metasm 1.0.0

data/samples/wintrace.rb

@@ -0,0 +1,92 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+#
+# this is a simple executable tracer for Windows using the
+# Metasm windows debug api abstraction
+# all callbacks are full ruby, so this is extremely slow !
+#
+
+require 'metasm'
+Metasm.require 'samples/metasm-shell'
+
+class Tracer < Metasm::WinDbgAPI
+	def initialize(*a)
+		super(*a)
+		@label = {}
+		@prog = Metasm::ExeFormat.new(Metasm::Ia32.new)
+		loop
+		puts 'finished'
+	end
+
+	def handler_newprocess(pid, tid, info)
+		hide_debugger(pid, tid, info)
+		Metasm::WinAPI::DBG_CONTINUE
+	end
+
+	def handler_newthread(pid, tid, info)
+		do_singlestep(pid, tid)
+		Metasm::WinAPI::DBG_CONTINUE
+	end
+
+	def handler_exception(pid, tid, info)
+		do_singlestep(pid, tid) if @hthread[pid] and @hthread[pid][tid]
+		case info.code
+		when Metasm::WinAPI::STATUS_SINGLE_STEP
+			Metasm::WinAPI::DBG_CONTINUE
+		else super(pid, tid, info)
+		end
+	end
+
+	def handler_loaddll(pid, tid, info)
+		# update @label with exported symbols
+		pe = Metasm::LoadedPE.load(@mem[pid][info.imagebase, 0x1000000])
+		pe.decode_header
+		pe.decode_exports
+		libname = read_str_indirect(pid, info.imagename, info.unicode)
+		if pe.export
+			libname = pe.export.libname if libname == ''
+			pe.export.exports.each { |e|
+				next if not r = pe.label_rva(e.target)
+				@label[info.imagebase + r] = libname + '!' + (e.name || "ord_#{e.ordinal}")
+			}
+		end
+		super(pid, tid, info)
+	end
+
+	# dumps the opcode at eip, sets the trace flag
+	def do_singlestep(pid, tid)
+		ctx = get_context(pid, tid)
+		eip = ctx[:eip]
+
+		if l = @label[eip]
+			puts l + ':'
+		end
+		if $VERBOSE
+		bin = @mem[pid][eip, 16]
+		di = @prog.cpu.decode_instruction(Metasm::EncodedData.new(bin), eip)
+		puts "#{'%08X' % eip} #{di.instruction}"
+		end
+
+		ctx[:eflags] |= 0x100
+	end
+
+	# resets the DebuggerPresent field of the PEB
+	def hide_debugger(pid, tid, info)
+		peb = @mem[pid][info.threadlocalbase + 0x30, 4].unpack('L').first
+		@mem[pid][peb + 2, 2] = [0].pack('S')
+	end
+end
+
+if $0 == __FILE__
+	Metasm::WinOS.get_debug_privilege
+	if ARGV.empty?
+		# display list of running processes if no target found
+		puts Metasm::WinOS.list_processes.sort_by { |pr_| pr_.pid }
+		abort 'target needed'
+	end
+	Tracer.new ARGV.shift.dup
+end

data/tests/all.rb

@@ -0,0 +1,8 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+Dir['tests/*.rb'].each { |f| require f }
+

