rex-bin_tools 0.1.0

data/lib/rex/elfparsey/exceptions.rb

@@ -0,0 +1,25 @@
+# -*- coding: binary -*-
+
+module Rex
+module ElfParsey
+
+class ElfError < ::RuntimeError
+end
+
+class ParseError < ElfError
+end
+
+class ElfHeaderError < ParseError
+end
+
+class ProgramHeaderError < ParseError
+end
+
+class BoundsError < ElfError
+end
+
+class ElfParseyError < ElfError
+end
+
+end
+end

data/lib/rex/elfscan.rb

@@ -0,0 +1,10 @@
+# -*- coding: binary -*-
+
+module Rex
+module ElfScan
+
+end
+end
+
+require 'rex/elfscan/scanner'
+require 'rex/elfscan/search'

data/lib/rex/elfscan/scanner.rb

@@ -0,0 +1,226 @@
+# -*- coding: binary -*-
+require 'metasm'
+
+module Rex
+module ElfScan
+module Scanner
+class Generic
+
+  attr_accessor :elf, :regex
+
+  def initialize(elf)
+    self.elf = elf
+  end
+
+  def config(param)
+  end
+
+  def scan(param)
+    config(param)
+
+    $stdout.puts "[#{param['file']}]"
+    elf.program_header.each do |program_header|
+
+      # Scan only loadable segment entries in the program header table
+      if program_header.p_type == Rex::ElfParsey::ElfBase::PT_LOAD
+        hits = scan_segment(program_header, param)
+        hits.each do |hit|
+          rva  = hit[0]
+          message  = hit[1].is_a?(Array) ? hit[1].join(" ") : hit[1]
+          $stdout.puts elf.ptr_s(rva) + " " + message
+          if(param['disasm'])
+            message.gsub!("; ", "\n")
+            if message.include?("retn")
+              message.gsub!("retn", "ret")
+            end
+
+            begin
+              d2 = Metasm::Shellcode.assemble(Metasm::Ia32.new, message).disassemble
+            rescue Metasm::ParseError
+              d2 = Metasm::Shellcode.disassemble(Metasm::Ia32.new, [message].pack('H*'))
+            end
+
+            addr = 0
+            while ((di = d2.disassemble_instruction(addr)))
+              disasm = "0x%08x\t" % (rva + addr)
+              disasm << di.instruction.to_s
+              $stdout.puts disasm
+              addr = di.next_addr
+            end
+          end
+        end
+      end
+
+    end
+  end
+
+  def scan_segment(program_header, param={})
+    []
+  end
+end
+
+class JmpRegScanner < Generic
+
+  def config(param)
+    regnums = param['args']
+
+    # build a list of the call bytes
+    calls  = _build_byte_list(0xd0, regnums - [4]) # note call esp's don't work..
+    jmps   = _build_byte_list(0xe0, regnums)
+    pushs1 = _build_byte_list(0x50, regnums)
+    pushs2 = _build_byte_list(0xf0, regnums)
+
+    regexstr = '('
+    if !calls.empty?
+      regexstr += "\xff[#{calls}]|"
+    end
+
+    regexstr += "\xff[#{jmps}]|([#{pushs1}]|\xff[#{pushs2}])(\xc3|\xc2..))"
+
+    self.regex = Regexp.new(regexstr, nil, 'n')
+  end
+
+  # build a list for regex of the possible bytes, based on a base
+  # byte and a list of register numbers..
+  def _build_byte_list(base, regnums)
+    regnums.collect { |regnum| Regexp.escape((base | regnum).chr) }.join('')
+  end
+
+  def _ret_size(offset)
+    case elf.read(offset, 1)
+      when "\xc3"
+        return 1
+      when "\xc2"
+        return 3
+    end
+
+    raise "Cannot read at offset: #{offset}"
+  end
+
+  def _parse_ret(data)
+    if data.length == 1
+      return "ret"
+    else
+      return "retn 0x%04x" % data[1, 2].unpack('v')[0]
+    end
+  end
+
+
+  def scan_segment(program_header, param={})
+    offset = program_header.p_offset
+
+    hits = []
+
+    while (offset = elf.index(regex, offset)) != nil
+
+      rva     = elf.offset_to_rva(offset)
