metasm 1.0.0

data/samples/elf_list_needed.rb

@@ -0,0 +1,46 @@
+#!/usr/bin/env ruby
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+#
+# this script reads a list of elf files, and lists its dependencies recursively
+# libraries are searched in LD_LIBRARY_PATH, /usr/lib and /lib
+# includes the elf interpreter
+# can be useful when chrooting a binary
+#
+
+require 'metasm'
+
+
+paths = ENV['LD_LIBRARY_PATH'].to_s.split(':') + %w[/usr/lib /lib]
+todo = ARGV.map { |file| (file[0] == ?/) ? file : "./#{file}" }
+done = []
+while src = todo.shift
+	puts src
+	# could do a simple ELF.decode_file, but this is quicker
+	elf = Metasm::ELF.decode_file_header(src)
+
+	if s = elf.segments.find { |s_| s_.type == 'INTERP' }
+		interp = elf.encoded[s.offset, s.filesz].data.chomp("\0")
+		if not done.include? interp
+			puts interp
+			done << interp
+		end
+	end
+
+	elf.decode_tags
+	elf.decode_segments_tags_interpret
+	deps = elf.tag['NEEDED'].to_a - done
+	done.concat deps
+
+	deps.each { |dep|
+		if not path = paths.find { |path_| File.exist? File.join(path_, dep) }
+			$stderr.puts "cannot find #{dep} for #{src}"
+		else
+			todo << File.join(path, dep)
+		end
+	}
+end

data/samples/elf_listexports.rb

@@ -0,0 +1,33 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+#
+# this script takes a list of dll filenames as arguments, and outputs each lib export
+# libname, followed by the list of the exported symbol names, in a format usable
+# by the Elf class autoimport functionnality (see metasm/os/linux.rb)
+#
+
+require 'metasm'
+
+bd = 'GLOBAL'
+bd = 'WEAK' if ARGV.delete '--weak'
+obj = true if ARGV.delete '--obj'
+
+ARGV.each { |f|
+	e = Metasm::ELF.decode_file(f)
+	next if not e.tag['SONAME']
+	puts e.tag['SONAME']
+	line = ''
+	e.symbols.find_all { |s|
+		s.name and (obj ? s.type != 'FUNC' : s.type == 'FUNC') and s.shndx != 'UNDEF' and s.bind == bd
+	}.map { |s| ' ' << s.name }.sort.each { |s|
+		if line.length + s.length >= 160
+			puts line
+			line = ''
+		end
+		line << s
+	}
+	puts line if not line.empty?
+}

data/samples/elfencode.rb

@@ -0,0 +1,25 @@
+#!/usr/bin/env ruby
+
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+require 'metasm'
+$opts = { :execlass => Metasm::ELF, :exetype => :lib }
+load File.join(File.dirname(__FILE__), 'exeencode.rb')
+
+__END__
+.pt_gnu_stack rw
+// .nointerp    // to disable the dynamic section, eg for stuff with int80 only
+.text
+.entrypoint
+push bla
+push fmt
+call printf
+push 0
+call exit
+
+.data
+bla db "world", 0
+fmt db "Hello, %s !\n", 0

