当前位置: 首页>>代码示例>>Python>>正文


Python Machine.ira方法代码示例

本文整理汇总了Python中miasm2.analysis.machine.Machine.ira方法的典型用法代码示例。如果您正苦于以下问题:Python Machine.ira方法的具体用法?Python Machine.ira怎么用?Python Machine.ira使用的例子?那么恭喜您, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在miasm2.analysis.machine.Machine的用法示例。


在下文中一共展示了Machine.ira方法的7个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。

示例1: run

# 需要导入模块: from miasm2.analysis.machine import Machine [as 别名]
# 或者: from miasm2.analysis.machine.Machine import ira [as 别名]
    def run(self):
        # Architecture
        architecture = False
        if self.args.architecture:
            architecture = self.args.architecture
        else:
            with open(self.args.filename) as fdesc:
                architecture = ArchHeuristic(fdesc).guess()
            if not architecture:
                raise ValueError("Unable to recognize the architecture, please specify it")
            if self.args.verbose:
                print "Guessed architecture: %s" % architecture

        cont = Container.from_stream(open(self.args.filename))
        machine = Machine(architecture)
        addr_size = machine.ira().pc.size / 4
        fh = FuncHeuristic(cont, machine)

        # Enable / disable heuristics
        for name in self.args.enable_heuristic:
            heur = fh.name2heuristic(name)
            if heur not in fh.heuristics:
                fh.heuristics.append(heur)
        for name in self.args.disable_heuristic:
            heur = fh.name2heuristic(name)
            fh.heuristics.remove(heur)

        if self.args.verbose:
            print "Heuristics to run: %s" % ", ".join(fh.heuristic_names)


        # Launch guess
        fmt = "0x{:0%dx}" % addr_size
        for addr in fh.guess():
            print fmt.format(addr)
开发者ID:commial,项目名称:Sibyl,代码行数:37,代码来源:func.py

示例2: Machine

# 需要导入模块: from miasm2.analysis.machine import Machine [as 别名]
# 或者: from miasm2.analysis.machine.Machine import ira [as 别名]
    cont = Container.from_stream(fstream)

arch = args.architecture if args.architecture else cont.arch
machine = Machine(arch)

# Check elements
elements = set()
regs = machine.mn.regs.all_regs_ids_byname
for element in args.element:
    try:
        elements.add(regs[element])
    except KeyError:
        raise ValueError("Unknown element '%s'" % element)

mdis = machine.dis_engine(cont.bin_stream, dont_dis_nulstart_bloc=True)
ir_arch = machine.ira(mdis.symbol_pool)

# Common argument forms
init_ctx = {}
if args.rename_args:
    if arch == "x86_32":
        # StdCall example
        for i in xrange(4):
            e_mem = ExprMem(ExprId("ESP_init") + ExprInt32(4 * (i + 1)), 32)
            init_ctx[e_mem] = ExprId("arg%d" % i)

# Disassemble the targeted function
blocks = mdis.dis_multibloc(int(args.func_addr, 0))

# Generate IR
for block in blocks:
开发者ID:Junraa,项目名称:miasm,代码行数:33,代码来源:depgraph.py

示例3: Machine

# 需要导入模块: from miasm2.analysis.machine import Machine [as 别名]
# 或者: from miasm2.analysis.machine.Machine import ira [as 别名]
START_ADDR = 0
machine = Machine("x86_32")

# Assemble and disassemble a MOV
## Ensure that attributes 'offset' and 'l' are set
line = machine.mn.fromstring("MOV EAX, EBX", 32)
asm = machine.mn.asm(line)[0]

# Get back block
bin_stream = bin_stream_str(asm)
mdis = machine.dis_engine(bin_stream)
asm_block = mdis.dis_bloc(START_ADDR)

# Translate ASM -> IR
ira = machine.ira(mdis.symbol_pool)
ira.add_bloc(asm_block)

# Instanciate a Symbolic Execution engine with default value for registers
## EAX = EAX_init, ...
symbols_init = ira.arch.regs.regs_init
symb = SymbolicExecutionEngine(ira, symbols_init)

