metasploit-framework/external/source/byakugan/jutsu.cpp

964 lines
27 KiB
C++

#include <stdio.h>
#include <winsock2.h>
#include <ws2tcpip.h>
#include "byakugan.h"
#include "jutsu.h"
#include "msfpattern.h"
#include "stdwindbg.h"
struct requestQueue jutsuRequests;
struct trackedBuf *trackedBufList = NULL;
struct trackedVal *trackedValList = NULL;
ULONG64 disassemblyBuffer;
HANDLE processHandle = 0;
SOCKET ListenSocket = INVALID_SOCKET,
ClientSocket = INVALID_SOCKET;
//IDebugClient msfClient;
char *regs[] = {
"eax",
"ebx",
"ecx",
"edx",
"esp",
"ebp",
"eip",
NULL
};
void helpJutsu(void) {
return;
}
void memDiffJutsu(char *inputType, DWORD size, char *input, ULONG64 address) {
DWORD i, j, valResult, numBadChars = 0;
BOOL upperFlag, lowerFlag, nullFlag;
char *pureBuf = NULL, findValExpression[64] = {'\x00'};
char lineExpected[16], lineActual[16];
struct trackedBuf *curr = trackedBufList;
struct corruption *badChars;
// Valid inputs: ASCII, hex, file, buf
if (!_stricmp(inputType, "ASCII")) {
pureBuf = input;
} else if (!_stricmp(inputType, "hex")) {
if (size != parseHexInput(input, size, pureBuf)) {
dprintf("[J] Failed to parse %d bytes from hex input.\n", size);
return;
}
} else if (!_stricmp(inputType, "file")) {
pureBuf = (char *) malloc(size+1);
if (pureBuf = NULL) {
dprintf("[J] Failed to allocate %d bytes!\n", size);
return;
}
if (size != readFileIntoBuf(input, size, pureBuf)) {
dprintf("[J] Failed to read %d bytes from %s.\n", size, input);
return;
}
} else if (!_stricmp(inputType, "buf")) {
// Grab the buf by name from the trackedBufList
while (curr != NULL) {
if(!_stricmp(input, curr->bufName)) {
pureBuf = curr->bufPatt;
break;
}
curr = curr->next;
}
if (pureBuf == NULL) {
dprintf("[J] Unable to find buffer: %s\n", input);
return;
}
} else {
dprintf("[J] The valid input types are buf, hex, and file.\n");
return;
}
upperFlag = lowerFlag = nullFlag = FALSE;
badChars = (struct corruption *) malloc(size * sizeof (struct corruption));
dprintf("\t\t\tACTUAL\t\t\t\t\t\t\t\tEXPECTED\n");
for (i = 0; i < size; i++) {
// Get byte at the important memory location
StringCchPrintf(findValExpression, sizeof(findValExpression),
"poi(0x%08x)", address + i);
valResult = (GetExpression(findValExpression) & 0xFF);
lineExpected[i%16] = pureBuf[i];
lineActual[i%16] = valResult;
if (pureBuf[i] != valResult) {
badChars[numBadChars].value = pureBuf[i];
badChars[numBadChars].offset = i;
badChars[numBadChars].seenAgain = FALSE;
badChars[numBadChars].seenBefore = FALSE;
for (j = 0; j < numBadChars; j++) {
if (badChars[j].value == badChars[numBadChars].value) {
badChars[numBadChars].seenBefore = TRUE;
}
}
numBadChars++;
} else {
for (j = 0; j < numBadChars; j++)
if (valResult == badChars[j].value)
badChars[j].seenAgain = TRUE;
}
if (i % 16 == 15 || i == size-1) {
// Print the actual characters with differences in bold
for (j = 0; j != i % 16 + 1; j++) {
// Diff the two locations
if (lineActual[j] != lineExpected[j]) {
// Store badchars, and bad offsets
// Print this character in bold!