data/samples/exeencode.rb

@@ -0,0 +1,128 @@
+#!/usr/bin/env ruby
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+#
+# this sample shows how to compile an executable file from source
+# use --exe PE to compile a PE/ELF/MachO etc
+# use --cpu MIPS/--16/--be to change the CPU
+# the arg is a source file (c or asm) (some arch may not yet support C compiling)
+# defaults to encoding a shellcode, use --exe to override (or the scripts samples/{elf,pe}encode)
+# to compile a shellcode to a cstring, use --cstring
+#
+
+require 'metasm'
+require 'optparse'
+
+$opts ||= {}
+$opts = {
+ :execlass => Metasm::Shellcode,
+ :cpu => Metasm::Ia32.new,
+ :exetype => :bin,
+ :macros => {}
+}.merge($opts)
+
+OptionParser.new { |opt|
+	opt.on('-o file', 'output filename') { |f| $opts[:outfilename] = f }
+	opt.on('-f') { $opts[:overwrite_outfile] = true }
+	opt.on('--c', 'parse source as a C file') { $opts[:srctype] = 'c' }
+	opt.on('--asm', 'parse asm as an ASM file') { $opts[:srctype] = 'asm' }
+	opt.on('--stdin', 'parse source on stdin') { ARGV << '-' }
+	opt.on('-v', '-W', 'verbose') { $VERBOSE=true }
+	opt.on('-d', 'debug') { $DEBUG=$VERBOSE=true }
+	opt.on('-D var=val', 'define a preprocessor macro') { |v| v0, v1 = v.split('=', 2) ; $opts[:macros][v0] = v1 }
+	opt.on('--cstring', 'encode output as a C string') { $opts[:to_string] = :c }
+	opt.on('--jsstring', 'encode output as a js string') { $opts[:to_string] = :js }
+	opt.on('--string', 'encode output as a string to stdout') { $opts[:to_string] = :inspect }
+	opt.on('--varname name', 'the variable name for string output') { |v| $opts[:varname] = v }
+	opt.on('-e class', '--exe class', 'use a specific ExeFormat class') { |c| $opts[:execlass] = Metasm.const_get(c) }
+	opt.on('--cpu cpu', 'use a specific CPU class') { |c| $opts[:cpu] = Metasm.const_get(c).new }
+	# must come after --cpu in commandline
+	opt.on('--16', 'set cpu in 16bit mode') { $opts[:cpu].size = 16 }
+	opt.on('--le', 'set cpu in little-endian mode') { $opts[:cpu].endianness = :little }
+	opt.on('--be', 'set cpu in big-endian mode') { $opts[:cpu].endianness = :big }
+	opt.on('--fno-pic', 'generate position-dependant code') { $opts[:cpu].generate_PIC = false }
+	opt.on('--shared', 'generate shared library') { $opts[:exetype] = :lib }
+	opt.on('--ruby-module-hack', 'use the dynldr module hack to use any ruby lib available for ruby symbols') { $opts[:dldrhack] = true }
+}.parse!
+
+src = $opts[:macros].map { |k, v| "#define #{k} #{v}\n" }.join
+
+if file = ARGV.shift
+	$opts[:srctype] ||= 'c' if file =~ /\.c$/
+	if file == '-'
+		src << $stdin.read
+	else
+		src << File.read(file)
+	end
+else
+	$opts[:srctype] ||= $opts[:srctype_data]
+	src << DATA.read	# the text after __END__ in this file
+end
+
+if $opts[:outfilename] and not $opts[:overwrite_outfile] and File.exist?($opts[:outfilename])
+		abort "Error: target file exists !"
+end
+
+if $opts[:srctype] == 'c'
+	exe = $opts[:execlass].compile_c($opts[:cpu], src, file)
+else
+	exe = $opts[:execlass].assemble($opts[:cpu], src, file)
+end
+
+if $opts[:to_string]
+	str = exe.encode_string
+
+	$opts[:varname] ||= File.basename(file.to_s)[/^\w+/] || 'sc'	# derive varname from filename
+	case $opts[:to_string]
+	when :inspect
+		str = "#{$opts[:varname]} = #{str.inspect}"
+	when :c
+		str = ["unsigned char #{$opts[:varname]}[#{str.length}] = "] + str.scan(/.{1,19}/m).map { |l|
+			'"' + l.unpack('C*').map { |c| '\\x%02x' % c }.join + '"'
+		}
+		str.last << ?;
+	when :js
+		str << 0 if str.length & 1 != 0
+		str = ["#{$opts[:varname]} = "] + str.scan(/.{2,20}/m).map { |l|
+			'"' + l.unpack($opts[:cpu].endianness == :little ? 'v*' : 'n*').map { |c| '%%u%04x' % c }.join + '"+'
+		}
+		str.last[-1] = ?;
+	end
+
+	if of = $opts[:outfilename]
+		abort "Error: target file #{of.inspect} exists !" if File.exists? of and not $opts[:overwrite_outfile]
+		File.open(of, 'w') { |fd| fd.puts str }
+		puts "saved to file #{of.inspect}"
+	else
+		puts str
+	end
+else
+	of = $opts[:outfilename] ||= 'a.out'
+	abort "Error: target file #{of.inspect} exists !" if File.exists? of and not $opts[:overwrite_outfile]
+	Metasm::DynLdr.compile_binary_module_hack(exe) if $opts[:dldrhack]
+	exe.encode_file(of, $opts[:exetype])
+	puts "saved to file #{of.inspect}"
+end
+
+__END__
+#include <asm/unistd.h>
+jmp getip
+gotip:
+mov eax, __NR_write
+mov ebx, 1
+pop ecx
+mov edx, strend-str
+int 80h
+
+mov eax, __NR_exit
+mov ebx, 1
+int 80h
+
+getip:
+call gotip
+
+str db "Hello, world!", 0xa
+strend:

