metasm 1.0.1 → 1.0.2

data/samples/dbg-plugins/trace_func.rb

@@ -0,0 +1,214 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+# metasm debugger plugin
+# adds a 'trace_func' method to the debugger
+# the methods sets a breakpoint at the beginning of a function, and logs the execution of the instruction blocks
+# does not descend in subfunctions
+
+# setup the initial breakpoint at func start
+def trace_func(addr, oneshot = false)
+	@trace_terminate = false
+	# distinguish different hits on the same function entry
+	counter = 0
+	bp = bpx(addr, oneshot) {
+		counter += 1
+		id = [disassembler.normalize(addr), counter, func_retaddr]
+		trace_func_newtrace(id)
+		trace_func_block(id)
+		continue
+	}
+	if addr == pc
+		del_bp bp if oneshot
+		bp.action.call
+	end
+end
+
+# start tracing now, and stop only when @trace_terminate is set
+def trace
+	@trace_subfuncs = true
+	@trace_terminate = false
+	id = [pc, 0, 0]
+	trace_func_newtrace(id)
+	trace_func_block(id)
+	continue
+end
+
+# we hit the beginning of a block we want to trace
+def trace_func_block(id)
+	blockaddr = pc
+	if b = trace_get_block(blockaddr)
+		trace_func_add_block(id, blockaddr)
+		if b.list.length == 1
+			trace_func_blockend(id, blockaddr)
+		else
+			bpx(b.list.last.address, true) {
+				finished = trace_func_blockend(id, blockaddr)
+				continue if not finished
+			}
+		end
+	else
+		# invalid opcode ?
+		trace_func_blockend(id, blockaddr)
+	end
+end
+
+# we are at the end of a traced block, find whats next
+def trace_func_blockend(id, blockaddr)
+	if di = disassembler.di_at(pc)
+		if end_stepout(di) and trace_func_istraceend(id, di)
+			# trace ends there
+			trace_func_finish(id)
+			return true
+		elsif di.opcode.props[:saveip] and not trace_func_entersubfunc(id, di)
+			# call to a subfunction
+			bpx(di.next_addr, true) {
+				trace_func_block(id)
+				continue
+			}
+			continue
+		else
+			singlestep {
+				newaddr = pc
+				trace_func_block(id)
+
+				trace_func_linkdasm(di.address, newaddr)
+				continue
+			}
+		end
+	else
+		# XXX should link in the dasm somehow
+		singlestep {
+			trace_func_block(id)
+			continue
+		}
+	end
+	false
+end
+
+# retrieve an instructionblock, disassemble if needed
+def trace_get_block(addr)
+	# TODO trace all blocks from addr for which we know the target, stop on call / jmp [foo]
+	disassembler.disassemble_fast_block(addr)
+	if di = disassembler.di_at(addr)
+		di.block
+	end
+end
+
+# update the blocks links in the disassembler
+def trace_func_linkdasm(from_addr, new_addr)
+	di = disassembler.di_at(from_addr)
+	ndi = disassembler.di_at(new_addr)
+
+	return if not di
+
+	# is it a subfunction return ?
+	if end_stepout(di) and cdi = (1..8).map { |i|
+				disassembler.di_at(new_addr - i)
+			}.compact.find { |cdi_|
+				cdi_.opcode.props[:saveip] and cdi_.next_addr == new_addr
+			}
+		cdi.block.add_to_subfuncret new_addr
+		ndi.block.add_from_subfuncret cdi.address if ndi
+		cdi.block.each_to_normal { |f|
+			disassembler.function[f] ||= DecodedFunction.new if disassembler.di_at(f)
+		}
+	else
+		di.block.add_to_normal new_addr
+		ndi.block.add_from_normal from_addr if ndi
+	end
+end
+
+################################################################################################
+# you can redefine the following functions in another plugin to handle trace events differently
+
+# a new trace is about to begin
+def trace_func_newtrace(id)
+	@trace_func_counter ||= {}
+	@trace_func_counter[id] = 0
+
+	puts "start tracing #{Expression[id[0]]}"
+
+	# setup a bg_color_callback on the disassembler
+	if not defined? @trace_func_dasmcolor
+		@trace_func_dasmcolor = true
+		return if not disassembler.gui
+		oldcb = disassembler.gui.bg_color_callback
+		disassembler.gui.bg_color_callback = lambda { |addr|
+			if oldcb and c = oldcb[addr]
+				c
+			elsif di = disassembler.di_at(addr) and di.block.list.first.comment.to_s =~ /functrace/
+				'ff0'
+			end
+		}
+	end
+end
+
+# a new block is added to a trace
+def trace_func_add_block(id, blockaddr)
+	@trace_func_counter[id] += 1
+	if di = disassembler.di_at(blockaddr)
+		di.add_comment "functrace #{@trace_func_counter[id]}"
+	end
+end
+
+# the trace is finished
+def trace_func_finish(id)
+	puts "finished tracing #{Expression[id[0]]}"
+end
+
+def trace_subfuncs=(v) @trace_subfuncs = v end
+def trace_subfuncs; @trace_subfuncs ||= false end
+
+# the tracer is on a end-of-func instruction, should the trace end ?
+def trace_func_istraceend(id, di)
+	if trace_subfuncs
+		if @trace_terminate
+			true
+		elsif id[2] == 0	# trace VS func_trace
+		elsif target = disassembler.get_xrefs_x(di)[0]
+			# check the current return address against the one saved at trace start
+			resolve(disassembler.normalize(target)) == id[2]
+		end
+	else
+		true
+	end
+end
+
+# the tracer is on a subfunction call instruction, should it trace into or stepover ?
+def trace_func_entersubfunc(id, di)
+	if trace_subfuncs
+		@trace_func_subfunccache ||= {}
+		if not target = @trace_func_subfunccache[di.address]
+			# even if the target is dynamic, its module should be static
+			if target = disassembler.get_xrefs_x(di)[0]
+				@trace_func_subfunccache[di.address] =
+				target = resolve(disassembler.normalize(target))
+			end
+		end
+		# check if the target subfunction is in the same module as the main
+		# XXX should check against the list of loaded modules etc
+		# XXX call thunk_foo -> jmp [other_module]
+		true if target.kind_of? Integer and target & 0xffc0_0000 == id[0] & 0xffc0_0000
+	else
+		false
+	end
+end
+
+if gui
+	gui.new_command('trace_func', 'trace execution inside a target function') { |arg| trace_func arg }
+	gui.new_command('trace_func_once', 'trace one execution inside the target function') { |arg| trace_func arg, true }
+	gui.new_command('trace_now', 'trace til the end of the current function') { trace_func pc, true ; gui.wrap_run { continue } }
+	gui.new_command('trace', 'start tracing from the current pc until trace_stop') { trace }
+	gui.new_command('trace_stop', 'stop tracing') { @trace_terminate = true }
+	gui.new_command('trace_subfunctions', 'define if the tracer should enter subfunctions') { |arg|
+		case arg.strip
+		when 'on', '1', 'yes', 'y'; @trace_subfuncs = true
+		else @trace_subfuncs = false
+		end
+		puts "#{'not ' if not @trace_subfuncs}tracing subfunctions"
+	}
+end

