iZsh-ragweed 0.1.8

data/lib/ragweed/rasm/util.rb

@@ -0,0 +1,26 @@
+# Cheating; monkeypatching Object is evil.
+class Object
+  # self-evident
+  def callable?; respond_to? :call; end
+  def number?; kind_of? Numeric; end
+
+  # while X remains callable, keep calling it to get its value
+  def derive
+    x = self
+    while x.callable?
+      x = x()
+    end
+    return x
+  end
+end
+
+# class String
+#   # this is just horrible
+#   def distorm
+#     Frasm::DistormDecoder.new.decode(self)
+#   end
+# 
+#   def disasm
+#     distorm.each {|i| puts i.mnem}
+#   end
+# end

data/lib/ragweed/sbuf.rb

@@ -0,0 +1,197 @@
+# Stolen (mostly) from Net::SSH
+
+# a* string a10 string 10 bytes A* string trimmed
+# C uchar
+# L native u32, l signed
+# N BE u32, n 16
+# Qq quad
+# Ss native u16
+# Vv LE u32
+
+# Encapsulate a buffer of data with structured data accessors
+class Ragweed::Sbuf
+  attr_reader :content
+  attr_accessor :position
+
+  def self.from(*args)
+    raise ArgumentError, "odd argument count" if args.length.odd?
+
+    b = self.new
+    while not args.empty?
+      t = args.shift; v = args.shift
+      if t == :raw
+        b.straw(v)
+      elsif v.kind_of? Array
+        b.st t, *v
+      else
+        b.st t, v
+      end
+    end
+
+    return b
+  end
+
+  def st(t, *args)
+    send "st#{ t }", *args
+  end
+
+  def straw(*args)
+    args.each do |raw|
+      @content << raw.to_s
+    end
+    self
+  end
+
+  def initialize(opts={})
+    @content = opts[:content] || ""
+    @position = 0
+  end
+
+  def consume!(n=position)
+    if(n >= length); clear!
+    elsif n > 0
+      @content = remainder(n)
+      @position -= n
+      @position = 0 if @position < 0
+    end
+    self
+  end
+
+  def ldraw(n=length)
+    n = ((self.length) - position) if(position + n > length)
+    @position += n
+    @content[position-n, n]
+  end
+
+  def ld(t, *args)
+    return ldraw(t) if t.kind_of? Numeric
+
+    begin
+      send "ld#{ t }", *args
+    rescue => e
+      case t.to_s
+      when /^strz(\d+)?/
+        n = $1.to_i if not $1.empty?
+        n ||= 0
+        ldsz(n)
+      when /^strs(\d+)?/
+        n = $1.to_i if not $1.empty?
+        n ||= 0
+        ldss(n)
+      else
+        raise e
+      end
+    end
+  end
+
+  def sz(t, *args); self.class.sz(t, *args); end
+  def self.sz(t, *args)
+    begin
+      send "sz#{ t }", *args
+    rescue => e
+      case t.to_s
+      when /^strz(\d+)/
+        $1.to_i
+      when /^strs(\d+)/
+        $1.to_i
+      when /^str.*/
+        raise Exception, "can't take size of unbounded string"
+      else
+        raise e
+      end
+    end
+  end
+
+  def shraw(n=length)
+    ret = ldraw(n)
+    consume!
+    return ret
+  end
+
+  def sh(t, *args)
+    return shraw(t) if t.kind_of? Numeric
+    ret = send "ld#{ t }", *args
+    consume!
+    return ret
+  end
+
+  def ldsz(n=0)
+    n = @content.size - @position if n == 0
+    ld(n).unpack("a#{ n }").first
+  end
+
+  def ldss(n=0)
+    n = @content.size - @position if n == 0
+    ld(n).unpack("A#{ n }").first
+  end
+
+  def length; @content.length; end
+  def size; @content.size; end
+  def empty?; @content.empty?; end
+
+  def available; length - position; end
+  alias_method :remaining, :available
+
+  def to_s; @content.dup; end
+  def ==(b); to_s == b.to_s; end
+  def reset; @position = 0; end
+  def eof?; @position >= length; end
+  def clear!; @content = "" and reset; end
+  def remainder(n = position); @content[n..-1] || ""; end
+  def remainder_as_buffer(t=Sbuf); t.new(:content => remainder); end
+
+  def self.szl64; 8; end
+  def self.szb64; 8; end
+  def self.szn64; 8; end
+
+  def ldl64; ld(8).unpack("Q").first; end
+  def ldb64; ld(8).reverse.unpack("Q").first; end
+  alias_method :ldn64, :ldb64
+
+  def stl64(v); straw([v].pack("Q")); end
+  def stb64(v); straw([v].pack("Q").reverse); end
+  alias_method :stn64, :stb64
+
+  def self.szl32; 4; end
+  def self.szb32; 4; end
+  def self.szn32; 4; end
+
+  def ldl32; ld(4).unpack("L").first; end
+  def ldb32; ld(4).unpack("N").first; end
+  alias_method :ldn32, :ldb32
+
+  def stl32(v); straw([v].pack("L")); end
+  def stb32(v); straw([v].pack("N")); end
+  alias_method :stn32, :stb32
+
+  def self.szl16; 2; end
+  def self.szb16; 2; end
+  def self.szn16; 2; end
+
+  def ldl16; ld(2).unpack("v").first; end
+  def ldb16; ld(2).unpack("n").first; end
+  alias_method :ldn16, :ldb16
+
+  def stl16(v); straw([v].pack("v")); end
+  def stb16(v); straw([v].pack("n")); end
+  alias_method :stn16, :stb16
+
+  def self.szl8; 1; end;
+  def self.szb8; 1; end;
+  def self.szn8; 1; end;
+
+  def ldl8; ld(1)[0]; end
+  def ldb8; ldl8; end
+  alias_method :ldn8, :ldb8
+
+  def stl8(v)
+    if v.kind_of? String
+      straw(v[0].chr)
+    else
+      straw([v].pack("c"))
+    end
+  end
+
+  def stb8(v); stl8(v); end
+  alias_method :stn8, :stb8
+end