StringCchPrintf(findValExpression, sizeof(findValExpression),
".printf /D \"<b><red>%02x</red></b> \"", lineActual[j]);
g_ExtControl->Execute(DEBUG_OUTCTL_THIS_CLIENT, findValExpression,
DEBUG_EXECUTE_NOT_LOGGED);
} else {
dprintf("%02x ", lineActual[j]);
}
// Take note of upper / lower / null exclusions
}
if (i == size-1)
for (j = 0; j < 15 - i % 16; j+=2)
dprintf("\t");
dprintf("\t");
// Now print the Expected characters
for (j = 0; j != i % 16 + 1; j++) {
dprintf("%02x ", lineExpected[j]);
}
dprintf("\n");
}
}
// Display bad chars
i = 0;
if (numBadChars) {
dprintf("\n[J] Bytes replaced: ");
while (i < numBadChars) {
if (!badChars[i].seenAgain && !badChars[i].seenBefore)
dprintf("0x%02x ", badChars[i].value);
i++;
}
i = 0;
dprintf("\n[J] Offset corruption occurs at: ");
while (i < numBadChars) {
if (badChars[i].seenAgain)
dprintf("%02x ", badChars[i].offset);
i++;
}
dprintf("\n");
}
// Unless pureBuf came from a tracked buffer, free the memory
if (_stricmp(inputType, "buf"))
free(pureBuf);
free(badChars);
}
void listTrackedVals() {
struct trackedVal *newTrackedVal;
if (trackedValList == NULL) {
dprintf("[J] Currently tracking no primitive values.\n");
return;
}
dprintf("[J] Currently tracking:\n");
newTrackedVal = trackedValList;
while (newTrackedVal != NULL) {
dprintf("\tName: %s\t\tSize: %d\tCandidates: %d\n",
newTrackedVal->valName, newTrackedVal->valSize, newTrackedVal->candidates);
newTrackedVal = newTrackedVal->next;
}
}
void listTrackedValByName(char *name) {
struct trackedVal *newTrackedVal;
struct valInstance *curr;
newTrackedVal = trackedValList;
if (newTrackedVal == NULL) goto nada;
while (newTrackedVal != NULL) {
if (!_stricmp(newTrackedVal->valName, name))
break;
newTrackedVal = newTrackedVal->next;
}
if (newTrackedVal) {
curr = newTrackedVal->instances;
if (curr != NULL)
dprintf("[J] Currently tracking %d candidates for %s:\n",
newTrackedVal->candidates, newTrackedVal->valName);
else
goto nada;
while (curr != NULL) {
dprintf("\tAddress: 0x%08x\n", curr->address);
curr = curr->next;
}
return;
}
nada:
dprintf("[J] No candidates are being tracked for %s.\n", name);
}
void trackValJutsu(char *name, DWORD size, DWORD value) {
struct trackedVal *newTrackedVal, *parent = NULL;
struct valInstance *last, *curr;
char findValExpression[18] = {'\x00'};
DWORD valResult, andExpression;
switch(size) {
case 1: andExpression = 0xFF; break;
case 2: andExpression = 0xFFFF; break;
case 4: andExpression = 0xFFFFFFFF; break;
default:
dprintf("[J] Valid primitive sizes are 1, 2, and 4.\n");
return;
}
newTrackedVal = trackedValList;
while (newTrackedVal != NULL) {
if (!_stricmp(newTrackedVal->valName, name))
break;
newTrackedVal = newTrackedVal->next;
}
// Search the list for the new value, purge old addresses
if (newTrackedVal) {
dprintf("[J] Narrowing down candidate list for %s from %d candidates.\n", name, newTrackedVal->candidates);
curr = newTrackedVal->instances;
last = NULL;
while (curr != NULL) {
StringCchPrintf(findValExpression, sizeof(findValExpression), "poi(0x%08x)", curr->address);
valResult = (GetExpression(findValExpression) & andExpression);
if (value != valResult) {
if (last) {
last->next = curr->next;
free(curr);
