RubyGems - metasm - Versions diffs - 1.0.0 - Mend

metasm 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (192) hide show

data/BUGS +11 -0
data/CREDITS +17 -0
data/README +270 -0
data/TODO +114 -0
data/doc/code_organisation.txt +146 -0
data/doc/const_missing.txt +16 -0
data/doc/core_classes.txt +75 -0
data/doc/feature_list.txt +53 -0
data/doc/index.txt +59 -0
data/doc/install_notes.txt +170 -0
data/doc/style.css +3 -0
data/doc/use_cases.txt +18 -0
data/lib/metasm.rb +80 -0
data/lib/metasm/arm.rb +12 -0
data/lib/metasm/arm/debug.rb +39 -0
data/lib/metasm/arm/decode.rb +167 -0
data/lib/metasm/arm/encode.rb +77 -0
data/lib/metasm/arm/main.rb +75 -0
data/lib/metasm/arm/opcodes.rb +177 -0
data/lib/metasm/arm/parse.rb +130 -0
data/lib/metasm/arm/render.rb +55 -0
data/lib/metasm/compile_c.rb +1457 -0
data/lib/metasm/dalvik.rb +8 -0
data/lib/metasm/dalvik/decode.rb +196 -0
data/lib/metasm/dalvik/main.rb +60 -0
data/lib/metasm/dalvik/opcodes.rb +366 -0
data/lib/metasm/decode.rb +213 -0
data/lib/metasm/decompile.rb +2659 -0
data/lib/metasm/disassemble.rb +2068 -0
data/lib/metasm/disassemble_api.rb +1280 -0
data/lib/metasm/dynldr.rb +1329 -0
data/lib/metasm/encode.rb +333 -0
data/lib/metasm/exe_format/a_out.rb +194 -0
data/lib/metasm/exe_format/autoexe.rb +82 -0
data/lib/metasm/exe_format/bflt.rb +189 -0
data/lib/metasm/exe_format/coff.rb +455 -0
data/lib/metasm/exe_format/coff_decode.rb +901 -0
data/lib/metasm/exe_format/coff_encode.rb +1078 -0
data/lib/metasm/exe_format/dex.rb +457 -0
data/lib/metasm/exe_format/dol.rb +145 -0
data/lib/metasm/exe_format/elf.rb +923 -0
data/lib/metasm/exe_format/elf_decode.rb +979 -0
data/lib/metasm/exe_format/elf_encode.rb +1375 -0
data/lib/metasm/exe_format/macho.rb +827 -0
data/lib/metasm/exe_format/main.rb +228 -0
data/lib/metasm/exe_format/mz.rb +164 -0
data/lib/metasm/exe_format/nds.rb +172 -0
data/lib/metasm/exe_format/pe.rb +437 -0
data/lib/metasm/exe_format/serialstruct.rb +246 -0
data/lib/metasm/exe_format/shellcode.rb +114 -0
data/lib/metasm/exe_format/xcoff.rb +167 -0
data/lib/metasm/gui.rb +23 -0
data/lib/metasm/gui/cstruct.rb +373 -0
data/lib/metasm/gui/dasm_coverage.rb +199 -0
data/lib/metasm/gui/dasm_decomp.rb +369 -0
data/lib/metasm/gui/dasm_funcgraph.rb +103 -0
data/lib/metasm/gui/dasm_graph.rb +1354 -0
data/lib/metasm/gui/dasm_hex.rb +543 -0
data/lib/metasm/gui/dasm_listing.rb +599 -0
data/lib/metasm/gui/dasm_main.rb +906 -0
data/lib/metasm/gui/dasm_opcodes.rb +291 -0
data/lib/metasm/gui/debug.rb +1228 -0
data/lib/metasm/gui/gtk.rb +884 -0
data/lib/metasm/gui/qt.rb +495 -0
data/lib/metasm/gui/win32.rb +3004 -0
data/lib/metasm/gui/x11.rb +621 -0
data/lib/metasm/ia32.rb +14 -0
data/lib/metasm/ia32/compile_c.rb +1523 -0
data/lib/metasm/ia32/debug.rb +193 -0
data/lib/metasm/ia32/decode.rb +1167 -0
data/lib/metasm/ia32/decompile.rb +564 -0
data/lib/metasm/ia32/encode.rb +314 -0
data/lib/metasm/ia32/main.rb +233 -0
data/lib/metasm/ia32/opcodes.rb +872 -0
data/lib/metasm/ia32/parse.rb +327 -0
data/lib/metasm/ia32/render.rb +91 -0
data/lib/metasm/main.rb +1193 -0
data/lib/metasm/mips.rb +11 -0
data/lib/metasm/mips/compile_c.rb +7 -0
data/lib/metasm/mips/decode.rb +253 -0
data/lib/metasm/mips/encode.rb +51 -0
data/lib/metasm/mips/main.rb +72 -0
data/lib/metasm/mips/opcodes.rb +443 -0
data/lib/metasm/mips/parse.rb +51 -0
data/lib/metasm/mips/render.rb +43 -0
data/lib/metasm/os/gnu_exports.rb +270 -0
data/lib/metasm/os/linux.rb +1112 -0
data/lib/metasm/os/main.rb +1686 -0
data/lib/metasm/os/remote.rb +527 -0
data/lib/metasm/os/windows.rb +2027 -0
data/lib/metasm/os/windows_exports.rb +745 -0
data/lib/metasm/parse.rb +876 -0
data/lib/metasm/parse_c.rb +3938 -0
