本文整理汇总了Python中miasm2.analysis.machine.Machine.ira方法的典型用法代码示例。如果您正苦于以下问题:Python Machine.ira方法的具体用法?Python Machine.ira怎么用?Python Machine.ira使用的例子?那么恭喜您, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类miasm2.analysis.machine.Machine
的用法示例。
在下文中一共展示了Machine.ira方法的7个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: run
# 需要导入模块: from miasm2.analysis.machine import Machine [as 别名]
# 或者: from miasm2.analysis.machine.Machine import ira [as 别名]
def run(self):
# Architecture
architecture = False
if self.args.architecture:
architecture = self.args.architecture
else:
with open(self.args.filename) as fdesc:
architecture = ArchHeuristic(fdesc).guess()
if not architecture:
raise ValueError("Unable to recognize the architecture, please specify it")
if self.args.verbose:
print "Guessed architecture: %s" % architecture
cont = Container.from_stream(open(self.args.filename))
machine = Machine(architecture)
addr_size = machine.ira().pc.size / 4
fh = FuncHeuristic(cont, machine)
# Enable / disable heuristics
for name in self.args.enable_heuristic:
heur = fh.name2heuristic(name)
if heur not in fh.heuristics:
fh.heuristics.append(heur)
for name in self.args.disable_heuristic:
heur = fh.name2heuristic(name)
fh.heuristics.remove(heur)
if self.args.verbose:
print "Heuristics to run: %s" % ", ".join(fh.heuristic_names)
# Launch guess
fmt = "0x{:0%dx}" % addr_size
for addr in fh.guess():
print fmt.format(addr)
示例2: Machine
# 需要导入模块: from miasm2.analysis.machine import Machine [as 别名]
# 或者: from miasm2.analysis.machine.Machine import ira [as 别名]
cont = Container.from_stream(fstream)
arch = args.architecture if args.architecture else cont.arch
machine = Machine(arch)
# Check elements
elements = set()
regs = machine.mn.regs.all_regs_ids_byname
for element in args.element:
try:
elements.add(regs[element])
except KeyError:
raise ValueError("Unknown element '%s'" % element)
mdis = machine.dis_engine(cont.bin_stream, dont_dis_nulstart_bloc=True)
ir_arch = machine.ira(mdis.symbol_pool)
# Common argument forms
init_ctx = {}
if args.rename_args:
if arch == "x86_32":
# StdCall example
for i in xrange(4):
e_mem = ExprMem(ExprId("ESP_init") + ExprInt32(4 * (i + 1)), 32)
init_ctx[e_mem] = ExprId("arg%d" % i)
# Disassemble the targeted function
blocks = mdis.dis_multibloc(int(args.func_addr, 0))
# Generate IR
for block in blocks:
示例3: Machine
# 需要导入模块: from miasm2.analysis.machine import Machine [as 别名]
# 或者: from miasm2.analysis.machine.Machine import ira [as 别名]
START_ADDR = 0
machine = Machine("x86_32")
# Assemble and disassemble a MOV
## Ensure that attributes 'offset' and 'l' are set
line = machine.mn.fromstring("MOV EAX, EBX", 32)
asm = machine.mn.asm(line)[0]
# Get back block
bin_stream = bin_stream_str(asm)
mdis = machine.dis_engine(bin_stream)
asm_block = mdis.dis_bloc(START_ADDR)
# Translate ASM -> IR
ira = machine.ira(mdis.symbol_pool)
ira.add_bloc(asm_block)
