librex 0.0.1

data/lib/rex/pescan/scanner.rb

@@ -0,0 +1,206 @@
+module Rex
+module PeScan
+module Scanner
+
+	class Generic
+
+		attr_accessor :pe, :regex
+
+		def initialize(pe)
+			self.pe = pe
+		end
+
+		def config(param)
+		end
+
+		def scan(param)
+			config(param)
+
+			$stdout.puts "[#{param['file']}]"
+			pe.all_sections.each do |section|
+				hits = scan_section(section, param)
+				hits.each do |hit|
+					vma  = pe.rva_to_vma(hit[0])
+
+					next if (param['filteraddr'] and [vma].pack("V").reverse !~ /#{param['filteraddr']}/)
+
+					msg  = hit[1].is_a?(Array) ? hit[1].join(" ") : hit[1]
+					$stdout.puts pe.ptr_s(vma) + " " + msg
+					if(param['disasm'])
+						::Rex::Assembly::Nasm.disassemble([msg].pack("H*")).split("\n").each do |line|
+							$stdout.puts "\t#{line.strip}"
+						end
+					end
+				end
+			end
+		end
+
+		def scan_section(section, param={})
+			[]
+		end
+	end
+
+	class JmpRegScanner < Generic
+
+		def config(param)
+			regnums = param['args']
+
+			# build a list of the call bytes
+			calls  = _build_byte_list(0xd0, regnums - [4]) # note call esp's don't work..
+			jmps   = _build_byte_list(0xe0, regnums)
+			pushs1 = _build_byte_list(0x50, regnums)
+			pushs2 = _build_byte_list(0xf0, regnums)
+
+			regexstr = '('
+			if !calls.empty?
+				regexstr += "\xff[#{calls}]|"
+			end
+
+			regexstr += "\xff[#{jmps}]|([#{pushs1}]|\xff[#{pushs2}])(\xc3|\xc2..))"
+
+			self.regex = Regexp.new(regexstr, nil, 'n')
+		end
+
+		# build a list for regex of the possible bytes, based on a base
+		# byte and a list of register numbers..
+		def _build_byte_list(base, regnums)
+			regnums.collect { |regnum| Regexp.escape((base | regnum).chr) }.join('')
+		end
+
+		def _ret_size(section, index)
+			d = section.read(index, 1)
+			case d
+				when "\xc3"
+					return 1
+				when "\xc2"
+					return 3
+			end
+
+			raise RuntimeError, "invalid return opcode"
+		end
+
+		def _parse_ret(data)
+			if data.length == 1
+				return "ret"
+			else
+				return "retn 0x%04x" % data[1, 2].unpack('v')[0]
+			end
+		end
+
+
+		def scan_section(section, param={})
+			index = 0
+
+			hits  = [ ]
+
+			while (index = section.index(regex, index)) != nil
+				rva     = section.offset_to_rva(index)
+				message = ''
+
+				parse_ret = false
+
+				byte1 = section.read(index, 1).unpack("C*")[0]
+
+				if byte1 == 0xff
+					byte2   = section.read(index+1, 1).unpack("C*")[0]
+					regname = Rex::Arch::X86.reg_name32(byte2 & 0x7)
+
+					case byte2 & 0xf8
+					when 0xd0
+						message = "call #{regname}"
+						index += 2
+					when 0xe0
+						message = "jmp #{regname}"
+						index += 2
+					when 0xf0
+						retsize = _ret_size(section, index+2)
+						message = "push #{regname}; " + _parse_ret(section.read(index+2, retsize))
+						index += 2 + retsize
+					else
+						raise "wtf"
+					end
+				else
+					regname = Rex::Arch::X86.reg_name32(byte1 & 0x7)
+					retsize = _ret_size(section, index+1)
+					message = "push #{regname}; " + _parse_ret(section.read(index+1, retsize))
+					index += 1 + retsize
+				end
+
+				hits << [ rva, message ]
+			end
+
+			return hits
+		end
+	end
+
+	class PopPopRetScanner < JmpRegScanner
+
+		def config(param)
+			pops = _build_byte_list(0x58, (0 .. 7).to_a - [4]) # we don't want pop esp's...
+			self.regex = Regexp.new("[#{pops}][#{pops}](\xc3|\xc2..)", nil, 'n')
+		end
+
+		def scan_section(section, param={})
+
+			index = 0
+
+			hits  = [ ]
+
+			while index < section.size && (index = section.index(regex, index)) != nil
+				rva     = section.offset_to_rva(index)
+				message = ''
+
+				pops = section.read(index, 2)
+				reg1 = Rex::Arch::X86.reg_name32(pops[0,1].unpack("C*")[0] & 0x7)
+				reg2 = Rex::Arch::X86.reg_name32(pops[1,1].unpack("C*")[0] & 0x7)
+
+				message = "pop #{reg1}; pop #{reg2}; "
+
+				retsize = _ret_size(section, index+2)
+				message += _parse_ret(section.read(index+2, retsize))
+
+				index += 2 + retsize
+
+				hits << [ rva, message ]
+			end
+
+			return hits
+		end
+	end
+
+	class RegexScanner < Generic
+
+		def config(param)
+			self.regex = Regexp.new(param['args'], nil, 'n')
+		end
+
+		def scan_section(section, param={})
+			index = 0
+
+			hits  = [ ]
+
+			while index < section.size && (index = section.index(regex, index)) != nil
+
+				idx = index
+				buf = ''
+				mat = nil
+
+				while (! (mat = buf.match(regex)))
+					buf << section.read(idx, 1)
+					idx += 1
+				end
+
+				rva = section.offset_to_rva(index)
+
+				hits << [ rva, buf.unpack("H*") ]
+				index += buf.length
+			end
+
+			return hits
+		end
+	end
+
+end
+end
+end
+