curr = last->next;
} else {
newTrackedVal->instances = curr->next;
free(curr);
curr = newTrackedVal->instances;
}
newTrackedVal->candidates--;
if (newTrackedVal->candidates == 1) {
dprintf("[J] Value %s is stored at address 0x%08x\n",
newTrackedVal->valName, newTrackedVal->instances->address);
return;
}
} else {
last = curr; curr = curr->next;
}
}
dprintf("[J] Narrowed down address of %s to %d possible candidates.\n", name, newTrackedVal->candidates);
return;
}
dprintf("[J] Creating new list of candidates for %s.\n", name);
// Create a new list and search all memory for the value
newTrackedVal = (struct trackedVal *) malloc(sizeof (struct trackedVal));
if (newTrackedVal == NULL) {
dprintf("[J] OOM!");
return;
}
newTrackedVal->next = NULL;
newTrackedVal->valSize = size;
newTrackedVal->valName = _strdup(name);
if(!newTrackedVal->valName) {
free(newTrackedVal);
dprintf("[J] OOM!\n");
return;
}
newTrackedVal->candidates = findAllVals((BYTE*) &value, size, &(newTrackedVal->instances));
dprintf("[J] Discovered %d possible candidate addresses for %s\n", newTrackedVal->candidates, name);
newTrackedVal->next = trackedValList;
trackedValList = newTrackedVal;
return;
}
void bindJutsu(char *bindPort) {
HANDLE hThread;
DWORD dwThreadId;
IDebugOutputCallbacks *fuzzerOutputCallback;
// Initialize Request Queue
memset(&jutsuRequests, 0, sizeof (struct requestQueue));
// Fire up backchannel thread
hThread = CreateThread( NULL,
0,
listenJutsu,
(LPVOID) bindPort,
0,
&dwThreadId);
if (hThread == NULL)
dprintf("[Byakugan] CreateThread() failed.\n");
}
DWORD WINAPI listenJutsu(LPVOID lpvParam) {
WSADATA wsaData;
char recvbuf[DEFAULT_BUFLEN];
ULONG iResult, iSendResult;
ULONG recvbuflen = DEFAULT_BUFLEN;
char *bindPort = (char *) lpvParam;
struct addrinfo *result = NULL,
hints;
dprintf("[J] Creating Metasploit back channel on port %s... ", bindPort);
if (WSAStartup( MAKEWORD( 2, 2 ), &wsaData) != 0) {
dprintf("Failed!: %d\n", WSAGetLastError());
return (-1);
}
ZeroMemory(&hints, sizeof(hints));
hints.ai_family = AF_INET;
hints.ai_socktype = SOCK_STREAM;
hints.ai_protocol = IPPROTO_TCP;
hints.ai_flags = AI_PASSIVE;
// Resolve the server address and port
iResult = getaddrinfo(NULL, bindPort, &hints, &result);
if ( iResult != 0 ) {
dprintf("Failed!: %d\n", WSAGetLastError());
WSACleanup();
return (-1);
}
// Create a SOCKET for connecting to server
ListenSocket = socket(result->ai_family, result->ai_socktype, result->ai_protocol);
if (ListenSocket == INVALID_SOCKET) {
dprintf("Failed!: %d\n", WSAGetLastError());
freeaddrinfo(result);
WSACleanup();
return (-1);
}
// Setup the TCP listening socket
iResult = bind( ListenSocket, result->ai_addr, (int)result->ai_addrlen);
if (iResult == SOCKET_ERROR) {
dprintf("Failed!: %d\n", WSAGetLastError());
freeaddrinfo(result);
closesocket(ListenSocket);
WSACleanup();
return (-1);
}
freeaddrinfo(result);
iResult = listen(ListenSocket, SOMAXCONN);
if (iResult == SOCKET_ERROR) {
dprintf("Failed!: %d\n", WSAGetLastError());
closesocket(ListenSocket);
WSACleanup();
return (-1);
}
dprintf("Listening.\n");
// Accept a client socket
ClientSocket = accept(ListenSocket, NULL, NULL);
if (ClientSocket == INVALID_SOCKET) {
