metasm 1.0.0

data/samples/win32genloader.rb

@@ -0,0 +1,132 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+# This samples generates a binary loader that will load and patch a Win32 program in memory
+# The patch data are read from assembly files named 'patch_<hex addr>.asm'
+# The 1st mandatory argument is the name of the target binary to load
+# The 2nd optional argument is the name of the loader to be generated
+
+require 'metasm'
+
+target = ARGV.shift
+loader = ARGV.shift || "loader.exe"
+
+abort "need a target binary name to load&patch" if not target
+
+cpu = Metasm::Ia32.new
+
+# assemble the patches, to put the binary in the C source
+patches = Dir['patch_*.asm'].map { |f|
+	puts " [+] assembling #{f}"
+	addr = f[/patch_(.*)\.asm/, 1].to_i(16)
+	sc = Metasm::Shellcode.assemble_file(cpu, f)
+	sc.base_addr = addr
+	raw = sc.encode_string
+	[addr, raw]
+}
+
+
+# the C program skeleton
+c_src = <<EOS
+
+void main(void)
+{
+	static PROCESS_INFORMATION pi;
+	static STARTUPINFO si = { .cb = sizeof(si) };
+	int i;
+
+	CreateProcess(#{target.inspect}, 0, 0, 0, 0, CREATE_SUSPENDED, 0, 0, &si, &pi);
+
+	#{patches.map { |addr, raw|
+		"WriteProcessMemory(pi.hProcess, (void*)#{'0x%X' % addr}, #{raw.inspect}, #{raw.length}, 0);"
+	}.join("\n\t")}
+
+	CloseHandle(pi.hProcess);
+
+	ResumeThread(pi.hThread);
+	CloseHandle(pi.hThread);
+
+	ExitProcess(0);
+}
+EOS
+
+
+# the winapi definitions (generated by factorize_headers.rb)
+c_hdr = <<EOS
+#define CREATE_SUSPENDED 0x00000004
+#define CreateProcess CreateProcessA
+
+typedef int BOOL;
+typedef unsigned char BYTE;
+typedef char CHAR;
+typedef unsigned long DWORD;
+typedef void *HANDLE;
+typedef const void *LPCVOID;
+typedef void *LPVOID;
+typedef unsigned int UINT;
+typedef unsigned long ULONG_PTR;
+typedef unsigned short WORD;
+
+__stdcall BOOL CloseHandle __attribute__((dllimport))(HANDLE hObject);
+__noreturn __stdcall void ExitProcess __attribute__((dllimport))(UINT uExitCode);
+typedef BYTE *LPBYTE;
+typedef const CHAR *LPCSTR;
+typedef CHAR *LPSTR;
+__stdcall DWORD ResumeThread __attribute__((dllimport))(HANDLE hThread);
+typedef ULONG_PTR SIZE_T;
+
+struct _PROCESS_INFORMATION {
+	HANDLE hProcess;
+	HANDLE hThread;
+	DWORD dwProcessId;
+	DWORD dwThreadId;
+};
+
+struct _SECURITY_ATTRIBUTES {
+	DWORD nLength;
+	LPVOID lpSecurityDescriptor;
+	BOOL bInheritHandle;
+};
+
+typedef struct _PROCESS_INFORMATION *LPPROCESS_INFORMATION;
+typedef struct _SECURITY_ATTRIBUTES *LPSECURITY_ATTRIBUTES;
+typedef struct _PROCESS_INFORMATION PROCESS_INFORMATION;
+__stdcall BOOL WriteProcessMemory __attribute__((dllimport))(HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesWritten);
+
+struct _STARTUPINFOA {
+	DWORD cb;
+	LPSTR lpReserved;
+	LPSTR lpDesktop;
+	LPSTR lpTitle;
+	DWORD dwX;
+	DWORD dwY;
+	DWORD dwXSize;
+	DWORD dwYSize;
+	DWORD dwXCountChars;
+	DWORD dwYCountChars;
+	DWORD dwFillAttribute;
+	DWORD dwFlags;
+	WORD wShowWindow;
+	WORD cbReserved2;
+	LPBYTE lpReserved2;
+	HANDLE hStdInput;
+	HANDLE hStdOutput;
+	HANDLE hStdError;
+};
+
+typedef struct _STARTUPINFOA *LPSTARTUPINFOA;
+typedef struct _STARTUPINFOA STARTUPINFOA;
+
+__stdcall BOOL CreateProcessA __attribute__((dllimport))(LPCSTR lpApplicationName, LPSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCSTR lpCurrentDirectory, LPSTARTUPINFOA lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation);
+typedef STARTUPINFOA STARTUPINFO;
+EOS
+
+
+puts c_src, ''
+
+# compile the loader
+Metasm::PE.compile_c(cpu, c_hdr+c_src).encode_file(loader)
+
+puts " [+] #{loader} saved"

