tduehr-ragweed 0.1.5

data/lib/ragweed/rasm/util.rb

@@ -0,0 +1,26 @@
+# Cheating; monkeypatching Object is evil.
+class Object
+  # self-evident
+  def callable?; respond_to? :call; end
+  def number?; kind_of? Numeric; end
+
+  # while X remains callable, keep calling it to get its value
+  def derive
+    x = self
+    while x.callable?
+      x = x()
+    end
+    return x
+  end
+end
+
+# class String
+#   # this is just horrible
+#   def distorm
+#     Frasm::DistormDecoder.new.decode(self)
+#   end
+# 
+#   def disasm
+#     distorm.each {|i| puts i.mnem}
+#   end
+# end

data/lib/ragweed/rasm.rb

@@ -0,0 +1,53 @@
+# Dir[File.expand_path("#{File.dirname(__FILE__)}/rasm/*.rb")].each do |file|
+#   require file
+# end
+module Ragweed; end
+module Ragweed::Rasm
+
+  # :stopdoc:
+  VERSION = '0.1.5'
+  LIBPATH = ::File.expand_path(::File.dirname(__FILE__)) + ::File::SEPARATOR
+  PATH = ::File.dirname(LIBPATH) + ::File::SEPARATOR
+  # :startdoc:
+
+  # Returns the version string for the library.
+  #
+  def self.version
+    VERSION
+  end
+
+  # Returns the library path for the module. If any arguments are given,
+  # they will be joined to the end of the libray path using
+  # <tt>File.join</tt>.
+  #
+  def self.libpath( *args )
+    args.empty? ? LIBPATH : ::File.join(LIBPATH, args.flatten)
+  end
+
+  # Returns the lpath for the module. If any arguments are given,
+  # they will be joined to the end of the path using
+  # <tt>File.join</tt>.
+  #
+  def self.path( *args )
+    args.empty? ? PATH : ::File.join(PATH, args.flatten)
+  end
+
+  # Utility method used to require all files ending in .rb that lie in the
+  # directory below this file that has the same name as the filename passed
+  # in. Optionally, a specific _directory_ name can be passed in such that
+  # the _filename_ does not have to be equivalent to the directory.
+  #
+  def self.require_all_libs_relative_to( fname, dir = nil )
+    dir ||= ::File.basename(fname, '.*')
+    search_me = ::File.expand_path(
+        ::File.join(::File.dirname(fname), dir, '**', '*.rb'))
+    
+    Dir.glob(search_me).sort.each {|rb| require rb}
+    # require File.dirname(File.basename(__FILE__)) + "/#{x}"
+
+  end
+end  # module Ragweed::Rasm
+
+Ragweed::Rasm.require_all_libs_relative_to(__FILE__)
+
+# EOF

