metasm 1.0.1 → 1.0.2

data/samples/dasm-plugins/hl_opcode.rb

@@ -0,0 +1,32 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+# metasm dasm GUI plugin: hilight lines of code based on the opcode name
+if gui
+	@gui_opcode_color = {
+		:call => :green_bg,
+		:jmp  => :red_bg,
+		:jcc  => :orange_bg,
+	}
+
+	obg = gui.bg_color_callback	# chain old callback
+	gui.bg_color_callback = lambda { |a|
+		if di = di_at(a) and pr = di.opcode.props
+			if pr[:saveip] and (@function[di.block.to_normal.to_a.first] or di.block.to_subfuncret.to_a.first)
+				# don't color call+pop
+				@gui_opcode_color[:call]
+			elsif pr[:stopexec]
+				@gui_opcode_color[:jmp]
+			elsif pr[:setip]
+				@gui_opcode_color[:jcc]
+			else
+				obg[a] if obg
+			end
+		else
+			obg[a] if obg
+		end
+	}
+end

data/samples/dasm-plugins/hotfix_gtk_dbg.rb

@@ -0,0 +1,19 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+#
+# This plugin will create a monitoring process running samples/hotfix_gtk_dbg.rb on the current process (to fix a GTK crash when closing a window)
+#
+
+mypid = Process.pid
+
+if (!Process.fork)
+	ARGV.clear
+	ARGV << mypid
+	$VERBOSE = false
+	Kernel.load File.join(Metasmdir, 'samples', 'hotfix_gtk_dbg.rb')
+	exit!
+end

data/samples/dasm-plugins/imm2off.rb

@@ -0,0 +1,34 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+# metasm dasm plugin
+# walks all disassembled instructions referencing an address
+# if the address is a label, update the instruction to use the label
+# esp. useful after a disassemble_fast, with a .map file
+
+def addrtolabel
+	bp = prog_binding.invert
+	@decoded.each_value { |di|
+		next if not di.kind_of?(DecodedInstruction)
+		di.each_expr { |e|
+			next unless e.kind_of?(Expression)
+			if l = bp[e.lexpr]
+				add_xref(e.lexpr, Xref.new(:addr, di.address))
+				e.lexpr = Expression[l]
+			end
+			if l = bp[e.rexpr]
+				add_xref(e.rexpr, Xref.new(:addr, di.address))
+				e.rexpr = (e.lexpr ? Expression[l] : l)
+			end
+		}
+	}
+	nil
+end
+
+if gui
+	addrtolabel
+	gui.gui_update
+end

data/samples/dasm-plugins/match_libsigs.rb

@@ -0,0 +1,93 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+# metasm dasm plugin: allow loading library signature files (see samples/generate_libsigs.rb)
+
+class LibSignature
+attr_accessor :sigs, :siglenmax, :giantregex
+# load signatures from a signature file
+def initialize(file)
+	# hash symbolname => signature
+	@sigs = {}
+
+	# populate sigs
+	symname = nil
+	sig = ''
+	File.read(file).each_line { |l|
+		case l
+		when /^ /
+			sig << l.strip
+		else
+			@sigs[symname] = sig
+			symname = l.strip
+			sig = ''
+		end
+	}
+	@sigs[symname] = sig
+	@sigs.delete nil
+	@siglenmax = @sigs.values.map { |v| v.length }.max
+
+	# compile a giant regex from the signatures
+	re = @sigs.values.uniq.map { |sigh|
+		sigh.gsub(/../) { |b| b == '..' ? '.' : ('\\x' + b) }
+	}.join('|')
+
+	# 'n' is a magic flag to allow high bytes in the regex (ruby1.9 + utfail)
+	@giantregex = Regexp.new re, Regexp::MULTILINE, 'n'
+end
+
+# we found a match on str at off, identify the specific symbol that matched
+# on conflict, only return the first match
+def matched_findsym(str, off)
+	str = str[off, @siglenmax].unpack('H*').first
+	@sigs.find { |sym, sig| str =~ /^#{sig}/i }[0]
+end
+
+# matches the signatures against a raw string
+# yields offset, symname for each match
+# returns nr of matches found
+def match_chunk(str)
+	count = 0
+	off = 0
+	while o = (str[off..-1] =~ @giantregex)
+		count += 1
+		off += o
+		sym = matched_findsym(str, off)
+		yield off, sym
+		off += 1
+	end
+	count
+end
+
+# matches the signatures against a big raw string
+# yields offset, symname for each match
+# returns nr of matches found
+def match(str)
+	chunksz = 1 << 20
+
+	chunkoff = 0
+	count = 0
+	while chunkoff < str.length
+		chunk = str[chunkoff, chunksz+@siglenmax]
+		count += match_chunk(chunk) { |o, sym| yield chunkoff+o, sym if o < chunksz }
+		chunkoff += chunksz
+	end
+	count
+end
+end
+
+def match_libsigs(sigfile)
+	ls = LibSignature.new(sigfile)
+	count = 0
+	@sections.each { |b, s|
+		count += ls.match(s.data) { |off, sym| set_label_at(b+off, sym) }
+	}
+	count
+end
+
+if gui
+	gui.openfile('signature file to load') { |f| gui.messagebox "#{match_libsigs(f)} signatures found" }
+end

