练习使用Unicorn、Capstone
Unicorn是一个轻量级的多平台,多体系结构的CPU仿真器框架。官网:http://www.unicorn-engine.org/
Capstone是一个轻量级的多平台,多体系结构的反汇编框架。官网:http://www.capstone-engine.org/
参考:https://bbs.pediy.com/thread-224330.htm
练习:分析混淆的shllcode
shellcode=b"\xe8\xff\xff\xff\xff\xc0\x5d\x6a\x05\x5b\x29\xdd\x83\xc5\x4e\x89\xe9\x6a\x02\x03\x0c\x24\x5b\x31\xd2\x66\xba\x12\x00\x8b\x39\xc1\xe7\x10\xc1\xef\x10\x81\xe9\xfe\xff\xff\xff\x8b\x45\x00\xc1\xe0\x10\xc1\xe8\x10\x89\xc3\x09\xfb\x21\xf8\xf7\xd0\x21\xd8\x66\x89\x45\x00\x83\xc5\x02\x4a\x85\xd2\x0f\x85\xcf\xff\xff\xff\xec\x37\x75\x5d\x7a\x05\x28\xed\x24\xed\x24\xed\x0b\x88\x7f\xeb\x50\x98\x38\xf9\x5c\x96\x2b\x96\x70\xfe\xc6\xff\xc6\xff\x9f\x32\x1f\x58\x1e\x00\xd3\x80"
使用capstone反汇编:
from capstone import*
md=Cs(CS_ARCH_X86,CS_MODE_32)//初始化,指定处理器架构
shellcode = b"\xe8\xff\xff\xff\xff\xc0\x5d\x6a\x05\x5b\x29\xdd\x83\xc5\x4e\x89\xe9\x6a\x02\x03\x0c\x24\x5b\x31\xd2\x66\xba\x12\x00\x8b\x39\xc1\xe7\x10\xc1\xef\x10\x81\xe9\xfe\xff\xff\xff\x8b\x45\x00\xc1\xe0\x10\xc1\xe8\x10\x89\xc3\x09\xfb\x21\xf8\xf7\xd0\x21\xd8\x66\x89\x45\x00\x83\xc5\x02\x4a\x85\xd2\x0f\x85\xcf\xff\xff\xff\xec\x37\x75\x5d\x7a\x05\x28\xed\x24\xed\x24\xed\x0b\x88\x7f\xeb\x50\x98\x38\xf9\x5c\x96\x2b\x96\x70\xfe\xc6\xff\xc6\xff\x9f\x32\x1f\x58\x1e\x00\xd3\x80"
for code in md.disasm(shellcode,0x0):
print("0x%x:\t%s\t%s"%(code.address,code.mnemonic,code.op_str))
反汇编结果:
0x0: call 4
0x5: rcr byte ptr [ebp + 0x6a], 5
0x9: pop ebx
0xa: sub ebp, ebx
0xc: add ebp, 0x4e
0xf: mov ecx, ebp
0x11: push 2
0x13: add ecx, dword ptr [esp]
0x16: pop ebx
0x17: xor edx, edx
0x19: mov dx, 0x12
0x1d: mov edi, dword ptr [ecx]
0x1f: shl edi, 0x10
0x22: shr edi, 0x10
0x25: sub ecx, 0xfffffffe
0x2b: mov eax, dword ptr [ebp]
0x2e: shl eax, 0x10
0x31: shr eax, 0x10
0x34: mov ebx, eax
0x36: or ebx, edi
0x38: and eax, edi
0x3a: not eax
0x3c: and eax, ebx
0x3e: mov word ptr [ebp], ax
0x42: add ebp, 2
0x45: dec edx
0x46: test edx, edx
0x48: jne 0x1d
0x4e: in al, dx
0x4f: aaa
0x50: jne 0xaf
0x52: jp 0x59
0x54: sub ch, ch
0x56: and al, 0xed
0x58: and al, 0xed
0x5a: or ecx, dword ptr [eax - 0x67af1481]
0x60: cmp cl, bh
0x62: pop esp
0x63: xchg eax, esi
0x64: sub edx, dword ptr [esi - 0x390190]
下面使用unicorn模拟执行
from unicorn import *
from unicorn.x86_const import *
from capstone import*
md=Cs(CS_ARCH_X86,CS_MODE_32)#初始化反汇编
BASE = 0x400000
STACK_ADDR = 0x0
STACK_SIZE = 1024 * 1024 mu = Uc(UC_ARCH_X86, UC_MODE_32)#初始化 mu.mem_map(BASE, 1024 * 1024)#开辟模拟运行的映射空间
mu.mem_map(STACK_ADDR, STACK_SIZE)#栈空间
