %s - %s" % (hex(start_addr), hex(end_addr))) g_jitter.vm.add_memory_page(start_addr, PAGE_READ|PAGE_WRITE, b"\x00"*g_code_size, "code page") g_jitter.vm.set_mem(kallsyms['_start'], vmlinux) # stack g_jitter.vm.add_memory_page(0xdead1000, PAGE_READ|PAGE_WRITE, b"\x00"*0x2000, "stack")
def jit_instructions(mn_str): """JIT instructions and return the jitter object.""" # Get the miasm Machine machine = Machine("mepb") mn_mep = machine.mn() loc_db = LocationDB() # Assemble the instructions asm = b"" for instr_str in mn_str.split("\n"): instr = mn_mep.fromstring(instr_str, "b") instr.mode = "b" asm += mn_mep.asm(instr)[0] # Init the jitter and add the assembled instructions to memory jitter = machine.jitter(loc_db, jit_type="gcc") jitter.vm.add_memory_page(0, PAGE_READ | PAGE_WRITE, asm) # Set the breakpoint jitter.add_breakpoint(len(asm), lambda x: False) # Jit the instructions #jitter.init_stack() jitter.init_run(0) jitter.continue_run() return jitter
class Arch(object): """ Parent class for Arch abstraction """ # Architecture name _ARCH_ = None def __init__(self, **kwargs): self.machine = Machine(self._ARCH_) self.jitter = self.machine.jitter(self.options.jitter) @classmethod def update_parser(cls, parser): pass
import sys from miasm.core.utils import decode_hex from miasm.jitter.csts import PAGE_READ, PAGE_WRITE, EXCEPT_ACCESS_VIOL from miasm.analysis.machine import Machine def code_sentinelle(jitter): jitter.run = False jitter.pc = 0 return True machine = Machine("x86_32") jitter = machine.jitter(sys.argv[1]) jitter.init_stack() # nop # mov eax, 0x42 # jmp 0x20 data = decode_hex("90b842000000eb20") # Will raise memory error at 0x40000028 error_raised = False def raise_me(jitter): global error_raised error_raised = True
help="Strategy to use for solution creation") args = parser.parse_args() # Convert strategy to the correct value strategy = { "code-cov": DSEPathConstraint.PRODUCE_SOLUTION_CODE_COV, "branch-cov": DSEPathConstraint.PRODUCE_SOLUTION_BRANCH_COV, "path-cov": DSEPathConstraint.PRODUCE_SOLUTION_PATH_COV, }[args.strategy] loc_db = LocationDB() # Map the shellcode run_addr = 0x40000 machine = Machine("x86_32") jitter = machine.jitter(loc_db, "python") with open(args.filename, "rb") as fdesc: jitter.vm.add_memory_page( run_addr, PAGE_READ | PAGE_WRITE, fdesc.read(), "Binary" ) # Expect a binary with one argument on the stack jitter.init_stack() # Argument jitter.push_uint32_t(0) # Handle return
import sys from miasm.core.utils import decode_hex from miasm.jitter.csts import PAGE_READ, PAGE_WRITE, EXCEPT_UNK_MNEMO from miasm.analysis.machine import Machine from miasm.core.locationdb import LocationDB def code_sentinelle(jitter): jitter.running = False jitter.pc = 0 return True machine = Machine("x86_32") loc_db = LocationDB() jitter = machine.jitter(loc_db, sys.argv[1]) jitter.init_stack() # nop # mov eax, 0x42 # XX data = decode_hex("90b842000000ffff90909090") # Will raise memory error at 0x40000006 error_raised = False def raise_me(jitter): global error_raised
#! /usr/bin/env python2 #-*- coding:utf-8 -*- import unittest import logging from miasm.analysis.machine import Machine import miasm.os_dep.linux_stdlib as stdlib from miasm.core.utils import pck32 from miasm.jitter.csts import PAGE_READ, PAGE_WRITE machine = Machine("x86_32") jit = machine.jitter() jit.init_stack() heap = stdlib.linobjs.heap class TestLinuxStdlib(unittest.TestCase): def test_xxx_sprintf(self): def alloc_str(s): s += b"\x00" ptr = heap.alloc(jit, len(s)) jit.vm.set_mem(ptr, s) return ptr fmt = alloc_str(b"'%s' %d") str_ = alloc_str(b"coucou") buf = heap.alloc(jit,1024) jit.push_uint32_t(1111) jit.push_uint32_t(str_)
