metasm 1.0.1 → 1.0.2

data/samples/dasm-plugins/stringsxrefs.rb

@@ -0,0 +1,28 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+# metasm dasm plugin
+# walks all disassembled instructions referencing an address
+# if this address points a C string, show that in the instruction comments
+# esp. useful after a disassemble_fast
+
+def stringsxrefs(maxsz = 32)
+	@decoded.each_value { |di|
+		next if not di.kind_of?(DecodedInstruction)
+		di.instruction.args.grep(Expression).each { |e|
+			if str = decode_strz(e) and str.length >= 4 and str =~ /^[\x20-\x7e]*$/
+				di.add_comment str[0, maxsz].inspect
+				add_xref(normalize(e), Xref.new(:r, di.address, 1))
+			end
+		}
+	}
+	nil
+end
+
+if gui
+	stringsxrefs
+	gui.gui_update
+end

data/samples/dasmnavig.rb

@@ -115,7 +115,7 @@ class Viewer
 		$stdout.write Ansi::ClearScreen
 		begin
 			loop do
-				refresh if not s = IO.select([$stdin], nil, nil, 0)
+				refresh if not IO.select([$stdin], nil, nil, 0)
 				handle_key(Ansi.getkey)
 			end
 		ensure

data/samples/dbg-apihook.rb

@@ -17,6 +17,8 @@
 require 'metasm'
 
 class ApiHook
+	attr_accessor :dbg
+
 	# rewrite this function to list the hooks you want
 	# return an array of hashes
 	def setup
@@ -33,19 +35,31 @@ class ApiHook
 			raise 'no such process' if not process
 			dbg = process.debugger
 		end
-		dbg.loadallsyms
 		@dbg = dbg
-		setup.each { |h| setup_hook(h) }
-		init_prerun if respond_to?(:init_prerun)	# allow subclass to do stuff before main loop
-		@dbg.run_forever
+		begin
+			setup.each { |h| setup_hook(h) }
+			init_prerun if respond_to?(:init_prerun)	# allow subclass to do stuff before main loop
+			@dbg.run_forever
+		rescue Interrupt
+			@dbg.detach #rescue nil
+		end
 	end
 
 	# setup one function hook
 	def setup_hook(h)
+		@las ||= false
+		if not h[:lib] and not @las
+			@dbg.loadallsyms
+			@las = false
+		elsif h[:lib]
+			# avoid loadallsyms if specified (regexp against pathname, not exported lib name)
+			@dbg.loadsyms(h[:lib])
+		end
+
 		pre  =  "pre_#{h[:hookname] || h[:function]}"
 		post = "post_#{h[:hookname] || h[:function]}"
 
-		@nargs = h[:nargs] || method(pre).arity if respond_to?(pre)
+		nargs = h[:nargs] || method(pre).arity if respond_to?(pre)
 
 		if target = h[:address]
 		elsif target = h[:rva]
@@ -56,7 +70,8 @@ class ApiHook
 			target = h[:function]
 		end
 
-		@dbg.bpx(target) {
+		@dbg.bpx(target, false, h[:condition]) {
+			@nargs = nargs
 			catch(:finish) {
 				@cur_abi = h[:abi]
 				@ret_longlong = h[:ret_longlong]
@@ -206,7 +221,8 @@ class MyHook < ApiHook
 		#patch_retval(42)
 
 		# finish messing with the args: fake the nrofbyteswritten
-		handle, pbuf, size, pwritten, overlap = arglistcopy
+		#handle, pbuf, size, pwritten, overlap = arglistcopy
+		size, pwritten = arglistcopy.values_at(2, 3)
 		written = @dbg.memory_read_int(pwritten)
 		if written == size
 			# if written everything, patch the value so that the program dont detect our intervention
@@ -217,8 +233,7 @@ class MyHook < ApiHook
 	end
 end
 
-# name says it all
-Metasm::WinOS.get_debug_privilege
+Metasm::OS.current.get_debug_privilege if Metasm::OS.current.respond_to? :get_debug_privilege
 