shellcode = b"\xe8\xff\xff\xff\xff\xc0\x5d\x6a\x05\x5b\x29\xdd\x83\xc5\x4e\x89\xe9\x6a\x02\x03\x0c\x24\x5b\x31\xd2\x66\xba\x12\x00\x8b\x39\xc1\xe7\x10\xc1\xef\x10\x81\xe9\xfe\xff\xff\xff\x8b\x45\x00\xc1\xe0\x10\xc1\xe8\x10\x89\xc3\x09\xfb\x21\xf8\xf7\xd0\x21\xd8\x66\x89\x45\x00\x83\xc5\x02\x4a\x85\xd2\x0f\x85\xcf\xff\xff\xff\xec\x37\x75\x5d\x7a\x05\x28\xed\x24\xed\x24\xed\x0b\x88\x7f\xeb\x50\x98\x38\xf9\x5c\x96\x2b\x96\x70\xfe\xc6\xff\xc6\xff\x9f\x32\x1f\x58\x1e\x00\xd3\x80"
mu.mem_write(BASE, shellcode)//载入需模拟的代码指令
mu.reg_write(UC_X86_REG_ESP, STACK_ADDR + STACK_SIZE // 2)#设置栈指针 def syscall_num_to_name(num):
syscalls = {1: "sys_exit", 15: "sys_chmod"}
return syscalls[num] def hook_code(mu, address, size, user_data):#hook代码 # print('>>> Tracing instruction at 0x%x, instruction size = 0x%x' %(address, size)) machine_code = mu.mem_read(address, size)
for code in md.disasm(machine_code,address):
print(" 0x%x:\t%s\t%s" % (code.address, code.mnemonic, code.op_str))
if machine_code == b"\xcd\x80": r_eax = mu.reg_read(UC_X86_REG_EAX)
r_ebx = mu.reg_read(UC_X86_REG_EBX)
r_ecx = mu.reg_read(UC_X86_REG_ECX)
r_edx = mu.reg_read(UC_X86_REG_EDX)
syscall_name = syscall_num_to_name(r_eax)
print("--------------")
print("We intercepted system call: " + syscall_name) if syscall_name == "sys_chmod":
s = mu.mem_read(r_ebx, 20).split(b"\x00")[0]
print("arg0 = 0x%x -> %s" % (r_ebx, s))
print("arg1 = " + oct(r_ecx))
elif syscall_name == "sys_exit":
print("arg0 = " + hex(r_ebx))
exit()
mu.reg_write(UC_X86_REG_EIP, address + size) mu.hook_add(UC_HOOK_CODE, hook_code)//添加hook函数,每条指令执行前都先调用hook函数
mu.emu_start(BASE, BASE - 1)//开始执行
执行结果:
0x400000: call 0x400004
0x400004: inc eax
0x400006: pop ebp
0x400007: push 5
0x400009: pop ebx
0x40000a: sub ebp, ebx
0x40000c: add ebp, 0x4e
0x40000f: mov ecx, ebp
0x400011: push 2
0x400013: add ecx, dword ptr [esp]
0x400016: pop ebx
0x400017: xor edx, edx
0x400019: mov dx, 0x12
0x40001d: mov edi, dword ptr [ecx]
0x40001f: shl edi, 0x10
0x400022: shr edi, 0x10
0x400025: sub ecx, 0xfffffffe
0x40002b: mov eax, dword ptr [ebp]
0x40002e: shl eax, 0x10
0x400031: shr eax, 0x10
0x400034: mov ebx, eax
0x400036: or ebx, edi
0x400038: and eax, edi
0x40003a: not eax
0x40003c: and eax, ebx
0x40003e: mov word ptr [ebp], ax
0x400042: add ebp, 2
0x400045: dec edx
0x400046: test edx, edx
0x400048: jne 0x40001d
0x40001d: mov edi, dword ptr [ecx]
0x40001f: shl edi, 0x10
0x400022: shr edi, 0x10
0x400025: sub ecx, 0xfffffffe
0x40002b: mov eax, dword ptr [ebp]
0x40002e: shl eax, 0x10
0x400031: shr eax, 0x10
0x400034: mov ebx, eax
0x400036: or ebx, edi
0x400038: and eax, edi
0x40003a: not eax