data/lib/metasm/pic16c/decode.rb +42 -0
data/lib/metasm/pic16c/main.rb +17 -0
data/lib/metasm/pic16c/opcodes.rb +68 -0
data/lib/metasm/ppc.rb +11 -0
data/lib/metasm/ppc/decode.rb +264 -0
data/lib/metasm/ppc/decompile.rb +251 -0
data/lib/metasm/ppc/encode.rb +51 -0
data/lib/metasm/ppc/main.rb +129 -0
data/lib/metasm/ppc/opcodes.rb +410 -0
data/lib/metasm/ppc/parse.rb +52 -0
data/lib/metasm/preprocessor.rb +1277 -0
data/lib/metasm/render.rb +130 -0
data/lib/metasm/sh4.rb +8 -0
data/lib/metasm/sh4/decode.rb +336 -0
data/lib/metasm/sh4/main.rb +292 -0
data/lib/metasm/sh4/opcodes.rb +381 -0
data/lib/metasm/x86_64.rb +12 -0
data/lib/metasm/x86_64/compile_c.rb +1025 -0
data/lib/metasm/x86_64/debug.rb +59 -0
data/lib/metasm/x86_64/decode.rb +268 -0
data/lib/metasm/x86_64/encode.rb +264 -0
data/lib/metasm/x86_64/main.rb +135 -0
data/lib/metasm/x86_64/opcodes.rb +118 -0
data/lib/metasm/x86_64/parse.rb +68 -0
data/misc/bottleneck.rb +61 -0
data/misc/cheader-findpppath.rb +58 -0
data/misc/hexdiff.rb +74 -0
data/misc/hexdump.rb +55 -0
data/misc/metasm-all.rb +13 -0
data/misc/objdiff.rb +47 -0
data/misc/objscan.rb +40 -0
data/misc/pdfparse.rb +661 -0
data/misc/ppc_pdf2oplist.rb +192 -0
data/misc/tcp_proxy_hex.rb +84 -0
data/misc/txt2html.rb +440 -0
data/samples/a.out.rb +31 -0
data/samples/asmsyntax.rb +77 -0
data/samples/bindiff.rb +555 -0
data/samples/compilation-steps.rb +49 -0
data/samples/cparser_makestackoffset.rb +55 -0
data/samples/dasm-backtrack.rb +38 -0
data/samples/dasmnavig.rb +318 -0
data/samples/dbg-apihook.rb +228 -0
data/samples/dbghelp.rb +143 -0
data/samples/disassemble-gui.rb +102 -0
data/samples/disassemble.rb +133 -0
data/samples/dump_upx.rb +95 -0
data/samples/dynamic_ruby.rb +1929 -0
data/samples/elf_list_needed.rb +46 -0
data/samples/elf_listexports.rb +33 -0
data/samples/elfencode.rb +25 -0
data/samples/exeencode.rb +128 -0
data/samples/factorize-headers-elfimports.rb +77 -0
data/samples/factorize-headers-peimports.rb +109 -0
data/samples/factorize-headers.rb +43 -0
data/samples/gdbclient.rb +583 -0
data/samples/generate_libsigs.rb +102 -0
data/samples/hotfix_gtk_dbg.rb +59 -0
data/samples/install_win_env.rb +78 -0
data/samples/lindebug.rb +924 -0
data/samples/linux_injectsyscall.rb +95 -0
data/samples/machoencode.rb +31 -0
data/samples/metasm-shell.rb +91 -0
data/samples/pe-hook.rb +69 -0
data/samples/pe-ia32-cpuid.rb +203 -0
data/samples/pe-mips.rb +35 -0
data/samples/pe-shutdown.rb +78 -0
data/samples/pe-testrelocs.rb +51 -0
data/samples/pe-testrsrc.rb +24 -0
data/samples/pe_listexports.rb +31 -0
data/samples/peencode.rb +19 -0
data/samples/peldr.rb +494 -0
data/samples/preprocess-flatten.rb +19 -0
data/samples/r0trace.rb +308 -0
data/samples/rubstop.rb +399 -0
data/samples/scan_pt_gnu_stack.rb +54 -0
data/samples/scanpeexports.rb +62 -0
data/samples/shellcode-c.rb +40 -0
data/samples/shellcode-dynlink.rb +146 -0
data/samples/source.asm +34 -0
data/samples/struct_offset.rb +47 -0
data/samples/testpe.rb +32 -0
data/samples/testraw.rb +45 -0
data/samples/win32genloader.rb +132 -0
data/samples/win32hooker-advanced.rb +169 -0
data/samples/win32hooker.rb +96 -0
data/samples/win32livedasm.rb +33 -0
data/samples/win32remotescan.rb +133 -0
data/samples/wintrace.rb +92 -0
data/tests/all.rb +8 -0
data/tests/dasm.rb +39 -0
data/tests/dynldr.rb +35 -0
data/tests/encodeddata.rb +132 -0
data/tests/ia32.rb +82 -0
data/tests/mips.rb +116 -0
data/tests/parse_c.rb +239 -0
data/tests/preprocessor.rb +269 -0
data/tests/x86_64.rb +62 -0
metadata +255 -0

data/samples/preprocess-flatten.rb ADDED

@@ -0,0 +1,19 @@
+#!/usr/bin/env ruby
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+#