data/samples/factorize-headers-elfimports.rb

@@ -0,0 +1,77 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+#
+# this exemple illustrates the use of the cparser/preprocessor #factorize functionnality:
+# it generates code that references to the functions imported by an ELF executable
+# usage: factorize-imports.rb <exe> [<path to include dir>] [<additional func names>... !<func to exclude>]
+#
+
+require 'metasm'
+include Metasm
+
+require 'optparse'
+opts = { :hdrs => [], :defs => {}, :path => [] }
+OptionParser.new { |opt|
+	opt.on('-o outfile') { |f| opts[:outfile] = f }
+	opt.on('-H additional_header') { |f| opts[:hdrs] << f }
+	opt.on('--exe executable') { |f| opts[:exe] = f }
+	opt.on('-I path', '--includepath path') { |f| opts[:path] << f }
+	opt.on('-D var') { |f| k, v = f.split('=', 2) ; opts[:defs].update k => (v || '') }
+	opt.on('--gcc') { opts[:gcc] = true }
+	opt.on('--vs', '--visualstudio') { opts[:vs] = true }
+}.parse!(ARGV)
+
+exe = AutoExe.decode_file_header(opts[:exe] || ARGV.shift)
+opts[:path] ||= [ARGV.shift] if not ARGV.empty?
+
+case exe
+when PE
+	exe.decode_imports
+	funcnames = exe.imports.map { |id| id.imports.map { |i| i.name } }
+when ELF
+	exe.decode_segments_dynamic
+	funcnames = exe.symbols.map { |s| s.name if s.shndx == 'UNDEF' and s.type == 'FUNC' }
+	opts[:hdrs] << 'stdio.h' << 'stdlib.h' << 'unistd.h'
+	opts[:gcc] = true if not opts[:vs]
+else raise "unsupported #{exe.class}"
+end
+
+funcnames = funcnames.flatten.compact.uniq.sort
+
+ARGV.each { |n|
+	if n[0] == ?!
+		funcnames.delete n[1..-1]
+	else
+		funcnames |= [n]
+	end
+}
+
+src = opts[:hdrs].map { |h| "#include <#{h}>" }.join("\n")
+
+parser = Ia32.new.new_cparser
+parser.prepare_gcc if opts[:gcc]
+parser.prepare_visualstudio if opts[:vs]
+pp = parser.lexer
+pp.warn_redefinition = false
+pp.include_search_path[0, 0] = opts[:path]
+opts[:defs].each { |k, v| pp.define k, v }
+parser.factorize_init
+parser.parse src
+
+
+# delete imports not present in the header files
+funcnames.delete_if { |f|
+	if not parser.toplevel.symbol[f]
+		puts "// #{f.inspect} is not defined in the headers"
+		true
+	end
+}
+
+parser.parse "void *fnptr[] = { #{funcnames.map { |f| '&'+f }.join(', ')} };"
+
+outfd = (opts[:outfile] ? File.open(opts[:outfile], 'w') : $stdout)
+outfd.puts parser.factorize_final
+outfd.close

