From 4d7b7c1d5e626925a8b2a19b04d73ce48f17ad12 Mon Sep 17 00:00:00 2001 From: Kong Nguyen Date: Wed, 26 Aug 2015 22:40:41 +0800 Subject: [PATCH] make sample_network_auditing.py runnable --- bindings/python/sample_network_auditing.py | 46 ++++++++++++++-------- 1 file changed, 29 insertions(+), 17 deletions(-) diff --git a/bindings/python/sample_network_auditing.py b/bindings/python/sample_network_auditing.py index 127845f3..66e575ce 100755 --- a/bindings/python/sample_network_auditing.py +++ b/bindings/python/sample_network_auditing.py @@ -10,8 +10,7 @@ import uuid import random SIZE_REG = 4 -SOCKETCALL_MAX_ARGS = 6 -FILENAME_MAX_LEN = 128 +SOCKETCALL_MAX_ARGS = 3 SOCKET_TYPES = { 1: "SOCK_STREAM", @@ -133,15 +132,17 @@ def bin_to_ipv4(ip): (ip & 0xff00) >> 8, (ip & 0xff)) -def bytearray_to_string(ba): +def read_string(uc, addr): ret = "" - i = 0 - while i < len(ba) and ba[i] != 0x0: - ret += chr(ba[i]) + c = uc.mem_read(addr, 1)[0] + read_bytes = 1 + + while c != 0x0: + ret += chr(c) + c = uc.mem_read(addr+read_bytes, 1)[0] + read_bytes += 1 - i += 1 - return ret def parse_sock_address(sock_addr): @@ -189,9 +190,9 @@ def hook_intr(uc, intno, user_data): buf = ecx count = edx - dummy_content = str(uuid.uuid1()) + dummy_content = str(uuid.uuid1())[:32] if len(dummy_content) > count: - dummy_content = dummy_content[:count] + dummy_content = dummy_content[:count] uc.mem_write(buf, dummy_content) @@ -206,7 +207,7 @@ def hook_intr(uc, intno, user_data): content = uc.mem_read(buf, count) - msg = "write data=%s count=%d to fd(%d)" % (bytearray_to_string(content), count, fd) + msg = "write data=%s count=%d to fd(%d)" % (content, count, fd) print(">>> %s" % msg) fd_chains.add_log(fd, msg) @@ -214,21 +215,21 @@ def hook_intr(uc, intno, user_data): filename_addr = ebx flags = ecx mode = edx - filename = uc.mem_read(filename_addr, FILENAME_MAX_LEN) + filename = read_string(uc, filename_addr) dummy_fd = id_gen.next() uc.reg_write(UC_X86_REG_EAX, dummy_fd) - msg = "open file (filename=%s flags=%d mode=%d) with fd(%d)" % (bytearray_to_string(filename), flags, mode, dummy_fd) + msg = "open file (filename=%s flags=%d mode=%d) with fd(%d)" % (filename, flags, mode, dummy_fd) fd_chains.create_chain(dummy_fd) fd_chains.add_log(dummy_fd, msg) print(">>> %s" % msg) elif eax == 11: # sys_execv # print(">>> ebx=0x%x, ecx=0x%x, edx=0x%x" % (ebx, ecx, edx)) - filename = uc.mem_read(ebx, FILENAME_MAX_LEN) + filename = read_string(uc, ebx) - print(">>> SYS_EXECV filename=%s" % bytearray_to_string(filename)) + print(">>> SYS_EXECV filename=%s" % filename) elif eax == 63: # sys_dup2 fd_chains.link_fd(ecx, ebx) print(">>> SYS_DUP2 oldfd=%d newfd=%d" % (ebx, ecx)) @@ -237,8 +238,19 @@ def hook_intr(uc, intno, user_data): call = uc.reg_read(UC_X86_REG_EBX) args = uc.reg_read(UC_X86_REG_ECX) - buf = uc.mem_read(args, SOCKETCALL_MAX_ARGS*SIZE_REG) - args = struct.unpack("<" + "I"*SOCKETCALL_MAX_ARGS, buf) + SOCKETCALL_NUM_ARGS = { + 1: 3, # sys_socket + 2: 3, # sys_bind + 3: 3, # sys_connect + 4: 2, # sys_listen + 5: 3, # sys_accept + 9: 4, # sys_send + 11: 4, # sys_receive + 13: 2 # sys_shutdown + } + + buf = uc.mem_read(args, SOCKETCALL_NUM_ARGS[call]*SIZE_REG) + args = struct.unpack("<" + "I"*SOCKETCALL_NUM_ARGS[call], buf) # int sys_socketcall(int call, unsigned long *args) if call == 1: # sys_socket