+# this file takes preprocessor files as arguments
+# it preprocesses their content and dump the result to stdout
+# it also dumps all macro definitions
+#
+require 'metasm/preprocessor'
+p = Metasm::Preprocessor.new
+p.feed(ARGF.read)
+raw = p.dump
+puts p.dump_macros(p.definition.keys, false)
+puts raw

data/samples/r0trace.rb ADDED

@@ -0,0 +1,308 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+# This creates/uses a ring0 driver for tracing a program
+# x86/windows/singlecore only
+# the scripts allows interacting with the driver
+# you still have to set the target thread in singlestep mode (eg using Debugger)
+# How does it work:
+# the driver hooks the IDT int1/int0f (NOT SMP PROOF)
+# on int1, it logs eip in a memory buffer
+# on int0f, it returns the memory buffer (memcopy to mem pointed by eax)
+# the buffer 1st dword is the number of used dwords in the buffer (0 = empty)
+# on overflow, eips are lost
+require 'metasm'
+include Metasm
+$drv = 'r0trace.sys'
+# size of the eip buffer (in dwords)
+TRACE_BUF_SZ = 4*1024*1024-4
+if not File.exist? $drv
+PE.assemble(Ia32.new, <<EOS).encode_file($drv, 'kmod')
+#define bufsz #{TRACE_BUF_SZ}
+.data
+oldi1 dd 0,0
+oldi15 dd 0,0
+buf dd bufsz dup(?)
+.text
+.entrypoint
+mov eax, [esp+4]
+mov dword ptr [eax+0x34], unload	// drv->DriverUnload
+call setup_idt
+xor eax, eax
+mov [buf], eax	// buf used size
+ret
+unload:
+// XXX smp
+call get_idt
+push [oldi1+4]
+push [oldi1]
+pop [eax+8*1]
+pop [eax+8*1+4]
+push [oldi15+4]
+push [oldi15]
+pop [eax+8*15]
+pop [eax+8*15+4]
+xor eax, eax
+ret
+setup_idt:
+// XXX smp
+call get_idt
+push [eax+8*1]
+push [eax+8*1+4]
+pop [oldi1+4]
+pop [oldi1]
+push [eax+8*15]
+push [eax+8*15+4]
+pop [oldi15+4]
+pop [oldi15]
+mov ecx, i1hook
+mov [eax+8*1], ecx
+mov [eax+8*1+4], ecx
+mov ecx, cs
+mov [eax+8*1+2], cx
+mov word ptr [eax+8*1+4], (15 + (3<<5) + (1<<7)) << 8	// call gate
+mov ecx, i15hook
+mov [eax+8*15], ecx
+mov [eax+8*15+4], ecx
+mov ecx, cs
+mov [eax+8*15+2], cx
+mov word ptr [eax+8*15+4], (15 + (3<<5) + (1<<7)) << 8	// call gate
+ret
+get_idt:
+sub esp, 8
+sidt [esp]
+mov eax, [esp+2]
+add esp, 8
+ret
+i1hook:
+push eax
+mov eax, buf
+cmp [eax], bufsz
+jae 1f
+inc [eax]
+add eax, [eax]
+push [esp+4]
+pop [eax]
+1:
+pop eax
+iret
+i15hook:
+push esi
+push edi
+push ecx
+mov esi, buf
+mov edi, eax
+mov ecx, [esi]
+inc ecx
+rep movsd
+mov dword ptr [buf], 0
+pop ecx
+pop edi
+pop esi
+iret
+EOS
+end
+DynLdr.new_api_c <<EOS
+typedef int BOOL;
+typedef char CHAR;
+typedef unsigned long DWORD;
+typedef const CHAR *LPCSTR;
+typedef DWORD *LPDWORD;
+typedef void *HANDLE;
+struct SC_HANDLE__ { int unused; };
+struct _SERVICE_STATUS {
+	DWORD dwServiceType;
+	DWORD dwCurrentState;
+	DWORD dwControlsAccepted;
+	DWORD dwWin32ExitCode;
+	DWORD dwServiceSpecificExitCode;
+	DWORD dwCheckPoint;
+	DWORD dwWaitHint;
+};
+typedef struct SC_HANDLE__ *SC_HANDLE;
+typedef struct _SERVICE_STATUS *LPSERVICE_STATUS;
+__stdcall BOOL CloseServiceHandle(SC_HANDLE hSCObject __attribute__((in)));
+__stdcall SC_HANDLE CreateServiceA(SC_HANDLE hSCManager __attribute__((in)), LPCSTR lpServiceName __attribute__((in)), LPCSTR lpDisplayName __attribute__((in)), DWORD dwDesiredAccess __attribute__((in)), DWORD dwServiceType __attribute__((in)), DWORD dwStartType __attribute__((in)), DWORD dwErrorControl __attribute__((in)), LPCSTR lpBinaryPathName __attribute__((in)), LPCSTR lpLoadOrderGroup __attribute__((in)), LPDWORD lpdwTagId __attribute__((out)), LPCSTR lpDependencies __attribute__((in)), LPCSTR lpServiceStartName __attribute__((in)), LPCSTR lpPassword __attribute__((in)));
+__stdcall BOOL DeleteService(SC_HANDLE hService __attribute__((in)));