data/samples/disassemble-gui.rb

@@ -40,7 +40,7 @@ OptionParser.new { |opt|
 	opt.on('--map <mapfile>', 'load a map file (addr <-> name association)') { |f| opts[:map] = f }
 	opt.on('--fast', 'dasm cli args with disassemble_fast_deep') { opts[:fast] = true }
 	opt.on('--decompile') { opts[:decompile] = true }
-	opt.on('--gui <gtk|win32|qt>') { |g| require 'metasm/gui/' + g }
+	opt.on('--gui <gtk|win32|qt>') { |g| ENV['METASM_GUI'] = g }
 	opt.on('--cpu <cpu>', 'the CPU class to use for a shellcode (Ia32, X64, ...)') { |c| opts[:sc_cpu] = c }
 	opt.on('--exe <exe_fmt>', 'the executable file format to use (PE, ELF, ...)') { |c| opts[:exe_fmt] = c }
 	opt.on('--rebase <addr>', 'rebase the loaded file to <addr>') { |a| opts[:rebase] = Integer(a) }
@@ -49,6 +49,8 @@ OptionParser.new { |opt|
 	opt.on('-v', '--verbose') { $VERBOSE = true }	# default
 	opt.on('-q', '--no-verbose') { $VERBOSE = false }
 	opt.on('-d', '--debug') { $DEBUG = $VERBOSE = true }
+	opt.on('-S <file>', '--session <sessionfile>', 'save user actions in this session file') { |a|  opts[:session] = a }
+	opt.on('-N', '--new-session', 'start new session, discard old one') { opts[:newsession] = true }
 }.parse!(ARGV)
 