 # run our Hook engine on a running 'notepad' instance
 MyHook.new('notepad')

data/samples/dbg-plugins/heapscan.rb

@@ -0,0 +1,283 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+# metasm debugger plugin
+# adds some heap_* functions to interract with the target heap chunks
+# functions:
+#  heap_scan, scan for malloc chunks in the heaps and xrefs between them
+#  heap_scanstruct, scan for arrays/linkedlists in the chunk graph
+#  heap_chunk [addr], display a chunk
+#  heap_array [addr], display an array of chunks from their root
+#  heap_list [addr], display a linkedlist
+#  heap_strscan [str], scan the memory for a raw string, display chunks xrefs
+#  heap_snap, make a snapshot of the currently displayed structure, hilight fields change
+
+
+# use precompiled native version when available
+$heapscan_dir = File.join(File.dirname(plugin_filename).gsub('\\', '/'), 'heapscan')
+require File.join($heapscan_dir, 'heapscan')
+
+fname = case OS.current.shortname
+when 'linos'
+	'compiled_heapscan_lin'
+when 'winos'
+	case OS.current.version[0]
+	when 5; 'compiled_heapscan_win'
+	when 6; 'compiled_heapscan_win7'
+	end
+end
+fname = File.join($heapscan_dir, fname)
+if not File.exist?(fname + '.so') and File.exist?(fname + '.c')
+	puts "compiling native scanner..."
+	exe = DynLdr.host_exe.compile_c_file(DynLdr.host_cpu, fname + '.c')
+	DynLdr.compile_binary_module_hack(exe)
+	exe.encode_file(fname + '.so', :lib)
+end
+require fname if File.exist?(fname + '.so')
+
+def heapscan_time(s='')
+	@heapscan_time ||= nil
+	t = Time.now
+	log s + ' %.2fs' % (t-@heapscan_time) if @heapscan_time and s != ''
+	@heapscan_time = t
+	Gui.main_iter if gui
+end
+
+def heap; @heap ; end
+def heap=(h) ; @heap = h ; end
+
+def heapscan_scan(xr=true)
+	heaps = []
+	mmaps = []
+	libc = nil
+	pr = os_process
+	pr.mappings.each { |a, l, p, f|
+		case f.to_s
+		when /heap/
+			heaps << [a, l]
+		when /libc[^a-zA-Z]/
+			libc ||= a if p == 'r-xp'
+		when ''
+			mmaps << [a, l]
+		end
+	}
+
+	heapscan_time ''
+	@disassembler.parse_c ''
+	if pr and OS.current.name =~ /winos/i
+		if OS.current.version[0] == 5
+			@heap = WindowsHeap.new(self)
+			@heap.cp = @disassembler.c_parser
+			@heap.cp.parse_file File.join($heapscan_dir, 'winheap.h') unless @heap.cp.toplevel.struct['_HEAP']
+		else
+			@heap = Windows7Heap.new(self)
+			@heap.cp = @disassembler.c_parser
+			@heap.cp.parse_file File.join($heapscan_dir, 'winheap7.h') unless @heap.cp.toplevel.struct['_HEAP']
+		end
+		@heap.heaps = heaps
+	else
+		@heap = LinuxHeap.new(self)
+		@heap.cp = @disassembler.c_parser
+		@heap.mmaps = mmaps
+		@heap.scan_libc(libc)
+		heapscan_time "libc!main_arena #{'%x' % @heap.main_arena_ptr}"
+	end
+
+	hsz = 0
+	(heaps + mmaps).each { |a, l|
+		hsz += l
+		@heap.range.update a => l
+	}
+
+	log "#{hsz/1024/1024}M heap"
+
+	@heap.scan_chunks
+	heapscan_time "#{@heap.chunks.length} chunks"
+	return if not xr
+
+	@heap.scan_chunks_xr
