练习使用Unicorn、Capstone
Unicorn是一个轻量级的多平台,多体系结构的CPU仿真器框架。官网:http://www.unicorn-engine.org/
Capstone是一个轻量级的多平台,多体系结构的反汇编框架。官网:http://www.capstone-engine.org/
参考:https://bbs.pediy.com/thread-224330.htm
练习:分析混淆的shllcode
shellcode=b"\xe8\xff\xff\xff\xff\xc0\x5d\x6a\x05\x5b\x29\xdd\x83\xc5\x4e\x89\xe9\x6a\x02\x03\x0c\x24\x5b\x31\xd2\x66\xba\x12\x00\x8b\x39\xc1\xe7\x10\xc1\xef\x10\x81\xe9\xfe\xff\xff\xff\x8b\x45\x00\xc1\xe0\x10\xc1\xe8\x10\x89\xc3\x09\xfb\x21\xf8\xf7\xd0\x21\xd8\x66\x89\x45\x00\x83\xc5\x02\x4a\x85\xd2\x0f\x85\xcf\xff\xff\xff\xec\x37\x75\x5d\x7a\x05\x28\xed\x24\xed\x24\xed\x0b\x88\x7f\xeb\x50\x98\x38\xf9\x5c\x96\x2b\x96\x70\xfe\xc6\xff\xc6\xff\x9f\x32\x1f\x58\x1e\x00\xd3\x80"
使用capstone反汇编:
from capstone import*
md=Cs(CS_ARCH_X86,CS_MODE_32)//初始化,指定处理器架构
shellcode = b"\xe8\xff\xff\xff\xff\xc0\x5d\x6a\x05\x5b\x29\xdd\x83\xc5\x4e\x89\xe9\x6a\x02\x03\x0c\x24\x5b\x31\xd2\x66\xba\x12\x00\x8b\x39\xc1\xe7\x10\xc1\xef\x10\x81\xe9\xfe\xff\xff\xff\x8b\x45\x00\xc1\xe0\x10\xc1\xe8\x10\x89\xc3\x09\xfb\x21\xf8\xf7\xd0\x21\xd8\x66\x89\x45\x00\x83\xc5\x02\x4a\x85\xd2\x0f\x85\xcf\xff\xff\xff\xec\x37\x75\x5d\x7a\x05\x28\xed\x24\xed\x24\xed\x0b\x88\x7f\xeb\x50\x98\x38\xf9\x5c\x96\x2b\x96\x70\xfe\xc6\xff\xc6\xff\x9f\x32\x1f\x58\x1e\x00\xd3\x80"
for code in md.disasm(shellcode,0x0):
print("0x%x:\t%s\t%s"%(code.address,code.mnemonic,code.op_str))
反汇编结果:
0x0: call 4
0x5: rcr byte ptr [ebp + 0x6a], 5
0x9: pop ebx
0xa: sub ebp, ebx
0xc: add ebp, 0x4e
0xf: mov ecx, ebp
0x11: push 2
0x13: add ecx, dword ptr [esp]
0x16: pop ebx
0x17: xor edx, edx
0x19: mov dx, 0x12
0x1d: mov edi, dword ptr [ecx]
0x1f: shl edi, 0x10
0x22: shr edi, 0x10
0x25: sub ecx, 0xfffffffe
0x2b: mov eax, dword ptr [ebp]
0x2e: shl eax, 0x10
0x31: shr eax, 0x10
0x34: mov ebx, eax
0x36: or ebx, edi
0x38: and eax, edi
0x3a: not eax
0x3c: and eax, ebx
0x3e: mov word ptr [ebp], ax
0x42: add ebp, 2
0x45: dec edx
0x46: test edx, edx
0x48: jne 0x1d
0x4e: in al, dx
0x4f: aaa
0x50: jne 0xaf
0x52: jp 0x59
0x54: sub ch, ch
0x56: and al, 0xed
0x58: and al, 0xed
0x5a: or ecx, dword ptr [eax - 0x67af1481]
0x60: cmp cl, bh
0x62: pop esp
0x63: xchg eax, esi
0x64: sub edx, dword ptr [esi - 0x390190]
下面使用unicorn模拟执行
from unicorn import *
from unicorn.x86_const import *
from capstone import*
md=Cs(CS_ARCH_X86,CS_MODE_32)#初始化反汇编
BASE = 0x400000
STACK_ADDR = 0x0
STACK_SIZE = 1024 * 1024 mu = Uc(UC_ARCH_X86, UC_MODE_32)#初始化 mu.mem_map(BASE, 1024 * 1024)#开辟模拟运行的映射空间
mu.mem_map(STACK_ADDR, STACK_SIZE)#栈空间
