metasm 1.0.0

data/samples/linux_injectsyscall.rb

@@ -0,0 +1,95 @@
+#!/usr/bin/ruby
+
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+#
+# this exemple illustrates the use of the PTrace class to hijack a syscall in a running process
+# the next syscall made is patched to run the syscall with the arguments of our choice, then
+# run the original intended syscall
+# Works on linux/x86
+#
+
+
+require 'metasm'
+
+class SyscallHooker < Metasm::PTrace
+	CTX = ['EBX', 'ECX', 'EDX', 'ESI', 'EDI', 'EAX', 'ESP', 'EBP', 'EIP', 'ORIG_EAX']
+
+	def inject(sysnr, *args)
+		sysnr = syscallnr[sysnr] || sysnr
+
+		syscall
+		puts '[*] waiting syscall'
+		Process.waitpid(@pid)
+
+		savedctx = CTX.inject({}) { |ctx, reg| ctx.update reg => peekusr(REGS_I386[reg]) }
+
+		eip = (savedctx['EIP'] - 2) & 0xffffffff
+		fu = readmem(eip, 2)
+		if fu == "\xcd\x80"
+			mode = :int80
+		elsif fu == "\xeb\xf3" and readmem(eip-14, 7).unpack('H*').first == "51525589e50f34"	# aoenthuasn
+			mode = :sysenter
+		elsif fu == "\x0f\x05"
+			mode = :syscall
+		else
+			puts 'unhandled syscall convention, aborting, code = ' + readmem(eip-4, 8).unpack('H*').first
+			cont
+			return self
+		end
+
+		if args.length > 5
+			puts 'too may arguments, unsupported, aborting'
+		else
+			puts "[*] hooking #{syscallnr.index(savedctx['ORIG_EAX'])}"
+
+			# stack pointer to store buffers to
+			esp_ptr = savedctx['ESP']
+			write_string = lambda { |s|
+				esp_ptr -= s.length
+				esp_ptr &= 0xffff_fff0
+				writemem(esp_ptr, s)
+				[esp_ptr].pack('L').unpack('l').first
+			}
+			set_arg = lambda { |a|
+				case a
+				when String; write_string[a + 0.chr]
+				when Array; write_string[a.map { |aa| set_arg[aa] }.pack('L*')]
+				else a
+				end
+			}
+			args.zip(CTX).map { |arg, reg|
+				# set syscall args, put buffers on the stack as needed
+				pokeusr(REGS_I386[reg], set_arg[arg])
+			}
+			# patch syscall number
+			pokeusr(REGS_I386['ORIG_EAX'], sysnr)
+
+
+			# run hooked syscall
+			syscall
+			Process.waitpid(@pid)
+			retval = peekusr(REGS_I386['EAX'])
+			puts "[*] retval: #{'%X' % retval}#{" (Errno::#{ERRNO.index(-retval)})" if retval < 0}"
+
+			if syscallnr.index(sysnr) == 'execve' and retval >= 0
+				cont
+				return self
+			end
+
+			# restore eax & eip to run the orig syscall
+			savedctx['EIP'] -= 2
+			savedctx['EAX'] = savedctx['ORIG_EAX']
+			savedctx.each { |reg, val| pokeusr(REGS_I386[reg], val) }
+		end
+
+		self
+	end
+end
+
+if $0 == __FILE__
+	SyscallHooker.new(ARGV.shift.to_i).inject('write', 2, "testic\n", 7).detach
+end

data/samples/machoencode.rb

@@ -0,0 +1,31 @@
+#!/usr/bin/env ruby
+
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+require 'metasm'
+$opts = { :execlass => Metasm::MachO }
+load File.join(File.dirname(__FILE__), 'exeencode.rb')
+
+__END__
+.text
+
+str db "Hello, World !\n", 0
+strlen equ $-str
+.align 8
+
+.entrypoint
+push strlen
+push str
+push 1		// stdout
+mov eax, 4	// sys_write
+push eax
+int 80h
+add esp, 12
+
+push 0
+mov eax, 1	// sys_exit
+push eax
+int 80h

