metasm 1.0.0

data/samples/scan_pt_gnu_stack.rb

@@ -0,0 +1,54 @@
+#!/usr/bin/env ruby
+
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+#
+# this script scans directories recursively for ELF files which have a PT_GNU_STACK rwe or absent
+# usage : scan_pt_gnu_stack.rb <dir> [<dir>]
+#
+
+require 'metasm'
+
+def _puts(a)
+	puts a.to_s.ljust(60)
+end
+def _printadv(a)
+	$stderr.print a.to_s.ljust(60)[-60, 60] + "\r"
+end
+
+# the recursive scanning procedure
+iter = lambda { |f|
+	if File.symlink? f
+	elsif File.directory? f
+		# show where we are & recurse
+		_printadv f
+		Dir[ File.join(f, '*') ].each { |ff|
+ 			iter[ff]
+ 		}
+	else
+		# interpret any file as a ELF
+		begin
+			elf = Metasm::ELF.decode_file_header(f)
+			next if not elf.segments or elf.header.type == 'REL'
+			seg = elf.segments.find { |seg_| seg_.type == 'GNU_STACK' }
+			if not seg
+				_puts "PT_GNU_STACK absent : #{f}"
+			elsif seg.flags.include? 'X'
+				_puts "PT_GNU_STACK RWE :    #{f}"
+			else
+				_puts "#{f} : #{seg.inspect}" if $VERBOSE
+			end
+		rescue
+			# the file is not a valid ELF
+			_puts "E: #{f} #{$!}" if $VERBOSE
+		end
+	end
+}
+
+# go
+ARGV.each { |dir| iter[dir] }
+
+_printadv ''

data/samples/scanpeexports.rb

@@ -0,0 +1,62 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+# 
+# this script scans a directory for PE files which export a given symbol name (regexp case-insensitive)
+# usage : ruby scanpeexports.rb <dir> <pattern>
+#
+
+require 'metasm'
+
+if not base = ARGV.shift
+	puts 'base dir ?'
+	base = gets.chomp
+end
+if not pat = ARGV.shift
+	puts 'pattern ?'
+	pat = gets.chomp
+	puts 'searching...'
+end
+
+def _puts(a)
+	puts a.to_s.ljust(60)
+end
+def _printadv(a)
+	$stderr.print a.to_s.ljust(60)[-60, 60] + "\r"
+end
+
+# the recursive scanning procedure
+iter = lambda { |f, match|
+	if File.directory? f
+		# show where we are & recurse
+		_printadv f
+		Dir[ File.join(f, '*') ].each { |ff|
+ 			iter[ff, match]
+ 		}
+	else
+		# interpret any file as a PE
+		begin
+			pe = Metasm::PE.decode_file_header(f)
+			pe.decode_exports
+			next if not pe.export
+			# scan the export directory for the symbol pattern, excluding forwarders
+			pe.export.exports.each { |exp|
+				if exp.name =~ /#{match}/i and not exp.forwarder_lib
+					_puts f + " : " + exp.name
+				end
+			}
+		rescue
+			# the file is not a valid PE
+		end
+	end
+}
+
+# go
+iter[base, pat]
+
+if RUBY_PLATFORM =~ /win32/i
+	_puts "press [enter] to exit"
+	gets
+end

data/samples/shellcode-c.rb

@@ -0,0 +1,40 @@
+#!/usr/bin/env ruby
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+#
+# in this exemple we can write a shellcode using a C function
+#
+
+require 'metasm'
+
+# load and decode the file
+sc = Metasm::Shellcode.new(Metasm::Ia32.new)
+sc.parse <<EOS
+jmp c_func
+
+some_func:
+mov eax, 42
+ret
+EOS
+
+cp = sc.cpu.new_cparser
+cp.parse <<EOS
+void some_func(void);
+/* __declspec(naked) */ void c_func() {
+	int i;
+	for (i=0 ; i<10 ; ++i)
+		some_func();
+}
+EOS
+asm = sc.cpu.new_ccompiler(cp, sc).compile
+
+sc.parse asm
+sc.assemble
+
+sc.encode_file 'shellcode.raw'
+
+puts Metasm::Shellcode.load_file('shellcode.raw', Metasm::Ia32.new).disassemble