0x40003c: and eax, ebx
0x40003e: mov word ptr [ebp], ax
0x400042: add ebp, 2
0x400045: dec edx
0x400046: test edx, edx
0x400048: jne 0x40001d
0x40001d: mov edi, dword ptr [ecx]
0x40001f: shl edi, 0x10
0x400022: shr edi, 0x10
0x400025: sub ecx, 0xfffffffe
0x40002b: mov eax, dword ptr [ebp]
0x40002e: shl eax, 0x10
0x400031: shr eax, 0x10
0x400034: mov ebx, eax
0x400036: or ebx, edi
0x400038: and eax, edi
0x40003a: not eax
0x40003c: and eax, ebx
0x40003e: mov word ptr [ebp], ax
0x400042: add ebp, 2
0x400045: dec edx
0x400046: test edx, edx
0x400048: jne 0x40001d
0x40001d: mov edi, dword ptr [ecx]
0x40001f: shl edi, 0x10
0x400022: shr edi, 0x10
0x400025: sub ecx, 0xfffffffe
0x40002b: mov eax, dword ptr [ebp]
0x40002e: shl eax, 0x10
0x400031: shr eax, 0x10
0x400034: mov ebx, eax
0x400036: or ebx, edi
0x400038: and eax, edi
0x40003a: not eax
0x40003c: and eax, ebx
0x40003e: mov word ptr [ebp], ax
0x400042: add ebp, 2
0x400045: dec edx
0x400046: test edx, edx
0x400048: jne 0x40001d
0x40001d: mov edi, dword ptr [ecx]
0x40001f: shl edi, 0x10
0x400022: shr edi, 0x10
0x400025: sub ecx, 0xfffffffe
0x40002b: mov eax, dword ptr [ebp]
0x40002e: shl eax, 0x10
0x400031: shr eax, 0x10
0x400034: mov ebx, eax
0x400036: or ebx, edi
0x400038: and eax, edi
0x40003a: not eax
0x40003c: and eax, ebx
0x40003e: mov word ptr [ebp], ax
0x400042: add ebp, 2
0x400045: dec edx
0x400046: test edx, edx
0x400048: jne 0x40001d
0x40001d: mov edi, dword ptr [ecx]
0x40001f: shl edi, 0x10
0x400022: shr edi, 0x10
0x400025: sub ecx, 0xfffffffe
0x40002b: mov eax, dword ptr [ebp]
0x40002e: shl eax, 0x10
0x400031: shr eax, 0x10
0x400034: mov ebx, eax
0x400036: or ebx, edi
0x400038: and eax, edi
0x40003a: not eax
0x40003c: and eax, ebx
0x40003e: mov word ptr [ebp], ax
0x400042: add ebp, 2
0x400045: dec edx
0x400046: test edx, edx
0x400048: jne 0x40001d
0x40001d: mov edi, dword ptr [ecx]
0x40001f: shl edi, 0x10
0x400022: shr edi, 0x10
0x400025: sub ecx, 0xfffffffe
0x40002b: mov eax, dword ptr [ebp]
0x40002e: shl eax, 0x10
0x400031: shr eax, 0x10
0x400034: mov ebx, eax
0x400036: or ebx, edi
0x400038: and eax, edi
0x40003a: not eax
0x40003c: and eax, ebx
0x40003e: mov word ptr [ebp], ax
0x400042: add ebp, 2
0x400045: dec edx
0x400046: test edx, edx
0x400048: jne 0x40001d
0x40001d: mov edi, dword ptr [ecx]
0x40001f: shl edi, 0x10
0x400022: shr edi, 0x10
0x400025: sub ecx, 0xfffffffe
0x40002b: mov eax, dword ptr [ebp]
0x40002e: shl eax, 0x10
0x400031: shr eax, 0x10
0x400034: mov ebx, eax
0x400036: or ebx, edi
0x400038: and eax, edi
0x40003a: not eax
0x40003c: and eax, ebx
