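def test_angr_backward_slice(request):
    """Run angr's BackwardSlice analysis on a sample binary (debug endpoint).

    Reads ``file_name`` and ``func_addr`` from the request, loads the file
    from the samples directory, builds an emulated CFG plus CDG/DDG, slices
    backwards from the CFG node at ``func_addr`` and prints the ``type`` of
    every taint-graph node that exposes one.

    Returns ``sys_app_ok()`` when the analysis completes, or an
    ``INVALID_REQ_PARAM`` error when ``file_name`` resolves outside the
    samples directory or no CFG node exists at ``func_addr``.
    """
    # NOTE(review): 'func_addr.hex' presumably makes ReqParams parse the
    # value as a hexadecimal integer -- confirm against ReqParams.many.
    file_name, func_addr = ReqParams.many(request, ['file_name', 'func_addr.hex'])

    # file_name is request-controlled. os.path.join() discards the base when
    # given an absolute path and happily follows '..', so resolve the result
    # and refuse anything that does not stay under the samples directory.
    samples_root = os.path.realpath(MyPath.samples())
    file_path = os.path.realpath(os.path.join(samples_root, file_name))
    if not file_path.startswith(os.path.join(samples_root, '')):
        return sys_app_err_p('INVALID_REQ_PARAM',
                             'file_name must stay inside the samples directory')

    project = angr.Project(file_path, load_options={"auto_load_libs": False})

    # keep_state and the refs options are what the CDG/DDG analyses below
    # rely on to recover data dependencies from the emulated CFG.
    cfg = project.analyses.CFGEmulated(keep_state=True,
                                       state_add_options=angr.sim_options.refs,
                                       context_sensitivity_level=2)
    cdg = project.analyses.CDG(cfg)
    ddg = project.analyses.DDG(cfg)

    # get_any_node() yields None when the CFG has no node at that address;
    # handing None to BackwardSlice as a target would fail deep inside angr.
    target_node = cfg.get_any_node(func_addr)
    if target_node is None:
        return sys_app_err_p('INVALID_REQ_PARAM',
                             'no CFG node found at func_addr')

    # (node, -1) targets the whole block rather than a single statement.
    bs = project.analyses.BackwardSlice(cfg, cdg=cdg, ddg=ddg,
                                        targets=[(target_node, -1)])

    node_has_type = False
    for node in bs.taint_graph.nodes():
        # Taint types, per the original note, may be 'reg', 'tmp' or 'mem'.
        if hasattr(node, 'type'):
            print(node.type)
            node_has_type = True

    print('node type %s found' % ('' if node_has_type else 'not'))
    return sys_app_ok()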
def test_log_switch(request):
    """Emit one test log record for every category in the cached log config.

    The request object is not inspected. Each key returned by
    ``SystemConfig.get_cache_log_cfg()`` is used both as the record's
    category and as the suffix of its message, which lets an operator check
    which categories are actually being persisted.

    Returns ``sys_app_ok()``.
    """
    action_name = 'test_log_switch'
    cached_cfg = SystemConfig.get_cache_log_cfg()
    for category in cached_cfg.keys():
        message = 'test_log_switch: ' + category
        LogRecords.save(message, category=category, action=action_name)
    return sys_app_ok()
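def test_angr_constraints(request):
    """Load a sample binary and build its CFG (debug endpoint).

    The original note describes this as an experiment on the constraints of
    an angr state; the visible body only loads the project and runs the CFG
    analysis. ``file_id`` and ``func_addr`` are read from the request but
    not used.

    Returns ``sys_app_ok()``, or an ``INVALID_REQ_PARAM`` error when
    ``file_name`` resolves outside the samples directory.
    """
    _file_id, file_name, _func_addr = ReqParams.many(
        request, ['file_id', 'file_name', 'func_addr.hex'])

    # file_name is request-controlled: resolve it and refuse absolute paths,
    # '..' segments or symlinks that leave the samples directory.
    samples_root = os.path.realpath(MyPath.samples())
    file_path = os.path.realpath(os.path.join(samples_root, file_name))
    if not file_path.startswith(os.path.join(samples_root, '')):
        return sys_app_err_p('INVALID_REQ_PARAM',
                             'file_name must stay inside the samples directory')

    project = angr.Project(file_path, load_options={"auto_load_libs": False})
    # The CFG result is discarded; the call only checks the analysis runs.
    project.analyses.CFG()
    return sys_app_ok()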
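def get_inverted_fw_data(self, index_con):
    """Find component files whose inverted index contains ``index_con``.

    The search term is converted with ``InvertedIndex.str_to_hex`` and
    matched as a ``$regex`` against ``file_inverted_col``. The distinct
    ``file_id`` values of the hits are then looked up in ``fw_files_col``
    (restricted to ``component == 1``) and each file is returned with its
    pack record under ``pack_info`` (``None`` when no pack matches).

    Returns:
        ``sys_app_ok()`` when the index has no hit, ``sys_app_err(
        'ERROR_INVALID_PARAMETER')`` when hits exist but no component file
        matches, otherwise ``sys_app_ok_p({'total': ..., 'files': [...]})``.
    """
    # NOTE(review): the $regex value is whatever str_to_hex returns. If that
    # can contain regex metacharacters it should be escaped, and this query
    # has no .limit() unlike get_inverted_data -- confirm both are intended.
    index_con = InvertedIndex.str_to_hex(index_con)
    item_list = list(file_inverted_col.find({'index_con': {'$regex': index_con}}))
    if not item_list:
        return sys_app_ok()

    # Ordered de-duplication of whole ids. The previous comma-joined string
    # treated an id as "seen" when it was merely a substring of an earlier
    # one, and its trailing comma put an empty string into the $in list.
    file_ids = list(dict.fromkeys(
        record.get('file_id') for record in item_list if record.get('file_id')))
    if not file_ids:
        return sys_app_ok()

    file_list = list(fw_files_col.find({
        'component': 1,
        'file_id': {'$in': file_ids},
    }))
    if not file_list:
        return sys_app_err('ERROR_INVALID_PARAMETER')

    for file_info in file_list:
        # Drop the database-internal _id before the record leaves the service.
        file_info.pop('_id')
        pack_info = pack_files_col.find_one({'pack_id': file_info.get('pack_id')})
        if pack_info is not None:
            pack_info.pop('_id')
        file_info['pack_info'] = pack_info

    return sys_app_ok_p({'total': len(file_list), 'files': file_list})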
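def test_angr_identifier(request):
    """Run angr's Identifier analysis on a sample binary (debug endpoint).

    Collects every ``(address, symbol)`` pair yielded by the analysis into a
    local mapping; nothing is returned to the caller beyond the status.
    ``file_id`` and ``func_addr`` are read from the request but not used.

    Returns ``sys_app_ok()``, or an ``INVALID_REQ_PARAM`` error when
    ``file_name`` resolves outside the samples directory.
    """
    _file_id, file_name, _func_addr = ReqParams.many(
        request, ['file_id', 'file_name', 'func_addr.hex'])

    # file_name is request-controlled: resolve it and refuse absolute paths,
    # '..' segments or symlinks that leave the samples directory.
    samples_root = os.path.realpath(MyPath.samples())
    file_path = os.path.realpath(os.path.join(samples_root, file_name))
    if not file_path.startswith(os.path.join(samples_root, '')):
        return sys_app_err_p('INVALID_REQ_PARAM',
                             'file_name must stay inside the samples directory')

    project = angr.Project(file_path, load_options={"auto_load_libs": False})
    idfer = project.analyses.Identifier(require_predecessors=False)

    # Later results for the same address overwrite earlier ones.
    seen = {addr: symbol for addr, symbol in idfer.run()}
    return sys_app_ok()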
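def test_angr_plot_graph(request):
    """Plot the CFG of one function, from a sample file or a stored file.

    With an empty ``file_id`` the binary named by ``file_name`` is loaded
    from the samples directory, an emulated CFG is built starting at
    ``func_addr`` and rendered with ``plot_cfg`` into a uniquely named file
    in the temporary directory. With a non-empty ``file_id`` the graph is
    produced by ``FunctionParse(file_id, func_addr).cfg_graph()`` instead.
    In both cases only the status is returned.

    Returns ``sys_app_ok()``, or an ``INVALID_REQ_PARAM`` error when neither
    ``file_id`` nor ``file_name`` is given or when ``file_name`` resolves
    outside the samples directory.
    """
    file_id, file_name, func_addr = ReqParams.many(
        request, ['file_id', 'file_name', 'func_addr.hex'])

    if len(file_id) == 0:
        if len(file_name) == 0:
            return sys_app_err_p('INVALID_REQ_PARAM', 'file_id 或 file_name 必填其一')

        # file_name is request-controlled: resolve it and refuse absolute
        # paths, '..' segments or symlinks that leave the samples directory.
        samples_root = os.path.realpath(MyPath.samples())
        file_path = os.path.realpath(os.path.join(samples_root, file_name))
        if not file_path.startswith(os.path.join(samples_root, '')):
            return sys_app_err_p('INVALID_REQ_PARAM',
                                 'file_name must stay inside the samples directory')

        project = angr.Project(file_path, load_options={'auto_load_libs': False})

        # Start from a blank state at the function entry with a zero pushed
        # where the return address would normally sit.
        start_state = project.factory.blank_state(addr=func_addr)
        start_state.stack_push(0x0)

        with hook0(project):
            cfg = project.analyses.CFGEmulated(fail_fast=True,
                                               starts=[func_addr],
                                               initial_state=start_state,
                                               context_sensitivity_level=2,
                                               keep_state=True,
                                               call_depth=100,
                                               normalize=True)

        # The output name is a fresh UUID, so nothing from the request ends
        # up in the path written below.
        graph_file = os.path.join(MyPath.temporary(), StrUtils.uuid_str())
        plot_cfg(cfg, graph_file, asminst=True, vexinst=False,
                 func_addr={func_addr: True}, debug_info=False,
                 remove_imports=True, remove_path_terminator=True)
    else:
        func_parse = FunctionParse(file_id, func_addr)
        # The graph content is computed but not returned by this endpoint.
        content = func_parse.cfg_graph()

    return sys_app_ok()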
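def get_report_pdf(self, report_id, pack_id, pack_name, pdf_name):
    """Query stored report records, newest first.

    Every non-empty argument narrows the query: ``report_id`` and
    ``pack_id`` match exactly, ``pack_name`` and ``pdf_name`` match as
    substrings. With no argument set, all records are returned.

    Returns:
        ``sys_app_ok_p(records)`` with ``_id`` removed from each record, or
        ``sys_app_ok()`` when nothing matches.
    """
    import re  # local import: only needed to escape the substring filters

    query_condition = {}

    # NOTE(review): the two id filters are used as given. If a caller can
    # pass parsed JSON rather than a plain string, a dict here would be read
    # as a query operator -- confirm both are always str upstream.
    if report_id is not None and len(report_id) > 0:
        query_condition['report_id'] = report_id
    if pack_id is not None and len(pack_id) > 0:
        query_condition['pack_id'] = pack_id

    # The name filters are substring searches, so the caller's text must be
    # matched literally: escaping keeps characters such as '.', '(' or '*'
    # from being interpreted as pattern syntax by the database.
    if pack_name is not None and len(pack_name) > 0:
        query_condition['pack_name'] = {'$regex': re.escape(pack_name)}
    if pdf_name is not None and len(pdf_name) > 0:
        query_condition['pdf_name'] = {'$regex': re.escape(pdf_name)}

    # Sorting on _id descending returns the most recently inserted first.
    item_list = list(report_record_col.find(query_condition).sort('_id', -1))
    if not item_list:
        return sys_app_ok()

    for item in item_list:
        item.pop('_id')
    return sys_app_ok_p(item_list)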
def get_inverted_data(self, index_con, file_id):
    """Return up to 100 inverted-index records by content or by file.

    A non-empty ``index_con`` takes precedence: it is converted with
    ``InvertedIndex.str_to_hex`` and matched as a ``$regex``. Otherwise a
    non-empty ``file_id`` selects the records of that file. When neither is
    given, ``sys_app_err('ERROR_INVALID_PARAMETER')`` is returned.

    Returns:
        ``sys_app_ok()`` when nothing matches, else
        ``sys_app_ok_p({'total': ..., 'items': [...]})`` with ``_id``
        stripped from every item.
    """
    has_content = index_con is not None and len(index_con) > 0
    has_file_id = file_id is not None and len(file_id) > 0

    if has_content:
        # NOTE(review): the pattern is whatever str_to_hex returns; if that
        # can contain regex metacharacters it should be escaped -- confirm.
        hex_pattern = InvertedIndex.str_to_hex(index_con)
        query = {'index_con': {'$regex': hex_pattern}}
    elif has_file_id:
        query = {'file_id': file_id}
    else:
        return sys_app_err('ERROR_INVALID_PARAMETER')

    # The result set is capped at 100 records for either kind of lookup.
    records = list(file_inverted_col.find(query).limit(100))
    if not records:
        return sys_app_ok()

    for record in records:
        record.pop("_id")
    return sys_app_ok_p({'total': len(records), 'items': records})
def test_modules(request):
    """Invoke the file-type verification / file-write self-test.

    The request object is not inspected and the return value of
    ``TestModulesService.test_verify_file_type_and_write_file()`` is
    ignored; the endpoint reports ``sys_app_ok()`` once the call returns.
    """
    TestModulesService.test_verify_file_type_and_write_file()
    response = sys_app_ok()
    return response
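def save(self, pack_id):
    """Generate the PDF analysis report for a firmware pack and record it.

    Looks the pack up by ``pack_id``, collects its files and the stored
    firmware blob's md5 and size, renders the report sections into a PDF
    under ``./firmware_analyze_serv_report/`` and saves a report record
    pointing at that file.

    Returns:
        ``sys_app_err('ERROR_INVALID_PARAMETER')`` when no pack matches
        ``pack_id``, otherwise ``sys_app_ok()``.
    """
    title_name = '固件分析报告'

    pack_list = list(pack_files_col.find({'pack_id': pack_id}))
    if not pack_list:
        return sys_app_err('ERROR_INVALID_PARAMETER')

    pack_info = pack_list[0]
    firmware_name = pack_info.get('name')
    pack_id = pack_info.get('pack_id')
    pack_file_id = pack_info.get('file_id')

    fw_file_lists = list(fw_files_col.find({'pack_id': pack_id}))
    firmware_file_num = len(fw_file_lists)
    # file_type == 4 is what this report counts as an executable file.
    execute_file_num = sum(
        1 for file_info in fw_file_lists if file_info.get('file_type') == 4)

    # NOTE(review): fetch() is assumed to return a mapping with 'md5' and
    # 'length'; a missing blob would fail on the next line -- confirm.
    item = PackFilesStorage.fetch(pack_file_id)
    firmware_md5 = item.get('md5')
    length_b = item.get('length')
    length_kb = length_b / 1024
    length_mb = length_kb / 1024
    if length_kb < 1:
        firmware_size = str('%.2f' % length_b) + ' B'
    elif length_mb < 1:
        firmware_size = str('%.2f' % length_kb) + ' KB'
    else:
        firmware_size = str('%.2f' % length_mb) + ' MB'

    content = list()
    report_time = SysUtils.get_now_time_str()
    self.draw_con(content, title_name, self.text_type(20, 30, colors.black, 1))
    self.draw_con(content, '报告生成时间:' + report_time,
                  self.text_type(11, 20, colors.black, 2))
    content.append(Spacer(300, 20))  # blank spacer: 300 wide, 20 high

    # 1. Firmware analysis summary
    self.summary_info(content, firmware_name, firmware_md5, firmware_size,
                      pack_id, firmware_file_num, execute_file_num)

    ct = self.text_type(10, 15, colors.black, 1)
    # Enable automatic line wrapping for CJK text in table cells.
    ct.wordWrap = 'CJK'

    # 2. Vulnerabilities related to the components
    self.relation_loophole(content, fw_file_lists, firmware_name, ct)
    # 3. Executable file details
    self.fw_file_table(content, fw_file_lists, ct)
    # 4. Signature strings
    self.file_inverted_table(content, fw_file_lists, ct)
    self.draw_con(content, '报告结束', self.text_type(11, 20, colors.black, 1))

    time_stamp = SysUtils.parse_time_stamp_str()

    # Cut the name at its first dot. str.find() returns -1 when there is no
    # dot; the previous str.index() raised ValueError for such names, which
    # made the "> -1" test unreachable and the report fail.
    dot_pos = firmware_name.find('.')
    if dot_pos > -1:
        firmware_name = firmware_name[0:dot_pos]

    # The pack name is stored metadata, not a value chosen here. Keep path
    # separators out of the file name so the PDF is always created inside
    # the report directory.
    safe_name = firmware_name.replace('/', '_').replace('\\', '_')
    pdf_name = safe_name + title_name + time_stamp + '.pdf'

    path = './firmware_analyze_serv_report/'
    # exist_ok avoids the check-then-create race of exists() + mkdir().
    os.makedirs(path, exist_ok=True)
    pdf_path = path + pdf_name

    # Generate the PDF file.
    doc = SimpleDocTemplate(pdf_path, pagesize=letter)
    doc.build(content)

    report_id = StrUtils.uuid_str()
    report_record_info = {
        'report_id': report_id,
        'pack_id': pack_id,
        'pack_name': firmware_name,
        'pdf_path': pdf_path,
        'pdf_name': pdf_name,
        'create_time': report_time
    }
    # NOTE(review): if report_record_col is a PyMongo collection, save() no
    # longer exists in PyMongo 4 -- confirm the driver version in use.
    report_record_col.save(report_record_info)
    return sys_app_ok()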
def inverted(self, file_id):
    """Build and store the inverted word index for one firmware file.

    The file record is looked up by ``file_id`` and its ``file_path`` is
    read through ``InvertedIndex.read_file``; each element of the result is
    iterated as a sequence of words. For every distinct lower-cased word the
    total count and the 1-based numbers of the elements containing it are
    collected. A word is stored only when its hex form is non-empty, its
    decoded form is longer than 10 characters and no record with the same
    file, hex form and count exists yet. Finally the file is flagged through
    ``FwFileDO.set_inverted``.

    Returns:
        ``sys_app_err('ERROR_INVALID_PARAMETER')`` when ``file_id`` matches
        no file, otherwise ``sys_app_ok()``.
    """
    matches = list(fw_files_col.find({'file_id': file_id}))
    if not matches:
        return sys_app_err('ERROR_INVALID_PARAMETER')
    file_path = matches[0].get('file_path')

    positions = {}  # lower-cased word -> set of 1-based element numbers
    counts = {}     # lower-cased word -> number of occurrences
    sentences = InvertedIndex.read_file(self, file_path)
    for line_no in range(1, len(sentences) + 1):
        for word in sentences[line_no - 1]:
            if word == '':
                continue
            key = word.lower()
            if key in positions:
                counts[key] += 1
            else:
                positions[key] = set()
                counts[key] = 1
            positions[key].add(line_no)

    # Words are unique dictionary keys, so ordering by the word alone gives
    # the same sequence as sorting by count first and then by word.
    for key, appear_total in sorted(counts.items(), key=lambda pair: pair[0]):
        index_con = InvertedIndex.str_to_hex(key).replace('/x0', '')
        position = ','.join(str(line_no) for line_no in sorted(positions[key]))
        index_con_str = InvertedIndex.hex_to_str(index_con)

        vulner_info = {
            'file_id': file_id,
            'file_path': file_path,
            'index_con': index_con,
            'appear_total': appear_total,
            'position': position
        }
        # Separate lookup and write: an identical record is skipped, but the
        # two steps are not atomic.
        existing = list(file_inverted_col.find({
            'file_id': file_id,
            'index_con': index_con,
            'appear_total': appear_total
        }))
        if not existing and len(index_con) > 0 and len(index_con_str) > 10:
            file_inverted_col.save(vulner_info)

    # Mark the component as having its inverted index built.
    FwFileDO.set_inverted(file_id)
    return sys_app_ok()