update python binding samples, shellcode.py with 64bit syscall (#1052)

* update python binding samples, shellcode.py with 64bit syscall

* fix with quynh comments

* fix with more q comments

* reformatted

* reformatted and moved file

* reformatted and moved file

* delete file

* delete dead code

* deleted more dead code

* deleted more dead code / fix bugs

* fix 64bit eip intno eax

* rearrage rip

* Inconsistent print

Backports commit 8c6cbe3f3cabed57b23b721c29f937dd5baafc90 from unicorn.
This commit is contained in:
kj.xwings.l 2019-02-28 16:47:14 -05:00 committed by Lioncash
parent 7bb8554242
commit 15d52aefbe
No known key found for this signature in database
GPG key ID: 4E3C3CC1031BA9C7

View file

@ -1,27 +1,55 @@
#!/usr/bin/env python #!/usr/bin/env python
# Sample code for X86 of Unicorn. Nguyen Anh Quynh <aquynh@gmail.com> # Sample code for X86 of Unicorn.
# Nguyen Anh Quynh <aquynh@gmail.com>
# KaiJern Lau <kj@theshepherdlab.io>
from __future__ import print_function from __future__ import print_function
from unicorn import * from unicorn import *
from unicorn.x86_const import * from unicorn.x86_const import *
# Original shellcode from this example.
#X86_CODE32 = b"\xeb\x19\x31\xc0\x31\xdb\x31\xd2\x31\xc9\xb0\x04\xb3\x01\x59\xb2\x05\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xe2\xff\xff\xff\x68\x65\x6c\x6c\x6f"
X86_CODE32 = b"\xeb\x19\x31\xc0\x31\xdb\x31\xd2\x31\xc9\xb0\x04\xb3\x01\x59\xb2\x05\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xe2\xff\xff\xff\x68\x65\x6c\x6c\x6f" # Linux/x86 execve /bin/sh shellcode 23 bytes, from http://shell-storm.org/shellcode/files/shellcode-827.php
# 0: 31 c0 xor eax,eax
# 2: 50 push eax
# 3: 68 2f 2f 73 68 push 0x68732f2f
# 8: 68 2f 62 69 6e push 0x6e69622f
# d: 89 e3 mov ebx,esp
# f: 50 push eax
# 10: 53 push ebx
# 11: 89 e1 mov ecx,esp
# 13: b0 0b mov al,0xb
# 15: cd 80 int 0x80
X86_CODE32 = b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
X86_CODE32_SELF = b"\xeb\x1c\x5a\x89\xd6\x8b\x02\x66\x3d\xca\x7d\x75\x06\x66\x05\x03\x03\x89\x02\xfe\xc2\x3d\x41\x41\x41\x41\x75\xe9\xff\xe6\xe8\xdf\xff\xff\xff\x31\xd2\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xca\x7d\x41\x41\x41\x41\x41\x41\x41\x41" X86_CODE32_SELF = b"\xeb\x1c\x5a\x89\xd6\x8b\x02\x66\x3d\xca\x7d\x75\x06\x66\x05\x03\x03\x89\x02\xfe\xc2\x3d\x41\x41\x41\x41\x75\xe9\xff\xe6\xe8\xdf\xff\xff\xff\x31\xd2\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xca\x7d\x41\x41\x41\x41\x41\x41\x41\x41"
# Linux/x86 64bit execve /bin/sh shellcode
# 0: 48 31 ff xor rdi,rdi
# 3: 57 push rdi
# 4: 57 push rdi
# 5: 5e pop rsi
# 6: 5a pop rdx
# 7: 48 bf 2f 2f 62 69 6e movabs rdi,0x68732f6e69622f2f
# e: 2f 73 68
# 11: 48 c1 ef 08 shr rdi,0x8
# 15: 57 push rdi
# 16: 54 push rsp
# 17: 5f pop rdi
# 18: 6a 3b push 0x3b
# 1a: 58 pop rax
# 1b: 0f 05 syscall
X86_CODE64 = b"\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05" X86_CODE64 = b"\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05"
# memory address where emulation starts # memory address where emulation starts
ADDRESS = 0x1000000 ADDRESS = 0x1000000
# callback for tracing instructions # callback for tracing instructions
def hook_code(uc, address, size, user_data): def hook_code(uc, address, size, user_data):
print(">>> Tracing instruction at 0x%x, instruction size = 0x%x" %(address, size)) print(">>> Tracing instruction at 0x%x, instruction size = 0x%x" %(address, size))
# read this instruction code from memory # read this instruction code from memory
tmp = uc.mem_read(address, size) tmp = uc.mem_read(address, size)
print("*** EIP = %x *** :" %(address), end="") print("*** PC = %x *** :" %(address), end="")
for i in tmp: for i in tmp:
print(" %02x" %i, end="") print(" %02x" %i, end="")
print("") print("")
@ -31,6 +59,16 @@ def hook_code(uc, address, size, user_data):
def hook_block(uc, address, size, user_data): def hook_block(uc, address, size, user_data):
print(">>> Tracing basic block at 0x%x, block size = 0x%x" %(address, size)) print(">>> Tracing basic block at 0x%x, block size = 0x%x" %(address, size))
