diff options
author | bloodstalker <thabogre@gmail.com> | 2018-03-19 14:08:48 +0000 |
---|---|---|
committer | bloodstalker <thabogre@gmail.com> | 2018-03-19 14:08:48 +0000 |
commit | 256aa3de2212dd77d80f4cf86c64f988b448bbc7 (patch) | |
tree | 2237b97f18bb6d5830e69bef7959f5726a6e3a4b | |
parent | added a lua module for asmrewriter, will soon add docs. you can try the new m... (diff) | |
download | mutator-256aa3de2212dd77d80f4cf86c64f988b448bbc7.tar.gz mutator-256aa3de2212dd77d80f4cf86c64f988b448bbc7.zip |
some fixes
-rwxr-xr-x | bfd/load.py | 174 | ||||
-rw-r--r-- | bruiser/bruiser.cpp | 9 | ||||
-rw-r--r-- | bruiser/bruisercapstone.c | 4 | ||||
-rw-r--r-- | bruiser/hs/.depend | 0 | ||||
-rw-r--r-- | bruiser/hs/Safe.hs | 9 | ||||
-rw-r--r-- | bruiser/hs/Safe_stub.h | 9 | ||||
-rw-r--r-- | bruiser/hs/bruiserhs.c | 45 | ||||
-rw-r--r-- | bruiser/hs/bruiserhs.h | 0 | ||||
-rw-r--r-- | bruiser/hs/makefile | 37 | ||||
-rwxr-xr-x | bruiser/hs/run.sh | 6 | ||||
-rw-r--r-- | bruiser/lua-scripts/demo2.lua | 4 |
11 files changed, 220 insertions, 77 deletions
diff --git a/bfd/load.py b/bfd/load.py index 270ebec..86d66d4 100755 --- a/bfd/load.py +++ b/bfd/load.py @@ -42,6 +42,7 @@ class ExceptionHandler(object): class CLIArgParser(object): def __init__(self): parser = argparse.ArgumentParser() + parser.add_argument("--dbg", action="store_true", help="debug", default=False) parser.add_argument("--obj", type=str, help="path to the executbale, shared object or object you want to load in bruiser") parser.add_argument("--header", action='store_true', help="dump headers", default=False) parser.add_argument("--symboltable", action='store_true', help="dump symbol table", default=False) @@ -58,6 +59,8 @@ class CLIArgParser(object): parser.add_argument("--dlpath", action='store_true', help="dump dynamic linker path", default=False) parser.add_argument("--phdynent", action='store_true', help="dump ph PT_DYNAMIC entries", default=False) parser.add_argument("--section", type=str, help="dump a section") + parser.add_argument("--dumpfunc", type=str, help="dump a functions machine code") + parser.add_argument("--dumpfuncasm", type=str, help="dump a functions assembly code") self.args = parser.parse_args() if self.args.obj is None: raise Exception("no object file provided. please specify an object with --obj.") @@ -741,6 +744,7 @@ class ELF(object): return ''.join(name) def get_ph_dyn_entries(self): + size = 0 for phdr in self.phdr: if byte2int(phdr.p_type) == p_type_e.PT_DYNAMIC: self.so.seek(byte2int(phdr.p_offset), 0) @@ -791,9 +795,11 @@ class ELF(object): return ret_list def dump_section(self, section_name, dump): + hit = False for section in self.shhdr: name = self.read_section_name(byte2int(section.sh_name)) if name == section_name: + hit = True self.so.seek(byte2int(section.sh_offset)) obj = self.so.read(byte2int(section.sh_size)) if section_name == ".interp": self.dlpath = repr(obj) @@ -826,6 +832,7 @@ class ELF(object): ret_dummy.append(obj[i]) #print(ret_dummy) return ret_dummy + if not hit: print(Colors.red + Colors.BOLD + "section is not present" + Colors.ENDC) def dump_obj_size(self, stt_type, dump_b): ret_list = [] @@ -862,29 +869,34 @@ class ELF(object): print(line) def dump_header(self): - print("------------------------------------------------------------------------------") - print(Colors.green + "elf header:" + Colors.ENDC) - print(Colors.blue + "ei_mag: " + Colors.cyan + repr(self.elfhdr.ei_mag) + Colors.ENDC) - print(Colors.blue + "ei_class: " + Colors.cyan + repr(byte2int(self.elfhdr.ei_class)) + Colors.ENDC) - print(Colors.blue + "ei_data: " + Colors.cyan + repr(byte2int(self.elfhdr.ei_data)) + Colors.ENDC) - print(Colors.blue + "ei_version: " + Colors.cyan + repr(byte2int(self.elfhdr.ei_version)) + Colors.ENDC) - print(Colors.blue + "ei_osabi: " + Colors.cyan + repr(byte2int(self.elfhdr.ei_osabi)) + Colors.ENDC) - print(Colors.blue + "ei_abiversion: " + Colors.cyan + repr(byte2int(self.elfhdr.ei_abiversion)) + Colors.ENDC) - print(Colors.blue + "ei_pad: " + Colors.cyan + repr(byte2int(self.elfhdr.ei_pad)) + Colors.ENDC) - print(Colors.blue + "e_type: " + Colors.cyan + repr(byte2int(self.elfhdr.e_type)) + Colors.ENDC) - print(Colors.blue + "e_machine: " + Colors.cyan + repr(byte2int(self.elfhdr.e_machine)) + Colors.ENDC) - print(Colors.blue + "e_version: " + Colors.cyan + repr(byte2int(self.elfhdr.e_version)) + Colors.ENDC) - print(Colors.blue + "e_entry: " + Colors.cyan + repr(byte2int(self.elfhdr.e_entry)) + Colors.ENDC) - print(Colors.blue + "e_phoff: " + Colors.cyan + repr(byte2int(self.elfhdr.e_phoff)) + Colors.ENDC) - print(Colors.blue + "e_shoff: " + Colors.cyan + repr(byte2int(self.elfhdr.e_shoff)) + Colors.ENDC) - print(Colors.blue + "e_flags: " + Colors.cyan + repr(byte2int(self.elfhdr.e_flags)) + Colors.ENDC) - print(Colors.blue + "e_ehsize: " + Colors.cyan + repr(byte2int(self.elfhdr.e_ehsize)) + Colors.ENDC) - print(Colors.blue + "e_phentsize: " + Colors.cyan + repr(byte2int(self.elfhdr.e_phentsize)) + Colors.ENDC) - print(Colors.blue + "e_phnum: " + Colors.cyan + repr(byte2int(self.elfhdr.e_phnum)) + Colors.ENDC) - print(Colors.blue + "e_shentsize: " + Colors.cyan + repr(byte2int(self.elfhdr.e_shentsize)) + Colors.ENDC) - print(Colors.blue + "e_shnum: " + Colors.cyan + repr(byte2int(self.elfhdr.e_shnum)) + Colors.ENDC) - print(Colors.blue + "e_shstrndx: " + Colors.cyan + repr(byte2int(self.elfhdr.e_shstrndx)) + Colors.ENDC) - print("------------------------------------------------------------------------------") + header = ["ei_mag", "ei_class", "ei_data", "ei_version", "ei_osabi", "ei_abiversion", "ei_pad", + "e_type", "e_machine", "e_version", "e_version", "e_entry", "e_phoff", "e_shoff", "e_flags", + "e_entsize", "e_phentsize", "e_phnum", "e_shentsize", "e_shnum", "e_shstrndx"] + mag_list = [self.elfhdr.ei_mag] + class_list = [byte2int(self.elfhdr.ei_class)] + data_list = [byte2int(self.elfhdr.ei_data)] + version_list = [byte2int(self.elfhdr.ei_version)] + osabi_list = [byte2int(self.elfhdr.ei_osabi)] + abiversion_list = [byte2int(self.elfhdr.ei_abiversion)] + pad_list = [byte2int(self.elfhdr.ei_pad)] + type_list = [byte2int(self.elfhdr.e_type)] + machine_list = [byte2int(self.elfhdr.e_machine)] + version_list = [byte2int(self.elfhdr.e_version)] + entry_list = [byte2int(self.elfhdr.e_entry)] + phoff_list = [byte2int(self.elfhdr.e_phoff)] + shoff_list = [byte2int(self.elfhdr.e_shoff)] + flags_list = [byte2int(self.elfhdr.e_flags)] + ehsize_list = [byte2int(self.elfhdr.e_ehsize)] + phentsize_list = [byte2int(self.elfhdr.e_phentsize)] + phnum_list = [byte2int(self.elfhdr.e_phnum)] + shentsize_list = [byte2int(self.elfhdr.e_shentsize)] + shnum_list = [byte2int(self.elfhdr.e_shnum)] + shstrndx_list = [byte2int(self.elfhdr.e_shstrndx)] + lines = ffs(2, header, True, mag_list, class_list, data_list, version_list, osabi_list, abiversion_list, + pad_list, type_list, machine_list, version_list, entry_list, phoff_list, shoff_list, + flags_list, ehsize_list, phentsize_list, phnum_list, shentsize_list, phnum_list, shentsize_list, shnum_list, shstrndx_list) + for line in lines: + print(line) def dump_phdrs(self): header = ["p_type", "p_flags", "p_offset", "p_vaddr", "p_paddr", "p_filesz", "p_memsz", "p_flags2", "p_align"] @@ -1066,6 +1078,20 @@ def