shellcode = b"\xe8\xff\xff\xff\xff\xc0\x5d\x6a\x05\x5b\x29\xdd\x83\xc5\x4e\x89\xe9\x6a\x02\x03\x0c\x24\x5b\x31\xd2\x66\xba\x12\x00\x8b\x39\xc1\xe7\x10\xc1\xef\x10\x81\xe9\xfe\xff\xff\xff\x8b\x45\x00\xc1\xe0\x10\xc1\xe8\x10\x89\xc3\x09\xfb\x21\xf8\xf7\xd0\x21\xd8\x66\x89\x45\x00\x83\xc5\x02\x4a\x85\xd2\x0f\x85\xcf\xff\xff\xff\xec\x37\x75\x5d\x7a\x05\x28\xed\x24\xed\x24\xed\x0b\x88\x7f\xeb\x50\x98\x38\xf9\x5c\x96\x2b\x96\x70\xfe\xc6\xff\xc6\xff\x9f\x32\x1f\x58\x1e\x00\xd3\x80"
mu.mem_write(BASE, shellcode)//载入需模拟的代码指令
mu.reg_write(UC_X86_REG_ESP, STACK_ADDR + STACK_SIZE // 2)#设置栈指针 def syscall_num_to_name(num):
syscalls = {1: "sys_exit", 15: "sys_chmod"}
return syscalls[num] def hook_code(mu, address, size, user_data):#hook代码 # print('>>> Tracing instruction at 0x%x, instruction size = 0x%x' %(address, size)) machine_code = mu.mem_read(address, size)
for code in md.disasm(machine_code,address):
print(" 0x%x:\t%s\t%s" % (code.address, code.mnemonic, code.op_str))
if machine_code == b"\xcd\x80": r_eax = mu.reg_read(UC_X86_REG_EAX)
r_ebx = mu.reg_read(UC_X86_REG_EBX)
r_ecx = mu.reg_read(UC_X86_REG_ECX)
r_edx = mu.reg_read(UC_X86_REG_EDX)
syscall_name = syscall_num_to_name(r_eax)
print("--------------")
print("We intercepted system call: " + syscall_name) if syscall_name == "sys_chmod":
s = mu.mem_read(r_ebx, 20).split(b"\x00")[0]
print("arg0 = 0x%x -> %s" % (r_ebx, s))
print("arg1 = " + oct(r_ecx))
elif syscall_name == "sys_exit":
print("arg0 = " + hex(r_ebx))
exit()
mu.reg_write(UC_X86_REG_EIP, address + size) mu.hook_add(UC_HOOK_CODE, hook_code)//添加hook函数,每条指令执行前都先调用hook函数
mu.emu_start(BASE, BASE - 1)//开始执行
执行结果:
0x400000: call 0x400004
0x400004: inc eax
0x400006: pop ebp
0x400007: push 5
0x400009: pop ebx
0x40000a: sub ebp, ebx
0x40000c: add ebp, 0x4e
0x40000f: mov ecx, ebp
0x400011: push 2
0x400013: add ecx, dword ptr [esp]
0x400016: pop ebx
0x400017: xor edx, edx
0x400019: mov dx, 0x12
0x40001d: mov edi, dword ptr [ecx]
0x40001f: shl edi, 0x10
0x400022: shr edi, 0x10
0x400025: sub ecx, 0xfffffffe
0x40002b: mov eax, dword ptr [ebp]
0x40002e: shl eax, 0x10
0x400031: shr eax, 0x10
0x400034: mov ebx, eax
0x400036: or ebx, edi
0x400038: and eax, edi
0x40003a: not eax
0x40003c: and eax, ebx
0x40003e: mov word ptr [ebp], ax
0x400042: add ebp, 2
0x400045: dec edx
0x400046: test edx, edx
0x400048: jne 0x40001d
0x40001d: mov edi, dword ptr [ecx]
0x40001f: shl edi, 0x10
0x400022: shr edi, 0x10
0x400025: sub ecx, 0xfffffffe
0x40002b: mov eax, dword ptr [ebp]
0x40002e: shl eax, 0x10
0x400031: shr eax, 0x10
0x400034: mov ebx, eax
0x400036: or ebx, edi
0x400038: and eax, edi
0x40003a: not eax