 case exename = ARGV.shift
@@ -66,6 +68,8 @@ when /^(tcp:|udp:)?..+:/
 else
 	w = Metasm::Gui::DasmWindow.new("#{exename + ' - ' if exename}metasm disassembler")
 	if exename
+		opts[:sc_cpu] = eval(opts[:sc_cpu]) if opts[:sc_cpu] =~ /[.(\s:]/
+		opts[:exe_fmt] = eval(opts[:exe_fmt]) if opts[:exe_fmt] =~ /[.(\s:]/
 		exe = w.loadfile(exename, opts[:sc_cpu], opts[:exe_fmt])
 		exe.disassembler.rebase(opts[:rebase]) if opts[:rebase]
 		if opts[:autoload]
@@ -73,6 +77,7 @@ else
 			opts[:map] ||= basename + '.map' if File.exist?(basename + '.map')
 			opts[:cheader] ||= basename + '.h' if File.exist?(basename + '.h')
 			(opts[:plugin] ||= []) << (basename + '.rb') if File.exist?(basename + '.rb')
+			opts[:session] ||= basename + '.metasm-session'
 		end
 	end
 end
@@ -80,21 +85,46 @@ end
 ep = ARGV.map { |arg| (?0..?9).include?(arg[0]) ? Integer(arg) : arg }
 
 if exe
-	dasm = exe.init_disassembler
+	dasm = exe.disassembler
 
 	dasm.load_map opts[:map] if opts[:map]
 	dasm.parse_c_file opts[:cheader] if opts[:cheader]
 	dasm.backtrace_maxblocks_data = -1 if opts[:nodatatrace]
 	dasm.debug_backtrace = true if opts[:debugbacktrace]
-	dasm.disassemble_fast_deep(*ep) if opts[:fast]
 	dasm.callback_finished = lambda { w.dasm_widget.focus_addr w.dasm_widget.curaddr, :decompile ; dasm.decompiler.finalize } if opts[:decompile]
+	dasm.disassemble_fast_deep(*ep) if opts[:fast]
 elsif dbg
 	dbg.load_map opts[:map] if opts[:map]
-	opts[:plugin].to_a.each { |p| dbg.load_plugin(p) }
+	dbg.disassembler.parse_c_file opts[:cheader] if opts[:cheader]
+	opts[:plugin].to_a.each { |p|
+		begin
+			dbg.load_plugin(p)
+		rescue ::Exception
+			puts "Error with plugin #{p}: #{$!.class} #{$!}"
+		end
+	}
 end
 if dasm
 	w.display(dasm, ep)
-	opts[:plugin].to_a.each { |p| dasm.load_plugin(p) }
+	opts[:plugin].to_a.each { |p|
+		begin
+			dasm.load_plugin(p)
+		rescue ::Exception
+			puts "Error with plugin #{p}: #{$!.class} #{$!}"
+		end
+	}
+
+	if opts[:session]
+		if File.exist?(opts[:session])
+			if opts[:newsession]
+				File.unlink(opts[:session])
+			else
+				puts "replaying session #{opts[:session]}"
+				w.widget.replay_session(opts[:session])
+			end
+		end
+		w.widget.save_session opts[:session]
+	end
 end
 