+__stdcall SC_HANDLE OpenSCManagerA(LPCSTR lpMachineName __attribute__((in)), LPCSTR lpDatabaseName __attribute__((in)), DWORD dwDesiredAccess __attribute__((in)));
+__stdcall SC_HANDLE OpenServiceA(SC_HANDLE hSCManager __attribute__((in)), LPCSTR lpServiceName __attribute__((in)), DWORD dwDesiredAccess __attribute__((in)));
+__stdcall BOOL StartServiceA(SC_HANDLE hService __attribute__((in)), DWORD dwNumServiceArgs __attribute__((in)), LPCSTR *lpServiceArgVectors __attribute__((in)));
+__stdcall BOOL ControlService(SC_HANDLE hService __attribute__((in)), DWORD dwControl __attribute__((in)), LPSERVICE_STATUS lpServiceStatus __attribute__((out)));
+__stdcall HANDLE OpenThread(DWORD dwDesiredAccess __attribute__((in)), BOOL bInheritHandle __attribute__((in)), DWORD dwThreadId __attribute__((in)));
+__stdcall DWORD ResumeThread(HANDLE hThread __attribute__((in)));
+__stdcall DWORD SuspendThread(HANDLE hThread __attribute__((in)));
+__stdcall BOOL SetThreadContext(HANDLE hThread __attribute__((in)), void *lpContext __attribute__((in)));
+__stdcall BOOL GetThreadContext(HANDLE hThread __attribute__((in)), void *lpContext);
+__stdcall BOOL CloseHandle(HANDLE hObject __attribute__((in)));
+#define STANDARD_RIGHTS_REQUIRED         (0x000F0000L)
+#define SC_MANAGER_CONNECT             0x0001
+#define SC_MANAGER_CREATE_SERVICE      0x0002
+#define SC_MANAGER_ENUMERATE_SERVICE   0x0004
+#define SC_MANAGER_LOCK                0x0008
+#define SC_MANAGER_QUERY_LOCK_STATUS   0x0010
+#define SC_MANAGER_MODIFY_BOOT_CONFIG  0x0020
+#define SC_MANAGER_ALL_ACCESS          (STANDARD_RIGHTS_REQUIRED      | \
+                                        SC_MANAGER_CONNECT            | \
+                                        SC_MANAGER_CREATE_SERVICE     | \
+                                        SC_MANAGER_ENUMERATE_SERVICE  | \
+                                        SC_MANAGER_LOCK               | \
+                                        SC_MANAGER_QUERY_LOCK_STATUS  | \
+                                        SC_MANAGER_MODIFY_BOOT_CONFIG)
+#define SERVICE_QUERY_CONFIG           0x0001
+#define SERVICE_CHANGE_CONFIG          0x0002
+#define SERVICE_QUERY_STATUS           0x0004
+#define SERVICE_ENUMERATE_DEPENDENTS   0x0008
+#define SERVICE_START                  0x0010
+#define SERVICE_STOP                   0x0020
+#define SERVICE_PAUSE_CONTINUE         0x0040
+#define SERVICE_INTERROGATE            0x0080
+#define SERVICE_USER_DEFINED_CONTROL   0x0100
+#define SERVICE_ALL_ACCESS             (STANDARD_RIGHTS_REQUIRED     | \
+                                        SERVICE_QUERY_CONFIG         | \
+                                        SERVICE_CHANGE_CONFIG        | \
+                                        SERVICE_QUERY_STATUS         | \
+                                        SERVICE_ENUMERATE_DEPENDENTS | \
+                                        SERVICE_START                | \
+                                        SERVICE_STOP                 | \
+                                        SERVICE_PAUSE_CONTINUE       | \
+                                        SERVICE_INTERROGATE          | \
+                                        SERVICE_USER_DEFINED_CONTROL)
+#define SERVICE_KERNEL_DRIVER          0x00000001
+#define SERVICE_FILE_SYSTEM_DRIVER     0x00000002
+#define SERVICE_ADAPTER                0x00000004
+#define SERVICE_RECOGNIZER_DRIVER      0x00000008
+#define SERVICE_DRIVER                 (SERVICE_KERNEL_DRIVER | \
+                                        SERVICE_FILE_SYSTEM_DRIVER | \
+                                        SERVICE_RECOGNIZER_DRIVER)
+#define SERVICE_WIN32_OWN_PROCESS      0x00000010