0x40003c: and eax, ebx
0x40003e: mov word ptr [ebp], ax
0x400042: add ebp, 2
0x400045: dec edx
0x400046: test edx, edx
0x400048: jne 0x40001d
0x40001d: mov edi, dword ptr [ecx]
0x40001f: shl edi, 0x10
0x400022: shr edi, 0x10
0x400025: sub ecx, 0xfffffffe
0x40002b: mov eax, dword ptr [ebp]
0x40002e: shl eax, 0x10
0x400031: shr eax, 0x10
0x400034: mov ebx, eax
0x400036: or ebx, edi
0x400038: and eax, edi
0x40003a: not eax
0x40003c: and eax, ebx
0x40003e: mov word ptr [ebp], ax
0x400042: add ebp, 2
0x400045: dec edx
0x400046: test edx, edx
0x400048: jne 0x40001d
0x40001d: mov edi, dword ptr [ecx]
0x40001f: shl edi, 0x10
0x400022: shr edi, 0x10
0x400025: sub ecx, 0xfffffffe
0x40002b: mov eax, dword ptr [ebp]
0x40002e: shl eax, 0x10
0x400031: shr eax, 0x10
0x400034: mov ebx, eax
0x400036: or ebx, edi
0x400038: and eax, edi
0x40003a: not eax
0x40003c: and eax, ebx
0x40003e: mov word ptr [ebp], ax
0x400042: add ebp, 2
0x400045: dec edx
0x400046: test edx, edx
0x400048: jne 0x40001d
0x40001d: mov edi, dword ptr [ecx]
0x40001f: shl edi, 0x10
0x400022: shr edi, 0x10
0x400025: sub ecx, 0xfffffffe
0x40002b: mov eax, dword ptr [ebp]
0x40002e: shl eax, 0x10
0x400031: shr eax, 0x10
0x400034: mov ebx, eax
0x400036: or ebx, edi
0x400038: and eax, edi
0x40003a: not eax
0x40003c: and eax, ebx
0x40003e: mov word ptr [ebp], ax
0x400042: add ebp, 2
0x400045: dec edx
0x400046: test edx, edx
0x400048: jne 0x40001d
0x40001d: mov edi, dword ptr [ecx]
0x40001f: shl edi, 0x10
0x400022: shr edi, 0x10
0x400025: sub ecx, 0xfffffffe
0x40002b: mov eax, dword ptr [ebp]
0x40002e: shl eax, 0x10
0x400031: shr eax, 0x10
0x400034: mov ebx, eax
0x400036: or ebx, edi
0x400038: and eax, edi
0x40003a: not eax
0x40003c: and eax, ebx
0x40003e: mov word ptr [ebp], ax
0x400042: add ebp, 2
0x400045: dec edx
0x400046: test edx, edx
0x400048: jne 0x40001d
0x40001d: mov edi, dword ptr [ecx]
0x40001f: shl edi, 0x10
0x400022: shr edi, 0x10
0x400025: sub ecx, 0xfffffffe
0x40002b: mov eax, dword ptr [ebp]
0x40002e: shl eax, 0x10
0x400031: shr eax, 0x10
0x400034: mov ebx, eax
0x400036: or ebx, edi
0x400038: and eax, edi
0x40003a: not eax
0x40003c: and eax, ebx
0x40003e: mov word ptr [ebp], ax
0x400042: add ebp, 2
0x400045: dec edx
0x400046: test edx, edx
0x400048: jne 0x40001d
0x40001d: mov edi, dword ptr [ecx]
0x40001f: shl edi, 0x10
0x400022: shr edi, 0x10
0x400025: sub ecx, 0xfffffffe
0x40002b: mov eax, dword ptr [ebp]
0x40002e: shl eax, 0x10
0x400031: shr eax, 0x10
0x400034: mov ebx, eax
0x400036: or ebx, edi
0x400038: and eax, edi
0x40003a: not eax
0x40003c: and eax, ebx
