from zelos import CommandLineOption
from zelos.hooks import HookType
from zelos.plugin import OSPlugin

from .kernel import construct_kernel
from .loader import ElfLoader, LinuxMode
from .parse import LiefELF
from .signals import Signals

# Registers --linux_rootfs. Each value is "ARCH,PATH"; action="append"
# lets the option be repeated once per emulated architecture.
#
# NOTE(review): PATH is a host directory handed straight to the emulator.
# Nothing here checks that it exists or is a directory, and this chunk
# does not show whether guest path lookups (e.g. "..", symlinks) are
# confined to it -- confirm before pointing it at anything outside a
# dedicated, throwaway sandbox tree.
CommandLineOption(
    "linux_rootfs",
    action="append",
    default=[],
    help="Specify the rootfs directory for an emulated architecture. Can "
    "be specified multiple times to set the rootfs for different "
    "architectures, and the appropriate rootfs will be used during "
    "emulation. Format: '--linux_rootfs ARCH,PATH'. ARCH is 'x86', "
    "'x86-64', 'arm', or 'mips'. PATH is the absolute host path to the "
    "directory to be used as rootfs.",
)


class Linux(OSPlugin):
    NAME = "Linux"

    def __init__(self, z):
        """Set up the Linux OS plugin on top of the generic OSPlugin machinery.

        `initial_parse` starts out False; presumably parse() flips it once
        the first binary has been handled (parse() is not fully visible here).
        """
        super(Linux, self).__init__(z)
        self.initial_parse = False

    def parse(self, path, binary_data):
# You should have received a copy of the GNU Affero General Public
# License along with this program.  If not, see
# <http://www.gnu.org/licenses/>.
# ======================================================================
import base64
import json
import logging

from os.path import abspath, basename

from termcolor import colored

from zelos import CommandLineOption, IPlugin, Zelos

# Opt-in switches for the Overlay plugin below. Both are plain boolean
# flags (store_true); what is written, where, and in which format is
# decided by the plugin body, which is not visible in this chunk.
#
# NOTE(review): an exported memory image contains whatever the emulated
# program held in memory, secrets included -- treat the output files with
# the same care as the sample itself.
CommandLineOption("export_mem",
                  action="store_true",
                  help="Export memory regions.")

CommandLineOption("export_trace",
                  action="store_true",
                  help="Export dynamic trace data.")


class Overlay(IPlugin):
    """
    Provides functionality for exporting memory & instruction overlays.
    """
    def __init__(self, z: Zelos):
        super().__init__(z)

        self.logger = logging.getLogger(__name__)
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.

# You should have received a copy of the GNU Affero General Public
# License along with this program.  If not, see
# <http://www.gnu.org/licenses/>.
# ======================================================================
from collections import defaultdict

from zelos import CommandLineOption, HookType, IPlugin

# Execution-budget options consumed by the plugin below (its body is not
# visible in this chunk).
#
# NOTE(review): both default to 0, which presumably means "no limit";
# confirm against the plugin's check before relying on that reading.
CommandLineOption(
    "syscall_limit",
    type=int,
    default=0,
    help="Stop execution after SYSCALL_LIMIT syscalls are executed.",
)

# Per-thread variant of the above: ends only the thread that crosses the
# count, according to the help text.
CommandLineOption(
    "syscall_thread_limit",
    type=int,
    default=0,
    help="End THREAD after SYSCALL_THREAD_LIMIT syscalls are executed"
    " in that thread",
)

CommandLineOption(
    "syscall_thread_swap",
    type=int,
    default=100,
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.

# You should have received a copy of the GNU Affero General Public
# License along with this program.  If not, see
# <http://www.gnu.org/licenses/>.
# ======================================================================

from collections import defaultdict

from zelos import Zelos, IPlugin, CommandLineOption, HookType
import hexdump

# --asan: boolean opt-in for the heap-tracking plugin in this file. The
# records below (WriteRecord, AllocInfo) are the data it keeps.
CommandLineOption("asan", action="store_true", help="ASAN-like capabilities")


class WriteRecord:
    """One observed memory write: which instruction wrote which value where.