def read_string(uc, address):
ret = ""
c = uc.mem_read(address, 1)[0]
read_bytes = 1
while c != 0x0:
ret += chr(c)
c = uc.mem_read(address + read_bytes, 1)[0]
read_bytes += 1
return ret
# callback for tracing Linux interrupt # callback for tracing Linux interrupt
def hook_intr(uc, intno, user_data): def hook_intr(uc, intno, user_data):
@ -42,6 +80,7 @@ def hook_intr(uc, intno, user_data):
eax = uc.reg_read(UC_X86_REG_EAX) eax = uc.reg_read(UC_X86_REG_EAX)
eip = uc.reg_read(UC_X86_REG_EIP) eip = uc.reg_read(UC_X86_REG_EIP)
if eax == 1: # sys_exit if eax == 1: # sys_exit
print(">>> 0x%x: interrupt 0x%x, EAX = 0x%x" %(eip, intno, eax)) print(">>> 0x%x: interrupt 0x%x, EAX = 0x%x" %(eip, intno, eax))
uc.emu_stop() uc.emu_stop()
@ -50,7 +89,6 @@ def hook_intr(uc, intno, user_data):
ecx = uc.reg_read(UC_X86_REG_ECX) ecx = uc.reg_read(UC_X86_REG_ECX)
# EDX = buffer size # EDX = buffer size
edx = uc.reg_read(UC_X86_REG_EDX) edx = uc.reg_read(UC_X86_REG_EDX)
try: try:
buf = uc.mem_read(ecx, edx) buf = uc.mem_read(ecx, edx)
print(">>> 0x%x: interrupt 0x%x, SYS_WRITE. buffer = 0x%x, size = %u, content = " \ print(">>> 0x%x: interrupt 0x%x, SYS_WRITE. buffer = 0x%x, size = %u, content = " \
@ -61,19 +99,42 @@ def hook_intr(uc, intno, user_data):
except UcError as e: except UcError as e:
print(">>> 0x%x: interrupt 0x%x, SYS_WRITE. buffer = 0x%x, size = %u, content = <unknown>\n" \ print(">>> 0x%x: interrupt 0x%x, SYS_WRITE. buffer = 0x%x, size = %u, content = <unknown>\n" \
%(eip, intno, ecx, edx)) %(eip, intno, ecx, edx))
elif eax == 11: # sys_write
ebx = uc.reg_read(UC_X86_REG_EBX)
filename = read_string(uc, ebx)
print(">>> SYS_EXECV filename=%s" % filename)
else: else:
print(">>> 0x%x: interrupt 0x%x, EAX = 0x%x" %(eip, intno, eax)) print(">>> 0x%x: interrupt 0x%x, EAX = 0x%x" %(eip, intno, eax))
def hook_syscall(mu, user_data): def hook_syscall32(mu, user_data):
rax = mu.reg_read(UC_X86_REG_RAX) eax = mu.reg_read(UC_X86_REG_EAX)
print(">>> got SYSCALL with RAX = 0x%x" %(rax)) print(">>> got SYSCALL with EAX = 0x%x" %(eax))
mu.emu_stop() mu.emu_stop()
def hook_syscall64(mu, user_data):
rax = mu.reg_read(UC_X86_REG_RAX)
rdi = mu.reg_read(UC_X86_REG_RDI)
print(">>> got SYSCALL with RAX = %d" %(rax))
if rax == 59: #sys_execve
filename = read_string(mu, rdi)
print(">>> SYS_EXECV filename=%s" % filename)
else:
rip = mu.reg_read(UC_X86_REG_RIP)
print(">>> Syscall Found at 0x%x: , RAX = 0x%x" %(rip, rax))
mu.emu_stop()
# Test X86 32 bit # Test X86 32 bit
def test_i386(mode, code): def test_i386(mode, code):
print("Emulate x86 code") if mode == UC_MODE_32:
print("Emulate x86_32 code")
elif mode == UC_MODE_64:
print("Emulate x86_64 code")
try: try:
# Initialize emulator # Initialize emulator
mu = Uc(UC_ARCH_X86, mode) mu = Uc(UC_ARCH_X86, mode)
@ -93,11 +154,13 @@ def test_i386(mode, code):
# tracing all instructions with customized callback # tracing all instructions with customized callback
mu.hook_add(UC_HOOK_CODE, hook_code) mu.hook_add(UC_HOOK_CODE, hook_code)
# handle interrupt ourself if mode == UC_MODE_32:
mu.hook_add(UC_HOOK_INTR, hook_intr) # handle interrupt ourself
mu.hook_add(UC_HOOK_INTR, hook_intr)
# handle SYSCALL # handle SYSCALL
mu.hook_add(UC_HOOK_INSN, hook_syscall, None, 1, 0, UC_X86_INS_SYSCALL) mu.hook_add(UC_HOOK_INSN, hook_syscall32, None, 1, 0, UC_X86_INS_SYSCALL)
elif mode == UC_MODE_64:
mu.hook_add(UC_HOOK_INSN, hook_syscall64, None, 1, 0, UC_X86_INS_SYSCALL)
# emulate machine code in infinite time # emulate machine code in infinite time
mu.emu_start(ADDRESS, ADDRESS + len(code)) mu.emu_start(ADDRESS, ADDRESS + len(code))
@ -108,12 +171,9 @@ def test_i386(mode, code):
except UcError as e: except UcError as e:
print("ERROR: %s" % e) print("ERROR: %s" % e)
if __name__ == '__main__': if __name__ == '__main__':
test_i386(UC_MODE_32, X86_CODE32_SELF) test_i386(UC_MODE_32, X86_CODE32_SELF)
print("=" * 20) print("=" * 20)
test_i386(UC_MODE_32, X86_CODE32) test_i386(UC_MODE_32, X86_CODE32)
print("=" * 20) print("=" * 20)
test_i386(UC_MODE_64, X86_CODE64) # FIXME test_i386(UC_MODE_64, X86_CODE64)