data/samples/win32hooker-advanced.rb

@@ -0,0 +1,169 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+#
+# in this exemple we will patch a process specified on the commandline (pid or part of the image name)
+# we will retrieve the user32.dll library mapped, and hook every exported function.
+# each hook will redirect the code flow to our shellcode, which will display the hooked function
+# name in a messagebox.
+# The hook is this time a real hook: we overwrite the first instructions with a jump to our code,
+# and run those overwritten instruction again before giving control back to original function.
+#
+# usage: ruby w32hook-advance.rb notepad
+# use ruby -d to impress your friends :)
+#
+# XXX obsolete, should replace all virtallocex etc by WinOS calls
+
+require 'metasm'
+
+include Metasm
+
+# open target
+WinOS.get_debug_privilege
+if not pr = WinOS.find_process(ARGV.first)
+	# display list of running processes and exit
+	puts WinOS.list_processes.sort_by { |pr_| pr_.pid }
+	exit
+end
+raise 'cannot open target process' if not pr.handle
+
+# the main shellcode
+sc = Shellcode.assemble Ia32.new, <<EOS
+main_hook:
+ pushfd				; save registers
+ pushad
+
+ mov eax, dword ptr [in_hook]	; check if we are in the hook (yay threadsafe)
+ test eax, eax
+ jnz main_hook_done
+ mov dword ptr [in_hook], 1
+
+ mov eax, dword ptr [esp+4+4*9]	; get the function name (1st argument)
+
+ push 0
+ push eax
+ push eax
+ push 0
+ call messageboxw
+
+ mov dword ptr [in_hook], 0
+main_hook_done:
+ popad
+ popfd
+ ret 4
+
+.align 4
+in_hook   dd 0			; l33t mutex
+EOS
+
+# this is where we store every function hook
+hooks = {}
+prepare_hook = lambda { |mpe, base, export|
+	hooklabel = sc.new_label('hook')
+	namelabel = sc.new_label('name')
+
+	# this will overwrite the function entrypoint
+	target = base + export.target
+	hooks[target] = Shellcode.new(sc.cpu).share_namespace(sc).parse("jmp #{hooklabel}").assemble.encoded
+
+	# backup the overwritten instructions
+	# retrieve instructions until their length is >= our hook length
+	mpe.encoded.ptr = export.target
+	sz = 0
+	overwritten = []
+	while sz < hooks[target].length
+		di = sc.cpu.decode_instruction mpe.encoded, target
+		if not di or not di.opcode or not di.instruction
+			puts "W: unknown instruction in #{export.name} !"
+			break
+		end
+		overwritten << di.instruction
+		sz += di.bin_length
+	end
+	puts "overwritten at #{export.name}:", overwritten, '' if $DEBUG
+	resumeaddr = target + sz
+
+	# append the call-specific shellcode to the main hook code
+	sc.cursource << Label.new(hooklabel)
+	sc.parse <<EOS
+ push #{namelabel}
+ call main_hook		; log the call
+; rerun the overwritten instructions
+#{overwritten.join("\n")}
+ jmp #{resumeaddr}	; get back to original code flow
+EOS
+	sc.cursource << Label.new(namelabel)
+	sc.parse "dw #{export.name.inspect}, 0"
+}
+
+msgboxw = nil
+# decode interesting libraries from address space
+pr.modules[1..-1].each { |m|
+	# search for messageboxw
+	if m.path =~ /user32/i
+		mpe = LoadedPE.load pr.memory[m.addr, 0x1000000]
+		mpe.decode_header
+		mpe.decode_exports
+		mpe.export.exports.each { |e| msgboxw = m.addr + mpe.label_rva(e.target) if e.name == 'MessageBoxW' }
+	end
+	# prepare hooks
+	next if m.path !~ /user32/i	# filter interesting libraries
+	puts "handling #{File.basename m.path}" if $VERBOSE
+
+	if not mpe
+		mpe = LoadedPE.load pr.memory[m.addr, 0x1000000]
+		mpe.decode_header
+		mpe.decode_exports
+	end
+	next if not mpe.export or not mpe.export.exports
+
+	# discard exported data
+	text = mpe.sections.find { |s| s.name == '.text' }
+	mpe.export.exports.each { |e|
+		next if not e.target or not e.name
+		next if e.name =~ /(?:Translate|Get|Dispatch)Message|CallNextHookEx|TranslateAccelerator/
+
+		# ensure we have an offset and not a label name
+		e.target = mpe.label_rva(e.target)
+
+		# ensure the exported thing is in the .text section
+		next if e.target < text.virtaddr or e.target >= text.virtaddr + text.virtsize
+
+		# prepare the hook
+		prepare_hook[mpe, m.addr, e]
+	}
+}
+
+raise 'Did not find MessageBoxW !' if not msgboxw
+
+puts 'linking...'
+sc.assemble
+puts 'done'
+
+# allocate memory for our code
+raise 'remote allocation failed' if not injected_addr = WinAPI.virtualallocex(pr.handle, 0, sc.encoded.length, WinAPI::MEM_COMMIT|WinAPI::MEM_RESERVE, WinAPI::PAGE_EXECUTE_READWRITE)
+
+puts "Injecting hooks at #{'%x' % injected_addr}"
+
+# fixup & inject our code
+binding = { 'messageboxw' => msgboxw }
+hooks.each { |addr, edata| binding.update edata.binding(addr) }
+binding.update sc.encoded.binding(injected_addr)
+
+# fixup
+sc.encoded.fixup(binding)
+# inject
+pr.memory[injected_addr, sc.encoded.data.length] = sc.encoded.data
+
+# now overwrite entry points
+hooks.each { |addr, edata|
+	edata.fixup(binding)
+	pr.memory[addr, edata.data.length] = edata.data
+}
+
+puts 'done'
+
+WinAPI.closehandle(pr.handle)