data/samples/shellcode-dynlink.rb

@@ -0,0 +1,146 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+# this script compiles a source file (asm or C) into a shellcode that will
+# dynamically resolve the address of functions it uses
+# windows only, supposes the shellcode is run in the address space of a process
+# whose PEB allows to find all required libraries.
+
+require 'metasm'
+
+sc = Metasm::Shellcode.new(Metasm::Ia32.new)
+
+case ARGV[0]
+when /\.c(pp)?$/i
+ 	src_c = File.read(ARGV[0])
+	sc.assemble 'jmp main'
+	sc.compile_c src_c
+when /\.asm$/i
+	src = File.read(ARGV[0])
+	sc.assemble src
+when nil; abort "need sourcefile"
+else abort "unknown srcfile extension"
+end
+
+# find external symbols needed by the shellcode
+ext_syms = sc.encoded.reloc_externals
+
+# resolver code
+sc.parse <<EOS
+get_libbase:
+	mov eax, fs:[0x30]	// peb
+	mov eax, [eax+12]	// peb_ldr
+	add eax, 12		// &inloadorder
+libbase_loop:
+	mov eax, [eax]		// next
+	mov edx, [eax+12*4]	// basename ptr
+	mov cl, [edx+6]
+	shl ecx, 8
+	mov cl, [edx+4]
+	shl ecx, 8
+	mov cl, [edx+2]
+	shl ecx, 8
+	mov cl, [edx]
+	or ecx, 0x20202020	// downcase
+	cmp ecx, [esp+4]
+	jnz libbase_loop
+	mov eax, [eax+6*4]	// baseaddr
+	ret 4
+
+hash_name:
+	push ecx
+	push edx
+	xor eax, eax
+	xor ecx, ecx
+	mov edx, [esp+12]
+	dec edx
+hash_loop:
+	ror eax, 0dh
+	add eax, ecx
+	inc edx
+	mov cl, [edx]
+	test cl, cl
+	jnz hash_loop
+	pop edx
+	pop ecx
+	ret 4
+
+resolve_proc:
+	push ecx
+	push edx
+	push ebp
+	push dword ptr [esp+0x14]	// arg_2
+	call get_libbase
+	mov ebp, eax		// imagebase
+	add eax, [eax+0x3c]	// coffhdr
+	mov edx, [eax+0x78]	// exportdirectory
+	add edx, ebp
+	or ecx, -1
+resolve_loop:
+	inc ecx
+	mov eax, [edx+0x20]	// name
+	add eax, ebp
+	mov eax, [eax+4*ecx]
+	add eax, ebp
+	push eax
+	call hash_name
+	cmp eax, [esp+0x10]	// cmp hash(name[i]), arg_1
+	jnz resolve_loop
+	mov eax, [edx+0x24]	// ord
+	add eax, ebp
+	movzx ecx, word ptr [eax+2*ecx]
+	mov eax, [edx+0x1c]	// func
+	add eax, ebp
+	mov eax, [eax+4*ecx]	// func[ord[i]]
+	add eax, ebp
+	pop ebp
+	pop edx
+	pop ecx
+	ret 8
+EOS
+
+def hash_name(sym)
+	hash = 0
+	sym.each_byte { |char|
+		hash = (((hash >> 0xd) | (hash << (32-0xd))) + char) & 0xffff_ffff
+	}
+	hash
+end
+
+def lib_name(sym)
+	raise "unknown libname for #{sym}" if not lib = Metasm::WindowsExports::EXPORT[sym]
+	n = lib.downcase[0, 4].unpack('C*')
+	n[0] + (n[1]<<8) + (n[2] << 16) + (n[3] << 24)
+end
+
+# encode stub for each symbol
+ext_syms.uniq.each { |sym|
+	next if sym == 'next_payload'
+	sc.parse <<EOS
+#{sym}:
+	push #{lib_name(sym)}
+	push #{hash_name(sym)}
+	call resolve_proc
+	jmp eax
+EOS
+}
+
+# marker to the next payload if the payload is a stager
+sc.assemble "next_payload:"
+
+# output to a file
+sc.encode_file 'shellcode-dynlink.raw'
+
+__END__
+// sample payload
+
+extern __stdcall int MessageBoxA(int, char*, char*, int);
+extern void next_payload(void);
+
+int main(void)
+{
+	MessageBoxA(0, "Hello, world !", "Hi", 0);
+	next_payload();
+}