data/lib/ragweed/sbuf.rb

@@ -0,0 +1,197 @@
+# Stolen (mostly) from Net::SSH
+
+# a* string a10 string 10 bytes A* string trimmed
+# C uchar
+# L native u32, l signed
+# N BE u32, n 16
+# Qq quad
+# Ss native u16
+# Vv LE u32
+
+# Encapsulate a buffer of data with structured data accessors
+class Ragweed::Sbuf
+  attr_reader :content
+  attr_accessor :position
+
+  def self.from(*args)
+    raise ArgumentError, "odd argument count" if args.length.odd?
+
+    b = self.new
+    while not args.empty?
+      t = args.shift; v = args.shift
+      if t == :raw
+        b.straw(v)
+      elsif v.kind_of? Array
+        b.st t, *v
+      else
+        b.st t, v
+      end
+    end
+
+    return b
+  end
+
+  def st(t, *args)
+    send "st#{ t }", *args
+  end
+
+  def straw(*args)
+    args.each do |raw|
+      @content << raw.to_s
+    end
+    self
+  end
+
+  def initialize(opts={})
+    @content = opts[:content] || ""
+    @position = 0
+  end
+
+  def consume!(n=position)
+    if(n >= length); clear!
+    elsif n > 0
+      @content = remainder(n)
+      @position -= n
+      @position = 0 if @position < 0
+    end
+    self
+  end
+
+  def ldraw(n=length)
+    n = ((self.length) - position) if(position + n > length)
+    @position += n
+    @content[position-n, n]
+  end
+
+  def ld(t, *args)
+    return ldraw(t) if t.kind_of? Numeric
+
+    begin
+      send "ld#{ t }", *args
+    rescue => e
+      case t.to_s
+      when /^strz(\d+)?/
+        n = $1.to_i if not $1.empty?
+        n ||= 0
+        ldsz(n)
+      when /^strs(\d+)?/
+        n = $1.to_i if not $1.empty?
+        n ||= 0
+        ldss(n)
+      else
+        raise e
+      end
+    end
+  end
+
+  def sz(t, *args); self.class.sz(t, *args); end
+  def self.sz(t, *args)
+    begin
+      send "sz#{ t }", *args
+    rescue => e
+      case t.to_s
+      when /^strz(\d+)/
+        $1.to_i
+      when /^strs(\d+)/
+        $1.to_i
+      when /^str.*/
+        raise Exception, "can't take size of unbounded string"
+      else
+        raise e
+      end
+    end
+  end
+
+  def shraw(n=length)
+    ret = ldraw(n)
+    consume!
+    return ret
+  end
+
+  def sh(t, *args)
+    return shraw(t) if t.kind_of? Numeric
+    ret = send "ld#{ t }", *args
+    consume!
+    return ret
+  end
+
+  def ldsz(n=0)
+    n = @content.size - @position if n == 0
+    ld(n).unpack("a#{ n }").first
+  end
+
+  def ldss(n=0)
+    n = @content.size - @position if n == 0
+    ld(n).unpack("A#{ n }").first
+  end
+
+  def length; @content.length; end
+  def size; @content.size; end
+  def empty?; @content.empty?; end
+
+  def available; length - position; end
+  alias_method :remaining, :available
+
+  def to_s; @content.dup; end
+  def ==(b); to_s == b.to_s; end
+  def reset; @position = 0; end
+  def eof?; @position >= length; end
+  def clear!; @content = "" and reset; end
+  def remainder(n = position); @content[n..-1] || ""; end
+  def remainder_as_buffer(t=Sbuf); t.new(:content => remainder); end
+
+  def self.szl64; 8; end
+  def self.szb64; 8; end
+  def self.szn64; 8; end
+
+  def ldl64; ld(8).unpack("Q").first; end
+  def ldb64; ld(8).reverse.unpack("Q").first; end
+  alias_method :ldn64, :ldb64
+
+  def stl64(v); straw([v].pack("Q")); end
+  def stb64(v); straw([v].pack("Q").reverse); end
+  alias_method :stn64, :stb64
+
+  def self.szl32; 4; end
+  def self.szb32; 4; end
+  def self.szn32; 4; end
+
+  def ldl32; ld(4).unpack("L").first; end
+  def ldb32; ld(4).unpack("N").first; end
+  alias_method :ldn32, :ldb32
+
+  def stl32(v); straw([v].pack("L")); end
+  def stb32(v); straw([v].pack("N")); end
+  alias_method :stn32, :stb32
+
+  def self.szl16; 2; end
+  def self.szb16; 2; end
+  def self.szn16; 2; end
+
+  def ldl16; ld(2).unpack("v").first; end
+  def ldb16; ld(2).unpack("n").first; end
+  alias_method :ldn16, :ldb16
+
+  def stl16(v); straw([v].pack("v")); end
+  def stb16(v); straw([v].pack("n")); end
+  alias_method :stn16, :stb16
+
+  def self.szl8; 1; end;
+  def self.szb8; 1; end;
+  def self.szn8; 1; end;
+
+  def ldl8; ld(1)[0]; end
+  def ldb8; ldl8; end
+  alias_method :ldn8, :ldb8
+
+  def stl8(v)
+    if v.kind_of? String
+      straw(v[0].chr)
+    else
+      straw([v].pack("c"))
+    end
+  end
+
+  def stb8(v); stl8(v); end
+  alias_method :stn8, :stb8
+end