data/samples/factorize-headers-peimports.rb

@@ -0,0 +1,109 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+#
+# this exemple illustrates the use of the cparser/preprocessor #factorize functionnality:
+# it generates code that references to the functions imported by a windows executable
+# usage: factorize-imports.rb <exe> <exe2> <path to visual studio installation> [<additional func names>... ^<func to exclude>]
+#
+
+require 'metasm'
+include Metasm
+
+require 'optparse'
+opts = { :hdrs => [], :defs => {}, :path => [], :exe => [] }
+OptionParser.new { |opt|
+	opt.on('-o outfile') { |f| opts[:outfile] = f }
+	opt.on('-H additional_header') { |f| opts[:hdrs] << f }
+	opt.on('-e exe', '--exe executable') { |f| opts[:exe] << f }
+	opt.on('-I path', '--includepath path') { |f| opts[:path] << f }
+	opt.on('-D var') { |f| k, v = f.split('=', 2) ; opts[:defs].update k => (v || '') }
+	opt.on('--ddk') { opts[:ddk] = true }
+	opt.on('--vspath path') { |f| opts[:vspath] = f }
+}.parse!(ARGV)
+
+ARGV.delete_if { |e|
+	next if not File.file? e
+	opts[:exe] << e
+}
+
+if opts[:vspath] ||= ARGV.shift
+	opts[:vspath] = opts[:vspath].tr('\\', '/')
+	opts[:vspath] = opts[:vspath].chop if opts[:vspath][-1] == ?/
+	if opts[:ddk]
+		opts[:path] << (opts[:vspath]+'/ddk') << (opts[:vspath]+'/api') << (opts[:vspath]+'/crt')
+	else
+		opts[:vspath] = opts[:vspath][0...-3] if opts[:vspath][-3..-1] == '/VC'
+		opts[:path] << (opts[:vspath]+'/VC/platformsdk/include') << (opts[:vspath]+'/VC/include')
+	end
+end
+
+funcnames = opts[:exe].map { |e|
+	pe = PE.decode_file_header(e)
+	pe.decode_imports
+	if not pe.imports
+		puts "#{e} has no imports"
+		next
+	end
+	pe.imports.map { |id| id.imports.map { |i| i.name } }
+}.flatten.compact.uniq.sort
+
+ARGV.each { |n|
+	if n[0] == ?! or n[0] == ?- or n[0] == ?^
+		funcnames.delete n[1..-1]
+	else
+		funcnames |= [n]
+	end
+}
+exit if funcnames.empty?
+
+src = <<EOS + opts[:hdrs].to_a.map { |h| "#include <#{h}>\n" }.join
+#ifdef DDK
+ #define NO_INTERLOCKED_INTRINSICS
+ typedef struct _CONTEXT CONTEXT;	// needed by ntddk.h, but this will pollute the factorized output..
+ typedef CONTEXT *PCONTEXT;
+ #define dllimport stdcall		// wtff
+ #define SORTPP_PASS			// C_ASSERT proprocessor assert..
+ #define _MSC_EXTENSIONS		// __volatile stuff
+ #include <ntddk.h>
+ #include <stdio.h>
+#else
+ #define WIN32_LEAN_AND_MEAN
+ #include <windows.h>
+ #include <winternl.h>
+#endif
+EOS
+
+parser = Ia32.new.new_cparser
+parser.prepare_visualstudio
+pp = parser.lexer
+pp.warn_redefinition = false
+pp.define('_WIN32_WINNT', '0x0600')
+pp.define('DDK') if opts[:ddk]
+pp.define_strong('IN', '__attribute__((in))')
+pp.define_strong('__in', '__attribute__((in))')
+pp.define_strong('OUT', '__attribute__((out))')
+pp.define_strong('__out', '__attribute__((out))')
+pp.include_search_path = opts[:path]
+opts[:defs].each { |k, v| pp.define k, v }
+parser.factorize_init
+parser.parse src
+
+
+outfd = (opts[:outfile] ? File.open(opts[:outfile], 'w') : $stdout)
+
+# delete imports not present in the header files
+funcnames.delete_if { |f|
+	if not parser.toplevel.symbol[f]
+		puts "// #{f.inspect} is not defined in the headers"
+		outfd.puts "// #{f.inspect} is not defined in the headers" if opts[:outfile]
+		true
+	end
+}
+
+parser.parse "void *fnptr[] = { #{funcnames.map { |f| '&'+f }.join(', ')} };"
+
+outfd.puts parser.factorize_final
+outfd.close

data/samples/factorize-headers.rb

@@ -0,0 +1,43 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+#
+# this exemple illustrates the use of the cparser/preprocessor #factorize functionnality:
+# we write some code using standard headers, and the factorize call on CParser
+# gives us back the macro/C definitions that we use in our code, so that we can
+# get rid of the header
+# Argument: C file to factorize, [path to visual studio installation]
+# with a single argument, uses GCC standard headers
+#
+
+require 'metasm'
+include Metasm
+
+abort 'target needed' if not file = ARGV.shift
+
+visualstudiopath = ARGV.shift
+if visualstudiopath
+	stub = <<EOS
+// add the path to the visual studio std headers
+#ifdef __METASM__
+ #pragma include_dir #{(visualstudiopath+'/platformsdk/include').inspect}
+ #pragma include_dir #{(visualstudiopath+'/include').inspect}
+ #pragma prepare_visualstudio
+ #pragma no_warn_redefinition
+#endif
+EOS
+else
+	stub = <<EOS
+#ifdef __METASM__
+ #pragma prepare_gcc
+#endif
+EOS
+end
+stub << "#line 0\n"
+
+# to trace only pp macros (using eg an asm source), use Preprocessor#factorize instead
+
+puts Ia32.new.new_cparser.factorize(stub + File.read(file), file)
+