#! /usr/bin/env python2 #-*- coding:utf-8 -*- import unittest import logging from miasm.analysis.machine import Machine import miasm.os_dep.linux_stdlib as stdlib from miasm.core.utils import pck32 from miasm.jitter.csts import PAGE_READ, PAGE_WRITE from miasm.core.locationdb import LocationDB machine = Machine("x86_32") loc_db = LocationDB() jit = machine.jitter(loc_db) jit.init_stack() heap = stdlib.linobjs.heap class TestLinuxStdlib(unittest.TestCase): def test_xxx_sprintf(self): def alloc_str(s): s += b"\x00" ptr = heap.alloc(jit, len(s)) jit.vm.set_mem(ptr, s) return ptr fmt = alloc_str(b"'%s' %d") str_ = alloc_str(b"coucou") buf = heap.alloc(jit, 1024)
if args.verbose: syscall.log.setLevel(logging.DEBUG) # Get corresponding interpreter and reloc address cont_target_tmp = Container.from_stream(open(args.target, 'rb')) ld_path = bytes(cont_target_tmp.executable.getsectionbyname(".interp").content).strip(b"\x00") if cont_target_tmp.executable.Ehdr.type in [elf_csts.ET_REL, elf_csts.ET_DYN]: elf_base_addr = 0x40000000 elif cont_target_tmp.executable.Ehdr.type == elf_csts.ET_EXEC: elf_base_addr = 0 # Not relocatable else: raise ValueError("Unsupported type %d" % cont_target_tmp.executable.Ehdr.type) # Instantiate a jitter machine = Machine(cont_target_tmp.arch) jitter = machine.jitter(args.jitter) jitter.init_stack() # Get elements for the target architecture if cont_target_tmp.arch == "arml": LinuxEnvironment = environment.LinuxEnvironment_arml syscall_callbacks = syscall.syscall_callbacks_arml prepare_loader = environment.prepare_loader_arml elif cont_target_tmp.arch == "x86_64": LinuxEnvironment = environment.LinuxEnvironment_x86_64 syscall_callbacks = syscall.syscall_callbacks_x86_64 prepare_loader = environment.prepare_loader_x86_64 else: raise ValueError("Unsupported architecture: %r", cont_target_tmp.arch) # Load the interpreter in memory, applying relocation
# Get corresponding interpreter and reloc address cont_target_tmp = Container.from_stream(open(args.target, 'rb'), loc_db) ld_path = bytes( cont_target_tmp.executable.getsectionbyname(".interp").content).strip( b"\x00") if cont_target_tmp.executable.Ehdr.type in [elf_csts.ET_REL, elf_csts.ET_DYN]: elf_base_addr = 0x40000000 elif cont_target_tmp.executable.Ehdr.type == elf_csts.ET_EXEC: elf_base_addr = 0 # Not relocatable else: raise ValueError("Unsupported type %d" % cont_target_tmp.executable.Ehdr.type) # Instantiate a jitter machine = Machine(cont_target_tmp.arch) jitter = machine.jitter(loc_db, args.jitter) jitter.init_stack() # Get elements for the target architecture if cont_target_tmp.arch == "arml": LinuxEnvironment = environment.LinuxEnvironment_arml syscall_callbacks = syscall.syscall_callbacks_arml prepare_loader = environment.prepare_loader_arml elif cont_target_tmp.arch == "x86_64": LinuxEnvironment = environment.LinuxEnvironment_x86_64 syscall_callbacks = syscall.syscall_callbacks_x86_64 prepare_loader = environment.prepare_loader_x86_64 else: raise ValueError("Unsupported architecture: %r", cont_target_tmp.arch) # Load the interpreter in memory, applying