merrychap / shellen

:cherry_blossom: Interactive shellcoding environment to easily craft shellcodes
MIT License

enable system call argument sorting #24

Closed f0rki closed 3 years ago

f0rki commented 3 years ago

Related to my previous pull request #23, which fixed bug #22, but made the output somewhat weird.

I introduced additional system call argument sorting (based on the contents of man 2 syscall) for several architectures. This is primarily useful on x86_64, where the system call arguments are mapped to ISA registers that do not follow any lexicographic ordering.

Before:

L:asm:x86_64 > sys mmap

╔════════╦═══════╦══════╦══════╦═════════╦═════════╦══════════╦═════╗
║ NAME   ║ R10   ║ RAX  ║ RDI  ║ RDX     ║ RSI     ║ R8       ║ R9  ║
╠════════╬═══════╬══════╬══════╬═════════╬═════════╬══════════╬═════╣
║ mmap   ║ flags ║ 0x09 ║ addr ║ prot    ║ len     ║ fd       ║ off ║
║ munmap ║ -     ║ 0x0b ║ addr ║ -       ║ len     ║ -        ║ -   ║
║ mremap ║ flags ║ 0x19 ║ addr ║ new_len ║ old_len ║ new_addr ║ -   ║
╚════════╩═══════╩══════╩══════╩═════════╩═════════╩══════════╩═════╝

Now:

L:asm:x86_64 > sys mmap

╔════════╦══════╦══════╦═════════╦═════════╦═══════╦══════════╦═════╗
║ NAME   ║ RAX  ║ RDI  ║ RSI     ║ RDX     ║ R10   ║ R8       ║ R9  ║
╠════════╬══════╬══════╬═════════╬═════════╬═══════╬══════════╬═════╣
║ mmap   ║ 0x09 ║ addr ║ len     ║ prot    ║ flags ║ fd       ║ off ║
║ munmap ║ 0x0b ║ addr ║ len     ║ -       ║ -     ║ -        ║ -   ║
║ mremap ║ 0x19 ║ addr ║ old_len ║ new_len ║ flags ║ new_addr ║ -   ║
╚════════╩══════╩══════╩═════════╩═════════╩═══════╩══════════╩═════╝

It is also useful on ARM, where the system call number is passed in r7, while the arguments are passed in r0 to r6. So now the system call number is consistently output as the first column after name for all architectures regardless of the name of the register. Example on arm32:

L:asm:arm32 > sys mmap

╔════════╦══════════╦══════╦═════════╦═════════╦═══════╦══════════╦═══════╗
║ NAME   ║ R7       ║ R0   ║ R1      ║ R2      ║ R3    ║ R4       ║ R5    ║
╠════════╬══════════╬══════╬═════════╬═════════╬═══════╬══════════╬═══════╣
║ mmap   ║ 0x90005a ║ *arg ║ -       ║ -       ║ -     ║ -        ║ -     ║
║ munmap ║ 0x90005b ║ addr ║ len     ║ -       ║ -     ║ -        ║ -     ║
║ mremap ║ 0x9000a3 ║ addr ║ old_len ║ new_len ║ flags ║ new_addr ║ -     ║
║ mmap2  ║ 0x9000c0 ║ addr ║ len     ║ prot    ║ flags ║ fd       ║ pgoff ║
╚════════╩══════════╩══════╩═════════╩═════════╩═══════╩══════════╩═══════╝
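The column reordering the pull request describes, written out as an added example (this is not shellen's own code): columns are ranked by their position in the kernel's system-call convention for the architecture, so the number register comes first and the argument registers follow in argument order, whatever their names sort to lexicographically. The `SYSCALL_ABI` table, the function names and the sample rows are assumptions; the sample rows are the x86_64 rows from the "Before" table above, entered in that table's unsorted column order.

```python
# Added example, not part of shellen. Reorders a syscall table's register
# columns into ABI argument order instead of register-name order.

# Assumed per-architecture convention (number register, argument registers
# in argument order), following man 2 syscall.
SYSCALL_ABI = {
    "x86_64": ("rax", ["rdi", "rsi", "rdx", "r10", "r8", "r9"]),
    "x86":    ("eax", ["ebx", "ecx", "edx", "esi", "edi", "ebp"]),
    "arm32":  ("r7",  ["r0", "r1", "r2", "r3", "r4", "r5", "r6"]),
    "arm64":  ("x8",  ["x0", "x1", "x2", "x3", "x4", "x5"]),
}


def abi_rank(arch):
    """Map lower-case register name -> ABI position (0 = syscall number)."""
    number_reg, arg_regs = SYSCALL_ABI[arch]
    rank = {number_reg: 0}
    rank.update({reg: i + 1 for i, reg in enumerate(arg_regs)})
    return rank


def abi_column_order(arch, columns):
    """Sort column names by ABI position. Non-register columns such as NAME
    get rank -1 and stay in front; sorted() is stable, so their relative
    order is preserved."""
    rank = abi_rank(arch)
    return sorted(columns, key=lambda col: rank.get(col.lower(), -1))


def sort_row(arch, row):
    """row: dict column -> cell. Returns (column, cell) pairs in ABI order."""
    return [(col, row[col]) for col in abi_column_order(arch, list(row))]


def render_table(arch, rows):
    """Plain-text table with ABI-ordered columns; header taken from the
    first row, missing cells rendered as '-'."""
    if not rows:
        return ""
    columns = abi_column_order(arch, list(rows[0]))
    widths = {c: max(len(c), *(len(str(r.get(c, "-"))) for r in rows))
              for c in columns}

    def line(cells):
        return " | ".join(str(cells.get(c, "-")).ljust(widths[c])
                          for c in columns)

    header = line({c: c for c in columns})
    return "\n".join([header, "-" * len(header)] + [line(r) for r in rows])


# Constructed sample: x86_64 rows from the "Before" table, in its column order.
BEFORE_X86_64 = [
    {"NAME": "mmap", "R10": "flags", "RAX": "0x09", "RDI": "addr",
     "RDX": "prot", "RSI": "len", "R8": "fd", "R9": "off"},
    {"NAME": "munmap", "R10": "-", "RAX": "0x0b", "RDI": "addr",
     "RDX": "-", "RSI": "len", "R8": "-", "R9": "-"},
]

if __name__ == "__main__":
    print(render_table("x86_64", BEFORE_X86_64))
```

Ranking by ABI position rather than register name is what makes the output uniform across architectures: on arm32 the number register `r7` sorts ahead of `r0`, and on x86_64 `r10` lands between `rdx` and `r8` as the fourth argument, matching the "Now" tables above.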