+#define SERVICE_WIN32_SHARE_PROCESS    0x00000020
+#define SERVICE_WIN32                  (SERVICE_WIN32_OWN_PROCESS | \
+                                        SERVICE_WIN32_SHARE_PROCESS)
+#define SERVICE_INTERACTIVE_PROCESS    0x00000100
+#define SERVICE_TYPE_ALL               (SERVICE_WIN32  | \
+                                        SERVICE_ADAPTER | \
+                                        SERVICE_DRIVER  | \
+                                        SERVICE_INTERACTIVE_PROCESS)
+#define SERVICE_BOOT_START             0x00000000
+#define SERVICE_SYSTEM_START           0x00000001
+#define SERVICE_AUTO_START             0x00000002
+#define SERVICE_DEMAND_START           0x00000003
+#define SERVICE_DISABLED               0x00000004
+#define SERVICE_ERROR_IGNORE           0x00000000
+#define SERVICE_ERROR_NORMAL           0x00000001
+#define SERVICE_ERROR_SEVERE           0x00000002
+#define SERVICE_ERROR_CRITICAL         0x00000003
+#define SYNCHRONIZE                    0x00100000L
+#define THREAD_TERMINATE               0x0001
+#define THREAD_SUSPEND_RESUME          0x0002
+#define THREAD_GET_CONTEXT             0x0008
+#define THREAD_SET_CONTEXT             0x0010
+#define THREAD_SET_INFORMATION         0x0020
+#define THREAD_QUERY_INFORMATION       0x0040
+#define THREAD_SET_THREAD_TOKEN        0x0080
+#define THREAD_IMPERSONATE             0x0100
+#define THREAD_DIRECT_IMPERSONATION    0x0200
+#define THREAD_ALL_ACCESS         (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x3FF)
+#define CONTEXT_i386    0x00010000
+#define CONTEXT_CONTROL         (CONTEXT_i386 | 0x00000001L) // SS:SP, CS:IP, FLAGS, BP
+EOS
+DynLdr.new_func_c <<EOS
+int get_trace_buf(void *ptr)
+{
+	asm("mov eax, [ebp+8] int 0fh");
+	return *(int*)ptr;
+}
+EOS
+def loadmod(mod=$drv)
+	sh = DynLdr.openscmanagera(0, 0, DynLdr::SC_MANAGER_ALL_ACCESS)
+	raise "cannot openscm" if (sh == 0)
+	rh = DynLdr.createservicea(sh, mod, mod, DynLdr::SERVICE_ALL_ACCESS, DynLdr::SERVICE_KERNEL_DRIVER, DynLdr::SERVICE_DEMAND_START, DynLdr::SERVICE_ERROR_NORMAL, File.expand_path(mod), 0, 0, 0, 0, 0)
+	if (DynLdr.startservicea(rh, 0, 0) == 0)
+		raise "cannot start service"
+	end
+	DynLdr.CloseServiceHandle(rh)
+	DynLdr.CloseServiceHandle(sh)
+end
+def unloadmod(mod=$drv)
+	sh = DynLdr.openscmanagera(0, 0, DynLdr::SC_MANAGER_ALL_ACCESS)
+	raise "cannot openscm" if (sh == 0)
+	rh = DynLdr.openservicea(sh, mod, DynLdr::SERVICE_ALL_ACCESS)
+	DynLdr.controlservice(rh, DynLdr::SERVICE_CONTROL_STOP, 0.chr*4*32)
+	DynLdr.deleteservice(rh)
+	DynLdr.CloseServiceHandle(rh)
+	DynLdr.CloseServiceHandle(sh)
+end
+def trace(tid, delay=1)
+	# put thread in singlestep mode
+	th = DynLdr.openthread(DynLdr::THREAD_GET_CONTEXT | DynLdr::THREAD_SET_CONTEXT | DynLdr::THREAD_SUSPEND_RESUME, 0, tid)
+	raise "openthread" if (th == 0)
+	DynLdr.suspendthread(th)
+	ctx = 0.chr * 1024
+	ctx[0, 4] = [DynLdr::CONTEXT_CONTROL].pack('V')
+	DynLdr.getthreadcontext(th, ctx)
+	ctx[192, 4] = [ctx[192, 4].unpack('V').first | (1 << 8)].pack('V')
+	DynLdr.setthreadcontext(th, ctx)
+	DynLdr.resumethread(th)
+	DynLdr.closehandle(th)
+	buf = 0.chr * 4 * TRACE_BUF_SZ
+	loop do
+		sleep delay.to_f
+		nr = DynLdr.get_trace_buf(buf)
+		puts "got #{'%x' % nr} instrs"
+		# eips = buf[4, 4*nr].unpack('V*')
+	end
+ensure
+	th = DynLdr.openthread(DynLdr::THREAD_GET_CONTEXT | DynLdr::THREAD_SET_CONTEXT | DynLdr::THREAD_SUSPEND_RESUME, 0, tid)
+	if (th != 0)
+		DynLdr.suspendthread(th)
+		ctx = 0.chr * 1024
+		ctx[0, 4] = [DynLdr::CONTEXT_CONTROL].pack('V')
+		DynLdr.getthreadcontext(th, ctx)
+		ctx[192, 4] = [ctx[192, 4].unpack('V').first & ~(1 << 8)].pack('V')