elf_get_func_code(): elf.init(64) return elf.dump_funcs(False) +def elf_get_func_code_byname(): + so = openSO_r(sys.argv[1]) + arg = openSO_r(sys.argv[2]) + elf = ELF(so) + elf.init(64) + counter = 0 + hit = False + for name in elf.dump_symbol_string(ELF_ST_TYPE.STT_FUNC, False): + if name == arg: + code = elf.dump_funcs(False)[counter] + hit = True + counter += 1 + return code + class Call_Rewriter(object): #def __init__(self, obj_code, arch, mode): def __init__(self, obj_code): @@ -1102,57 +1128,67 @@ class Rewriter(object): name = self.elf.read_section_name(byte2int(self.elf.shhdr[i].sh_name)) if section_name == name: self.magic_section_number = i + 1 + print(self.magic_section_number) def fix_section_size(self, section_name): pass +def premain(argparser): + so = openSO_r(argparser.args.obj) + elf = ELF(so) + elf.init(64) + if argparser.args.header: elf.dump_header() + elif argparser.args.symboltable: + elf.dump_symbol_tb(".strtab", sh_type_e.SHT_STRTAB) + elf.dump_symbol_tb(".dynstr", sh_type_e.SHT_STRTAB) + elif argparser.args.phdrs: elf.dump_phdrs() + elif argparser.args.shdrs: elf.dump_shdrs() + elif argparser.args.symbolindex: elf.dump_symbol_idx() + elif argparser.args.stentries: elf.dump_st_entries() + elif argparser.args.objcode: elf.dump_funcs(True) + elif argparser.args.funcs: elf.dump_symbol_string(ELF_ST_TYPE.STT_FUNC, True) + elif argparser.args.objs: elf.dump_symbol_string(ELF_ST_TYPE.STT_OBJECT, True) + elif argparser.args.dynsym: elf.dump_st_entries_dyn() + elif argparser.args.dlpath: elf.dump_section(".interp", True) + elif argparser.args.section: elf.dump_section(argparser.args.section, True) + elif argparser.args.test2: + rewriter = Rewriter(argparser.args.obj) + rewriter.fix_section_offsets(".text") + elif argparser.args.dumpfunc: + counter = 0 + for name in elf.dump_symbol_string(ELF_ST_TYPE.STT_FUNC, False): + if name == argparser.args.dumpfunc: + print(Colors.red + Colors.BOLD + name + Colors.ENDC) + code = elf.dump_funcs(False)[counter] + print(code) + counter += 1 + elif argparser.args.dumpfuncasm: + counter = 0 + hit = False + for name in elf.dump_symbol_string(ELF_ST_TYPE.STT_FUNC, False): + if name == argparser.args.dumpfuncasm: + code = elf.dump_funcs(False)[counter] + hit = True + counter += 1 + if hit: + md = Cs(CS_ARCH_X86, CS_MODE_64) + for i in md.disasm(bytes(code), 0x0): + print(hex(i.address).ljust(7), i.mnemonic.ljust(7), i.op_str) + elif argparser.args.phdynent: elf.dump_ph_dyn_entries() + def main(): - try: - argparser = CLIArgParser() - so = openSO_r(argparser.args.obj) - elf = ELF(so) - elf.init(64) - if argparser.args.header: elf.dump_header() - elif argparser.args.symboltable: - elf.dump_symbol_tb(".strtab", sh_type_e.SHT_STRTAB) - elf.dump_symbol_tb(".dynstr", sh_type_e.SHT_STRTAB) - elif argparser.args.phdrs: elf.dump_phdrs() - elif argparser.args.shdrs: elf.dump_shdrs() - elif argparser.args.symbolindex: elf.dump_symbol_idx() - elif argparser.args.stentries: elf.dump_st_entries() - elif argparser.args.objcode: elf.dump_funcs(True) - elif argparser.args.funcs: elf.dump_symbol_string(ELF_ST_TYPE.STT_FUNC, True) - elif argparser.args.objs: elf.dump_symbol_string(ELF_ST_TYPE.STT_OBJECT, True) - elif argparser.args.dynsym: elf.dump_st_entries_dyn() - elif argparser.args.dlpath: elf.dump_section(".interp", True) - elif argparser.args.section: elf.dump_section(argparser.args.section, True) - elif argparser.args.test2: - rewriter = Rewriter(argparser.args.obj) - rewriter.fix_section_offsets(".text") - elif argparser.args.test: - counter = 0 - print(elf.dump_funcs(False)[10]) - print(elf.dump_symbol_string(ELF_ST_TYPE.STT_FUNC, False)[10]) - for