+      message = ''
+
+      parse_ret = false
+
+      byte1 = elf.read(offset, 1).unpack('C')[0]
+
+      if byte1 == 0xff
+        byte2   = elf.read(offset+1, 1).unpack('C')[0]
+        regname = Rex::Arch::X86.reg_name32(byte2 & 0x7)
+
+        case byte2 & 0xf8
+        when 0xd0
+          message = "call #{regname}"
+          offset += 2
+        when 0xe0
+          message = "jmp #{regname}"
+          offset += 2
+        when 0xf0
+          retsize = _ret_size(offset+2)
+          message = "push #{regname}; " + _parse_ret(elf.read(offset+2, retsize))
+          offset += 2 + retsize
+        else
+          raise "Unexpected value at #{offset}"
+        end
+      else
+        regname = Rex::Arch::X86.reg_name32(byte1 & 0x7)
+        retsize = _ret_size(offset+1)
+        message = "push #{regname}; " + _parse_ret(elf.read(offset+1, retsize))
+        offset += 1 + retsize
+      end
+
+      hits << [ rva, message ]
+    end
+
+    return hits
+  end
+end
+
+class PopPopRetScanner < JmpRegScanner
+
+  def config(param)
+    pops = _build_byte_list(0x58, (0 .. 7).to_a - [4]) # we don't want pop esp's...
+    self.regex = Regexp.new("[#{pops}][#{pops}](\xc3|\xc2..)", nil, 'n')
+  end
+
+  def scan_segment(program_header, param={})
+    offset = program_header.p_offset
+
+    hits = []
+
+    while offset < program_header.p_offset + program_header.p_filesz &&
+    (offset = elf.index(regex, offset)) != nil
+
+      rva     = elf.offset_to_rva(offset)
+      message = ''
+
+      pops = elf.read(offset, 2)
+      reg1 = Rex::Arch::X86.reg_name32(pops[0,1].unpack('C*')[0] & 0x7)
+      reg2 = Rex::Arch::X86.reg_name32(pops[1,1].unpack('C*')[0] & 0x7)
+
+      message = "pop #{reg1}; pop #{reg2}; "
+
+      retsize = _ret_size(offset+2)
+      message += _parse_ret(elf.read(offset+2, retsize))
+
+      offset += 2 + retsize
+
+      hits << [ rva, message ]
+    end
+
+    return hits
+  end
+end
+
+class RegexScanner < JmpRegScanner
+
+  def config(param)
+    self.regex = Regexp.new(param['args'], nil, 'n')
+  end
+
+  def scan_segment(program_header, param={})
+    offset = program_header.p_offset
+
+    hits = []
+
+    while offset < program_header.p_offset + program_header.p_filesz &&
+    (offset = elf.index(regex, offset)) != nil
+
+      idx = offset
+      buf = ''
+      mat = nil
+
+      while (! (mat = buf.match(regex)))
+        buf << elf.read(idx, 1)
+        idx += 1
+      end
+
+      rva = elf.offset_to_rva(offset)
+
+      hits << [ rva, buf.unpack("H*") ]
+      offset += buf.length
+    end
+
+    return hits
+  end
+end
+
+end
+end
+end

data/lib/rex/elfscan/search.rb

@@ -0,0 +1,44 @@
+# -*- coding: binary -*-
+
+module Rex
+module ElfScan
+module Search
+
+  class DumpRVA
+    attr_accessor :elf
+
+    def initialize(elf)
+      self.elf = elf
+    end
+
+    def config(param)
+      @address = param['args']
+    end
+
+    def scan(param)
+      config(param)
+
+      $stdout.puts "[#{param['file']}]"
+
+      # Adjust based on -A and -B flags
+      pre = param['before'] || 0
+      suf = param['after']  || 16
+
+      @address -= pre
+      @address = 0 if (@address < 0 || ! @address)
+      buf = elf.read_rva(@address, suf)
+      $stdout.puts elf.ptr_s(@address) + " " + buf.unpack("H*")[0]
+    end
+  end
+
+  class DumpOffset < DumpRVA
+    def config(param)
+      begin
+        @address = elf.offset_to_rva(param['args'])
+      rescue Rex::ElfParsey::BoundsError
+      end
+    end
+  end
+end
+end
+end