data/samples/win32hooker.rb

@@ -0,0 +1,96 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+#
+# in this exemple we will patch a process specified on the commandline (pid or part of image name)
+# the IAT entry matching /WriteFile/ will be replaced by a pointer to a malicious code we inject,
+# which calls back the original function.
+# Our shellcode will display the first bytes of the data to be written, using MessageBoxW (whose
+# pointer is also retrieved from the target IAT)
+#
+# usage: ruby w32hook.rb notepad ; then go in notepad, type some words and save to a file
+#
+
+require 'metasm'
+
+include Metasm
+
+# open target
+WinOS.get_debug_privilege
+if not pr = WinOS.find_process(ARGV.first)
+	# display list of running processes if no target found
+	puts WinOS.list_processes.sort_by { |pr_| pr_.pid }
+	exit
+end
+raise 'cannot open target process' if not pr.handle
+
+# read the target PE structure
+pe = LoadedPE.load pr.memory[pr.modules[0].addr, 0x1000000]
+pe.decode_header
+pe.decode_imports
+
+# find iat entries
+target = nil
+target_p = nil
+msgboxw_p = nil
+iat_entry_len = pe.encode_xword(0).length	# 64bits portable ! (shellcode probably won't work)
+pe.imports.each { |id|
+	id.imports.each_with_index { |i, idx|
+		case i.name
+		when 'MessageBoxW'
+			msgboxw_p = pr.modules[0].addr + id.iat_p + iat_entry_len * idx
+		when /WriteFile/
+			target_p  = pr.modules[0].addr + id.iat_p + iat_entry_len * idx
+			target = id.iat[idx]
+		end
+	}
+}
+raise "iat entries not found" if not target or not msgboxw_p
+
+# here we write our shellcode (no need to code position-independant)
+sc = Shellcode.assemble(Ia32.new, <<EOS)
+pushad
+mov esi, dword ptr [esp+20h+8]	; 2nd arg = buffer
+mov edi, message
+mov ecx, 19
+xor eax, eax
+copy_again:
+lodsb
+stosw
+loop copy_again
+
+push 0
+push title
+push message
+push 0
+call [msgboxw]
+popad
+jmp  target
+
+.align 4
+; strings to display
+message dw 20 dup(?)
+title dw 'I see what you did there...', 0
+EOS
+
+# alloc some space in the remote process to put our shellcode
+raise 'remote allocation failed' if not injected = WinAPI.virtualallocex(pr.handle, 0, sc.encoded.length, WinAPI::MEM_COMMIT|WinAPI::MEM_RESERVE, WinAPI::PAGE_EXECUTE_READWRITE)
+puts "injected malicous code at %x" % injected
+
+# fixup the shellcode with its known base address, and with the addresses it will need from the IAT
+sc.base_addr = injected
+sc.encoded.fixup! 'msgboxw' => msgboxw_p, 'target' => target
+raw = sc.encode_string
+
+# inject the shellcode
+pr.memory[injected, raw.length] = raw
+
+# rewrite iat entry
+iat_h = pe.encode_xword(injected).data
+pr.memory[target_p, iat_h.length] = iat_h
+
+# done
+WinAPI.closehandle(pr.handle)