    All three attributes are public and stored exactly as passed in; the
    value is not copied or converted.
    """

    def __init__(self, ip_addr, mem_addr, value):
        # Address of the instruction that performed the write.
        self.ip_addr = ip_addr
        # Destination address of the write.
        self.mem_addr = mem_addr
        # The written value, whatever type the caller supplied.
        self.value = value

    def __repr__(self):
        # Both addresses are printed as 0x-prefixed hex; the value via str().
        writer = f"0x{self.ip_addr:x}"
        target = f"0x{self.mem_addr:x}"
        return f"(ip {writer}: {self.value} -> {target})"


class AllocInfo:
    def __init__(self, addr, size, inst_addr, desc, is_free=False):
        # Address of the corresponding heap buffer allocation
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.

# You should have received a copy of the GNU Affero General Public
# License along with this program.  If not, see
# <http://www.gnu.org/licenses/>.
# ======================================================================
from collections import defaultdict

from zelos import CommandLineOption, HookType, IPlugin, Zelos

# Global syscall budget. The plugin that enforces it is not visible in
# this chunk; default 0 presumably means "unlimited" -- TODO confirm.
CommandLineOption(
    "syscall_limit",
    type=int,
    default=0,
    help="Stop execution after SYSCALL_LIMIT syscalls are executed.",
)

# Per-thread budget: per the help text only the offending thread ends.
CommandLineOption(
    "syscall_thread_limit",
    type=int,
    default=0,
    help="End THREAD after SYSCALL_THREAD_LIMIT syscalls are executed"
    " in that thread",
)

CommandLineOption(
    "syscall_thread_swap",
    type=int,
    default=100,
from collections import defaultdict
from graphviz import Digraph
from zelos import CommandLineOption, IPlugin, Zelos
from zelos.exceptions import MemoryReadUnmapped

# --cfg switches the GraphvizCFG plugin on. Its __init__ below renders to
# a fixed "cfg" / "cfg.png" in the current working directory, so run from
# a scratch directory if a file of that name must not be overwritten.
CommandLineOption(
    "cfg", action="store_true", help="Generate a Control Flow Graph (CFG)."
)

class GraphvizCFG(IPlugin):
    """
    Plugin for zelos that generates a control flow graph using graphviz.
    """
    def __init__(self, z: Zelos):
        super().__init__(z)

        self.logger = self.zelos.logger

        if not self._check_config():
            return

        self.last_inst = None
        self.edges = defaultdict(list)

        if self.zelos.config.cfg:
            self.cfg = Digraph(filename="cfg", format="png")
            self._subscribe_to_feed()

            def closure():
                self.cfg.render()
                self.logger.info("Saved CFG to 'cfg.png'")
# <http://www.gnu.org/licenses/>.
# ======================================================================

import logging

import capstone.arm_const as cs_arm
import capstone.x86_const as cs_x86

from termcolor import colored

from zelos import CommandLineOption, IPlugin
from zelos.exceptions import MemoryReadUnmapped

# --trace_off silences the console trace entirely.
CommandLineOption(
    "trace_off",
    action="store_true",
    help="Turns off printing on the command line",
)

# --trace_file redirects the trace to a host file instead of stdout. The
# open mode is not visible in this chunk; assume an existing file at that
# path is overwritten -- TODO confirm.
CommandLineOption(
    "trace_file",
    type=str,
    default=None,
    help="Writes the trace to a file instead of the command line.",
)

CommandLineOption(
    "fasttrace",
    action="count",
    default=0,
    help=("Enable instruction-level tracing only the first time a memory "
"""
# tl;dr

This is a copy of the strings_script.py file, except written as a Zelos
plugin. To make Zelos load this plugin, do one of the following:

  * copy this file into the zelos/ext/plugins folder
  * add the folder containing this file to the ZELOS_PLUGIN_DIR
    environment variable

Plugins are ordinary Python modules executed inside the Zelos process, so
only point ZELOS_PLUGIN_DIR at directories whose contents you trust.


