rex-bin_tools 0.1.0

data/lib/rex/machscan.rb

@@ -0,0 +1,9 @@
+# -*- coding: binary -*-
+
+module Rex
+module MachScan
+
+end
+end
+
+require 'rex/machscan/scanner'

data/lib/rex/machscan/scanner.rb

@@ -0,0 +1,217 @@
+# -*- coding: binary -*-
+
+module Rex
+module MachScan
+module Scanner
+class Generic
+
+  attr_accessor :mach, :fat, :regex
+
+  def initialize(binary)
+    if binary.class == Rex::MachParsey::Mach
+      self.mach = binary
+    else
+      self.fat = binary
+    end
+  end
+
+  def config(param)
+  end
+
+  def scan(param)
+      config(param)
+
+      $stdout.puts "[#{param['file']}]"
+
+      if !self.mach
+        for mach in fat.machos
+          if mach.mach_header.cputype == 0x7 #since we only support intel for the time being its all we process
+            self.mach = mach
+          end
+        end
+      end
+
+      self.mach.segments.each do |segment|
+        if segment.segname.include? "__TEXT"
+          scan_segment(segment, param).each do |hit|
+            vaddr  = hit[0]
+            message  = hit[1].is_a?(Array) ? hit[1].join(" ") : hit[1]
+            $stdout.puts self.mach.ptr_s(vaddr - self.mach.fat_offset) + " " + message
+          end
+        end
+      end
+
+  end
+
+  def scan_segment(segment, param={})
+    []
+  end
+end
+
+class JmpRegScanner < Generic
+
+  def config(param)
+    regnums = param['args']
+
+    # build a list of the call bytes
+    calls  = _build_byte_list(0xd0, regnums - [4]) # note call esp's don't work..
+    jmps   = _build_byte_list(0xe0, regnums)
+    pushs1 = _build_byte_list(0x50, regnums)
+    pushs2 = _build_byte_list(0xf0, regnums)
+
+    regexstr = '('
+    if !calls.empty?
+        regexstr += "\xff[#{calls}]|"
+    end
+
+    regexstr += "\xff[#{jmps}]|([#{pushs1}]|\xff[#{pushs2}])(\xc3|\xc2..))"
+
+    self.regex = Regexp.new(regexstr, nil, 'n')
+  end
+
+  # build a list for regex of the possible bytes, based on a base
+  # byte and a list of register numbers..
+  def _build_byte_list(base, regnums)
+    regnums.collect { |regnum| Regexp.escape((base | regnum).chr) }.join('')
+  end
+
+  def _ret_size(offset)
+    case mach.read(offset, 1)
+    when "\xc3"
+        return 1
+    when "\xc2"
+        return 3
+    end
+    $stderr.puts("Invalid return instruction")
+  end
+
+  def _parse_ret(data)
+    if data.length == 1
+      return "ret"
+    else
+      return "retn 0x%04x" % data[1, 2].unpack('v')[0]
+    end
+  end
+
+  def scan_segment(segment, param={})
+    base_addr = segment.vmaddr
+    segment_offset = segment.fileoff
+    offset = segment_offset
+
+    hits = []
+
+    while (offset = mach.index(regex, offset)) != nil
+
+      vaddr = base_addr + (offset - segment_offset)
+      message = ''
+
+      parse_ret = false
+
+      byte1 = mach.read(offset, 1).unpack("C*")[0]
+
+      if byte1 == 0xff
+        byte2   = mach.read(offset+1, 1).unpack("C*")[0]
+        regname = Rex::Arch::X86.reg_name32(byte2 & 0x7)
+
+        case byte2 & 0xf8
+        when 0xd0
+            message = "call #{regname}"
+            offset += 2
+        when 0xe0
+            message = "jmp #{regname}"
+            offset += 2
+        when 0xf0
+            retsize = _ret_size(offset+2)
+            message = "push #{regname}; " + _parse_ret(mach.read(offset+2, retsize))
+            offset += 2 + retsize
+        else
+            raise "Unexpected value at offset: #{offset}"
+        end
+      else
+        regname = Rex::Arch::X86.reg_name32(byte1 & 0x7)
+        retsize = _ret_size(offset+1)
+        message = "push #{regname}; " + _parse_ret(mach.read(offset+1, retsize))
+        offset += 1 + retsize
+      end
+
+      hits << [ vaddr, message ]
+    end
+
+    return hits
+  end
+end
+
+class PopPopRetScanner < JmpRegScanner
+
+  def config(param)
+    pops = _build_byte_list(0x58, (0 .. 7).to_a - [4]) # we don't want pop esp's...
+    self.regex = Regexp.new("[#{pops}][#{pops}](\xc3|\xc2..)", nil, 'n')
+  end
+
+  def scan_segment(segment, param={})
+    base_addr = segment.vmaddr
+    segment_offset = segment.fileoff
+    offset = segment_offset
+
+    hits = []
+
+    while offset < segment.fileoff + segment.filesize && (offset = mach.index(regex, offset)) != nil
+
+      vaddr = base_addr + (offset - segment_offset)
+      message = ''
+
+      pops = mach.read(offset, 2)
+      reg1 = Rex::Arch::X86.reg_name32(pops[0,1].unpack("C*")[0] & 0x7)
+      reg2 = Rex::Arch::X86.reg_name32(pops[1,1].unpack("C*")[0] & 0x7)
+
+      message = "pop #{reg1}; pop #{reg2}; "
+
+      retsize = _ret_size(offset+2)
+      message += _parse_ret(mach.read(offset+2, retsize))
+
+      offset += 2 + retsize
+
+      hits << [ vaddr, message ]
+    end
+
+    return hits
+  end
+end
+
+class RegexScanner < JmpRegScanner
+
+  def config(param)
+    self.regex = Regexp.new(param['args'], nil, 'n')
+  end
+
+  def scan_segment(segment, param={})
+    base_addr = segment.vmaddr
+    segment_offset = segment.fileoff
+    offset = segment_offset
+
+    hits = []
+
+    while offset < segment.fileoff + segment.filesize && (offset = mach.index(regex, offset)) != nil
+
+      idx = offset
+      buf = ''
+      mat = nil
+
+      while (! (mat = buf.match(regex)))
+        buf << mach.read(idx, 1)
+        idx += 1
+      end
+
+      vaddr = base_addr + (offset - segment_offset)
+
+      hits << [ vaddr, buf.unpack("H*") ]
+      offset += buf.length
+    end
+    return hits
+  end
+end
+
+end
+end
+end
+

