wisk / medusa

An open source interactive disassembler

Questions about the code #6

Closed ivan-kulikov-dev closed 8 years ago

ivan-kulikov-dev commented 10 years ago

https://github.com/wisk/medusa/blob/dev/src/os/windows/windows.cpp#L51 Why do you need to add the _TEB/_PEB structures? How should medusa use them (when it analyzes a PE file)?

wisk commented 10 years ago

These structures are used when medusa emulates code (not fully implemented). At this time, it's just a placeholder to support simple access like SEH installation (fs:[0]). I'd like to fully implement it to support SEH, LastError, and so on.

ivan-kulikov-dev commented 10 years ago

1) How do I get the path to the file analyzed by medusa from ldr_pe?

wisk commented 10 years ago

This info is not available since you may want to analyze data from memory or, if you save a database, not keep the original file (since it's already contained in the db file). The object BinaryStream offers an abstraction to avoid keeping this information. However, if you explain why you need this feature, I could probably provide a workaround.

ivan-kulikov-dev commented 10 years ago

I need the file path for the analysis of the PDB file (PDB files are located next to the exe).

2) How do I load external files (PDB files and others)? Should I use https://github.com/wisk/medusa/blob/master/inc/medusa/binary_stream.hpp#L236 and analyse them?

wisk commented 10 years ago

1) Could you use another folder to store this file? If I remember correctly, the path to the PDB is stored in the executable by the compiler (Visual Studio). In case you download it (like official Windows binaries) from a symbol server, you can store it anywhere you want. I think it would be more convenient to look for the environment variable _NT_SYMBOL_PATH to decide where to store and/or load PDB files. For instance, Windows users can simply download the symbol package (http://msdn.microsoft.com/en-us/windows/hardware/gg463028.aspx) and use them if possible.

2) You can use anything you want (FILE, std::fstream, ...), however I strongly encourage you to use BinaryStream since it supports swap to handle endianness and it's portable for UNIX/Windows.

ivan-kulikov-dev commented 10 years ago

I'm doing a PDB file parser and a Microsoft symbols loader for Linux too ;)

wisk commented 10 years ago

Which is really awesome! I can't wait to see the result. :) If you don't want to rely on the environment variable _NT_SYMBOL_PATH, I think we can define a path to a resources folder in medusa.ini (see UserConfiguration) like ~/.medusa/resources. I really think it'd be better to regroup PDB files in the same location.

ivan-kulikov-dev commented 10 years ago

Does it make sense to write tests for medusa (e.g., architecture tests)?

wisk commented 10 years ago

Yes, and that's a good idea. Of course, some features cannot be tested (e.g. GUI), but it'd be better to have unit tests in Medusa. Is CTest ok for you? Do you prefer something else?

ivan-kulikov-dev commented 10 years ago

Yes, but CTest only runs tests. Will you use https://code.google.com/p/googlemock/ and Google Test for the tests? (How do we write tests for the core and modules, e.g. ldr/x86?)

wisk commented 10 years ago

Shame on me, I've never used one of these libraries before. What do you think about boost test (http://www.boost.org/doc/libs/1_56_0/libs/test/doc/html/index.html)? Tell me which one is the best for medusa. :)

About the tests themselves, it's hard to tell: I guess we can test how loader modules parse some executables stored in the repository (corkami is a good source of Windows binaries, for instance), and test architecture modules by disassembling raw instructions (e.g. Disasm("\x33\xc0") == "xor eax, eax"). https://code.google.com/p/corkami/downloads/detail?name=opcodes32pe-r79.zip&can=2&q= is a good start to test x86.

We should discuss it on IRC, what do you think?

ivan-kulikov-dev commented 10 years ago

Hi. I experimented with the code in my fork: https://github.com/gunmetal313/medusa/compare/gunmetal313:dev...addpluginsupport. E.g. I want to add a new module, but I get core: Module: "./libplg_hello.so" is unknown (ignored) (the module is not even recognized).

wisk commented 10 years ago

Hi,

It seems medusa fails to find the exported function GetPlugin. Please, try to run objdump and make sure this function is exported:

objdump -T libplg_hello.so | grep GetPlugin

ivan-kulikov-dev commented 9 years ago

Your architecture generator from YAML files is very cool :) :+1: But why don't you use "encoding" for the x86 architecture? And how do you use "encoding" for other architectures? )

wisk commented 9 years ago

Thanks :) The encoding field is more suited for RISC architectures because basically an instruction is decoded using a mask (e.g. (insn & mask) == val), whereas in CISC architectures I prefer to use a table, especially for x86, because it allows relying on a dispatcher and thus handling tedious cases (e.g. op_size, ad_size, segment_prefix...).

ivan-kulikov-dev commented 9 years ago

encoding: [ 1,1,1,1,1,0,1,0,0,1,0,0,*Rn_4,1,1,1,1,*Rd_4,1,(0),*rotate,*Rm_4 ]

What is the difference between 0 and (0)?

wisk commented 9 years ago

According to the official documentation of ARM:

An instruction is UNPREDICTABLE if:
* it is declared as UNPREDICTABLE in an instruction description or in this chapter
* the pseudocode for that encoding does not indicate that a different special case applies, and a bit marked (0) or (1) in the encoding diagram of an instruction is not 0 or 1 respectively.

So I guess it means that if a (0) bit does not match 0 (in the encoding) the instruction is unpredictable.
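An added example (not medusa's generator code) that ties the two answers above together: it turns the encoding list quoted from the YAML into the (insn & mask) == val test wisk describes, extracts the named fields, and reports a (0) bit that is not 0 as UNPREDICTABLE rather than as a non-match. Assumptions: fields carry their width as a _N suffix, and the unsuffixed "rotate" field is 2 bits (which makes the list sum to 32); the instruction words below are constructed.

```python
"""Turn a medusa-style ARM 'encoding' list into a match mask and decode fields."""
import re

# The encoding quoted in the thread, most significant bit first.
ENCODING = "1,1,1,1,1,0,1,0,0,1,0,0,*Rn_4,1,1,1,1,*Rd_4,1,(0),*rotate,*Rm_4"
# Assumption: fields without an _N suffix take their width from this table
# (rotate is 2 bits, which also makes the encoding exactly 32 bits wide).
DEFAULT_WIDTHS = {"rotate": 2}

def parse_encoding(enc, widths=DEFAULT_WIDTHS):
    """Return (mask, val, should_mask, should_val, fields).
    mask/val encode the fixed 0/1 bits, should_mask/should_val the (0)/(1)
    bits, and fields maps name -> (shift, width)."""
    mask = val = should_mask = should_val = 0
    fields = {}
    bit = 32                       # walk downwards from bit 31
    for tok in enc.split(","):
        tok = tok.strip()
        if tok.startswith("*"):    # a named field such as *Rn_4 or *rotate
            m = re.fullmatch(r"\*([A-Za-z]+)(?:_(\d+))?", tok)
            name, w = m.group(1), m.group(2)
            width = int(w) if w else widths[name]
            bit -= width
            fields[name] = (bit, width)
            continue
        bit -= 1
        if tok in ("0", "1"):      # fixed bit: part of the decode test
            mask |= 1 << bit
            val |= int(tok) << bit
        elif tok in ("(0)", "(1)"):  # "should be" bit: UNPREDICTABLE otherwise
            should_mask |= 1 << bit
            should_val |= int(tok[1]) << bit
        else:
            raise ValueError("bad token %r" % tok)
    if bit != 0:
        raise ValueError("encoding is %d bits, expected 32" % (32 - bit))
    return mask, val, should_mask, should_val, fields

def decode(insn, enc=ENCODING):
    """Match insn as medusa does ((insn & mask) == val). Returns None on a
    mismatch, else a dict of field values plus an 'unpredictable' flag."""
    mask, val, smask, sval, fields = parse_encoding(enc)
    if (insn & mask) != val:
        return None
    out = {n: (insn >> sh) & ((1 << w) - 1) for n, (sh, w) in fields.items()}
    out["unpredictable"] = (insn & smask) != sval
    return out
```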

ivan-kulikov-dev commented 9 years ago

Medusa doesn't support MS-DOS exe files?

wisk commented 9 years ago

Not at this time, but I guess the DOS file format won't be hard to handle.

ivan-kulikov-dev commented 9 years ago

I want to try writing DOS support. Is this normal? target_link_libraries(ldr_dos Medusa) target_link_libraries(ldr_dos ldr_pe)?? Or should all of the modules be independent of each other?

wisk commented 9 years ago

Well, you could extend ldr_pe to handle the DOS format (they rely on the same structure IMAGE_DOS_HEADER after all), but I advise you to make a loader from scratch. I don't think you can directly link a Medusa module with another one (i.e. target_link_libraries(ldr_dos ldr_pe)). If you add a different loader, please link it with Medusa: target_link_libraries(ldr_dos Medusa).

ivan-kulikov-dev commented 9 years ago

How do you use the emulator?

wisk commented 9 years ago

Basically, you should rely on the object Execution to use Emulator (let's say it'll be easier). If you want an example, take a look at https://github.com/wisk/medusa/blob/dev/src/ui/emulator/main.cpp. You can also use Emulator in Python with pydusa; I can provide you an example if you need it. :)