data/tests/dasm.rb

@@ -0,0 +1,39 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+require 'test/unit'
+require 'metasm'
+
+class TestPreproc < Test::Unit::TestCase
+	include Metasm
+
+	def asm_dasm(src)
+		@cpu ||= Ia32.new
+		raw = Shellcode.assemble(src, @cpu).encode_string
+		dasm = Shellcode.decode(raw, @cpu).disassembler
+		dasm.disassemble_fast(0)
+		dasm
+	end
+
+	def do_test_bd2(src, bd)
+		d = asm_dasm(src)
+		calc_bd = d.compose_bt_binding(*d.decoded[0].block.list)
+		calc_bd.delete_if { |k, v| k.to_s =~ /flag/ }
+		assert_equal bd, calc_bd
+	end
+
+	def test_compose_bt_binding
+		do_test_bd2 'mov eax, 1  mov ebx, 2', :eax => Expression[1], :ebx => Expression[2]
+		do_test_bd2 'mov eax, 1  push eax', :eax => Expression[1], Indirection[:esp, 4] => Expression[1], :esp => Expression[:esp, :+, -4]
+		do_test_bd2 'mov [eax], ebx  mov [eax], ecx', Indirection[:eax, 4] => Expression[:ecx]
+		do_test_bd2 'add eax, 4  mov [eax], ecx', Indirection[:eax, 4] => Expression[:ecx], :eax => Expression[:eax, :+, 4]
+		do_test_bd2 'mov [eax], ecx  mov ebx, eax', :ebx => Expression[:eax], Indirection[:eax, 4] => Expression[:ecx], Indirection[:ebx, 4] => Expression[:ecx]
+		do_test_bd2 'mov [eax], ecx  add eax, 4', :eax => Expression[:eax, :+, 4], Indirection[[:eax, :+, -4], 4] => Expression[:ecx]
+		do_test_bd2 'mov [eax+4], ecx  add eax, 4', :eax => Expression[:eax, :+, 4], Indirection[:eax, 4] => Expression[:ecx]
+		do_test_bd2 'push 1  push 2', :esp => Expression[:esp, :+, -8], Indirection[:esp, 4] => Expression[2], Indirection[[:esp, :+, 4], 4] => Expression[1]
+	end
+end
+

data/tests/dynldr.rb

@@ -0,0 +1,35 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+require 'test/unit'
+require 'metasm'
+
+class TestDynldr < Test::Unit::TestCase
+
+	def test_dynldr
+		str = "1234"
+		d = Metasm::DynLdr
+		d.new_api_c('int memcpy(char*, char*, int)')
+		d.memcpy(str, "9999", 2)
+		assert_equal('9934', str)
+
+		c_src = <<EOS
+int sprintf(char*, char*, ...);
+void fufu(int i, char* ptr)
+{
+	sprintf(ptr, "lolzor %i\\n", i);
+}
+EOS
+		buf = 'aaaaaaaaaaaaaaaaaa'
+		d.new_func_c(c_src) { d.fufu(42, buf) }
+		assert_equal("lolzor 42\n\000aaaaaaa", buf)
+
+		if d.host_cpu.shortname == 'ia32'
+			ret = d.new_func_asm('int __fastcall bla(int)', "lea eax, [ecx+1]\nret") { d.bla(42) }
+			assert_equal(43, ret)
+			assert_equal(false, d.respond_to?(:bla))
+		end
+	end
+end

