def test_angr_backward_slice(request): file_name, func_addr = ReqParams.many(request, ['file_name', 'func_addr.hex']) file_path = os.path.join(MyPath.samples(), file_name) project = angr.Project(file_path, load_options={"auto_load_libs": False}) cfg = project.analyses.CFGEmulated(keep_state=True, state_add_options=angr.sim_options.refs, context_sensitivity_level=2) cdg = project.analyses.CDG(cfg) ddg = project.analyses.DDG(cfg) target_node = cfg.get_any_node(func_addr) bs = project.analyses.BackwardSlice(cfg, cdg=cdg, ddg=ddg, targets=[(target_node, -1)]) # bs.dbg_repr() node_has_type = False for node in bs.taint_graph.nodes(): # param taint_type: Type of the taint, might be one of the following: 'reg', 'tmp', 'mem'. # print(node.stmt_idx) if hasattr(node, 'type'): print(node.type) node_has_type = True # if n.type == taint_type and n.addr == simrun_addr and n.stmt_id == stmt_idx: # taint = n print('node type %s found' % ('' if node_has_type else 'not')) # VSA_DDG # vsa_ddg = project.analyses.VSA_DDG() return sys_app_ok()
def test_bin_info(request): file_name, load_options = ReqParams.many(request, ['file_name', 'load_options.int']) file_path = os.path.join(MyPath.samples(), 'bin', file_name) # bw_result = binwalk.scan(file_path, signature=True, opcodes=True) bw_result = binwalk.scan('--signature', '--opcodes', file_path) bw_result = binwalk.scan('--signature', file_path) return sys_app_ok_p({}) if load_options == 1: proj = angr.Project(file_path, load_options={ 'main_opts': { 'backend': 'blob', 'base_addr': 0x10000, 'entry_point': 0x10000, 'arch': 'ARM', 'offset': 0, } }) else: # proj = angr.Project(file_path) proj = angr.Project(file_path, load_options={'auto_load_libs': False, 'main_opts': {}, }) boyscout = proj.analyses.BoyScout() # proj2 = angr.Project(file_path, arch=angr.SimARM(endness="Iend_BE"), # load_options={ # 'backend': 'blob', # 'base_addr': 0x10000, # 'entry_point': 0x10000, # 'arch': 'ARM', # 'offset': 0, # }) # girlscout = proj2.analyses.GirlScout(pickle_intermediate_results=True) return sys_app_ok_p({'arch': boyscout.arch, 'endianness': boyscout.endianness})
def com_sourcecode_files_tree(request): pack_id, tree_type = ReqParams.many(request, ['pack_id', 'tree_type']) file_list = SourceCodeFileDO.search_files_of_pack(pack_id) if tree_type is None or len(tree_type) == 0 or tree_type == 'normal': tree_type = 'normal' exec_tree = {} elif tree_type == 'antd': exec_tree = [] else: tree_type = 'normal' exec_tree = {} # 对每个文件做树的各级节点定位和创建 for file in file_list: # 获取文件路径 file_path = file['file_path'] file_id = file['file_id'] if file_path is None or len(file_path) == 0: continue if tree_type == 'normal': MyTree.file_path_insert_into_tree(exec_tree, file_path, file_id) elif tree_type == 'antd': MyTree.file_path_insert_into_antd_tree(exec_tree, file_path, file_id) # 保存操作日志 LogRecords.save('', category='statistics', action='查询组件源码文件目录树', desc='获取组件源码文件目录树(模式为:%s)' % (tree_type)) return sys_app_ok_p(exec_tree)
def test_angr_reaching_definitions(request): file_id, file_name, func_addr = ReqParams.many(request, ['file_id', 'file_name', 'func_addr.hex']) file_path = os.path.join(MyPath.samples(), file_name) project = angr.Project(file_path, load_options={'auto_load_libs': False}) # cfg = project.analyses.CFGFast() cfg = project.analyses.CFGEmulated() function = FunctionParse.func_by_addr(func_addr, cfg=cfg) tmp_kb = angr.KnowledgeBase(project) reaching_definition = project.analyses.ReachingDefinitions( subject=function, kb=tmp_kb, observe_all=True ) # nose.tools.assert_equal(reaching_definition.subject.__class__ is Subject, True) def _result_extractor(rda): unsorted_result = map( lambda x: {'key': x[0], 'register_definitions': x[1].register_definitions._storage, 'stack_definitions': x[1].stack_definitions._storage, 'memory_definitions': x[1].memory_definitions._storage}, rda.observed_results.items() ) return list(sorted( unsorted_result, key=lambda x: x['key'] )) result = _result_extractor(reaching_definition) pass