data/lib/rex/peparsey.rb

@@ -0,0 +1,10 @@
+# -*- coding: binary -*-
+
+module Rex
+module PeParsey
+
+end
+end
+
+require 'rex/peparsey/pe'
+require 'rex/peparsey/pe_memdump'

data/lib/rex/peparsey/exceptions.rb

@@ -0,0 +1,30 @@
+# -*- coding: binary -*-
+
+module Rex
+module PeParsey
+
+class PeError < ::RuntimeError
+end
+
+class ParseError < PeError
+end
+
+class DosHeaderError < ParseError
+end
+
+class FileHeaderError < ParseError
+end
+
+class OptionalHeaderError < ParseError
+end
+
+class BoundsError < PeError
+end
+
+class PeParseyError < PeError
+end
+
+class SkipError < PeError
+end
+
+end end

data/lib/rex/peparsey/pe.rb

@@ -0,0 +1,210 @@
+# -*- coding: binary -*-
+
+require 'rex/image_source'
+require 'rex/peparsey/exceptions'
+require 'rex/peparsey/pebase'
+require 'rex/peparsey/section'
+require 'rex/struct2'
+
+module Rex
+module PeParsey
+class Pe < PeBase
+
+  def initialize(isource)
+
+    #
+    # DOS Header
+    #
+    # Parse the initial dos header, starting at the file beginning
+    #
+    offset = 0
+    dos_header = self.class._parse_dos_header(isource.read(offset, IMAGE_DOS_HEADER_SIZE))
+
+    #
+    # File Header
+    #
+    # If there is going to be a PE, the dos header tells us where to find it
+    # So now we try to parse the file (pe) header
+    #
+    offset += dos_header.e_lfanew
+
+    # most likely an invalid e_lfanew...
+    if offset > isource.size
+      raise FileHeaderError, "e_lfanew looks invalid", caller
+    end
+
+    file_header = self.class._parse_file_header(isource.read(offset, IMAGE_FILE_HEADER_SIZE))
+
+    #
+    # Optional Header
+    #
+    # After the file header, we find the optional header.  Right now
+    # we require a optional header.  Despite it's name, all binaries
+    # that we are interested in should have one.  We need this
+    # header for a lot of stuff, so we die without it...
+    #
+    offset += IMAGE_FILE_HEADER_SIZE
+    optional_header = self.class._parse_optional_header(
+      isource.read(offset, file_header.SizeOfOptionalHeader)
+    )
+
+    if !optional_header
+      raise OptionalHeaderError, "No optional header!", caller
+    end
+
+    base = optional_header.ImageBase
+
+    #
+    # Section Headers
+    #
+    # After the optional header should be the section headers.
+    # We know how many there should be from the file header...
+    #
+    offset += file_header.SizeOfOptionalHeader
+
+    num_sections = file_header.NumberOfSections
+    section_headers = self.class._parse_section_headers(
+      isource.read(offset, IMAGE_SIZEOF_SECTION_HEADER * num_sections)
+    )
+
+    #
+    # End of Headers
+    #
+    # After the section headers (which are padded to FileAlignment)
+    # we should find the section data, described by the section
+    # headers...
+    #
+    # So this is the end of our header data, lets store this
+    # in an image source for possible access later...
+    #
+    offset += IMAGE_SIZEOF_SECTION_HEADER * num_sections
+    offset = self.class._align_offset(offset, optional_header.FileAlignment)
+
+    header_section = Section.new(isource.subsource(0, offset), 0, nil)
+
+    #
+    # Sections
+    #
+    # So from here on out should be section data, and then any
