def miasm_load_vmlinux(kallsyms, vmlinux):
global g_machine
global g_code_size
global g_jitter
global g_cpu
if kallsyms['arch'] == 'arm':
g_cpu = "arml"
elif kallsyms['arch'] == 'arm64':
g_cpu = "aarch64l"
else:
raise Exception('Invalid arch')
g_machine = Machine(g_cpu)
g_jitter = g_machine.jitter('gcc')
start_addr = kallsyms['_start']
g_code_size = ((len(vmlinux) + 0x1000) >> 12 << 12)
g_code_size += 0x8000000 # bss
end_addr = start_addr + g_code_size
print_log("[+]mapping %s - %s" % (hex(start_addr), hex(end_addr)))
g_jitter.vm.add_memory_page(start_addr, PAGE_READ|PAGE_WRITE, b"\x00"*g_code_size, "code page")
g_jitter.vm.set_mem(kallsyms['_start'], vmlinux)
# stack
g_jitter.vm.add_memory_page(0xdead1000, PAGE_READ|PAGE_WRITE, b"\x00"*0x2000, "stack")
def jit_instructions(mn_str):
"""JIT instructions and return the jitter object."""
# Get the miasm Machine
machine = Machine("mepb")
mn_mep = machine.mn()
loc_db = LocationDB()
# Assemble the instructions
asm = b""
for instr_str in mn_str.split("\n"):
instr = mn_mep.fromstring(instr_str, "b")
instr.mode = "b"
asm += mn_mep.asm(instr)[0]
# Init the jitter and add the assembled instructions to memory
jitter = machine.jitter(loc_db, jit_type="gcc")
jitter.vm.add_memory_page(0, PAGE_READ | PAGE_WRITE, asm)
# Set the breakpoint
jitter.add_breakpoint(len(asm), lambda x: False)
# Jit the instructions
#jitter.init_stack()
jitter.init_run(0)
jitter.continue_run()
return jitter
class Arch(object):
"""
Parent class for Arch abstraction
"""
# Architecture name
_ARCH_ = None
def __init__(self, **kwargs):
self.machine = Machine(self._ARCH_)
self.jitter = self.machine.jitter(self.options.jitter)
@classmethod
def update_parser(cls, parser):
pass
class Arch(object):
"""
Parent class for Arch abstraction
"""
# Architecture name
_ARCH_ = None
def __init__(self, **kwargs):
self.machine = Machine(self._ARCH_)
self.jitter = self.machine.jitter(self.options.jitter)
@classmethod
def update_parser(cls, parser):
pass
import sys
from miasm.core.utils import decode_hex
from miasm.jitter.csts import PAGE_READ, PAGE_WRITE, EXCEPT_ACCESS_VIOL
from miasm.analysis.machine import Machine
def code_sentinelle(jitter):
jitter.run = False
jitter.pc = 0
return True
machine = Machine("x86_32")
jitter = machine.jitter(sys.argv[1])
jitter.init_stack()
# nop
# mov eax, 0x42
# jmp 0x20
data = decode_hex("90b842000000eb20")
# Will raise memory error at 0x40000028
error_raised = False
def raise_me(jitter):
global error_raised
error_raised = True
help="Strategy to use for solution creation")
args = parser.parse_args()
# Convert strategy to the correct value
strategy = {
"code-cov": DSEPathConstraint.PRODUCE_SOLUTION_CODE_COV,
"branch-cov": DSEPathConstraint.PRODUCE_SOLUTION_BRANCH_COV,
"path-cov": DSEPathConstraint.PRODUCE_SOLUTION_PATH_COV,
}[args.strategy]
loc_db = LocationDB()
# Map the shellcode
run_addr = 0x40000
machine = Machine("x86_32")
jitter = machine.jitter(loc_db, "python")
with open(args.filename, "rb") as fdesc:
jitter.vm.add_memory_page(
run_addr,
PAGE_READ | PAGE_WRITE,
fdesc.read(),
"Binary"
)
# Expect a binary with one argument on the stack
jitter.init_stack()
# Argument
jitter.push_uint32_t(0)
# Handle return
import sys
from miasm.core.utils import decode_hex
from miasm.jitter.csts import PAGE_READ, PAGE_WRITE, EXCEPT_UNK_MNEMO
from miasm.analysis.machine import Machine
from miasm.core.locationdb import LocationDB
def code_sentinelle(jitter):
jitter.running = False
jitter.pc = 0
return True
machine = Machine("x86_32")
loc_db = LocationDB()
jitter = machine.jitter(loc_db, sys.argv[1])
jitter.init_stack()
# nop
# mov eax, 0x42
# XX
data = decode_hex("90b842000000ffff90909090")
# Will raise memory error at 0x40000006
error_raised = False
def raise_me(jitter):
global error_raised
#! /usr/bin/env python2
#-*- coding:utf-8 -*-
import unittest
