lunixbochs / usercorn Goto Github PK

hooking insn_x86_syscall doesn't make any sense on arm/mips/etc.

could probably just make this an init function and remove the syscall hooks at root level.

identify stack variables pointing at the stack (or input/output buffer offset on the stack), automatically build a useful address chain for arbitrary memory control

look for obvious rops in return (instructions that return to no call site)

hello with printf: world
args (11):
01 @0x1000001 = "bins/x86_64.darwin.macho"
test: hi
strcmp: -11, 11, 01
file test 1: success

file test 2: success
success

Traceback (most recent call last):
File "_ctypes/callbacks.c", line 314, in 'calling callback function'
File "/usr/local/lib/python2.7/site-packages/unicorn/unicorn.py", line 249, in _hook_insn_syscall_cb
cb(self, data)
File "/Users/aegis/projects/usercorn/py/usercorn/cls.py", line 110, in hook_syscall
self.os.syscall(self.uc)
File "/Users/aegis/projects/usercorn/py/usercorn/arch/x64/darwin.py", line 26, in syscall
ret = syscalls.call(cls, SYSCALLS, num, lambda n: args[:n])
File "/Users/aegis/projects/usercorn/py/usercorn/syscalls.py", line 59, in call
return f(cls, *args) or 0
File "/Users/aegis/projects/usercorn/py/usercorn/syscalls.py", line 16, in write
return os.write(a1, cls.mem_read(a2, a3))
File "/usr/local/lib/python2.7/site-packages/unicorn/unicorn.py", line 189, in mem_read
data = ctypes.create_string_buffer(size)
File "/usr/local/Cellar/python/2.7.10_2/Frameworks/Python.framework/Versions/2.7/lib/python2.7/ctypes/init.py", line 65, in create_string_buffer
buftype = c_char * init
ValueError: Array length must be >= 0, not -17958193

• if type == EXEC, it's a normal executable
• if type == DYN, we mmap it somewhere
• also PT_INTERP gets vm_mmap()'d after elf_map runs and maps the whole elf
• so for exec'd linker, I need to start with DYN
• for INTERP ld-linux, I need to map the elf, then load and map the interpreter
• be careful to not map linker after the data segment so we can brk()

• support linux auxv
• support linux vdso
• support osx auxv equivalent (not sure 100% how the ABI plays out yet but dyld source is short)
• support osx commpage
• branch protect master when this is done and switch dev to an unstable branch

• Linux
  • x86-32
  • x86-64
  • arm
  • arm64
  • mips
• OS X
  • x86-32
  • x86-64
  • arm
  • arm64
  • ppc
• Windows ??
• DOS ??????????
• *BSD (use brandelf?)

invoke the interpreter to load dynamic libraries and stuff, then return or continue with hooks enabled at the real entry point

can also bound the addresses automatically based on increment vs store

array bound detection via accumulator too - if we're in a loop that's incrementing one or more memory addresses and affecting an accumulator in a proportional manner...

from a recorded trace, ability to select pages and slide across time - see register and memory state at specific time

annotate disassembler like ida with state of program at basic block entry, at register level, etc

"this instruction was hit 3000 times, with values X Y Z etc"

"this instruction touched these regions of memory [picture]" (with time slider to see when)

consider how different operating systems would map the binary
also look at literally copying offsets from /proc/self/maps

unicorn-engine/unicorn#149

Just need "is this your kind of file?", "symbolicate", and "return segments"?

this allows you to quickly glance down the row to compare values

how do I do breakpoints? dump an architecture specific trap at the target location?

Maybe have each loader return a list of symbols with Name string, Addr, Size uint64, Dynamic bool that get merged and handled by the Usercorn object.

run the program as normal, but trace specific memory access address(es), instructions

script a breakpoint and print buffers or registers at it, state diffing built in

depends on #7

every time we enter a new block, check the stack pointer
we can tell if we did ret or call based on this

I shouldn't need to maintain these by hand

• Linux/x86
• Linux/x86_64
• Linux/arm
• Linux/mips
• Linux/m68k
• Linux/sparc
• Darwin/x86
• Darwin/arm

If I don't read the data before passing to mem_write() (binascii.hexlify(data) works) I get a segfault.

https://github.com/lunixbochs/usercorn/blob/master/usercorn.py#L325

Need generic syscall backend and frontends to decode for each arch/OS pair.

haven't found a reproduction case, happens on both linux and osx

like esp + 0x4, ebp + 0x4, and [heap] + N, [libc.so.6] + N, etc

• Smoke test
• Travis

does cffi have this?

execution state on the left, registers and memory on the right

this is important for performance