data/tests/encodeddata.rb

@@ -0,0 +1,132 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+require 'test/unit'
+require 'metasm/exe_format/shellcode'
+
+class TestEncodedData < Test::Unit::TestCase
+	def compile(src)
+		p = Metasm::Shellcode.assemble(Metasm::UnknownCPU.new(32, :little), src)
+		p.encoded
+	end
+
+	def test_basic
+		e = compile <<EOS
+toto db 42
+tutu db 48
+dd bla
+EOS
+		assert_equal(6, e.virtsize)
+		assert_equal(2, e.export.keys.length)
+		assert_equal(0, e.export['toto'])
+		assert_equal(1, e.reloc.keys.length)
+		assert_equal('bla', e.reloc[2].target.reduce.rexpr)
+	end
+
+	def test_slice
+		e = compile <<EOS
+db 4 dup(1)
+toto:
+db 4 dup(2)
+db 4 dup(?)
+foo:
+dd bla
+tutu:
+EOS
+		e1 = e[4, 8]
+		e2 = e[4..11]
+		e3 = e[4...12]
+		e4 = e['toto', 8]
+		e5 = e['toto'...'foo']
+		assert_equal([e1.data, e1.virtsize], [e2.data, e2.virtsize])
+		assert_equal([e1.data, e1.virtsize], [e3.data, e3.virtsize])
+		assert_equal([e1.data, e1.virtsize], [e4.data, e4.virtsize])
+		assert_equal([e1.data, e1.virtsize], [e5.data, e5.virtsize])
+		assert_equal(nil, e[53, 12])
+		assert_equal(2, e[2,  2].export['toto'])
+		assert_equal(4, e[0,  4].export['toto'])
+		assert_equal(1, e[0, 16].reloc.length)
+		assert_equal(0, e[0, 15].reloc.length)
+		assert_equal(0, e[13, 8].reloc.length)
+		assert_equal(1, e[12, 4].reloc.length)
+		assert_equal(16, e[0, 50].virtsize)
+		assert_equal(1, e[15, 50].virtsize)
+		e.align 5
+		assert_equal(20, e.virtsize)
+		e.align 5
+		assert_equal(20, e.virtsize)
+		e.fill 30
+		assert_equal(30, e.virtsize)
+	end
+
+	def test_slice2
+		e = compile <<EOS
+db '1'
+toto:
+.pad
+tutu:
+db '0'
+.offset toto+11
+EOS
+		assert_equal(12, e.virtsize)
+		assert_equal(11, e.export['tutu'])
+		e[1..10] = 'abcdefghij'
+		assert_equal(12, e.virtsize)
+		assert_equal(2, e.export.length)
+		e[1, 10] = 'jihgfedcba'
+		assert_equal(12, e.virtsize)
+		e[1...11] = 'abcdefghij'
+		assert_equal(12, e.virtsize)
+		e.patch('toto', 'tutu', 'xxx')
+		assert_equal('1xxxdefghij0', e.data)
+		e[1..10] = 'z'
+		assert_equal(3, e.virtsize)
+		assert_equal(2, e.export['tutu'])
+		assert_raise(Metasm::EncodeError) { e.patch('toto', 'tutu', 'toolong') }
+
+		e = compile <<EOS
+db '1'
+dd rel
+db '2'
+EOS
+		assert_equal(1, e.reloc.length)
+		assert_equal(1, e[1, 4].reloc.length)
+		assert_equal(1, e[1..4].reloc.length)
+		assert_equal(1, e[1...5].reloc.length)
+		assert_equal(0, e[2, 8].reloc.length)
+		assert_equal(0, e[1, 3].reloc.length)
+	end
+
+	def test_fixup
+		e = compile <<EOS
+db 1
+db toto + tata
+dd tutu
+EOS
+		assert_equal(2, e.reloc.length)
+		e.fixup!('toto' => 42)
+		assert_raise(Metasm::EncodeError) { e.fixup('tata' => 192349129) }
+		e.fixup('tata' => -12)
+		assert_equal(30.chr[0], e.data[1])
+		assert_equal(1, e.reloc.length)
+		assert_equal(2, e.offset_of_reloc('tutu'))
+		assert_equal(2, e.offset_of_reloc(Metasm::Expression[:+, 'tutu']))
+		e.fixup('tutu' => 1024)
+		assert_equal("\1\x1e\0\4\0\0", e.data)
+
+		ee = Metasm::Expression[:+, 'bla'].encode(:u16, :big)
+		ee.fixup('bla' => 1024)
+		assert_equal("\4\0", ee.data)
+		
+		eee = compile <<EOS
+db abc - def
+def:
+db 12 dup(?, 3 dup('x'))
+abc:
+EOS
+		assert_equal((12*4).chr[0], eee.data[0])
+	end
+end