import logging
from miasm.analysis.machine import Machine
import miasm.os_dep.linux_stdlib as stdlib
from miasm.core.utils import pck32
from miasm.jitter.csts import PAGE_READ, PAGE_WRITE
machine = Machine("x86_32")
jit = machine.jitter()
jit.init_stack()
heap = stdlib.linobjs.heap
class TestLinuxStdlib(unittest.TestCase):
def test_xxx_sprintf(self):
def alloc_str(s):
s += b"\x00"
ptr = heap.alloc(jit, len(s))
jit.vm.set_mem(ptr, s)
return ptr
fmt = alloc_str(b"'%s' %d")
str_ = alloc_str(b"coucou")
buf = heap.alloc(jit,1024)
jit.push_uint32_t(1111)
jit.push_uint32_t(str_)
#! /usr/bin/env python2
#-*- coding:utf-8 -*-
import unittest
import logging
from miasm.analysis.machine import Machine
import miasm.os_dep.linux_stdlib as stdlib
from miasm.core.utils import pck32
from miasm.jitter.csts import PAGE_READ, PAGE_WRITE
machine = Machine("x86_32")
jit = machine.jitter()
jit.init_stack()
heap = stdlib.linobjs.heap
class TestLinuxStdlib(unittest.TestCase):
def test_xxx_sprintf(self):
def alloc_str(s):
s += b"\x00"
ptr = heap.alloc(jit, len(s))
jit.vm.set_mem(ptr, s)
return ptr
fmt = alloc_str(b"'%s' %d")
str_ = alloc_str(b"coucou")
buf = heap.alloc(jit,1024)
jit.push_uint32_t(1111)
jit.push_uint32_t(str_)
#! /usr/bin/env python2
#-*- coding:utf-8 -*-
import unittest
import logging
from miasm.analysis.machine import Machine
import miasm.os_dep.linux_stdlib as stdlib
from miasm.core.utils import pck32
from miasm.jitter.csts import PAGE_READ, PAGE_WRITE
from miasm.core.locationdb import LocationDB
machine = Machine("x86_32")
loc_db = LocationDB()
jit = machine.jitter(loc_db)
jit.init_stack()
heap = stdlib.linobjs.heap
class TestLinuxStdlib(unittest.TestCase):
def test_xxx_sprintf(self):
def alloc_str(s):
s += b"\x00"
ptr = heap.alloc(jit, len(s))
jit.vm.set_mem(ptr, s)
return ptr
fmt = alloc_str(b"'%s' %d")
str_ = alloc_str(b"coucou")
buf = heap.alloc(jit, 1024)
if args.verbose:
syscall.log.setLevel(logging.DEBUG)
# Get corresponding interpreter and reloc address
cont_target_tmp = Container.from_stream(open(args.target, 'rb'))
ld_path = bytes(cont_target_tmp.executable.getsectionbyname(".interp").content).strip(b"\x00")
if cont_target_tmp.executable.Ehdr.type in [elf_csts.ET_REL, elf_csts.ET_DYN]:
elf_base_addr = 0x40000000
elif cont_target_tmp.executable.Ehdr.type == elf_csts.ET_EXEC:
elf_base_addr = 0 # Not relocatable
else:
raise ValueError("Unsupported type %d" % cont_target_tmp.executable.Ehdr.type)
# Instantiate a jitter
machine = Machine(cont_target_tmp.arch)
jitter = machine.jitter(args.jitter)
jitter.init_stack()
# Get elements for the target architecture
if cont_target_tmp.arch == "arml":
LinuxEnvironment = environment.LinuxEnvironment_arml
syscall_callbacks = syscall.syscall_callbacks_arml
prepare_loader = environment.prepare_loader_arml
elif cont_target_tmp.arch == "x86_64":
LinuxEnvironment = environment.LinuxEnvironment_x86_64
syscall_callbacks = syscall.syscall_callbacks_x86_64
prepare_loader = environment.prepare_loader_x86_64
else:
raise ValueError("Unsupported architecture: %r", cont_target_tmp.arch)
# Load the interpreter in memory, applying relocation
# Get corresponding interpreter and reloc address
cont_target_tmp = Container.from_stream(open(args.target, 'rb'), loc_db)
ld_path = bytes(
cont_target_tmp.executable.getsectionbyname(".interp").content).strip(
b"\x00")
if cont_target_tmp.executable.Ehdr.type in [elf_csts.ET_REL, elf_csts.ET_DYN]:
elf_base_addr = 0x40000000
elif cont_target_tmp.executable.Ehdr.type == elf_csts.ET_EXEC:
elf_base_addr = 0 # Not relocatable
else:
raise ValueError("Unsupported type %d" %
cont_target_tmp.executable.Ehdr.type)
# Instantiate a jitter
machine = Machine(cont_target_tmp.arch)
jitter = machine.jitter(loc_db, args.jitter)
jitter.init_stack()
# Get elements for the target architecture
if cont_target_tmp.arch == "arml":