data/samples/dasm-plugins/patch_file.rb

@@ -0,0 +1,95 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+# metasm dasm plugin: allow patching the file from the dasm interface
+# use P to assemble a new instruction at the current address
+
+# backup the executable file
+def backup_program_file
+	f = @program.filename
+	if File.exist?(f) and not File.exist?(f + '.bak')
+		File.open(f + '.bak', 'wb') { |wfd|
+			File.open(f, 'rb') { |rfd|
+				while buf = rfd.read(1024*1024)
+					wfd.write buf
+				end
+			}
+		}
+	end
+end
+
+# create a backup and reopen the backend VirtualFile RW
+def reopen_rw(addr=nil, edata=nil)
+	if not edata
+		sections.each { |k, v| reopen_rw(k, v) }
+		return true
+	end
+
+	return if not File.writable?(@program.filename)
+	backup_program_file
+	if not edata.data.kind_of? VirtualFile
+		# section too small, loaded as real String
+		# force reopen as VFile (allow hexediting in gui)
+		return if not off = addr_to_fileoff(addr)
+		len = edata.data.length
+		edata.data = VirtualFile.read(@program.filename, 'rb+').dup(off, len)
+	else
+		edata.data.fd.reopen @program.filename, 'rb+'
+	end
+end
+
+raise "cant find original file" if not @program.filename or not File.exist? @program.filename
+
+reopen_rw
+
+def patch_instrs(addr, asmsrc)
+	sc = Metasm::Shellcode.new(cpu, addr)	# pfx needed for autorequire
+	sc.assemble(asmsrc, cpu)
+	sc.encoded.fixup! prog_binding	# allow references to dasm labels in the shellcode
+	raw = sc.encode_string
+
+	if s = get_section_at(addr) and s[0].data.kind_of? VirtualFile
+		s[0][s[0].ptr, raw.length] = raw
+	elsif o = addr_to_fileoff(addr)	# section too small, not loaded as a VirtFile
+		backup_program_file
+		File.open(@program.filename, 'rb+') { |fd|
+			fd.pos = o
+			fd.write raw
+		}
+		s[0][s[0].ptr, raw.length] = raw if s
+	else
+		return
+	end
+
+	b = split_block(addr)
+
+	# clear what we had in the rewritten space
+	raw.length.times { |rawoff|
+		next if not di = di_at(addr+rawoff)
+		di.block.list.each { |ldi| @decoded.delete ldi.address }
+	}
+
+	disassemble_fast(addr) if b
+	if b and @decoded[addr]
+		nb = @decoded[addr].block
+		nb.from_normal = b.from_normal
+		nb.from_subfuncret = b.from_subfuncret
+		nb.from_indirect = b.from_indirect
+	end
+	true
+end
+
+if gui
+	gui.keyboard_callback[?P] = lambda { |k|
+		addr = gui.curaddr
+		gui.inputbox('new instructions') { |src|
+			src = src.gsub(/;\s+/, "\n")
+			patch_instrs(addr, src)
+			gui.gui_update
+		}
+		true
+	}
+end

data/samples/dasm-plugins/scanfuncstart.rb

@@ -0,0 +1,36 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+# metasm dasm plugin: scan the memory for a 'ret' which could indicate the beginning of the current function
+# (x86 only)
+def scanfuncstart(addr)
+	if o = (1..16).find { |off| @decoded[addr-off].kind_of? DecodedInstruction } and @decoded[addr-o].bin_length == o
+		addr -= o
+	end
+	if @decoded[addr].kind_of? DecodedInstruction
+		fs = find_function_start(addr)
+		return fs if fs != addr
+	end
+	edata = get_edata_at(addr)
+	if o = (1..1000).find { |off|
+		@decoded[addr-off-1] or
+		edata.data[edata.ptr-off-1] == ?\xcc or
+		edata.data[edata.ptr-off-1] == ?\xc3 or
+		edata.data[edata.ptr-off-3] == ?\xc2
+	}
+		o -= @decoded[addr-o-1].bin_length-1 if @decoded[addr-o-1].kind_of? DecodedInstruction
+		addr-o
+	end
+end
+
+if gui
+	gui.keyboard_callback_ctrl[?P] = lambda { |*a|
+		if o = scanfuncstart(gui.curaddr)
+			gui.focus_addr(o)
+		end
+		true
+	}
+end