data/tests/ia32.rb

@@ -0,0 +1,82 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+require 'test/unit'
+require 'metasm'
+
+class TestIa32 < Test::Unit::TestCase
+	@@cpu32 = Metasm::Ia32.new
+	@@cpu16 = Metasm::Ia32.new(16)
+	def assemble(src, cpu=@@cpu32)
+		Metasm::Shellcode.assemble(cpu, src).encode_string
+	end
+
+	def assert_equal(a, b) super(b, a) end
+
+	def test_basic
+		assert_equal(assemble("nop"), "\x90")
+		assert_equal(assemble("push eax"), "\x50")
+		assert_equal(assemble("push 2"), "\x6a\x02")
+		assert_equal(assemble("push 142"), "\x68\x8e\0\0\0")
+	end
+
+	def test_sz
+		assert_equal(assemble("dec eax"), "\x48")
+		assert_equal(assemble("dec ax"), "\x66\x48")
+		assert_equal(assemble("dec al"), "\xfe\xc8")
+		assert_equal(assemble("arpl [edi+70h], bp"), "cop")
+	end
+
+	def test_16
+		assert_equal(assemble("push 142", @@cpu16), "\x68\x8e\0")
+		assert_equal(assemble("code16 push 142", @@cpu16), "\x68\x8e\0")
+		assert_equal(assemble("code16 push 142"), "\x68\x8e\0")
+		assert_equal(assemble("push.i16 142"), "\x66\x68\x8e\0")
+		assert_equal(assemble("mov eax, 42"), "\xb8\x2a\0\0\0")
+		assert_equal(assemble("code16 mov ax, 42"), "\xb8\x2a\0")
+	end
+
+	def test_jmp
+		assert_equal(assemble("jmp $"), "\xeb\xfe")
+		assert_equal(assemble("jmp.i32 $"), "\xe9\xfb\xff\xff\xff")
+	end
+
+	def test_mrmsz
+		assert_equal(assemble("mov [eax], ebx"), "\x89\x18")
+		assert_equal(assemble("mov [eax], bl"), "\x88\x18")
+		assert_equal(assemble("mov ebx, [eax]"), "\x8b\x18")
+		assert_equal(assemble("mov bl, [eax]"), "\x8a\x18")
+		assert_equal(assemble("mov bl, [bx]"), "\x67\x8a\x1f")
+		assert_equal(assemble("mov bl, [bx]", @@cpu16), "\x8a\x1f")
+		assert_equal(assemble("code16 mov bl, [bx]"), "\x8a\x1f")
+		assert_equal(assemble("mov bl, [0]"), "\x8a\x1d\0\0\0\0")
+		assert_equal(assemble("mov.a16 bl, [0]"), "\x67\x8a\x1e\0\0")
+	end
+
+	def test_err
+		assert_raise(Metasm::ParseError) { assemble("add eax") }
+		assert_raise(Metasm::ParseError) { assemble("add add, ebx") }
+		assert_raise(Metasm::ParseError) { assemble("add 42, ebx") }
+		assert_raise(Metasm::ParseError) { assemble("add [bx+ax]") }
+	end
+
+	def test_C
+		src = "int bla(void) { volatile int i=0; return ++i; }"
+		assert_equal(Metasm::Shellcode.compile_c(@@cpu32, src).encode_string,
+				["5589E583EC04C745FC00000000FF45FC8B45FC89EC5DC3"].pack('H*'))
+	end
+
+	def disassemble(bin, cpu=@@cpu32)
+		Metasm::Shellcode.disassemble(cpu, bin)
+	end
+
+	def test_dasm
+		d = disassemble("\x90")
+		assert_equal(d.decoded[0].class, Metasm::DecodedInstruction)
+		assert_equal(d.decoded[0].opcode.name, "nop")
+	end
+
+end