"""

# NOTE(review): nothing in this file imports CommandLineOption or IPlugin;
# as shown, importing the module raises NameError on the call below. The
# sibling plugins use `from zelos import CommandLineOption, IPlugin`.
#
# --print_strings: minimum length of a string to report. What the None
# default means is decided by the plugin body, which is not visible here.
CommandLineOption(
    "print_strings",
    type=int,
    default=None,
    help="The minimum size of string to identify",
)


class StringCollectorPlugin(IPlugin):
    NAME = "strings"
    """
    Identifies strings that are written in-memory. We identify strings by the
    observation that when they are written to memory
      * They are comprised of valid utf-8 bytes
      * The string is written in sequential chunks.

    This runs into some false positives with data that happens to be
    valid utf-8. To reduce false positives we observe that
      * Strings often end at the first null byte.
import pathlib

from collections import defaultdict
from io import StringIO
from itertools import islice
from pathlib import Path
from typing import Generator, List

import zelos

from zelos import CommandLineOption, IPlugin, Zelos

# Rule sources for the YARA memory scanner. --yara_file may be repeated;
# the glob form is presumably expanded on the host by the plugin (not
# visible in this chunk).
#
# NOTE(review): a broad glob loads every matching file under the tree, so
# keep the pattern specific to the rule set you actually intend to run.
CommandLineOption(
    "yara_file",
    type=str,
    action="append",
    default=[],
    help="Scan memory for yara rules in the specified file(s)",
)
CommandLineOption(
    "yara_file_glob",
    type=str,
    default=None,
    help="Scan memory for yara rules in all files specified by the given glob",
)
CommandLineOption(
    "yara_rule",
    type=str,
    action="append",
    default=[],
    help="Scan memory for the specified yara rule string(s).",
from crashd.taint.tcg import TCGParse
from crashd.taint.taint_graph import TaintGraph
from crashd.dwarf.dwarf_source_code import (
    show_tainted_source,
    annotate_with_dwarf_data,
    get_function_info,
)

from zelos.ext.plugins.trace import Trace

# Trace is imported for its side effects only (presumably registering the
# trace plugin and its options); binding it to `_` keeps unused-import
# linters quiet without dropping the import.
_ = Trace

# --taint is opt-in because, per the help text, collection slows the run.
CommandLineOption(
    "taint",
    action="store_true",
    help=("Enables collection of data that allows for taint tracking."
          " Collection will slow down overall run."),
)

# --taint_when takes a ZML condition string. If these kwargs map onto
# argparse as they appear to, nargs="?" with const="" means a bare
# --taint_when appends an empty string; how the plugin treats that is not
# visible in this chunk.
CommandLineOption(
    "taint_when",
    action="append",
    nargs="?",
    default=[],
    const="",
    metavar="ZML_STRING",
    help="Starts taint tracking when the specified ZML condition is met.",
)

CommandLineOption(
    "taint_output",
# You should have received a copy of the GNU Affero General Public
# License along with this program.  If not, see
# <http://www.gnu.org/licenses/>.
# ======================================================================
import base64
import json
import logging

from os.path import abspath, basename

from termcolor import colored

from zelos import CommandLineOption, IPlugin, Zelos

# Opt-in switches for the Overlay plugin below; all three are plain
# boolean flags. Output location and format are decided by the plugin
# body, which is not visible in this chunk.
#
# NOTE(review): an exported memory image contains whatever the emulated
# program held in memory, secrets included -- treat the output files with
# the same care as the sample itself.
CommandLineOption("export_mem",
                  action="store_true",
                  help="Export memory regions.")

CommandLineOption("export_insts",
                  action="store_true",
                  help="Export instructions.")

CommandLineOption("export_funcs",
                  action="store_true",
                  help="Export functions.")


class Overlay(IPlugin):
    """
    Provides functionality for exporting memory & instruction overlays.
    """