def sym(data, addr, status):
    cont = Container.from_string(data, loc_db=loc_db, addr=addr)
    mdis = machine.dis_engine(cont.bin_stream, loc_db=loc_db)
    asm_block = mdis.dis_block(addr)

    # Translate ASM -> IR
    ircfg = ira.new_ircfg()
    try:
        ira.add_asmblock_to_ircfg(asm_block, ircfg)
    except NotImplementedError:
        return None

    # Instantiate a Symbolic Execution engine with default value for registers
    regs_init = regs.regs_init
    sympool = copy.deepcopy(regs_init)
    sympool.update(status)
    symb = SymbolicExecutionEngine(ira, sympool)

    # Emulate one IR basic block
    ## Emulation of several basic blocks can be done through .emul_ir_blocks
    cur_addr = symb.run_at(ircfg, addr)
    IRDst = symb.symbols[ira.IRDst]

    expr = expr_simp_explicit(IRDst)
    #if isinstance(expr, ExprMem):
    #    expr = expr.ptr
    return expr
示例#2
0
文件: example.py 项目: 0cherry/miasm
import z3

from miasm.arch.x86.arch import mn_x86
from miasm.core.locationdb import LocationDB
from miasm.analysis.binary import Container
from miasm.analysis.machine import Machine
from miasm.ir.symbexec import SymbolicExecutionEngine
from miasm.analysis.dse import DSEEngine

from miasm.expression.expression import *
from miasm.ir.translators.z3_ir import Z3Mem, TranslatorZ3

loc_db = LocationDB()
s = '\x8dI\x04\x8d[\x01\x80\xf9\x01t\x05\x8d[\xff\xeb\x03\x8d[\x01\x89\xd8\xc3'
s = '\x55\x8b\xec\x83\xec\x08\xc7\x45\xf8\xcc\xcc\xcc\xcc\xc7\x45\xfc\xcc\xcc\xcc\xcc\xc7\x45\xfc\x03\x00\x00\x00\xc7\x45\xf8\x05\x00\x00\x00\x83\x7d\xfc\x05\x7e\x07\x8b\x45\xfc\xeb\x09\xeb\x05\x8b\x45\xf8\xeb\x02\x33\xc0\x8b\xe5\x5d\xc3'
c = Container.from_string(s)
machine = Machine('x86_32')
mdis = machine.dis_engine(c.bin_stream)
asmcfg = mdis.dis_multiblock(0)
for block in asmcfg.blocks:
    print(block.to_string(asmcfg.loc_db))
ira = machine.ira(loc_db)
ircfg = ira.new_ircfg_from_asmcfg(asmcfg)
# print(ircfg)
# ircfg = ira.new_ircfg(asmcfg)
# print(loc_db._offset_to_loc_key.keys()[0])
sb = SymbolicExecutionEngine(ira)
# symbolic_pc = sb.run_at(ircfg, loc_db._offset_to_loc_key.keys()[0])
# for index, info in enumerate(sb.info_ids):
#     print('###### step', index+1)
#     print('\t', info[0])
示例#3
0
    fpath = '../testbins/tests-linux-x64-elf'
    if sys.argv[1:]:
        fpath = sys.argv[1]

    sym_name = 'collatz_message'
    if sys.argv[2:]:
        sym_name = sys.argv[2]

    with open(fpath, 'rb') as fp:
        data = fp.read()

    # Container is superclass of ContainerELF, ContainerPE, etc.
    # Is container the analog of Binja's BinaryView?
    #
    # container.arch = 'x86_64'
    container = Container.from_string(data)

    # list all symbols / addresses available from the container
    ldb = container.loc_db
    for k in ldb.loc_keys:
        offset = ldb.get_location_offset(k)
        names = [x.decode() for x in ldb.get_location_names(k)]

        #print('%08X:' % offset)
        #for name in names:
        #    print('\t"%s"' % name)