data/lib/rex/pescan/search.rb

@@ -0,0 +1,56 @@
+module Rex
+module PeScan
+module Search
+
+	require "rex/assembly/nasm"
+	
+	class DumpRVA
+		attr_accessor :pe
+		
+		def initialize(pe)
+			self.pe = pe
+		end
+		
+		def config(param)
+			@address = pe.vma_to_rva(param['args'])
+		end
+		
+		def scan(param)
+			config(param)
+			
+			$stdout.puts "[#{param['file']}]"
+			
+			# Adjust based on -A and -B flags
+			pre = param['before'] || 0
+			suf = param['after']  || 16
+			
+			@address -= pre
+			@address = 0 if (@address < 0 || ! @address)
+			
+			begin
+				buf = pe.read_rva(@address, suf)
+			rescue ::Rex::PeParsey::WtfError
+				return
+			end
+			
+			$stdout.puts pe.ptr_s(pe.rva_to_vma(@address)) + " " + buf.unpack("H*")[0]
+			if(param['disasm'])
+				::Rex::Assembly::Nasm.disassemble(buf).split("\n").each do |line|
+					$stdout.puts "\t#{line.strip}"
+				end
+			end
+			
+		end	
+	end
+
+	class DumpOffset < DumpRVA
+		def config(param)
+			begin
+				@address = pe.file_offset_to_rva(param['args'])
+			rescue Rex::PeParsey::BoundsError
+			end
+		end
+	end	
+end
+end
+end

data/lib/rex/platforms.rb

@@ -0,0 +1 @@
+require 'rex/platforms/windows'

data/lib/rex/platforms/windows.rb

@@ -0,0 +1,51 @@
+module Rex
+module Platforms
+module Windows
+
+
+
+#
+# Windows Registry Constants
+#
+	REG_NONE = 1
+	REG_SZ = 1
+	REG_EXPAND_SZ = 2
+	REG_BINARY = 3
+	REG_DWORD = 4
+	REG_LITTLE_ENDIAN = 4
+	REG_BIG_ENDIAN = 5
+	REG_LINK = 6
+	REG_MULTI_SZ = 7
+
+	HKEY_CLASSES_ROOT = 0x80000000
+	HKEY_CURRENT_USER = 0x80000001
+	HKEY_LOCAL_MACHINE = 0x80000002
+	HKEY_USERS = 0x80000003
+	HKEY_PERFORMANCE_DATA = 0x80000004
+	HKEY_CURRENT_CONFIG = 0x80000005
+	HKEY_DYN_DATA = 0x80000006
+
+	def registry_hive_lookup(hive)
+		case hive
+		when 'HKCR'
+			HKEY_LOCAL_MACHINE
+		when 'HKCU'
+			HKEY_CURRENT_USER
+		when 'HKLM'
+			HKEY_LOCAL_MACHINE
+		when 'HKU'
+			HKEY_USERS
+		when 'HKPD'
+			HKEY_PERFORMANCE_DATA
+		when 'HKCC'
+			HKEY_CURRENT_CONFIG
+		when 'HKDD'
+			HKEY_DYN_DATA
+		else
+			HKEY_LOCAL_MACHINE
+		end
+	end
+	
+end
+end
+end