def function_info(request): # 从请求中取参数:文件 ID、函数地址 file_id, func_addr, extra_info = ReqParams.many( request, ['file_id', 'func_addr.hex', 'extra_info']) # 获取指定函数的汇编、中间码等代码信息 codes_dict = FunctionsService.func_codes(file_id, func_addr) infos_dict = codes_dict if extra_info is not None: # 取出首尾空格后分割成列表(用逗号分隔) extra_list = extra_info.strip().split(',') if 'props' in extra_list: # 如指定 props 则附加函数属性信息 props_dict = FunctionsService.func_props(file_id, func_addr) infos_dict['props'] = props_dict if 'vars' in extra_list: # 如指定 props 则附加函数变量信息 vars_dict = VarsService.extract_vars(file_id, func_addr) infos_dict['vars'] = vars_dict infos_dict['vulnerabe'] = { 'flag': '0', 'desc': '非脆弱性函数' } # 0:非脆弱性函数 1:脆弱性函数 infos_dict['taint'] = {'flag': '0', 'desc': '非污点函数'} # 0:非污点函数 1:非污点函数 func_name = infos_dict.get('function_name') if func_name is not None: vulner_info = func_vulner_col.find_one( {'func_name': { '$regex': func_name }}) if vulner_info is not None: infos_dict['vulnerabe'] = { 'flag': '1', 'desc': '脆弱性函数' } # 0:非脆弱性函数 1:脆弱性函数 taint_info = func_taint_col.find_one( {'func_name': { '$regex': func_name }}) if taint_info is not None: infos_dict['taint'] = { 'flag': '1', 'desc': '污点函数' } # 0:非污点函数 1:非污点函数 # 保存操作日志 LogRecords.save('', category='query', action='查询函数分析信息', desc='查询代码分析后的函数信息,文件ID=%s,函数地址=0x%x' % (file_id, func_addr)) return sys_app_ok_p(infos_dict)
def test_angr_constraints(request): # state 的 constraints file_id, file_name, func_addr = ReqParams.many(request, ['file_id', 'file_name', 'func_addr.hex']) file_path = os.path.join(MyPath.samples(), file_name) project = angr.Project(file_path, load_options={"auto_load_libs": False}) cfg = project.analyses.CFG() return sys_app_ok()
def test_angr_vars(request): file_id, file_name, func_addr = ReqParams.many(request, ['file_id', 'file_name', 'func_addr.hex']) func_parse = FunctionParse(file_id, func_addr) props = func_parse.get_props() # _test_func(file_name) return sys_app_ok_p(props)
def pack_exec_files_tree(request): pack_id, tree_type = ReqParams.many(request, ['pack_id', 'tree_type']) start_check_component_task(pack_id) # # # 检查组件关联 # # check_component(pack_id, FileType.EXEC_FILE) # # 修改为任务处理方式进行检查组件关联 关联组件标记,相似度匹配计算,标记漏洞(version/edbid) # # 启动编译任务 # extra_info = {'task_type': TaskType.COMPONENT_CHECK, # 'task_name': '检查组件关联', # 'task_desc': '检查组件关联,相似度匹配计算,标记漏洞(version/edbid)'} # task = MyTask(check_component, (pack_id,), extra_info=extra_info) # task_id = task.get_task_id() # 读取所有可执行文件 exec_list = FwFileDO.search_files_of_pack(pack_id, FileType.EXEC_FILE) if tree_type is None or len(tree_type) == 0 or tree_type == 'normal': # file_path_insert_into_tree 树,初始化为字典 tree_type = 'normal' exec_tree = {} elif tree_type == 'antd': # file_path_insert_into_antd_tree 树,初始化为数组 exec_tree = [] else: tree_type = 'normal' exec_tree = {} # 对每个文件做树的各级节点定位和创建 for exec_file in exec_list: # 获取文件路径 file_path = exec_file['file_path'] file_id = exec_file['file_id'] component = exec_file['component'] # if exec_file['component'] is not None: # component = exec_file['component'] # else: # component = 0 if file_path is None or len(file_path) == 0: continue if tree_type == 'normal': MyTree.file_path_insert_into_tree(exec_tree, file_path, file_id, component) elif tree_type == 'antd': MyTree.file_path_insert_into_antd_tree(exec_tree, file_path, file_id, component) # 保存操作日志 LogRecords.save('', category='statistics', action='读取固件包文件结构', desc='获取指定固件包(ID=%s)的文件结构(模式为:%s)' % (pack_id, tree_type)) return sys_app_ok_p(exec_tree)