    # disassemble the given symbol
    machine = Machine(container.arch)
    disassembler = machine.dis_engine(container.bin_stream, loc_db=container.loc_db)
示例#4
0
from __future__ import print_function
from miasm.analysis.binary import Container
from miasm.analysis.machine import Machine

# The Container will provide a *bin_stream*, bytes source for the disasm engine
cont = Container.from_string(b"\x83\xf8\x10\x74\x07\x89\xc6\x0f\x47\xc3\xeb\x08\x89\xc8\xe8\x31\x33\x22\x11\x40\xc3")

# Instantiate a x86 32 bit architecture
machine = Machine("x86_32")

# Instantiate a disassembler engine, using the previous bin_stream and its
# associated location DB.
mdis = machine.dis_engine(cont.bin_stream, loc_db=cont.loc_db)

# Run a recursive traversal disassembling from address 0
asmcfg = mdis.dis_multiblock(0)

# Display each basic blocks
for block in asmcfg.blocks:
    print(block)

# Output control flow graph in a dot file
open('str_cfg.dot', 'w').write(asmcfg.dot())
示例#5
0
    # Update next blocks to process in the disassembly engine
    cur_bloc.bto.clear()
    cur_bloc.add_cst(loc_key, AsmConstraint.c_next)


# Prepare a tiny shellcode
shellcode = (
    b"\xe8\x00\x00\x00\x00"  # CALL $
    b"X"  # POP EAX
    b"\xc3"  # RET
)

# Instantiate a x86 32 bit architecture
machine = Machine("x86_32")
cont = Container.from_string(shellcode)
mdis = machine.dis_engine(cont.bin_stream, loc_db=cont.loc_db)

print("Without callback:\n")
asmcfg = mdis.dis_multiblock(0)
print("\n".join(str(block) for block in asmcfg.blocks))

# Enable callback
mdis.dis_block_callback = cb_x86_callpop

print("=" * 40)
print("With callback:\n")
asmcfg_after = mdis.dis_multiblock(0)
print("\n".join(str(block) for block in asmcfg_after.blocks))

# Ensure the callback has been called
示例#6
0
from miasm.analysis.binary import Container
from miasm.analysis.machine import Machine
from miasm.ir.symbexec import SymbolicExecutionEngine
from miasm.core.locationdb import LocationDB

START_ADDR = 0
machine = Machine("x86_32")
loc_db = LocationDB()

# Assemble and disassemble a MOV
## Ensure that attributes 'offset' and 'l' are set
line = machine.mn.fromstring("MOV EAX, EBX", loc_db, 32)
asm = machine.mn.asm(line)[0]

# Get back block
cont = Container.from_string(asm, loc_db = loc_db)
mdis = machine.dis_engine(cont.bin_stream, loc_db=loc_db)
mdis.lines_wd = 1
asm_block = mdis.dis_block(START_ADDR)

# Translate ASM -> IR
lifter_model_call = machine.lifter_model_call(mdis.loc_db)
ircfg = lifter_model_call.new_ircfg()
lifter_model_call.add_asmblock_to_ircfg(asm_block, ircfg)

# Instantiate a Symbolic Execution engine with default value for registers
symb = SymbolicExecutionEngine(lifter_model_call)

# Emulate one IR basic block
## Emulation of several basic blocks can be done through .emul_ir_blocks
cur_addr = symb.run_at(ircfg, START_ADDR)
示例#7
0
    # Update next blocks to process in the disassembly engine
    cur_bloc.bto.clear()
    cur_bloc.add_cst(loc_key, AsmConstraint.c_next)


# Prepare a tiny shellcode
shellcode = (
    b"\xe8\x00\x00\x00\x00"  # CALL $
    b"X"  # POP EAX
    b"\xc3"  # RET
)

# Instantiate a x86 32 bit architecture
machine = Machine("x86_32")
loc_db = LocationDB()
cont = Container.from_string(shellcode, loc_db)
mdis = machine.dis_engine(cont.bin_stream, loc_db=loc_db)

print("Without callback:\n")
asmcfg = mdis.dis_multiblock(0)
print("\n".join(str(block) for block in asmcfg.blocks))