data/lib/rex/poly.rb

@@ -0,0 +1,132 @@
+module Rex
+module Poly
+
+require 'rex/poly/register'
+require 'rex/poly/block'
+
+###
+#
+# This class encapsulates the state of a single polymorphic block set
+# generation.  It tracks the current set of consumed registers, the linear
+# list of blocks generated, the end-result buffer, and the phase of
+# generation.  The fields exposed by the State class are intended for use only
+# by the polymorphic generation subsystem and should not be modified directly.
+#
+###
+class State
+
+	#
+	# Initializes the polymorphic generation state.
+	#
+	def initialize
+		@block_list = nil
+		reset
+	end
+
+	#
+	# Resets the generation state to have a plain start by clearing all
+	# consumed registers, resetting the polymorphic buffer back to its
+	# beginning and destroying any block generation state.
+	#
+	def reset
+		# Reset the generation flag on any blocks in the block list
+		@block_list.each { |block|
+			block[0].generated = false
+		} if (@block_list)
+
+		@regnums     = Hash.new
+		@buffer      = ''
+		@block_list  = []
+		@curr_offset = 0
+		@first_phase = true
+		@badchars    = nil
+	end
+
+	#
+	# Returns true if the supplied register number is already consumed.
+	#
+	def consumed_regnum?(regnum)
+		@regnums[regnum]
+	end
+
+	#
+	# Consumes a register number, thus removing it from the pool that can be
+	# assigned.  The consumed register number is returned to the caller.
+	#
+	def consume_regnum(regnum)
+		raise RuntimeError, "Register #{regnum} is already consumed." if (consumed_regnum?(regnum))
+
+		@regnums[regnum] = true	
+
+		regnum
+	end
+
+	#
+	# Acquires a register number that has not already been consumed from the
+	# supplied register number set and consumes it, returning the selected
+	# register number to the caller.  The register number is selected from the
+	# set at random.
+	#
+	def consume_regnum_from_set(regnum_set)
+		# Pick a random starting point within the supplied set.
+		idx = rand(regnum_set.length)
+
+		# Try each index in the set.
+		regnum_set.length.times { |x|
+			regnum = regnum_set[(idx + x) % regnum_set.length]
+
+			next if (consumed_regnum?(regnum))
+
+			return consume_regnum(regnum)
+		}
+
+		# If we get through the entire iteration without finding a register,
+		# then we are out of registers to assign.
+		raise RuntimeError, "No registers are available to consume from the set"
+	end
+
+	#
+	# Eliminates a register number from the consumed pool so that it can be
+	# used in the future.  This happens after a block indicates that a register
+	# has been clobbered.
+	#
+	def defecate_regnum(regnum)
+		@regnums.delete(regnum)
+	end
+
+	#
+	# The buffer state for the current polymorphic generation.  This stores the
+	# end-result of a call to generate on a LogicalBlock.
+	#
+	attr_accessor :buffer
+
+	#
+	# The linear list of blocks that is generated by calling the generate
+	# method on a LogicalBlock.
+	#
+	attr_accessor :block_list
+
+	#
+	# The current offset into the polymorphic buffer that is being generated.
+	# This is updated as blocks are appended to the block_list.
+	#
+	attr_accessor :curr_offset
+
+	#
+	# A boolean field that is used by the LogicalBlock class to track whether
+	# or not it is in the first phase (generating the block list), or in the
+	# second phase (generating the polymorphic buffer).  This phases are used
+	# to indicate whether or not the offset_of and regnum_of methods will
+	# return actual results.
+	#
+	attr_accessor :first_phase
+
+	#
+	# Characters to avoid when selecting permutations, if any.
+	#
+	attr_accessor :badchars
+
+end
+
+end
+end