dprintf("[J] Back channel accept failed: %d\n", WSAGetLastError());
closesocket(ListenSocket);
WSACleanup();
return (-1);
}
// No longer need server socket
closesocket(ListenSocket);
// Register new output callback
//fuzzerOutputCallback = new IDebugOutputCallbacks();
// Register new event callback
// Receive until the peer shuts down the connection
do {
memset(recvbuf, 0, DEFAULT_BUFLEN);
iResult = recv(ClientSocket, recvbuf, recvbuflen, 0);
if (iResult > 0)
parseJutsu(recvbuf, iResult);
else if (iResult == 0)
dprintf("[J] Back channel connection closing...\n");
else {
dprintf("[J] Back channel recv failed: %d\n", WSAGetLastError());
closesocket(ClientSocket);
WSACleanup();
return (-1);
}
} while (iResult > 0);
// shutdown the connection since we're done
iResult = shutdown(ClientSocket, SD_SEND);
if (iResult == SOCKET_ERROR) {
dprintf("[J] Back channel shutdown failed: %d\n", WSAGetLastError());
closesocket(ClientSocket);
WSACleanup();
return (-1);
}
// cleanup
closesocket(ClientSocket);
WSACleanup();
return (0);
}
void parseJutsu(char *buf, ULONG buflen) {
struct request *newRequest, *node;
struct requestHeader *reqHead;
//dprintf("[J] Back channel got: %s\n", buf);
reqHead = (struct requestHeader *) buf;
if ((reqHead->length + 4) > buflen || buflen < 5 || reqHead->length > 0xFFFD) {
dprintf("[J] Received a malformed jutsu request! :(\n");
return;
}
newRequest = (struct request *) malloc(sizeof (struct request));
if (newRequest == NULL) {
dprintf("[J] Failed to allocate! :(\n");
return;
}
newRequest->type = reqHead->type;
newRequest->length = reqHead->length;
newRequest->data = (BYTE *) malloc(newRequest->length + 1);
if (newRequest->data == NULL) {
dprintf("[J] Failed to allocate! :(\n");
free(newRequest);
return;
}
newRequest->next = NULL;
memcpy(newRequest->data, (buf+4), newRequest->length);
if (jutsuRequests.head != NULL) {
node = jutsuRequests.head;
while (node->next != NULL)
node = node->next;
node->next = newRequest;
} else {
jutsuRequests.head = newRequest;
}
jutsuRequests.length++;
return;
}
void showRequestsJutsu() {
struct request *node;
USHORT i;
dprintf("[J] Currently waiting on %d requests:\n", jutsuRequests.length);
node = jutsuRequests.head;
while (node != NULL) {
dprintf("Type: 0x%04x\tLength: 0x%04x\nData:",
node->type, node->length);
for (i = 0; i < node->length; i++) {
if (i % 32 == 0) dprintf("\n");
if (i % 8 == 0) dprintf("\t0x");
dprintf("%01x", node->data[i]);
}
dprintf("\n\n");
node = node->next;
}
}
void identBufJutsu(char *inputType, char *bufName, char *bufPatt, DWORD size) {
struct trackedBuf *newTrackedBuf, *curBuf;
char *msfPattern;
newTrackedBuf = (struct trackedBuf *) malloc(sizeof (struct trackedBuf));
if (newTrackedBuf == NULL) {
dprintf("[J] OOM!");
return;
}
newTrackedBuf->next = NULL;
newTrackedBuf->prev = NULL;
if (!_stricmp(inputType, "msfpattern")) {
size = strtoul(bufPatt, NULL, 10);
msfPattern = (char *) malloc(size+1);
if (msfPattern == NULL) {
dprintf("[J] Failed to allocate %d bytes!\n", size+1);
return;
}
msf_pattern_create(size, msfPattern);
msfPattern[size] = '\x00';
newTrackedBuf->bufPatt = msfPattern;
} else if (!_stricmp(inputType, "ascii")){
newTrackedBuf->bufPatt = _strdup(bufPatt);