data/lib/ragweed/trampoline.rb

@@ -0,0 +1,103 @@
+class Ragweed::Trampoline
+
+  # Normally called through WinProcess#remote_call, but, for
+  # what it's worth: needs a WinProcess instance and a location,
+  # which can be a string module!function or a pointer.
+  def initialize(p, loc, opts={})
+    @p = p
+    @loc = @p.get_proc loc
+    @argc = opts[:argc]
+    @a = @p.arena
+    @mem = @a.alloc(1024)
+    @arg_mem = @mem + 512
+    @wait = opts[:wait] || true
+    @chicken = opts[:chicken] 
+    @opts = opts
+  end
+
+  # Call the remote function. Returns the 32 bit EAX return value provided
+  # by stdcall. 
+  def call(*args)
+    raise "Insufficient Arguments" if @argc and @argc != args.size
+    
+    @shim = Ragweed::Blocks::remote_trampoline(args.size, @opts)
+
+    # Won't leak memory.
+    @p.arena do |a|
+      # 1024 is a SWAG. Divide it in half, one for the trampoline
+      # (which is unrolled, because I am lazy and dumb) and the other
+      # for the call stack.
+      base = @p.ptr(a.alloc(1024))
+      
+      argm = base + 512
+      cur = argm
+
+      # Write the location for the tramp to call
+      cur.write(@loc)
+      cur += 4
+
+      # Write the function arguments into the call stack.
+      (0...args.size).each_backwards do |i|
+        if args[i].kind_of? Integer
+          val = args[i].to_l32
+        elsif args[i].kind_of? String
+          stash = a.copy(args[i])
+          val = stash.to_l32
+        else
+          val = args[i].to_s
+        end
+        cur.write(val)
+        cur += 4
+      end if args.size.nonzero?
+
+      # Write a placeholder for the return value
+      cur.write(0xDEADBEEF.to_l32)
+
+      # Write the tramp
+      s = @shim.assemble
+      base.write(s)
+
+      th = Wrap32::create_remote_thread(@p.handle, base, argm)
+      Wrap32::wait_for_single_object(th) if @wait
+      Wrap32::close_handle(th)
+      ret = @p.read32(cur)
+      if ret == 0xDEADBEEF
+        ret = nil
+      end
+      ret
+    end
+  end
+end
+
+class Trevil
+  def initialize(p)
+    @p = p
+    @ev1, @ev2 = [WinEvent.new, WinEvent.new]
+    @a = @p.arena
+  end
+
+  def clear!
+    @a.release
+  end
+
+  def go
+    mem = @a.alloc(1024)
+    base = @p.ptr(mem)
+    data = base + 512
+    swch = ["OpenProcess",
+            "DuplicateHandle",
+            "ResetEvent",
+            "SetEvent",
+            "WaitForSingleObject"].
+      map {|x| @p.get_proc("kernel32!#{x}").to_i}.
+      pack("LLLLL")
+    state = [Wrap32::get_current_process_id, @ev1.handle, @ev2.handle].
+      pack("LLL")
+
+    data.write(swch + state)
+    base.write(event_pair_stub(:debug => false).assemble)
+    Wrap32::create_remote_thread(@p.handle, base, data)
+    @ev1.wait
+    @ev2
+  end
+end