data/lib/ragweed/trampoline.rb

@@ -0,0 +1,103 @@
+class Ragweed::Trampoline
+
+  # Normally called through WinProcess#remote_call, but, for
+  # what it's worth: needs a WinProcess instance and a location,
+  # which can be a string module!function or a pointer.
+  def initialize(p, loc, opts={})
+    @p = p
+    @loc = @p.get_proc loc
+    @argc = opts[:argc]
+    @a = @p.arena
+    @mem = @a.alloc(1024)
+    @arg_mem = @mem + 512
+    @wait = opts[:wait] || true
+    @chicken = opts[:chicken] 
+    @opts = opts
+  end
+
+  # Call the remote function. Returns the 32 bit EAX return value provided
+  # by stdcall. 
+  def call(*args)
+    raise "Insufficient Arguments" if @argc and @argc != args.size
+    
+    @shim = Ragweed::Blocks::remote_trampoline(args.size, @opts)
+
+    # Won't leak memory.
+    @p.arena do |a|
+      # 1024 is a SWAG. Divide it in half, one for the trampoline
+      # (which is unrolled, because I am lazy and dumb) and the other
+      # for the call stack.
+      base = @p.ptr(a.alloc(1024))
+      
+      argm = base + 512
+      cur = argm
+
+      # Write the location for the tramp to call
+      cur.write(@loc)
+      cur += 4
+
+      # Write the function arguments into the call stack.
+      (0...args.size).each_backwards do |i|
+        if args[i].kind_of? Integer
+          val = args[i].to_l32
+        elsif args[i].kind_of? String
+          stash = a.copy(args[i])
+          val = stash.to_l32
+        else
+          val = args[i].to_s
+        end
+        cur.write(val)
+        cur += 4
+      end if args.size.nonzero?
+
+      # Write a placeholder for the return value
+      cur.write(0xDEADBEEF.to_l32)
+
+      # Write the tramp
+      s = @shim.assemble
+      base.write(s)
+
+      th = Wrap32::create_remote_thread(@p.handle, base, argm)
+      Wrap32::wait_for_single_object(th) if @wait
+      Wrap32::close_handle(th)
+      ret = @p.read32(cur)
+      if ret == 0xDEADBEEF
+        ret = nil
+      end
+      ret
+    end
+  end
+end
+
+class Trevil
+  def initialize(p)
+    @p = p
+    @ev1, @ev2 = [WinEvent.new, WinEvent.new]
+    @a = @p.arena
+  end
+
+  def clear!
+    @a.release
+  end
+
+  def go
+    mem = @a.alloc(1024)
+    base = @p.ptr(mem)
+    data = base + 512
+    swch = ["OpenProcess",
+            "DuplicateHandle",
+            "ResetEvent",
+            "SetEvent",
+            "WaitForSingleObject"].
+      map {|x| @p.get_proc("kernel32!#{x}").to_i}.
+      pack("LLLLL")
+    state = [Wrap32::get_current_process_id, @ev1.handle, @ev2.handle].
+      pack("LLL")
+
+    data.write(swch + state)
+    base.write(event_pair_stub(:debug => false).assemble)
+    Wrap32::create_remote_thread(@p.handle, base, data)
+    @ev1.wait
+    @ev2
+  end
+end

data/lib/ragweed/utils.rb

@@ -0,0 +1,87 @@
+# These should probably be extensions to Module since that's the location of instance_eval and friends.
+class Object
+    module ObjectExtensions
+      # Every object has a "singleton" class, which you can think
+      # of as the class (ie, 1.metaclass =~ Fixnum) --- but that you
+      # can modify and extend without fucking up the actual class.
+      def metaclass; class << self; self; end; end
+      def meta_eval(&blk) metaclass.instance_eval &blk; end
+      def meta_def(name, &blk) meta_eval { define_method name, &blk }; end
+      def try(meth, *args); send(meth, *args) if respond_to? meth; end
+
+      def through(meth, *args)
+          if respond_to? meth
+              send(meth, *args)
+          else
+              self
+          end
+      end
+
+      def pbpaste
+        `pbpaste`
+      end if RUBY_PLATFORM =~ /darwin/
+
+      ## This is from Topher Cyll's Stupd IRB tricks
+      def mymethods
+        (self.methods - self.class.superclass.methods).sort
+      end
+    end
+    include ObjectExtensions
+end
+
+class String
+  def to_l32; unpack("L").first; end
+  def to_b32; unpack("N").first; end
+  def to_l16; unpack("v").first; end
+  def to_b16; unpack("n").first; end
+  def to_u8; self[0]; end
+  def shift_l32; shift(4).to_l32; end
+  def shift_b32; shift(4).to_b32; end
+  def shift_l16; shift(2).to_l16; end
+  def shift_b16; shift(2).to_b16; end
+  def shift_u8; shift(1).to_u8; end
+end
+
+class Integer
+  module IntegerExtensions
+    # Convert integers to binary strings
+    def to_l32; [self].pack "L"; end
+    def to_b32; [self].pack "N"; end
+    def to_l16; [self].pack "v"; end
+    def to_b16; [self].pack "n"; end
+    def to_u8; [self].pack "C"; end
+    def ffs
+      i = 0
+      v = self
+      while((v >>= 1) != 0)
+          i += 1
+      end
+      return i
+    end
+  end
+  include IntegerExtensions
+end
+
+class Module
+  def flag_dump(i)
+    @bit_map ||= constants.map do |k|
+      [k, const_get(k.intern).ffs]
+    end.sort {|x, y| x[1] <=> y[1]}
+
+    last = 0
+    r = ""
+    @bit_map.each do |tup|
+      if((v = (tup[1] - last)) > 1)
+        r << ("." * (v-1))
+      end
+
+      if((i & (1 << tup[1])) != 0)
+        r << tup[0][0].chr
+      else
+        r << tup[0][0].chr.downcase
+      end
+      last = tup[1]
+    end
+    return r.reverse
+  end
+end