relocation
# Get corresponding interpreter and reloc address cont_target_tmp = Container.from_stream(open(args.target, 'rb')) ld_path = bytes( cont_target_tmp.executable.getsectionbyname(".interp").content).strip( b"\x00") if cont_target_tmp.executable.Ehdr.type in [elf_csts.ET_REL, elf_csts.ET_DYN]: elf_base_addr = 0x40000000 elif cont_target_tmp.executable.Ehdr.type == elf_csts.ET_EXEC: elf_base_addr = 0 # Not relocatable else: raise ValueError("Unsupported type %d" % cont_target_tmp.executable.Ehdr.type) # Instantiate a jitter machine = Machine(cont_target_tmp.arch) jitter = machine.jitter(args.jitter) jitter.init_stack() # Get elements for the target architecture if cont_target_tmp.arch == "arml": LinuxEnvironment = environment.LinuxEnvironment_arml syscall_callbacks = syscall.syscall_callbacks_arml prepare_loader = environment.prepare_loader_arml elif cont_target_tmp.arch == "x86_64": LinuxEnvironment = environment.LinuxEnvironment_x86_64 syscall_callbacks = syscall.syscall_callbacks_x86_64 prepare_loader = environment.prepare_loader_x86_64 else: raise ValueError("Unsupported architecture: %r", cont_target_tmp.arch) # Load the interpreter in memory, applying relocation
parser.add_argument("filename", help="Target x86 shellcode") parser.add_argument("strategy", choices=["code-cov", "branch-cov", "path-cov"], help="Strategy to use for solution creation") args = parser.parse_args() # Convert strategy to the correct value strategy = { "code-cov": DSEPathConstraint.PRODUCE_SOLUTION_CODE_COV, "branch-cov": DSEPathConstraint.PRODUCE_SOLUTION_BRANCH_COV, "path-cov": DSEPathConstraint.PRODUCE_SOLUTION_PATH_COV, }[args.strategy] # Map the shellcode run_addr = 0x40000 machine = Machine("x86_32") jitter = machine.jitter("python") with open(args.filename, "rb") as fdesc: jitter.vm.add_memory_page( run_addr, PAGE_READ | PAGE_WRITE, fdesc.read(), "Binary" ) # Expect a binary with one argument on the stack jitter.init_stack() # Argument jitter.push_uint32_t(0) # Handle return
import sys from miasm.core.utils import decode_hex from miasm.jitter.csts import PAGE_READ, PAGE_WRITE, EXCEPT_ACCESS_VIOL from miasm.analysis.machine import Machine def code_sentinelle(jitter): jitter.run = False jitter.pc = 0 return True machine = Machine("x86_32") jitter = machine.jitter(sys.argv[1]) jitter.init_stack() # nop # mov eax, 0x42 # jmp 0x20 data = decode_hex("90b842000000eb20") # Will raise memory error at 0x40000028 error_raised = False def raise_me(jitter): global error_raised error_raised = True assert jitter.pc == 0x40000028 return False
parser.add_argument("strategy", choices=["code-cov", "branch-cov", "path-cov"], help="Strategy to use for solution creation") args = parser.parse_args() # Convert strategy to the correct value strategy = { "code-cov": DSEPathConstraint.PRODUCE_SOLUTION_CODE_COV, "branch-cov": DSEPathConstraint.PRODUCE_SOLUTION_BRANCH_COV, "path-cov": DSEPathConstraint.PRODUCE_SOLUTION_PATH_COV, }[args.strategy] # Map the shellcode run_addr = 0x40000 machine = Machine("x86_32") jitter = machine.jitter("python") with open(args.filename, "rb") as fdesc: jitter.vm.add_memory_page(run_addr, PAGE_READ | PAGE_WRITE, fdesc.read(), "Binary") # Expect a binary with one argument on the stack jitter.init_stack() # Argument jitter.push_uint32_t(0) # Handle return def code_sentinelle(jitter): jitter.run = False return False