+		DynLdr.setthreadcontext(th, ctx)
+		DynLdr.resumethread(th)
+		DynLdr.closehandle(th)
+	end
+end
+if $0 == __FILE__
+	case ARGV.shift
+	when /unload/; unloadmod(*ARGV)
+	when /load/; loadmod(*ARGV)
+	when /trace/; trace(*ARGV)
+	end
+end

data/samples/rubstop.rb ADDED

@@ -0,0 +1,399 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+#
+# this exemple illustrates the use of the PTrace class to implement a pytstop-like functionnality
+# Works on linux/x86
+#
+require 'metasm'
+class Rubstop < Metasm::PTrace
+	EFLAGS = {0 => 'c', 2 => 'p', 4 => 'a', 6 => 'z', 7 => 's', 9 => 'i', 10 => 'd', 11 => 'o'}
+	# define accessors for registers
+	%w[eax ebx ecx edx ebp esp edi esi eip orig_eax eflags dr0 dr1 dr2 dr3 dr6 dr7 cs ds es fs gs].each { |reg|
+		define_method(reg) { peekusr(REGS_I386[reg.upcase]) & 0xffffffff }
+		define_method(reg+'=') { |v|
+			@regs_cache[reg] = v
+			v = [v & 0xffffffff].pack('L').unpack('l').first if v >= 0x8000_0000
+			pokeusr(REGS_I386[reg.upcase], v)
+		}
+	}
+	def cont(signal=0)
+		@ssdontstopbp = nil
+		singlestep(true) if @wantbp
+		super(signal)
+		::Process.waitpid(@pid)
+		return if child.exited?
+		@oldregs.update @regs_cache
+		readregs
+		checkbp
+	end
+	def singlestep(justcheck=false)
+		super()
+		::Process.waitpid(@pid)
+		return if child.exited?
+		case @wantbp
+		when ::Integer; bpx @wantbp ; @wantbp = nil
+		when ::String; self.dr7 |= 1 << (2*@wantbp[2, 1].to_i) ; @wantbp = nil
+		end
+		return if justcheck
+		@oldregs.update @regs_cache
+		readregs
+		checkbp
+	end
+	def stepover
+		i = curinstr.instruction if curinstr
+		if i and (i.opname == 'call' or (i.prefix and i.prefix[:rep]))
+			eaddr = @regs_cache['eip'] + curinstr.bin_length
+			bpx eaddr, true
+			cont
+		else
+			singlestep
+		end
+	end
+	def stepout
+		# XXX @regs_cache..
+		stepover until curinstr.opcode.name == 'ret'
+		singlestep
+	end
+	def syscall
+		@ssdontstopbp = nil
+		singlestep(true) if @wantbp
+		super()
+		::Process.waitpid(@pid)
+		return if child.exited?
+		@oldregs.update @regs_cache
+		readregs
+		checkbp
+	end
+	def state; :stopped end
+	def ptrace; self end
+	attr_accessor :pgm, :regs_cache, :breakpoints, :singleshot, :wantbp,
+		:symbols, :symbols_len, :filemap, :has_pax, :oldregs
+	def initialize(*a)
+		super(*a)
+		@pgm = Metasm::ExeFormat.new Metasm::Ia32.new
+		@pgm.encoded = Metasm::EncodedData.new Metasm::LinuxRemoteString.new(@pid)
+		@pgm.encoded.data.dbg = self
+		@regs_cache = {}
+		@oldregs = {}
+		readregs
+		@oldregs.update @regs_cache
+		@breakpoints = {}
+		@singleshot = {}
+		@wantbp = nil
+		@symbols = {}
+		@symbols_len = {}
+		@filemap = {}
+		@has_pax = false
+		stack = self[regs_cache['esp'], 0x1000].to_str.unpack('L*')
+		stack.shift	# argc
+		stack.shift until stack.empty? or stack.first == 0	# argv
+		stack.shift
+		stack.shift until stack.empty? or stack.first == 0	# envp
+		stack.shift
+		stack.shift until stack.empty? or stack.shift == 3	# find PHDR ptr in auxv
+		if phdr = stack.shift
+			phdr &= 0xffff_f000
+			loadsyms phdr, phdr.to_s(16)
+		end
+	end
+	def set_pax(bool)
+		if bool
+			@pgm.encoded.data.invalidate
+			code = @pgm.encoded.data[eip, 4]
+			if code != "\0\0\0\0" and @pgm.encoded.data[eip+0x6000_0000, 4] == code
+				@has_pax = 'segmexec'
+			else
+				@has_pax = 'pax'
+			end
+		else
+			@has_pax = false
+		end
+	end
+	def readregs
+		%w[eax ebx ecx edx esi edi esp ebp eip orig_eax eflags dr0 dr1 dr2 dr3 dr6 dr7 cs ds].each { |r| @regs_cache[r] = send(r) }
+		@curinstr = nil if @regs_cache['eip'] != @oldregs['eip']
+		@pgm.encoded.data.invalidate
+	end
+	def curinstr
+		@curinstr ||= mnemonic_di
+	end
+	def child
+		$?