name in elf.dump_symbol_string(ELF_ST_TYPE.STT_FUNC, False): - if name == "glob": - print(counter) - print(elf.dump_funcs(False)[counter]) - print(name) - if name == "quad": - print(counter) - print(elf.dump_funcs(False)[counter]) - print(name) - counter += 1 - obj = elf.dump_funcs(False)[10] - rewriter = Call_Rewriter(obj) - rewriter.run() - elif argparser.args.phdynent: elf.dump_ph_dyn_entries() - except: - signal.signal(signal.SIGINT, SigHandler_SIGINT) - variables = globals().copy() - variables.update(locals()) - shell = code.InteractiveConsole(variables) - shell.interact(banner="PyElfDump REPL") + argparser = CLIArgParser() + if argparser.args.dbg: + try: + premain(argparser) + except: + signal.signal(signal.SIGINT, SigHandler_SIGINT) + variables = globals().copy() + variables.update(locals()) + shell = code.InteractiveConsole(variables) + shell.interact(banner="DELF REPL") + else: + premain(argparser) if __name__ == "__main__": main() diff --git a/bruiser/bruiser.cpp b/bruiser/bruiser.cpp index ea2add1..82cd632 100644 --- a/bruiser/bruiser.cpp +++ b/bruiser/bruiser.cpp @@ -325,8 +325,7 @@ class PyExec { Py_DECREF(pFunc); Py_DECREF(pModule); PyErr_Print(); - std::cout << RED << "call failed." << NORMAL << "\n"; - fprintf(stderr, "Call failed\n"); + std::cout << RED << "Call failed." << NORMAL << "\n"; return EXIT_FAILURE; } } @@ -476,6 +475,8 @@ class PyExec { std::vector<std::string> exportStrings(void) {return hexobj_str;} std::vector<std::uint8_t> exportTextSection(void) {return text_section;} + void getVarargs(std::vector<void*> _varargs) {varargs = _varargs;} + private: std::string py_script_name; std::string py_func_name; @@ -491,6 +492,7 @@ class PyExec { std::vector<std::string> hexobj_str; std::vector<std::vector<uint8_t>> hexobj; std::vector<uint8_t> text_section; + std::vector<void*> varargs; }; /**********************************************************************************************************************/ class XObjReliquary {}; @@ -1339,6 +1341,7 @@ class LuaWrapper action = lua_tostring(__ls, 3); if (action == "") PRINT_WITH_COLOR_LB(RED, "third argument is nil"); lua_pop(__ls, 3); + std::cout << NORMAL; } else { std::cout << RED << "wrong number of arguments provided. should give the python script name, python func name and its args.\n" << NORMAL; @@ -1349,7 +1352,7 @@ class LuaWrapper PyExec py(filename.c_str(), funcname.c_str(), objjpath.c_str()); if (Verbose) std::cout << BLUE << "running load.py: " << NORMAL << "\n"; - py.run(); + if (py.run() == EXIT_FAILURE) return 0; if (action == "code_list") { py.getAsCppByte(); //py.printHexObjs(); diff --git a/bruiser/bruisercapstone.c b/bruiser/bruisercapstone.c index f8dff64..8edc7ad 100644 --- a/bruiser/bruisercapstone.c +++ b/bruiser/bruisercapstone.c @@ -344,9 +344,7 @@ int dumpjmptable(JMP_S_T* current) { } } /**********************************************************************************************************************/ -void jmprewriter_j(JMP_S_T* jmp, uint8_t* code, JMP_T type, uint8_t* rewritten) { - -} +void jmprewriter_j(JMP_S_T* jmp, uint8_t* code, JMP_T type, uint8_t* rewritten) {} void jmprewriter_jne(JMP_S_T* jmp, uint8_t* code, JMP_T type, uint8_t* rewritten) {}; void jmprewriter_je(JMP_S_T* jmp, uint8_t* code, JMP_T type, uint8_t* rewritten) {} /**********************************************************************************************************************/ diff --git a/bruiser/hs/.depend b/bruiser/hs/.depend new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/bruiser/hs/.depend diff --git a/bruiser/hs/Safe.hs b/bruiser/hs/Safe.hs new file mode 100644 index 