0x40003e: mov word ptr [ebp], ax
0x400042: add ebp, 2
0x400045: dec edx
0x400046: test edx, edx
0x400048: jne 0x40001d
0x40001d: mov edi, dword ptr [ecx]
0x40001f: shl edi, 0x10
0x400022: shr edi, 0x10
0x400025: sub ecx, 0xfffffffe
0x40002b: mov eax, dword ptr [ebp]
0x40002e: shl eax, 0x10
0x400031: shr eax, 0x10
0x400034: mov ebx, eax
0x400036: or ebx, edi
0x400038: and eax, edi
0x40003a: not eax
0x40003c: and eax, ebx
0x40003e: mov word ptr [ebp], ax
0x400042: add ebp, 2
0x400045: dec edx
0x400046: test edx, edx
0x400048: jne 0x40001d
0x40001d: mov edi, dword ptr [ecx]
0x40001f: shl edi, 0x10
0x400022: shr edi, 0x10
0x400025: sub ecx, 0xfffffffe
0x40002b: mov eax, dword ptr [ebp]
0x40002e: shl eax, 0x10
0x400031: shr eax, 0x10
0x400034: mov ebx, eax
0x400036: or ebx, edi
0x400038: and eax, edi
0x40003a: not eax
0x40003c: and eax, ebx
0x40003e: mov word ptr [ebp], ax
0x400042: add ebp, 2
0x400045: dec edx
0x400046: test edx, edx
0x400048: jne 0x40001d
0x40001d: mov edi, dword ptr [ecx]
0x40001f: shl edi, 0x10
0x400022: shr edi, 0x10
0x400025: sub ecx, 0xfffffffe
0x40002b: mov eax, dword ptr [ebp]
0x40002e: shl eax, 0x10
0x400031: shr eax, 0x10
0x400034: mov ebx, eax
0x400036: or ebx, edi
0x400038: and eax, edi
0x40003a: not eax
0x40003c: and eax, ebx
0x40003e: mov word ptr [ebp], ax
0x400042: add ebp, 2
0x400045: dec edx
0x400046: test edx, edx
0x400048: jne 0x40001d
0x40001d: mov edi, dword ptr [ecx]
0x40001f: shl edi, 0x10
0x400022: shr edi, 0x10
0x400025: sub ecx, 0xfffffffe
0x40002b: mov eax, dword ptr [ebp]
0x40002e: shl eax, 0x10
0x400031: shr eax, 0x10
0x400034: mov ebx, eax
0x400036: or ebx, edi
0x400038: and eax, edi
0x40003a: not eax
0x40003c: and eax, ebx
0x40003e: mov word ptr [ebp], ax
0x400042: add ebp, 2
0x400045: dec edx
0x400046: test edx, edx
0x400048: jne 0x40001d
0x40001d: mov edi, dword ptr [ecx]
0x40001f: shl edi, 0x10
0x400022: shr edi, 0x10
0x400025: sub ecx, 0xfffffffe
0x40002b: mov eax, dword ptr [ebp]
0x40002e: shl eax, 0x10
0x400031: shr eax, 0x10
0x400034: mov ebx, eax
0x400036: or ebx, edi
0x400038: and eax, edi
0x40003a: not eax
0x40003c: and eax, ebx
0x40003e: mov word ptr [ebp], ax
0x400042: add ebp, 2
0x400045: dec edx
0x400046: test edx, edx
0x400048: jne 0x40001d
0x40001d: mov edi, dword ptr [ecx]
0x40001f: shl edi, 0x10
0x400022: shr edi, 0x10
0x400025: sub ecx, 0xfffffffe
0x40002b: mov eax, dword ptr [ebp]
0x40002e: shl eax, 0x10
0x400031: shr eax, 0x10
0x400034: mov ebx, eax
0x400036: or ebx, edi
0x400038: and eax, edi
0x40003a: not eax
0x40003c: and eax, ebx