# Enable callback
mdis.dis_block_callback = cb_x86_callpop

print("=" * 40)
print("With callback:\n")
asmcfg_after = mdis.dis_multiblock(0)
print("\n".join(str(block) for block in asmcfg_after.blocks))

# Ensure the callback has been called
示例#8
0
from pdb import pm

from future.utils import viewitems

from miasm.core.utils import decode_hex
from miasm.analysis.machine import Machine
from miasm.analysis.binary import Container
from miasm.core.asmblock import AsmCFG, AsmConstraint, AsmBlock, \
    AsmBlockBad, AsmConstraintTo, AsmConstraintNext, \
    bbl_simplifier
from miasm.core.graph import DiGraphSimplifier, MatchGraphJoker
from miasm.expression.expression import ExprId

# Initial data: from 'samples/simple_test.bin'
data = decode_hex("5589e583ec10837d08007509c745fc01100000eb73837d08017709c745fc02100000eb64837d08057709c745fc03100000eb55837d080774138b450801c083f80e7509c745fc04100000eb3c8b450801c083f80e7509c745fc05100000eb298b450883e03085c07409c745fc06100000eb16837d08427509c745fc07100000eb07c745fc081000008b45fcc9c3")
cont = Container.from_string(data)

# Test Disasm engine
machine = Machine("x86_32")
mdis = machine.dis_engine(cont.bin_stream, loc_db=cont.loc_db)
## Disassembly of one block
first_block = mdis.dis_block(0)
assert len(first_block.lines) == 5
print(first_block)

## Test redisassemble asmcfg
first_block_bis = mdis.dis_block(0)
assert len(first_block.lines) == len(first_block_bis.lines)
print(first_block_bis)

## Disassembly of several block, with cache
示例#9
0
from miasm.core.utils import decode_hex
from miasm.analysis.machine import Machine
from miasm.analysis.binary import Container
from miasm.core.asmblock import AsmCFG, AsmConstraint, AsmBlock, \
    AsmBlockBad, AsmConstraintTo, AsmConstraintNext, \
    bbl_simplifier
from miasm.core.graph import DiGraphSimplifier, MatchGraphJoker
from miasm.expression.expression import ExprId
from miasm.core.locationdb import LocationDB

# Initial data: from 'samples/simple_test.bin'
data = decode_hex(
    "5589e583ec10837d08007509c745fc01100000eb73837d08017709c745fc02100000eb64837d08057709c745fc03100000eb55837d080774138b450801c083f80e7509c745fc04100000eb3c8b450801c083f80e7509c745fc05100000eb298b450883e03085c07409c745fc06100000eb16837d08427509c745fc07100000eb07c745fc081000008b45fcc9c3"
)
loc_db = LocationDB()
cont = Container.from_string(data, loc_db)

# Test Disasm engine
machine = Machine("x86_32")
mdis = machine.dis_engine(cont.bin_stream, loc_db=loc_db)
## Disassembly of one block
first_block = mdis.dis_block(0)
assert len(first_block.lines) == 5
print(first_block)

## Test redisassemble asmcfg
first_block_bis = mdis.dis_block(0)
assert len(first_block.lines) == len(first_block_bis.lines)
print(first_block_bis)

## Disassembly of several block, with cache
示例#10
0
from __future__ import print_function
from miasm.analysis.binary import Container
from miasm.analysis.machine import Machine

# The Container will provide a *bin_stream*, bytes source for the disasm engine
cont = Container.from_string(
    b"\x83\xf8\x10\x74\x07\x89\xc6\x0f\x47\xc3\xeb\x08\x89\xc8\xe8\x31\x33\x22\x11\x40\xc3"
)

# Instantiate a x86 32 bit architecture
machine = Machine("x86_32")

# Instantiate a disassembler engine, using the previous bin_stream and its
# associated location DB.
mdis = machine.dis_engine(cont.bin_stream, loc_db=cont.loc_db)

