
Comments (16)

fmonjalet avatar fmonjalet commented on May 9, 2024

Hi @bsmondal,

The examples in example/jitter are a good starting point for this kind of application. For instance, example/jitter/sandbox_pe_x86_32.py is a minimalistic example to execute a PE.

However, I wrote another example that shows how to retrieve a function's address from a PE's export table and execute it (here it is atoi in msvcrt.dll):

#!/usr/bin/env python

from miasm2.analysis.sandbox import Sandbox_Win_x86_32
from miasm2.jitter.csts import PAGE_READ, PAGE_WRITE

# Create a Sandbox: it is a helper class to manage platform-dependent objects
# easily: executable format (PE, ELF) and architecture (x86_32, x86_64,
# armb...)
parser = Sandbox_Win_x86_32.parser()
args = parser.parse_args()
sb = Sandbox_Win_x86_32("MSVCRT.DLL", args)
exe = sb.pe

# Get the virtual address of the function you want to execute from the PE's
# export table. The PE object is defined in elfesteem.pe (external lib).
atoi_addr = exe.DirExport.get_funcvirt("atoi")

# Map a page initialized with "\x00"*1000 to write a buffer of data
data_addr = 0x1000
sb.jitter.vm.add_memory_page(data_addr, PAGE_READ | PAGE_WRITE, "\x00"*1000)

# Write the string you want to atoi with a helper function that takes care of
# the final "\x00"
data = "42"
sb.jitter.set_str_ansi(data_addr, data)

print "Input:", repr(data), "\tType:", data.__class__

# Push the argument on the stack. Most functions in x86_32 receive args on the
# stack
sb.jitter.push_uint32_t(data_addr)
# Push a return address. This one is a hack, by default Sandbox places a
# breakpoint handler on 0x1337beef address, and this handler stops the
# execution. This is used to know when the function you called returns, and
# to stop the execution when it is the case. By default, it is pushed on the
# stack in Sandbox_Win_x86_32.__init__, but as we pushed a custom argument
# since, you have to push the return address again so that the stack is well
# formed for atoi.
sb.jitter.push_uint32_t(0x1337beef)
# Run from atoi address. You could run at any address of the binary, if no
# symbol is available you may find the function address with IDA or objdump
# and hardcode it here.
sb.run(atoi_addr)

# When atoi returns, it puts its return value in EAX (always the case in x86_32
# AFAIK)
result = sb.jitter.cpu.EAX

# The return is a long int, and it is 42. Awesome.
print "Result:", repr(result), "\tType:", result.__class__

You can use the same kind of pattern to retrieve the function address and symb exec it.

I hope this helps. Do not hesitate if you have any further questions! Some helper methods could be added here, but the code stays rather minimal.

Florent

from miasm.

commial avatar commial commented on May 9, 2024

Thanks to the complete answer of @fmonjalet, you should have the keys to continue.
Also, you can take a look at Sibyl, which uses this kind of functionality to call independent functions while testing different arguments / ABI.

Feel free to reopen this issue if this does not answer your question!


bsmondal avatar bsmondal commented on May 9, 2024

Hi @fmonjalet
I have got a complete idea from your example. Thanks for your quick response and such a good example.

But after running the example I am getting the following error.

$ python yourtestcode.py
Error:--------------------------------------------
Traceback (most recent call last):
  File "yourtestcode.py", line 11, in <module>
    sb = Sandbox_Win_x86_32("/home/osboxes/miasm/test/MSVCRT.DLL", args)
  File "/usr/local/lib/python2.7/dist-packages/miasm2/analysis/sandbox.py", line 325, in __init__
    Sandbox.__init__(self, *args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/miasm2/analysis/sandbox.py", line 51, in __init__
    cls.__init__(self)
  File "/usr/local/lib/python2.7/dist-packages/miasm2/analysis/sandbox.py", line 271, in __init__
    super(Arch_x86, self).__init__()
  File "/usr/local/lib/python2.7/dist-packages/miasm2/analysis/sandbox.py", line 145, in __init__
    self.jitter = self.machine.jitter(self.options.jitter)
  File "/usr/local/lib/python2.7/dist-packages/miasm2/arch/x86/jit.py", line 50, in __init__
    jitter.__init__(self, ir_x86_32(sp), *args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/miasm2/jitter/jitload.py", line 204, in __init__
    self.jit = JitCore_Tcc(self.ir_arch, self.bs)
NameError: global name 'JitCore_Tcc' is not defined


Maybe I am missing something. I am learning Python, though I am still not good enough. Can you help me out with this error?

Thank you for your time.


fmonjalet avatar fmonjalet commented on May 9, 2024

Hi,

It looks like Miasm has been installed without the tcc jitter. You may have had some log lines between "*****" saying that in the install log. This can happen when libtcc.so is not found. On my computer, it is located in /usr/local/lib64 (it may differ for you). Did you successfully install tcc with the good options (as indicated in the README) before installing Miasm? Is it found by Miasm during the installation? (it could also be a path issue.)

Edit: Do the Miasm tests pass? (cd test; python ./test_all.py)


bsmondal avatar bsmondal commented on May 9, 2024

Hi @fmonjalet ,

Thank you for your valuable time.
I again installed tcc and Miasm according to the documentation. I didn't get any error during installation. My libtcc.so file is located in /usr/local/lib. Then I ran the Miasm tests using python ./test_all.py. But I am getting an error message. Here I put the error message.
--------------------------------------- ERROR MESSAGE --------------------------------
FAIL:x86/unit/mn_strings.py
Traceback (most recent call last):
  File "x86/unit/mn_strings.py", line 48, in <module>
    [test()() for test in [Test_SCAS, Test_MOVS]]
  File "/home/briti/miasm/test/arch/x86/unit/asm_test.py", line 25, in __init__
    self.myjit = Machine("x86_32").jitter()
  File "/usr/local/lib/python2.7/dist-packages/miasm2/arch/x86/jit.py", line 50, in __init__
    jitter.__init__(self, ir_x86_32(sp), *args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/miasm2/jitter/jitload.py", line 204, in __init__
    self.jit = JitCore_Tcc(self.ir_arch, self.bs)

NameError: global name 'JitCore_Tcc' is not defined

Please let me know what I am doing wrong.
Thank you.


commial avatar commial commented on May 9, 2024

Hi @bsmondal,
You can try to remove the try... except ImportError statement (and keep only the import) in file miasm2/jitter/jitload.py, line 21:

try:
    from miasm2.jitter.jitcore_tcc import JitCore_Tcc
except ImportError:
    log.error('cannot import jit tcc')

And then reinstall Miasm and re-launch tests. That way, you'll obtain a more detailed error.

Waiting for your feedback.


bsmondal avatar bsmondal commented on May 9, 2024

Hi commial
Sorry for my previous version of the post. I didn't look into the error carefully, that's why I wrote that post. However, I followed your instructions and after re-launching the tests, I got the following error.


FAIL:x86/unit/mn_strings.py
Traceback (most recent call last):
  File "x86/unit/mn_strings.py", line 48, in <module>
    [test()() for test in [Test_SCAS, Test_MOVS]]
  File "/home/briti/miasm/test/arch/x86/unit/asm_test.py", line 25, in __init__
    self.myjit = Machine("x86_32").jitter()
  File "/usr/local/lib/python2.7/dist-packages/miasm2/analysis/machine.py", line 70, in __init__
    from miasm2.arch.x86 import arch, jit
  File "/usr/local/lib/python2.7/dist-packages/miasm2/arch/x86/jit.py", line 3, in <module>
    from miasm2.jitter.jitload import jitter, named_arguments
  File "/usr/local/lib/python2.7/dist-packages/miasm2/jitter/jitload.py", line 22, in <module>
    from miasm2.jitter.jitcore_tcc import JitCore_Tcc
  File "/usr/local/lib/python2.7/dist-packages/miasm2/jitter/jitcore_tcc.py", line 9, in <module>
    import Jittcc
ImportError: libtcc.so.1.0: cannot open shared object file: No such file or directory


Waiting for your feedback. Thank you.


commial avatar commial commented on May 9, 2024

Hi @bsmondal ,

Apparently, TCC is not fully installed. The error does not come from Miasm.
You can check if libtcc is findable (locate), you can try to refresh the libs thanks to ldconfig, and you can check that /usr/local/lib is actually in your lib path.

In addition, please check that you're using the good version of TCC (that is to say, rev d5e22108a0dc48899e44a158f91d5b3215eb7fe6).

It's an error depending on your system, your configuration and the way you've installed TCC. I'm not sure to be able to help you more than these few hints.

Hope it'll work!


bsmondal avatar bsmondal commented on May 9, 2024

Hi,
Thank you so much. After using "ldconfig", I have successfully managed to run it. Also lots of thanks to fmonjalet for your precious example for selective execution. It works perfectly.

However, after launching "test_all.py", I have got another issue. But I think it's not a major issue, because it succeeded at the end without any error.

If you can look into it.


Traceback (most recent call last):
  File "test_all.py", line 492, in <module>
    testset.run()
  File "/home/briti/miasm/test/utils/testset.py", line 230, in run
    self._messages_handler()
  File "/home/briti/miasm/test/utils/testset.py", line 108, in _messages_handler
    message = self.message_queue.get()
  File "/usr/lib/python2.7/multiprocessing/queues.py", line 117, in get
    res = self._recv()
IOError: [Errno 4] Interrupted system call


Thanks again for your effort and time.


fmonjalet avatar fmonjalet commented on May 9, 2024

Hi @bsmondal,

I'm glad it helped! For this issue, you can refer to PR #35, it is a bug in Python <= 2.7.5 or something. The best workaround is to run the tests with "-m" (monothread).

Happy miasming.


bsmondal avatar bsmondal commented on May 9, 2024

From your above example (execution of atoi in msvcrt.dll) I tried to run a function inside exe.

int power(int val)
{
    int res = val*val;
    return res;
}

The above power function was inside the exe. I extracted the starting address of that function using IDA Pro and the address was 0x401000. Then I modified your code to execute this function. Here I put the modified code.

#!/usr/bin/env python
from miasm2.analysis.sandbox import Sandbox_Win_x86_32
from miasm2.jitter.csts import PAGE_READ, PAGE_WRITE

parser = Sandbox_Win_x86_32.parser()
args = parser.parse_args()
sb = Sandbox_Win_x86_32("test.exe", args)
exe = sb.pe
#atoi_addr = exe.DirExport.get_funcvirt("charToInt")
atoi_addr = 0x401000
data_addr = 0x1000
sb.jitter.vm.add_memory_page(data_addr, PAGE_READ | PAGE_WRITE, "\x00"*1000)
data = 5
print "Input:", repr(data), "\tType:", data.__class__
sb.jitter.push_uint32_t(data_addr) 
sb.jitter.push_uint32_t(0x1337beef)
sb.run(atoi_addr)
result = sb.jitter.cpu.EAX
print "Result:", repr(result), "\tType:", result.__class__

The output of this execution is given below:

Input: 5    Type: <type 'int'>
Result: 320447265L  Type: <type 'long'>

Where expected output is 25. Could you please tell me why I am not getting the exact output.
Thank you for your time.


commial avatar commial commented on May 9, 2024

Firstly, what is your ABI? Stdcall?

Secondly, it seems you never use your variable named data.

If it is actually StdCall ABI, you should just push the value of data on the stack. You don't need to alloc a memory page here, there are no pointers at all.

Finally, can you use the example/disasm/full.py on this function to print out the actual assembly code?

If it doesn't solve your problem, please re-open the issue.


bsmondal avatar bsmondal commented on May 9, 2024

Thanks a lot again for your prompt reply. It was the StdCall ABI and your suggestion has worked perfectly. A few more questions: if I want to pass a single character or a double data type, then what should I do to push the data? I found that in jit.py Miasm has a few options: push_uint16_t, push_uint32_t and push_uint64_t, and all of these are for integers, if I am not wrong. Could you explain a little bit for the char type and double type?
For example, I want to pass 'A' and it will return me 64:

int charToInt(char ch)
{
    int val = ch;
    return val;
}
--------------------
data = 5
sb.jitter.push_------_t(data) 

Is there any good way to learn more about Miasm? Does it handle complex data types like struct and union for this type of selective execution? I am feeling a deep interest in it.
Thanks again and waiting for your valuable response.


serpilliere avatar serpilliere commented on May 9, 2024

In fact, the question of passing a char, long or a struct is not really a Miasm question: it's more of a compiler/ABI question, so a reverse engineering question. Miasm can manipulate every register/memory byte, so now you have to look at your assembly code to understand how it will handle its arguments.


commial avatar commial commented on May 9, 2024

To answer your second question, there is no way to handle "complex data type like struct and union" in Miasm.

It could be a useful feature, but as @serpilliere said, this is very dependent on the way your code handles them (are they packed, etc.).

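To make the ABI point from the last few comments concrete (push the value rather than a pointer, and how a char, a double or a by-value struct end up on the stack), here is an added example that is not code from the thread or from Miasm: a pure-Python helper that computes the 32-bit stack words an x86_32 stdcall/cdecl caller pushes, which is exactly the sequence of `sb.jitter.push_uint32_t` calls to make before pushing the 0x1337beef return address used in the scripts above. It assumes the usual MSVC/GCC x86_32 rules (arguments pushed right to left, each argument padded to 4-byte slots, double stored as 8 little-endian bytes, struct copied by value) and is written for Python 3; `push_args` takes any object with a `push_uint32_t` method, so a jitter or a fake.

```python
import struct

def arg_to_bytes(kind, value):
    """Encode one C argument as the bytes it occupies on the x86_32 stack."""
    if kind == "int":
        return struct.pack("<i", value)
    if kind == "uint":       # also used for pointers such as data_addr
        return struct.pack("<I", value)
    if kind == "char":       # 'A' -> low byte 0x41, slot widened to 4 bytes
        return struct.pack("<I", ord(value) & 0xff)
    if kind == "double":     # 8 bytes, IEEE-754, little-endian
        return struct.pack("<d", value)
    if kind == "struct":     # value is the already-packed struct bytes
        pad = (-len(value)) % 4
        return bytes(value) + b"\x00" * pad
    raise ValueError("unsupported kind: %s" % kind)

def stack_words(args):
    """Return the uint32 words to push, in push order, for a call f(*args).

    args is a list of (kind, value) pairs in C source order. The callee
    expects the first argument at the lowest address ([esp+4] once the
    return address is pushed), so the last argument goes first and a
    multi-word argument (double, struct) is pushed high word first.
    """
    words = []
    for kind, value in reversed(args):
        raw = arg_to_bytes(kind, value)
        dwords = [struct.unpack("<I", raw[i:i + 4])[0]
                  for i in range(0, len(raw), 4)]
        words.extend(reversed(dwords))
    return words

def push_args(jitter, args):
    """Push the arguments through the jitter's push_uint32_t (name from the
    thread); the caller then pushes the return address and runs the target."""
    words = stack_words(args)
    for word in words:
        jitter.push_uint32_t(word)
    return words

def eax_to_int(eax):
    """sb.jitter.cpu.EAX is an unsigned 32-bit value; reinterpret it as the
    C int the function returned (a double would come back in ST(0), not EAX)."""
    return struct.unpack("<i", struct.pack("<I", eax & 0xffffffff))[0]

if __name__ == "__main__":
    print(stack_words([("int", 5)]))                  # power(5): one word, 5
    print([hex(w) for w in stack_words([("char", "A"), ("double", 2.5)])])
    print(eax_to_int(0xFFFFFFFF))                      # a returned -1
```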

bsmondal avatar bsmondal commented on May 9, 2024

Thanks both of you. Hope after some analysis in this area I will come back again to you.
Have a nice time.