data/samples/metasm-shell.rb

@@ -0,0 +1,91 @@
+#!/usr/bin/env ruby
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+# modifies the standard ruby class String to add #decode and #encode methods
+# they will respectively disassemble binary data / assemble asm source
+# the default CPU is x86 32bits, change it using eg String.cpu = Metasm::MIPS.new(:big) (mips bigendian)
+#
+# it also defines the toplevel 'asm' method, that will start an interactive
+# assembler shell (type in assembly statements, they are shown assembled in binary escaped form)
+#
+# eg:
+# ruby metasm-shell
+# > nop ; nop
+# "\x90\x90"
+# > exit
+
+require 'metasm'
+
+class String
+	@@cpu = Metasm::Ia32.new
+	class << self
+		def cpu()   @@cpu   end
+		def cpu=(c)
+			c = Metasm.const_get(c).new if c.kind_of? String
+			@@cpu=c
+		end
+	end
+
+	# encodes the current string as a Shellcode, returns the resulting EncodedData
+	def encode_edata
+		s = Metasm::Shellcode.assemble @@cpu, self
+		s.encoded
+	end
+
+	# encodes the current string as a Shellcode, returns the resulting binary String
+	# outputs warnings on unresolved relocations
+	def encode
+		ed = encode_edata
+		if not ed.reloc.empty?
+			puts 'W: encoded string has unresolved relocations: ' + ed.reloc.map { |o, r| r.target.inspect }.join(', ')
+		end
+		ed.fill
+		ed.data
+	end
+
+	# decodes the current string as a Shellcode, with specified base address
+	# returns the resulting Disassembler
+	def decode_blocks(base_addr=0, eip=base_addr)
+		sc = Metasm::Shellcode.decode(self, @@cpu)
+		sc.base_addr = base_addr
+		sc.disassemble(eip)
+	end
+
+	# decodes the current string as a Shellcode, with specified base address
+	# returns the asm source equivallent
+	def decode(base_addr=0, eip=base_addr)
+		decode_blocks(base_addr, eip).to_s
+	end
+end
+
+# get in interactive assembler mode
+def asm
+	puts 'type "exit" or "quit" to quit', 'use ";" for newline', ''
+	while (print "asm> " ; $stdout.flush ; l = gets)
+		break if %w[quit exit].include? l.chomp
+		if l.chomp == 'help'
+			puts "Metasm assembly shell: type in opcodes to see their binary form",
+				"You can use ';' to type multi-line stuff",
+				"e.g. 'nop nop' will display \"\\x90\\x90\""
+			next
+		end
+	
+		begin
+			data = l.gsub(';', "\n")
+			next if data.strip.empty?
+			data = data.encode
+			puts '"' + data.unpack('C*').map { |c| '\\x%02x' % c }.join + '"'
+		rescue Metasm::Exception => e
+			puts "Error: #{e.class} #{e.message}"
+		end
+	end
+
+	puts
+end
+
+if __FILE__ == $0
+	asm
+end