# Run a recursive traversal disassembling from address 0
asmcfg = mdis.dis_multiblock(0)

# Display each basic blocks
for block in asmcfg.blocks:
    print(block)

# Output control flow graph in a dot file
open('str_cfg.dot', 'w').write(asmcfg.dot())
示例#11
0
from miasm.analysis.binary import Container
from miasm.analysis.machine import Machine
from miasm.ir.symbexec import SymbolicExecutionEngine
from miasm.core.locationdb import LocationDB

START_ADDR = 0
machine = Machine("x86_32")
loc_db = LocationDB()

# Assemble and disassemble a MOV
## Ensure that attributes 'offset' and 'l' are set
line = machine.mn.fromstring("MOV EAX, EBX", loc_db, 32)
asm = machine.mn.asm(line)[0]

# Get back block
cont = Container.from_string(asm, loc_db = loc_db)
mdis = machine.dis_engine(cont.bin_stream, loc_db=loc_db)
mdis.lines_wd = 1
asm_block = mdis.dis_block(START_ADDR)

# Translate ASM -> IR
ira = machine.ira(mdis.loc_db)
ircfg = ira.new_ircfg()
ira.add_asmblock_to_ircfg(asm_block, ircfg)

# Instantiate a Symbolic Execution engine with default value for registers
symb = SymbolicExecutionEngine(ira)

# Emulate one IR basic block
## Emulation of several basic blocks can be done through .emul_ir_blocks
cur_addr = symb.run_at(ircfg, START_ADDR)
示例#12
0
文件: asmblock.py 项目: cea-sec/miasm
from pdb import pm

from future.utils import viewitems

from miasm.core.utils import decode_hex
from miasm.analysis.machine import Machine
from miasm.analysis.binary import Container
from miasm.core.asmblock import AsmCFG, AsmConstraint, AsmBlock, \
    AsmBlockBad, AsmConstraintTo, AsmConstraintNext, \
    bbl_simplifier
from miasm.core.graph import DiGraphSimplifier, MatchGraphJoker
from miasm.expression.expression import ExprId

# Initial data: from 'samples/simple_test.bin'
data = decode_hex("5589e583ec10837d08007509c745fc01100000eb73837d08017709c745fc02100000eb64837d08057709c745fc03100000eb55837d080774138b450801c083f80e7509c745fc04100000eb3c8b450801c083f80e7509c745fc05100000eb298b450883e03085c07409c745fc06100000eb16837d08427509c745fc07100000eb07c745fc081000008b45fcc9c3")
cont = Container.from_string(data)

# Test Disasm engine
machine = Machine("x86_32")
mdis = machine.dis_engine(cont.bin_stream, loc_db=cont.loc_db)
## Disassembly of one block
first_block = mdis.dis_block(0)
assert len(first_block.lines) == 5
print(first_block)

## Test redisassemble asmcfg
first_block_bis = mdis.dis_block(0)
assert len(first_block.lines) == len(first_block_bis.lines)
print(first_block_bis)

## Disassembly of several block, with cache
示例#13
0
文件: callback.py 项目: cea-sec/miasm
    # Update next blocks to process in the disassembly engine
    cur_bloc.bto.clear()
    cur_bloc.add_cst(loc_key, AsmConstraint.c_next)


# Prepare a tiny shellcode
shellcode = (
    b"\xe8\x00\x00\x00\x00" # CALL $
    b"X"                    # POP EAX
    b"\xc3"                 # RET
)

# Instantiate a x86 32 bit architecture
machine = Machine("x86_32")
cont = Container.from_string(shellcode)
mdis = machine.dis_engine(cont.bin_stream, loc_db=cont.loc_db)

print("Without callback:\n")
asmcfg = mdis.dis_multiblock(0)
print("\n".join(str(block) for block in asmcfg.blocks))

# Enable callback
mdis.dis_block_callback = cb_x86_callpop

print("=" * 40)
print("With callback:\n")
asmcfg_after = mdis.dis_multiblock(0)
print("\n".join(str(block) for block in asmcfg_after.blocks))

# Ensure the callback has been called