+	heapscan_time "#{@heap.xrchunksto.length} src, #{@heap.xrchunksfrom.length} dst"
+end
+
+def heapscan_structs
+	heapscan_time
+	@heap.bucketize
+	heapscan_time "#{@heap.buckets.length} buckets"
+
+	@heap.find_arrays
+	heapscan_time "#{@heap.allarrays.length} arrays (#{@heap.allarrays.flatten.length} elems)"
+
+	@heap.find_linkedlists
+	heapscan_time "#{@heap.alllists.length} lists (#{@heap.alllists.flatten.length} elems)"
+end
+
+def heapscan_kernels
+	heapscan_time
+	@heap.find_kernels
+	heapscan_time "#{@heap.kernels.length} kernels"
+end
+
+def heapscan_roots
+	heapscan_time
+	@heap.find_roots
+	heapscan_time "#{@heap.roots.length} roots"
+end
+
+def heapscan_graph
+	heapscan_time
+	@heap.dump_graph
+	heapscan_time 'graph.gv'
+end
+
+def gui_show_list(addr)
+	a = resolve(addr)
+	#@heap.cp.parse("struct ptr { void *ptr; };") if not @heap.cp.toplevel.struct['ptr']
+	h = @heap.linkedlists[a]
+	off = h.keys.first
+	lst = h[off]
+
+	if not st = lst.map { |l| @heap.chunk_struct[l] }.compact.first
+		st = Metasm::C::Struct.new
+		st.name = "list_#{'%x' % lst.first}"
+		st.members = []
+		(@heap.chunks[lst.first] / 4).times { |i|
+			n = "u#{i}"
+			t = Metasm::C::BaseType.new(:int)
+			if i == off/4
+				n = "next"
+				t = Metasm::C::Pointer.new(st)
+			end
+			st.members << Metasm::C::Variable.new(n, t)
+		}
+		@heap.cp.toplevel.struct[st.name] = st
+	end
+	lst.each { |l| @heap.chunk_struct[l] = st }
+
+	$ghw.addr_struct = {}
+	lst.each { |aa|
+		$ghw.addr_struct[aa] = @heap.cp.decode_c_struct(st.name, @memory, aa)
+	}
+	gui.parent_widget.mem.focus_addr(lst.first, :graphheap)
+end
+
+def gui_show_array(addr)
+	head = resolve(addr)
+	e = @heap.xrchunksto[head].to_a.find { |ee| @heap.arrays[ee] and @heap.arrays[ee][head] }
+	return if not e
+	lst = @heap.arrays[e][head]
+
+	if not st = @heap.chunk_struct[head]
+		st = Metasm::C::Struct.new
+		st.name = "array_#{'%x' % head}"
+		st.members = []
+		(@heap.chunks[head] / 4).times { |i|
+			n = "u#{i}"
+			v = @memory[head+4*i, 4].unpack('L').first
+			if @heap.chunks[v]
+				t = Metasm::C::Pointer.new(Metasm::C::BaseType.new(:void))
+			else
+				t = Metasm::C::BaseType.new(:int)
+			end
+			st.members << Metasm::C::Variable.new(n, t)
+		}
+		@heap.cp.toplevel.struct[st.name] ||= st
+	end
+	@heap.chunk_struct[head] = st
+
+	$ghw.addr_struct = { head => @heap.cp.decode_c_struct(st.name, @memory, head) }
+
+	if not st = lst.map { |l| @heap.chunk_struct[l] }.compact.first
+		e = lst.first
+		st = Metasm::C::Struct.new
+		st.name = "elem_#{'%x' % head}"
+		st.members = []
+		(@heap.chunks[e] / 4).times { |i|
+			n = "u#{i}"
+			v = @memory[e+4*i, 4].unpack('L').first
+			if @heap.chunks[v]
+				t = Metasm::C::Pointer.new(Metasm::C::BaseType.new(:void))
+			else
+				t = Metasm::C::BaseType.new(:int)
+			end
+			st.members << Metasm::C::Variable.new(n, t)
+		}
+		@heap.cp.toplevel.struct[st.name] ||= st
+	end
+	lst.each { |l| @heap.chunk_struct[l] = st }