data/samples/pe-hook.rb

@@ -0,0 +1,69 @@
+#!/usr/bin/env ruby
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+#
+# in this file, we open an existing PE, add some code to its last section and
+# patch the entrypoint so that we are executed at program start
+#
+
+require 'metasm'
+
+# read original file
+raise 'need a target filename' if not target = ARGV.shift
+pe_orig = Metasm::PE.decode_file(target)
+pe = pe_orig.mini_copy
+pe.mz.encoded = pe_orig.encoded[0, pe_orig.coff_offset-4]
+pe.mz.encoded.export = pe_orig.encoded[0, 512].export.dup
+pe.header.time = pe_orig.header.time
+
+has_mb = pe.imports.find { |id| id.imports.find { |i| i.name == 'MessageBoxA' } } ? 1 : 0
+# hook code to run on start
+newcode = Metasm::Shellcode.assemble(pe.cpu, <<EOS).encoded
+hook_entrypoint:
+pushad
+#if ! #{has_mb}
+push hook_libname
+call [iat_LoadLibraryA]
+push hook_funcname
+push eax
+call [iat_GetProcAddress]
+#else
+mov eax, [iat_MessageBoxA]
+#endif
+
+push 0
+push hook_title
+push hook_msg
+push 0
+call eax
+
+popad
+jmp entrypoint
+
+.align 4
+hook_msg db '(c) David Hasselhoff', 0
+hook_title db 'Hooked on a feeling', 0
+#if ! #{has_mb}
+hook_libname db 'user32', 0
+hook_funcname db 'MessageBoxA', 0
+#endif
+EOS
+
+# modify last section
+s = Metasm::PE::Section.new
+s.name = '.hook'
+s.encoded = newcode
+s.characteristics = %w[MEM_READ MEM_WRITE MEM_EXECUTE]
+s.encoded.fixup!('entrypoint' => pe.optheader.image_base + pe.optheader.entrypoint)	# tell the original entrypoint address to our hook
+pe.sections << s
+pe.invalidate_header
+
+# patch entrypoint
+pe.optheader.entrypoint = 'hook_entrypoint'
+
+# save
+pe.encode_file(target.sub(/\.exe$/i, '-patch.exe'))

