Comments (12)
Can you supply the whole shellcode, or at least a minimalist example with the associated Python code ? That way, we will be able to reproduce and fix this issue.
In addition, please move your second question in a separate issue (and add the aforementioned code snippet).
from miasm.
This was the shellcode used: "\x31\xc0\x83\xc0\x29\x6a\x02\x5b\xcd\x80\x83\xe8\x04\xcd\x80"
I've since modified the Python code, but it was a "basic" script, similar to this one: https://github.com/cea-sec/miasm/blob/master/example/jitter/x86_32.py (with the shellcode given above)
from miasm.
For the moment, put aside the libs. To have the same conditions, I first generate the following shellcode:
main:
XOR EAX, EAX
MOV AL, 1
XOR EBX,EBX
INT 0x80
RET
So I assemble it:
python example/asm/shellcode.py x86_32 example/samples/x86_32_int80.S out.bin
And I emulate it:
$ python example/jitter/x86_32.py out.bin
RAX 0000000000000000 RBX 0000000000000000 RCX 0000000000000000 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFFC RBP 0000000000000000
zf 0000000000000000 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000040000000
40000000 XOR EAX, EAX
RAX 0000000000000000 RBX 0000000000000000 RCX 0000000000000000 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFFC RBP 0000000000000000
zf 0000000000000001 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000040000000
40000002 MOV AL, 0x1
RAX 0000000000000001 RBX 0000000000000000 RCX 0000000000000000 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFFC RBP 0000000000000000
zf 0000000000000001 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000040000002
40000004 XOR EBX, EBX
RAX 0000000000000001 RBX 0000000000000000 RCX 0000000000000000 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFFC RBP 0000000000000000
zf 0000000000000001 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000040000004
40000006 INT 0x80
Traceback (most recent call last):
File "example/jitter/x86_32.py", line 40, in <module>
myjit.continue_run()
File "/usr/local/lib/python2.7/dist-packages/miasm2/jitter/jitload.py", line 339, in continue_run
return self.run_iterator.next()
File "/usr/local/lib/python2.7/dist-packages/miasm2/jitter/jitload.py", line 311, in runiter_once
assert(self.get_exception() == 0)
AssertionError
We have an error on the int 0x80. This instruction throws an exception. The basic emulation code doesn't handle exceptions. To deal with it, you have to add an exception handler:
from miasm2.jitter.csts import PAGE_READ, PAGE_WRITE, EXCEPT_INT_XX

def exception_int(jitter):
    # Called by the jitter when INT xx raises an exception
    print 'interrupt!'
    return False

myjit.add_exception_handler(EXCEPT_INT_XX, exception_int)
(You have to import EXCEPT_INT_XX, something like: from miasm2.jitter.csts import PAGE_READ, PAGE_WRITE, EXCEPT_INT_XX)
Result:
$ python xxx.py out.bin
RAX 0000000000000000 RBX 0000000000000000 RCX 0000000000000000 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFFC RBP 0000000000000000
zf 0000000000000000 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000040000000
40000000 XOR EAX, EAX
RAX 0000000000000000 RBX 0000000000000000 RCX 0000000000000000 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFFC RBP 0000000000000000
zf 0000000000000001 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000040000000
40000002 MOV AL, 0x1
RAX 0000000000000001 RBX 0000000000000000 RCX 0000000000000000 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFFC RBP 0000000000000000
zf 0000000000000001 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000040000002
40000004 XOR EBX, EBX
RAX 0000000000000001 RBX 0000000000000000 RCX 0000000000000000 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFFC RBP 0000000000000000
zf 0000000000000001 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000040000004
40000006 INT 0x80
interrupt!
And the shellcode stops (the return False makes the execution stop).
Now you have to implement your own system call for the int 0x80!
For example:
def exception_int(jitter):
    print 'interrupt!'
    # On x86_32 Linux, EAX holds the syscall number
    print 'syscall num:', hex(jitter.cpu.EAX)
    # Write the chosen return value back into EAX
    jitter.cpu.EAX = 0x1337
    jitter.cpu.set_exception(0)
    return True
(Here, jitter.cpu.set_exception(0) resets the exception generated by the int 0x80)
And the result:
$ python xxx.py out.bin
RAX 0000000000000000 RBX 0000000000000000 RCX 0000000000000000 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFFC RBP 0000000000000000
zf 0000000000000000 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000040000000
40000000 XOR EAX, EAX
RAX 0000000000000000 RBX 0000000000000000 RCX 0000000000000000 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFFC RBP 0000000000000000
zf 0000000000000001 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000040000000
40000002 MOV AL, 0x1
RAX 0000000000000001 RBX 0000000000000000 RCX 0000000000000000 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFFC RBP 0000000000000000
zf 0000000000000001 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000040000002
40000004 XOR EBX, EBX
RAX 0000000000000001 RBX 0000000000000000 RCX 0000000000000000 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFFC RBP 0000000000000000
zf 0000000000000001 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000040000004
40000006 INT 0x80
interrupt!
syscall num: 0x1L
RAX 0000000000001337 RBX 0000000000000000 RCX 0000000000000000 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFFC RBP 0000000000000000
zf 0000000000000001 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000040000008
40000008 RET
See EAX is 1337 after the system call.
from miasm.
It seems your posted shellcode doesn't have any call, so it doesn't match your issue.
As @commial said, move this sub issue in another topic.
from miasm.
Ok, thank you!
I moved the question about call to another topic; this shellcode was about this issue :)
So is it possible to execute an external function in the miasm VM?
If I implement a syscall in Python and execute it in the exception handler, the environment should be different from the one where the shellcode is executed, right?
from miasm.
No, if you modify jitter.cpu.EAX, it modifies the EAX in the current VM.
I may not have understood your request: what do you mean by "external" function?
from miasm.
For example: getuid. I'm asking if the return will be the same if it is called by the Python code or if it is called directly by the shellcode (in the VM)?
from miasm.
The Miasm VM is there to simulate the behavior of a real machine. So you can set EAX to any uid you want here.
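Added example (not code from the miasm project or from the thread's authors): a table-driven handler for the int 0x80 exception in the shape described above (EAX selects the syscall, EBX/ECX/EDX carry the arguments, set_exception(0) plus return True resumes the VM, return False stops it), with a getuid entry whose answer the analyst chooses, as suggested in the last reply. FakeCPU, FakeJitter, PENDING_INT and replay_syscalls are constructed stand-ins for miasm's jitter.cpu so the dispatch logic runs without miasm installed; the i386 syscall numbers are from the Linux ABI.

```python
PENDING_INT = 0x100  # constructed marker standing in for the exception raised by INT 0x80

class FakeCPU:
    """Constructed stand-in for miasm's jitter.cpu: registers plus set_exception()."""
    def __init__(self):
        self.EAX = self.EBX = self.ECX = self.EDX = 0
        self.exception = 0
    def set_exception(self, value):
        self.exception = value

class FakeJitter:
    def __init__(self):
        self.cpu = FakeCPU()

# i386 Linux syscall numbers
SYS_EXIT, SYS_GETPID, SYS_GETUID = 1, 20, 24

def make_int80_handler(syscalls, log):
    """Build a handler: each syscall impl takes (ebx, ecx, edx) and returns (eax, keep_running)."""
    def exception_int(jitter):
        cpu = jitter.cpu
        num = cpu.EAX & 0xFFFFFFFF
        impl = syscalls.get(num)
        if impl is None:
            # Unmodelled syscall: keep the exception set and stop, like the first handler in the
            # thread, so a sample that depends on it fails loudly instead of running on garbage.
            log.append("unhandled syscall %d (ebx=%#x)" % (num, cpu.EBX))
            return False
        ret, keep_running = impl(cpu.EBX, cpu.ECX, cpu.EDX)
        cpu.EAX = ret & 0xFFFFFFFF   # the syscall's return value goes back into EAX
        cpu.set_exception(0)         # clear the exception generated by INT 0x80
        return keep_running
    return exception_int

def analyst_syscalls(uid=1000, pid=4242):
    """Syscall table whose answers are chosen by the analyst, e.g. any uid for getuid."""
    return {
        SYS_GETUID: lambda ebx, ecx, edx: (uid, True),
        SYS_GETPID: lambda ebx, ecx, edx: (pid, True),
        SYS_EXIT:   lambda ebx, ecx, edx: (ebx, False),  # exit code in EBX, stop the VM
    }

def replay_syscalls(trace, syscalls, log):
    """Drive the handler with a constructed list of (EAX, EBX) values, one per INT 0x80."""
    jitter, handler, out = FakeJitter(), make_int80_handler(syscalls, log), []
    for eax, ebx in trace:
        jitter.cpu.EAX, jitter.cpu.EBX = eax, ebx
        jitter.cpu.set_exception(PENDING_INT)
        keep_running = handler(jitter)
        out.append((jitter.cpu.EAX, jitter.cpu.exception, keep_running))
        if not keep_running:
            break
    return out
```

With miasm itself the same handler is registered the way the thread shows: myjit.add_exception_handler(EXCEPT_INT_XX, make_int80_handler(analyst_syscalls(), log)).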
from miasm.
Note: the discussion on the second issue continues on #184.
from miasm.
Yeah, that wasn't a good example, and I cannot find another one.
The problem comes when the shellcode is expecting a specific value, but even in the VM this cannot work since it is different from the target machine ...
from miasm.
Have you got a "good" example or the original shell code? (if you can share it with us)
from miasm.
I have not yet found a shellcode which generates such a problem.
So I'll close this issue, thank you for all the help you have given me!
from miasm.