rex-bin_tools 0.1.0

data/lib/rex/assembly/nasm.rb

@@ -0,0 +1,104 @@
+# -*- coding: binary -*-
+
+require 'tempfile'
+require 'rex/file'
+require 'rex/text'
+
+module Rex
+module Assembly
+
+###
+#
+# This class uses assembly to assemble and disassemble stuff.
+#
+###
+class Nasm
+
+  @@nasm_path    = 'assembly'
+  @@ndisasm_path = 'ndisasm'
+
+  #
+  # Ensures that the assembly environment is sane.
+  #
+  def self.check
+    @@nasm_path =
+      Rex::FileUtils.find_full_path('assembly')      ||
+      Rex::FileUtils.find_full_path('assembly.exe')  ||
+      Rex::FileUtils.find_full_path('nasmw.exe') ||
+      raise(RuntimeError, "No assembly installation was found.")
+
+    @@ndisasm_path =
+      Rex::FileUtils.find_full_path('ndisasm')      ||
+      Rex::FileUtils.find_full_path('ndisasm.exe')  ||
+      Rex::FileUtils.find_full_path('ndisasmw.exe') ||
+      raise(RuntimeError, "No ndisasm installation was found.")
+  end
+
+  #
+  # Assembles the supplied assembly and returns the raw opcodes.
+  #
+  def self.assemble(assembly, bits=32)
+    check
+
+    # Open the temporary file
+    tmp = Tempfile.new('nasmXXXX')
+    tmp.binmode
+
+    tpath = tmp.path
+    opath = tmp.path + '.out'
+
+    # Write the assembly data to a file
+    tmp.write("BITS #{bits}\n" + assembly)
+    tmp.flush()
+    tmp.seek(0)
+
+    # Run assembly
+    if (system(@@nasm_path, '-f', 'bin', '-o', opath, tpath) == false)
+      raise RuntimeError, "Assembler did not complete successfully: #{$?.exitstatus}"
+    end
+
+    # Read the assembled text
+    rv = ::IO.read(opath)
+
+    # Remove temporary files
+    File.unlink(opath)
+    tmp.close(true)
+
+    rv
+  end
+
+  #
+  # Disassembles the supplied raw opcodes
+  #
+  def self.disassemble(raw, bits=32)
+    check
+
+    tmp = Tempfile.new('nasmout')
+    tmp.binmode
+
+    tfd = File.open(tmp.path, "wb")
+
+    tfd.write(raw)
+    tfd.flush()
+    tfd.close
+
+    p = ::IO.popen("\"#{@@ndisasm_path}\" -b #{bits} \"#{tmp.path}\"")
+    o = ''
+
+    begin
+      until p.eof?
+        o += p.read
+      end
+    ensure
+      p.close
+    end
+
+    tmp.close(true)
+
+    o
+  end
+
+end
+
+end
+end

data/lib/rex/bin_tools.rb

@@ -0,0 +1,13 @@
+require "rex/bin_tools/version"
+require 'rex/image_source'
+require 'rex/elfparsey'
+require 'rex/elfscan'
+require 'rex/machparsey'
+require 'rex/machscan'
+require 'rex/peparsey'
+require 'rex/pescan'
+
+module Rex
+  module BinTools
+  end
+end

data/lib/rex/bin_tools/version.rb

@@ -0,0 +1,5 @@
+module Rex
+  module BinTools
+    VERSION = "0.1.0"
+  end
+end

data/lib/rex/elfparsey.rb

@@ -0,0 +1,9 @@
+# -*- coding: binary -*-
+
+module Rex
+module ElfParsey
+
+end
+end
+
+require 'rex/elfparsey/elf'