0x40003e: mov word ptr [ebp], ax
0x400042: add ebp, 2
0x400045: dec edx
0x400046: test edx, edx
0x400048: jne 0x40001d
0x40001d: mov edi, dword ptr [ecx]
0x40001f: shl edi, 0x10
0x400022: shr edi, 0x10
0x400025: sub ecx, 0xfffffffe
0x40002b: mov eax, dword ptr [ebp]
0x40002e: shl eax, 0x10
0x400031: shr eax, 0x10
0x400034: mov ebx, eax
0x400036: or ebx, edi
0x400038: and eax, edi
0x40003a: not eax
0x40003c: and eax, ebx
0x40003e: mov word ptr [ebp], ax
0x400042: add ebp, 2
0x400045: dec edx
0x400046: test edx, edx
0x400048: jne 0x40001d
0x40001d: mov edi, dword ptr [ecx]
0x40001f: shl edi, 0x10
0x400022: shr edi, 0x10
0x400025: sub ecx, 0xfffffffe
0x40002b: mov eax, dword ptr [ebp]
0x40002e: shl eax, 0x10
0x400031: shr eax, 0x10
0x400034: mov ebx, eax
0x400036: or ebx, edi
0x400038: and eax, edi
0x40003a: not eax
0x40003c: and eax, ebx
0x40003e: mov word ptr [ebp], ax
0x400042: add ebp, 2
0x400045: dec edx
0x400046: test edx, edx
0x400048: jne 0x40001d
0x40001d: mov edi, dword ptr [ecx]
0x40001f: shl edi, 0x10
0x400022: shr edi, 0x10
0x400025: sub ecx, 0xfffffffe
0x40002b: mov eax, dword ptr [ebp]
0x40002e: shl eax, 0x10
0x400031: shr eax, 0x10
0x400034: mov ebx, eax
0x400036: or ebx, edi
0x400038: and eax, edi
0x40003a: not eax
0x40003c: and eax, ebx
0x40003e: mov word ptr [ebp], ax
0x400042: add ebp, 2
0x400045: dec edx
0x400046: test edx, edx
0x400048: jne 0x40001d
0x40001d: mov edi, dword ptr [ecx]
0x40001f: shl edi, 0x10
0x400022: shr edi, 0x10
0x400025: sub ecx, 0xfffffffe
0x40002b: mov eax, dword ptr [ebp]
0x40002e: shl eax, 0x10
0x400031: shr eax, 0x10
0x400034: mov ebx, eax
0x400036: or ebx, edi
0x400038: and eax, edi
0x40003a: not eax
0x40003c: and eax, ebx
0x40003e: mov word ptr [ebp], ax
0x400042: add ebp, 2
0x400045: dec edx
0x400046: test edx, edx
0x400048: jne 0x40001d
0x40001d: mov edi, dword ptr [ecx]
0x40001f: shl edi, 0x10
0x400022: shr edi, 0x10
0x400025: sub ecx, 0xfffffffe
0x40002b: mov eax, dword ptr [ebp]
0x40002e: shl eax, 0x10
0x400031: shr eax, 0x10
0x400034: mov ebx, eax
0x400036: or ebx, edi
0x400038: and eax, edi
0x40003a: not eax
0x40003c: and eax, ebx
0x40003e: mov word ptr [ebp], ax
0x400042: add ebp, 2
0x400045: dec edx
0x400046: test edx, edx
0x400048: jne 0x40001d
0x40001d: mov edi, dword ptr [ecx]
0x40001f: shl edi, 0x10
0x400022: shr edi, 0x10
0x400025: sub ecx, 0xfffffffe
0x40002b: mov eax, dword ptr [ebp]
0x40002e: shl eax, 0x10
0x400031: shr eax, 0x10
0x400034: mov ebx, eax
0x400036: or ebx, edi
0x400038: and eax, edi
0x40003a: not eax
0x40003c: and eax, ebx