data/samples/dasm-plugins/scanxrefs.rb

@@ -0,0 +1,26 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+# metasm dasm plugin: scan for xrefs to the target address, incl. relative offsets (eg near call/jmp)
+def scanxrefs(target)
+	ans = []
+	sections.sort.each { |s_addr, edata|
+		raw = edata.data.to_str
+		(0..raw.length-4).each { |off|
+			r = raw[off, 4].unpack('V').first
+			ans << (s_addr + off) if (r + off+4 + s_addr)&0xffffffff == target or r == target
+		}
+	}
+	ans
+end
+
+gui.keyboard_callback[?X] = lambda { |*a|
+	target = gui.curaddr
+	ans = scanxrefs(target)
+	list = [['addr']] + ans.map { |off| [Expression[off].to_s] }
+	gui.listwindow("scanned xrefs to #{Expression[target]}", list) { |i| gui.focus_addr i[0] }
+	true
+} if gui

data/samples/dasm-plugins/selfmodify.rb

@@ -0,0 +1,197 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+#
+# This file tries to handle simple self-modifying code patterns
+# To be used as a --plugin for a Disassembler object
+#
+
+module SMC
+
+# a copy-on-write copy of dasm address space (continuous segment only)
+class CoWData
+	attr_accessor :startaddr, :data
+	def initialize(dasm)
+		@dasm = dasm
+		@startaddr = 0
+		@data = ''
+	end
+
+	# return a substring, either from the local cache or from dasm
+	# handles overlap
+	def [](addr, len)
+		if @data.empty?
+			s, e = @dasm.get_section_at(addr)
+			return if not s
+			return s.read(len)
+		end
+		raddr = addr - @base
+		rstart = @startaddr - @base
+		if raddr >= rstart and raddr+len <= rstart+@data.length
+			@data[0, raddr+len-rstart]
+		else
+			s, e = @dasm.get_section_at(addr)
+			return if not s
+			obuf = s.read(len)
+			len = obuf.length
+			if raddr < rstart and raddr+len > rstart
+				olen = [raddr+len-rstart, @data.length].min
+				obuf[rstart-raddr, olen] = @data[0, olen]
+			elsif raddr < rstart+@data.length and raddr+len > rstart+@data.length
+				obuf[0, rstart+@data.length-raddr] = @data[raddr-rstart, rstart+@data.length-raddr]
+			end
+			obuf
+		end
+	end
+
+	# set a substring value in the cache
+	def []=(addr, len, newdata)
+		raise 'len mismatch' if len != newdata.length
+		if @data.empty?
+			@base = @startaddr = addr
+			@data << newdata
+			return
+		end
+		raddr = addr - @base
+		rstart = @startaddr - @base
+		if raddr+newdata.length < rstart
+			s, e = @dasm.get_section_at(addr)
+			raise if not s
+			obuf = s.read(rstart-(raddr+newdata.length))
+			raise if obuf.length != rstart-(raddr+newdata.length)
+			newdata += obuf
+		elsif raddr > rstart+@data.length
+			s, e = @dasm.get_section_at(@startaddr+@data.length)
+			raise if not s
+			obuf = s.read(raddr-(rstart+@data.length))
+			raise if obuf.length != raddr-(rstart+@data.length)
+			@data += obuf
+		end
+		if raddr < rstart
+			@data = newdata + @data[raddr+newdata.length-rstart..-1].to_s
+			@startaddr = addr
+		else
+			@data[raddr-rstart, newdata.length] = newdata
+		end
+	end
+end
+
+VirtSections = {}
+
+# try to emulate the byte modifications
+# creates a new virtual section in dasm holding decoded data
+# adds the virtual section to the dasm, stores the addresses in VirtSections[dasm]
+# returns true if successful
+def self.emu(dasm, addr)
+	puts "emulate SMC @#{Metasm::Expression[addr]}" if $VERBOSE
+
+	writer = nil
+	dasm.each_xref(addr, :w) { |xr| writer = xr.origin }
+	return if not dasm.di_at(writer)
+
+	a_pre, a_entry, a_cond, a_out, loop_bd = find_loop(dasm, writer)
+	return if not a_pre
+