+	end
+	def checkbp
+		::Process::waitpid(@pid, ::Process::WNOHANG) if not child
+		return if not child
+		if not child.stopped?
+			if child.exited?;      log "process exited with status #{child.exitstatus}"
+			elsif child.signaled?; log "process exited due to signal #{child.termsig} (#{Signal.list.index child.termsig})"
+			else                log "process in unknown status #{child.inspect}"
+			end
+			return
+		elsif child.stopsig != ::Signal.list['TRAP']
+			log "process stopped due to signal #{child.stopsig} (#{Signal.list.index child.stopsig})"
+			return	# do not check 0xcc at eip-1 ! ( if curinstr.bin_length == 1 )
+		end
+		ccaddr = @regs_cache['eip']-1
+		if @breakpoints[ccaddr] and self[ccaddr] == 0xcc
+			if @ssdontstopbp != ccaddr
+				self[ccaddr] = @breakpoints.delete ccaddr
+				self.eip = ccaddr
+				@wantbp = ccaddr if not @singleshot.delete ccaddr
+				@ssdontstopbp = ccaddr
+			else
+				@ssdontstopbp = nil
+			end
+		elsif @regs_cache['dr6'] & 15 != 0
+			dr = (0..3).find { |dr_| @regs_cache['dr6'] & (1 << dr_) != 0 }
+			@wantbp = "dr#{dr}" if not @singleshot.delete @regs_cache['eip']
+			self.dr6 = 0
+			self.dr7 = @regs_cache['dr7'] & (0xffff_ffff ^ (3 << (2*dr)))
+			readregs
+		end
+	end
+	def bpx(addr, singleshot=false)
+		@singleshot[addr] = singleshot
+		return if @breakpoints[addr]
+		if @has_pax
+			set_hwbp 'x', addr
+		else
+			begin
+				@breakpoints[addr] = self[addr]
+				self[addr] = 0xcc
+			rescue Errno::EIO
+				log 'i/o error when setting breakpoint, switching to PaX mode'
+				set_pax true
+				@breakpoints.delete addr
+				bpx(addr, singleshot)
+			end
+		end
+	end
+	def mnemonic_di(addr = eip)
+		@pgm.encoded.ptr = addr
+		di = @pgm.cpu.decode_instruction(@pgm.encoded, addr)
+		@curinstr = di if addr == @regs_cache['eip']
+		di
+	end
+	def mnemonic(addr=eip)
+		mnemonic_di(addr).instruction
+	end
+	def regs_dump
+		[%w[eax ebx ecx edx orig_eax], %w[ebp esp edi esi eip]].map { |l|
+			l.map { |reg| "#{reg}=#{'%08x' % @regs_cache[reg]}" }.join(' ')
+		}.join("\n")
+	end
+	def findfilemap(s)
+		@filemap.keys.find { |k| @filemap[k][0] <= s and @filemap[k][1] > s } || '???'
+	end
+	def findsymbol(k)
+		file = findfilemap(k) + '!'
+		if s = @symbols[k] ? k : @symbols.keys.find { |s_| s_ < k and s_ + @symbols_len[s_].to_i > k }
+			file + @symbols[s] + (s == k ? '' : "+#{(k-s).to_s(16)}")
+		else
+			file + ('%08x' % k)
+		end
+	end
+	def set_hwbp(type, addr, len=1)
+		dr = (0..3).find { |dr_| @regs_cache['dr7'] & (1 << (2*dr_)) == 0 and @wantbp != "dr#{dr}" }
+		if not dr
+			log 'no debug reg available :('
+			return false
+		end
+		@regs_cache['dr7'] &= 0xffff_ffff ^ (0xf << (16+4*dr))
+		case type
+		when 'x'; addr += (@has_pax == 'segmexec' ? 0x6000_0000 : 0)
+		when 'r'; @regs_cache['dr7'] |= (((len-1)<<2)|3) << (16+4*dr)
+		when 'w'; @regs_cache['dr7'] |= (((len-1)<<2)|1) << (16+4*dr)
+		end
+		send("dr#{dr}=", addr)
+		self.dr6 = 0
+		self.dr7 = @regs_cache['dr7'] | (1 << (2*dr))
+		readregs
+		true
+	end
+	def clearbreaks
+		@wantbp = nil if @wantbp == @regs_cache['eip']
+		@breakpoints.each { |addr, oct| self[addr, 1] = oct }
+		@breakpoints.clear
+		if @regs_cache['dr7'] & 0xff != 0
+			self.dr7 = 0
+			readregs
+		end
+	end
+	def loadsyms(baseaddr, name)
+		@loadedsyms ||= {}
+		return if @loadedsyms[name] or self[baseaddr, 4] != "\x7fELF"
+		@loadedsyms[name] = true
+		set_status " loading symbols from #{name}..."