data/lib/rex/elfparsey/elf.rb

@@ -0,0 +1,121 @@
+# -*- coding: binary -*-
+
+require 'rex/elfparsey/elfbase'
+require 'rex/elfparsey/exceptions'
+require 'rex/image_source'
+
+module Rex
+module ElfParsey
+class Elf < ElfBase
+
+  attr_accessor :elf_header, :program_header, :base_addr, :isource
+
+  def initialize(isource)
+    offset = 0
+    base_addr = 0
+
+    # ELF Header
+    elf_header = ElfHeader.new(isource.read(offset, ELF_HEADER_SIZE))
+
+    # Data encoding
+    ei_data = elf_header.e_ident[EI_DATA,1].unpack("C")[0]
+
+    e_phoff = elf_header.e_phoff
+    e_phentsize = elf_header.e_phentsize
+    e_phnum = elf_header.e_phnum
+
+    # Program Header Table
+    program_header = []
+
+    e_phnum.times do |i|
+      offset = e_phoff + (e_phentsize * i)
+
+      program_header << ProgramHeader.new(
+        isource.read(offset, PROGRAM_HEADER_SIZE), ei_data
+      )
+
+      if program_header[-1].p_type == PT_LOAD && program_header[-1].p_flags & PF_EXEC > 0
+        base_addr = program_header[-1].p_vaddr
+      end
+
+    end
+
+    self.elf_header = elf_header
+    self.program_header = program_header
+    self.base_addr = base_addr
+    self.isource = isource
+  end
+
+  def self.new_from_file(filename, disk_backed = false)
+
+    file = ::File.new(filename)
+    # file.binmode # windows... :\
+
+    if disk_backed
+      return self.new(ImageSource::Disk.new(file))
+    else
+      obj = new_from_string(file.read)
+      file.close
+      return obj
+    end
+  end
+
+  def self.new_from_string(data)
+    return self.new(ImageSource::Memory.new(data))
+  end
+
+  #
+  # Returns true if this binary is for a 64-bit architecture.
+  #
+  def ptr_64?
+    unless [ ELFCLASS32, ELFCLASS64 ].include?(
+    elf_header.e_ident[EI_CLASS,1].unpack("C*")[0])
+      raise ElfHeaderError, 'Invalid class', caller
+    end
+
+    elf_header.e_ident[EI_CLASS,1].unpack("C*")[0] == ELFCLASS64
+  end
+
+  #
+  # Returns true if this binary is for a 32-bit architecture.
+  # This check does not take into account 16-bit binaries at the moment.
+  #
+  def ptr_32?
+    ptr_64? == false
+  end
+
+  #
+  # Converts a virtual address to a string representation based on the
+  # underlying architecture.
+  #
+  def ptr_s(rva)
+    (ptr_32?) ? ("0x%.8x" % rva) : ("0x%.16x" % rva)
+  end
+
+  def offset_to_rva(offset)
+    base_addr + offset
+  end
+
+  def rva_to_offset(rva)
+    rva - base_addr
+  end
+
+  def read(offset, len)
+    isource.read(offset, len)
+  end
+
+  def read_rva(rva, len)
+    isource.read(rva_to_offset(rva), len)
+  end
+
+  def index(*args)
+    isource.index(*args)
+  end
+
+  def close
+    isource.close
+  end
+
+end
+end
+end