0x40003e: mov word ptr [ebp], ax
0x400042: add ebp, 2
0x400045: dec edx
0x400046: test edx, edx
0x400048: jne 0x40001d
0x40001d: mov edi, dword ptr [ecx]
0x40001f: shl edi, 0x10
0x400022: shr edi, 0x10
0x400025: sub ecx, 0xfffffffe
0x40002b: mov eax, dword ptr [ebp]
0x40002e: shl eax, 0x10
0x400031: shr eax, 0x10
0x400034: mov ebx, eax
0x400036: or ebx, edi
0x400038: and eax, edi
0x40003a: not eax
0x40003c: and eax, ebx
0x40003e: mov word ptr [ebp], ax
0x400042: add ebp, 2
0x400045: dec edx
0x400046: test edx, edx
0x400048: jne 0x40001d
0x40001d: mov edi, dword ptr [ecx]
0x40001f: shl edi, 0x10
0x400022: shr edi, 0x10
0x400025: sub ecx, 0xfffffffe
0x40002b: mov eax, dword ptr [ebp]
0x40002e: shl eax, 0x10
0x400031: shr eax, 0x10
0x400034: mov ebx, eax
0x400036: or ebx, edi
0x400038: and eax, edi
0x40003a: not eax
0x40003c: and eax, ebx
0x40003e: mov word ptr [ebp], ax
0x400042: add ebp, 2
0x400045: dec edx
0x400046: test edx, edx
0x400048: jne 0x40001d
0x40001d: mov edi, dword ptr [ecx]
0x40001f: shl edi, 0x10
0x400022: shr edi, 0x10
0x400025: sub ecx, 0xfffffffe
0x40002b: mov eax, dword ptr [ebp]
0x40002e: shl eax, 0x10
0x400031: shr eax, 0x10
0x400034: mov ebx, eax
0x400036: or ebx, edi
0x400038: and eax, edi
0x40003a: not eax
0x40003c: and eax, ebx
0x40003e: mov word ptr [ebp], ax
0x400042: add ebp, 2
0x400045: dec edx
0x400046: test edx, edx
0x400048: jne 0x40001d
0x40001d: mov edi, dword ptr [ecx]
0x40001f: shl edi, 0x10
0x400022: shr edi, 0x10
0x400025: sub ecx, 0xfffffffe
0x40002b: mov eax, dword ptr [ebp]
0x40002e: shl eax, 0x10
0x400031: shr eax, 0x10
0x400034: mov ebx, eax
0x400036: or ebx, edi
0x400038: and eax, edi
0x40003a: not eax
0x40003c: and eax, ebx
0x40003e: mov word ptr [ebp], ax
0x400042: add ebp, 2
0x400045: dec edx
0x400046: test edx, edx
0x400048: jne 0x40001d
0x40004e: cdq
0x40004f: push 0xf
0x400051: pop eax
0x400052: push edx
0x400053: call 0x400064
0x400064: pop ebx
0x400065: push 0x1b6
0x40006a: pop ecx
0x40006b: int 0x80
--------------
We intercepted system call: sys_chmod
arg0 = 0x400058 -> bytearray(b'/etc/shadow')
arg1 = 0o666
0x40006d: push 1
0x40006f: pop eax
0x400070: int 0x80
--------------
We intercepted system call: sys_exit
arg0 = 0x400058
练习使用Unicorn、Capstone的更多相关文章
- 反汇编工具capstone安装后import error
使用sudo pip install capstone后,使用如下代码import时出现error. from capstone import * 错误信息: File "/usr/loca ...
- puma vs passenger vs rainbows! vs unicorn vs thin 适用场景 及 performance
ruby的几个web server,按照开发活跃度.并发方案及要点.适用场景等分析puma vs passenger vs rainbows! vs unicorn vs thin. 1. thin: ...
