author | bloodstalker <thabogre@gmail.com> | 2017-12-30 15:58:10 +0000 |
---|---|---|
committer | bloodstalker <thabogre@gmail.com> | 2017-12-30 15:58:10 +0000 |
commit | ee61d170432d83713b0841ad0318096bc85f09cb (patch) | |
tree | e6d57e7c67179430f68080813ad0e47bc45e17a8 | |
parent | fix (diff) | |
download | mutator-ee61d170432d83713b0841ad0318096bc85f09cb.tar.gz mutator-ee61d170432d83713b0841ad0318096bc85f09cb.zip |
bruiser now gets the function code and names from bfd. Besides that, minor changes here and there.
-rwxr-xr-x | bfd/load.py | 47 | ||||
-rw-r--r-- | bruiser/bruiser.cpp | 29 | ||||
-rw-r--r-- | bruiser/executioner.h | 40 | ||||
-rw-r--r-- | bruiser/lua-scripts/demo1.lua | 2 | ||||
-rwxr-xr-x | bruiser/run.sh | 3 | ||||
-rwxr-xr-x | obfuscator/run.sh | 6 |
6 files changed, 111 insertions, 16 deletions
diff --git a/bfd/load.py b/bfd/load.py
index 9587115..ccaec6a 100755
--- a/bfd/load.py
+++ b/bfd/load.py
@@ -22,6 +22,7 @@ class CLIArgParser(object):
 parser.add_argument("--symbolindex", action='store_true', help="dump symbol index", default=False)
 parser.add_argument("--stentries", action='store_true', help="dump section table entries", default=False)
 parser.add_argument("--objcode", action='store_true', help="dump objects", default=False)
+ parser.add_argument("--test", action='store_true', help="test switch", default=False)
 self.args = parser.parse_args()
 if self.args.obj is None:
 raise Exception("no object file provided. please specify an object with --obj.")
@@ -416,7 +417,7 @@ class ELF(object):
 char = strings[index]
 return ''.join(name)
- def dump_objs(self, dump_b):
+ def dump_funcs(self, dump_b):
 ret_list = []
 dummy = []
 ret_list_int = []
@@ -437,6 +438,18 @@ class ELF(object):
 return ret_list_int
+ def dump_symbol_string(self, stt_type, dump_b):
+ ret_list = []
+ for entry in self.string_tb_e:
+ if entry.st_type == stt_type:
+ ret_list.append("".join(self.get_st_entry_symbol_string(byte2int(entry.st_name))))
+ if dump_b:
+ for name in ret_list:
+ print(name)
+
+ return ret_list
+
+
 def dump_symbol_idx(self):
 print(Colors.green + "symbol:" + Colors.ENDC)
 for iter in self.string_tb_e:
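Review bot: dump_symbol_string resolves every matching entry through get_st_entry_symbol_string, which (as added further down in this commit) walks all section headers and seeks in the file on each call, so a table with many STT_FUNC symbols repeats the .strtab lookup once per symbol; resolving the .strtab offset once before the loop would make that a single walk. The method has no docstring; I would add `"""Return the names of the symbol-table entries whose st_type equals stt_type, printing them first when dump_b is true."""`. Whether entry.st_type and ELF_ST_TYPE.STT_FUNC compare equal as the same type (raw int vs enum member) is not visible here and is worth confirming, since a mismatch makes the result silently empty rather than failing.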
@@ -543,9 +556,11 @@ class ELF(object):
 print(chr(byte), end='')
 if chr(byte) == '\0': print()
+
 def dump_st_entries(self):
 for entry in self.string_tb_e:
- print(Colors.green + "name: " + Colors.ENDC + repr(byte2int(entry.st_name)), end="")
+ print(Colors.green + "name index: " + Colors.ENDC + repr(byte2int(entry.st_name)), end="")
+ print(Colors.green + " name: " + Colors.ENDC + repr("".join(self.get_st_entry_symbol_string(byte2int(entry.st_name)))), end="")
 print(Colors.green + " value: " + Colors.ENDC + repr(byte2int(entry.st_value)), end="")
 print(Colors.green + " size: " + Colors.ENDC + repr(byte2int(entry.st_size)), end="")
 print(Colors.green + " info: " + Colors.ENDC + repr(byte2int(entry.st_info)), end="")
@@ -554,6 +569,18 @@ class ELF(object):
 print(Colors.green + " bind: " + Colors.ENDC + get_elf_st_bind_string(entry.st_bind), end="")
 print(Colors.green + " type: " + Colors.ENDC + get_elf_st_type_string(entry.st_type))
+ def get_st_entry_symbol_string(self, index):
+ symbol = []
+ for i in range(0, byte2int(self.elfhdr.e_shnum)):
+ name = self.read_section_name(byte2int(self.shhdr[i].sh_name))
+ if byte2int(self.shhdr[i].sh_type) == sh_type_e.SHT_STRTAB and name == ".strtab":
+ self.so.seek(byte2int(self.shhdr[i].sh_offset) + index, 0)
+ byte = self.so.read(1)
+ while chr(byte[0]) != "\0":
+ if chr(byte[0]) != "\0": symbol.append(chr(byte[0]))
+ byte = self.so.read(1)
+ return symbol
+
 def get_symbol_string_table(self, offset):
 symbol = []
 for i in range(0, int.from_bytes(self.elfhdr.e_shnum, byteorder="little", signed=False)):
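Review bot: get_st_entry_symbol_string reads from sh_offset + index with no upper bound, so an st_name that lies past the end of .strtab (the symbol table comes from the object under test, so it is untrusted input) keeps consuming whatever bytes follow the table until a NUL, and if it reaches end of file `self.so.read(1)` returns b'' and `byte[0]` raises IndexError. Bounding the read by the section size and splitting on the first NUL fixes both, removes the redundant inner `if chr(byte[0]) != "\0"` (the while condition already guarantees it), and a `break` after the match stops the loop from scanning the remaining section headers for nothing. The section size is assumed to be exposed as sh_size like the other sh_* fields on shhdr — confirm against the parser.
```python
    def get_st_entry_symbol_string(self, index):
        symbol = []
        for i in range(0, byte2int(self.elfhdr.e_shnum)):
            name = self.read_section_name(byte2int(self.shhdr[i].sh_name))
            if byte2int(self.shhdr[i].sh_type) == sh_type_e.SHT_STRTAB and name == ".strtab":
                # NOTE(review): assumes the parser exposes the section size as sh_size — confirm
                size = byte2int(self.shhdr[i].sh_size)
                if index >= size:
                    break  # st_name points outside .strtab: untrusted input, return an empty name
                self.so.seek(byte2int(self.shhdr[i].sh_offset) + index, 0)
                # never read past the end of the table; stop at the first NUL
                data = self.so.read(size - index)
                symbol = [chr(b) for b in data.split(b"\0", 1)[0]]
                break
        return symbol
```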
@@ -608,11 +635,22 @@ def ch_exe_to_so(path):
 print(Colors.purple + "changed exe to so" + Colors.ENDC)
 so.close
+def elf_init():
+ so = openSO_r(sys.argv[1])
+ elf = ELF(so)
+ elf.init(64)
+
+def elf_get_func_names():
+ so = openSO_r(sys.argv[1])
+ elf = ELF(so)
+ elf.init(64)
+ return elf.dump_symbol_string(ELF_ST_TYPE.STT_FUNC, False)
+
 def main2():
 so = openSO_r(sys.argv[1])
 elf = ELF(so)
 elf.init(64)
- return elf.dump_objs(False)
+ return elf.dump_funcs(False)
 def main():
 variables = globals().copy()
@@ -629,7 +667,8 @@ def main():
 elif argparser.args.shdrs: elf.dump_shdrs()
 elif argparser.args.symbolindex: elf.dump_symbol_idx()
 elif argparser.args.stentries: elf.dump_st_entries()
- elif argparser.args.objcode: elf.dump_objs(True)
+ elif argparser.args.objcode: elf.dump_funcs(True)
+ elif argparser.args.test: elf.dump_symbol_string(ELF_ST_TYPE.STT_FUNC, True)
 except:
 shell.interact(banner="PyElfDump REPL")
diff --git a/bruiser/bruiser.cpp b/bruiser/bruiser.cpp
index dff1bb1..324841d 100644
--- a/bruiser/bruiser.cpp
+++ b/bruiser/bruiser.cpp
@@ -221,7 +221,7 @@ class PyExec {
 //Py_DECREF(pArgs);
 if (pValue != nullptr) {
 std::cout << GREEN << "call finished successfully." << NORMAL << "\n";
- printf("Result of call: %ld\n", PyLong_AsLong(pValue));
+ //printf("Result of call: %ld\n", PyLong_AsLong(pValue));
 //Py_DECREF(pValue);
 } else {
 Py_DECREF(pFunc);
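Review bot: elf_init opens the object, builds an ELF and then discards both, so as written its only effect is a leaked file handle; either make it return the instance and have elf_get_func_names and main2 call it instead of repeating the same three lines, or drop it. None of these helpers closes the file returned by openSO_r, and since they appear to be invoked from the embedding C++ side once per objload call, every invocation leaks a descriptor — pair `so = openSO_r(sys.argv[1])` with `so.close()` after the dump (the context line above, `so.close` without parentheses, does not close anything either). The helpers also take the path from sys.argv[1] rather than a parameter, which only works while the embedder sets argv the way the caller expects; a one-line comment stating that contract would help the next reader.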
@@ -249,13 +249,13 @@ class PyExec {
 }
 int getAsCppStringVec(void) {
+ PRINT_WITH_COLOR_LB(BLUE, "processing return result...");
 if (PyList_Check(pValue)) {
 std::cout << GREEN << "got a python list\n" << NORMAL;
 int list_length = PyList_Size(pValue);
 std::cout << BLUE << "length of list: " << list_length << "\n" << NORMAL;
 for (int i = 0; i < list_length; ++i) {
 PyObject* pybytes = PyList_GetItem(pValue, i);
- std::cout << CYAN << "bytes size: " << PyBytes_Size(pybytes) << "\n" << NORMAL;
 PyObject* pyrepr = PyObject_Repr(pybytes);
 PyObject* pyunicode = PyUnicode_AsEncodedString(pyrepr, "utf-8", "surrogateescape");
 const char* dummy = PyBytes_AsString(pyunicode);
@@ -267,9 +267,11 @@ class PyExec {
 }
 int getAsCppByte(void) {
+ PRINT_WITH_COLOR_LB(BLUE, "processing return result...");
 std::vector<uint8_t> tempvec;
 if(PyList_Check(pValue)) {
 int list_length = PyList_Size(pValue);
+ std::cout << BLUE << "length of list: " << list_length << "\n" << NORMAL;
 for(int i = 0; i < list_length; ++i) {
 PyObject* pybytes = PyList_GetItem(pValue, i);
 if(PyList_Check(pybytes)) {
@@ -281,7 +283,7 @@ class PyExec {
 tempvec.push_back(int(byte));
 }
 }
- hexobj.push_back(tempvec);
+ if (!tempvec.empty()) {hexobj.push_back(tempvec);}
 tempvec.clear();
 }
 }
@@ -294,6 +296,7 @@ class PyExec {
 }
 void printHexObjs(void) {
+ PRINT_WITH_COLOR_LB(YELLOW, "functions with a zero size will not be printed:");
 for (auto &iter : hexobj) {
 for (auto &iterer : iter) {
 std::cout << RED << int(iterer) << " ";
@@ -1173,11 +1176,13 @@ class LuaWrapper
 std::string filename = "load";
 std::string funcname;
 std::string objjpath;
+ std::string action;
- if (numargs == 2) {
+ if (numargs == 3) {
 std::cout << CYAN << "got args." << NORMAL << "\n";
 funcname = lua_tostring(__ls, 1);
 objjpath = lua_tostring(__ls, 2);
+ action = lua_tostring(__ls, 3);
 } else {
 std::cout << RED << "wrong number of arguments provided. should give the python script name, python func name and its args.\n" << NORMAL;
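Review bot: `if (!tempvec.empty()) {hexobj.push_back(tempvec);}` changes hexobj from one entry per list returned by Python to one entry per non-empty list, so its indices no longer line up with the Python-side list — and presumably not with the names that the new symbol_list action fetches in a separate call; if anything later pairs code with names by position, a single zero-size function shifts every following name by one. If the intent is only to avoid printing empty entries, filtering inside printHexObjs (which now already announces that zero-size functions are not printed) keeps the positions intact. The enclosing getAsCppByte continues outside this hunk.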
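Review bot: The else-branch message still describes the old two-argument contract (`python func name and its args`) although the check now requires three, so a caller who gets it wrong is told the wrong thing; it should name the new argument, e.g. `"wrong number of arguments provided. should give the python func name, the object path and the action (code_list or symbol_list).\n"`. `action = lua_tostring(__ls, 3);` assigns into a std::string, and lua_tostring returns NULL for an argument that is neither a string nor a number, which makes that construction undefined behaviour; `luaL_checkstring(__ls, 3)` (or an explicit null check) turns it into a Lua error instead. The same applies to the existing funcname and objjpath lines, and the enclosing function starts and ends outside this hunk.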
@@ -1200,9 +1205,13 @@ class LuaWrapper
 {
 std::cout << BLUE << "running load.py: " << NORMAL << "\n";
 py.run();
- //py.getAsCppStringVec();
- py.getAsCppByte();
- py.printHexObjs();
+ if (action == "code_list") {
+ py.getAsCppByte();
+ py.printHexObjs();
+ }
+ else if (action == "symbol_list") {
+ py.getAsCppStringVec();
+ }
 //py.killPyObj();
 lua_pushnumber(__ls, 0);
 exit(EXIT_SUCCESS);
@@ -1736,11 +1745,13 @@ int LuaDispatch(lua_State* __ls)
 /**********************************************************************************************************************/
 /**********************************************************************************************************************/
 /*Main*/
-int main(int argc, const char **argv)
-{
+int main(int argc, const char **argv) {
 /*initializing the log*/
 bruiser::BruiserReport BruiserLog;
+ /*initing executioner*/
+ Executioner executioner;
+
 /*gets the compilation database and options for the clang instances that we would later run*/
 CommonOptionsParser op(argc, argv, BruiserCategory);
 ClangTool Tool(op.getCompilations(), op.getSourcePathList());
diff --git a/bruiser/executioner.h b/bruiser/executioner.h
index d1c0b32..ed5009b 100644
--- a/bruiser/executioner.h
+++ b/bruiser/executioner.h
@@ -26,12 +26,13 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.*
 #include <cstdarg>
 #include <cstring>
 #include <sys/mman.h>
+#include <unistd.h>
 #include "lua-5.3.4/src/lua.hpp"
 /**********************************************************************************************************************/
 #ifndef EXECUTIONER_H
 #define EXECUTIONER_H
 /**********************************************************************************************************************/
-namespace {
+namespace { // start of anonymous namespace
 using XObject = void(*)(void);
 constexpr int MEMORY_SIZE = 32768;
 std::vector<uint8_t> memory(MEMORY_SIZE, 0);
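Review bot: The action dispatch has no else branch, so an unrecognised action string runs neither path and the function still pushes 0 and calls `exit(EXIT_SUCCESS)`, reporting success for a no-op; add `else { std::cout << RED << "unknown action: " << action << NORMAL << "\n"; lua_pushnumber(__ls, EXIT_FAILURE); }` before the exit, and ideally return to Lua rather than exiting the whole process on what is a per-call error. The two accepted strings `"code_list"` and `"symbol_list"` are repeated verbatim in demo1.lua; a comment on the dispatch listing the supported actions would keep them documented in one place. The enclosing function starts outside this hunk.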
@@ -52,7 +53,28 @@ namespace {
 }
 return 0;
 }
-}
+
+ int LuaGenericWrapper(lua_State* __ls, XObject __x) {
+ int numargs = lua_gettop(__ls);
+ std::vector<uint64_t> arg_vec;
+
+ for (int i = 0; i < numargs; ++i) {
+ arg_vec.push_back(lua_tonumber(__ls, i + 1));
+ }
+
+ pid_t pid = fork();
+ if (pid < 0) {
+ //PRINT_WITH_COLOR_LB(RED, "could not fork...");
+ lua_pushnumber(__ls, EXIT_FAILURE);
+ }
+ if (pid == 0) {}
+ if (pid > 0) {
+ __x;
+ }
+
+ return 0;
+ }
+} // end of anonymous namespace
 int getMemorySize(void) {return MEMORY_SIZE;}
@@ -102,12 +124,24 @@ class Executioner {
 for (auto &iter : _bytes) {this->emitByte(iter, _code);}
 }
- void registerWithLua(lua_State* _lua_State) {}
+ void registerWithLua(lua_State* _lua_State) {
+ for (auto& iter : names) {
+ //lua_register(_lua_State, iter.c_str(), LuaGeneric);
+ }
+ }
+
+ void xobjsGetPtrs(void) {
+ for (auto& iter : obj_mem_ptrs) {
+ XObject dummy = (XObject)iter.first;
+ xobjs.push_back(dummy);
+ }
+ }
 private:
 std::vector<std::pair<void*, size_t>> obj_mem_ptrs;
 std::vector<std::vector<uint8_t>> objs;
 std::vector<std::string> names;
+ std::vector<XObject> xobjs;
 };
 /**********************************************************************************************************************/
 #endif
diff --git a/bruiser/lua-scripts/demo1.lua b/bruiser/lua-scripts/demo1.lua
new file mode 100644
index 0000000..98bdb0d
--- /dev/null
+++ b/bruiser/lua-scripts/demo1.lua
@@ -0,0 +1,2 @@
+objload("elf_get_func_names", "../bfd/test/test.so", "symbol_list")
+objload("main2", "../bfd/test/test.so", "code_list")
diff --git a/bruiser/run.sh b/bruiser/run.sh
new file mode 100755
index 0000000..912fcf2
--- /dev/null
+++ b/bruiser/run.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+./bruiser ../test/bruisertest/test.cpp
diff --git a/obfuscator/run.sh b/obfuscator/run.sh
new file mode 100755
index 0000000..d5197d5
--- /dev/null
+++ b/obfuscator/run.sh
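Review bot: `__x;` in the `pid > 0` branch is a discarded expression that never calls the function pointer, so the parent runs nothing, and the empty `if (pid == 0) {}` lets the child fall through to `return 0` and keep executing the Lua interpreter from the same point, leaving two processes driving one script. If the fork is meant to contain the loaded object code, the roles look reversed: the child should call `__x()` and `_exit`, and the parent should `waitpid` and hand the exit status back to Lua — which also keeps a crash in the object from taking bruiser down. On fork failure the function pushes EXIT_FAILURE but returns 0, so Lua discards the pushed value; the result count should be 1. arg_vec is filled and never read — pass it on or drop it — and `waitpid`/`WIFEXITED` need `<sys/wait.h>` next to the new `<unistd.h>` include.
```cpp
  int LuaGenericWrapper(lua_State* __ls, XObject __x) {
    // … unchanged: collect the Lua arguments into arg_vec …
    pid_t pid = fork();
    if (pid < 0) {
      lua_pushnumber(__ls, EXIT_FAILURE);
      return 1;                          // one result: the failure code
    }
    if (pid == 0) {
      __x();                             // run the object code in the child only
      _exit(EXIT_SUCCESS);               // never return into the parent's Lua state
    }
    int status = 0;
    waitpid(pid, &status, 0);            // parent waits; needs <sys/wait.h>
    lua_pushnumber(__ls, WIFEXITED(status) ? WEXITSTATUS(status) : EXIT_FAILURE);
    return 1;
  }
```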
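Review bot: xobjsGetPtrs converts a data pointer to a function pointer with a C-style cast, `XObject dummy = (XObject)iter.first;`; that conversion is only conditionally supported in C++, so spell it `reinterpret_cast<XObject>(iter.first)` to make the intent greppable, and since the loop appends on every call a second call duplicates every entry — clear xobjs first or make the method idempotent. Whether the memory behind obj_mem_ptrs is mapped executable before these pointers are ever called is not visible in this hunk, yet it is the property the class depends on and deserves a comment on the xobjs member, e.g. `// entry points into obj_mem_ptrs; only valid to call once those pages are mapped executable`. In registerWithLua the loop body is a comment, so `iter` is unused and the loop is a no-op; a TODO on the method would make clear it is a stub rather than an oversight. The Executioner class starts outside this hunk.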
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+#make
+"./obfuscator" ./test/test.cpp
+"./obfuscator" ./test/header.hpp --
+#less dupe.cpp