authorbloodstalker <thabogre@gmail.com>2018-03-01 14:37:53 +0000
committerbloodstalker <thabogre@gmail.com>2018-03-01 14:37:53 +0000
commitb72238e4056bc8f28c53f42f186bd385cc81ba12 (patch)
tree5821add9b2d785f09b4f4e1c8b62a17e6a713769 /bruiser/bruisercapstone.c
parentbruiser will now run a lua script before startup so now you can easily use yo... (diff)
downloadmutator-b72238e4056bc8f28c53f42f186bd385cc81ba12.tar.gz
mutator-b72238e4056bc8f28c53f42f186bd385cc81ba12.zip
wip-the asm rewriter module plus the assembly jump table lua module implementation
Diffstat (limited to 'bruiser/bruisercapstone.c')
-rw-r--r--bruiser/bruisercapstone.c188
1 files changed, 182 insertions, 6 deletions
diff --git a/bruiser/bruisercapstone.c b/bruiser/bruisercapstone.c
index aea791d..8e190c5 100644
--- a/bruiser/bruisercapstone.c
+++ b/bruiser/bruisercapstone.c
@@ -31,17 +31,28 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.*
#include <string.h>
/**********************************************************************************************************************/
/**********************************************************************************************************************/
+JMP_S_T* head = NULL;
+JMP_S_T* tail = NULL;
extern char etext, edata, end;
// quad
#define CODE_1 "\x55\x48\x89\xe5\x48\x83\xec\x20\x89\x7d\xfc\x89\x75\xf8\x89\x55\xf4\x89\x4d\xf0\x8b\x7d\xfc\x8b\x75\xf8\xe8\xd1\xfd\xff\xff\x8b\x7d\xf4\x8b\x75\xf0\x89\x45\xec\xe8\xc3\xfd\xff\xff\x8b\x4d\xec\x1\xc1\x89\xc8\x48\x83\xc4\x20\x5d\xc3"
// glob
#define CODE_2 "\x55\x48\x89\xe5\x48\x8b\x05\x0d\x15\x20\x00\x48\x8b\x0d\xee\x14\x20\x00\x48\x8b\x15\xf7\x14\x20\x00\x48\x8b\x35\xd8\x14\x20\x00\x8b\x3e\x03\x3a\x03\x39\x03\x38\x89\xf8\x5d\xc3"
+// main
+# define CODE_3 "\x31\xed\x49\x89\xd1\x5e\x48\x89\xe2\x48\x83\xe4\xf0\x50\x54\x49\xc7\xc0\x60\x07\x40\x00\x48\xc7\xc1\xf0\x06\x40\x00\x48\xc7\xc7\x90\x06\x40\x00\xff\x15\xa6\x0b\x20\x00\xf4\x0f\x1f\x44\x00\x00\x55\xb8\x38\x10\x60\x00\x48\x3d\x38\x10\x60\x00\x48\x89\xe5\x74\x17\xb8\x00\x00\x00\x00\x48\x85\xc0\x74\x0d\x5d\xbf\x38\x10\x60\x00\xff\xe0\x0f\x1f\x44\x00\x00\x5d\xc3\x66\x0f\x1f\x44\x00\x00\xbe\x38\x10\x60\x00\x55\x48\x81\xee\x38\x10\x60\x00\x48\x89\xe5\x48\xc1\xfe\x03\x48\x89\xf0\x48\xc1\xe8\x3f\x48\x01\xc6\x48\xd1\xfe\x74\x15\xb8\x00\x00\x00\x00\x48\x85\xc0\x74\x0b\x5d\xbf\x38\x10\x60\x00\xff\xe0\x0f\x1f\x00\x5d\xc3\x66\x0f\x1f\x44\x00\x00\x80\x3d\x6d\x0b\x20\x00\x00\x75\x17\x55\x48\x89\xe5\xe8\x7e\xff\xff\xff\xc6\x05\x5b\x0b\x20\x00\x01\x5d\xc3\x0f\x1f\x44\x00\x00\xf3\xc3\x0f\x1f\x40\x00\x66\x2e\x0f\x1f\x84\x00\x00\x00\x00\x00\x55\x48\x89\xe5\x5d\xeb\x89\x66\x0f\x1f\x84\x00\x00\x00\x00\x00\x55\x48\x89\xe5\xb8\x01\x00\x00\x00\x5d\xc3\x0f\x1f\x44\x00\x00\x55\x48\x89\xe5\xb8\x02\x00\x00\x00\x5d\xc3\x0f\x1f\x44\x00\x00\x55\x48\x89\xe5\xb8\x03\x00\x00\x00\x5d\xc3\x0f\x1f\x44\x00\x00\x55\x48\x89\xe5\xb8\x04\x00\x00\x00\x5d\xc3\x0f\x1f\x44\x00\x00\x55\x48\x89\xe5\xb8\x05\x00\x00\x00\x5d\xc3\x0f\x1f\x44\x00\x00\x55\x48\x89\xe5\xb8\x06\x00\x00\x00\x5d\xc3\x0f\x1f\x44\x00\x00\x55\x48\x89\xe5\x89\x7d\xfc\x89\x75\xf8\x8b\x75\xfc\x03\x75\xf8\x89\xf0\x5d\xc3\x66\x66\x66\x2e\x0f\x1f\x84\x00\x00\x00\x00\x00\x55\x48\x89\xe5\x89\x7d\xfc\x89\x75\xf8\x8b\x75\xfc\x2b\x75\xf8\x89\xf0\x5d\xc3\x66\x66\x66\x2e\x0f\x1f\x84\x00\x00\x00\x00\x00\x55\x48\x89\xe5\xf2\x0f\x11\x45\xf8\xf2\x0f\x11\x4d\xf0\xf2\x0f\x10\x45\xf8\xf2\x0f\x58\x45\xf0\x5d\xc3\x66\x0f\x1f\x44\x00\x00\x55\x48\x89\xe5\xf2\x0f\x11\x45\xf8\xf2\x0f\x11\x4d\xf0\xf2\x0f\x10\x45\xf8\xf2\x0f\x5c\x45\xf0\x5d\xc3\x66\x0f\x1f\x44\x00\x00\x55\x48\x89\xe5\xf2\x0f\x11\x45\xf8\xf2\x0f\x11\x4d\xf0\xf2\x0f\x11\x55\xe8\xf2\x0f\x10\x45\xf8\xf2\x0f\x58\x45\xf0\xf2\x0f\x58\x45\xe8\x5d\xc3\x66\x66\x66\x2e\x0f\x1f\x84\x00\x00\x00\x00\x
00\x55\x48\x89\xe5\x48\x83\xec\x20\x89\x7d\xfc\x89\x75\xf8\x89\x55\xf4\x89\x4d\xf0\x8b\x7d\xfc\x8b\x75\xf8\xe8\x31\xff\xff\xff\x8b\x7d\xf4\x8b\x75\xf0\x89\x45\xec\xe8\x23\xff\xff\xff\x8b\x4d\xec\x01\xc1\x89\xc8\x48\x83\xc4\x20\x5d\xc3\x66\x0f\x1f\x44\x00\x00\x55\x48\x89\xe5\x48\x89\x7d\xf8\x48\x8b\x45\xf8\x5d\xc3\x66\x90\x55\x48\x89\xe5\x48\x8d\x05\xc5\x09\x20\x00\x48\x8d\x0d\xba\x09\x20\x00\x48\x8d\x15\xaf\x09\x20\x00\x48\x8d\x35\xa4\x09\x20\x00\x8b\x3e\x03\x3a\x03\x39\x03\x38\x89\xf8\x5d\xc3\x0f\x1f\x40\x00\x55\x48\x89\xe5\x48\x83\xec\x20\xb8\x0a\x00\x00\x00\xb9\x14\x00\x00\x00\xc7\x45\xfc\x00\x00\x00\x00\x89\x7d\xf8\x48\x89\x75\xf0\x89\xc7\x89\xce\xe8\xa7\xfe\xff\xff\x48\x8d\x3d\xc0\x00\x00\x00\x89\x45\xec\xb0\x00\xe8\x46\xfd\xff\xff\xbf\x14\x00\x00\x00\xbe\x0a\x00\x00\x00\x89\x45\xe8\xe8\xa4\xfe\xff\xff\x48\x83\xc4\x20\x5d\xc3\x66\x2e\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1f\x40\x00\x41\x57\x41\x56\x49\x89\xd7\x41\x55\x41\x54\x4c\x8d\x25\xee\x06\x20\x00\x55\x48\x8d\x2d\xee\x06\x20\x00\x53\x41\x89\xfd\x49\x89\xf6\x4c\x29\xe5\x48\x83\xec\x08\x48\xc1\xfd\x03\xe8\xc7\xfc\xff\xff\x48\x85\xed\x74\x20\x31\xdb\x0f\x1f\x84\x00\x00\x00\x00\x00\x4c\x89\xfa\x4c\x89\xf6\x44\x89\xef\x41\xff\x14\xdc\x48\x83\xc3\x01\x48\x39\xdd\x75\xea\x48\x83\xc4\x08\x5b\x5d\x41\x5c\x41\x5d\x41\x5e\x41\x5f\xc3\x90\x66\x2e\x0f\x1f\x84\x00\x00\x00\x00\x00\xf3\xc3"
+/**********************************************************************************************************************/
+/**********************************************************************************************************************/
+JMP_S_T* iter_next(JMP_S_T* arg) {return arg->next;}
+JMP_S_T* iter_next_y(JMP_S_T* arg) {return arg->next_y;}
+JMP_S_T* iter_next_n(JMP_S_T* arg) {return arg->next_n;}
+/**********************************************************************************************************************/
+/**********************************************************************************************************************/
/**********************************************************************************************************************/
/**********************************************************************************************************************/
uint32_t get_textsection_length(void) {return &edata-&etext;}
/**********************************************************************************************************************/
/**********************************************************************************************************************/
-uintptr_t get_symbol_rt_address(const char* symbol_name) {}
+uintptr_t get_symbol_rt_address(const char* symbol_name) {return NULL;}
/**********************************************************************************************************************/
/**********************************************************************************************************************/
void int2byte(int value, uint8_t* ret_value, size_t size) {
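Review bot: `get_symbol_rt_address` now returns `NULL` from a function whose return type is `uintptr_t`, which is a pointer-to-integer conversion, and a stub that yields 0 is indistinguishable for callers from a symbol genuinely resolved at address 0; write `return 0;` and mark the stub with `// TODO: unimplemented, 0 means "not resolved" until symbol lookup lands`, plus `(void)symbol_name;` so the unused parameter does not warn. The new `head`/`tail` list globals are non-static and therefore exported from this translation unit; `static JMP_S_T* head = NULL;` / `static JMP_S_T* tail = NULL;` keeps them private unless another file is meant to reach them. Note also that CODE_3 is a string literal containing embedded `\x00` bytes, so any consumer that measures it with `strlen` or `sizeof` minus one must be given the length explicitly, as main does.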
@@ -95,7 +106,7 @@ int ks_write(ks_arch arch, int mode, const char* assembly, int syntax, unsigned
if (syntax) ks_option(ks, KS_OPT_SYNTAX, syntax);
if (ks_asm(ks, assembly, 0, &encode, &size, &count)) {printf("errored out\n"); return -1;}
-#if 0
+#if 1
else {
printf("%s =", assembly);
for (size_t i = 0; i < size; ++i) {
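Review bot: The error path on the `ks_asm` line returns -1 without releasing the keystone handle, assuming `ks` was obtained from `ks_open` earlier in ks_write (outside the hunk); `ks_close(ks);` before the return, and reporting `ks_errno(ks)` instead of the bare "errored out" message, would make the failure both leak-free and diagnosable. The hunk only flips the debug dump from `#if 0` to `#if 1`; if that output is meant to stay, a comment such as `// debug: dump the encoded bytes` on the `#if 1` line records that it is intentional. ks_write's body continues outside the hunk.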
@@ -119,14 +130,17 @@ int global_rewriter(int offset, size_t size, uint8_t* asm_code, const char* obj)
unsigned char *encode;
if (cs_open(CS_ARCH_X86, CS_MODE_64, &handle) != CS_ERR_OK) return -1;
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wpointer-sign"
count = cs_disasm(handle, obj, size, 0x0, 0, &insn);
- printf("number of instructions: %d.\n\n", count);
+#pragma GCC diagnostic pop
+ printf("number of instructions: %zu.\n\n", count);
cs_option(handle, CS_OPT_DETAIL, CS_OPT_ON);
if (count > 0) {
size_t j;
for (j = 0; j < count; ++j) {
- printf(CYAN"%d.\t"NORMAL, j);
+ printf(CYAN"%zu.\t"NORMAL, j);
printf(GREEN"0x%"PRIx64":\t%s\t\t%s\t"NORMAL, insn[j].address, insn[j].mnemonic, insn[j].op_str);
printf(BLUE"insn size: %d\n"NORMAL, insn[j].size);
//for (int i = 0; i < 16; ++i) {code[i] = insn[j].bytes[i]; printf("%02x ", code[i]);}
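Review bot: `cs_option(handle, CS_OPT_DETAIL, CS_OPT_ON)` is issued after `cs_disasm` has already produced `insn`, so detail data is not populated for any instruction decoded here; the `cs_option` call belongs before the `cs_disasm` line (the same ordering appears in the call_rewriter hunk and in the new makejmptable). The `-Wpointer-sign` pragma pair silences the warning about passing `const char* obj` to a parameter declared as `const uint8_t*` rather than resolving it; an explicit `(const uint8_t*)obj` at the call site, or changing the parameter type in global_rewriter's signature, documents the intent and keeps the warning active for real mistakes. The loop body continues past the hunk.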
@@ -159,14 +173,17 @@ int call_rewriter(int offset, size_t size, uint8_t* asm_code, const char* obj) {
size_t size_counter = 0;
if (cs_open(CS_ARCH_X86, CS_MODE_64, &handle) != CS_ERR_OK) return -1;
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wpointer-sign"
count = cs_disasm(handle, obj, size, 0x0, 0, &insn);
- printf("number of instructions: %d.\n\n", count);
+#pragma GCC diagnostic pop
+ printf("number of instructions: %zu.\n\n", count);
cs_option(handle, CS_OPT_DETAIL, CS_OPT_ON);
if (count > 0) {
size_t j;
for (j = 0; j < count; ++j) {
- printf(CYAN"%d.\t"NORMAL, j);
+ printf(CYAN"%zu.\t"NORMAL, j);
printf(GREEN"0x%"PRIx64":\t%s""\t\t%s\t"NORMAL, insn[j].address, insn[j].mnemonic, insn[j].op_str);
for (int i = 0; i < 16; ++i) {code[i] = insn[j].bytes[i]; printf(BLUE"%02x "NORMAL, code[i]);}
printf("\n");
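Review bot: The byte dump loop copies and prints all 16 entries of `insn[j].bytes` regardless of `insn[j].size`, so the trailing bytes shown for a short instruction are not part of the instruction; bound it with `for (int i = 0; i < insn[j].size; ++i)` and, if `code` is later consumed by a rewriter, only the first `insn[j].size` bytes of it are meaningful. The same 16-iteration loop recurs four times in the makejmptable hunk. call_rewriter's body continues past the hunk.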
@@ -198,6 +215,141 @@ int call_rewriter(int offset, size_t size, uint8_t* asm_code, const char* obj) {
}
/**********************************************************************************************************************/
/**********************************************************************************************************************/
+JMP_S_T* makejmptable(size_t size, uint8_t* obj) {
+ csh handle;
+ cs_insn* insn;
+ size_t count;
+ uint8_t rewritten[16];
+ uint8_t code[16];
+ size_t size_counter = 0;
+
+ head = malloc(sizeof(JMP_S_T));
+ tail = malloc(sizeof(JMP_S_T));
+ head->type = NONE;
+ head->next = NULL;
+ tail = head;
+
+ if (cs_open(CS_ARCH_X86, CS_MODE_64, &handle) != CS_ERR_OK) return NULL;
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wpointer-sign"
+ count = cs_disasm(handle, obj, size, 0x0, 0, &insn);
+#pragma GCC diagnostic pop
+ printf("number of instructions: %zu.\n\n", count);
+ cs_option(handle, CS_OPT_DETAIL, CS_OPT_ON);
+
+ intmax_t address;
+ if (count > 0) {
+ size_t j;
+ for (j = 0; j < count; ++j) {
+ printf(CYAN"%zu.\t"NORMAL, j);
+ printf(GREEN"0x%"PRIx64":\t%s""\t\t%s\t"NORMAL, insn[j].address, insn[j].mnemonic, insn[j].op_str);
+ for (int i = 0; i < 16; ++i) {code[i] = insn[j].bytes[i]; printf(BLUE"%02x "NORMAL, code[i]);}
+ printf("\n");
+
+ if (strcmp(insn[j].mnemonic, "jmp") == 0) {
+ char* endptr;
+ address = strtoumax(insn[j].op_str, &endptr, 0);
+#if 1
+ printf(RED"found a jmp\n");
+ for (int i = 0; i < 16; ++i) {code[i] = insn[j].bytes[i]; printf(RED"%02x "NORMAL, code[i]);}
+ printf("\n");
+ printf(RED"%jx\n", address);
+ printf(RED"%d\n", insn[j].size);
+#endif
+ JMP_S_T* dummy = malloc(sizeof(JMP_S_T));
+ dummy->location = insn[j].address;
+ dummy->type = JMP;
+ dummy->address = address;
+ dummy->size = insn[j].size;
+ dummy->next = NULL;
+ tail->next = dummy;
+ tail = dummy;
+ }
+
+ if (strcmp(insn[j].mnemonic, "je") == 0) {
+ char* endptr;
+ address = strtoimax(insn[j].op_str, &endptr, 0);
+#if 1
+ printf(RED"found a je\n");
+ for (int i = 0; i < 16; ++i) {code[i] = insn[j].bytes[i]; printf(RED"%02x "NORMAL, code[i]);}
+ printf("\n");
+ printf(RED"%jx\n", address);
+ printf(RED"%d\n", insn[j].size);
+#endif
+ JMP_S_T* dummy = malloc(sizeof(JMP_S_T));
+ dummy->location = insn[j].address;
+ dummy->type = JE;
+ dummy->address_y = address;
+ dummy->size = insn[j].size;
+ dummy->next = NULL;
+ tail->next = dummy;
+ tail = dummy;
+ }
+
+ if (strcmp(insn[j].mnemonic, "jne") == 0) {
+ char* endptr;
+ address = strtoimax(insn[j].op_str, &endptr, 0);
+#if 1
+ printf(RED"found a jne\n");
+ for (int i = 0; i < 16; ++i) {code[i] = insn[j].bytes[i]; printf(RED"%02x "NORMAL, code[i]);}
+ printf("\n");
+ printf(RED"%lx\n", address);
+ printf(RED"%d\n", insn[j].size);
+#endif
+ JMP_S_T* dummy = malloc(sizeof(JMP_S_T));
+ dummy->location = insn[j].address;
+ dummy->type = JNE;
+ dummy->address_y = address;
+ dummy->size = insn[j].size;
+ dummy->next = NULL;
+ tail->next = dummy;
+ tail = dummy;
+ }
+
+#if 0
+ for (int i = 0; i < insn[j].size; ++i) {
+ asm_code[size_counter] = insn[j].bytes[i];
+ size_counter++;
+ }
+#endif
+ }
+
+ cs_free(insn, count);
+ } else {
+ printf("ERROR!!!\n");
+ }
+ cs_close(&handle);
+ return head;
+}
+/**********************************************************************************************************************/
+int freejmptable(JMP_S_T* _head) {
+ JMP_S_T* previous = _head;
+ JMP_S_T* current = _head;
+ while (current != NULL) {
+ previous = current;
+ current = current->next;
+ free(previous);
+ }
+ return 0;
+}
+/**********************************************************************************************************************/
+int dumpjmptable(JMP_S_T* current) {
+ while (current != NULL) {
+ printf("jump location: %lx", current->location);
+ printf("\tjump address: %lu", current->address);
+ printf("\tjump type: %d", current->type);
+ printf("\tinstruction size: %d\n", current->size);
+ current = current->next;
+ }
+}
+/**********************************************************************************************************************/
+void jmprewriter_j(JMP_S_T* jmp, uint8_t* code, JMP_T type, uint8_t* rewritten) {
+
+}
+void jmprewriter_jne(JMP_S_T* jmp, uint8_t* code, JMP_T type, uint8_t* rewritten) {};
+void jmprewriter_je(JMP_S_T* jmp, uint8_t* code, JMP_T type, uint8_t* rewritten) {}
+/**********************************************************************************************************************/
+/**********************************************************************************************************************/
// @DEVI-the following lines are only meant for testing.
#pragma weak main
int main(int argc, char** argv) {
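Review bot: The operand parse in the three branch-detection blocks of makejmptable (`strtoumax`/`strtoimax` on `insn[j].op_str`) never checks `endptr`, so an indirect branch such as `jmp rax` — and CODE_3 does contain the `\xff\xe0` encoding of that instruction — is recorded as a direct jump to address 0, which a later rewriter would then patch as a real target; require `endptr != insn[j].op_str && *endptr == '\0'` and skip operands that are not numeric literals. The second `malloc` into `tail` is overwritten by `tail = head` and leaked, `malloc` leaves `location`, `address`, `address_y` and `size` of the sentinel uninitialized (the JE/JNE nodes also never set `address`) while `dumpjmptable` prints all of them, and the `cs_open` failure path returns with `head` still pointing at the sentinel; `calloc` for every node and a free on the failure path fix all three, and the three near-identical append blocks collapse into one helper as below. Separately, the jne branch prints `address` with `%lx` while the others use `%jx` (the `intmax_t` form), `dumpjmptable` is declared `int` but falls off the end without a return, and `freejmptable` leaves the global `head`/`tail` dangling after freeing the nodes they point to.
```c
/* Append one branch record to the global list; returns NULL on allocation failure. */
static JMP_S_T* append_jump(const cs_insn* in, JMP_T type, intmax_t target) {
  JMP_S_T* node = calloc(1, sizeof *node);  /* zeroed: unused address fields and next pointers start out 0/NULL */
  if (node == NULL) return NULL;
  node->location = in->address;
  node->type = type;
  node->size = in->size;
  if (type == JMP) node->address = target;
  else node->address_y = target;
  tail->next = node;
  tail = node;
  return node;
}

JMP_S_T* makejmptable(size_t size, uint8_t* obj) {
  /* … unchanged: local declarations … */
  head = calloc(1, sizeof *head);  /* sentinel node; calloc so dumpjmptable never prints garbage */
  if (head == NULL) return NULL;
  head->type = NONE;
  tail = head;

  if (cs_open(CS_ARCH_X86, CS_MODE_64, &handle) != CS_ERR_OK) {
    free(head);
    head = tail = NULL;
    return NULL;
  }
  cs_option(handle, CS_OPT_DETAIL, CS_OPT_ON);  /* must precede cs_disasm to take effect */
  /* … unchanged: cs_disasm, instruction count print, per-instruction dump … */
      JMP_T type;
      if (strcmp(insn[j].mnemonic, "jmp") == 0) type = JMP;
      else if (strcmp(insn[j].mnemonic, "je") == 0) type = JE;
      else if (strcmp(insn[j].mnemonic, "jne") == 0) type = JNE;
      else continue;

      char* endptr;
      intmax_t target = strtoimax(insn[j].op_str, &endptr, 0);
      if (endptr == insn[j].op_str || *endptr != '\0') {
        /* register or memory operand (e.g. "jmp rax"): target is not known statically, do not record a bogus 0 */
        printf(RED"skipping indirect branch %s %s\n"NORMAL, insn[j].mnemonic, insn[j].op_str);
        continue;
      }
      printf(RED"found a %s -> %jx (size %d)\n"NORMAL, insn[j].mnemonic, target, insn[j].size);
      if (append_jump(&insn[j], type, target) == NULL) break;  /* out of memory: keep what was collected */
  /* … unchanged: cs_free, error branch, cs_close, return head … */
```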
@@ -223,6 +375,7 @@ int main(int argc, char** argv) {
printf("end: %10p\n", &end);
printf("text section length: %d\n", get_textsection_length());
+#if 1
printf("----------------------------------------------------------\n");
uint8_t value[4];
int2byte(-528, value, 4);
@@ -235,11 +388,34 @@ int main(int argc, char** argv) {
for (int i = 0; i < 4; ++i) {printf("%02x ", value[i]);}
printf("\n");
printf("----------------------------------------------------------\n");
+#endif
unsigned char* encode;
ks_write(KS_ARCH_X86, KS_MODE_64, "add rax, rcx", 0, encode);
ks_free(encode);
+#if 0
+ head = malloc(sizeof(JMP_S_T));
+ tail = malloc(sizeof(JMP_S_T));
+ head->type = NONE;
+ head->next = NULL;
+ tail = head;
+#endif
+ uint8_t asm_code3[834];
+ JMP_S_T* current = makejmptable(834, CODE_3);
+
+#if 0
+ while (current != NULL) {
+ printf("jump location: %lx", current->location);
+ printf("\tjump address: %lu", current->address);
+ printf("\tjump type: %d", current->type);
+ printf("\tinstruction size: %d\n", current->size);
+ current = current->next;
+ }
+#endif
+ dumpjmptable(current);
+ freejmptable(current);
+
return 0;
}
/**********************************************************************************************************************/