size = strlen(bufPatt);
} else if (!_stricmp(inputType, "file")) {
newTrackedBuf->bufPatt = (char *) malloc(size+1);
if (newTrackedBuf->bufPatt == NULL) {
dprintf("[J] Failed to allocate %d bytes!\n", size+1);
return;
}
readFileIntoBuf(bufPatt, size, newTrackedBuf->bufPatt);
}
newTrackedBuf->bufName = _strdup(bufName);
newTrackedBuf->bufSize = size;
if (newTrackedBuf->bufName == NULL || newTrackedBuf->bufPatt == NULL) {
dprintf("[J] OOM!");
return;
}
if (trackedBufList == NULL) {
trackedBufList = newTrackedBuf;
} else {
curBuf = trackedBufList;
while (curBuf->next != NULL) {
curBuf = curBuf->next;
}
curBuf->next = newTrackedBuf;
newTrackedBuf->prev = curBuf;
}
dprintf("[J] Creating buffer %s.\n", bufName);
}
void rmBufJutsu(char *bufName) {
struct trackedBuf *curBuf;
curBuf = trackedBufList;
while (curBuf != NULL) {
if(!_stricmp(bufName, curBuf->bufName))
break;
curBuf = curBuf->next;
}
if (curBuf != NULL) {
if (curBuf->prev != NULL)
curBuf->prev->next = curBuf->next;
if (curBuf->next != NULL)
curBuf->next->prev = curBuf->prev;
if (curBuf == trackedBufList)
trackedBufList = curBuf->next;
free(curBuf->bufName);
free(curBuf->bufPatt);
free(curBuf);
dprintf("[J] Removed buffer: %s\n", bufName);
} else {
dprintf("[J] Unable to find buffer: %s\n", bufName);
}
}
void listTrackedBufJutsu() {
struct trackedBuf *curBuf;
curBuf = trackedBufList;
if (curBuf == NULL) {
dprintf("[J] Currntly tracking no buffer patterns.\n");
} else {
dprintf("[J] Currently tracked buffer patterns:\n");
while (curBuf != NULL) {
dprintf("\tBuf: %s\tPattern: %s\n", curBuf->bufName, curBuf->bufPatt);
curBuf = curBuf->next;
}
}
dprintf("\n");
}
void hunterJutsu() {
struct trackedBuf *curBuf;
struct bufInstance *instance;
ULONG i, j, range, addr, *nextNum, foundInstance;
BOOLEAN caught;
char *corUpper, *corLower, *corUni;
for (i = 0; regs[i] != NULL; i++) {
addr = GetExpression(regs[i]);
curBuf = trackedBufList;
caught = FALSE;
while (curBuf != NULL) {
range = curBuf->bufSize;
for (j = 0; j < range-3; j++) {
nextNum = (ULONG *) ((curBuf->bufPatt) + j);
if (*nextNum == addr) {
dprintf("[J] Controlling %s with %s at offset %d.\n",
regs[i], curBuf->bufName, j);
caught = TRUE;
break;
}
}
curBuf = curBuf->next;
if (caught)
break;
}
}
// Now, find all instances of buffers in memory with a fuzzy match! :)
curBuf = trackedBufList;
while (curBuf != NULL) {
foundInstance = searchMemory((unsigned char *) curBuf->bufPatt,
(curBuf->bufSize > 32) ? 32 : curBuf->bufSize);
if (foundInstance != 0) {
// try for larger increments
instance = (struct bufInstance *) malloc(sizeof (struct bufInstance));
memset(instance, 0, sizeof (struct bufInstance));
instance->address = foundInstance;
dprintf("[J] Found buffer %s @ 0x%08x\n", curBuf->bufName, foundInstance);
}
// try standard corruptions
range = (curBuf->bufSize > 32) ? 32 : curBuf->bufSize;
corUpper = (char *) malloc(range + 1);
corLower = (char *) malloc(range + 1);
corUni = (char *) malloc((range + 1) * 2);
for (i = j = 0; i < range; i++) {
corUpper[i] = (char) toupper(curBuf->bufPatt[i]);
corLower[i] = (char) tolower(curBuf->bufPatt[i]);
corUni[j++] = curBuf->bufPatt[i];
corUni[j++] = '\x00';
}
if ((foundInstance = searchMemory((unsigned char *) corUpper, range)) != 0)