+		e = Metasm::LoadedELF.load self[baseaddr, 0x100_0000]
+		e.load_address = baseaddr
+		begin
+			e.decode
+			#e = Metasm::ELF.decode_file name rescue return 	# read from disk
+		rescue
+			log "failed to load symbols from #{name}: #$!"
+			($!.backtrace - caller).each { |l| log l.chomp }
+			@filemap[baseaddr.to_s(16)] = [baseaddr, baseaddr+0x1000]
+			return
+		end
+		if e.tag['SONAME']
+			name = e.tag['SONAME']
+			return if name and @loadedsyms[name]
+			@loadedsyms[name] = true
+		end
+		last_s = e.segments.reverse.find { |s| s.type == 'LOAD' }
+		vlen = last_s.vaddr + last_s.memsz
+		vlen -= baseaddr if e.header.type == 'EXEC'
+		@filemap[name] = [baseaddr, baseaddr + vlen]
+		oldsyms = @symbols.length
+		e.symbols.each { |s|
+			next if not s.name or s.shndx == 'UNDEF'
+			sname = s.name
+			sname = 'weak_'+sname if s.bind == 'WEAK'
+			sname = 'local_'+sname if s.bind == 'LOCAL'
+			v = s.value
+			v = baseaddr + v if v < baseaddr
+			@symbols[v] = sname
+			@symbols_len[v] = s.size
+		}
+		if e.header.type == 'EXEC'
+			@symbols[e.header.entry] = 'entrypoint'
+		end
+		set_status nil
+		log "loaded #{@symbols.length-oldsyms} symbols from #{name} at #{'%08x' % baseaddr}"
+	end
+	def loadallsyms
+		File.read("/proc/#{@pid}/maps").each { |l|
+			name = l.split[5]
+			loadsyms l.to_i(16), name if name and name[0] == ?/
+		}
+	end
+	def loadmap(mapfile)
+		# file fmt: addr type name eg 'c01001ba t setup_idt'
+		minaddr = maxaddr = nil
+		File.read(mapfile).each { |l|
+			addr, type, name = l.chomp.split
+			addr = addr.to_i(16)
+			minaddr = addr if not minaddr or minaddr > addr
+			maxaddr = addr if not maxaddr or maxaddr < addr
+			@symbols[addr] = name
+		}
+		if minaddr
+			@filemap[minaddr.to_s(16)] = [minaddr, maxaddr+1]
+		end
+	end
+	def scansyms
+		addr = 0
+		fd = @pgm.encoded.data.readfd
+		while addr <= 0xffff_f000
+			addr = 0xc000_0000 if @has_pax and addr == 0x6000_0000
+			log "scansym: #{'%08x' % addr}" if addr & 0x0fff_ffff == 0
+			fd.pos = addr
+			loadsyms(addr, '%08x'%addr) if (fd.read(4) == "\x7fELF" rescue false)
+			addr += 0x1000
+		end
+	end
+	def backtrace
+		s = findsymbol(@regs_cache['eip'])
+		if block_given?
+			yield s
+		else
+			bt = []
+			bt << s
+		end
+		fp = @regs_cache['ebp']
+		while fp >= @regs_cache['esp'] and fp <= @regs_cache['esp']+0x10000
+			s = findsymbol(self[fp+4, 4].unpack('L').first)
+			if block_given?
+				yield s
+			else
+				bt << s
+			end
+			fp = self[fp, 4].unpack('L').first
+		end
+		bt
+	end
+	def [](addr, len=nil)
+		@pgm.encoded.data[addr, len]
+	end
+	def []=(addr, len, str=nil)
+		@pgm.encoded.data[addr, len] = str
+	end
+	attr_accessor :logger
+	def log(s)
+		@logger ||= $stdout
+		@logger.puts s
+	end
+	# set a temporary status info (nil for default value)
+	def set_status(s)
+		@logger ||= $stdout
+		if @logger != $stdout
+			@logger.statusline = s
+		else
+			s ||= ' '*72
+			@logger.print s + "\r"
+			@logger.flush
+		end
+	end
+end
+if $0 == __FILE__
+	# start debugging
+	rs = Rubstop.new(ARGV.shift)
+	begin
+		while rs.child.stopped? and rs.child.stopsig == Signal.list['TRAP']
+			if $VERBOSE
+				puts "#{'%08x' % rs.eip} #{rs.mnemonic}"
+				rs.singlestep
+			else
+				rs.syscall ; rs.syscall	# wait return of syscall
+				puts "#{rs.orig_eax.to_s.ljust(3)} #{rs.syscallnr.index rs.orig_eax}"
+			end
+		end
+		p rs.child
+		puts rs.regs_dump
+	rescue Interrupt
+		rs.detach rescue nil
+		puts 'interrupted!'
+	rescue Errno::ESRCH
+	end
+end