author | bloodstalker <thabogre@gmail.com> | 2018-03-04 18:32:55 +0000 |
---|---|---|
committer | bloodstalker <thabogre@gmail.com> | 2018-03-04 18:32:55 +0000 |
commit | e040ff88ba02058192f90503f6270d72fddd8d41 (patch) | |
tree | f738a9943416c1f75808c57cc6d67f2fc810ea5c /bruiser | |
parent | wip-the lua syntax is not what i want to be yet and im having trouble with th... (diff) | |
download | mutator-e040ff88ba02058192f90503f6270d72fddd8d41.tar.gz mutator-e040ff88ba02058192f90503f6270d72fddd8d41.zip |
the jmp table is working now. you get member set and get methods, and an iterator. you can use demo2 in the lua scripts folder for a test.
Diffstat (limited to 'bruiser')
-rw-r--r-- | bruiser/asmrewriter.c | 73 | ||||
-rw-r--r-- | bruiser/asmrewriter.h | 11 | ||||
-rw-r--r-- | bruiser/bruiser.cpp | 8 | ||||
-rw-r--r-- | bruiser/bruisercapstone.c | 72 | ||||
-rw-r--r-- | bruiser/bruisercapstone.h | 5 | ||||
-rw-r--r-- | bruiser/lua-scripts/demo2.lua | 15 | ||||
-rw-r--r-- | bruiser/makefile | 2 |
7 files changed, 125 insertions, 61 deletions
diff --git a/bruiser/asmrewriter.c b/bruiser/asmrewriter.c
index 0cff6d6..2e3a98d 100644
--- a/bruiser/asmrewriter.c
+++ b/bruiser/asmrewriter.c
@@ -41,13 +41,60 @@ static JMP_S_T* check_jmpt(lua_State* __ls, int index) { } JMP_S_T* push_jmpt(lua_State* __ls) { - JMP_S_T* dummy = (JMP_S_T*)lua_newuserdata(__ls, sizeof(JMP_S_T)); + lua_checkstack(__ls, 1); + JMP_S_T* dummy = lua_newuserdata(__ls, sizeof(JMP_S_T)); luaL_getmetatable(__ls, "jmp_s_t"); lua_setmetatable(__ls, -2); return dummy; } -static int new_jmpt(lua_State* __ls) { +int jmpt_push_args(lua_State* __ls, JMP_S_T* jmpt) { + lua_checkstack(__ls, 12); + lua_pushinteger(__ls, jmpt->type); + lua_pushinteger(__ls, jmpt->location); + lua_pushinteger(__ls, jmpt->size); + lua_pushlightuserdata(__ls, jmpt->next); + lua_pushlightuserdata(__ls, jmpt->next_y); + lua_pushlightuserdata(__ls, jmpt->next_n); + lua_pushinteger(__ls, jmpt->address); + lua_pushinteger(__ls, jmpt->address_y); + lua_pushinteger(__ls, jmpt->address_n); + lua_pushinteger(__ls, jmpt->y); + lua_pushinteger(__ls, jmpt->n); + lua_pushinteger(__ls, jmpt->z); +} + +int new_jmpt_2(lua_State* __ls) { + lua_checkstack(__ls, 12); + JMP_T jmp_t = luaL_optinteger(__ls, -12, 0); + uint64_t location = luaL_optinteger(__ls, -11, 0); + uint8_t size = luaL_optinteger(__ls, -10, 0); + JMP_S_T* next = lua_touserdata(__ls, -9); + JMP_S_T* next_y = lua_touserdata(__ls, -8); + JMP_S_T* next_n = lua_touserdata(__ls, -7); + uint64_t address = luaL_optinteger(__ls, -6, 0); + uint64_t address_y = luaL_optinteger(__ls, -5, 0); + uint64_t address_n = luaL_optinteger(__ls, -4, 0); + unsigned char y = luaL_optinteger(__ls, -3, 0); + unsigned char n = luaL_optinteger(__ls, -2, 0); + unsigned char z = luaL_optinteger(__ls, -1, 0); + JMP_S_T* dummy = push_jmpt(__ls); + dummy->type = jmp_t; + dummy->location = location; + dummy->size = size; + dummy->next = next; + dummy->next_y = next_y; + dummy->next_n = next_n; + dummy->address = address; + dummy->address_y = address_y; + dummy->address_n = address_n; + dummy->y = y; + dummy->n = n; + dummy->z = z; + return 1; +} + +int new_jmpt(lua_State* __ls) { 
lua_checkstack(__ls, 12); JMP_T jmp_t = luaL_optinteger(__ls, 1, 0); uint64_t location = luaL_optinteger(__ls, 2, 0); @@ -123,22 +170,36 @@ X_LIST_GEN static int next(lua_State* __ls) { JMP_S_T* dummy = check_jmpt(__ls, 1); + lua_pop(__ls, -1);\ lua_pushlightuserdata(__ls, dummy->next); return 1; } static int next_y(lua_State* __ls) { JMP_S_T* dummy = check_jmpt(__ls, 1); + lua_pop(__ls, -1);\ lua_pushlightuserdata(__ls, dummy->next_y); return 1; } static int next_n(lua_State* __ls) { JMP_S_T* dummy = check_jmpt(__ls, 1); + lua_pop(__ls, -1);\ lua_pushlightuserdata(__ls, dummy->next_n); return 1; } +static int inext(lua_State* __ls) { + JMP_S_T* dummy = check_jmpt(__ls, 1); + if (dummy->next != NULL) { + jmpt_push_args(__ls, dummy->next); + new_jmpt_2(__ls); + } else { + lua_pushnil(__ls); + } + return 1; +} + #define SET_GENERATOR(X) \ static int jmpt_set_##X(lua_State* __ls) {\ JMP_S_T* dummy = check_jmpt(__ls,1);\ @@ -164,20 +225,21 @@ X_LIST_GEN #undef X_LIST_GEN #undef SET_GENERATOR -static int jmpt_set_next(lua_State* __ls) { +int jmpt_set_next(lua_State* __ls) { JMP_S_T* dummy = check_jmpt(__ls,1); dummy->next = luaL_checkudata(__ls, 2, "jmp_s_t"); lua_settop(__ls, 1); return 1; } -static int jmpt_set_next_y(lua_State* __ls) { +int jmpt_set_next_y(lua_State* __ls) { JMP_S_T* dummy = check_jmpt(__ls,1); dummy->next_y = luaL_checkudata(__ls, 2, "jmp_s_t"); lua_settop(__ls, 1); return 1; } -static int jmpt_set_next_n(lua_State* __ls) { + +int jmpt_set_next_n(lua_State* __ls) { JMP_S_T* dummy = check_jmpt(__ls,1); dummy->next_n = luaL_checkudata(__ls, 2, "jmp_s_t"); lua_settop(__ls, 1); @@ -223,6 +285,7 @@ static const luaL_Reg jmpt_methods[] = { {"y", y}, {"n", n}, {"z", z}, + {"inext", inext}, {0,0} }; diff --git a/bruiser/asmrewriter.h b/bruiser/asmrewriter.h index d700a8d..c8b69c0 100644 --- a/bruiser/asmrewriter.h +++ b/bruiser/asmrewriter.h 
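Review bot: `jmpt_push_args` is declared to return `int` but has no `return` statement, so a caller that uses its value reads an indeterminate result, and the same `int` prototype is exported from asmrewriter.h; end it with `return 12;` (the number of values pushed) or make it `void` in both places. `new_jmpt_2` then reads the fixed indices -12..-1 without confirming that twelve values are present; Lua only validates negative indices under LUA_USE_APICHECK, so a shorter stack makes it read slots below the current frame. A guard such as `luaL_argcheck(__ls, lua_gettop(__ls) >= 12, 1, "expected 12 values");` at the top of `new_jmpt_2` makes the contract explicit. The `next`/`next_y`/`next_n` slots are also accepted as any light userdata and stored as `JMP_S_T*` unchecked; that is inherited from the original `new_jmpt`, but a comment saying the caller is trusted would help. The hunk ends inside `new_jmpt`, whose body continues outside it.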
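Review bot: The three added `lua_pop(__ls, -1);\` lines in `next`, `next_y` and `next_n` end in a stray backslash, which the preprocessor treats as a line continuation and splices the following `lua_pushlightuserdata` call onto the same line; it compiles by accident and the backslash should go. `lua_pop(L, -1)` also expands to `lua_settop(L, 0)`, i.e. it discards the whole stack rather than the one argument `check_jmpt` validated; `lua_pop(__ls, 1);` is presumably what was meant, or simply nothing, since `return 1` only hands back the top value anyway. In `inext`, `dummy->next` is dereferenced by `jmpt_push_args` with no check that the node it points to is still alive; the nodes are Lua userdata created by `push_jmpt` inside `makejmptable`, and nothing visible in this commit keeps a reference to them once that list has been handed to Lua, so the pointer can outlive the object it names.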
@@ -35,7 +35,9 @@ extern "C" { static JMP_S_T* convert_jmpt(lua_State* __ls, int index); static JMP_S_T* check_jmpt(lua_State* __ls, int index); JMP_S_T* push_jmpt(lua_State* __ls); -static int new_jmpt(lua_State* __ls); +int jmpt_push_args(lua_State* __ls, JMP_S_T* jmpt); +int new_jmpt_2(lua_State* __ls); +int new_jmpt(lua_State* __ls); static int jmpt_custom(lua_State* __ls); #define SET_GENERATOR(X) \ @@ -56,7 +58,7 @@ static int jmpt_custom(lua_State* __ls); X_LIST_GEN #undef X #undef X_LIST_GEN -#undef SET_GENERATOR +#undef GET_GENERATOR #define GET_GENERATOR(X) \ static int X(lua_State* __ls); @@ -79,9 +81,10 @@ X_LIST_GEN #undef SET_GENERATOR static int next(lua_State* __ls); -static int next(lua_State* __ls); -static int next(lua_State* __ls); +static int next_y(lua_State* __ls); +static int next_n(lua_State* __ls); +static int inext(lua_State* __ls); static int jmpt_set_next(lua_State* __ls); static int jmpt_set_next_y(lua_State* __ls); static int jmpt_set_next_n(lua_State* __ls); diff --git a/bruiser/bruiser.cpp b/bruiser/bruiser.cpp index ae7359a..8b00b5e 100644 --- a/bruiser/bruiser.cpp +++ b/bruiser/bruiser.cpp @@ -1602,10 +1602,10 @@ class LuaWrapper if (numargs != 2) {PRINT_WITH_COLOR_LB(RED, "expected exactly two args. did not get that.");return 0;} uint64_t size = lua_tointeger(__ls, 1); std::vector<uint8_t> code_v = getLuaTableInt<uint8_t>(__ls, 2, 2); - JMP_S_T* head = makejmptable(size, code_v.data(), Verbose); - JMP_S_T* dummy = push_jmpt(__ls); - dummy = head; - dumpjmptable(dummy); + auto head = makejmptable(size, code_v.data(), Verbose, __ls); + jmpt_push_args(__ls, head); + new_jmpt_2(__ls); + dumpjmptable(head); return 1; } diff --git a/bruiser/bruisercapstone.c b/bruiser/bruisercapstone.c index 21b1743..9f85f1b 100644 --- a/bruiser/bruisercapstone.c +++ b/bruiser/bruisercapstone.c 
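Review bot: The `#undef GET_GENERATOR` introduced in hunk `@@ -56` comes before the `#define GET_GENERATOR(X)` that follows it, so it is a no-op, while `SET_GENERATOR` now stays defined until the `#undef SET_GENERATOR` after the GET block in hunk `@@ -79`, and `GET_GENERATOR` is never undefined in this header at all. The intended pairing is most likely `#undef SET_GENERATOR` right after the SET expansion and `#undef GET_GENERATOR` right after the GET expansion; swapping the two undefs restores that. As written, if asmrewriter.c includes this header, its own `#define SET_GENERATOR(X)` with a different body only escapes a redefinition diagnostic because of the later undef.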
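Review bot: The value returned to Lua here is a copy built by `new_jmpt_2`, while `head` and every node `makejmptable` created through `push_jmpt` are userdata sitting on the stack below it that are dropped when this C function returns; nothing else references them, so after the next collection the copy's `next` pointer, and every `next` reached through `inext`, points at freed memory. The same lifetime problem applies to bruisercapstone.c hunks `@@ -221`, `@@ -254`, `@@ -274` and `@@ -294`, which replace `malloc` with `push_jmpt` but keep raw C pointers between the nodes. Either keep the nodes owned by C (the removed `malloc`/`freejmptable` path) and copy only field values into Lua, or anchor each node with a registry reference (`luaL_ref`) and store those references instead of raw pointers. The `int` results of `jmpt_push_args` and `new_jmpt_2` are ignored here, which is fine only once the former actually returns a value.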
@@ -21,6 +21,10 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.* /**********************************************************************************************************************/ #include "./bruisercapstone.h" #include "./devi_extra.h" +#include "./asmrewriter.h" +#include "./lua-5.3.4/src/lua.h" +#include "./lua-5.3.4/src/lauxlib.h" +#include "./lua-5.3.4/src/lualib.h" #include <capstone/capstone.h> #include <errno.h> #include <inttypes.h> @@ -213,7 +217,7 @@ int call_rewriter(int offset, size_t size, uint8_t* asm_code, const char* obj) { } /**********************************************************************************************************************/ /**********************************************************************************************************************/ -JMP_S_T* makejmptable(size_t size, uint8_t* obj, bool Verbose) { +JMP_S_T* makejmptable(size_t size, uint8_t* obj, bool Verbose, lua_State* __ls) { csh handle; cs_insn* insn; size_t count; @@ -221,8 +225,9 @@ JMP_S_T* makejmptable(size_t size, uint8_t* obj, bool Verbose) { uint8_t code[16]; size_t size_counter = 0; - JMP_S_T* head = malloc(sizeof(JMP_S_T)); - JMP_S_T* tail = malloc(sizeof(JMP_S_T)); + JMP_S_T* head = push_jmpt(__ls); + //JMP_S_T* head = malloc(sizeof(JMP_S_T)); + JMP_S_T* tail; head->type = NONE; head->next = NULL; tail = head; @@ -254,12 +259,12 @@ JMP_S_T* makejmptable(size_t size, uint8_t* obj, bool Verbose) { if (Verbose) printf(RED"%jx\n", address); if (Verbose) printf(RED"%d\n", insn[j].size); #endif - JMP_S_T* dummy = malloc(sizeof(JMP_S_T)); - dummy->location = insn[j].address; - dummy->type = JMP; - dummy->address = address; - dummy->size = insn[j].size; - dummy->next = NULL; + tail->location = insn[j].address; + tail->type = JMP; + tail->address = address; + tail->size = insn[j].size; + JMP_S_T* dummy = push_jmpt(__ls); + //JMP_S_T* dummy = malloc(sizeof(JMP_S_T)); tail->next = dummy; tail = dummy; } 
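Review bot: Including asmrewriter.h into this translation unit pulls in its `static` prototypes (`check_jmpt`, `convert_jmpt`, `jmpt_custom`, `next`, `inext` and the SET/GET-generated accessors), which are now declared but never defined in bruisercapstone.c; compilers warn about that today and it becomes a link error the moment any of them is referenced. Only `push_jmpt` is used here, so a one-line `JMP_S_T* push_jmpt(lua_State* __ls);` prototype, or moving the non-static declarations into a separate header, avoids dragging the static ones along. `lualib.h` is not needed by anything in this file's hunks and can be dropped. The new `makejmptable` parameter in hunk `@@ -213` is named `__ls`, a double-underscore identifier reserved for the implementation, as asmrewriter.c already does elsewhere.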
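Review bot: `push_jmpt` hands back memory from `lua_newuserdata`, which is not zeroed, and the removed per-node `dummy->next = NULL` is only replaced by the single `tail->next = NULL` in hunk `@@ -317`; `address_y`, `address_n`, `next_y`, `next_n`, `y`, `n` and `z` are never written for any node in hunks `@@ -221`, `@@ -254`, `@@ -274` and `@@ -294`, yet `jmpt_push_args` later copies all of them into Lua values, including `next_y`/`next_n` as light userdata pointers. Zero each node on creation, `JMP_S_T* dummy = push_jmpt(__ls); memset(dummy, 0, sizeof *dummy);` at every site (with `<string.h>`), or do the `memset` once inside `push_jmpt`, so the unset fields are defined. `head` likewise leaves `location`, `address` and `size` indeterminate until the first jump is found, which `dumpjmptable` then prints.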
@@ -274,12 +279,12 @@ JMP_S_T* makejmptable(size_t size, uint8_t* obj, bool Verbose) { if (Verbose) printf(RED"%jx\n", address); if (Verbose) printf(RED"%d\n", insn[j].size); #endif - JMP_S_T* dummy = malloc(sizeof(JMP_S_T)); - dummy->location = insn[j].address; - dummy->type = JE; - dummy->address_y = address; - dummy->size = insn[j].size; - dummy->next = NULL; + tail->location = insn[j].address; + tail->type = JE; + tail->address = address; + tail->size = insn[j].size; + JMP_S_T* dummy = push_jmpt(__ls); + //JMP_S_T* dummy = malloc(sizeof(JMP_S_T)); tail->next = dummy; tail = dummy; } @@ -294,12 +299,12 @@ JMP_S_T* makejmptable(size_t size, uint8_t* obj, bool Verbose) { if (Verbose) printf(RED"%lx\n", address); if (Verbose) printf(RED"%d\n", insn[j].size); #endif - JMP_S_T* dummy = malloc(sizeof(JMP_S_T)); - dummy->location = insn[j].address; - dummy->type = JNE; - dummy->address_y = address; - dummy->size = insn[j].size; - dummy->next = NULL; + tail->location = insn[j].address; + tail->type = JNE; + tail->address = address; + tail->size = insn[j].size; + JMP_S_T* dummy = push_jmpt(__ls); + //JMP_S_T* dummy = malloc(sizeof(JMP_S_T)); tail->next = dummy; tail = dummy; } @@ -317,6 +322,7 @@ JMP_S_T* makejmptable(size_t size, uint8_t* obj, bool Verbose) { printf("ERROR!!!\n"); } cs_close(&handle); + tail->next = NULL; return head; } /**********************************************************************************************************************/ @@ -333,7 +339,7 @@ int freejmptable(JMP_S_T* _head) { /**********************************************************************************************************************/ int dumpjmptable(JMP_S_T* current) { while (current != NULL) { - printf("jump location: %ld", current->location); + printf("jump location: %lx", current->location); printf("\tjump address: %lu", current->address); printf("\tjump type: %d", current->type); printf("\tjump next: %x", ¤t->next); 
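Review bot: The JE site here and the JNE site in hunk `@@ -294` now store the branch target in `address`, where the removed lines stored it in `address_y`; if that is deliberate, `address_y` and `address_n` no longer have any writer in `makejmptable`, and the rewriters that consume them (outside this diff) would need checking. If it is not, the two lines should read `tail->address_y = address;`. Either way a one-line comment on the struct saying which field holds the target for conditional jumps would prevent the next drift.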
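Review bot: `%lx` in the changed `printf` of hunk `@@ -333` does not match a `uint64_t` `location` on LLP64 targets (the unchanged `%lu` for `address` on the next line has the same mismatch), and the file already includes `<inttypes.h>`; `printf("jump location: %" PRIx64, current->location);` is the portable spelling. The `&current->next` argument printed with `%x` in the context lines is a pointer passed for an `unsigned int` conversion, which is undefined; `%p` with a `(void*)` cast is the correct form. `dumpjmptable` continues past the end of the hunk.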
@@ -393,27 +399,13 @@ int main(int argc, char** argv) { ks_write(KS_ARCH_X86, KS_MODE_64, "add rax, rcx", 0, encode); ks_free(encode); -#if 0 - head = malloc(sizeof(JMP_S_T)); - tail = malloc(sizeof(JMP_S_T)); - head->type = NONE; - head->next = NULL; - tail = head; -#endif uint8_t asm_code3[834]; - JMP_S_T* current = makejmptable(834, CODE_3, true); + lua_State* L = luaL_newstate(); + JMP_S_T* current = makejmptable(834, CODE_3, true, L); -#if 0 - while (current != NULL) { - printf("jump location: %lx", current->location); - printf("\tjump address: %lu", current->address); - printf("\tjump type: %d", current->type); - printf("\tinstruction size: %d\n", current->size); - current = current->next; - } -#endif dumpjmptable(current); - freejmptable(current); + lua_close(L); + //freejmptable(current); return 0; } diff --git a/bruiser/bruisercapstone.h b/bruiser/bruisercapstone.h index 1b4879f..8d97220 100644 --- a/bruiser/bruisercapstone.h +++ b/bruiser/bruisercapstone.h @@ -18,6 +18,9 @@ You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.*/ /**********************************************************************************************************************/ +#include "./lua-5.3.4/src/lua.h" +#include "./lua-5.3.4/src/lauxlib.h" +#include "./lua-5.3.4/src/lualib.h" #include <capstone/capstone.h> #include <keystone/keystone.h> #include <stdint.h> 
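Review bot: `luaL_newstate()` returns `NULL` when the allocator fails, and `makejmptable` then passes that state straight to `push_jmpt`/`lua_newuserdata`; add `if (L == NULL) return 1;` before the call. Nothing in this `main` registers a `"jmp_s_t"` metatable in the fresh state, so `luaL_getmetatable` inside `push_jmpt` pushes nil and the nodes get no metatable, which is harmless for `dumpjmptable` but differs from the Lua-facing path and deserves a comment saying the test path skips registration on purpose. Allocation failures inside `lua_newuserdata` are raised as Lua errors, and with no `lua_pcall` boundary around `makejmptable` they reach the default panic handler and abort the process.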
@@ -62,7 +65,7 @@ void leb128_decode_u(uint32_t value, uint8_t* ret_value, size_t size); int ks_write(ks_arch arch, int mode, const char* assembly, int syntax, unsigned char* encode); int global_rewriter(int offset, size_t size, uint8_t* asm_code, const char* obj); int call_rewriter(int offset, size_t size, uint8_t* asm_code, const char* obj); -JMP_S_T* makejmptable(size_t size, uint8_t* obj, bool Verbose); +JMP_S_T* makejmptable(size_t size, uint8_t* obj, bool Verbose, lua_State* __ls); int freejmptable(JMP_S_T* _head); int dumpjmptable(JMP_S_T* head); void jmprewriter_j(JMP_S_T* jmp, uint8_t* code, JMP_T type, uint8_t* rewritten); diff --git a/bruiser/lua-scripts/demo2.lua b/bruiser/lua-scripts/demo2.lua index fc50cc1..de13c58 100644 --- a/bruiser/lua-scripts/demo2.lua +++ b/bruiser/lua-scripts/demo2.lua @@ -61,6 +61,9 @@ setmetatable(jmp_s_t, {__call = function(self, arg1,arg2,arg3,arg4,arg5,arg6,arg return t end}) +setmetatable(jmp_s_t, {__index = function(self, arg1) +end}) + function jmp_s_t:show(msg) print(msg, self, self:custom()) return self @@ -84,14 +87,14 @@ end function integ_test() local text_section = xobj.getTextSection() - local head = jmp_s_t.new() - head = getjmptable(#text_section, text_section) + local head = getjmptable(#text_section, text_section) head:show("XXXXXhead is") - print(head:location()) - --while head:next() ~= nil do - for i=1,11,1 do - head = head:next() + print("head location is ", head:location()) + while head:inext() ~= nil do + --for i=1,11,1 do head:show("next is") + head = head:inext() + --if head:type() == 0 then break end end end diff --git a/bruiser/makefile b/bruiser/makefile index 5f16931..31a6892 100644 --- a/bruiser/makefile +++ b/bruiser/makefile 
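Review bot: The added `setmetatable(jmp_s_t, {__index = ...})` replaces the metatable installed just above it, which carried the `__call` constructor, so `jmp_s_t(...)` stops working from this line on; the new `__index` function also returns nothing, so every miss still yields nil. Add the key to the existing metatable instead, `getmetatable(jmp_s_t).__index = function(self, key) end`, or put both `__call` and `__index` into the one `setmetatable` call. If a lookup behaviour is intended, the `__index` function needs to return a value.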
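Review bot: The loop in `integ_test` calls `head:inext()` twice per iteration, once in the `while` test and once in the body, so each step builds two userdata copies of the next node and the node tested is not the node assigned. Fetch it once: `local nxt = head:inext()` before the loop, then `while nxt ~= nil do head:show("next is"); head = nxt; nxt = head:inext() end`, which keeps the same print order. The commented-out `for` and `break` lines are leftovers and should be removed rather than kept as comments.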
@@ -52,7 +52,7 @@ $(LIB_LUA_JIT): $(MAKE) -C LuaJIT @echo "building with jit" -$(BRUISER): $(BRUISER).o ../mutator_aux.o ../tinyxml2/tinyxml2.o linenoise.o CompletionHints.o mutagen.o ORCmutation.o bruiserffi.o bruisercapstone.o asmrewriter.o $(LIB_LUA) +$(BRUISER): $(BRUISER).o ../mutator_aux.o ../tinyxml2/tinyxml2.o linenoise.o CompletionHints.o mutagen.o ORCmutation.o bruiserffi.o asmrewriter.o bruisercapstone.o $(LIB_LUA) $(CXX) $^ $(LD_FLAGS) -o $@ clean: |