dprintf("[J] Found buffer %s @ 0x%08x - Victim of toUpper!\n",
curBuf->bufName, foundInstance);
if ((foundInstance = searchMemory((unsigned char *) corLower, range)) != 0)
dprintf("[J] Found buffer %s @ 0x%08x - Victim of toLower!\n",
curBuf->bufName, foundInstance);
if ((foundInstance = searchMemory((unsigned char *) corUni, range*2)) != 0)
dprintf("[J] Found buffer %s @ 0x%08x - Victim of Unicode Conversion!\n",
curBuf->bufName, foundInstance);
free(corUpper);
free(corLower);
free(corUni);
curBuf = curBuf->next;
}
}
ULONG64 allocateMemoryBlock(unsigned long size){
unsigned long processId = 0;
void * allocBuffer = 0;
if(g_ExtSystem->GetCurrentProcessSystemId(&processId) != S_OK){
dprintf("[J] failed to find process id\n");
return 0;
}
if(!(processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, processId))){
dprintf("[J] OpenProcess failed\n");
return 0;
}
if(!(allocBuffer = VirtualAllocEx(processHandle, NULL, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE))){
dprintf("[J] VirtualAllocEx failed\n");
CloseHandle(processHandle);
return 0;
}
//CloseHandle(processHandle);
return ((ULONG64)allocBuffer);
}
unsigned short getInstructionBytes(char * instruction, unsigned char * opcodeBuffer){
BYTE zero = 0;
BYTE byteCounter = 0;
ULONG64 byteEnd = 0;
BYTE i = 0;
if(!disassemblyBuffer){
if(!(disassemblyBuffer = allocateMemoryBlock(0x1000))){
dprintf("[J] allocateMemoryBlock failed\n");
return (0);
}
}
if(g_ExtControl->Assemble(disassemblyBuffer, instruction, &byteEnd) != S_OK){
dprintf("[J] failed to assemble instruction\n");
return (0);
}
if(!ReadMemory(disassemblyBuffer, opcodeBuffer, (byteEnd-disassemblyBuffer), NULL)){
dprintf("[J] failed to read opcode sequence\n");
return (0);
}
for(i=0; i<(byteEnd-disassemblyBuffer); i++){
if(!WriteMemory((disassemblyBuffer+i), &zero, 1, NULL)){
dprintf("[J] failed to zero memory\n");
return (0);
}
}
#if 0
dprintf("[J] Opcode sequence for instruction %s:", instruction);
for(byteCounter=0; ((disassemblyBuffer+byteCounter)<byteEnd); byteCounter++){
dprintf("%02x ", opcodeBuffer[byteCounter]);
}
dprintf("\n");
#endif
return (byteEnd-disassemblyBuffer);
}
ULONG64 searchMemory(unsigned char * byteBuffer, unsigned long length){
ULONG64 addressHit = 0;
HRESULT memSearch = S_OK;
if((memSearch = g_ExtData->SearchVirtual((ULONG64)0, (ULONG64)-1, byteBuffer,
length, 1, &addressHit)) != S_OK){
#if 0
if(memSearch == HRESULT_FROM_NT(STATUS_NO_MORE_ENTRIES)){
dprintf("[J] byte sequence not found in virtual memory\n");
}
else{
dprintf("[J] byte search failed for another reason\n");
}
#endif
return (0);
}
return (addressHit);
}
DWORD findAllVals(unsigned char *byteBuffer, BYTE size, struct valInstance **instance) {
ULONG64 addressHit = 0;
DWORD addressCount = 0;
HRESULT memSearch;
struct valInstance *newValInstance;
*instance = NULL;
while ((memSearch = g_ExtData->SearchVirtual(addressHit+size, (ULONG64)-1, byteBuffer,
size, 1, &addressHit)) == S_OK) {
if (!*instance) {
*instance = (struct valInstance *) malloc(sizeof (struct valInstance));
newValInstance = *instance;
} else {
newValInstance->next = (struct valInstance *) malloc(sizeof (struct valInstance));