# Emulate one IR basic block
## Emulation of several basic blocks can be done through .emul_ir_blocks
cur_addr = symb.emul_ir_block(START_ADDR)

# Modified elements
print 'Modified registers:'
symb.dump_id()
print 'Modified memory (should be empty):'
开发者ID:carolineLe,项目名称:miasm,代码行数:32,代码来源:single_instr.py

示例4: Machine

# 需要导入模块: from miasm2.analysis.machine import Machine [as 别名]
# 或者: from miasm2.analysis.machine.Machine import ira [as 别名]
    cont = Container.from_stream(fstream)

arch = args.architecture if args.architecture else cont.arch
machine = Machine(arch)

# Check elements
elements = set()
regs = machine.mn.regs.all_regs_ids_byname
for element in args.element:
    try:
        elements.add(regs[element])
    except KeyError:
        raise ValueError("Unknown element '%s'" % element)

mdis = machine.dis_engine(cont.bin_stream, dont_dis_nulstart_bloc=True)
ir_arch = machine.ira(mdis.loc_db)

# Common argument forms
init_ctx = {}
if args.rename_args:
    if arch == "x86_32":
        # StdCall example
        for i in xrange(4):
            e_mem = ExprMem(ExprId("ESP_init", 32) + ExprInt(4 * (i + 1), 32), 32)
            init_ctx[e_mem] = ExprId("arg%d" % i, 32)

# Disassemble the targeted function
asmcfg = mdis.dis_multiblock(int(args.func_addr, 0))

# Generate IR
ircfg = ir_arch.new_ircfg_from_asmcfg(asmcfg)
开发者ID:commial,项目名称:miasm,代码行数:33,代码来源:depgraph.py

示例5: ExtractRef

# 需要导入模块: from miasm2.analysis.machine import Machine [as 别名]
# 或者: from miasm2.analysis.machine.Machine import ira [as 别名]
class ExtractRef(object):
    '''
    Class used to concolic run a snapshot and extract references to input
    '''

    def __init__(self, testcreator, replayed_snapshot):
        '''
        @testcreator: TestCreator instance with associated information
        @replayed_snapshot: snapshot to be used
        '''
        self.isFuncFound = False
        self.filename = testcreator.program
        self.learned_addr = testcreator.address
        self.snapshot = replayed_snapshot
        self.replayexception = []
        self.abicls = testcreator.abicls
        self.machine = Machine(testcreator.machine)
        self.ira = self.machine.ira()
        self.ptr_size = self.ira.sizeof_pointer()/8
        self.types = testcreator.types
        self.prototype = testcreator.prototype
        self.logger = testcreator.logger

    def use_snapshot(self, jitter):
        '''Initilize the VM with the snapshot informations'''
        for reg, value in self.snapshot.input_reg.iteritems():
            setattr(jitter.cpu, reg, value)

        # Set values for input memory
        for addr, mem in self.snapshot.in_memory.iteritems():
            assert mem.access != 0
            if not jitter.vm.is_mapped(addr, mem.size):
                jitter.vm.add_memory_page(addr, mem.access, mem.data)
            else:
                if jitter.vm.get_mem_access(addr) & 0b11 == mem.access & 0b11:
                    jitter.vm.set_mem(addr, mem.data)
                else:
                    # TODO memory page is already set but have not the
                    # same access right. However delete page does not
                    # exist
                    jitter.vm.set_mem(addr, mem.data)

    def compare_snapshot(self, jitter):
        '''Compare the expected result with the real one to determine if the function is recognize or not'''
        func_found = True

        for reg, value in self.snapshot.output_reg.iteritems():
            if value != getattr(jitter.cpu, reg):
                self.replayexception += ["output register %s wrong : %i expected, %i found" % (reg, value, getattr(jitter.cpu, reg))]
                func_found = False