data/lib/ragweed/wrap32/debugging.rb

@@ -0,0 +1,163 @@
+module Ragweed::Wrap32
+  module DebugCodes
+    CREATE_PROCESS = 3
+    CREATE_THREAD = 2
+    EXCEPTION = 1
+    EXIT_PROCESS = 5
+    EXIT_THREAD = 4
+    LOAD_DLL = 6
+    OUTPUT_DEBUG_STRING = 8
+    RIP = 9
+    UNLOAD_DLL = 7
+  end
+
+  module ExceptionCodes
+    ACCESS_VIOLATION = 0xC0000005
+    BREAKPOINT = 0x80000003
+    ALIGNMENT =  0x80000002
+    SINGLE_STEP = 0x80000004
+    BOUNDS = 0xC0000008
+    DIVIDE_BY_ZERO = 0xC0000094
+    INT_OVERFLOW = 0xC0000095
+    INVALID_HANDLE = 0xC0000008
+    PRIV_INSTRUCTION = 0xC0000096
+    STACK_OVERFLOW = 0xC00000FD
+    INVALID_DISPOSITION = 0xC0000026
+  end
+
+  module ContinueCodes
+    CONTINUE = 0x10002
+    BREAK = 0x40010008
+    CONTROL_C = 0x40010005
+    UNHANDLED = 0x80010001
+    TERMINATE_THREAD = 0x40010003
+    TERMINATE_PROCESS = 0x40010004
+  end
+end
+
+class Ragweed::Wrap32::DebugEvent
+  (FIELDS = [ :code,
+              :pid,
+              :tid,
+              :file_handle,
+              :process_handle,
+              :thread_handle,
+              :base,
+              :offset,
+              :info_size,
+              :thread_base,
+              :start_address,
+              :image_name,
+              :unicode,
+              :exception_code,
+              :exception_flags,
+              :exception_record,
+              :exception_address,
+              :parameters,
+              :exit_code,
+              :dll_base,
+              :rip_error,
+              :rip_type]).each {|x| attr_accessor x}
+
+  def initialize(str)
+    @code, @pid, @tid = str.unpack("LLL")
+    str.shift 12
+    case @code
+    when Wrap32::DebugCodes::CREATE_PROCESS 
+      @file_handle, @process_handle, @thread_handle,
+      @base, @offset,
+      @info_size, @thread_base, @start_address,
+      @image_name, @unicode = str.unpack("LLLLLLLLLH")
+    when Wrap32::DebugCodes::CREATE_THREAD 
+      @thread_handle, @thread_base, @start_address = str.unpack("LLL")
+    when Wrap32::DebugCodes::EXCEPTION 
+      @exception_code, @exception_flags,
+      @exception_record, @exception_address, @parameter_count = str.unpack("LLLLL")
+      str = str[20..-1]
+      @parameters = []
+      @parameter_count.times do
+        begin
+          @parameters << (str.unpack("L").first)
+          str = str[4..-1]
+        rescue;end
+      end
+    when Wrap32::DebugCodes::EXIT_PROCESS 
+      @exit_code = str.unpack("L").first
+    when Wrap32::DebugCodes::EXIT_THREAD 
+      @exit_code = str.unpack("L").first
+    when Wrap32::DebugCodes::LOAD_DLL 
+      @file_handle, @dll_base, @offset,
+      @info_size, @image_name, @unicode = str.unpack("LLLLLH")
+    when Wrap32::DebugCodes::OUTPUT_DEBUG_STRING 
+    when Wrap32::DebugCodes::RIP 
+      @rip_error, @rip_type = str.unpack("LL")
+    when Wrap32::DebugCodes::UNLOAD_DLL 
+      @dll_base = str.unpack("L").first
+    else
+      raise WinX.new(:wait_for_debug_event)
+    end
+  end
+
+  def inspect_code(c)
+    Wrap32::DebugCodes.to_key_hash[c].to_s || c.to_i
+  end
+  
+  def inspect_exception_code(c)
+    Wrap32::ExceptionCodes.to_key_hash[c].to_s || c.to_i.to_s(16)
+  end
+
+  def inspect_parameters(p)
+    "[ " + p.map {|x| x.to_i.to_s}.join(", ") + " ]"
+  end
+
+  def inspect
+    body = lambda do 
+      FIELDS.map do |f| 
+        if (v = send(f))
+          f.to_s + "=" + (try("inspect_#{f.to_s}".intern, v) || v.to_i.to_s(16))
+        end
+      end.compact.join(" ")
+    end
+    
+    "#<DebugEvent #{body.call}>"
+  end
+end
+
+module Ragweed::Wrap32
+  class << self
+    def wait_for_debug_event(ms=1000)
+      buf = "\x00" * 1024
+      r = CALLS["kernel32!WaitForDebugEvent:PL=L"].call(buf, ms)
+      raise WinX.new(:wait_for_debug_event) if r == 0 and get_last_error != 121
+      return Wrap32::DebugEvent.new(buf) if r != 0
+      return nil
+    end
+
+    def continue_debug_event(pid, tid, code)
+      r = CALLS["kernel32!ContinueDebugEvent:LLL=L"].call(pid, tid, code)
+      raise WinX.new(:continue_debug_event) if r == 0
+      return r
+    end
+
+    def debug_active_process(pid)
+      r = CALLS["kernel32!DebugActiveProcess:L=L"].call(pid)
+      raise WinX.new(:debug_active_process) if r == 0
+      return r
+    end
+
+    def debug_set_process_kill_on_exit(val=0)
+      r = CALLS["kernel32!DebugSetProcessKillOnExit:L=L"].call(val)
+      raise WinX.new(:debug_set_process_kill_on_exit) if r == 0
+      return r
+    end
+
+    def debug_active_process_stop(pid)
+      # don't care about failure
+      CALLS["kernel32!DebugActiveProcessStop:L=L"].call(pid)
+    end
+
+    def flush_instruction_cache(h, v1=0, v2=0)
+      CALLS["kernel32!FlushInstructionCache:LLL=L"].call(h, v1, v2)
+    end
+  end
+end