data/samples/win32livedasm.rb

@@ -0,0 +1,33 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+require 'metasm'
+Metasm.require 'samples/metasm-shell'
+
+include Metasm
+
+# open target
+WinOS.get_debug_privilege
+if not pr = WinOS.find_process(ARGV.first)
+	puts WinOS.list_processes.sort_by { |pr_| pr_.pid }
+	exit
+end
+
+# retrieve the pe load address
+baseaddr = pr.modules[0].addr
+
+# decode the COFF headers
+pe = Metasm::LoadedPE.load pr.memory[baseaddr, 0x100000]
+pe.decode_header
+
+# get the entrypoint address
+eip = baseaddr + pe.label_rva(pe.optheader.entrypoint)
+
+# use degraded disasm mode: assume all calls will return
+String.cpu.opcode_list.each { |op| op.props.delete :stopexec if op.props[:saveip] }
+
+# disassemble & dump opcodes
+puts pe.encoded[pe.optheader.entrypoint, 0x100].data.decode(eip)

data/samples/win32remotescan.rb

@@ -0,0 +1,133 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+# here we compile and inject a C stub into a running process
+# the sample stub will scan the whole process memory for a 32bit value (aligned)
+# and report the results using MessageBox
+#
+# This shows how to mix C and asm, and a few WinOS functions.
+
+require 'metasm'
+
+include Metasm
+
+abort 'usage: scan <targetprocess> <value>' if ARGV.length != 2
+targetproc = ARGV.shift
+searchval = Integer(ARGV.shift)
+
+raise 'cannot find target' if not target = WinOS.find_process(targetproc)
+
+sc = Shellcode.compile_c(Ia32.new, <<'EOC')
+asm {
+sc_start:
+xor edi, edi
+mov ebp, edi	// ebp = match count
+push fs:[edi]	// backup UEH
+call setup_ueh
+
+// our UEH: edi += 4k, check for end of addrspace
+ueh:
+mov eax, [esp+0ch]
+add eax, 7ch		// optimize code size
+add dword ptr [eax+21h], 10h	// ctx[edi] += 4k
+cmp word ptr [eax+22h], -1
+jb ueh_retloc
+
+call ueh_endloop	// ctx[eip] = &jmp walk_loop_end
+jmp walk_loop_end
+ueh_endloop:
+pop dword ptr [eax+3ch]
+
+ueh_retloc:
+xor eax, eax
+ret			// UEH: return(CONTINUE)
+// end of UEH
+
+setup_ueh:
+push -1
+mov fs:[edi], esp
+mov eax, SEARCHEDVALUE
+
+walk_loop_next:
+cmp edi, 0xffff_fff0
+jae walk_loop_end
+scasd
+jnz walk_loop_next
+
+found:
+call found_value
+
+jmp walk_loop_next
+
+walk_loop_end:
+pop eax
+pop ebx
+inc eax
+pop dword ptr fs:[eax]
+
+call metasm_intern_geteip
+mov [eax+matchcount-metasm_intern_geteip], ebp
+
+call scan_finished
+
+// virtualfree shellcode & exitthread
+push 8000h	// type = MEM_RELEASE
+push 0		// size = 0
+call end_getaddr	// addr = sc_start
+end_getaddr:
+add dword ptr [esp], end_getaddr - sc_start
+push ExitThread
+jmp VirtualFree
+// end of main
+
+
+// found new match at edi
+found_value:
+push eax
+cmp ebp, 1024
+jae skipsave
+call metasm_intern_geteip
+add eax, table - metasm_intern_geteip
+sub edi, 4
+mov dword ptr [eax+4*ebp], edi
+add edi, 4
+inc ebp
+skipsave:
+pop eax
+mov dword ptr [esp-4], 0	// hide the searched value from our stack
+ret
+
+}
+
+__declspec(stdcall) void MessageBoxA(int, char*, char*, int);
+int wsprintfA(char *buf, char *fmt, ...);
+
+unsigned long table[1024];
+unsigned long matchcount;
+char outbuf[4096];
+
+void scan_finished(void)
+{
+	int off = 0;
+	int i;
+
+	off += wsprintfA(outbuf+off, "Found %d matches: ", matchcount);
+	for (i=0 ; i<matchcount ; i++) {
+		if (off > sizeof(outbuf)-20)
+			break;
+		off += wsprintfA(outbuf+off, "%X, ", table[i]);
+	}
+	outbuf[off-2] = '.';
+	outbuf[off-1] = 0;
+
+	MessageBoxA(0, outbuf, "search finished", 0);
+}
+EOC
+
+sc = sc.encoded
+
+sc.fixup! 'SEARCHEDVALUE' => searchval
+
+WinOS.inject_run_shellcode(target, sc)