 opts[:hookstr].to_a.each { |f| eval f }

data/samples/disassemble.rb

@@ -48,10 +48,23 @@ t0 = Time.now if opts[:benchmark]
 if exename =~ /^live:(.*)/
 	raise 'no such live target' if not target = OS.current.find_process($1)
 	p target if $VERBOSE
-	exe = Shellcode.decode(target.memory, Metasm.const_get(opts[:sc_cpu]).new)
+	opts[:sc_cpu] = eval(opts[:sc_cpu]) if opts[:sc_cpu] =~ /[.(\s:]/
+	opts[:sc_cpu] = Metasm.const_get(opts[:sc_cpu]) if opts[:sc_cpu].kind_of(::String)
+	opts[:sc_cpu] = opts[:sc_cpu].new if opts[:sc_cpu].kind_of?(::Class)
+	exe = Shellcode.decode(target.memory, opts[:sc_cpu])
 else
-	exefmt = opts[:exe_fmt] ? Metasm.const_get(opts[:exe_fmt]) : AutoExe.orshellcode { Metasm.const_get(opts[:sc_cpu]).new }
-	exefmt = exefmt.withcpu(Metasm.const_get(opts[:sc_cpu]).new) if opts[:exe_fmt] == 'Shellcode' and opts[:sc_cpu]
+	opts[:sc_cpu] = eval(opts[:sc_cpu]) if opts[:sc_cpu] =~ /[.(\s:]/
+	opts[:exe_fmt] = eval(opts[:exe_fmt]) if opts[:exe_fmt] =~ /[.(\s:]/
+	if opts[:exe_fmt].kind_of?(::String)
+		exefmt = opts[:exe_fmt] = Metasm.const_get(opts[:exe_fmt])
+	else
+		exefmt = opts[:exe_fmt] || AutoExe.orshellcode {
+			opts[:sc_cpu] = Metasm.const_get(opts[:sc_cpu]) if opts[:sc_cpu].kind_of?(::String)
+			opts[:sc_cpu] = opts[:sc_cpu].new if opts[:sc_cpu].kind_of?(::Class)
+			opts[:sc_cpu]
+		}
+	end
+	exefmt = exefmt.withcpu(opts[:sc_cpu]) if exefmt.kind_of?(::Class) and exefmt.name.to_s.split('::').last == 'Shellcode'
 	exe = exefmt.decode_file(exename)
 	exe.disassembler.rebase(opts[:rebase]) if opts[:rebase]
 	if opts[:autoload]
@@ -62,7 +75,7 @@ else
 	end
 end
 # set options
-dasm = exe.init_disassembler
+dasm = exe.disassembler
 makeint = lambda { |addr|
 	case addr
 	when /^[0-9].*h/; addr.to_i(16)
@@ -75,7 +88,13 @@ dasm.parse_c_file opts[:cheader] if opts[:cheader]
 dasm.backtrace_maxblocks_data = -1 if opts[:nodatatrace]
 dasm.debug_backtrace = true if opts[:debugbacktrace]
 opts[:stopaddr].to_a.each { |addr| dasm.decoded[makeint[addr]] = true }
-opts[:plugin].to_a.each { |p| dasm.load_plugin p }
+opts[:plugin].to_a.each { |p|
+	begin
+		dasm.load_plugin p
+	rescue ::Exception
+		puts "Error with plugin #{p}: #{$!.class} #{$!}"
+	end
+}
 opts[:hookstr].to_a.each { |f| eval f }
 
 t1 = Time.now if opts[:benchmark]
@@ -98,7 +117,13 @@ if opts[:decompile]
 	tdc = Time.now if opts[:benchmark]
 end
 
-opts[:post_plugin].to_a.each { |p| dasm.load_plugin p }
+opts[:post_plugin].to_a.each { |p|
+	begin
+		dasm.load_plugin p
+	rescue ::Exception
+		puts "Error with plugin #{p}: #{$!.class} #{$!}"
+	end
+}
 
 dasm.save_file(opts[:savefile]) if opts[:savefile]
 

data/samples/dump_upx.rb

@@ -10,7 +10,7 @@
 # original entrypoint by disassembling the UPX stub, set breakpoint on it,
 # run the program, and dump the loaded image to an executable PE.
 #
-# usage: dump_upx.rb <packed.exe> [<dumped.exe>] [<rva iat>]
+# usage: dump_upx.rb <packed.exe> [<dumped.exe>] [<iat (r)va>] [--oep <rva>]
 #
 
 require 'metasm'
@@ -21,17 +21,22 @@ class UPXUnpacker
 	# find the oep by disassembling
 	# run it until the oep
 	# dump the memory image
-	def initialize(file, dumpfile, iat_rva=nil)
-		@dumpfile = dumpfile || 'upx-dumped.exe'
-		@iat = iat_rva
+	def initialize(file, oep, iat, dumpfile)
+		@dumpfile = dumpfile
+		@dumpfile ||= file.chomp('.exe') + '.dump.exe'
 