# Instanciate a Symbolic Execution engine with default value for registers
## EAX = EAX_init, ...
symbols_init = ira.arch.regs.regs_init
symb = SymbolicExecutionEngine(ira, symbols_init)
# Emulate one IR basic block
## Emulation of several basic blocks can be done through .emul_ir_blocks
cur_addr = symb.emul_ir_block(START_ADDR)
# Modified elements
print 'Modified registers:'
symb.dump_id()
print 'Modified memory (should be empty):'
示例4: Machine
# 需要导入模块: from miasm2.analysis.machine import Machine [as 别名]
# 或者: from miasm2.analysis.machine.Machine import ira [as 别名]
cont = Container.from_stream(fstream)
arch = args.architecture if args.architecture else cont.arch
machine = Machine(arch)
# Check elements
elements = set()
regs = machine.mn.regs.all_regs_ids_byname
for element in args.element:
try:
elements.add(regs[element])
except KeyError:
raise ValueError("Unknown element '%s'" % element)
mdis = machine.dis_engine(cont.bin_stream, dont_dis_nulstart_bloc=True)
ir_arch = machine.ira(mdis.loc_db)
# Common argument forms
init_ctx = {}
if args.rename_args:
if arch == "x86_32":
# StdCall example
for i in xrange(4):
e_mem = ExprMem(ExprId("ESP_init", 32) + ExprInt(4 * (i + 1), 32), 32)
init_ctx[e_mem] = ExprId("arg%d" % i, 32)
# Disassemble the targeted function
asmcfg = mdis.dis_multiblock(int(args.func_addr, 0))
# Generate IR
ircfg = ir_arch.new_ircfg_from_asmcfg(asmcfg)
示例5: ExtractRef
# 需要导入模块: from miasm2.analysis.machine import Machine [as 别名]
# 或者: from miasm2.analysis.machine.Machine import ira [as 别名]
class ExtractRef(object):
'''
Class used to concolic run a snapshot and extract references to input
'''
def __init__(self, testcreator, replayed_snapshot):
'''
@testcreator: TestCreator instance with associated information
@replayed_snapshot: snapshot to be used
'''
self.isFuncFound = False
self.filename = testcreator.program
self.learned_addr = testcreator.address
self.snapshot = replayed_snapshot
self.replayexception = []
self.abicls = testcreator.abicls
self.machine = Machine(testcreator.machine)
self.ira = self.machine.ira()
self.ptr_size = self.ira.sizeof_pointer()/8
self.types = testcreator.types
self.prototype = testcreator.prototype
self.logger = testcreator.logger
def use_snapshot(self, jitter):
'''Initilize the VM with the snapshot informations'''
for reg, value in self.snapshot.input_reg.iteritems():
setattr(jitter.cpu, reg, value)
# Set values for input memory
for addr, mem in self.snapshot.in_memory.iteritems():
assert mem.access != 0
if not jitter.vm.is_mapped(addr, mem.size):
jitter.vm.add_memory_page(addr, mem.access, mem.data)
else:
if jitter.vm.get_mem_access(addr) & 0b11 == mem.access & 0b11:
jitter.vm.set_mem(addr, mem.data)
else:
# TODO memory page is already set but have not the
# same access right. However delete page does not
# exist
jitter.vm.set_mem(addr, mem.data)
def compare_snapshot(self, jitter):
'''Compare the expected result with the real one to determine if the function is recognize or not'''
func_found = True
for reg, value in self.snapshot.output_reg.iteritems():
if value != getattr(jitter.cpu, reg):
self.replayexception += ["output register %s wrong : %i expected, %i found" % (reg, value, getattr(jitter.cpu, reg))]
func_found = False
for addr, mem in self.snapshot.out_memory.iteritems():
self.logger.debug("Check @%s, %s bytes: %r", hex(addr), hex(mem.size), mem.data[:0x10])
if mem.data != jitter.vm.get_mem(addr, mem.size):
self.replayexception += ["output memory wrong at 0x%x: %s expected, %s found" % (addr + offset, repr(mem.data), repr(jitter.vm.get_mem(addr + offset, mem.size)))]
func_found = False
return func_found
def end_func(self, jitter):
if jitter.vm.is_mapped(getattr(jitter.cpu, self.ira.ret_reg.name), 1):
self.replayexception += ["return value might be a pointer"]
self.isFuncFound = self.compare_snapshot(jitter)
jitter.run = False
return False
def is_pointer(self, expr):
"""Return True if expr may be a pointer"""
target_types = expr_to_types(self.c_handler, expr)
return any(objc_is_dereferenceable(target_type)
for target_type in target_types)
def is_symbolic(self, expr):
return expr.is_mem() and not expr.arg.is_int()
def get_arg_n(self, arg_number):
"""Return the Expression corresponding to the argument number
@arg_number"""
# TODO use abicls
abi_order = ["RDI", "RSI", "RDX", "RCX", "R8", "R9"]
size = 64
sp = m2_expr.ExprId("RSP", 64)
if arg_number < len(abi_order):
return m2_expr.ExprId(abi_order[arg_number], size)
else:
destack = (arg_number - len(abi_order) + 1)
return m2_expr.ExprMem(sp + m2_expr.ExprInt(destack * size / 8,
size),
size)
def callback(self, jitter):
# Check previous state
# When it is possible, consider only elements modified in the last run
# -> speed up to avoid browsing the whole memory
to_consider = self.symb.modified_exprs
#.........这里部分代码省略.........