data/lib/rex/elfparsey/elfbase.rb

@@ -0,0 +1,265 @@
+# -*- coding: binary -*-
+
+require 'rex/struct2'
+
+module Rex
+module ElfParsey
+class ElfBase
+
+  # ELF Header
+
+  ELF_HEADER_SIZE = 52
+
+  EI_NIDENT = 16
+
+  ELF32_EHDR_LSB = Rex::Struct2::CStructTemplate.new(
+    [ 'string',  'e_ident',     EI_NIDENT, '' ],
+    [ 'uint16v', 'e_type',      0 ],
+    [ 'uint16v', 'e_machine',   0 ],
+    [ 'uint32v', 'e_version',   0 ],
+    [ 'uint32v', 'e_entry',     0 ],
+    [ 'uint32v', 'e_phoff',     0 ],
+    [ 'uint32v', 'e_shoff',     0 ],
+    [ 'uint32v', 'e_flags',     0 ],
+    [ 'uint16v', 'e_ehsize',    0 ],
+    [ 'uint16v', 'e_phentsize', 0 ],
+    [ 'uint16v', 'e_phnum',     0 ],
+    [ 'uint16v', 'e_shentsize', 0 ],
+    [ 'uint16v', 'e_shnum',     0 ],
+    [ 'uint16v', 'e_shstrndx',  0 ]
+  )
+
+  ELF32_EHDR_MSB = Rex::Struct2::CStructTemplate.new(
+    [ 'string',  'e_ident',     EI_NIDENT, '' ],
+    [ 'uint16n', 'e_type',      0 ],
+    [ 'uint16n', 'e_machine',   0 ],
+    [ 'uint32n', 'e_version',   0 ],
+    [ 'uint32n', 'e_entry',     0 ],
+    [ 'uint32n', 'e_phoff',     0 ],
+    [ 'uint32n', 'e_shoff',     0 ],
+    [ 'uint32n', 'e_flags',     0 ],
+    [ 'uint16n', 'e_ehsize',    0 ],
+    [ 'uint16n', 'e_phentsize', 0 ],
+    [ 'uint16n', 'e_phnum',     0 ],
+    [ 'uint16n', 'e_shentsize', 0 ],
+    [ 'uint16n', 'e_shnum',     0 ],
+    [ 'uint16n', 'e_shstrndx',  0 ]
+  )
+
+  # e_type  This member identifies the object file type
+
+  ET_NONE   = 0       # No file type
+  ET_REL    = 1       # Relocatable file
+  ET_EXEC   = 2       # Executable file
+  ET_DYN    = 3       # Shared object file
+  ET_CORE   = 4       # Core file
+  ET_LOPROC = 0xff00  # Processor-specific
+  ET_HIPROC = 0xffff  # Processor-specific
+
+  #
+  # e_machine  This member's value specifies the required architecture for an
+  # individual file.
+  #
+
+  # ET_NONE        = 0   # No machine
+  EM_M32         = 1   # AT&T WE 32100
+  EM_SPARC       = 2   # SPARC
+  EM_386         = 3   # Intel Architecture
+  EM_68K         = 4   # Motorola 68000
+  EM_88K         = 5   # Motorola 88000
+  EM_860         = 7   # Intel 80860
+  EM_MIPS        = 8   # MIPS RS3000 Big-Endian
+  EM_MIPS_RS4_BE = 10  # MIPS RS4000 Big-Endian
+
+  # e_version  This member identifies the object file version
+
+  EV_NONE    = 0  # Invalid version
+  EV_CURRENT = 1  # Current version
+
+
+  # ELF Identification
+
+  # e_ident[]  Identification indexes
+
+  EI_MAG0    = 0   # File identification
+  EI_MAG1    = 1   # File identification
+  EI_MAG2    = 2   # File identification
+  EI_MAG3    = 3   # File identification
+  EI_CLASS   = 4   # File class
+  EI_DATA    = 5   # Data encoding
+  EI_VERSION = 6   # File version
+  EI_PAD     = 7   # Start of padding bytes
+  # EI_NIDENT  = 16  # Size of e_ident[]
+
+  #
+  # EI_MAG0 to EI_MAG3  A file's first 4 bytes hold a "magic number",
+  # identifying the file as an ELF object file.
+  #
+
+  ELFMAG0 = 0x7f  # e_ident[EI_MAG0]
+  ELFMAG1 = ?E   # e_ident[EI_MAG1]
+  ELFMAG2 = ?L   # e_ident[EI_MAG2]
+  ELFMAG3 = ?F   # e_ident[EI_MAG3]
+
+  ELFMAG = ELFMAG0.chr + ELFMAG1.chr + ELFMAG2.chr + ELFMAG3.chr
+
+  # EI_CLASS  Identifies the file's class, or capacity
+
+  ELFCLASSNONE = 0  # Invalid class
+  ELFCLASS32   = 1  # 32-bit objects
+  ELFCLASS64   = 2  # 64-bit objects
+
+  #
+  # EI_DATA  Specifies the data encoding of the processor-specific data in
+  # the object file. The following encodings are currently defined.
+  #
+
+  ELFDATANONE = 0  # Invalid data encoding