0x40003e: mov word ptr [ebp], ax
0x400042: add ebp, 2
0x400045: dec edx
0x400046: test edx, edx
0x400048: jne 0x40001d
0x40001d: mov edi, dword ptr [ecx]
0x40001f: shl edi, 0x10
0x400022: shr edi, 0x10
0x400025: sub ecx, 0xfffffffe
0x40002b: mov eax, dword ptr [ebp]
0x40002e: shl eax, 0x10
0x400031: shr eax, 0x10
0x400034: mov ebx, eax
0x400036: or ebx, edi
0x400038: and eax, edi
0x40003a: not eax
0x40003c: and eax, ebx
0x40003e: mov word ptr [ebp], ax
0x400042: add ebp, 2
0x400045: dec edx
0x400046: test edx, edx
0x400048: jne 0x40001d
0x40001d: mov edi, dword ptr [ecx]
0x40001f: shl edi, 0x10
0x400022: shr edi, 0x10
0x400025: sub ecx, 0xfffffffe
0x40002b: mov eax, dword ptr [ebp]
0x40002e: shl eax, 0x10
0x400031: shr eax, 0x10
0x400034: mov ebx, eax
0x400036: or ebx, edi
0x400038: and eax, edi
0x40003a: not eax
0x40003c: and eax, ebx
0x40003e: mov word ptr [ebp], ax
0x400042: add ebp, 2
0x400045: dec edx
0x400046: test edx, edx
0x400048: jne 0x40001d
0x40001d: mov edi, dword ptr [ecx]
0x40001f: shl edi, 0x10
0x400022: shr edi, 0x10
0x400025: sub ecx, 0xfffffffe
0x40002b: mov eax, dword ptr [ebp]
0x40002e: shl eax, 0x10
0x400031: shr eax, 0x10
0x400034: mov ebx, eax
0x400036: or ebx, edi
0x400038: and eax, edi
0x40003a: not eax
0x40003c: and eax, ebx
0x40003e: mov word ptr [ebp], ax
0x400042: add ebp, 2
0x400045: dec edx
0x400046: test edx, edx
0x400048: jne 0x40001d
0x40001d: mov edi, dword ptr [ecx]
0x40001f: shl edi, 0x10
0x400022: shr edi, 0x10
0x400025: sub ecx, 0xfffffffe
0x40002b: mov eax, dword ptr [ebp]
0x40002e: shl eax, 0x10
0x400031: shr eax, 0x10
0x400034: mov ebx, eax
0x400036: or ebx, edi
0x400038: and eax, edi
0x40003a: not eax
0x40003c: and eax, ebx
0x40003e: mov word ptr [ebp], ax
0x400042: add ebp, 2
0x400045: dec edx
0x400046: test edx, edx
0x400048: jne 0x40001d
0x40004e: cdq
0x40004f: push 0xf
0x400051: pop eax
0x400052: push edx
0x400053: call 0x400064
0x400064: pop ebx
0x400065: push 0x1b6
0x40006a: pop ecx
0x40006b: int 0x80
--------------
We intercepted system call: sys_chmod
arg0 = 0x400058 -> bytearray(b'/etc/shadow')
arg1 = 0o666
0x40006d: push 1
0x40006f: pop eax
0x400070: int 0x80
--------------
We intercepted system call: sys_exit
arg0 = 0x400058
练习使用Unicorn、Capstone的更多相关文章
- 反汇编工具capstone安装后import error
使用sudo pip install capstone后,使用如下代码import时出现error. from capstone import * 错误信息: File "/usr/loca ...
- puma vs passenger vs rainbows! vs unicorn vs thin 适用场景 及 performance
ruby的几个web server,按照开发活跃度.并发方案及要点.适用场景等分析puma vs passenger vs rainbows! vs unicorn vs thin. 1. thin: ...