示例6: Replay
# 需要导入模块: from miasm2.analysis.machine import Machine [as 别名]
# 或者: from miasm2.analysis.machine.Machine import ira [as 别名]
class Replay(object):
'''
Class used to run a snapshot and check that it recognize or not a given function code
Potential replay errors are stored in self.learnexception
'''
def __init__(self, testcreator, replayed_snapshot):
'''
@testcreator: TestCreator instance with associated information
@replayed_snapshot: snapshot to be used
'''
self.isFuncFound = False
self.filename = testcreator.program
self.learned_addr = testcreator.address
self.snapshot = replayed_snapshot
self.replayexception = []
self.abicls = testcreator.abicls
self.machine = Machine(testcreator.machine)
self.trace = testcreator.trace
self.logger = testcreator.logger
self.ira = self.machine.ira()
self.ptr_size = self.ira.sizeof_pointer()/8
def use_snapshot(self, jitter):
'''Initilize the VM with the snapshot informations'''
for reg, value in self.snapshot.input_reg.iteritems():
setattr(jitter.cpu, reg, value)
# Set values for input memory
for addr, mem in self.snapshot.in_memory.iteritems():
assert mem.access != 0
if not jitter.vm.is_mapped(addr, mem.size):
jitter.vm.add_memory_page(addr, mem.access, mem.data)
else:
if jitter.vm.get_mem_access(addr) & 0b11 == mem.access & 0b11:
jitter.vm.set_mem(addr, mem.data)
else:
# TODO memory page is already set but have not the
# same access right. However delete page does not
# exist
jitter.vm.set_mem(addr, mem.data)
def compare_snapshot(self, jitter):
'''Compare the expected result with the real one to determine if the function is recognize or not'''
func_found = True
for reg, value in self.snapshot.output_reg.iteritems():
if value != getattr(jitter.cpu, reg):
self.replayexception += ["output register %s wrong : %i expected, %i found" % (reg, value, getattr(jitter.cpu, reg))]
func_found = False
for addr, mem in self.snapshot.out_memory.iteritems():
self.logger.debug("Check @%s, %s bytes: %r", hex(addr), hex(mem.size), mem.data[:0x10])
if mem.data != jitter.vm.get_mem(addr, mem.size):
self.replayexception += ["output memory wrong at 0x%x: %s expected, %s found" % (addr + offset, repr(mem.data), repr(jitter.vm.get_mem(addr + offset, mem.size)))]
func_found = False
return func_found
def end_func(self, jitter):
if jitter.vm.is_mapped(getattr(jitter.cpu, self.ira.ret_reg.name), 1):
self.replayexception += ["return value might be a pointer"]
self.isFuncFound = self.compare_snapshot(jitter)
jitter.run = False
return False
def run(self):
'''Main function that is in charge of running the test and return the result:
true if the snapshot has recognized the function, false else.'''
# Retrieve miasm tools
jitter = self.machine.jitter(config.miasm_engine)
vm_load_elf(jitter.vm, open(self.filename, "rb").read())
# Init segment
jitter.ir_arch.do_stk_segm = True
jitter.ir_arch.do_ds_segm = True
jitter.ir_arch.do_str_segm = True
jitter.ir_arch.do_all_segm = True
FS_0_ADDR = 0x7ff70000
jitter.cpu.FS = 0x4
jitter.cpu.set_segm_base(jitter.cpu.FS, FS_0_ADDR)
jitter.vm.add_memory_page(
FS_0_ADDR + 0x28, PAGE_READ, "\x42\x42\x42\x42\x42\x42\x42\x42", "Stack canary FS[0x28]")
# Init the jitter with the snapshot
self.use_snapshot(jitter)
# Get the return address for our breakpoint
return_addr = struct.unpack("P", jitter.vm.get_mem(jitter.cpu.RSP,
0x8))[0]
jitter.add_breakpoint(return_addr, self.end_func)
# Run the execution
jitter.init_run(self.learned_addr)
#.........这里部分代码省略.........
示例7: Machine
# 需要导入模块: from miasm2.analysis.machine import Machine [as 别名]
# 或者: from miasm2.analysis.machine.Machine import ira [as 别名]
machine = Machine("x86_32")
loc_db = LocationDB()
# Assemble and disassemble a MOV
## Ensure that attributes 'offset' and 'l' are set
line = machine.mn.fromstring("MOV EAX, EBX", loc_db, 32)
asm = machine.mn.asm(line)[0]
# Get back block
bin_stream = bin_stream_str(asm)
mdis = machine.dis_engine(bin_stream, loc_db=loc_db)
mdis.lines_wd = 1
asm_block = mdis.dis_block(START_ADDR)
# Translate ASM -> IR
ira = machine.ira(mdis.loc_db)
ircfg = ira.new_ircfg()
ira.add_asmblock_to_ircfg(asm_block, ircfg)
# Instanciate a Symbolic Execution engine with default value for registers
symb = SymbolicExecutionEngine(ira)
# Emulate one IR basic block
## Emulation of several basic blocks can be done through .emul_ir_blocks
cur_addr = symb.run_at(ircfg, START_ADDR)
# Modified elements
print 'Modified registers:'
symb.dump(mems=False)
print 'Modified memory (should be empty):'
symb.dump(ids=False)