+
+	lst.each { |aa|
+		$ghw.addr_struct[aa] = @heap.cp.decode_c_struct(st.name, @memory, aa)
+	}
+	gui.parent_widget.mem.focus_addr(head, :graphheap)
+end
+
+
+if gui
+	require File.join($heapscan_dir, 'graphheap')
+	$ghw = Metasm::Gui::GraphHeapWidget.new(@disassembler, gui.parent_widget.mem)
+	gui.parent_widget.mem.addview :graphheap, $ghw
+	$ghw.show if $ghw.respond_to?(:show)
+
+	gui.new_command('heap_scan', 'scan the heap(s)') { |*a| heapscan_scan ; $ghw.heap = @heap }
+	gui.new_command('heap_scan_noxr', 'scan the heap(s), no xrefs') { |*a| heapscan_scan(false) ; $ghw.heap = @heap }
+	gui.new_command('heap_scan_xronly', 'scan the heap(s) for xrefs') { |*a| $ghw.heap.scan_chunks_xr }
+	gui.new_command('heap_scanstructs', 'scan the heap for arrays/lists') { |*a| heapscan_structs }
+	gui.new_command('heap_list', 'show a linked list') { |a|
+		if a.to_s != ''
+			gui_show_list(a)
+		else
+			l = [['addr', 'len']]
+			@heap.alllists.each { |al|
+				l << [Expression[al.first], al.length]
+			}
+			gui.listwindow('lists', l) { |*aa| gui_show_list(aa[0][0]) }
+		end
+	}
+	gui.new_command('heap_array', 'show an array') { |a|
+		if a.to_s != ''
+			gui_show_array(a)
+		else
+			l = [['addr', 'len']]
+			@heap.allarrays.each { |al|
+				l << [Expression[al.first], al.length]
+			}
+			gui.listwindow('arrays', l) { |*aa| gui_show_array(aa[0][0]) }
+		end
+	}
+	gui.new_command('heap_chunk', 'show a chunk') { |a|
+		a = resolve(a)
+		gui.parent_widget.mem.focus_addr(a, :graphheap)
+		$ghw.do_focus_addr(a)
+	}
+	gui.new_command('heap_strscan', 'scan a string') { |a|
+		sa = pattern_scan(a)
+		log "found #{sa.length} strings : #{sa.map { |aa| Expression[aa] }.join(' ')}"
+		sa.each { |aa|
+			next if not ck = @heap.find_chunk(aa)
+			log "ptr #{Expression[aa]} in chunk #{Expression[ck]} (#{Expression[@heap.chunks[ck]]}) in list #{@heap.linkedlists && @heap.linkedlists[ck] && true} in array #{@heap.arrays[ck].map { |k, v| "#{Expression[k]} (#{v.length})" }.join(', ') if @heap.arrays and @heap.arrays[ck]}"
+		}
+	}
+	gui.new_command('heap_ptrscan', 'scan a pointer') { |a|
+		a = resolve(a)
+		if @heap.chunks[a]
+			pa = @heap.xrchunksfrom[a].to_a
+		else
+			pa = pattern_scan(Expression.encode_imm(a, @cpu.size/8, @cpu.endianness))
+		end
+		log "found #{pa.length} pointers : #{pa.map { |aa| Expression[aa] }.join(' ')}"
+		pa.each { |aa|
+			next if not ck = @heap.find_chunk(aa)
+			log "ptr @#{Expression[aa]} in chunk #{Expression[ck]} (#{Expression[@heap.chunks[ck]]}) in list #{@heap.linkedlists && @heap.linkedlists[ck] && true} in array #{@heap.arrays[ck].map { |k, v| "#{Expression[k]} (#{v.length})" }.join(', ') if @heap.arrays and @heap.arrays[ck]}"
+		}
+	}
+
+	gui.new_command('heap_snap', 'snapshot the current heap struct') { |a|
+		$ghw.snap
+	}
+	gui.new_command('heap_snap_add', 'snapshot, ignore fields changed between now and last snap') { |a|
+		$ghw.snap_add
+	}
+end