+    # trailing data (like authenticode and stuff I think)
+    #
+
+    sections = [ ]
+
+    section_headers.each do |section_header|
+
+      rva         = section_header.VirtualAddress
+      size        = section_header.SizeOfRawData
+      file_offset = section_header.PointerToRawData
+
+      sections << Section.new(
+        isource.subsource(file_offset, size),
+        rva,
+        section_header
+      )
+    end
+
+
+
+    #
+    # Save the stuffs!
+    #
+    # We have parsed enough to load the file up here, now we just
+    # save off all of the structures and data... We will
+    # save our fake header section, the real sections, etc.
+    #
+
+    #
+    # These should not be accessed directly
+    #
+
+    self._isource          = isource
+
+    self._dos_header       = dos_header
+    self._file_header      = file_header
+    self._optional_header  = optional_header
+    self._section_headers  = section_headers
+
+    self.image_base        = base
+    self.sections          = sections
+    self.header_section    = header_section
+
+    self._config_header    = _parse_config_header()
+    self._tls_header       = _parse_tls_header()
+
+    # These can be accessed directly
+    self.hdr               = HeaderAccessor.new
+    self.hdr.dos           = self._dos_header
+    self.hdr.file          = self._file_header
+    self.hdr.opt           = self._optional_header
+    self.hdr.sections      = self._section_headers
+    self.hdr.config        = self._config_header
+    self.hdr.tls           = self._tls_header
+    self.hdr.exceptions    = self._exception_header
+
+    # We load the exception directory last as it relies on hdr.file to be created above.
+    self._exception_header = _load_exception_directory()
+  end
+
+  #
+  # Return everything that's going to be mapped in the process
+  # and accessable.  This should include all of the sections
+  # and our "fake" section for the header data...
+  #
+  def all_sections
+    [ header_section ] + sections
+  end
+
+  #
+  # Returns true if this binary is for a 64-bit architecture.
+  #
+  def ptr_64?
+    [
+      IMAGE_FILE_MACHINE_IA64,
+      IMAGE_FILE_MACHINE_ALPHA64,
+      IMAGE_FILE_MACHINE_AMD64
+    ].include?(self._file_header.Machine)
+  end
+
+  #
+  # Returns true if this binary is for a 32-bit architecture.
+  # This check does not take into account 16-bit binaries at the moment.
+  #
+  def ptr_32?
+    ptr_64? == false
+  end
+
+  #
+  # Converts a virtual address to a string representation based on the
+  # underlying architecture.
+  #
+  def ptr_s(va)
+    (ptr_32?) ? ("0x%.8x" % va) : ("0x%.16x" % va)
+  end
+
+  #
+  # Converts a file offset into a virtual address
+  #
+  def file_offset_to_va(offset)
+    image_base + file_offset_to_rva(offset)
+  end
+
+  #
+  # Read raw bytes from the specified offset in the underlying file
+  #
+  # NOTE: You should pass raw file offsets into this, not offsets from
+  # the beginning of the section. If you need to read from within a
+  # section, add section.file_offset prior to passing the offset in.
+  #
+  def read(offset, len)
+    _isource.read(offset, len)
+  end
+
+  def size
+    _isource.size
+  end
+  def length
+    _isource.size
+  end
+
+end end end