newValInstance = newValInstance->next;
}
newValInstance->address = addressHit;
newValInstance->next = NULL;
addressCount++;
}
return (addressCount);
}
BOOL checkExecutability(ULONG64 checkAddress){
MEMORY_BASIC_INFORMATION protectionInfo;
if(!VirtualQueryEx(processHandle, (LPVOID)checkAddress, &protectionInfo, sizeof(MEMORY_BASIC_INFORMATION))){
dprintf("[J] Unable to obtain protection information for address 0x%08x\n", checkAddress);
return FALSE;
}
//dprintf("allocation info: 0x%08x and 0x%08x\n", protectionInfo.AllocationProtect, protectionInfo.Protect);
if((protectionInfo.Protect & PAGE_EXECUTE_READ) != 0)
return TRUE;
//dprintf("[J] 0x%08x isn't executable\n");
return FALSE;
}
void searchOpcodes(char *instructions) {
char **instructionList;
unsigned char *byteSequence;
DWORD length, i, j, semiCount = 1, offset = 0;
ULONG64 ptr;
// Split instructions into seperate strings at pipes
length = 0;
while (instructions[length] != NULL) {
if (instructions[length] == '|')
semiCount++;
length++;
}
// Malloc space for instructionList;
instructionList = (char **) malloc((semiCount+1) * sizeof (char *));
if (instructionList == NULL) {
dprintf("[J] OOM!\n");
return;
}
instructionList[0] = instructions;
dprintf("[J] Searching for:\n");
i = 0; j = 0;
while (i < length) {
if (instructions[i] == '|') {
instructions[i] = '\x00';
dprintf("> %s\n", instructionList[j++]);
instructionList[j] = &(instructions[i+1]);
}
i++;
}
dprintf("> %s\n", instructionList[j]);
// Allocate space for byteSequence
byteSequence = (unsigned char *) malloc(semiCount * 6);
if (byteSequence == NULL) {
dprintf("[J] OOM!\n");
return;
}
// Generate byte sequence and display it
for (i = 0; i < semiCount; i++) {
unsigned char tmpbuf[8];
offset += getInstructionBytes(instructionList[i], byteSequence+offset);
}
dprintf("[J] Machine Code:\n> ");
for (i = 0; i < offset; i++) {
dprintf("%02x ", byteSequence[i]);
if (i != 0 && !(i % 16))
dprintf("\n> ");
}
dprintf("\n");
// Search for sequence in executable memory
ptr = searchMemory(byteSequence, offset);
if (ptr && checkExecutability(ptr))
dprintf("[J] Executable opcode sequence found at: 0x%08x\n", ptr);
return;
}
void returnAddressHuntJutsu(){
struct trackedBuf *curBuf;
int i = 0, bufferIndex = 0;
ULONG offset = 0, bytes = 0;
char findBufferExpression[25];
ULONG64 returnAddress = 0;
HRESULT memSearch = S_OK;
//disassembly variables
char returnInstruction[30];
unsigned char opcodeBuffer[30];
unsigned short instructionLength = 0;
dprintf("[J] started return address hunt\n");
for(i; i<6; i++){ //6, because we don't want to waste time on the eip register
curBuf = trackedBufList;
memset(findBufferExpression, 0x00, sizeof(findBufferExpression));
if(!(bytes = GetExpression(regs[i]))){
dprintf("[J] skipping %s as register - it is a null pointer\n", regs[i]);
continue;
}
StringCchPrintf(findBufferExpression, sizeof(findBufferExpression), "poi(%s)", regs[i]);
bytes = GetExpression(findBufferExpression);
//tests if a register points to a location in user controlled data
while(curBuf != NULL){
for(bufferIndex=0; bufferIndex < curBuf->bufSize; bufferIndex++){
if(*(PULONG)((curBuf->bufPatt)+bufferIndex) == bytes){
memset(opcodeBuffer, 0x00, sizeof(opcodeBuffer));
