forked from mak/memfuzz
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathtrace.rb
84 lines (66 loc) · 1.77 KB
/
trace.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
require 'metasm'
require './apihook.rb'
include Metasm
class Integer
def inspect
"%Xh" % self
end
end
module Metasm
class Debugger
def log(*a)
end
end
end
class Trace
attr_reader :owned
def initialize(eqFuncList,file,inp,dasm=nil)
@eqFuncList = eqFuncList
@dbg = OS.current.create_debugger(file + " " + inp)
@input = inp
@dasm = dasm
@dasm ||= AutoExe.decode_file(file).disassemble
@funcList = find_functions
@owned = {}
setup = @funcList.map { |a| {:address => a, :condition => false}}
ApiHook.new(@dbg,setup,lambda {|a| hook(a)},nil)
end
def find_functions
l = nil
@dasm.load_plugin 'dasm_all'
@dasm.dasm_all_section '.text'
@dasm.function.keys.select do |x|
f = f2 = false
f = l.first =~ /^thunk/ if l= @dasm.label_alias[x]
f2 = l.first =~ /^entrypoint/ if l = @dasm.label_alias[x]
x.kind_of? Integer and not (f or f2)
end
end
def get_section_addr(name)
@dasm.section_info.select { |n,a,l,i| name == n}.first[1]
end
def hook(args)
@eqFuncList.each do |f|
i =0
owned_args = []
args.each do |x|
i += 1
b = case f
when Symbol
send f, @dbg,@dasm,@input,x when Proc
f.call(@dbg,@dasm,@input,x)
end
owned_args << i if b
end
fbeg = @dasm.find_function_start(@dbg.pc)
name = @dasm.label_alias[fbeg].first || fbeg
$stderr.puts "\n#{name}@#{fbeg.inspect}:\n\tYou own: " + owned_args.map { |i| "[esp + #{i * @dbg.cpu.size/8}]"}.join(', ') + "\n\n" if not owned_args.empty?
@owned[fbeg] = owned_args if not owned_args.empty?
end
end
end
if __FILE__ == $0
file = ARGV.shift || './a.out'
inp = ARGV.shift || 'AAAA'
Trace.new(file,inp)
end