data/lib/ragweed/wrap32/device.rb

@@ -0,0 +1,49 @@
+module Ragweed
+  class Device
+    def initialize(path, options={})
+      @path = path
+      @options = options
+      @h = Wrap32::create_file(@path, :flags => Wrap32::FileAttributes::OVERLAPPED|Wrap32::FileAttributes::NORMAL)
+    end
+
+    def ioctl(code, inbuf, outbuf)
+      overlap(lambda do |o|
+        Wrap32::device_io_control(@h, code, inbuf, outbuf, o)
+      end) do |ret, count|
+        outbuf[0..count]
+      end  
+    end
+    
+    def read(sz)
+      overlap(lambda do |o|
+        Wrap32::read_file(@h, sz, o)
+      end) do |ret, count|
+        ret[0..count]
+      end
+    end
+    
+    def write(buf)
+      overlap(lambda do |o|
+        Wrap32::write_file(@h, buf, o)
+      end) do |ret, count|
+        count
+      end
+    end 
+    
+    def release
+      Wrap32::close_handle(@h)
+      @h = nil
+    end
+
+    private
+
+    def overlap(proc)
+      o = Wrap32::Overlapped.get
+      ret = proc.call(o)
+      count = o.wait(@h)
+      r = yield ret, count
+      o.release
+      ret = r if r
+    end
+  end
+end