0000000..8994e9e --- /dev/null +++ b/bruiser/hs/Safe.hs @@ -0,0 +1,9 @@ +{-#Language ForeignFunctionInterface#-} +module Safe where +import Foreign.C.Types +fibonacci :: Int -> Int +fibonacci n = fibs !! n + where fibs = 0 : 1: zipWith (+) fibs (tail fibs) +fibonacci_hs ::CInt -> CInt +fibonacci_hs = fromIntegral.fibonacci.fromIntegral +foreign export ccall fibonacci_hs::CInt->CInt diff --git a/bruiser/hs/Safe_stub.h b/bruiser/hs/Safe_stub.h new file mode 100644 index 0000000..3d939a1 --- /dev/null +++ b/bruiser/hs/Safe_stub.h @@ -0,0 +1,9 @@ +#include "HsFFI.h" +#ifdef __cplusplus +extern "C" { +#endif +extern HsInt32 fibonacci_hs(HsInt32 a1); +#ifdef __cplusplus +} +#endif + diff --git a/bruiser/hs/bruiserhs.c b/bruiser/hs/bruiserhs.c new file mode 100644 index 0000000..1ab34d8 --- /dev/null +++ b/bruiser/hs/bruiserhs.c @@ -0,0 +1,45 @@ + +/***************************************************Project Mutator****************************************************/ +/*first line intentionally left blank.*/ +/*bruiser's lua asmrewriter implementation for jump tables*/ +/*Copyright (C) 2018 Farzad Sadeghi + +This program is free software; you can redistribute it and/or +modify it under the terms of the GNU General Public License +as published by the Free Software Foundation; either version 2 +of the License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program; if not, write to the Free Software +Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.*/ +/**********************************************************************************************************************/ +#include <HsFFI.h> +#ifdef __GLASCOW_HASKELL__ +#include "Safe_stub.h" +extern void __stginit_Safe(void); +#endif +#include "bruiserhs.h" +#include <stdio.h> + +#pragma weak main +int main(int argc, char** argv) { + int i; + hs_init(&argc, &argv); +#ifdef __GLASCOW_HASKELL__ + hs_add_root(__stginit_Safe); +#endif + + i = fibonacci_hs(42); + printf("Fibonnaci:%d\n", i); + + hs_exit(); + return 0; +} +/**********************************************************************************************************************/ +/*last line intentionally left blank*/ + diff --git a/bruiser/hs/bruiserhs.h b/bruiser/hs/bruiserhs.h new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/bruiser/hs/bruiserhs.h diff --git a/bruiser/hs/makefile b/bruiser/hs/makefile new file mode 100644 index 0000000..8787dd4 --- /dev/null +++ b/bruiser/hs/makefile @@ -0,0 +1,37 @@ +TARGET=bruiserhs +CC=clang +CC?=clang +CC_FLAGS= +CC_EXTRA?= +CC_FLAGS+=$(CC_EXTRA) + +SRCS=$(wildcard *.c) + +.DEFAULT:all clean + +.PHONY:all clean help + +all:$(TARGET) + +depend:.depend + +.depend:$(SRCS) + rm -rf .depend + $(CC) -MM $(CC_FLAGS) $^ > ./.depend + +-include ./.depend + +.c.o: + $(CC) $(CC_FLAGS) -c $< -o $@ + +$(TARGET): $(TARGET).o + $(CC) $^ $(LD_FLAGS) -o $@ + +clean: + rm -f *.o *~ $(TARGET) + rm .depend + +help: + @echo "all is the default target" + @echo "there is delete." + @echo "there is clean." diff --git a/bruiser/hs/run.sh b/bruiser/hs/run.sh new file mode 100755 index 0000000..413b088 --- /dev/null +++ b/bruiser/hs/run.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +ghc -c -O Safe.hs +ghc --make -no-hs-main -optc-O bruiserhs.c Safe -o bruiserhs + +"./bruiserhs" diff --git a/bruiser/lua-scripts/demo2.lua b/bruiser/lua-scripts/demo2.lua index db840fc..bd2eb91 100644 --- a/bruiser/lua-scripts/demo2.lua +++ b/bruiser/lua-scripts/demo2.lua @@ -118,9 +118,9 @@ function get_jmp_table() end --main() ---pretty_dump() +pretty_dump() --test() --jmp_t_test() --integ_test() --asm_rewriter_pretty() -dump_jmp_table() +--dump_jmp_table() |