LinuxEnvironment = environment.LinuxEnvironment_arml
syscall_callbacks = syscall.syscall_callbacks_arml
prepare_loader = environment.prepare_loader_arml
elif cont_target_tmp.arch == "x86_64":
LinuxEnvironment = environment.LinuxEnvironment_x86_64
syscall_callbacks = syscall.syscall_callbacks_x86_64
prepare_loader = environment.prepare_loader_x86_64
else:
raise ValueError("Unsupported architecture: %r", cont_target_tmp.arch)
# Load the interpreter in memory, applying relocation
# Get corresponding interpreter and reloc address
cont_target_tmp = Container.from_stream(open(args.target, 'rb'))
ld_path = bytes(
cont_target_tmp.executable.getsectionbyname(".interp").content).strip(
b"\x00")
if cont_target_tmp.executable.Ehdr.type in [elf_csts.ET_REL, elf_csts.ET_DYN]:
elf_base_addr = 0x40000000
elif cont_target_tmp.executable.Ehdr.type == elf_csts.ET_EXEC:
elf_base_addr = 0 # Not relocatable
else:
raise ValueError("Unsupported type %d" %
cont_target_tmp.executable.Ehdr.type)
# Instantiate a jitter
machine = Machine(cont_target_tmp.arch)
jitter = machine.jitter(args.jitter)
jitter.init_stack()
# Get elements for the target architecture
if cont_target_tmp.arch == "arml":
LinuxEnvironment = environment.LinuxEnvironment_arml
syscall_callbacks = syscall.syscall_callbacks_arml
prepare_loader = environment.prepare_loader_arml
elif cont_target_tmp.arch == "x86_64":
LinuxEnvironment = environment.LinuxEnvironment_x86_64
syscall_callbacks = syscall.syscall_callbacks_x86_64
prepare_loader = environment.prepare_loader_x86_64
else:
raise ValueError("Unsupported architecture: %r", cont_target_tmp.arch)
# Load the interpreter in memory, applying relocation
parser.add_argument("filename", help="Target x86 shellcode")
parser.add_argument("strategy", choices=["code-cov", "branch-cov", "path-cov"],
help="Strategy to use for solution creation")
args = parser.parse_args()
# Convert strategy to the correct value
strategy = {
"code-cov": DSEPathConstraint.PRODUCE_SOLUTION_CODE_COV,
"branch-cov": DSEPathConstraint.PRODUCE_SOLUTION_BRANCH_COV,
"path-cov": DSEPathConstraint.PRODUCE_SOLUTION_PATH_COV,
}[args.strategy]
# Map the shellcode
run_addr = 0x40000
machine = Machine("x86_32")
jitter = machine.jitter("python")
with open(args.filename, "rb") as fdesc:
jitter.vm.add_memory_page(
run_addr,
PAGE_READ | PAGE_WRITE,
fdesc.read(),
"Binary"
)
# Expect a binary with one argument on the stack
jitter.init_stack()
# Argument
jitter.push_uint32_t(0)
# Handle return
import sys
from miasm.core.utils import decode_hex
from miasm.jitter.csts import PAGE_READ, PAGE_WRITE, EXCEPT_ACCESS_VIOL
from miasm.analysis.machine import Machine
def code_sentinelle(jitter):
jitter.run = False
jitter.pc = 0
return True
machine = Machine("x86_32")
jitter = machine.jitter(sys.argv[1])
jitter.init_stack()
# nop
# mov eax, 0x42
# jmp 0x20
data = decode_hex("90b842000000eb20")
# Will raise memory error at 0x40000028
error_raised = False
def raise_me(jitter):
global error_raised
error_raised = True
assert jitter.pc == 0x40000028
return False
parser.add_argument("strategy",
choices=["code-cov", "branch-cov", "path-cov"],
help="Strategy to use for solution creation")
args = parser.parse_args()
# Convert strategy to the correct value
strategy = {
"code-cov": DSEPathConstraint.PRODUCE_SOLUTION_CODE_COV,
"branch-cov": DSEPathConstraint.PRODUCE_SOLUTION_BRANCH_COV,
"path-cov": DSEPathConstraint.PRODUCE_SOLUTION_PATH_COV,
}[args.strategy]
# Map the shellcode
run_addr = 0x40000
machine = Machine("x86_32")
jitter = machine.jitter("python")
with open(args.filename, "rb") as fdesc:
jitter.vm.add_memory_page(run_addr, PAGE_READ | PAGE_WRITE, fdesc.read(),
"Binary")
# Expect a binary with one argument on the stack
jitter.init_stack()
# Argument
jitter.push_uint32_t(0)
# Handle return
def code_sentinelle(jitter):
jitter.run = False
return False