def taintmodify(request): # 从请求中取参数:文件 ID func_name, hazard, solution = ReqParams.many(request, ['func_name', 'hazard', 'solution'], protocol='POST') TaintdictDO.update(func_name, hazard, solution) # 保存操作日志 LogRecords.save('', category='statistics', action='自定义污点函数-删除', desc='污点函数(func_name=%s)的信息,' % func_name) return sys_app_ok_p([])
def test_angr_identifier(request): file_id, file_name, func_addr = ReqParams.many(request, ['file_id', 'file_name', 'func_addr.hex']) file_path = os.path.join(MyPath.samples(), file_name) project = angr.Project(file_path, load_options={"auto_load_libs": False}) # p = angr.Project(os.path.join(bin_location, "tests", "i386", "identifiable")) idfer = project.analyses.Identifier(require_predecessors=False) seen = dict() for addr, symbol in idfer.run(): seen[addr] = symbol return sys_app_ok()
def pack_edit(request): pack_id, manufacturer, model, version = ReqParams.many( request, ['pack_id', 'manufacturer', 'model', 'version'], protocol='POST') PackFileDO.save_manufacturer(pack_id, manufacturer, model, version) # 保存操作日志 LogRecords.save('', category='statistics', action='编辑指定固件包信息', desc='编辑指定固件包信息 厂商 型号(ID=%s)的信息' % pack_id) return sys_app_ok_p([])
def async_fwdownload(request): # 获取下载URL fw_download_url, ftp_user, ftp_password = ReqParams.many(request, ['url', 'user', 'password'], protocol='POST') # 启动下载任务 extra_info = {'task_type': TaskType.REMOTE_DOWNLOAD, 'task_name': '固件下载', 'task_desc': '下载固件入库存储桶并进行文件抽取操作'} task = MyTask(_proc_tasks, (fw_download_url, settings.FW_PATH, ftp_user, ftp_password), extra_info=extra_info) task_id = task.get_task_id() # 保存操作日志 LogRecords.save({'task_id': task_id}, category='download', action='固件下载', desc='下载固件入库存储桶并进行文件抽取操作') # 返回响应:任务初始化的信息 return sys_app_ok_p(MyTask.fetch_exec_info(task_id))
def taintadd(request): # 从请求中取参数:文件 ID func_name, hazard, solution = ReqParams.many(request, ['func_name', 'hazard', 'solution'], protocol='POST') # find func_name in taint_dict if TaintdictDO.search_func_name(func_name) is None: print("add func_name") # 新的 fun ID fun_id = StrUtils.uuid_str() TaintdictDO.save(fun_id, func_name, hazard, solution) # 保存操作日志 LogRecords.save('', category='statistics', action='自定义污点函数-增加', desc='污点函数(ID=%s)的信息,' % fun_id) return sys_app_ok_p('添加成功') else: print("already has func_name") return sys_app_ok_p(['函数已存在'])
def list_make(request): print('list_make') pack_id, arch, tree_type, component_name = ReqParams.many( request, ['pack_id', 'arch', 'tree_type', 'component_name']) # 读取所有可执行文件 exec_list = MakeCOMFileDO.search_files_of_pack(pack_id, FileType.MAKE_FILE, arch, component_name) if tree_type is None or len(tree_type) == 0 or tree_type == 'normal': # file_path_insert_into_tree 树,初始化为字典 tree_type = 'normal' exec_tree = {} elif tree_type == 'antd': # file_path_insert_into_antd_tree 树,初始化为数组 exec_tree = [] else: tree_type = 'normal' exec_tree = {} # 对每个文件做树的各级节点定位和创建 for exec_file in exec_list: # 获取文件路径 path = exec_file['file_path'] # 保留make_component之后目录 file_path = path.split('make_component')[1] file_id = exec_file['file_id'] if file_path is None or len(file_path) == 0: continue if tree_type == 'normal': MyTree.file_path_insert_into_tree(exec_tree, file_path, file_id) elif tree_type == 'antd': MyTree.file_path_insert_into_antd_tree(exec_tree, file_path, file_id) # 保存操作日志 LogRecords.save('', category='statistics', action='读取固件包文件结构', desc='获取指定固件包(ID=%s)的文件结构(模式为:%s)' % (pack_id, tree_type)) return sys_app_ok_p(exec_tree)