+	# expression checking if we get out of the loop
+	loop_again_cond = dasm.cpu.get_jump_condition(dasm.decoded[a_cond])
+	loop_again_cond = Expression[:'!', loop_again_cond] if dasm.decoded[a_cond].next_addr != a_out
+
+	init_bd = {}
+	loop_bd.keys.grep(Symbol).each { |reg|
+		bt = dasm.backtrace(reg, a_pre, :include_start => true)
+		init_bd[reg] = bt.first if bt.length == 1 and bt.first != Metasm::Expression::Unknown and bt.first != Metasm::Expression[reg]
+	}
+
+	# reject non-determinist memory write
+	loop_bd.delete_if { |k, v| k.kind_of? Metasm::Indirection and not dasm.get_section_at(k.pointer.bind(init_bd).reduce) }
+
+	cow_data = CoWData.new(dasm)
+
+	puts "emulation running..." if $VERBOSE
+	pre_bd = init_bd
+	loop do
+		# the effects of the loop
+		post_bd = loop_bd.inject({}) { |bd, (k, v)|
+	       		if k.kind_of? Metasm::Indirection
+				k = k.bind(pre_bd).reduce_rec
+				raise "bad ptr #{k}" if not dasm.get_section_at(k.pointer.reduce)
+			end
+		       	bd.update k => Metasm::Expression[v.bind(pre_bd).reduce]
+		}
+
+		# the indirections used by the loop
+		# read mem from cow_data
+		# ignores stacked indirections & keys
+		ind_bd = {}
+		post_bd.values.map { |v| v.expr_indirections }.flatten.uniq.each { |ind|
+			p = ind.pointer.reduce
+			raise "bad loop read #{ind}" if not p.kind_of? Integer
+			ind_bd[ind] = Metasm::Expression.decode_imm(cow_data[p, ind.len], "u#{ind.len*8}".to_sym, dasm.cpu.endianness)
+		}
+
+		post_bd.each { |k, v|
+			next if not k.kind_of? Metasm::Indirection
+			cow_data[k.pointer.reduce, k.len] = Metasm::Expression.encode_imm(v.bind(ind_bd).reduce, "u#{k.len*8}".to_sym, dasm.cpu.endianness)
+		}
+
+		break if loop_again_cond.bind(post_bd).reduce == 0
+
+		pre_bd = post_bd
+		pre_bd.delete_if { |k, v| not k.kind_of? Symbol }
+	end
+
+	puts "emulation done (#{cow_data.data.length} bytes)" if $VERBOSE
+
+	VirtSections[dasm] ||= {}
+	newbase = "smc#{VirtSections[dasm].length}"
+	VirtSections[dasm][addr] = newbase
+	dasm.add_section(Metasm::EncodedData.new(cow_data.data), newbase)
+	dasm.comment[Metasm::Expression[newbase]] = "SelfModifyingCode from #{dasm.decoded[writer]}"
+
+	true
+end
+
+# find the loop containing addr
+# only trivial loops handled
+# returns [loop start, last instr before loop, loop conditionnal jump, 1st instr after loop, loop binding]
+def self.find_loop(dasm, addr)
+	b = dasm.decoded[addr].block
+	return if not b.to_normal.to_a.include? b.address
+	b1 = b2 = b
+
+	pre = (b1.from_normal - [b2.list.last.address]).first
+	first = b1.address
+	last = b2.list.last.address
+	post = (b2.to_normal - [b1.address]).first
+	loop_bd = dasm.code_binding(first, post)
+
+	[pre, first, last, post, loop_bd]
+end
+
+# redirects the code flow from addr to the decoded section
+def self.redirect(dasm, addr)
+	return if not VirtSections[dasm] or not newto = Metasm::Expression[VirtSections[dasm][addr]]
+	dasm.each_instructionblock { |b|
+		next if not b.to_normal.to_a.include? addr
+		b.to_normal.map! { |tn| dasm.normalize(tn) == addr ? newto : tn }
+		dasm.add_xref(newto, Metasm::Xref.new(:x, b.list.last.address))
+		b.list.last.add_comment "x:#{newto}"
+		dasm.addrs_todo << [newto, b.list.last.address]
+	}
+end
+end
+
+if self.kind_of? Metasm::Disassembler
+# setup the smc callbacks
+dasm = self
+list = []
+dasm.callback_selfmodifying = lambda { |addr| list << addr }
+dasm.callback_finished = lambda {
+	while addr = list.pop
+		SMC.emu(dasm, addr) and SMC.redirect(dasm, addr)
+	end
+}
+end