        for addr, mem in self.snapshot.out_memory.iteritems():
            self.logger.debug("Check @%s, %s bytes: %r", hex(addr), hex(mem.size), mem.data[:0x10])
            if mem.data != jitter.vm.get_mem(addr, mem.size):
                self.replayexception += ["output memory wrong at 0x%x: %s expected, %s found" % (addr + offset, repr(mem.data), repr(jitter.vm.get_mem(addr + offset, mem.size)))]
                func_found = False

        return func_found

    def end_func(self, jitter):
        if jitter.vm.is_mapped(getattr(jitter.cpu, self.ira.ret_reg.name), 1):
            self.replayexception += ["return value might be a pointer"]

        self.isFuncFound = self.compare_snapshot(jitter)

        jitter.run = False
        return False

    def is_pointer(self, expr):
        """Return True if expr may be a pointer"""
        target_types = expr_to_types(self.c_handler, expr)

        return any(objc_is_dereferenceable(target_type)
                   for target_type in target_types)

    def is_symbolic(self, expr):
        return expr.is_mem() and not expr.arg.is_int()

    def get_arg_n(self, arg_number):
        """Return the Expression corresponding to the argument number
        @arg_number"""
        # TODO use abicls
        abi_order = ["RDI", "RSI", "RDX", "RCX", "R8", "R9"]
        size = 64
        sp = m2_expr.ExprId("RSP", 64)
        if arg_number < len(abi_order):
            return m2_expr.ExprId(abi_order[arg_number], size)
        else:
            destack = (arg_number - len(abi_order) + 1)
            return m2_expr.ExprMem(sp + m2_expr.ExprInt(destack * size / 8,
                                                        size),
                                   size)

    def callback(self, jitter):

        # Check previous state

        # When it is possible, consider only elements modified in the last run
        # -> speed up to avoid browsing the whole memory
        to_consider = self.symb.modified_exprs
#.........这里部分代码省略.........
开发者ID:serpilliere,项目名称:Sibyl,代码行数:103,代码来源:findref.py

示例6: Replay

# 需要导入模块: from miasm2.analysis.machine import Machine [as 别名]
# 或者: from miasm2.analysis.machine.Machine import ira [as 别名]
class Replay(object):
    '''
    Class used to run a snapshot and check that it recognize or not a given function code
    Potential replay errors are stored in self.learnexception
    '''

    def __init__(self, testcreator, replayed_snapshot):
        '''
        @testcreator: TestCreator instance with associated information
        @replayed_snapshot: snapshot to be used
        '''
        self.isFuncFound = False
        self.filename = testcreator.program
        self.learned_addr = testcreator.address
        self.snapshot = replayed_snapshot
        self.replayexception = []
        self.abicls = testcreator.abicls
        self.machine = Machine(testcreator.machine)
        self.trace = testcreator.trace
        self.logger = testcreator.logger
        self.ira = self.machine.ira()
        self.ptr_size = self.ira.sizeof_pointer()/8

    def use_snapshot(self, jitter):
        '''Initilize the VM with the snapshot informations'''
        for reg, value in self.snapshot.input_reg.iteritems():
            setattr(jitter.cpu, reg, value)

        # Set values for input memory
        for addr, mem in self.snapshot.in_memory.iteritems():
            assert mem.access != 0
            if not jitter.vm.is_mapped(addr, mem.size):
                jitter.vm.add_memory_page(addr, mem.access, mem.data)
            else:
                if jitter.vm.get_mem_access(addr) & 0b11 == mem.access & 0b11:
                    jitter.vm.set_mem(addr, mem.data)
                else:
                    # TODO memory page is already set but have not the
                    # same access right. However delete page does not
                    # exist
                    jitter.vm.set_mem(addr, mem.data)

    def compare_snapshot(self, jitter):
        '''Compare the expected result with the real one to determine if the function is recognize or not'''
        func_found = True