data/samples/source.asm

@@ -0,0 +1,34 @@
+.pt_gnu_stack rw	// elf-specific instruction
+//.interp none		// request minimal elf, no section/dynamic/interpreter
+
+#define __i386__
+#include <asm/unistd.h>	// can use the C preprocessor
+
+stdout    equ 1		// 'equ' constant definition
+
+syscall macro nr	// asm-style macros
+ mov eax, nr		; the syscall number goes in eax
+ int 80h
+endm
+
+#define syscall1(nr, arg) mov ebx, arg  syscall(__NR_##nr)	// c++-style macros
+#define syscall3(nr, arg1, arg2, arg3) mov edx, arg3  mov ecx, arg2  syscall1(nr, arg1)
+
+.entrypoint		// the elf entrypoint
+ nop nop
+ call 1f		// 1f is the first label named '1' found forward
+toto_str db "toto\n"
+toto_str_len equ $ - toto_str	// $ is the address of the start of the current instruction/data
+
+1:
+ pop ebp
+
+syscall3(write, stdout, ebp, toto_str_len)
+
+/*
+; hang forever
+ jmp $
+*/
+
+syscall1(exit, 0)
+hlt

data/samples/struct_offset.rb

@@ -0,0 +1,47 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+#
+# This exemple illustrates the usage of the C parser to compute the offset of members of a given structure
+# usage: struct_offset.rb <c file> <struct name>
+#
+
+require 'metasm'
+include Metasm
+
+require 'optparse'
+opts = { :hdrs => [], :defs => {}, :path => [], :cpu => 'X86', :offbase => 16 }
+OptionParser.new { |opt|
+	opt.on('-o outfile') { |f| opts[:outfile] = f }
+	opt.on('-H additional_header') { |f| opts[:hdrs] << f }
+	opt.on('-I path', '--includepath path') { |f| opts[:path] << f }
+	opt.on('-D var') { |f| k, v = f.split('=', 2) ; opts[:defs].update k => (v || '') }
+	opt.on('-d') { opts[:offbase] = 10 }
+	opt.on('--cpu CpuClass') { |c| opts[:cpu] = c }
+	opt.on('--gcc') { opts[:gcc] = true }
+	opt.on('--vs', '--visualstudio') { opts[:vs] = true }
+}.parse!(ARGV)
+
+cp = Metasm.const_get(opts[:cpu]).new.new_cparser
+
+cp.prepare_gcc if opts[:gcc]
+cp.prepare_visualstudio if opts[:vs]
+
+pp = cp.lexer
+pp.warn_redefinition = false
+pp.include_search_path[0, 0] = opts[:path]
+opts[:defs].each { |k, v| pp.define k, v }
+
+cp.parse opts[:hdrs].map { |h| "#include <#{h}>" }.join("\n")
+
+abort 'need source + struct name' unless ARGV.length >= 2
+
+cp.parse_file(ARGV.shift)
+
+$stdout.reopen File.open(opts[:outfile], 'w') if opts[:outfile]
+
+ARGV.each { |structname|
+	puts cp.alloc_c_struct(structname)
+}

data/samples/testpe.rb

@@ -0,0 +1,32 @@
+#!/usr/bin/env ruby
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+#
+# a sample application
+#
+
+
+require 'metasm'
+
+pe = Metasm::PE.assemble Metasm::Ia32.new, <<EOS
+.entrypoint
+push 0
+push title
+push message
+push 0
+call messagebox
+
+xor eax, eax
+ret
+
+.import 'user32' MessageBoxA messagebox
+
+.data
+message db 'kikoo lol', 0
+title   db 'blaaa', 0
+EOS
+pe.encode_file 'testpe.exe'

data/samples/testraw.rb

@@ -0,0 +1,45 @@
+#!/usr/bin/env ruby
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+
+# usage: test.rb < source.asm
+
+require 'metasm'
+
+
+dump = ARGV.delete '--dump'
+
+source = ARGF.read
+
+cpu = Metasm::Ia32.new
+shellcode = Metasm::Shellcode.assemble(cpu, source).encode_string
+shellstring = shellcode.unpack('C*').map { |b| '\\x%02x' % b }.join
+
+if dump
+	puts shellstring
+	exit
+end
+
+File.open('test-testraw.c', 'w') { |fd|
+	fd.puts <<EOS
+unsigned char sc[] = "#{shellstring}";
+int main(void)
+{
+	((void (*)())sc)();
+	return 42;
+}
+EOS
+}
+
+system 'gcc -W -Wall -o test-testraw test-testraw.c'
+system 'chpax -psm test-testraw'
+
+puts "running"
+system './test-testraw'
+puts "done"
+#File.unlink 'test-testraw'
+File.unlink 'test-testraw.c'