- different between unicorn / unicorn_rails
$ unicorn_rails -h Usage: unicorn_rails [ruby options] [unicorn_rails options] [rackup config file] ...
- 利用Unicorn和Idaemu辅助解决Geekpwn SecretCode
在前面的些文章里,我提到了怎么交叉编译Unicorn-engine,以及在windows上使用Unicorn python bindings进行分析程序.这一次我介绍下如何使用Unicorn-engi ...
- Nginx + unicorn 运行多个Rails应用程序
PS:第一次写的很详细,可惜发布失败,然后全没了,这是第二次,表示只贴代码,剩下的自己领悟好了,这就是所谓的一鼓作气再而衰吧,希望没有第三次. 版本: ruby 2.1.0 rails 4.0.2 n ...
- unicorn与nginx通讯--[ruby unix socket]
[龍昌博客] http://www.xefan.com/archives/84146.html unicorn是如何与nginx通讯的——介绍ruby中的unix socket Ruby 应用服务典型 ...
- puppet master 用 nginx + unicorn 作为前端
目录 1. 概要 2. nginx + unicorn 配置 2.1. package 安装 2.2. 配置文件设置 2.2.1. 配置 unicorn 2.2.2. 配置nginx 2.3. 测试配 ...
- 复现 360 Unicorn Team 黑科技之 HackNFC
看了2条360 Unicorn Team的微博后,感觉蛮有趣的,打算复现一下 谷歌了下相关资料,在HACKADAY找到了介绍文章 还有2篇北邮工学硕士的论文,欢迎有兴趣的朋友和我一起交流~ 联系方式在 ...
- Setting up Unicorn with Nginx
gem install unicorn or gem 'unciron' 1 install Nginx yum install ... 2 Configuration vi /etc/nginx/n ...
随机推荐
- 内存耗尽后Redis会发生什么
前言 作为一台服务器来说,内存并不是无限的,所以总会存在内存耗尽的情况,那么当 Redis 服务器的内存耗尽后,如果继续执行请求命令,Redis 会如何处理呢? 内存回收 使用Redis 服务时,很多 ...
- Linux 驱动框架---linux 设备
Linux 设备 Linux驱动中的三大主要基础成员主要是设备,总线和驱动.今天先来从设备开始分析先把设备相关的数据结构放到这里方便后面看到来查,其中有些进行了简单的注释. struct device ...
- cheerio & jQuery for server
cheerio & jQuery for server Fast, flexible & lean implementation of core jQuery designed spe ...
- website SEO all in one
website SEO all in one SEO 指标量化 https://www.similarweb.com/zh/top-websites/ demo https://www.similar ...
- js add Struct to ArrayBuffer
使用struct-buffer为ArrayBuffer添加结构体 $ npm i struct-buffer 1. 创建结构体 import { DWORD, string_t, StructBuff ...
- nodejs package.json中的exports
test/package.json { "name": "test", "main": "index.js", &quo ...
- Nice!JavaScript基础语法知识都在这儿了
好好学习,天天向上 本文已收录至我的Github仓库DayDayUP:github.com/RobodLee/DayDayUP,欢迎Star 转载请注明出处! 链接:https://blog.csdn ...
- [C#] 尝鲜.net6.0的C#代码热重载
看到.NET 6 Preview 1 发布,里面"除了 XAML 热重载之外,还将支持 C# 代码的热重载"一句,觉得有必要试试看,因为XAML热重载功能用起来确实很爽. 首先要下 ...
- MYSQL 悲观锁和乐观锁简单介绍及实现
1:悲观锁 1.1 特点: 每次查询都会进行锁行,怕"其他人"进行数据的修改. 1.2 实现步骤: 步骤1:开启事务test1,并对id=2的记录进行查询,并加锁,如: 步骤2 ...
- 开工大吉:TcaplusDB将持续为您提供可靠的数据服务
开工大吉 新的一年 新的开始 我们也带着新的心意 向您奔赴而来 在此,TcaplusDB祝广大客户朋友,开工大吉,2021,我们将一如既往地守护您的数据,继续做您最坚实的后盾. 作为专为游 ...