data/tests/mips.rb

@@ -0,0 +1,116 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+require 'test/unit'
+require 'metasm'
+
+class TestMips < Test::Unit::TestCase
+
+	def test_enc
+		sc = Metasm::Shellcode.assemble(Metasm::MIPS.new(:big), <<EOS)
+;
+; MIPS nul-free xor decoder
+;
+; (C) 2006 Julien TINNES
+; <julien at cr0.org>
+;
+; The first four bytes in encoded shellcode must be the xor key
+; This means that you have to put the xor key right after
+; this xor decoder
+; This key will be considered part of the encoded shellcode
+; by this decoder and will be xored, thus becoming 4NULs, meaning nop
+;
+; This is Linux-only because I use the cacheflush system call
+;
+; You can use shellforge to assemble this, but be sure to discard all
+; the nul bytes at the end (everything after x01\\x4a\\x54\\x0c)
+;
+; change 2 bytes in the first instruction's opcode with the number of passes
+; the number of passes is the number of xor operations to apply, which should be
+; 1 (for the key) + the number of 4-bytes words you have in your shellcode
+; you must encode ~(number_of_passes + 1) (to ensure that you're nul-free)
+
+
+;.text
+;.align	2
+;.globl	main
+;.ent	main
+;.type		 main,@function
+
+main:
+
+	li	$14, -5			; 4 passes
+	nor	$14, $14, $0		; put number of passes in $14
+
+	li	$11,-73			; addend to calculated PC is 73
+;.set noreorder
+next:
+	bltzal  $8, next
+;.set reorder
+	slti	$8, $0, 0x8282
+	nor	$11, $11, $0		; addend in $9
+	addu	$25, $31, $11		; $25 points to encoded shellcode +4
+;	addu	$16, $31, $11		; $16 too (enable if you want to pass correct parameters to cacheflush
+
+;	lui	$2, 0xDDDD		; first part of the xor (old method)
+	slti	$23, $0, 0x8282 	; store 0 in $23 (our counter)
+;	ori	$17, $2, 0xDDDD 	; second part of the xor (old method)
+	lw	$17, -4($25)		; load xor key in $17
+
+
+	li	$13, -5
+	nor	$13, $13, $0		; 4 in $13
+
+	addi	$15, $13, -3		; 1 in $15
+loop:
+	lw	$8, -4($25)
+
+	addu	$23, $23, $15		; increment counter
+	xor	$3, $8, $17
+	sltu	$30, $23, $14		; enough loops?
+	sw	$3, -4($25)
+	addi	$6, $13, -1		; 3 in $6 (for cacheflush)
+	bne	$0, $30, loop
+	addu	$25, $25, $13		; next instruction to decode :)
+
+
+;	addiu	$4, $16, -4		; not checked by Linux
+;	li	$5,40			; not checked by Linux
+;	li	$6,3			; $6 is set above
+
+;	.set	noreorder
+	li	$2, 4147		; cacheflush
+	;.ascii "\\x01JT\\x0c"		; nul-free syscall
+	syscall 0x52950
+;	.set	reorder
+
+
+					; write last decoder opcode and decoded shellcode
+;	li	$4,1			; stdout
+;	addi	$5, $16, -8
+;	li	$6,40			; how much to write
+;	.set	noreorder
+;	li	$2, 4004		; write
+;	syscall
+;	.set	reorder
+
+
+	nop				; encoded shellcoded must be here (xor key right here ;)
+; $t9 (aka $25) points here
+EOS
+		# ruby19 string.encoding. What a wonderful feature!
+		# if we use a "\x<80 or more>", the encoding is 8bits
+		# '' << "\x80" => 8bits
+		# '' << 0x80 => ascii
+		# Edata.data is ascii for now, so this is needed to make the test work.
+		str = ''
+		"\x24\x0e\xff\xfb\x01\xc0\x70\x27\x24\x0b\xff\xb7\x05\x10\xff\xff\x28\x08\x82\x82\x01\x60\x58\x27\x03\xeb\xc8\x21\x28\x17\x82\x82\x8f\x31\xff\xfc\x24\x0d\xff\xfb\x01\xa0\x68\x27\x21\xaf\xff\xfd\x8f\x28\xff\xfc\x02\xef\xb8\x21\x01\x11\x18\x26\x02\xee\xf0\x2b\xaf\x23\xff\xfc\x21\xa6\xff\xff\x17\xc0\xff\xf9\x03\x2d\xc8\x21\x24\x02\x10\x33\x01\x4a\x54\x0c\0\0\0\0".each_byte { |b| str << b }
+		assert_equal(str, sc.encoded.data)
+
+		dasm_src = Metasm::Shellcode.disassemble(Metasm::MIPS.new(:big), sc.encoded.data).to_s
+		lines = dasm_src.respond_to?(:lines) ? dasm_src.lines : dasm_src.to_a
+		assert_equal(28, lines.grep(/\S/).length)
+	end
+end