- different between unicorn / unicorn_rails
$ unicorn_rails -h Usage: unicorn_rails [ruby options] [unicorn_rails options] [rackup config file] ...
- 利用Unicorn和Idaemu辅助解决Geekpwn SecretCode
在前面的些文章里,我提到了怎么交叉编译Unicorn-engine,以及在windows上使用Unicorn python bindings进行分析程序.这一次我介绍下如何使用Unicorn-engi ...
- Nginx + unicorn 运行多个Rails应用程序
PS:第一次写的很详细,可惜发布失败,然后全没了,这是第二次,表示只贴代码,剩下的自己领悟好了,这就是所谓的一鼓作气再而衰吧,希望没有第三次. 版本: ruby 2.1.0 rails 4.0.2 n ...
- unicorn与nginx通讯--[ruby unix socket]
[龍昌博客] http://www.xefan.com/archives/84146.html unicorn是如何与nginx通讯的——介绍ruby中的unix socket Ruby 应用服务典型 ...
- puppet master 用 nginx + unicorn 作为前端
目录 1. 概要 2. nginx + unicorn 配置 2.1. package 安装 2.2. 配置文件设置 2.2.1. 配置 unicorn 2.2.2. 配置nginx 2.3. 测试配 ...
- 复现 360 Unicorn Team 黑科技之 HackNFC
看了2条360 Unicorn Team的微博后,感觉蛮有趣的,打算复现一下 谷歌了下相关资料,在HACKADAY找到了介绍文章 还有2篇北邮工学硕士的论文,欢迎有兴趣的朋友和我一起交流~ 联系方式在 ...
- Setting up Unicorn with Nginx
gem install unicorn or gem 'unciron' 1 install Nginx yum install ... 2 Configuration vi /etc/nginx/n ...
随机推荐
- Linux下开发STM32单片机
一开始学习51单片机就是用的MDK这个IDE软件,IDE软件虽然看起来直观好像更加容易入门(因为有界面看起来很形象),但是实际上IDE却是向我们这些入门人员隐藏了背后真实存在的过程,让我们以为编译就是 ...
- CSS Grid & Flex poster PDF 海报定制
CSS Grid & Flex poster PDF 海报定制 CSS 手工实现 导出 SVG / PNG 导出 PDF 打印,定制海报 refs https://css-tricks.com ...
- 1+X 证书制度
1+X 证书制度 教育部职业技术教育 http://www.cvae.com.cn/zgzcw/tzgg/202001/c0ddd6c87e6c42839f8cc3e09a2dce89.shtml 2 ...
- LeetCode 二叉树,两个子节点的最近的公共父节点
LeetCode 二叉树,两个子节点的最近的公共父节点 二叉树 Lowest Common Ancestor of a Binary Tree 二叉树的最近公共父亲节点 https://leetcod ...
- Redis 大 key 问题 & 问题分析 & 解决方案
Redis 大 key 问题 & 问题分析 & 解决方案 Redis 什么是 Redis 大 key 单个key 存储的 value 很大 hash, set,zset,list 结构 ...
- PIP & Python packages management
PIP & Python packages management $ python3 --version # OR $ python3 -V # Python 3.7.3 $ pip --ve ...
- web components & publish custom element & npm
web components & publish custom element & npm https://www.webcomponents.org/publish Polymer ...
- js & bitwise-operators
js & bitwise-operators 不用加减乘除运算符, 求整数的7倍 "use strict"; /** * * @author xgqfrms * @lice ...
- Renice INC:解密干型葡萄酒
市场上,干型葡萄酒往往对比甜型葡萄酒(如甜红.甜白)受到更多葡萄酒爱好者的青睐.在葡萄酒界,大部分的红葡萄酒和白葡萄酒也都是干型的,而且它们的口感往往各有特色,并非千篇一律.今天,就跟随Renice ...
- hadoop支持lzo完整过程
简介 启用lzo 启用lzo的压缩方式对于小规模集群是很有用处,压缩比率大概能降到原始日志大小的1/3.同时解压缩的速度也比较快. 安装lzo lzo并不是linux系统原生支持,所以需要下载安装软件 ...