data/samples/dbg-plugins/heapscan/compiled_heapscan_lin.c

@@ -0,0 +1,155 @@
+#ifdef __ELF__
+asm .pt_gnu_stack rw;
+#endif
+typedef uintptr_t VALUE;
+static VALUE const_File;
+static VALUE const_LinuxHeap;
+VALUE rb_ary_new(void);
+VALUE rb_ary_push(VALUE, VALUE);
+extern VALUE *rb_cObject __attribute__((import));
+VALUE rb_const_get(VALUE, VALUE);
+void rb_define_method(VALUE, char*, VALUE(*)(), int);
+VALUE rb_funcall(VALUE recv, unsigned int id, int nargs, ...);
+VALUE rb_gv_get(const char*);
+VALUE rb_intern(char*);
+VALUE rb_ivar_get(VALUE, unsigned int);
+VALUE rb_iv_get(VALUE, char*);
+void *rb_method_node(VALUE, unsigned int);
+VALUE rb_obj_as_string(VALUE);
+VALUE rb_str_append(VALUE, VALUE);
+VALUE rb_str_cat2(VALUE, const char*);
+VALUE rb_str_new2(const char*);
+VALUE rb_hash_aset(VALUE, VALUE, VALUE);
+VALUE rb_hash_aref(VALUE, VALUE);
+VALUE rb_uint2inum(VALUE);
+VALUE rb_num2ulong(VALUE);
+char *rb_string_value_ptr(VALUE*);
+
+
+int printf(char*, ...);
+
+static VALUE heap_entry(void *heap, VALUE idx, VALUE psz)
+{
+	if (psz == 4)
+		return (VALUE)(((__int32*)heap)[idx]);
+	return (VALUE)(((__int64*)heap)[idx]);
+}
+
+static VALUE m_LinuxHeap23scan_heap(VALUE self, VALUE vbase, VALUE vlen, VALUE ar)
+{
+	VALUE *heap;
+	VALUE chunks;
+	VALUE base = rb_num2ulong(vbase);
+	VALUE len = vlen >> 1;
+	VALUE sz, clen;
+	VALUE page;
+	VALUE psz = rb_iv_get(self, "@ptsz") >> 1;
+	VALUE ptr = 0;
+
+	chunks = rb_iv_get(self, "@chunks");
+	page = rb_funcall(self, rb_intern("pagecache"), 2, vbase, vlen);
+	heap = rb_string_value_ptr(&page);
+
+	sz = heap_entry(heap, 1, psz);
+	if (heap_entry(heap, 0, psz) != 0 || (sz & 1) != 1)
+		return 4;
+
+	base += 8;
+
+	for (;;) {
+		clen = sz & -8;
+		ptr += clen/psz;
+		if (ptr >= len/psz || clen == 0)
+			break;
+		
+		sz = heap_entry(heap, ptr+1, psz);
+		if (sz & 1)
+			rb_hash_aset(chunks, rb_uint2inum(base), ((clen-psz)<<1)|1);
+		base += clen;
+	}
+
+	rb_funcall(self, rb_intern("del_fastbin"), 1, ar);
+
+	return 4;
+}
+
+
+
+static VALUE m_LinuxHeap23scan_heap_xr(VALUE self, VALUE vbase, VALUE vlen)
+{
+	VALUE *heap;
+	VALUE chunks, xrchunksto, xrchunksfrom;
+	VALUE psz = rb_iv_get(self, "@ptsz") >> 1;
+	VALUE base = rb_num2ulong(vbase) + 2*psz;
+	VALUE len = vlen >> 1;
+	VALUE sz, clen;
+	VALUE page;
+
+	chunks = rb_iv_get(self, "@chunks");
+	xrchunksto = rb_iv_get(self, "@xrchunksto");
+	xrchunksfrom = rb_iv_get(self, "@xrchunksfrom");
+	page = rb_funcall(self, rb_intern("pagecache"), 2, vbase, vlen);
+	heap = rb_string_value_ptr(&page);
+
+	sz = heap_entry(heap, 1, psz);
+	if (heap_entry(heap, 0, psz) != 0 || (sz & 1) != 1)
+		return 4;
+
+	/* re-walk the heap, simpler than iterating over @chunks */
+	VALUE ptr = 0;
+	VALUE ptr0, ptrl;
+	for (;;) {
+		clen = sz & -8;
+		ptr0 = ptr+2;
+		ptrl = clen/psz-1;
+		ptr += clen/psz;
+		if (ptr >= len/psz || clen == 0)
+			break;
+		
+		sz = heap_entry(heap, ptr+1, psz);
+		if ((sz & 1) &&
+		    ((rb_hash_aref(chunks, rb_uint2inum(base))|4) != 4)) {
+			VALUE tabto = 0;
+			VALUE tabfrom;
+			while (ptrl--) {
+				VALUE p = heap_entry(heap, ptr0++, psz);
+				//if (p == base)	// ignore self-references
+				//	continue;
+				if ((rb_hash_aref(chunks, rb_uint2inum(p))|4) != 4) {
+					if (!tabto) {
+						tabto = rb_ary_new();
+						rb_hash_aset(xrchunksto, rb_uint2inum(base), tabto);
+					}
+					rb_ary_push(tabto, rb_uint2inum(p));
+
+					tabfrom = rb_hash_aref(xrchunksfrom, rb_uint2inum(p));
+					if ((tabfrom|4) == 4) {
+						tabfrom = rb_ary_new();
+						rb_hash_aset(xrchunksfrom, rb_uint2inum(p), tabfrom);
+					}
+					rb_ary_push(tabfrom, rb_uint2inum(base));
+				}
+			}
+		}
+		base += clen;
+	}
+	return 4;
+}
+
+
+
+static void do_init_once(void)
+{
+	const_LinuxHeap = rb_const_get(*rb_cObject, rb_intern("Metasm"));
+	const_LinuxHeap = rb_const_get(const_LinuxHeap, rb_intern("LinuxHeap"));
+	rb_define_method(const_LinuxHeap, "scan_heap", m_LinuxHeap23scan_heap, 3);
+	rb_define_method(const_LinuxHeap, "scan_heap_xr", m_LinuxHeap23scan_heap_xr, 2);
+}
+
+
+
+int Init_compiled_heapscan_lin __attribute__((export))(void)
+{
+	do_init_once();
+	return 0;
+}