Closed Summus-31c04089c3cd80 closed 9 years ago
Hi @rlesteve
I've tried your shellcode with this exception handler:
def handle(jitter):
jitter.vm.set_exception(0)
jitter.cpu.set_exception(0)
return True
sb.jitter.add_exception_handler(4L, handle)
I use the example/jitter/sandbox_pe_x86_32.py
script for convenience. I used a small elfesteem script to build a PE from your shellcode.
I got the following output:
RAX 000000000132FFE0 RBX 0000000000000005 RCX 0000000000000401 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000132FFE0 RBP 0000000000000000
zf 0000000000000001 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 000000000040101E
0040101F PUSH 0x4
RAX 000000000132FFE0 RBX 0000000000000005 RCX 0000000000000401 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000132FFDC RBP 0000000000000000
zf 0000000000000001 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 000000000040101F
00401021 POP EAX
RAX 0000000000000004 RBX 0000000000000005 RCX 0000000000000401 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000132FFE0 RBP 0000000000000000
zf 0000000000000001 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000000401021
00401022 JMP loc_0000000000401034:0x00401034
RAX 0000000000000004 RBX 0000000000000005 RCX 0000000000000401 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000132FFE0 RBP 0000000000000000
zf 0000000000000001 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000000401034
00401034 CALL loc_0000000000401024:0x00401024
RAX 0000000000000004 RBX 0000000000000005 RCX 0000000000000401 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000132FFDC RBP 0000000000000000
zf 0000000000000001 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000000401024
00401024 POP ECX
RAX 0000000000000004 RBX 0000000000000005 RCX 0000000000401039 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000132FFE0 RBP 0000000000000000
zf 0000000000000001 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000000401024
So, the JMP and the CALL are correclty handled.
It may come from your int 80
management.
Ok, i will compare it with my code ! Thank you
I examined the example/jitter/sandbox_pe_x86_32.py
script, but, if you load the shellcode as PE, so it is analysed as a windows shellcode, using the lib_imp for PE, etc, when it is a Linux shellcode, that's strange !
Ok i now understand ! The execution follows the call, it is the disas of the shellcode that doesnt.
container = Container.from_string(shellcode)
mdis = machine.dis_engine(container.bin_stream)
blocs = mdis.dis_multibloc(0)
for i, b in enumerate(blocs):
print b
This give the print I gave you in the first post, but the logs give what you got.
So now my problem is I don't know how to get the disas of the current bloc after a CALL
.
Is there a method to get it ?
Yop
You have the solution in miasm/example/disasm/full.py
miasm/example/disasm$ python full.py -h
usage: Disassemble a binary [-h] [-m ARCHITECTURE] [-f] [-b BLOCKWATCHDOG]
[-n FUNCSWATCHDOG] [-r] [-v] [-g] [-z] [-l] [-s]
[-o SHIFTOFFSET] [-a] [-i]
filename [address [address ...]]
positional arguments:
filename File to disassemble
address Starting address for disassembly engine
optional arguments:
-h, --help show this help message and exit
-m ARCHITECTURE, --architecture ARCHITECTURE
architecture: arml,armb,armtl,armtb,sh4,x86_16,x86_32,
x86_64,msp430,mips32b,mips32l
-f, --followcall Follow call instructions
-b BLOCKWATCHDOG, --blockwatchdog BLOCKWATCHDOG
Maximum number of basic block to disassemble
-n FUNCSWATCHDOG, --funcswatchdog FUNCSWATCHDOG
Maximum number of function to disassemble
-r, --recurfunctions Disassemble founded functions
-v, --verbose Verbose mode
-g, --gen_ir Compute the intermediate representation
-z, --dis-nulstart-block
Do not disassemble NULL starting block
-l, --dontdis-retcall
If set, disassemble only call destinations
-s, --simplify Use the liveness analysis pass
-o SHIFTOFFSET, --shiftoffset SHIFTOFFSET
Shift input binary by an offset
-a, --try-disasm-all Try to disassemble the whole binary
-i, --image Display image representation of disasm
More precisely:
-f, --followcall Follow call instructions
Don't hesitate to look at the code to understand how this is achieved.
Don't hesitate as well to look at all the examples: there are no docs in Miasm, but we tried to make some efforts in writing some many use cases, and most of them contain an embedded help.
It works ! I have spent many hours reading and trying to understand your code, using the search tool etc But in this example, the option -f is not used (try to search followcall, it only appears in the options when it should be a variable), so the last time I look at it for this issue I did not insist enough.
Thank you very much for you help !
You are right!
I have done a pull request #186 to correct the issue of the followcall
Hi,
I have an other question about the execution of a Linux shellcode, this is what miasm did :
4000001E XCHG EAX, EBX 4000001F PUSH 0x4 40000021 POP EAX 40000022 JMP loc_0000000040000034:0x40000034 40000034 CALL loc_0000000040000024:0x40000024 40000039 XOR DWORD PTR [EDX], ESI (...)
The jump to 0x34 is followed but not the call, did i miss something or have i to force the call ?
When i print the blocs we can see the "jump" of the call is not correct : loc_000000000000001E:0x0000001e XCHG EAX, EBX PUSH 0x4 POP EAX JMP loc_0000000000000034:0x00000034 -> c_to:loc_0000000000000034:0x00000034
loc_0000000000000034:0x00000034 CALL loc_0000000000000024:0x00000024 -> c_next:loc_0000000000000039:0x00000039
This is the complete shellcode : "\x31\xc9\xf7\xe1\xb0\x05\x51\x68\x6f\x73\x74\x73\x68\x2f\x2f\x2f\x68\x68\x2f\x65\x74\x63\x89\xe3\x66\xb9\x01\x04\xcd\x80\x93\x6a\x04\x58\xeb\x10\x59\x6a\x14\x5a\xcd\x80\x6a\x06\x58\xcd\x80\x6a\x01\x58\xcd\x80\xe8\xeb\xff\xff\xff\x31\x32\x37\x2e\x31\x2e\x31\x2e\x31\x20\x67\x6f\x6f\x67\x6c\x65\x2e\x63\x6f\x6d"