make sample_network_auditing.py runnable

This commit is contained in:
Kong Nguyen 2015-08-26 22:40:41 +08:00
parent b9c0aee009
commit 4d7b7c1d5e

View file

@ -10,8 +10,7 @@ import uuid
import random import random
SIZE_REG = 4 SIZE_REG = 4
SOCKETCALL_MAX_ARGS = 6 SOCKETCALL_MAX_ARGS = 3
FILENAME_MAX_LEN = 128
SOCKET_TYPES = { SOCKET_TYPES = {
1: "SOCK_STREAM", 1: "SOCK_STREAM",
@ -133,15 +132,17 @@ def bin_to_ipv4(ip):
(ip & 0xff00) >> 8, (ip & 0xff00) >> 8,
(ip & 0xff)) (ip & 0xff))
def bytearray_to_string(ba): def read_string(uc, addr):
ret = "" ret = ""
i = 0 c = uc.mem_read(addr, 1)[0]
while i < len(ba) and ba[i] != 0x0: read_bytes = 1
ret += chr(ba[i])
while c != 0x0:
ret += chr(c)
c = uc.mem_read(addr+read_bytes, 1)[0]
read_bytes += 1
i += 1
return ret return ret
def parse_sock_address(sock_addr): def parse_sock_address(sock_addr):
@ -189,9 +190,9 @@ def hook_intr(uc, intno, user_data):
buf = ecx buf = ecx
count = edx count = edx
dummy_content = str(uuid.uuid1()) dummy_content = str(uuid.uuid1())[:32]
if len(dummy_content) > count: if len(dummy_content) > count:
dummy_content = dummy_content[:count] dummy_content = dummy_content[:count]
uc.mem_write(buf, dummy_content) uc.mem_write(buf, dummy_content)
@ -206,7 +207,7 @@ def hook_intr(uc, intno, user_data):
content = uc.mem_read(buf, count) content = uc.mem_read(buf, count)
msg = "write data=%s count=%d to fd(%d)" % (bytearray_to_string(content), count, fd) msg = "write data=%s count=%d to fd(%d)" % (content, count, fd)
print(">>> %s" % msg) print(">>> %s" % msg)
fd_chains.add_log(fd, msg) fd_chains.add_log(fd, msg)
@ -214,21 +215,21 @@ def hook_intr(uc, intno, user_data):
filename_addr = ebx filename_addr = ebx
flags = ecx flags = ecx
mode = edx mode = edx
filename = uc.mem_read(filename_addr, FILENAME_MAX_LEN) filename = read_string(uc, filename_addr)
dummy_fd = id_gen.next() dummy_fd = id_gen.next()
uc.reg_write(UC_X86_REG_EAX, dummy_fd) uc.reg_write(UC_X86_REG_EAX, dummy_fd)
msg = "open file (filename=%s flags=%d mode=%d) with fd(%d)" % (bytearray_to_string(filename), flags, mode, dummy_fd) msg = "open file (filename=%s flags=%d mode=%d) with fd(%d)" % (filename, flags, mode, dummy_fd)
fd_chains.create_chain(dummy_fd) fd_chains.create_chain(dummy_fd)
fd_chains.add_log(dummy_fd, msg) fd_chains.add_log(dummy_fd, msg)
print(">>> %s" % msg) print(">>> %s" % msg)
elif eax == 11: # sys_execv elif eax == 11: # sys_execv
# print(">>> ebx=0x%x, ecx=0x%x, edx=0x%x" % (ebx, ecx, edx)) # print(">>> ebx=0x%x, ecx=0x%x, edx=0x%x" % (ebx, ecx, edx))
filename = uc.mem_read(ebx, FILENAME_MAX_LEN) filename = read_string(uc, ebx)
print(">>> SYS_EXECV filename=%s" % bytearray_to_string(filename)) print(">>> SYS_EXECV filename=%s" % filename)
elif eax == 63: # sys_dup2 elif eax == 63: # sys_dup2
fd_chains.link_fd(ecx, ebx) fd_chains.link_fd(ecx, ebx)
print(">>> SYS_DUP2 oldfd=%d newfd=%d" % (ebx, ecx)) print(">>> SYS_DUP2 oldfd=%d newfd=%d" % (ebx, ecx))
@ -237,8 +238,19 @@ def hook_intr(uc, intno, user_data):
call = uc.reg_read(UC_X86_REG_EBX) call = uc.reg_read(UC_X86_REG_EBX)
args = uc.reg_read(UC_X86_REG_ECX) args = uc.reg_read(UC_X86_REG_ECX)
buf = uc.mem_read(args, SOCKETCALL_MAX_ARGS*SIZE_REG) SOCKETCALL_NUM_ARGS = {
args = struct.unpack("<" + "I"*SOCKETCALL_MAX_ARGS, buf) 1: 3, # sys_socket
2: 3, # sys_bind
3: 3, # sys_connect
4: 2, # sys_listen
5: 3, # sys_accept
9: 4, # sys_send
11: 4, # sys_receive
13: 2 # sys_shutdown
}
buf = uc.mem_read(args, SOCKETCALL_NUM_ARGS[call]*SIZE_REG)
args = struct.unpack("<" + "I"*SOCKETCALL_NUM_ARGS[call], buf)
# int sys_socketcall(int call, unsigned long *args) # int sys_socketcall(int call, unsigned long *args)
if call == 1: # sys_socket if call == 1: # sys_socket