authorbloodstalker <thabogre@gmail.com>2018-03-19 14:08:48 +0000
committerbloodstalker <thabogre@gmail.com>2018-03-19 14:08:48 +0000
commit256aa3de2212dd77d80f4cf86c64f988b448bbc7 (patch)
tree2237b97f18bb6d5830e69bef7959f5726a6e3a4b
parentadded a lua module for asmrewriter, will soon add docs. you can try the new m... (diff)
downloadmutator-256aa3de2212dd77d80f4cf86c64f988b448bbc7.tar.gz
mutator-256aa3de2212dd77d80f4cf86c64f988b448bbc7.zip
some fixes
-rwxr-xr-xbfd/load.py174
-rw-r--r--bruiser/bruiser.cpp9
-rw-r--r--bruiser/bruisercapstone.c4
-rw-r--r--bruiser/hs/.depend0
-rw-r--r--bruiser/hs/Safe.hs9
-rw-r--r--bruiser/hs/Safe_stub.h9
-rw-r--r--bruiser/hs/bruiserhs.c45
-rw-r--r--bruiser/hs/bruiserhs.h0
-rw-r--r--bruiser/hs/makefile37
-rwxr-xr-xbruiser/hs/run.sh6
-rw-r--r--bruiser/lua-scripts/demo2.lua4
11 files changed, 220 insertions, 77 deletions
diff --git a/bfd/load.py b/bfd/load.py
index 270ebec..86d66d4 100755
--- a/bfd/load.py
+++ b/bfd/load.py
@@ -42,6 +42,7 @@ class ExceptionHandler(object):
class CLIArgParser(object):
def __init__(self):
parser = argparse.ArgumentParser()
+ parser.add_argument("--dbg", action="store_true", help="debug", default=False)
parser.add_argument("--obj", type=str, help="path to the executbale, shared object or object you want to load in bruiser")
parser.add_argument("--header", action='store_true', help="dump headers", default=False)
parser.add_argument("--symboltable", action='store_true', help="dump symbol table", default=False)
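Review bot: The help text for the new `--dbg` flag says only "debug", which does not tell the user what the flag actually does: in main() it wraps the run in a bare `except:` and drops into an interactive REPL holding the program's globals and locals on any exception. That is worth stating, since a user running the tool non-interactively (e.g. from bruiser) would not want a blocking console. Suggested wording: `parser.add_argument("--dbg", action="store_true", help="on any exception, drop into an interactive REPL with the program state", default=False)`. The pre-existing typo "executbale" on the next line could be fixed in passing.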
@@ -58,6 +59,8 @@ class CLIArgParser(object):
parser.add_argument("--dlpath", action='store_true', help="dump dynamic linker path", default=False)
parser.add_argument("--phdynent", action='store_true', help="dump ph PT_DYNAMIC entries", default=False)
parser.add_argument("--section", type=str, help="dump a section")
+ parser.add_argument("--dumpfunc", type=str, help="dump a functions machine code")
+ parser.add_argument("--dumpfuncasm", type=str, help="dump a functions assembly code")
self.args = parser.parse_args()
if self.args.obj is None:
raise Exception("no object file provided. please specify an object with --obj.")
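Review bot: The help strings for `--dumpfunc` and `--dumpfuncasm` read "dump a functions machine code" / "dump a functions assembly code"; apart from the missing apostrophe they do not say what the argument is. In premain the value is matched against the STT_FUNC symbol names (the same list `--funcs` prints), so the help should say so, e.g. `help="dump the machine code of the named function (a symbol name as listed by --funcs)"` and `help="disassemble the named function (a symbol name as listed by --funcs)"`, with `metavar="NAME"`. A note that `--dumpfuncasm` currently assumes x86-64 would also belong here.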
@@ -741,6 +744,7 @@ class ELF(object):
return ''.join(name)
def get_ph_dyn_entries(self):
+ size = 0
for phdr in self.phdr:
if byte2int(phdr.p_type) == p_type_e.PT_DYNAMIC:
self.so.seek(byte2int(phdr.p_offset), 0)
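Review bot: The added `size = 0` looks like a default for the case where no PT_DYNAMIC program header is found, but the rest of get_ph_dyn_entries lies outside this hunk, so that is inferred; if it is the intent, a comment would make it explicit, e.g. `size = 0  # stays 0 when the object has no PT_DYNAMIC segment`. Separately, `phdr.p_offset` comes straight from the object being loaded and the seek is not checked against the file size, so a truncated or deliberately malformed ELF yields a short read rather than a clear error; since this tool's whole purpose is loading arbitrary binaries, that check is worth adding where the read happens.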
@@ -791,9 +795,11 @@ class ELF(object):
return ret_list
def dump_section(self, section_name, dump):
+ hit = False
for section in self.shhdr:
name = self.read_section_name(byte2int(section.sh_name))
if name == section_name:
+ hit = True
self.so.seek(byte2int(section.sh_offset))
obj = self.so.read(byte2int(section.sh_size))
if section_name == ".interp": self.dlpath = repr(obj)
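Review bot: The new `hit` flag only records that a matching section name was seen; it does not guard the read that follows, and `self.so.read(byte2int(section.sh_size))` still allocates whatever size the section header claims after seeking to an unchecked `sh_offset`. For a tool that loads untrusted binaries this means a crafted header can make dump_section read far past the real data (short read, garbage dump) or request a huge buffer. A one-line bound before the read, `if byte2int(section.sh_offset) + byte2int(section.sh_size) > file_size: raise Exception("section extends past end of file")`, where file_size is taken once from `os.fstat(self.so.fileno()).st_size` (assuming `os` is imported in this file, which is not visible here), would turn that into a clear error. The rest of dump_section continues outside this hunk.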
@@ -826,6 +832,7 @@ class ELF(object):
ret_dummy.append(obj[i])
#print(ret_dummy)
return ret_dummy
+ if not hit: print(Colors.red + Colors.BOLD + "section is not present" + Colors.ENDC)
def dump_obj_size(self, stt_type, dump_b):
ret_list = []
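Review bot: The new `if not hit:` branch prints "section is not present" and then falls off the end of dump_section, so the caller gets `None` while the matching path returns a list (`ret_dummy`); any caller that iterates or indexes the result will fail with a TypeError far from the cause, and the diagnostic itself goes to stdout mixed with the coloured dump output. I would make the miss explicit and send it to stderr: `print(Colors.red + Colors.BOLD + "section is not present" + Colors.ENDC, file=sys.stderr)` followed by `return []` (or raise, if callers are expected to handle it). `sys` is already used elsewhere in this file.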
@@ -862,29 +869,34 @@ class ELF(object):
print(line)
def dump_header(self):
- print("------------------------------------------------------------------------------")
- print(Colors.green + "elf header:" + Colors.ENDC)
- print(Colors.blue + "ei_mag: " + Colors.cyan + repr(self.elfhdr.ei_mag) + Colors.ENDC)
- print(Colors.blue + "ei_class: " + Colors.cyan + repr(byte2int(self.elfhdr.ei_class)) + Colors.ENDC)
- print(Colors.blue + "ei_data: " + Colors.cyan + repr(byte2int(self.elfhdr.ei_data)) + Colors.ENDC)
- print(Colors.blue + "ei_version: " + Colors.cyan + repr(byte2int(self.elfhdr.ei_version)) + Colors.ENDC)
- print(Colors.blue + "ei_osabi: " + Colors.cyan + repr(byte2int(self.elfhdr.ei_osabi)) + Colors.ENDC)
- print(Colors.blue + "ei_abiversion: " + Colors.cyan + repr(byte2int(self.elfhdr.ei_abiversion)) + Colors.ENDC)
- print(Colors.blue + "ei_pad: " + Colors.cyan + repr(byte2int(self.elfhdr.ei_pad)) + Colors.ENDC)
- print(Colors.blue + "e_type: " + Colors.cyan + repr(byte2int(self.elfhdr.e_type)) + Colors.ENDC)
- print(Colors.blue + "e_machine: " + Colors.cyan + repr(byte2int(self.elfhdr.e_machine)) + Colors.ENDC)
- print(Colors.blue + "e_version: " + Colors.cyan + repr(byte2int(self.elfhdr.e_version)) + Colors.ENDC)
- print(Colors.blue + "e_entry: " + Colors.cyan + repr(byte2int(self.elfhdr.e_entry)) + Colors.ENDC)
- print(Colors.blue + "e_phoff: " + Colors.cyan + repr(byte2int(self.elfhdr.e_phoff)) + Colors.ENDC)
- print(Colors.blue + "e_shoff: " + Colors.cyan + repr(byte2int(self.elfhdr.e_shoff)) + Colors.ENDC)
- print(Colors.blue + "e_flags: " + Colors.cyan + repr(byte2int(self.elfhdr.e_flags)) + Colors.ENDC)
- print(Colors.blue + "e_ehsize: " + Colors.cyan + repr(byte2int(self.elfhdr.e_ehsize)) + Colors.ENDC)
- print(Colors.blue + "e_phentsize: " + Colors.cyan + repr(byte2int(self.elfhdr.e_phentsize)) + Colors.ENDC)
- print(Colors.blue + "e_phnum: " + Colors.cyan + repr(byte2int(self.elfhdr.e_phnum)) + Colors.ENDC)
- print(Colors.blue + "e_shentsize: " + Colors.cyan + repr(byte2int(self.elfhdr.e_shentsize)) + Colors.ENDC)
- print(Colors.blue + "e_shnum: " + Colors.cyan + repr(byte2int(self.elfhdr.e_shnum)) + Colors.ENDC)
- print(Colors.blue + "e_shstrndx: " + Colors.cyan + repr(byte2int(self.elfhdr.e_shstrndx)) + Colors.ENDC)
- print("------------------------------------------------------------------------------")
+ header = ["ei_mag", "ei_class", "ei_data", "ei_version", "ei_osabi", "ei_abiversion", "ei_pad",
+ "e_type", "e_machine", "e_version", "e_version", "e_entry", "e_phoff", "e_shoff", "e_flags",
+ "e_entsize", "e_phentsize", "e_phnum", "e_shentsize", "e_shnum", "e_shstrndx"]
+ mag_list = [self.elfhdr.ei_mag]
+ class_list = [byte2int(self.elfhdr.ei_class)]
+ data_list = [byte2int(self.elfhdr.ei_data)]
+ version_list = [byte2int(self.elfhdr.ei_version)]
+ osabi_list = [byte2int(self.elfhdr.ei_osabi)]
+ abiversion_list = [byte2int(self.elfhdr.ei_abiversion)]
+ pad_list = [byte2int(self.elfhdr.ei_pad)]
+ type_list = [byte2int(self.elfhdr.e_type)]
+ machine_list = [byte2int(self.elfhdr.e_machine)]
+ version_list = [byte2int(self.elfhdr.e_version)]
+ entry_list = [byte2int(self.elfhdr.e_entry)]
+ phoff_list = [byte2int(self.elfhdr.e_phoff)]
+ shoff_list = [byte2int(self.elfhdr.e_shoff)]
+ flags_list = [byte2int(self.elfhdr.e_flags)]
+ ehsize_list = [byte2int(self.elfhdr.e_ehsize)]
+ phentsize_list = [byte2int(self.elfhdr.e_phentsize)]
+ phnum_list = [byte2int(self.elfhdr.e_phnum)]
+ shentsize_list = [byte2int(self.elfhdr.e_shentsize)]
+ shnum_list = [byte2int(self.elfhdr.e_shnum)]
+ shstrndx_list = [byte2int(self.elfhdr.e_shstrndx)]
+ lines = ffs(2, header, True, mag_list, class_list, data_list, version_list, osabi_list, abiversion_list,
+ pad_list, type_list, machine_list, version_list, entry_list, phoff_list, shoff_list,
+ flags_list, ehsize_list, phentsize_list, phnum_list, shentsize_list, phnum_list, shentsize_list, shnum_list, shstrndx_list)
+ for line in lines:
+ print(line)
def dump_phdrs(self):
header = ["p_type", "p_flags", "p_offset", "p_vaddr", "p_paddr", "p_filesz", "p_memsz", "p_flags2", "p_align"]
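Review bot: The rewritten dump_header prints most of the ELF header under the wrong labels. The `header` list has 21 entries with "e_version" listed twice and "e_ehsize" misspelled as "e_entsize", while 22 value lists are passed to ffs (`phnum_list` and `shentsize_list` appear twice), and `version_list` is rebound to `e_version` before the call, so the `ei_version` column shows `e_version`; from the e_version column onward every value is shifted one label to the right. Since this output is what an analyst relies on to identify e_entry, e_phoff and friends, the labels and values should come from a single list so they cannot drift apart, as below.

```python
def dump_header(self):
    fields = ["ei_mag", "ei_class", "ei_data", "ei_version", "ei_osabi", "ei_abiversion", "ei_pad",
              "e_type", "e_machine", "e_version", "e_entry", "e_phoff", "e_shoff", "e_flags",
              "e_ehsize", "e_phentsize", "e_phnum", "e_shentsize", "e_shnum", "e_shstrndx"]
    # ei_mag is printed raw as before; every other field goes through byte2int
    columns = [[self.elfhdr.ei_mag]] + [[byte2int(getattr(self.elfhdr, f))] for f in fields[1:]]
    for line in ffs(2, fields, True, *columns):
        print(line)
```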
@@ -1066,6 +1078,20 @@ def elf_get_func_code():
elf.init(64)
return elf.dump_funcs(False)
+def elf_get_func_code_byname():
+ so = openSO_r(sys.argv[1])
+ arg = openSO_r(sys.argv[2])
+ elf = ELF(so)
+ elf.init(64)
+ counter = 0
+ hit = False
+ for name in elf.dump_symbol_string(ELF_ST_TYPE.STT_FUNC, False):
+ if name == arg:
+ code = elf.dump_funcs(False)[counter]
+ hit = True
+ counter += 1
+ return code
+
class Call_Rewriter(object):
#def __init__(self, obj_code, arch, mode):
def __init__(self, obj_code):
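Review bot: elf_get_func_code_byname() can never match and raises on the way out: `arg = openSO_r(sys.argv[2])` opens the second argument as a file, so `name == arg` compares a string with a file object, and when nothing matches `code` is unbound at `return code` (the `hit` flag is set but never consulted). The function name should be taken as a string, and the miss should be a defined result rather than an UnboundLocalError; `dump_funcs(False)` should also be computed once instead of on every matching symbol. Note this relies on dump_symbol_string and dump_funcs enumerating the same symbols in the same order, which is what the existing code assumes but is not visible here.

```python
def elf_get_func_code_byname():
    so = openSO_r(sys.argv[1])
    func_name = sys.argv[2]          # a symbol name, not a path
    elf = ELF(so)
    elf.init(64)
    codes = elf.dump_funcs(False)    # compute once, not per matching symbol
    for index, name in enumerate(elf.dump_symbol_string(ELF_ST_TYPE.STT_FUNC, False)):
        if name == func_name:
            return codes[index]
    return None                      # caller must handle "no such function"
```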
@@ -1102,57 +1128,67 @@ class Rewriter(object):
name = self.elf.read_section_name(byte2int(self.elf.shhdr[i].sh_name))
if section_name == name:
self.magic_section_number = i + 1
+ print(self.magic_section_number)
def fix_section_size(self, section_name):
pass
+def premain(argparser):
+ so = openSO_r(argparser.args.obj)
+ elf = ELF(so)
+ elf.init(64)
+ if argparser.args.header: elf.dump_header()
+ elif argparser.args.symboltable:
+ elf.dump_symbol_tb(".strtab", sh_type_e.SHT_STRTAB)
+ elf.dump_symbol_tb(".dynstr", sh_type_e.SHT_STRTAB)
+ elif argparser.args.phdrs: elf.dump_phdrs()
+ elif argparser.args.shdrs: elf.dump_shdrs()
+ elif argparser.args.symbolindex: elf.dump_symbol_idx()
+ elif argparser.args.stentries: elf.dump_st_entries()
+ elif argparser.args.objcode: elf.dump_funcs(True)
+ elif argparser.args.funcs: elf.dump_symbol_string(ELF_ST_TYPE.STT_FUNC, True)
+ elif argparser.args.objs: elf.dump_symbol_string(ELF_ST_TYPE.STT_OBJECT, True)
+ elif argparser.args.dynsym: elf.dump_st_entries_dyn()
+ elif argparser.args.dlpath: elf.dump_section(".interp", True)
+ elif argparser.args.section: elf.dump_section(argparser.args.section, True)
+ elif argparser.args.test2:
+ rewriter = Rewriter(argparser.args.obj)
+ rewriter.fix_section_offsets(".text")
+ elif argparser.args.dumpfunc:
+ counter = 0
+ for name in elf.dump_symbol_string(ELF_ST_TYPE.STT_FUNC, False):
+ if name == argparser.args.dumpfunc:
+ print(Colors.red + Colors.BOLD + name + Colors.ENDC)
+ code = elf.dump_funcs(False)[counter]
+ print(code)
+ counter += 1
+ elif argparser.args.dumpfuncasm:
+ counter = 0
+ hit = False
+ for name in elf.dump_symbol_string(ELF_ST_TYPE.STT_FUNC, False):
+ if name == argparser.args.dumpfuncasm:
+ code = elf.dump_funcs(False)[counter]
+ hit = True
+ counter += 1
+ if hit:
+ md = Cs(CS_ARCH_X86, CS_MODE_64)
+ for i in md.disasm(bytes(code), 0x0):
+ print(hex(i.address).ljust(7), i.mnemonic.ljust(7), i.op_str)
+ elif argparser.args.phdynent: elf.dump_ph_dyn_entries()
+
def main():
- try:
- argparser = CLIArgParser()
- so = openSO_r(argparser.args.obj)
- elf = ELF(so)
- elf.init(64)
- if argparser.args.header: elf.dump_header()
- elif argparser.args.symboltable:
- elf.dump_symbol_tb(".strtab", sh_type_e.SHT_STRTAB)
- elf.dump_symbol_tb(".dynstr", sh_type_e.SHT_STRTAB)
- elif argparser.args.phdrs: elf.dump_phdrs()
- elif argparser.args.shdrs: elf.dump_shdrs()
- elif argparser.args.symbolindex: elf.dump_symbol_idx()
- elif argparser.args.stentries: elf.dump_st_entries()
- elif argparser.args.objcode: elf.dump_funcs(True)
- elif argparser.args.funcs: elf.dump_symbol_string(ELF_ST_TYPE.STT_FUNC, True)
- elif argparser.args.objs: elf.dump_symbol_string(ELF_ST_TYPE.STT_OBJECT, True)
- elif argparser.args.dynsym: elf.dump_st_entries_dyn()
- elif argparser.args.dlpath: elf.dump_section(".interp", True)
- elif argparser.args.section: elf.dump_section(argparser.args.section, True)
- elif argparser.args.test2:
- rewriter = Rewriter(argparser.args.obj)
- rewriter.fix_section_offsets(".text")
- elif argparser.args.test:
- counter = 0
- print(elf.dump_funcs(False)[10])
- print(elf.dump_symbol_string(ELF_ST_TYPE.STT_FUNC, False)[10])
- for name in elf.dump_symbol_string(ELF_ST_TYPE.STT_FUNC, False):
- if name == "glob":
- print(counter)
- print(elf.dump_funcs(False)[counter])
- print(name)
- if name == "quad":
- print(counter)
- print(elf.dump_funcs(False)[counter])
- print(name)
- counter += 1
- obj = elf.dump_funcs(False)[10]
- rewriter = Call_Rewriter(obj)
- rewriter.run()
- elif argparser.args.phdynent: elf.dump_ph_dyn_entries()
- except:
- signal.signal(signal.SIGINT, SigHandler_SIGINT)
- variables = globals().copy()
- variables.update(locals())
- shell = code.InteractiveConsole(variables)
- shell.interact(banner="PyElfDump REPL")
+ argparser = CLIArgParser()
+ if argparser.args.dbg:
+ try:
+ premain(argparser)
+ except:
+ signal.signal(signal.SIGINT, SigHandler_SIGINT)
+ variables = globals().copy()
+ variables.update(locals())
+ shell = code.InteractiveConsole(variables)
+ shell.interact(banner="DELF REPL")
+ else:
+ premain(argparser)
if __name__ == "__main__":
main()
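Review bot: The `--dumpfuncasm` branch hard-codes `Cs(CS_ARCH_X86, CS_MODE_64)` (and premain calls `elf.init(64)` unconditionally) without looking at the header the tool has just parsed, so a 32-bit or non-x86 object is silently disassembled as x86-64 and the output looks plausible but is wrong. Before constructing the disassembler, compare `byte2int(elf.elfhdr.e_machine)` with the x86-64 machine value (EM_X86_64, 62) and `ei_class` with ELFCLASS64, and print an error otherwise. Both new branches are also silent when the name is not found, unlike dump_section's "section is not present"; an `else: print(Colors.red + Colors.BOLD + "function is not present" + Colors.ENDC, file=sys.stderr)` after the `if hit:` would match. Finally, `elf.dump_funcs(False)` is recomputed on every matching symbol inside both loops; compute it once before the loop. The bare `except:` in main() now only applies under `--dbg`, which is an improvement, but it still catches KeyboardInterrupt and SystemExit; `except Exception:` is the narrower choice.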
diff --git a/bruiser/bruiser.cpp b/bruiser/bruiser.cpp
index ea2add1..82cd632 100644
--- a/bruiser/bruiser.cpp
+++ b/bruiser/bruiser.cpp
@@ -325,8 +325,7 @@ class PyExec {
Py_DECREF(pFunc);
Py_DECREF(pModule);
PyErr_Print();
- std::cout << RED << "call failed." << NORMAL << "\n";
- fprintf(stderr, "Call failed\n");
+ std::cout << RED << "Call failed." << NORMAL << "\n";
return EXIT_FAILURE;
}
}
@@ -476,6 +475,8 @@ class PyExec {
std::vector<std::string> exportStrings(void) {return hexobj_str;}
std::vector<std::uint8_t> exportTextSection(void) {return text_section;}
+ void getVarargs(std::vector<void*> _varargs) {varargs = _varargs;}
+
private:
std::string py_script_name;
std::string py_func_name;
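Review bot: `getVarargs` is a setter despite its name, and it takes the vector by value and then copy-assigns it, so the argument is copied twice. A name that says what it does and a const reference would read better: `void setVarargs(const std::vector<void*>& args) {varargs = args;}`. Also worth a comment on the member: a `std::vector<void*>` carries neither type nor ownership, so whoever stores pointers here must keep the pointees alive for as long as the PyExec instance uses them; nothing in this hunk shows who that is. The enclosing class PyExec starts outside the hunk.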
@@ -491,6 +492,7 @@ class PyExec {
std::vector<std::string> hexobj_str;
std::vector<std::vector<uint8_t>> hexobj;
std::vector<uint8_t> text_section;
+ std::vector<void*> varargs;
};
/**********************************************************************************************************************/
class XObjReliquary {};
@@ -1339,6 +1341,7 @@ class LuaWrapper
action = lua_tostring(__ls, 3);
if (action == "") PRINT_WITH_COLOR_LB(RED, "third argument is nil");
lua_pop(__ls, 3);
+ std::cout << NORMAL;
}
else {
std::cout << RED << "wrong number of arguments provided. should give the python script name, python func name and its args.\n" << NORMAL;
@@ -1349,7 +1352,7 @@ class LuaWrapper
PyExec py(filename.c_str(), funcname.c_str(), objjpath.c_str());
if (Verbose) std::cout << BLUE << "running load.py: " << NORMAL << "\n";
- py.run();
+ if (py.run() == EXIT_FAILURE) return 0;
if (action == "code_list") {
py.getAsCppByte();
//py.printHexObjs();
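Review bot: `if (py.run() == EXIT_FAILURE) return 0;` returns to Lua with nothing pushed, so the calling script cannot tell a failed Python run from a successful one that produced no data and will carry on with nil values. Since the failure has already been printed on the C++ side, raising it to Lua is the consistent choice: `if (py.run() == EXIT_FAILURE) return luaL_error(__ls, "load.py: running %s failed", funcname.c_str());` — assuming `__ls` is the lua_State in scope here as in the earlier hunk, and that lauxlib is available, neither of which is visible in this hunk. The enclosing function starts outside the hunk.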
diff --git a/bruiser/bruisercapstone.c b/bruiser/bruisercapstone.c
index f8dff64..8edc7ad 100644
--- a/bruiser/bruisercapstone.c
+++ b/bruiser/bruisercapstone.c
@@ -344,9 +344,7 @@ int dumpjmptable(JMP_S_T* current) {
}
}
/**********************************************************************************************************************/
-void jmprewriter_j(JMP_S_T* jmp, uint8_t* code, JMP_T type, uint8_t* rewritten) {
-
-}
+void jmprewriter_j(JMP_S_T* jmp, uint8_t* code, JMP_T type, uint8_t* rewritten) {}
void jmprewriter_jne(JMP_S_T* jmp, uint8_t* code, JMP_T type, uint8_t* rewritten) {};
void jmprewriter_je(JMP_S_T* jmp, uint8_t* code, JMP_T type, uint8_t* rewritten) {}
/**********************************************************************************************************************/
diff --git a/bruiser/hs/.depend b/bruiser/hs/.depend
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/bruiser/hs/.depend
diff --git a/bruiser/hs/Safe.hs b/bruiser/hs/Safe.hs
new file mode 100644
index 0000000..8994e9e
--- /dev/null
+++ b/bruiser/hs/Safe.hs
@@ -0,0 +1,9 @@
+{-#Language ForeignFunctionInterface#-}
+module Safe where
+import Foreign.C.Types
+fibonacci :: Int -> Int
+fibonacci n = fibs !! n
+ where fibs = 0 : 1: zipWith (+) fibs (tail fibs)
+fibonacci_hs ::CInt -> CInt
+fibonacci_hs = fromIntegral.fibonacci.fromIntegral
+foreign export ccall fibonacci_hs::CInt->CInt
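Review bot: `fibonacci_hs` is exported to C with a CInt argument but performs no range check: a negative n makes `fibs !! n` throw, and an uncaught Haskell exception escaping a `foreign export` called from C aborts the process, while n >= 47 overflows silently because `fromIntegral` to CInt wraps (fib 47 = 2971215073 exceeds 2^31-1). A guard keeps the C side safe: `fibonacci_hs n | n < 0 || n > 46 = -1` and `| otherwise = fromIntegral (fibonacci (fromIntegral n))`, with a comment on the export stating the valid range and the -1 error value.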
diff --git a/bruiser/hs/Safe_stub.h b/bruiser/hs/Safe_stub.h
new file mode 100644
index 0000000..3d939a1
--- /dev/null
+++ b/bruiser/hs/Safe_stub.h
@@ -0,0 +1,9 @@
+#include "HsFFI.h"
+#ifdef __cplusplus
+extern "C" {
+#endif
+extern HsInt32 fibonacci_hs(HsInt32 a1);
+#ifdef __cplusplus
+}
+#endif
+
diff --git a/bruiser/hs/bruiserhs.c b/bruiser/hs/bruiserhs.c
new file mode 100644
index 0000000..1ab34d8
--- /dev/null
+++ b/bruiser/hs/bruiserhs.c
@@ -0,0 +1,45 @@
+
+/***************************************************Project Mutator****************************************************/
+/*first line intentionally left blank.*/
+/*bruiser's lua asmrewriter implementation for jump tables*/
+/*Copyright (C) 2018 Farzad Sadeghi
+
+This program is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License
+as published by the Free Software Foundation; either version 2
+of the License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.*/
+/**********************************************************************************************************************/
+#include <HsFFI.h>
+#ifdef __GLASCOW_HASKELL__
+#include "Safe_stub.h"
+extern void __stginit_Safe(void);
+#endif
+#include "bruiserhs.h"
+#include <stdio.h>
+
+#pragma weak main
+int main(int argc, char** argv) {
+ int i;
+ hs_init(&argc, &argv);
+#ifdef __GLASCOW_HASKELL__
+ hs_add_root(__stginit_Safe);
+#endif
+
+ i = fibonacci_hs(42);
+ printf("Fibonnaci:%d\n", i);
+
+ hs_exit();
+ return 0;
+}
+/**********************************************************************************************************************/
+/*last line intentionally left blank*/
+
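Review bot: Both preprocessor guards test `__GLASCOW_HASKELL__`, but the macro GHC defines is `__GLASGOW_HASKELL__`; as written `Safe_stub.h` is never included, so `fibonacci_hs(42)` is called with no prototype (an error under recent clang/C99-strict builds, an implicit-int warning otherwise), and the `hs_add_root` call is skipped. Fix both lines to `#ifdef __GLASGOW_HASKELL__`. Be aware that `hs_add_root`/`__stginit_*` were deprecated and, I believe, removed in later GHC releases, so the guarded block may need to go entirely depending on the GHC version in use. The `#pragma weak main` on the program's only entry point is unusual and deserves a comment explaining why it is there, if it is intentional. The file header comment ("lua asmrewriter implementation for jump tables") was copied from another file and does not describe this one.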
diff --git a/bruiser/hs/bruiserhs.h b/bruiser/hs/bruiserhs.h
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/bruiser/hs/bruiserhs.h
diff --git a/bruiser/hs/makefile b/bruiser/hs/makefile
new file mode 100644
index 0000000..8787dd4
--- /dev/null
+++ b/bruiser/hs/makefile
@@ -0,0 +1,37 @@
+TARGET=bruiserhs
+CC=clang
+CC?=clang
+CC_FLAGS=
+CC_EXTRA?=
+CC_FLAGS+=$(CC_EXTRA)
+
+SRCS=$(wildcard *.c)
+
+.DEFAULT:all clean
+
+.PHONY:all clean help
+
+all:$(TARGET)
+
+depend:.depend
+
+.depend:$(SRCS)
+ rm -rf .depend
+ $(CC) -MM $(CC_FLAGS) $^ > ./.depend
+
+-include ./.depend
+
+.c.o:
+ $(CC) $(CC_FLAGS) -c $< -o $@
+
+$(TARGET): $(TARGET).o
+ $(CC) $^ $(LD_FLAGS) -o $@
+
+clean:
+ rm -f *.o *~ $(TARGET)
+ rm .depend
+
+help:
+ @echo "all is the default target"
+ @echo "there is delete."
+ @echo "there is clean."
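Review bot: `CC=clang` on the second line makes the following `CC?=clang` dead, so the compiler can no longer be overridden from the environment; keep only `CC?=clang`. `clean` runs `rm .depend` without `-f`, so it fails when the file is absent; use `rm -f .depend`. The `help` target advertises a `delete` target that does not exist. Note also that `$(TARGET)` is built with plain clang and no Haskell include or link flags, whereas run.sh builds the same program through `ghc --make`; presumably only one of these is meant to work, and `.depend` is a generated file that need not be committed.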
diff --git a/bruiser/hs/run.sh b/bruiser/hs/run.sh
new file mode 100755
index 0000000..413b088
--- /dev/null
+++ b/bruiser/hs/run.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+ghc -c -O Safe.hs
+ghc --make -no-hs-main -optc-O bruiserhs.c Safe -o bruiserhs
+
+"./bruiserhs"
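Review bot: The script has no error handling, so if either ghc invocation fails it still runs whatever `./bruiserhs` is left over from an earlier build, and it only works when invoked from its own directory. Add `set -euo pipefail` after the shebang and `cd "$(dirname "$0")"` before the build so a failed compile stops the script and the relative paths resolve.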
diff --git a/bruiser/lua-scripts/demo2.lua b/bruiser/lua-scripts/demo2.lua
index db840fc..bd2eb91 100644
--- a/bruiser/lua-scripts/demo2.lua
+++ b/bruiser/lua-scripts/demo2.lua
@@ -118,9 +118,9 @@ function get_jmp_table()
end
--main()
---pretty_dump()
+pretty_dump()
--test()
--jmp_t_test()
--integ_test()
--asm_rewriter_pretty()
-dump_jmp_table()
+--dump_jmp_table()