        for reg, value in self.snapshot.output_reg.iteritems():
            if value != getattr(jitter.cpu, reg):
                self.replayexception += ["output register %s wrong : %i expected, %i found" % (reg, value, getattr(jitter.cpu, reg))]
                func_found = False

        for addr, mem in self.snapshot.out_memory.iteritems():
            self.logger.debug("Check @%s, %s bytes: %r", hex(addr), hex(mem.size), mem.data[:0x10])
            if mem.data != jitter.vm.get_mem(addr, mem.size):
                self.replayexception += ["output memory wrong at 0x%x: %s expected, %s found" % (addr + offset, repr(mem.data), repr(jitter.vm.get_mem(addr + offset, mem.size)))]
                func_found = False

        return func_found

    def end_func(self, jitter):
        if jitter.vm.is_mapped(getattr(jitter.cpu, self.ira.ret_reg.name), 1):
            self.replayexception += ["return value might be a pointer"]

        self.isFuncFound = self.compare_snapshot(jitter)

        jitter.run = False
        return False

    def run(self):
        '''Main function that is in charge of running the test and return the result:
        true if the snapshot has recognized the function, false else.'''

        # Retrieve miasm tools
        jitter = self.machine.jitter(config.miasm_engine)

        vm_load_elf(jitter.vm, open(self.filename, "rb").read())

        # Init segment
        jitter.ir_arch.do_stk_segm = True
        jitter.ir_arch.do_ds_segm = True
        jitter.ir_arch.do_str_segm = True
        jitter.ir_arch.do_all_segm = True

        FS_0_ADDR = 0x7ff70000
        jitter.cpu.FS = 0x4
        jitter.cpu.set_segm_base(jitter.cpu.FS, FS_0_ADDR)
        jitter.vm.add_memory_page(
            FS_0_ADDR + 0x28, PAGE_READ, "\x42\x42\x42\x42\x42\x42\x42\x42", "Stack canary FS[0x28]")

        # Init the jitter with the snapshot
        self.use_snapshot(jitter)

        # Get the return address for our breakpoint
        return_addr = struct.unpack("P", jitter.vm.get_mem(jitter.cpu.RSP,
                                                           0x8))[0]
        jitter.add_breakpoint(return_addr, self.end_func)

        # Run the execution
        jitter.init_run(self.learned_addr)

#.........这里部分代码省略.........
开发者ID:cea-sec,项目名称:Sibyl,代码行数:103,代码来源:replay.py

示例7: Machine

# 需要导入模块: from miasm2.analysis.machine import Machine [as 别名]
# 或者: from miasm2.analysis.machine.Machine import ira [as 别名]
machine = Machine("x86_32")
loc_db = LocationDB()

# Assemble and disassemble a MOV
## Ensure that attributes 'offset' and 'l' are set
line = machine.mn.fromstring("MOV EAX, EBX", loc_db, 32)
asm = machine.mn.asm(line)[0]

# Get back block
bin_stream = bin_stream_str(asm)
mdis = machine.dis_engine(bin_stream, loc_db=loc_db)
mdis.lines_wd = 1
asm_block = mdis.dis_block(START_ADDR)

# Translate ASM -> IR
ira = machine.ira(mdis.loc_db)
ircfg = ira.new_ircfg()
ira.add_asmblock_to_ircfg(asm_block, ircfg)

# Instanciate a Symbolic Execution engine with default value for registers
symb = SymbolicExecutionEngine(ira)

# Emulate one IR basic block
## Emulation of several basic blocks can be done through .emul_ir_blocks
cur_addr = symb.run_at(ircfg, START_ADDR)

# Modified elements
print 'Modified registers:'
symb.dump(mems=False)
print 'Modified memory (should be empty):'
symb.dump(ids=False)
开发者ID:commial,项目名称:miasm,代码行数:33,代码来源:single_instr.py


注:本文中的miasm2.analysis.machine.Machine.ira方法示例由纯净天空整理自Github/MSDocs等开源代码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。