data/lib/ragweed/utils.rb

@@ -0,0 +1,88 @@
+# These should probably be extensions to Module since that's the location of instance_eval and friends.
+class Object
+    module ObjectExtensions
+      # Every object has a "singleton" class, which you can think
+      # of as the class (ie, 1.metaclass =~ Fixnum) --- but that you
+      # can modify and extend without fucking up the actual class.
+      def metaclass; class << self; self; end; end
+      def meta_eval(&blk) metaclass.instance_eval &blk; end
+      def meta_def(name, &blk) meta_eval { define_method name, &blk }; end
+      def try(meth, *args); send(meth, *args) if respond_to? meth; end
+
+      def through(meth, *args)
+          if respond_to? meth
+              send(meth, *args)
+          else
+              self
+          end
+      end
+
+      ## This is from Topher Cyll's Stupd IRB tricks
+      def mymethods
+        (self.methods - self.class.superclass.methods).sort
+      end
+    end
+    include ObjectExtensions
+end
+
+class String
+  def to_l32; unpack("L").first; end
+  def to_b32; unpack("N").first; end
+  def to_l16; unpack("v").first; end
+  def to_b16; unpack("n").first; end
+  def to_u8; self[0]; end
+  def shift_l32; shift(4).to_l32; end
+  def shift_b32; shift(4).to_b32; end
+  def shift_l16; shift(2).to_l16; end
+  def shift_b16; shift(2).to_b16; end
+  def shift_u8; shift(1).to_u8; end
+  
+  def shift(count=1)
+      return self if count == 0
+      slice! 0..(count-1)
+  end
+end
+
+class Integer
+  module IntegerExtensions
+    # Convert integers to binary strings
+    def to_l32; [self].pack "L"; end
+    def to_b32; [self].pack "N"; end
+    def to_l16; [self].pack "v"; end
+    def to_b16; [self].pack "n"; end
+    def to_u8; [self].pack "C"; end
+    def ffs
+      i = 0
+      v = self
+      while((v >>= 1) != 0)
+          i += 1
+      end
+      return i
+    end
+  end
+  include IntegerExtensions
+end
+
+class Module
+  def flag_dump(i)
+    @bit_map ||= constants.map do |k|
+      [k, const_get(k.intern).ffs]
+    end.sort {|x, y| x[1] <=> y[1]}
+
+    last = 0
+    r = ""
+    @bit_map.each do |tup|
+      if((v = (tup[1] - last)) > 1)
+        r << ("." * (v-1))
+      end
+
+      if((i & (1 << tup[1])) != 0)
+        r << tup[0][0].chr
+      else
+        r << tup[0][0].chr.downcase
+      end
+      last = tup[1]
+    end
+    return r.reverse
+  end
+end

data/lib/ragweed/wrap32.rb

@@ -0,0 +1,53 @@
+# Dir[File.expand_path("#{File.dirname(__FILE__)}/wrap32/*.rb")].each do |file|
+#   require file
+# end
+module Ragweed; end
+module Ragweed::Wrap32
+
+  # :stopdoc:
+  VERSION = '0.1.6'
+  LIBPATH = ::File.expand_path(::File.dirname(__FILE__)) + ::File::SEPARATOR
+  PATH = ::File.dirname(LIBPATH) + ::File::SEPARATOR
+  # :startdoc:
+
+  # Returns the version string for the library.
+  #
+  def self.version
+    VERSION
+  end
+
+  # Returns the library path for the module. If any arguments are given,
+  # they will be joined to the end of the libray path using
+  # <tt>File.join</tt>.
+  #
+  def self.libpath( *args )
+    args.empty? ? LIBPATH : ::File.join(LIBPATH, args.flatten)
+  end
+
+  # Returns the lpath for the module. If any arguments are given,
+  # they will be joined to the end of the path using
+  # <tt>File.join</tt>.
+  #
+  def self.path( *args )
+    args.empty? ? PATH : ::File.join(PATH, args.flatten)
+  end
+
+  # Utility method used to require all files ending in .rb that lie in the
+  # directory below this file that has the same name as the filename passed
+  # in. Optionally, a specific _directory_ name can be passed in such that
+  # the _filename_ does not have to be equivalent to the directory.
+  #
+  def self.require_all_libs_relative_to( fname, dir = nil )
+    dir ||= ::File.basename(fname, '.*')
+    search_me = ::File.expand_path(
+        ::File.join(::File.dirname(fname), dir, '**', '*.rb'))
+    
+    Dir.glob(search_me).sort.each {|rb| require rb}
+    # require File.dirname(File.basename(__FILE__)) + "/#{x}"
+
+  end
+end  # module Ragweed::Wrap32
+
+Ragweed::Wrap32.require_all_libs_relative_to(__FILE__)
+
+# EOF