data/samples/pe-ia32-cpuid.rb

@@ -0,0 +1,203 @@
+#!/usr/bin/env ruby
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+#
+# this sample shows the compilation of a slightly more complex program
+# it displays in a messagebox the result of CPUID
+#
+
+require 'metasm'
+
+pe = Metasm::PE.assemble Metasm::Ia32.new, <<EOS
+.text
+m_cpuid macro nr
+	xor ebx, ebx
+	and ecx, ebx
+	and edx, ebx
+	mov eax, nr
+	cpuid
+endm
+
+.entrypoint
+
+push ebx push ecx push edx
+
+m_cpuid(0)
+mov [cpuname], ebx
+mov [cpuname+4], edx
+mov [cpuname+8], ecx
+and byte ptr [cpuname+12], 0
+
+m_cpuid(0x8000_0000)
+and eax, 0x8000_0000
+jz extended_unsupported
+
+m_str_cpuid macro nr
+	m_cpuid(0x8000_0002 + nr)
+	mov [cpubrand + 16*nr + 0], eax
+	mov [cpubrand + 16*nr + 4], ebx
+	mov [cpubrand + 16*nr + 8], ecx
+	mov [cpubrand + 16*nr + 12], edx
+endm
+
+m_str_cpuid(0)
+m_str_cpuid(1)
+m_str_cpuid(2)
+
+extended_unsupported:
+and byte ptr[cpubrand+48], 0
+
+push cpubrand
+push cpuname
+push format
+push buffer
+call wsprintf
+add esp, 4*4
+
+push 0
+push title
+push buffer
+push 0
+call messagebox
+
+pop edx pop ecx pop ebx
+
+xor eax, eax
+ret
+
+.import user32 MessageBoxA messagebox
+.import user32 wsprintfA wsprintf
+
+#define PE_HOOK_TARGET
+#ifdef PE_HOOK_TARGET
+; import these to be a good target for pe-hook.rb
+.import kernel32 LoadLibraryA
+.import kernel32 GetProcAddress
+#endif
+
+.data
+format  db 'CPU: %s\\nBrandstring: %s', 0
+title   db 'cpuid', 0
+
+.bss
+buffer  db 1025 dup(?)
+.align 4
+cpuname db 3*4+1 dup(?)
+.align 4
+cpubrand db 3*4*4+1 dup(?)
+
+EOS
+
+pe.encode_file('metasm-cpuid.exe')
+
+__END__
+
+// original C code (more complete)
+
+#include <unistd.h>
+#include <stdio.h>
+
+static char *featureinfo[32] = {
+	"fpu", "vme", "de", "pse", "tsc", "msr", "pae", "mce", "cx8",
+	"apic", "unk10", "sep", "mtrr", "pge", "mca", "cmov", "pat",
+	"pse36", "psn", "clfsh", "unk20", "ds", "acpi", "mmx",
+	"fxsr", "sse", "sse2", "ss", "htt", "tm", "unk30", "pbe"
+}, *extendinfo[32] = {
+	"sse3", "unk1", "unk2", "monitor", "ds-cpl", "unk5-vt", "unk6", "est",
+	"tm2", "unk9", "cnxt-id", "unk12", "cmpxchg16b", "unk14", "unk15",
+	"unk16", "unk17", "unk18", "unk19", "unk20", "unk21", "unk22", "unk23",
+	"unk24", "unk25", "unk26", "unk27", "unk28", "unk29", "unk30", "unk31"
+};
+
+#define cpuid(id) __asm__( "cpuid" : "=a"(eax), "=b"(ebx), "=c"(ecx), "=d"(edx) : "a"(id), "b"(0), "c"(0), "d"(0))
+#define b(val, base, end) ((val << (31-end)) >> (31-end+base))
+int main(void)
+{
+	unsigned long eax, ebx, ecx, edx;
+	unsigned long i, max;
+	int support_extended;
+
+	printf("%8s - %8s %8s %8s %8s\n", "query", "eax", "ebx", "ecx", "edx");
+
+	max = 0;
+	for (i=0 ; i<=max ; i++) {
+		cpuid(i);
+		if (!i)
+			max = eax;
+		printf("%.8lX - %.8lX %.8lX %.8lX %.8lX\n", i, eax, ebx, ecx, edx);
+	}
+	printf("\n");
+
+	max = 0x80000000;
+	for (i=0x80000000 ; i<=max ; i++) {
+		cpuid(i);
+		if (!(i << 1)) {
+			max = eax;
+			support_extended = eax >> 31;
+		}
+		printf("%.8lX - %.8lX %.8lX %.8lX %.8lX\n", i, eax, ebx, ecx, edx);
+	}
+	printf("\n");
+
+	cpuid(0);
+	printf("identification: \"%.4s%.4s%.4s\"\n", (char *)&ebx, (char *)&edx, (char *)&ecx);
+
+	printf("cpu information:\n");
+	cpuid(1);
+	printf(" family %ld model %ld stepping %ld efamily %ld emodel %ld\n",
+			b(eax, 8, 11), b(eax, 4, 7), b(eax, 0, 3), b(eax, 20, 27), b(eax, 16, 19));
+	printf(" brand %ld cflush sz %ld*8 nproc %ld apicid %ld\n",
+			b(ebx, 0, 7), b(ebx, 8, 15), b(ebx, 16, 23), b(ebx, 24, 31));
+
+	printf(" feature information:");
+	for (i=0 ; i<32 ; i++)
+		if (edx & (1 << i))
+			printf(" %s", featureinfo[i]);
+
+	printf("\n extended information:");
+	for (i=0 ; i<32 ; i++)
+		if (ecx & (1 << i))
+			printf(" %s", extendinfo[i]);
+	printf("\n");
+
+	if (!support_extended)
+		return 0;
+
+	printf("extended cpuid:\n", eax);
+	cpuid(0x80000001);
+	printf(" %.8lX %.8lX %.8lX %.8lX + ", eax, ebx, ecx & ~1, edx & ~0x00800102);
+	if (ecx & 1)
+		printf(" lahf64");
+
+	if (edx & (1 << 11))
+		printf(" syscall64");
+	if (edx & (1 << 20))
+		printf(" nx");
+	if (edx & (1 << 29))
+		printf(" em64t");
+
+	char brandstring[48];
+	unsigned long *p = (unsigned long*)brandstring;
+	cpuid(0x80000002);
+	*p++ = eax;
+	*p++ = ebx;
+	*p++ = ecx;
+	*p++ = edx;
+	cpuid(0x80000003);
+	*p++ = eax;
+	*p++ = ebx;
+	*p++ = ecx;
+	*p++ = edx;
+	cpuid(0x80000004);
+	*p++ = eax;
+	*p++ = ebx;
+	*p++ = ecx;
+	*p++ = edx;
+	printf("\n brandstring: \"%.48s\"\n", brandstring);
+
+	return 0;
+}