memset(returnInstruction, 0x00, sizeof(returnInstruction));
//find the opcodes for the desired instruction
//first, for call reg
StringCchPrintf(returnInstruction, sizeof(returnInstruction), "call %s", regs[i]);
if(!(instructionLength = getInstructionBytes(returnInstruction, opcodeBuffer)))
dprintf("[J] getInstructionBytes failed for '%s'\n", returnInstruction);
if(returnAddress = searchMemory(opcodeBuffer, instructionLength)){
if(checkExecutability(returnAddress))
dprintf("[J] valid return address (call %s) found at 0x%08x\n", regs[i], returnAddress);
}
//now, for jmp reg
memset(returnInstruction, 0x00, sizeof(returnInstruction));
StringCchPrintf(returnInstruction, sizeof(returnInstruction), "jmp %s", regs[i]);
if(!(instructionLength = getInstructionBytes(returnInstruction, opcodeBuffer)))
dprintf("[J] getInstructionBytes failed for '%s'\n", returnInstruction);
if(returnAddress = searchMemory(opcodeBuffer, instructionLength)){
if(checkExecutability(returnAddress))
dprintf("[J] valid return address (jmp %s) found at 0x%08x\n", regs[i], returnAddress);
}
}
}
curBuf = curBuf->next;
}
curBuf = trackedBufList;
for(offset=0; offset<0x1000; offset+=4){
memset(findBufferExpression, 0x00, sizeof(findBufferExpression));
StringCchPrintf(findBufferExpression, sizeof(findBufferExpression), "poi(poi(%s+0x%08x))", regs[i], offset);
if(!(bytes = GetExpression(findBufferExpression)))
continue; //this is basically a replacement for the
//ddp windbg command, except more automated
//walk through the buffer to see if any dword in there matches the current
//value returned by the expression
while(curBuf != NULL){
for(bufferIndex=0; bufferIndex < curBuf->bufSize; bufferIndex++){
if(*(PULONG)((curBuf->bufPatt)+bufferIndex) == bytes){
memset(opcodeBuffer, 0x00, sizeof(opcodeBuffer));
memset(returnInstruction, 0x00, sizeof(returnInstruction));
dprintf("[J] %s + 0x%08x points into offset 0x%x of buffer %s\n",
regs[i], offset, bufferIndex, curBuf->bufName);
//first, build the instruction to find the bytes for
//for now, we will support jmp [reg+offset] and call [reg+offset]
//first, for call [reg+offset]
StringCchPrintf(returnInstruction, sizeof(returnInstruction), "call [%s+%x]", regs[i], offset);
if(!(instructionLength = getInstructionBytes(returnInstruction, opcodeBuffer)))
dprintf("[J] getInstructionBytes failed for '%s'\n", returnInstruction);
if(returnAddress = searchMemory(opcodeBuffer, instructionLength)){
if(checkExecutability(returnAddress))
dprintf("[J] valid return address (call [%s+%x]) found at 0x%08x\n", regs[i], offset, returnAddress);
}
//now, for jmp [reg+offset]
memset(returnInstruction, 0x00, sizeof(returnInstruction));
StringCchPrintf(returnInstruction, sizeof(returnInstruction), "jmp [%s+%x]", regs[i], offset);
if(!(instructionLength = getInstructionBytes(returnInstruction, opcodeBuffer)))
dprintf("[J] getInstructionBytes failed for '%s'\n", returnInstruction);
if(returnAddress = searchMemory(opcodeBuffer, instructionLength)){
if(checkExecutability(returnAddress))
dprintf("[J] valid return address (jmp [%s+%x]) found at 0x%08x\n", regs[i], offset, returnAddress);
}
}
}
curBuf = curBuf->next;
}
curBuf = trackedBufList;
}
}
}