 		puts 'disassembling UPX loader...'
 		pe = PE.decode_file(file)
-		@oep = find_oep(pe)
-		raise 'cant find oep...' if not @oep
-		puts "oep found at #{Expression[@oep]}"
 		@baseaddr = pe.optheader.image_base
-		@iat -= @baseaddr if @iat > @baseaddr	# va => rva
+
+		@oep = oep
+		@oep -= @baseaddr if @oep and @oep > @baseaddr	# va => rva
+		@oep ||= find_oep(pe)
+		raise 'cant find oep...' if not @oep
+		puts "oep found at #{Expression[@oep]}" if not oep
+
+		@iat = iat
+		@iat -= @baseaddr if @iat and @iat > @baseaddr
 
 		@dbg = OS.current.create_process(file).debugger
 		puts 'running...'
@@ -40,7 +45,7 @@ class UPXUnpacker
 
 	# disassemble the upx stub to find a cross-section jump (to the real entrypoint)
 	def find_oep(pe)		
-		dasm = pe.disassemble_fast 'entrypoint'
+		dasm = pe.disassemble_fast_deep 'entrypoint'
 		
 		return if not jmp = dasm.decoded.find { |addr, di|
 			# check only once per basic block
@@ -80,7 +85,8 @@ class UPXUnpacker
 		dump.sections.each { |s| s.characteristics |= ['MEM_WRITE'] }
 
 		# write the PE file to disk
-		dump.encode_file @dumpfile
+		# as UPX strips the relocation information, mark the exe to opt-out from ASLR
+		dump.encode_file @dumpfile, 'exe', false
 
 		puts 'dump complete'
 	ensure
@@ -90,6 +96,12 @@ class UPXUnpacker
 end
 
 if __FILE__ == $0
-	# args: packed [unpacked] [iat rva]
-	UPXUnpacker.new(ARGV.shift, ARGV.shift, (Integer(ARGV.shift) rescue nil))
+	fn = ARGV.shift
+	oep = Integer(ARGV.shift) unless ARGV.empty?
+	oep = nil if oep == -1
+	iat = Integer(ARGV.shift) unless ARGV.empty?
+	iat = nil if iat == -1
+	out = ARGV.shift
+	abort 'usage: dump <exe> [<oep>] [<iat>] [<outfile>]' if not File.exist?(fn)
+	UPXUnpacker.new(fn, oep, iat, out)
 end

data/samples/dynamic_ruby.rb

@@ -289,12 +289,15 @@ EOS
 		m ? @cp.dump_definition(m) : @cp.to_s
 	end
 
+	@@optim_hint = {}
+	def self.optim_hint; @@optim_hint; end
+
 	attr_accessor :optim_hint
 	def initialize(cp=nil)
 		@cp = cp || DynLdr.host_cpu.new_cparser
 		@cp.parse RUBY_H
 		@iter_break = nil
-		@optim_hint = {}
+		@optim_hint = @@optim_hint.dup
 	end
 
 	# convert a ruby AST to a new C function
@@ -1135,10 +1138,10 @@ EOS
 		args = ast[3][1..-1] if ast[3] and ast[3][0] == :array
 		arg0 = args[0] if args and args[0]
 
-		if arg0 and arg0[0] == :lit and arg0[1].kind_of? Fixnum
+		if arg0 and arg0[0] == :lit and arg0[1].kind_of?(Fixnum) and %w[== > < >= <= + -].include?(op)
+			# TODO or @optim_hint[ast[1]] == 'fixnum'
 			# optimize 'x==42', 'x+42', 'x-42'
 			o2 = arg0[1]
-			return if not %w[== > < >= <= + -].include? op
 			if o2 < 0 and ['+', '-'].include? op
 				# need o2 >= 0 for overflow detection
 				op = {'+' => '-', '-' => '+'}[op]
@@ -1819,6 +1822,12 @@ end
 
 if __FILE__ == $0 or ARGV.delete('ignore_argv0')
 
+while i = ARGV.index('-e')
+	# setup optim_hint etc
+	ARGV.delete_at(i)
+	eval ARGV.delete_at(i)
+end
+
 demo = case ARGV.first
        when nil;        :test_jit
        when 'asm';      :inlineasm