+  ELFDATA2LSB = 1  # Least significant byte first
+  ELFDATA2MSB = 2  # Most significant byte first
+
+  class GenericStruct
+    attr_accessor :struct
+    def initialize(_struct)
+      self.struct = _struct
+    end
+
+    # The following methods are just pass-throughs for struct
+
+    # Access a value
+    def v
+      struct.v
+
+    end
+
+    # Access a value by array
+    def [](*args)
+      struct[*args]
+    end
+
+    # Obtain an array of all fields
+    def keys
+      struct.keys
+    end
+
+    def method_missing(meth, *args)
+      v[meth.to_s] || (raise NoMethodError.new, meth)
+    end
+  end
+
+  class GenericHeader < GenericStruct
+  end
+
+  class ElfHeader < GenericHeader
+    def initialize(rawdata)
+
+      # Identify the data encoding and parse ELF Header
+      elf_header = ELF32_EHDR_LSB.make_struct
+
+      if !elf_header.from_s(rawdata)
+        raise ElfHeaderError, "Couldn't parse ELF Header", caller
+      end
+
+      if elf_header.v['e_ident'][EI_DATA,1].unpack('C')[0] == ELFDATA2MSB
+        elf_header = ELF32_EHDR_MSB.make_struct
+
+        if !elf_header.from_s(rawdata)
+          raise ElfHeaderError, "Couldn't parse ELF Header", caller
+        end
+      end
+
+      unless [ ELFDATA2LSB, ELFDATA2MSB ].include?(
+      elf_header.v['e_ident'][EI_DATA,1].unpack('C')[0])
+        raise ElfHeaderError, "Invalid data encoding", caller
+      end
+
+      # Identify the file as an ELF object file
+      unless elf_header.v['e_ident'][EI_MAG0, 4] == ELFMAG
+        raise ElfHeaderError, 'Invalid magic number', caller
+      end
+
+      self.struct = elf_header
+    end
+
+    def e_ident
+      struct.v['e_ident']
+    end
+
+  end
+
+
+  # Program Header
+
+  PROGRAM_HEADER_SIZE = 32
+
+  ELF32_PHDR_LSB = Rex::Struct2::CStructTemplate.new(
+    [ 'uint32v', 'p_type',   0 ],
+    [ 'uint32v', 'p_offset', 0 ],
+    [ 'uint32v', 'p_vaddr',  0 ],
+    [ 'uint32v', 'p_paddr',  0 ],
+    [ 'uint32v', 'p_filesz', 0 ],
+    [ 'uint32v', 'p_memsz',  0 ],
+    [ 'uint32v', 'p_flags',  0 ],
+    [ 'uint32v', 'p_align',  0 ]
+  )
+
+  ELF32_PHDR_MSB = Rex::Struct2::CStructTemplate.new(
+    [ 'uint32n', 'p_type',   0 ],
+    [ 'uint32n', 'p_offset', 0 ],
+    [ 'uint32n', 'p_vaddr',  0 ],
+    [ 'uint32n', 'p_paddr',  0 ],
+    [ 'uint32n', 'p_filesz', 0 ],
+    [ 'uint32n', 'p_memsz',  0 ],
+    [ 'uint32n', 'p_flags',  0 ],
+    [ 'uint32n', 'p_align',  0 ]
+  )
+
+  # p_flags  This member tells which permissions should have the segment
+
+  # Flags
+
+  PF_EXEC    = 1
+  PF_WRITE   = 2
+  PF_READ    = 4 
+
+
+  #
+  # p_type  This member tells what kind of segment this array element
+  # describes or how to interpret the array element's information.
+  #
+
+  # Segment Types
+
+  PT_NULL    = 0
+  PT_LOAD    = 1
+  PT_DYNAMIC = 2
+  PT_INTERP  = 3
+  PT_NOTE    = 4
+  PT_SHLIB   = 5
+  PT_PHDR    = 6
+  PT_LOPROC  = 0x70000000
+  PT_HIPROC  = 0x7fffffff
+
+  class ProgramHeader < GenericHeader
+    def initialize(rawdata, ei_data)
+      # Identify the data encoding and parse Program Header
+      if ei_data == ELFDATA2LSB
+        program_header = ELF32_PHDR_LSB.make_struct
+      elsif ei_data == ELFDATA2MSB
+        program_header = ELF32_PHDR_MSB.make_struct
+      else
+        raise ElfHeaderError, "Invalid data encoding", caller
+      end
+
+      if !program_header.from_s(rawdata)
+        raise ProgramHeaderError, "Couldn't parse Program Header", caller
+      end
+
+      self.struct = program_header
+    end
+
+  end
+
+end
+end
+end