data/lib/rex/image_source.rb

@@ -0,0 +1,10 @@
+# -*- coding: binary -*-
+
+module Rex
+module ImageSource
+
+end
+end
+
+require 'rex/image_source/disk'
+require 'rex/image_source/memory'

data/lib/rex/image_source/disk.rb

@@ -0,0 +1,58 @@
+# -*- coding: binary -*-
+
+require 'rex/image_source/image_source'
+require 'rex/struct2'
+
+module Rex
+module ImageSource
+class Disk < ImageSource
+
+  attr_accessor :file, :file_offset, :size
+
+  WINDOW_SIZE     = 4096
+  WINDOW_OVERLAP  = 64
+
+  def initialize(_file, _offset = 0, _len = nil)
+    _len = _file.stat.size if !_len
+
+    self.file         = _file
+    self.file_offset  = _offset
+    self.size         = _len
+  end
+
+  def read(offset, len)
+    if offset < 0 || offset+len > size
+      raise RangeError, "Offset #{offset} outside of image source", caller
+    end
+
+    file.seek(file_offset + offset)
+    file.read(len)
+  end
+
+  def index(search, offset = 0)
+    # do a sliding window search across the disk
+    while offset < size
+
+      # get a full window size if we can, we
+      # don't want to read past our boundaries
+      wsize = size - offset
+      wsize = WINDOW_SIZE if wsize > WINDOW_SIZE
+
+      window = self.read(offset, wsize)
+      res = window.index(search)
+      return res + offset if res
+      offset += WINDOW_SIZE - WINDOW_OVERLAP
+    end
+  end
+
+  def subsource(offset, len)
+    self.class.new(file, file_offset+offset, len)
+  end
+
+  def close
+    file.close
+  end
+end
+
+end
+end

data/lib/rex/image_source/image_source.rb

@@ -0,0 +1,48 @@
+# -*- coding: binary -*-
+
+module Rex
+module ImageSource
+class ImageSource
+
+  #
+  # Um, just some abstract class stuff I guess, this is the interface
+  # that any image sources should subscribe to...
+  #
+
+  def subsource(offset, len)
+    raise "do something"
+  end
+
+  def size
+    raise "do something"
+  end
+
+  def file_offset
+    raise "do something"
+  end
+
+  def close
+    raise "do something"
+  end
+
+  def read_asciiz(offset)
+    # FIXME, make me better
+    string = ''
+    loop do
+      begin
+        char = read(offset, 1)
+      rescue RangeError
+        break
+      end
+      break if char.nil? || char == "\x00"
+      offset += 1
+      string << char
+    end
+    return string
+  end
+
+
+end
+
+end
+end

data/lib/rex/image_source/memory.rb

@@ -0,0 +1,35 @@
+# -*- coding: binary -*-
+
+require 'rex/image_source/image_source'
+require 'rex/struct2'
+
+module Rex
+module ImageSource
+class Memory < ImageSource
+
+  attr_accessor :rawdata, :size, :file_offset
+
+  def initialize(_rawdata, _file_offset = 0)
+    self.rawdata     = _rawdata
+    self.size        = _rawdata.length
+    self.file_offset = _file_offset
+  end
+
+  def read(offset, len)
+    rawdata[offset, len]
+  end
+
+  def subsource(offset, len)
+    self.class.new(rawdata[offset, len], offset + file_offset)
+  end
+
+  def close
+  end
+
+  def index(*args)
+    rawdata.index(*args)
+  end
+end
+
+end
+end