From 5de630461628e95a7460f16574242f897f874a94 Mon Sep 17 00:00:00 2001 From: bloodstalker Date: Sat, 19 May 2018 04:05:03 +0430 Subject: fixes #33. fixed #34. python interpreter should clean up after itself properly so maybe #32 is also sovled but i need more time to know. the stack usage for lua has been reduced so larger number of xobjs are fine now. general cleanup for executioner and bruiser. added a note regarding running obfuscators test. lua no longer needs libreadline to build. bfds test no longer needs libbfd to build. --- bruiser/CompletionHints.cpp | 3 +- bruiser/asmrewriter.c | 4 +- bruiser/asmrewriter.h | 4 +- bruiser/bruiser.cpp | 192 ++++++++++++--------------- bruiser/bruiser.h | 3 + bruiser/bruisercapstone.c | 8 +- bruiser/bruisercapstone.h | 2 +- bruiser/bruiserffi.c | 2 + bruiser/cap.sh | 6 + bruiser/dump.sh | 7 + bruiser/executioner.h | 284 +++++++--------------------------------- bruiser/ffi.sh | 5 + bruiser/ffs.c | 2 +- bruiser/lua-5.3.4/src/luaconf.h | 2 +- bruiser/lua-scripts/demo1.lua | 28 +++- bruiser/makefile | 5 +- bruiser/run.sh | 6 +- 17 files changed, 200 insertions(+), 363 deletions(-) create mode 100755 bruiser/cap.sh create mode 100755 bruiser/dump.sh create mode 100755 bruiser/ffi.sh (limited to 'bruiser') diff --git a/bruiser/CompletionHints.cpp b/bruiser/CompletionHints.cpp index d7a6dbb..7ff9b18 100644 --- a/bruiser/CompletionHints.cpp +++ b/bruiser/CompletionHints.cpp @@ -32,7 +32,8 @@ namespace bruiser { void ShellCompletion(const char* __buf, linenoiseCompletions* __lc) { if (__buf != NULL) { for(auto &iter : LUA_FUNCS) { - if (iter.find(__buf) != std::string::npos) { + //if (iter.find(__buf) != std::string::npos) { + if (iter.find(__buf) == 0U) { linenoiseAddCompletion(__lc, iter.c_str()); } } diff --git a/bruiser/asmrewriter.c b/bruiser/asmrewriter.c index 694a6fe..d8401c4 100644 --- a/bruiser/asmrewriter.c +++ b/bruiser/asmrewriter.c 
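Review bot: The superseded `find(__buf) != std::string::npos` test is kept as a commented-out line directly above its replacement in ShellCompletion; delete it instead of leaving dead code in the loop. The new `iter.find(__buf) == 0U` still scans the whole candidate when the prefix does not match, whereas `iter.compare(0, std::strlen(__buf), __buf) == 0` states the prefix test directly and stops at the first mismatch (needs `<cstring>` if it is not already included). ShellCompletion's body continues outside the hunk.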
@@ -62,6 +62,7 @@ int jmpt_push_args(lua_State* __ls, JMP_S_T* jmpt) { lua_pushinteger(__ls, jmpt->y); lua_pushinteger(__ls, jmpt->n); lua_pushinteger(__ls, jmpt->z); + return 0; } int new_jmpt_2(lua_State* __ls) { @@ -166,7 +167,7 @@ static int X(lua_State* __ls) { \ X_LIST_GEN #undef X #undef X_LIST_GEN -#undef SET_GENERATOR +#undef GET_GENERATOR static int next(lua_State* __ls) { JMP_S_T* dummy = check_jmpt(__ls, 1); @@ -249,6 +250,7 @@ int jmpt_set_next_n(lua_State* __ls) { static int jmpt_gc(lua_State* __ls) { JMP_S_T* dummy = check_jmpt(__ls,1); //freejmptable(dummy); + return 0; } static int jmpt_tostring(lua_State* __ls) { diff --git a/bruiser/asmrewriter.h b/bruiser/asmrewriter.h index ba08365..e4c5fa4 100644 --- a/bruiser/asmrewriter.h +++ b/bruiser/asmrewriter.h @@ -60,7 +60,7 @@ static int jmpt_custom(lua_State* __ls); X_LIST_GEN #undef X #undef X_LIST_GEN -#undef GET_GENERATOR +#undef SET_GENERATOR #define GET_GENERATOR(X) \ static int X(lua_State* __ls); @@ -80,7 +80,7 @@ static int X(lua_State* __ls); X_LIST_GEN #undef X #undef X_LIST_GEN -#undef SET_GENERATOR +#undef GET_GENERATOR static int next(lua_State* __ls); static int next_y(lua_State* __ls); diff --git a/bruiser/bruiser.cpp b/bruiser/bruiser.cpp index 529cb75..42dbac7 100644 --- a/bruiser/bruiser.cpp +++ b/bruiser/bruiser.cpp @@ -81,6 +81,7 @@ using namespace clang::tooling; /**********************************************************************************************************************/ /*global vars*/ namespace { // start of anonymous namespace + std::vector> vptrs; static llvm::cl::OptionCategory BruiserCategory("Empty"); std::vector PushToLua; @@ -122,7 +123,7 @@ template int pushLuaTableInt(lua_State* __ls, std::vector vec) { int tableindex = 1; lua_newtable(__ls); - if (!lua_checkstack(__ls, vec.size())) { + if (!lua_checkstack(__ls, 3)) { PRINT_WITH_COLOR_LB(RED, "cant grow lua stack. current size is too small."); return -1; } 
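Review bot: jmpt_gc now returns cleanly while the only line that released the table, `//freejmptable(dummy);`, stays commented out, so every collected jmpt userdata leaks its jump table and `dummy` is computed but unused. If the table is owned elsewhere, say so next to the disabled call, `/* jump table is owned by the makejmptable caller; nothing to free here */`; otherwise restore the free. The `return 0;` added to jmpt_push_args in the same file deserves a second look: the function has just pushed several integers, so if it is ever invoked as a Lua C function a return of 0 discards them, and returning the number of values pushed is the usual contract. Both function bodies start outside their hunks.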
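Review bot: `lua_checkstack(__ls, 3)` in pushLuaTableInt runs after `lua_newtable(__ls)` has already taken a slot, so the check no longer covers the push it is meant to protect; move the check above `lua_newtable`, as the rewritten BruiserLuaXObjGetList later in this commit does. The same ordering applies to pushLuaTableString and pushLuaTableNumber in the next two hunks. Each function's loop body is outside the hunk, so I am taking on trust that it pops key and value per iteration, which is what a fixed request of 3 slots requires.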
@@ -138,7 +139,7 @@ int pushLuaTableInt(lua_State* __ls, std::vector vec) { int pushLuaTableString(lua_State* __ls, std::vector vec) { int tableindex = 1; lua_newtable(__ls); - if (!lua_checkstack(__ls, vec.size())) { + if (!lua_checkstack(__ls, 3)) { PRINT_WITH_COLOR_LB(RED, "cant grow lua stack. current size is too small."); return -1; } @@ -155,7 +156,7 @@ template int pushLuaTableNumber(lua_State* __ls, std::vector vec) { int tableindex = 1; lua_newtable(__ls); - if (!lua_checkstack(__ls, vec.size())) { + if (!lua_checkstack(__ls, 3)) { PRINT_WITH_COLOR_LB(RED, "cant grow lua stack. current size is too small."); return -1; } @@ -172,7 +173,7 @@ template std::vector getLuaTableInt(lua_State* __ls, int numargs, int argnum) { std::vector ret; int table_length = lua_rawlen(__ls, argnum); - if (!lua_checkstack(__ls, table_length)) { + if (!lua_checkstack(__ls, 2)) { std::cout << RED << "need to grow lua stack by " << table_length << ":"; PRINT_WITH_COLOR_LB(RED, "cant grow lua stack by that much."); } @@ -187,7 +188,7 @@ std::vector getLuaTableInt(lua_State* __ls, int numargs, int argnum) { std::vector getLuaTableString(lua_State* __ls, int numargs, int argnum) { std::vector ret; int table_length = lua_rawlen(__ls, argnum); - if (!lua_checkstack(__ls, table_length)) { + if (!lua_checkstack(__ls, 2)) { std::cout << RED << "need to grow lua stack by " << table_length << ":"; PRINT_WITH_COLOR_LB(RED, "cant grow lua stack by that much."); } @@ -203,7 +204,7 @@ template std::vector getLuaTableNumber(lua_State* __ls, int numargs, int argnum) { std::vector ret; int table_length = lua_rawlen(__ls, argnum); - if (!lua_checkstack(__ls, table_length)) { + if (!lua_checkstack(__ls, 2)) { std::cout << RED << "need to grow lua stack by " << table_length << ":"; PRINT_WITH_COLOR_LB(RED, "cant grow lua stack by that much."); } 
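Review bot: In getLuaTableInt a failed `lua_checkstack(__ls, 2)` only prints and then falls through into the table walk, and the message still claims the stack must grow by `table_length` although only 2 slots are now requested. Return on failure, `return ret;`, and reword the message to the size actually requested; the same applies to getLuaTableString and getLuaTableNumber in the two following hunks. The rawgeti loop after the check is outside the hunk, so I cannot confirm that it pops each element — with a fixed request of 2 slots it must.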
@@ -256,7 +257,7 @@ class LuaEngine char buf[500]; std::string bruiser_path; // @DEVI-linux-only - size_t len = readlink("/proc/self/exe", buf, 499); + int len = readlink("/proc/self/exe", buf, 499); if (len != -1) { buf[len] = '\0'; bruiser_path = buf; @@ -340,19 +341,22 @@ class PyExec { public: PyExec(std::string __py_script_name, std::string __py_func_name, std::string __obj_path ) : py_script_name(__py_script_name), py_func_name(__py_func_name), obj_path(__obj_path) {} + ~PyExec() { + Py_Finalize(); + } int run(void) { Py_Initialize(); int argc = 2; wchar_t* argv[2]; - argv[0] = Py_DecodeLocale((char*)py_script_name.c_str(), 0); - argv[1] = Py_DecodeLocale((char*)obj_path.c_str(), 0); + argv[0] = Py_DecodeLocale(py_script_name.c_str(), 0); + argv[1] = Py_DecodeLocale(obj_path.c_str(), 0); char buf[500]; std::string bruiser_path; // @DEVI-linux-only - size_t len = readlink("/proc/self/exe", buf, 499); + int len = readlink("/proc/self/exe", buf, 499); if (len != -1) { buf[len] = '\0'; bruiser_path = buf; @@ -374,14 +378,13 @@ class PyExec { pArgs = PyTuple_New(1); pValue = PyUnicode_FromString(obj_path.c_str()); PyTuple_SetItem(pArgs, 0, pValue); - pArgs = nullptr; - if (Verbose) std::cout << BLUE << "calling python function..." << NORMAL << "\n"; - pValue = PyObject_CallObject(pFunc, pArgs); //Py_DECREF(pArgs); + //pArgs = nullptr; + if (Verbose) std::cout << BLUE << "calling python function..." << NORMAL << "\n"; + //pValue = PyObject_CallObject(pFunc, pArgs); + pValue = PyObject_CallObject(pFunc, nullptr); if (pValue != nullptr) { if (Verbose) std::cout << GREEN << "call finished successfully." << NORMAL << "\n"; - //printf("Result of call: %ld\n", PyLong_AsLong(pValue)); - //Py_DECREF(pValue); } else { Py_DECREF(pFunc); Py_DECREF(pModule); 
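Review bot: The two `wchar_t*` results of `Py_DecodeLocale` in PyExec::run are never released; CPython documents that the caller frees them with `PyMem_RawFree`, so each run() leaks both allocations, and neither result is checked for the NULL that Py_DecodeLocale returns on a decoding error. The readlink result is now stored in an `int`, which is fine for this 499-byte buffer, but `ssize_t len` is the exact type and applies equally to the LuaEngine hunk above. run() continues outside the hunk.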
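Review bot: `pArgs = PyTuple_New(1)` and the `PyUnicode_FromString` stored in it are still built, but the call is now `PyObject_CallObject(pFunc, nullptr)`, so the tuple is never passed and never `Py_DECREF`ed — one leaked tuple per call, and the Python function no longer receives `obj_path` as an argument. Either pass `pArgs` and decref it after the call, or remove the two lines that build it; if the script is expected to pick the path up from `sys.argv` instead, a comment saying so would stop the next reader from re-adding the argument.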
@@ -394,19 +397,18 @@ class PyExec { if (PyErr_Occurred()) PyErr_Print(); fprintf(stderr, "Cannot find function\"%s\"\n", py_func_name.c_str()); } - Py_XDECREF(pFunc); - Py_DECREF(pModule); + //Py_XDECREF(pFunc); + //Py_DECREF(pModule); } else { PyErr_Print(); fprintf(stderr, "Failed to load \"%ls\"\n", argv[0]); return 1; } - Py_Finalize(); + //Py_Finalize(); return 0; } - std::vector actionParser(std::string action) {} void convertNPush(PyObject* pyobject) {} int64_t pyInt(PyObject* po) {return PyLong_AsLong(po);} @@ -445,19 +447,22 @@ class PyExec { char* dummy; if (PyBytes_Check(po)) { dummy = PyBytes_AsString(po); + return dummy; } else { PRINT_WITH_COLOR_LB(RED, "Not a PyBytes object."); } - return dummy; + return nullptr; } char* pyByteArray(PyObject* po) { char* dummy; if (PyByteArray_Check(po)) { dummy = PyByteArray_AsString(po); + return dummy; } else { PRINT_WITH_COLOR_LB(RED, "Not a PyByteArray object."); } + return nullptr; } int getAsCppStringVec(void) { @@ -468,7 +473,7 @@ class PyExec { if (Verbose) std::cout << BLUE << "length of list: " << list_length << NORMAL <<"\n"; for (int i = 0; i < list_length; ++i) { PyObject* pybytes = PyList_GetItem(pValue, i); - //@DEVI-FIXIT-the weird '' we get for strings is because of repr(). + if (pybytes == nullptr) PRINT_WITH_COLOR_LB(RED, "getascppstringvec:failed to get py list item."); PyObject* pyrepr = PyObject_Repr(pybytes); PyObject* pyunicode = PyUnicode_AsEncodedString(pyrepr, "utf-8", "surrogateescape"); const char* dummy = PyBytes_AsString(pyunicode); 
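Review bot: Commenting out `Py_XDECREF(pFunc)` and `Py_DECREF(pModule)` leaks both references on every run(), and moving `Py_Finalize` into the destructor does not change that. If the references must outlive run() because `pValue` is consumed later by the export helpers, hold pModule/pFunc as members and release them in the destructor before `Py_Finalize()`; a comment on the disabled lines stating why they are off would help either way.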
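Review bot: The new null check in getAsCppStringVec only logs: when `PyList_GetItem` returns NULL the loop still calls `PyObject_Repr(pybytes)` on that null pointer on the very next line. Make it `if (pybytes == nullptr) { PRINT_WITH_COLOR_LB(RED, "getascppstringvec:failed to get py list item."); continue; }` (or return an error if a partial result is unacceptable). The rest of the loop body is outside the hunk, so I cannot tell whether `pyrepr` and `pyunicode` — both new references — are decref'd; if not, that is a leak per element.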
@@ -636,29 +641,6 @@ const clang::Type* bruiser::TypeInfo::getTypeInfo(clang::ASTContext* __astc) return __astc->getCanonicalType(TP); } /**********************************************************************************************************************/ -namespace bruiser -{ - void BruiserLinenoiseCompletionCallback(const char* __buf, linenoiseCompletions* __lc) - { - if (__buf[0] == 'h') - { - linenoiseAddCompletion(__lc, "help"); - } - } - - char* BruiserLinenoiseHintsCallback(const char* __buf, int* __color, int* __bold) - { - if (!strcasecmp(__buf, "h")) - { - *__color = LN_MAGENTA; - *__bold = NO_BOLD; - return (char *)"elp"; - } - - return NULL; - } -} -/**********************************************************************************************************************/ class AbstractMatcherHandler : public virtual MatchFinder::MatchCallback { public: @@ -1296,7 +1278,8 @@ class LiveActionListArrays : public ASTFrontendAction class LuaWrapper { public: - LuaWrapper(Executioner& __EX, XGlobals __XG) : executioner(__EX), xglobals(__XG) {} + //LuaWrapper(std::unique_ptr _e, std::unique_ptr _x) : executioner(std::move(_e)), xglobals(std::move(_x)) {} + LuaWrapper() {} /*print out the history*/ int BruiserLuaHistory(lua_State* __ls) @@ -1378,11 +1361,10 @@ class LuaWrapper if (objjpath == "") PRINT_WITH_COLOR_LB(RED, "second argument is nil"); action = lua_tostring(__ls, 3); if (action == "") PRINT_WITH_COLOR_LB(RED, "third argument is nil"); - lua_pop(__ls, 3); std::cout << NORMAL; } else { - std::cout << RED << "wrong number of arguments provided. should give the python script name, python func name and its args.\n" << NORMAL; + std::cout << RED << "wrong number of arguments provided. should give the python script name, python func name and the return type.\n" << NORMAL; return EXIT_FAILURE; } 
@@ -1398,10 +1380,10 @@ class LuaWrapper int tableindex1 = 1; int tableindex2 = 1; // the return type to lua is a table of tables - lua_newtable(__ls); - if (!lua_checkstack(__ls, py.exportObjs().size())) { + if (!lua_checkstack(__ls, 5)) { PRINT_WITH_COLOR_LB(RED, "cant grow lua stack. current size is too small."); } + lua_newtable(__ls); for (auto& iter : py.exportObjs()) { lua_pushnumber(__ls, tableindex1); lua_newtable(__ls); @@ -1419,10 +1401,10 @@ class LuaWrapper py.getAsCppStringVec(); int tableindex = 1 ; // the return type to lua is a table - lua_newtable(__ls); - if (!lua_checkstack(__ls, py.exportStrings().size())) { + if (!lua_checkstack(__ls, 5)) { PRINT_WITH_COLOR_LB(RED, "cant grow lua stack. current size is too small."); } + lua_newtable(__ls); for (auto& iter : py.exportStrings()) { lua_pushnumber(__ls, tableindex); tableindex++; @@ -1433,10 +1415,10 @@ class LuaWrapper py.getAsCppByte_PyIntList(); int tableindex = 1 ; // the return type to lua is a table - lua_newtable(__ls); - if (!lua_checkstack(__ls, py.exportStrings().size())) { + if (!lua_checkstack(__ls, 5)) { PRINT_WITH_COLOR_LB(RED, "cant grow lua stack. current size is too small."); } + lua_newtable(__ls); for (auto& iter : py.exportTextSection()) { lua_pushnumber(__ls, tableindex); tableindex++; 
@@ -1463,28 +1445,36 @@ class LuaWrapper if (Verbose) PRINT_WITH_COLOR_LB(GREEN, "stack index 1 is a table."); } if (Verbose) std::cout << CYAN << "table_length: " << table_length << NORMAL << "\n"; - if (!lua_checkstack(__ls, table_length)) { + if (!lua_checkstack(__ls, 2)) { PRINT_WITH_COLOR_LB(RED, "cant grow lua stack. current size is too small."); } for (int i = 1; i <= table_length; ++i) { lua_rawgeti(__ls, 1, i); - xobj_code_.push_back(int(lua_tonumber(__ls, i + 2))); + xobj_code_.push_back(int(lua_tonumber(__ls, 3))); + lua_pop(__ls, 1); } if (Verbose) { std::cout << BLUE << "function code: "; for (auto& iter : xobj_code_) {std::cout << NORMAL << int(iter) << " ";} std::cout << NORMAL <<"\n"; } + xobj_name = lua_tostring(__ls, 2); - std::pair xobj = executioner.loadObjsInXMem(xobj_code_); + std::pair xobj = loadObjsInXMem(xobj_code_); if (Verbose) { std::cout << "xobj will be registered as " << YELLOW << xobj_name << NORMAL << ". " << "it is recommended to use a post- or pre-fix for the xobj names to avoid namespace pollution." "\n"; std::cout << GREEN << "pointer: " << BLUE << xobj.first << " " << GREEN << "size: " << BLUE << xobj.second << NORMAL << "\n"; } - executioner.pushvptr(xobj.first, xobj_name); + vptrs.push_back(std::make_pair(xobj.first, xobj_name)); return 0; } + int BruiserLuaGetXSize(lua_State* __ls) { + int ret = vptrs.size(); + lua_pushinteger(__ls, ret); + return 1; + } + int BruiserLuaCallX(lua_State* __ls) { int numargs = lua_gettop(__ls); if (numargs != 5) {PRINT_WITH_COLOR_LB(RED, "xcall: bad number of args. expected exactly five.");} 
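Review bot: `xobj` is pushed into `vptrs` unconditionally, but loadObjsInXMem returns `(nullptr, 0)` when it cannot allocate memory (visible in the executioner.h hunk of this commit), so a failed load registers a null code pointer under `xobj_name` that xcall later uses as its call target. Guard it before the push, `if (xobj.first == nullptr) { lua_pushnil(__ls); return 1; }`. Reading the rawgeti result with `lua_tonumber(__ls, 3)` assumes exactly two arguments sit below it; `lua_tonumber(__ls, -1)` names the top of the stack regardless of argument count. In BruiserLuaGetXSize `int ret = vptrs.size()` narrows; `lua_pushinteger(__ls, static_cast<lua_Integer>(vptrs.size()))` avoids the intermediate.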
@@ -1494,11 +1484,13 @@ class LuaWrapper void* x_ptr; if (lua_type(__ls, 4) == LUA_TNUMBER) { - x_ptr = executioner.getvptrbyindex(lua_tointeger(__ls, 4)).first; + if (vptrs.size() - 1 > lua_tointeger(__ls, 4)) x_ptr = vptrs[lua_tointeger(__ls, 4)].first; } else if (lua_type(__ls, 4) == LUA_TSTRING) { - x_ptr = executioner.getvptrbyname(lua_tostring(__ls, 4)).first; + for (auto& iter : vptrs) { + if (iter.second == lua_tostring(__ls ,4)) x_ptr = iter.first; + } } else { - PRINT_WITH_COLOR_LB(RED, "argument 4 is neihter an index nor a string."); + PRINT_WITH_COLOR_LB(RED, "argument 4 is neihter a number nor a string."); lua_pushnil(__ls); return 1; } 
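Review bot: `x_ptr` is left uninitialized when the index lookup or the name loop in BruiserLuaCallX finds nothing, and the function goes on with an indeterminate pointer as the call target. The index check is also wrong in two ways: `vptrs.size() - 1` wraps to SIZE_MAX when `vptrs` is empty, so any index passes and `vptrs[idx]` reads out of bounds, and `size - 1 > idx` rejects the last valid index. The rewrite below initializes `x_ptr`, bounds-checks the signed `lua_Integer`, reads the name once, and treats "not found" the same way as the existing bad-type branch (also fixing the `neihter` typo). The function continues outside the hunk.
```cpp
void* x_ptr = nullptr;
if (lua_type(__ls, 4) == LUA_TNUMBER) {
  lua_Integer idx = lua_tointeger(__ls, 4);
  if (idx >= 0 && static_cast<size_t>(idx) < vptrs.size()) x_ptr = vptrs[idx].first;
} else if (lua_type(__ls, 4) == LUA_TSTRING) {
  std::string wanted = lua_tostring(__ls, 4);
  for (auto& iter : vptrs) {
    if (iter.second == wanted) x_ptr = iter.first;
  }
} else {
  PRINT_WITH_COLOR_LB(RED, "argument 4 is neither a number nor a string.");
  lua_pushnil(__ls);
  return 1;
}
if (x_ptr == nullptr) {
  PRINT_WITH_COLOR_LB(RED, "xcall: no xobj matches argument 4.");
  lua_pushnil(__ls);
  return 1;
}
// … unchanged: argument marshalling and the ffi call …
```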
@@ -1611,40 +1603,47 @@ class LuaWrapper } } +#if 1 int BruiserLuaXObjGetList(lua_State* __ls) { - auto xlist = executioner.getvptrs(); - lua_newtable(__ls); - if (!lua_checkstack(__ls, xlist.size())) { - PRINT_WITH_COLOR_LB(RED, "cant grow lua stack. current size is too small."); - } - for (auto& iter : xlist) { - if (Verbose) std::cout << CYAN << iter.second << NORMAL; - lua_pushstring(__ls, iter.second.c_str()); - if (Verbose) std::cout << " " << MAGENTA << (long int)iter.first << NORMAL <<"\n"; - lua_pushinteger(__ls, (long int)iter.first); - lua_settable(__ls, -3); - } + if (lua_gettop(__ls) != 0) { + PRINT_WITH_COLOR_LB(RED, "no arguments required..."); + return 0; + } + if (!lua_checkstack(__ls, 3)) { + PRINT_WITH_COLOR_LB(RED, "cant grow lua stack. current size is too small."); + } + lua_newtable(__ls); + for (auto& iter : vptrs) { + if (Verbose) std::cout << CYAN << iter.second << NORMAL; + lua_pushstring(__ls, iter.second.c_str()); + if (Verbose) std::cout << " " << MAGENTA << (long int)iter.first << NORMAL <<"\n"; + lua_pushinteger(__ls, (long int)iter.first); + lua_settable(__ls, -3); + } return 1; } +#endif int BruiserLuaXObjAllocGlobal(lua_State* __ls) { int numargs = lua_gettop(__ls); if (numargs != 2) {PRINT_WITH_COLOR_LB(RED, "expected exactly two args. did not get that.");return 0;} std::string glob_name = lua_tostring(__ls , 1); size_t size = lua_tointeger(__ls, 2); - xglobals.reserve(size); + //xglobals->reserve(size); return 0; } - int BruiserLuaXObjAllocAllGlobals(lua_State* __ls) {} + int BruiserLuaXObjAllocAllGlobals(lua_State* __ls) { + return 0; + } int BruiserGetJumpTable(lua_State* __ls) { int numargs = lua_gettop(__ls); if (numargs != 2) {PRINT_WITH_COLOR_LB(RED, "expected exactly two args. 
did not get that.");return 0;} uint64_t size = lua_tointeger(__ls, 1); - PRINT_WITH_COLOR_LB(CYAN, "cpp:calling getluatableint..."); + if (Verbose) PRINT_WITH_COLOR_LB(CYAN, "cpp:calling getluatableint..."); std::vector code_v = getLuaTableInt(__ls, 2, 2); - PRINT_WITH_COLOR_LB(GREEN, "cpp:called getluatableint..."); + if (Verbose) PRINT_WITH_COLOR_LB(GREEN, "cpp:called getluatableint..."); if (Verbose) PRINT_WITH_COLOR_LB(BLUE, "making jump table..."); auto head = makejmptable(size, code_v.data(), Verbose, __ls); if (Verbose) PRINT_WITH_COLOR_LB(GREEN, "finished makejmptable call."); @@ -1850,8 +1849,10 @@ class LuaWrapper std::string line; std::string dummy; + unsigned int line_number = 0; while(getline(targetfile, line)) { - dummy += line; + line_number++; + if (line_number >= linebegin && line_number < lineend) dummy += line; //lua_pushstring(__ls, line.c_str()); } @@ -1904,15 +1905,6 @@ class LuaWrapper return 1; } - int BruiserLuaDropToCLI(lua_State* __ls) { - int numargs = lua_gettop(__ls); - if (numargs != 0) { - PRINT_WITH_COLOR_LB(RED, "wrong number of args. should be called with no arguments."); - return 0; - } - ShellGlobalInstance.droptocli = true; - } - int BruiserLuaStrainRecognition(lua_State* __ls) { unsigned int numthreads = std::thread::hardware_concurrency(); lua_pushnumber(__ls, numthreads); @@ -2114,18 +2106,12 @@ class LuaWrapper } return 1; } - - private: - Executioner executioner; - XGlobals xglobals; }; /**********************************************************************************************************************/ class BruiserCFE { public: BruiserCFE(std::unique_ptr _CT) : CT(std::move(_CT)) {} - //~BruiserCFE() {} - /*hijakcs the main main*/ int BruiserLuaHijackMain(lua_State* __ls) { int RunResult = this->GetClangTool()->run(newFrontendActionFactory().get()); 
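Review bot: In BruiserGetJumpTable the element count `size` comes from argument 1 while the bytes come from the table in argument 2, and nothing guarantees `size <= code_v.size()` before `makejmptable(size, code_v.data(), ...)`, so an oversized count lets makejmptable (not in this view) walk past the vector. Check it first, `if (size > code_v.size()) { PRINT_WITH_COLOR_LB(RED, "size exceeds the code table length."); return 0; }`, or derive the count from `code_v.size()` and drop the separate argument. In the same hunk BruiserLuaXObjAllocGlobal now reads `glob_name` and `size` and does nothing with them because `//xglobals->reserve(size);` is commented out — a silent no-op that reports success; print a not-implemented message or return an error until the allocator is back. The `#if 1`/`#endif` around BruiserLuaXObjGetList is noise if the function is meant to stay.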
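Review bot: The new line filter keeps lines in `[linebegin, lineend)`, so the line numbered `lineend` is excluded; if the Lua caller passes an inclusive range, which is the usual reading of begin/end line arguments, this should be `line_number <= lineend`. The selected lines are also concatenated with no separator (`dummy += line` drops the newline that getline strips), so the returned string runs them together; `dummy += line; dummy += '\n';` keeps the structure. Where `linebegin` and `lineend` come from is outside the hunk, so whichever convention is intended should be documented next to them.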
@@ -2152,7 +2138,6 @@ class BruiserCFE { unsigned int InArgCnt = 0U;\ InArgCnt = lua_gettop(__ls);\ unsigned int returncount=0U;\ - std::cout << "i was called\n";\ this->GetClangTool()->run(newFrontendActionFactory().get());\ for(auto &iter : PushToLua)\ {lua_pushstring(__ls, iter.c_str());returncount++;}\ @@ -2200,7 +2185,8 @@ class RunLoop cop = std::move(_cop); } - int run(char* command) { + int run(void) { + char* command; if (NonCLILuaScript != "") { luaL_dofile(ls, NonCLILuaScript.c_str()); if (KEEPALIVE) {} @@ -2217,6 +2203,7 @@ class RunLoop le.RunChunk(command); linenoiseFree(command); } + return 0; } private: @@ -2285,13 +2272,6 @@ int main(int argc, const char **argv) { /*initializing the log*/ bruiser::BruiserReport BruiserLog; - /*initing xobj stuff*/ - Executioner executioner; - Arguary arguary; - XGlobals xglobals; - - /*initialize the LuaWrapper class so we can register and run them from lua.*/ - /*linenoise init*/ linenoiseSetCompletionCallback(bruiser::ShellCompletion); linenoiseSetHintsCallback(bruiser::ShellHints); @@ -2302,8 +2282,6 @@ int main(int argc, const char **argv) { /*start running bruiser*/ { - char* command; - LuaEngine LE; LE.LoadEverylib(); LE.RunLuaDefaults(); @@ -2338,7 +2316,10 @@ int main(int argc, const char **argv) { runloop.setCOP(std::move(op)); } - std::unique_ptr LW(new LuaWrapper(executioner, xglobals)); + //std::unique_ptr ex; + //std::unique_ptr xg; + //std::unique_ptr LW(new LuaWrapper(std::move(ex), std::move(xg))); + std::unique_ptr LW(new LuaWrapper()); *static_cast(lua_e_p2) = LW.get(); /*@DEVI-this part is just registering our LuaWrapper member functions with lua so we can call them from lua.*/ 
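Review bot: `char* command;` in RunLoop::run is declared without an initializer and the hunk shows no assignment before `le.RunChunk(command)` and `linenoiseFree(command)`; if the loop body outside this view does not assign it on every path, both calls use an indeterminate pointer. Initialize it, `char* command = nullptr;`, and skip the chunk when linenoise returns NULL. While here, the `luaL_dofile` result on the NonCLILuaScript path is discarded, so a script error is silent and its message stays on the Lua stack; `if (luaL_dofile(ls, NonCLILuaScript.c_str()) != LUA_OK) std::cerr << lua_tostring(ls, -1) << "\n";` would surface it.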
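Review bot: `std::unique_ptr LW(new LuaWrapper())` in main should be `auto LW = std::make_unique<LuaWrapper>();` if the build is C++14 or later — the file already uses `std::unique_ptr` and `std::move` for the clang tool, so `<memory>` is in scope. The three commented-out constructor lines above it are dead history and should be removed rather than kept as comments.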
@@ -2376,9 +2357,10 @@ int main(int argc, const char **argv) { lua_register(LE.GetLuaState(), "freejmptable", &LuaDispatch<&LuaWrapper::BruiserFreeJumpTable>); lua_register(LE.GetLuaState(), "dumpjmptable", &LuaDispatch<&LuaWrapper::BruiserDumpJumpTable>); lua_register(LE.GetLuaState(), "ramdump", &LuaDispatch<&LuaWrapper::BruiserRamDump>); + lua_register(LE.GetLuaState(), "xsize", &LuaDispatch<&LuaWrapper::BruiserLuaGetXSize>); runloop.setLW(std::move(LW)); - runloop.run(command); + runloop.run(); LE.Cleanup(); diff --git a/bruiser/bruiser.h b/bruiser/bruiser.h index 943bfba..cda065b 100644 --- a/bruiser/bruiser.h +++ b/bruiser/bruiser.h @@ -310,6 +310,8 @@ class Daemonize #define ELF_EI_PAD = 0xfffffff000000000; // @DEVI-FIXME-using uint128 here +// fails to build on stock ubuntu 16.04 +# if 0 struct ELFHDR_64 { public: ELFHDR_64() = default; @@ -347,6 +349,7 @@ struct ELFHDR_32 { uint16_t e_ehsize; uint16_t e_phentsize; uint16_t e_phnum; uint16_t e_shentsize; uint16_t e_shnum; uint16_t e_shstrndx; }; +#endif /*program header*/ struct PHDR_64 { public: diff --git a/bruiser/bruisercapstone.c b/bruiser/bruisercapstone.c index 9db031f..d0f4217 100644 --- a/bruiser/bruisercapstone.c +++ b/bruiser/bruisercapstone.c 
@@ -41,7 +41,7 @@ extern char etext, edata, end; // glob #define CODE_2 "\x55\x48\x89\xe5\x48\x8b\x05\x0d\x15\x20\x00\x48\x8b\x0d\xee\x14\x20\x00\x48\x8b\x15\xf7\x14\x20\x00\x48\x8b\x35\xd8\x14\x20\x00\x8b\x3e\x03\x3a\x03\x39\x03\x38\x89\xf8\x5d\xc3" // main -# define CODE_3 "\x31\xed\x49\x89\xd1\x5e\x48\x89\xe2\x48\x83\xe4\xf0\x50\x54\x49\xc7\xc0\x60\x07\x40\x00\x48\xc7\xc1\xf0\x06\x40\x00\x48\xc7\xc7\x90\x06\x40\x00\xff\x15\xa6\x0b\x20\x00\xf4\x0f\x1f\x44\x00\x00\x55\xb8\x38\x10\x60\x00\x48\x3d\x38\x10\x60\x00\x48\x89\xe5\x74\x17\xb8\x00\x00\x00\x00\x48\x85\xc0\x74\x0d\x5d\xbf\x38\x10\x60\x00\xff\xe0\x0f\x1f\x44\x00\x00\x5d\xc3\x66\x0f\x1f\x44\x00\x00\xbe\x38\x10\x60\x00\x55\x48\x81\xee\x38\x10\x60\x00\x48\x89\xe5\x48\xc1\xfe\x03\x48\x89\xf0\x48\xc1\xe8\x3f\x48\x01\xc6\x48\xd1\xfe\x74\x15\xb8\x00\x00\x00\x00\x48\x85\xc0\x74\x0b\x5d\xbf\x38\x10\x60\x00\xff\xe0\x0f\x1f\x00\x5d\xc3\x66\x0f\x1f\x44\x00\x00\x80\x3d\x6d\x0b\x20\x00\x00\x75\x17\x55\x48\x89\xe5\xe8\x7e\xff\xff\xff\xc6\x05\x5b\x0b\x20\x00\x01\x5d\xc3\x0f\x1f\x44\x00\x00\xf3\xc3\x0f\x1f\x40\x00\x66\x2e\x0f\x1f\x84\x00\x00\x00\x00\x00\x55\x48\x89\xe5\x5d\xeb\x89\x66\x0f\x1f\x84\x00\x00\x00\x00\x00\x55\x48\x89\xe5\xb8\x01\x00\x00\x00\x5d\xc3\x0f\x1f\x44\x00\x00\x55\x48\x89\xe5\xb8\x02\x00\x00\x00\x5d\xc3\x0f\x1f\x44\x00\x00\x55\x48\x89\xe5\xb8\x03\x00\x00\x00\x5d\xc3\x0f\x1f\x44\x00\x00\x55\x48\x89\xe5\xb8\x04\x00\x00\x00\x5d\xc3\x0f\x1f\x44\x00\x00\x55\x48\x89\xe5\xb8\x05\x00\x00\x00\x5d\xc3\x0f\x1f\x44\x00\x00\x55\x48\x89\xe5\xb8\x06\x00\x00\x00\x5d\xc3\x0f\x1f\x44\x00\x00\x55\x48\x89\xe5\x89\x7d\xfc\x89\x75\xf8\x8b\x75\xfc\x03\x75\xf8\x89\xf0\x5d\xc3\x66\x66\x66\x2e\x0f\x1f\x84\x00\x00\x00\x00\x00\x55\x48\x89\xe5\x89\x7d\xfc\x89\x75\xf8\x8b\x75\xfc\x2b\x75\xf8\x89\xf0\x5d\xc3\x66\x66\x66\x2e\x0f\x1f\x84\x00\x00\x00\x00\x00\x55\x48\x89\xe5\xf2\x0f\x11\x45\xf8\xf2\x0f\x11\x4d\xf0\xf2\x0f\x10\x45\xf8\xf2\x0f\x58\x45\xf0\x5d\xc3\x66\x0f\x1f\x44\x00\x00\x55\x48\x89\xe5\xf2\x0f\x11\x45\xf8\xf2\x0f\x11\x4d\xf0\xf
2\x0f\x10\x45\xf8\xf2\x0f\x5c\x45\xf0\x5d\xc3\x66\x0f\x1f\x44\x00\x00\x55\x48\x89\xe5\xf2\x0f\x11\x45\xf8\xf2\x0f\x11\x4d\xf0\xf2\x0f\x11\x55\xe8\xf2\x0f\x10\x45\xf8\xf2\x0f\x58\x45\xf0\xf2\x0f\x58\x45\xe8\x5d\xc3\x66\x66\x66\x2e\x0f\x1f\x84\x00\x00\x00\x00\x00\x55\x48\x89\xe5\x48\x83\xec\x20\x89\x7d\xfc\x89\x75\xf8\x89\x55\xf4\x89\x4d\xf0\x8b\x7d\xfc\x8b\x75\xf8\xe8\x31\xff\xff\xff\x8b\x7d\xf4\x8b\x75\xf0\x89\x45\xec\xe8\x23\xff\xff\xff\x8b\x4d\xec\x01\xc1\x89\xc8\x48\x83\xc4\x20\x5d\xc3\x66\x0f\x1f\x44\x00\x00\x55\x48\x89\xe5\x48\x89\x7d\xf8\x48\x8b\x45\xf8\x5d\xc3\x66\x90\x55\x48\x89\xe5\x48\x8d\x05\xc5\x09\x20\x00\x48\x8d\x0d\xba\x09\x20\x00\x48\x8d\x15\xaf\x09\x20\x00\x48\x8d\x35\xa4\x09\x20\x00\x8b\x3e\x03\x3a\x03\x39\x03\x38\x89\xf8\x5d\xc3\x0f\x1f\x40\x00\x55\x48\x89\xe5\x48\x83\xec\x20\xb8\x0a\x00\x00\x00\xb9\x14\x00\x00\x00\xc7\x45\xfc\x00\x00\x00\x00\x89\x7d\xf8\x48\x89\x75\xf0\x89\xc7\x89\xce\xe8\xa7\xfe\xff\xff\x48\x8d\x3d\xc0\x00\x00\x00\x89\x45\xec\xb0\x00\xe8\x46\xfd\xff\xff\xbf\x14\x00\x00\x00\xbe\x0a\x00\x00\x00\x89\x45\xe8\xe8\xa4\xfe\xff\xff\x48\x83\xc4\x20\x5d\xc3\x66\x2e\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1f\x40\x00\x41\x57\x41\x56\x49\x89\xd7\x41\x55\x41\x54\x4c\x8d\x25\xee\x06\x20\x00\x55\x48\x8d\x2d\xee\x06\x20\x00\x53\x41\x89\xfd\x49\x89\xf6\x4c\x29\xe5\x48\x83\xec\x08\x48\xc1\xfd\x03\xe8\xc7\xfc\xff\xff\x48\x85\xed\x74\x20\x31\xdb\x0f\x1f\x84\x00\x00\x00\x00\x00\x4c\x89\xfa\x4c\x89\xf6\x44\x89\xef\x41\xff\x14\xdc\x48\x83\xc3\x01\x48\x39\xdd\x75\xea\x48\x83\xc4\x08\x5b\x5d\x41\x5c\x41\x5d\x41\x5e\x41\x5f\xc3\x90\x66\x2e\x0f\x1f\x84\x00\x00\x00\x00\x00\xf3\xc3" +#define CODE_3 
"\x31\xed\x49\x89\xd1\x5e\x48\x89\xe2\x48\x83\xe4\xf0\x50\x54\x49\xc7\xc0\x60\x07\x40\x00\x48\xc7\xc1\xf0\x06\x40\x00\x48\xc7\xc7\x90\x06\x40\x00\xff\x15\xa6\x0b\x20\x00\xf4\x0f\x1f\x44\x00\x00\x55\xb8\x38\x10\x60\x00\x48\x3d\x38\x10\x60\x00\x48\x89\xe5\x74\x17\xb8\x00\x00\x00\x00\x48\x85\xc0\x74\x0d\x5d\xbf\x38\x10\x60\x00\xff\xe0\x0f\x1f\x44\x00\x00\x5d\xc3\x66\x0f\x1f\x44\x00\x00\xbe\x38\x10\x60\x00\x55\x48\x81\xee\x38\x10\x60\x00\x48\x89\xe5\x48\xc1\xfe\x03\x48\x89\xf0\x48\xc1\xe8\x3f\x48\x01\xc6\x48\xd1\xfe\x74\x15\xb8\x00\x00\x00\x00\x48\x85\xc0\x74\x0b\x5d\xbf\x38\x10\x60\x00\xff\xe0\x0f\x1f\x00\x5d\xc3\x66\x0f\x1f\x44\x00\x00\x80\x3d\x6d\x0b\x20\x00\x00\x75\x17\x55\x48\x89\xe5\xe8\x7e\xff\xff\xff\xc6\x05\x5b\x0b\x20\x00\x01\x5d\xc3\x0f\x1f\x44\x00\x00\xf3\xc3\x0f\x1f\x40\x00\x66\x2e\x0f\x1f\x84\x00\x00\x00\x00\x00\x55\x48\x89\xe5\x5d\xeb\x89\x66\x0f\x1f\x84\x00\x00\x00\x00\x00\x55\x48\x89\xe5\xb8\x01\x00\x00\x00\x5d\xc3\x0f\x1f\x44\x00\x00\x55\x48\x89\xe5\xb8\x02\x00\x00\x00\x5d\xc3\x0f\x1f\x44\x00\x00\x55\x48\x89\xe5\xb8\x03\x00\x00\x00\x5d\xc3\x0f\x1f\x44\x00\x00\x55\x48\x89\xe5\xb8\x04\x00\x00\x00\x5d\xc3\x0f\x1f\x44\x00\x00\x55\x48\x89\xe5\xb8\x05\x00\x00\x00\x5d\xc3\x0f\x1f\x44\x00\x00\x55\x48\x89\xe5\xb8\x06\x00\x00\x00\x5d\xc3\x0f\x1f\x44\x00\x00\x55\x48\x89\xe5\x89\x7d\xfc\x89\x75\xf8\x8b\x75\xfc\x03\x75\xf8\x89\xf0\x5d\xc3\x66\x66\x66\x2e\x0f\x1f\x84\x00\x00\x00\x00\x00\x55\x48\x89\xe5\x89\x7d\xfc\x89\x75\xf8\x8b\x75\xfc\x2b\x75\xf8\x89\xf0\x5d\xc3\x66\x66\x66\x2e\x0f\x1f\x84\x00\x00\x00\x00\x00\x55\x48\x89\xe5\xf2\x0f\x11\x45\xf8\xf2\x0f\x11\x4d\xf0\xf2\x0f\x10\x45\xf8\xf2\x0f\x58\x45\xf0\x5d\xc3\x66\x0f\x1f\x44\x00\x00\x55\x48\x89\xe5\xf2\x0f\x11\x45\xf8\xf2\x0f\x11\x4d\xf0\xf2\x0f\x10\x45\xf8\xf2\x0f\x5c\x45\xf0\x5d\xc3\x66\x0f\x1f\x44\x00\x00\x55\x48\x89\xe5\xf2\x0f\x11\x45\xf8\xf2\x0f\x11\x4d\xf0\xf2\x0f\x11\x55\xe8\xf2\x0f\x10\x45\xf8\xf2\x0f\x58\x45\xf0\xf2\x0f\x58\x45\xe8\x5d\xc3\x66\x66\x66\x2e\x0f\x1f\x84\x00\x00\x00\x00\x00\x55\x48\x89\xe
5\x48\x83\xec\x20\x89\x7d\xfc\x89\x75\xf8\x89\x55\xf4\x89\x4d\xf0\x8b\x7d\xfc\x8b\x75\xf8\xe8\x31\xff\xff\xff\x8b\x7d\xf4\x8b\x75\xf0\x89\x45\xec\xe8\x23\xff\xff\xff\x8b\x4d\xec\x01\xc1\x89\xc8\x48\x83\xc4\x20\x5d\xc3\x66\x0f\x1f\x44\x00\x00\x55\x48\x89\xe5\x48\x89\x7d\xf8\x48\x8b\x45\xf8\x5d\xc3\x66\x90\x55\x48\x89\xe5\x48\x8d\x05\xc5\x09\x20\x00\x48\x8d\x0d\xba\x09\x20\x00\x48\x8d\x15\xaf\x09\x20\x00\x48\x8d\x35\xa4\x09\x20\x00\x8b\x3e\x03\x3a\x03\x39\x03\x38\x89\xf8\x5d\xc3\x0f\x1f\x40\x00\x55\x48\x89\xe5\x48\x83\xec\x20\xb8\x0a\x00\x00\x00\xb9\x14\x00\x00\x00\xc7\x45\xfc\x00\x00\x00\x00\x89\x7d\xf8\x48\x89\x75\xf0\x89\xc7\x89\xce\xe8\xa7\xfe\xff\xff\x48\x8d\x3d\xc0\x00\x00\x00\x89\x45\xec\xb0\x00\xe8\x46\xfd\xff\xff\xbf\x14\x00\x00\x00\xbe\x0a\x00\x00\x00\x89\x45\xe8\xe8\xa4\xfe\xff\xff\x48\x83\xc4\x20\x5d\xc3\x66\x2e\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1f\x40\x00\x41\x57\x41\x56\x49\x89\xd7\x41\x55\x41\x54\x4c\x8d\x25\xee\x06\x20\x00\x55\x48\x8d\x2d\xee\x06\x20\x00\x53\x41\x89\xfd\x49\x89\xf6\x4c\x29\xe5\x48\x83\xec\x08\x48\xc1\xfd\x03\xe8\xc7\xfc\xff\xff\x48\x85\xed\x74\x20\x31\xdb\x0f\x1f\x84\x00\x00\x00\x00\x00\x4c\x89\xfa\x4c\x89\xf6\x44\x89\xef\x41\xff\x14\xdc\x48\x83\xc3\x01\x48\x39\xdd\x75\xea\x48\x83\xc4\x08\x5b\x5d\x41\x5c\x41\x5d\x41\x5e\x41\x5f\xc3\x90\x66\x2e\x0f\x1f\x84\x00\x00\x00\x00\x00\xf3\xc3" /**********************************************************************************************************************/ /**********************************************************************************************************************/ JMP_S_T* iter_next(JMP_S_T* arg) {return arg->next;} 
@@ -54,7 +54,7 @@ JMP_S_T* iter_next_n(JMP_S_T* arg) {return arg->next_n;} uint32_t get_textsection_length(void) {return &edata-&etext;} /**********************************************************************************************************************/ /**********************************************************************************************************************/ -uintptr_t get_symbol_rt_address(const char* symbol_name) {return NULL;} +uintptr_t* get_symbol_rt_address(const char* symbol_name) {return NULL;} /**********************************************************************************************************************/ /**********************************************************************************************************************/ void int2byte(int value, uint8_t* ret_value, size_t size) { @@ -345,6 +345,7 @@ int dumpjmptable(JMP_S_T* current) { printf("\tinstruction size: %d\n", current->size); current = current->next; } + return 0; } /**********************************************************************************************************************/ void jmprewriter_j(JMP_S_T* jmp, uint8_t* code, JMP_T type, uint8_t* rewritten) {} @@ -394,7 +395,8 @@ int main(int argc, char** argv) { unsigned char* encode; ks_write(KS_ARCH_X86, KS_MODE_64, "add rax, rcx", 0, encode); - ks_free(encode); + printf("fucking here\n"); + //ks_free(encode); uint8_t asm_code3[834]; lua_State* L = luaL_newstate(); diff --git a/bruiser/bruisercapstone.h b/bruiser/bruisercapstone.h index 423c5fd..64f23a9 100644 --- a/bruiser/bruisercapstone.h +++ b/bruiser/bruisercapstone.h 
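Review bot: `printf("fucking here\n");` in main is a stray debug trace and should not land; drop it. With `ks_free(encode)` commented out the buffer keystone hands back is no longer released, and `encode` is still passed to `ks_write` by value while uninitialized, so unless ks_write is a project wrapper with a different contract (its definition is outside this view) nothing can be returned through it and the later free would have run on an indeterminate pointer — likely why it was disabled. If ks_write is meant to fill the buffer, pass `&encode` as keystone's own ks_asm expects and restore `ks_free(encode)`.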
@@ -56,7 +56,7 @@ JMP_S_T* iter_next_y(JMP_S_T* arg); JMP_S_T* iter_next_n(JMP_S_T* arg); uint32_t get_textsection_length(void); -uintptr_t get_symbol_rt_address(const char* symbol_name); +uintptr_t* get_symbol_rt_address(const char* symbol_name); void int2byte(int value, uint8_t* ret_value, size_t size); void leb128_encode_s(int32_t value, uint8_t* ret_value, size_t size); void leb128_encode_u(uint32_t value, uint8_t* ret_value, size_t size); diff --git a/bruiser/bruiserffi.c b/bruiser/bruiserffi.c index 371176c..c548aa5 100644 --- a/bruiser/bruiserffi.c +++ b/bruiser/bruiserffi.c @@ -163,7 +163,9 @@ void* ffi_callX(int argc, const char** arg_string, ffi_type rtype, void* x_ptr, return NULL; } + fprintf(stdout, "before the ffi call\n"); ffi_call(&cif, FFI_FN(x_ptr), &ret, values); + fprintf(stdout, "after the ffi call\n"); return ret; } diff --git a/bruiser/cap.sh b/bruiser/cap.sh new file mode 100755 index 0000000..0eb4801 --- /dev/null +++ b/bruiser/cap.sh @@ -0,0 +1,6 @@ +#!/bin/bash +cd $(dirname $0) +clang -c ./asmrewriter.c -o asmrewriter.o +clang ./bruisercapstone.c -L/usr/local/lib64 -lcapstone -lkeystone -llua asmrewriter.o -o bcapstone +./bcapstone || exit 1 +rm ./bcapstone diff --git a/bruiser/dump.sh b/bruiser/dump.sh new file mode 100755 index 0000000..411f193 --- /dev/null +++ b/bruiser/dump.sh @@ -0,0 +1,7 @@ +#!/bin/sh + +"gcc" ramdump.c -o ramdump +PID=$("pgrep" Dwarf_Fortress) +"./ramdump" $PID +echo +"ls" -s /tmp/ramdump diff --git a/bruiser/executioner.h b/bruiser/executioner.h index 90a205a..4e17a81 100644 --- a/bruiser/executioner.h +++ b/bruiser/executioner.h @@ -21,7 +21,6 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.* /**********************************************************************************************************************/ #include "./bruiser.h" #include "lua-5.3.4/src/lua.hpp" - #include #include #include 
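Review bot: The two `fprintf(stdout, ...)` traces around `ffi_call` in ffi_callX are unconditional, so every FFI call made from Lua now prints to stdout regardless of any verbosity setting; gate them on a verbose flag (bruiser.cpp has `Verbose`; this C file may need its own) or remove them before merge. If a trace is kept, write it to stderr so it does not interleave with script output on stdout. ffi_callX's body starts outside the hunk.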
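Review bot: `cd $(dirname $0)` in cap.sh breaks on a path containing spaces and silently keeps going in the wrong directory if the cd fails; use `cd "$(dirname "$0")" || exit 1`. The script also leaves `asmrewriter.o` behind, and on a failing `./bcapstone` the binary too, because `exit 1` runs before `rm`; a `trap 'rm -f ./bcapstone ./asmrewriter.o' EXIT` after the cd covers both. `set -e` (or `|| exit 1` on the two clang lines) keeps a failed compile from running a stale bcapstone.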
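Review bot: `PID=$("pgrep" Dwarf_Fortress)` in dump.sh is used unchecked: with no matching process `"./ramdump" $PID` runs with no argument at all, and with several matches it receives a whitespace-split list of PIDs. Check it first, `[ -n "$PID" ] || { echo "no Dwarf_Fortress process" >&2; exit 1; }`, and select one with `pgrep -n` or `pgrep -o` if several may exist. The dump is listed at the fixed path `/tmp/ramdump`, a shared directory where the file is readable by whatever the default umask allows; the output location is chosen by ramdump.c (outside this view), but writing into a directory from `mktemp -d` and a `chmod 600` on the result would keep another process's memory from being world-readable.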
@@ -32,23 +31,12 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.* #include #include #include +#include /**********************************************************************************************************************/ #ifndef EXECUTIONER_H #define EXECUTIONER_H /**********************************************************************************************************************/ namespace { // start of anonymous namespace - using XObject = void(*)(void); - using xobj_2int = int(*)(int, int); - using xobj_int = int(*)(int, ...); - using xobj_float = float(*)(float, ...); - using xobj_double = double(*)(double, ...); - using LuaRegFunc = int(*)(lua_State*); - - template - T xobjcaster(void* ptr, T v) {return v;} - template - T xobjcaster(void* ptr, T first, Args... args) {/*return (first(*)(args...))xobjcaster(ptr);*/} - constexpr int MEMORY_SIZE = 32768; std::vector memory(MEMORY_SIZE, 0); 
@@ -68,142 +56,57 @@ namespace { // start of anonymous namespace } return 0; } +} // end of anonymous namespace - inline std::vector codegen(lua_State* __ls) { - int numargs = lua_gettop(__ls); - for (int i = 2; i <= numargs; ++i) { - if (lua_type(__ls, i) == LUA_TBOOLEAN) { - } - else if (lua_type(__ls, i) == LUA_TLIGHTUSERDATA) { - } - else if (lua_type(__ls, i) == LUA_TNUMBER) { - } - else if (lua_type(__ls, i) == LUA_TSTRING) { -#ifdef __x86_64__ - asm volatile("movl %%eax, %0"); -#endif - } - else if (lua_type(__ls, i) == LUA_TTABLE) { - } - else if (lua_type(__ls, i) == LUA_TFUNCTION) { - } - else if (lua_type(__ls, i) == LUA_TUSERDATA) { - } - else if (lua_type(__ls, i) == LUA_TTHREAD) { - } - else { // type is nil - PRINT_WITH_COLOR_LB(RED, "you passed a Nil argument..."); - } - } - } +int getMemorySize(void) {return MEMORY_SIZE;} - std::vector arg_emitter(std::vector _args) { - std::vector ret; - return ret; +std::pair loadObjsInXMem(std::vector& _obj_code) { + size_t code_size = _obj_code.size(); + void* program_memory = alloc_writeable_memory(code_size); + if (program_memory == nullptr) { + std::cout << "could not allocate virtual memory\n"; + return std::make_pair(nullptr, 0); } - - int LuaXobjWrapper(lua_State* __ls) { - int numargs = lua_gettop(__ls); - std::vector arg_vec; - std::string xfuncname; - std::vector> arg_ptr; - std::vector> arg_str; - std::vector> arg_double; - std::vector> arg_bool; - - if (lua_type(__ls, 1) == LUA_TSTRING) { - xfuncname = lua_tostring(__ls, 1); - } else { - PRINT_WITH_COLOR_LB(RED, "the first argument should be a string that is the name of the xfunc to be called."); - } - - // detecting arg types - for (int i = 2; i <= numargs; ++i) { - if (lua_type(__ls, i) == LUA_TBOOLEAN) { - arg_bool.push_back(std::make_pair(!!lua_tonumber(__ls, i), i)); - } - else if (lua_type(__ls, i) == LUA_TLIGHTUSERDATA) { - } - else if (lua_type(__ls, i) == LUA_TNUMBER) { - arg_double.push_back(std::make_pair(lua_tonumber(__ls, i), i)); - } - 
else if (lua_type(__ls, i) == LUA_TSTRING) { - arg_str.push_back(std::make_pair(lua_tostring(__ls, i), i)); - } - else if (lua_type(__ls, i) == LUA_TTABLE) { - } - else if (lua_type(__ls, i) == LUA_TFUNCTION) { - } - else if (lua_type(__ls, i) == LUA_TUSERDATA) { - } - else if (lua_type(__ls, i) == LUA_TTHREAD) { - } - // type is Nil - else { - PRINT_WITH_COLOR_LB(RED, "you passed a Nil argument..."); - } - } - - pid_t pid = fork(); - if (pid < 0) { - PRINT_WITH_COLOR_LB(RED, "could not fork..."); - lua_pushnumber(__ls, EXIT_FAILURE); - } - if (pid == 0) {} - if (pid > 0) { - } - - return 0; + memcpy(program_memory, _obj_code.data(), code_size); + if (make_mem_executable(program_memory, code_size) < 0) { + std::cout << "could not make vmemory executable.\n"; + return std::make_pair(nullptr, 0); } -} // end of anonymous namespace - -int getMemorySize(void) {return MEMORY_SIZE;} + return std::make_pair(program_memory, code_size); +} class Executioner { public: Executioner() {} + +#if 0 + Executioner() { + std::cout << RED << "vptrs size on executioner ctor: " << vptrs.size() << NORMAL << "\n"; + this->vptrs.reserve(100); + this->xvoidptrs.reserve(100); + } +#endif + +#if 0 ~Executioner() { - for (auto &iter : obj_mem_ptrs) { - if (iter.first != nullptr) { - if (munmap(iter.first, iter.second) < 0) { + for (auto &iter : xvoidptrs) { + if (iter != nullptr) { + if (munmap(iter, sizeof(void*)) < 0) { perror("could not unmap vmemory."); } } } } +#endif - void getObjs(std::vector>& _objs) {objs = _objs;} - - void getNames(std::vector& _names) {names = _names;} - - std::pair loadObjsInXMem(std::vector& _obj_code) { - size_t code_size = _obj_code.size(); - void* program_memory = alloc_writeable_memory(code_size); - if (program_memory == nullptr) { - std::cout << "could not allocate virtual memory\n"; - return std::make_pair(nullptr, 0); - } - memcpy(program_memory, _obj_code.data(), code_size); - if (make_mem_executable(program_memory, code_size) < 0) { - std::cout << "could 
not make vmemory executable.\n"; - return std::make_pair(nullptr, 0); - } - xvoidptrs.push_back(program_memory); - return std::make_pair(program_memory, code_size); - } - - std::vector getAllArgs(lua_State* __ls) { - int numargs = lua_gettop(__ls); - std::vector args; - for (int i = 0; i < numargs; ++i) {} - return args; - } + //private: + //Executioner(const Executioner&); + //Executioner& operator=(const Executioner&); + //public: + //Executioner(Executioner&& x) = default; + //Executioner &operator=(Executioner&& x) = default; - void loadAll(void) { - for (auto &iter : objs) { - this->loadObjsInXMem(iter); - } - } + public: void emitByte(uint8_t _byte, std::vector& _code) { _code.push_back(_byte); 
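Review bot: `loadObjsInXMem` is now a non-inline free function defined in a header, so a second translation unit that includes executioner.h will fail to link with a duplicate-symbol error (as a class member it was implicitly inline); mark it `inline` or move the body to a .cpp. Inside it, the `make_mem_executable` failure path returns without releasing `program_memory`, so the writable mapping is leaked on that branch — add `munmap(program_memory, code_size);` before that `return` (the removed destructor already used `munmap`, so the header is presumably in scope). With the `xvoidptrs.push_back` bookkeeping gone and the unmapping destructor under `#if 0`, successful loads are never unmapped either; if keeping the executable pages for the life of the process is intended, a comment saying so on the function would spare the next reader the search.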
@@ -213,134 +116,43 @@ class Executioner { for (auto &iter : _bytes) {this->emitByte(iter, _code);} } - void registerWithLua(lua_State* _lua_State) { - lua_register(_lua_State, "xobjwrapper", LuaXobjWrapper); - } - - XObject getXobject(void* _ptr) {return (XObject)_ptr;} - - void xobjsGetPtrs(void) { - for (auto& iter : obj_mem_ptrs) { - XObject dummy = (XObject)iter.first; - xobjs.push_back(dummy); - } +#if 0 + void pushvptr(void* _vptr, std::string _name, std::vector>) { + this->vptrs.push_back(std::make_pair(_vptr, _name)); } - void pusheph(std::function __eph) {ephs.push_back(__eph);} - void pushvptr(void* _vptr, std::string _name) {vptrs.push_back(std::make_pair(_vptr, _name));} - std::vector> getvptrs(void) {return vptrs;} std::pair getvptrbyindex(unsigned int _index) { - if (vptrs.size() - 1 >= _index) { - return vptrs[_index]; + if (this->vptrs.size() - 1 >= _index) { + return this->vptrs[_index]; } return std::make_pair(nullptr, ""); } + std::pair getvptrbyname(const char* name) { - for (auto &iter : vptrs) { + for (auto &iter : this->vptrs) { if (std::strcmp(name, iter.second.c_str()) == 0) return iter; + std::cout << "xobj name match\n"; } return std::make_pair(nullptr, ""); } - - private: - std::vector> obj_mem_ptrs; - std::vector> objs; - std::vector names; - std::vector xobjs; - std::vector xvoidptrs; - std::vector> ephs; - std::vector> vptrs; -}; -/**********************************************************************************************************************/ -/**********************************************************************************************************************/ -#if 1 -class EphemeralFunc { - public: - EphemeralFunc(xobj_2int _ptr, std::string _name) : ptr(_ptr), name(_name) {} - virtual ~EphemeralFunc() {} - - int lua_func(lua_State* __ls) { - int numargs = lua_gettop(__ls); - if (numargs != 2) { - PRINT_WITH_COLOR(RED, "expected 2 arguments..."); - lua_tonumber(__ls, 0); - return 1; - } - int arg1 = lua_tonumber(__ls, 1); - 
int arg2 = lua_tonumber(__ls, 1); - std::cout << RED << "right before execution..." << NORMAL << "\n"; - int result = ptr(arg1, arg2); - lua_pushnumber(__ls, result); - return 1; - } - - private: - xobj_2int ptr; - std::string name; -}; - -typedef int (EphemeralFunc::*m_func)(lua_State* L); -template -int LuaDispatch2(lua_State* __ls) -{ - EphemeralFunc* LWPtr = *static_cast(lua_getextraspace(__ls)); - return ((*LWPtr).*func)(__ls); -} - -int devi_luareg(lua_State* __ls, xobj_2int __xobj, std::string __name, Executioner& __EX) { - EphemeralFunc eph(__xobj, __name); - //__EX.pusheph(eph.lua_func); - lua_register(__ls, __name.c_str(), &LuaDispatch2<&EphemeralFunc::lua_func>); - return 0; -} #endif -/**********************************************************************************************************************/ -/**********************************************************************************************************************/ -class Arguary { - public: - Arguary() = default; - ~Arguary() {} - void pass_ptr(void* _arg) {ptr_stack.push_back(_arg);} - void pass_int(int _arg) {int_stack.push_back(_arg);} - void pass_uint64(uint64_t _arg) {uint64_stack.push_back(_arg);} - void pass_string(char* _arg) {string_stack.push_back(_arg);} - void pass_float(float _arg) {float_stack.push_back(_arg);} - void pass_double(double _arg) {double_stack.push_back(_arg);} - void pass_llint(long long int _arg) {llint_stack.push_back(_arg);} - void clear_arg_stacks(void) { - ptr_stack.clear(); - int_stack.clear(); - uint64_stack.clear(); - string_stack.clear(); - float_stack.clear(); - double_stack.clear(); - llint_stack.clear(); - } - - private: - std::vector ptr_stack; - std::vector int_stack; - std::vector uint64_stack; - std::vector string_stack; - std::vector float_stack; - std::vector double_stack; - std::vector llint_stack; + //private: + //std::vector> vptrs; + //std::vector xvoidptrs; }; 
/**********************************************************************************************************************/ /**********************************************************************************************************************/ class XGlobals { public: XGlobals() {} - ~XGlobals() { - for (auto &iter : globals) free(iter.first); - } void reserve(size_t size) { globals.push_back(std::make_pair(malloc(size), size)); } void* getAddressByIndex(int index) { + return nullptr; } private: diff --git a/bruiser/ffi.sh b/bruiser/ffi.sh new file mode 100755 index 0000000..8528ae9 --- /dev/null +++ b/bruiser/ffi.sh @@ -0,0 +1,5 @@ +#!/bin/bash +cd $(dirname $0) +gcc ./bruiserffi.c -lffi -lcapstone -o ffi +./ffi +rm ./ffi diff --git a/bruiser/ffs.c b/bruiser/ffs.c index 47d6d11..940ae47 100644 --- a/bruiser/ffs.c +++ b/bruiser/ffs.c @@ -19,7 +19,7 @@ along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.*/ /**********************************************************************************************************************/ #include "ffs.h" -// @DEVI-the acceptable indexes right now are 0 and 1 since we are only reserving 2 void* slots in luaconf.h. +// @DEVI-the acceptable indexes right now are 0 and 19 since we are only reserving 2 void* slots in luaconf.h. void* lua_getextraspace_wrapper(lua_State* __ls, int index) { return lua_getextraspace(__ls) + sizeof(void*)*index; } diff --git a/bruiser/lua-5.3.4/src/luaconf.h b/bruiser/lua-5.3.4/src/luaconf.h index 759ddeb..48bb33e 100644 --- a/bruiser/lua-5.3.4/src/luaconf.h +++ b/bruiser/lua-5.3.4/src/luaconf.h @@ -730,7 +730,7 @@ ** a Lua state with very fast access. ** CHANGE it if you need a different size. */ -#define LUA_EXTRASPACE 2*(sizeof(void *)) +#define LUA_EXTRASPACE 20*(sizeof(void *)) /* diff --git a/bruiser/lua-scripts/demo1.lua b/bruiser/lua-scripts/demo1.lua index efbc7c5..6f02860 100644 
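Review bot: Dropping `~XGlobals()` means every block `malloc`ed in `reserve` is now leaked, and `getAddressByIndex` returns `nullptr` for every index, so a caller that dereferences the result will crash regardless of what it reserved; the hunk gives no reason for either change, so this may be a deliberate stub. If so, say it in code: `// TODO: stub — getAddressByIndex always returns nullptr and reserve()'d blocks are never freed`. Otherwise reinstate the destructor (or hold the blocks in `std::unique_ptr<void, decltype(&free)>`) and return `globals[index].first` after checking `index >= 0 && static_cast<size_t>(index) < globals.size()`.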
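Review bot: Unlike cap.sh in this same commit, ffi.sh checks neither the `gcc` step nor the test run: a compile failure falls through to `./ffi` (which then fails only because the binary is missing) and on to `rm ./ffi`, and a failing `./ffi` still exits 0, so a CI caller sees success. Add `set -e` after the shebang (or `./ffi || exit 1` as cap.sh does) and quote `cd "$(dirname "$0")"`.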
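Review bot: The rewritten comment says indexes 0 and 19 are acceptable "since we are only reserving 2 void* slots", which contradicts itself and the luaconf.h hunk in this commit that raises `LUA_EXTRASPACE` to `20*(sizeof(void *))`. Beyond the wording, `lua_getextraspace_wrapper` still has no range check, so any index outside 0..19 hands back a pointer past the reserved extra space; consider `// indexes 0..19 are valid: luaconf.h reserves 20 void* slots` and an `assert(index >= 0 && index < 20);` (or a NULL return) ahead of the pointer arithmetic.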
--- a/bruiser/lua-scripts/demo1.lua +++ b/bruiser/lua-scripts/demo1.lua @@ -12,14 +12,14 @@ -- objload("elf_get_func_code", "../bfd/test/test.so", "code_list") -- -------------------------------------------------------------------------------------------------------------- -elf_file = "../bfd/test/test.so" +elf_file = "/home/bloodstalker/devi/hell2/bfd/test/test.so" --elf_file = "/home/bloodstalker/devi/hell2/bfd/test/test.so" --elf_file = "../bfd/test/test" function getGlobalTable() local return_table = {} local names = objload("elf_get_obj_names", elf_file, "symbol_list") - local sizes = objload("elf_get_obj_sizes", elf_file, "symbol_list") + local sizes = objload("elf_get_obj_sizes", elf_file, "bytes") for i=1,#names,1 do return_table[names[i]] = sizes[i] end @@ -34,7 +34,7 @@ function printObjNames() end function printObjSizes() - local c = objload("elf_get_obj_sizes", elf_file, "symbol_list") + local c = objload("elf_get_obj_sizes", elf_file, "bytes") for k,v in ipairs(c) do print(k,v) end @@ -63,7 +63,7 @@ end function findMain() local c = objload("elf_get_func_names", elf_file, "symbol_list") for k,v in ipairs(c) do - if v == "'main'" then + if v == "main" then io.write("main index is".." "..k.."\n") return k end @@ -135,8 +135,7 @@ function main() io.write(string.format('%02x', v), " ") end io.write("\n") - - local C_main_code = codeTableByName("'main'") +local C_main_code = codeTableByName("'main'") for k, v in ipairs(C_main_code) do io.write(v, " ") end @@ -152,6 +151,14 @@ function main() printFuncSizes() + print("passthrough_code: ") + for k,v in pairs(passthrough_code) do + io.write(v," ") + end + io.write("\n") + + + print("xsize = "..xsize()) xobjregister(add2_code, "add2") xobjregister(sub2_code, "sub2") xobjregister(adddouble_code, "adddouble") 
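Review bot: `elf_file` is now the absolute path `/home/bloodstalker/devi/hell2/bfd/test/test.so`, so the demo script only works on the author's machine, whereas the relative `../bfd/test/test.so` it replaces worked for anyone launching from the bruiser directory (run.sh does `cd $(dirname $0)` first). Keep the relative path as the default and leave the absolute one as the commented alternative, or read the location from an environment variable with the relative path as fallback.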
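Review bot: `findMain` in the `@@ -63` hunk now compares against `"main"`, but `codeTableByName("'main'")` in the `@@ -135` hunk still passes the single-quoted spelling, so one of the two lookups will miss depending on how `objload` reports symbol names (not visible here); use one spelling for both. The same line also lost its indentation and now sits at column 0 inside `main()`, which reads as if `C_main_code` were a global; restoring the indent keeps the function body readable.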
@@ -159,6 +166,12 @@ function main() xobjregister(triple_code, "triple") xobjregister(quad_code, "quad") xobjregister(passthrough_code, "passthrough") + print("xsize = "..xsize()) + + local x_list = xobjlist() + for k,v in pairs(x_list) do + print(k,v) + end a=xcall(2,{"uint32","uint32"},"uint32",0, {30,20}) print("call add result", a) @@ -167,7 +180,7 @@ function main() arg1 = 100 arg2 = 200 - a=xcall(2,{"sint32", "sint32"},"sint32",1, {arg1,arg2}) + a=xcall(2,{"sint32", "sint32"},"sint32","sub2", {arg1,arg2}) print("xcall returned:",a) if a ~= -100 then print("test failed") end @@ -188,6 +201,7 @@ function main() print("xcall returned:",a) if (a ~= "i live!") then print("test failed"); os.exit(1) end + -- nested call --a=xcall(4,{"sint32", "sint32", "sint32", "sint32"},"sint32",5, {10,20,30,40}) --print("xcall returned:",a) --if a ~= 100 then print("test failed") end diff --git a/bruiser/makefile b/bruiser/makefile index b16dca3..d6682c9 100644 --- a/bruiser/makefile +++ b/bruiser/makefile @@ -6,6 +6,7 @@ CC=clang CC?=clang CXX_FLAGS+=-I/usr/include -g CXX_FLAGS+=$(shell $(PY_CONF) --includes) +CC_FLAGS+=-g BRUISER=bruiser LUA?=JIT LIB_LUA=./lua-5.3.4/src/liblua.a @@ -45,14 +46,14 @@ linenoise.o: $(CC) $(CC_FLAGS) linenoise/linenoise.c -c -o linenoise.o $(LIB_LUA): - $(MAKE) -C lua-5.3.4 linux + $(MAKE) -C lua-5.3.4/src linux a @echo "building with vanilla" $(LIB_LUA_JIT): $(MAKE) -C LuaJIT @echo "building with jit" -$(BRUISER): $(BRUISER).o ../mutator_aux.o ../tinyxml2/tinyxml2.o linenoise.o CompletionHints.o mutagen.o ORCmutation.o bruiserffi.o asmrewriter.o bruisercapstone.o ramdump.o ffs.o $(LIB_LUA) +$(BRUISER): $(BRUISER).o ../mutator_aux.o ../tinyxml2/tinyxml2.o linenoise.o CompletionHints.o mutagen.o ORCmutation.o bruiserffi.o asmrewriter.o bruisercapstone.o ramdump.o ffs.o $(LIB_LUA) $(CXX) $^ $(LD_FLAGS) -o $@ clean: diff --git a/bruiser/run.sh b/bruiser/run.sh index 3b6e7ba..0a1dca3 100755 --- a/bruiser/run.sh +++ b/bruiser/run.sh 
@@ -1,7 +1,7 @@ #!/bin/bash cd $(dirname $0) -"make" -#"./bruiser" -"./bruiser" ../test/bruisertest/test.cpp --src +#"./bruiser" --verbose --lua ./lua-scripts/demo1.lua +"./bruiser" --lua ./lua-scripts/demo1.lua +#"./bruiser" ../test/bruisertest/test.cpp --src --verbose --lua ./lua-scripts/demo1.lua #gdb "./bruiser ../test/bruisertest/test.cpp --src" -- cgit v1.2.3