def test_angr_plot_graph(request): file_id, file_name, func_addr = ReqParams.many(request, ['file_id', 'file_name', 'func_addr.hex']) if len(file_id) == 0: if len(file_name) == 0: return sys_app_err_p('INVALID_REQ_PARAM', 'file_id 或 file_name 必填其一') file_path = os.path.join(MyPath.samples(), file_name) project = angr.Project(file_path, load_options={'auto_load_libs': False}) start_state = project.factory.blank_state(addr=func_addr) start_state.stack_push(0x0) with hook0(project): cfg = project.analyses.CFGEmulated(fail_fast=True, starts=[func_addr], initial_state=start_state, context_sensitivity_level=2, keep_state=True, call_depth=100, normalize=True) graph_file = os.path.join(MyPath.temporary(), StrUtils.uuid_str()) plot_cfg(cfg, graph_file, asminst=True, vexinst=False, func_addr={func_addr: True}, debug_info=False, remove_imports=True, remove_path_terminator=True) else: func_parse = FunctionParse(file_id, func_addr) content = func_parse.cfg_graph() return sys_app_ok()
def call_graph_a(request): # 从请求中取参数:文件 ID、函数地址、画图模式 file_id, func_addr, simple = ReqParams.many( request, ['file_id', 'func_addr.hex', 'simple.int']) # 获取 call_graph 图形数据 func_parse = FunctionParse(file_id, func_addr) graph_data = func_parse.cg_graph(simple != 1) # 保存操作日志 LogRecords.save('', category='query', action='生成函数调用图', desc='生成指定函数的调用关系图,文件ID=%s,函数地址=0x%x' % (file_id, func_addr)) return sys_app_ok_p({ 'file_id': file_id, 'func_addr': func_addr, 'call_graph': graph_data })
def vuler_association(request): print('vuler_association') file_id, version, name, edb_id = ReqParams.many( request, ['file_id', 'version', 'name', 'edb_id']) rv = FwFileDO.set_component_extra_props(file_id, { 'version': version, 'name': name, 'edb_id': edb_id }) # 保存操作日志 LogRecords.save('', category='statistics', action='组件手动漏洞关联', desc='组件手动漏洞关联(漏洞编号 版本 名称)') if rv.matched_count == 1: return sys_app_ok_p('组件手动漏洞关联成功') else: return sys_app_ok_p('组件手动漏洞关联失败,文件未找到')
def control_dependence_graph(request): # 从请求中取参数:文件 ID、函数地址、画图模式 file_id, func_addr, simple = ReqParams.many( request, ['file_id', 'func_addr.hex', 'simple.int']) # 绘制 control_dependence_graph (CDG) 图形 func_parse = FunctionParse(file_id, func_addr) graph_data = func_parse.cdg_graph() # 保存操作日志 LogRecords.save('', category='query', action='生成控制依赖图', desc='生成指定函数的控制依赖图,文件ID=%s,函数地址=0x%x' % (file_id, func_addr)) return sys_app_ok_p({ 'file_id': file_id, 'func_addr': func_addr, 'cdg_graph': graph_data })
def compile(request): # 获取编译参数 arch, pack_id = ReqParams.many(request, ['arch', 'pack_id']) # 启动编译任务 extra_info = { 'pack_id': pack_id, 'task_type': TaskType.COMPONENT_COMPILE, 'task_name': '组件编译', 'task_desc': '组件编译及入库操作' } task = MyTask(_proc_compile_tasks, (arch, pack_id), extra_info=extra_info) task_id = task.get_task_id() # 保存操作日志 LogRecords.save({'task_id': task_id}, category='compile', action='组件编译', desc='组件编译及入库操作') # 返回响应:任务初始化的信息 return sys_app_ok_p(MyTask.fetch_exec_info(task_id))
def function_props(request): # 从请求中取参数:文件 ID、函数地址 file_id, func_addr = ReqParams.many(request, ['file_id', 'func_addr.hex']) func_props = FunctionsService.func_props(file_id, func_addr) return sys_app_ok_p(func_props)
def get_inverted_data(request): # 获取参数 index_con, file_id = ReqParams.many(request, ['index_con', 'file_id']) return invertedIndex.get_inverted_data(index_con, file_id)
def cosine_algorithm(request): # 获取参数 fw_file_id, component_file_id = ReqParams.many( request, ['fw_file_id', 'component_file_id']) return assembly.cosine_algorithm(fw_file_id, component_file_id)
def get_report_pdf(request): # 获取参数 report_id, pack_id, pack_name, pdf_name = ReqParams.many( request, ['report_id', 'pack_id', 'pack_name', 'pdf_name']) return report.get_report_pdf(report_id, pack_id, pack_name, pdf_name)
def analyze_extract_vars(request): file_id, func_addr = ReqParams.many(request, ['file_id', 'func_addr.hex']) vars_dict = VarsService.extract_vars(file_id, func_addr) return sys_app_ok_p(vars_dict)