Module: Rex::Arch::X86

Defined in:
lib/rex/arch/x86.rb

Overview

everything here is mostly stole from vlad’s perl x86 stuff

Constant Summary collapse

EAX =

Register number constants

AL = AX = ES = 0
ECX =
CL = CX = CS = 1
EDX =
DL = DX = SS = 2
EBX =
BL = BX = DS = 3
ESP =
AH = SP = FS = 4
EBP =
CH = BP = GS = 5
ESI =
DH = SI =      6
EDI =
BH = DI =      7
REG_NAMES32 =
[ 'eax', 'ecx', 'edx', 'ebx', 'esp', 'ebp', 'esi', 'edi' ]
REG_NAMES16 =
[ 'ax', 'cx', 'dx', 'bx', 'sp', 'bp', 'si', 'di' ]
REG_NAMES8L =
[ 'al', 'cl', 'dl', 'bl', nil, nil, nil, nil ]

Class Method Summary collapse

Class Method Details

._check_badchars(data, badchars) ⇒ Object

:nodoc:



388
389
390
391
392
393
394
# File 'lib/rex/arch/x86.rb', line 388

def self._check_badchars(data, badchars) # :nodoc:
  idx = Rex::Text.badchar_index(data, badchars)
  if idx
    raise RuntimeError, "Bad character at #{idx}", caller()
  end
  return data
end

._check_reg(*regs) ⇒ Object

:nodoc:



379
380
381
382
383
384
385
386
# File 'lib/rex/arch/x86.rb', line 379

def self._check_reg(*regs) # :nodoc:
  regs.each { |reg|
    if reg > 7 || reg < 0
      raise ArgumentError, "Invalid register #{reg}", caller()
    end
  }
  return nil
end

.add(val, reg, badchars = '', adjust = false, bits = 0) ⇒ Object

This method generates the opcodes equivalent to subtracting with a negative value from a given register.



343
344
345
# File 'lib/rex/arch/x86.rb', line 343

def self.add(val, reg, badchars = '', adjust = false, bits = 0)
  sub(val, reg, badchars, true, adjust, bits)
end

.adjust_reg(reg, adjustment) ⇒ Object

This method adjusts the value of the ESP register by a given amount.



371
372
373
374
375
376
377
# File 'lib/rex/arch/x86.rb', line 371

def self.adjust_reg(reg, adjustment)
  if (adjustment > 0)
    sub(adjustment, reg, '', false, false, 32)
  else
    add(adjustment, reg, '', true, 32)
  end
end

.call(addr) ⇒ Object

This method returns the opcodes that compose a relative call instruction to the address specified.



108
109
110
# File 'lib/rex/arch/x86.rb', line 108

def self.call(addr)
  "\xe8" + pack_dword(rel_number(addr, -5))
end

.clear(reg, badchars = '') ⇒ Object

This method generates an instruction that clears the supplied register in a manner that attempts to avoid bad characters, if supplied.



201
202
203
204
# File 'lib/rex/arch/x86.rb', line 201

def self.clear(reg, badchars = '')
  _check_reg(reg)
  return set(reg, 0, badchars)
end

.copy_to_stack(len) ⇒ Object

Generates a buffer that will copy memory immediately following the stub that is generated to be copied to the stack



78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
# File 'lib/rex/arch/x86.rb', line 78

def self.copy_to_stack(len)
  # four byte align
  len = (len + 3) & ~0x3

  stub =
    "\xeb\x0f"+                # jmp _end
    push_dword(len)+           # push n
    "\x59"+                    # pop ecx
    "\x5e"+                    # pop esi
    "\x29\xcc"+                # sub esp, ecx
    "\x89\xe7"+                # mov edi, esp
    "\xf3\xa4"+                # rep movsb
    "\xff\xe4"+                # jmp esp
    "\xe8\xec\xff\xff\xff"     # call _start

  stub
end

.dword_adjust(dword, amount = 0) ⇒ Object

This method adds/subs a packed long integer



54
55
56
# File 'lib/rex/arch/x86.rb', line 54

def self.dword_adjust(dword, amount=0)
  pack_dword(dword.unpack('V')[0] + amount)
end

.encode_effective(shift, dst) ⇒ Object

This method generates the encoded effective value for a register.



151
152
153
# File 'lib/rex/arch/x86.rb', line 151

def self.encode_effective(shift, dst)
  return (0xc0 | (shift << 3) | dst)
end

.encode_modrm(dst, src) ⇒ Object

This method generates the mod r/m character for a source and destination register.



159
160
161
162
# File 'lib/rex/arch/x86.rb', line 159

def self.encode_modrm(dst, src)
  _check_reg(dst, src)
  return (0xc0 | src | dst << 3).chr
end

.fpu_instructionsObject

This method returns an array of ‘safe’ FPU instructions



399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
# File 'lib/rex/arch/x86.rb', line 399

def self.fpu_instructions
  fpus = []

  0xe8.upto(0xee) { |x| fpus << "\xd9" + x.chr }
  0xc0.upto(0xcf) { |x| fpus << "\xd9" + x.chr }
  0xc0.upto(0xdf) { |x| fpus << "\xda" + x.chr }
  0xc0.upto(0xdf) { |x| fpus << "\xdb" + x.chr }
  0xc0.upto(0xc7) { |x| fpus << "\xdd" + x.chr }

  fpus << "\xd9\xd0"
  fpus << "\xd9\xe1"
  fpus << "\xd9\xf6"
  fpus << "\xd9\xf7"
  fpus << "\xd9\xe5"

  # This FPU instruction seems to fail consistently on Linux
  #fpus << "\xdb\xe1"

  fpus
end

.geteip_fpu(badchars, modified_registers = []) ⇒ Object

This method returns an array containing a geteip stub, a register, and an offset This method will return nil if the getip generation fails



424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
# File 'lib/rex/arch/x86.rb', line 424

def self.geteip_fpu(badchars, modified_registers = [])
  #
  # Default badchars to an empty string
  #
  badchars ||= ''

  #
  # Bail out early if D9 is restricted
  #
  return nil if badchars.index("\xd9")

  #
  # Create a list of FPU instructions
  #
  fpus = *self.fpu_instructions
  bads = []
  badchars.each_byte  do |c|
    fpus.each do |str|
      bads << str if (str.index(c.chr))
    end
  end
  bads.each { |str| fpus.delete(str) }
  return nil if fpus.length == 0

  #
  # Create a list of registers to use for fnstenv
  #
  dsts = []
  0.upto(7) do |c|
    dsts << c if (not badchars.index( (0x70+c).chr ))
  end

  if (dsts.include?(ESP) and badchars.index("\x24"))
    dsts.delete(ESP)
  end

  return nil if dsts.length == 0

  #
  # Grab a random FPU instruction
  #
  fpu = fpus[ rand(fpus.length) ]

  #
  # Grab a random register from dst
  #
  while(dsts.length > 0)
    buf = ''
    mod_registers = [ESP]
    dst = dsts[ rand(dsts.length) ]
    dsts.delete(dst)

    # If the register is not ESP, copy ESP
    if (dst != ESP)
      mod_registers.push(dst)
      if badchars.index( (0x70 + dst).chr )
        mod_registers.pop(dst)
        next
      end

      if !(badchars.index("\x89") or badchars.index( (0xE0+dst).chr ))
        buf << "\x89" + (0xE0 + dst).chr
      else
        if badchars.index("\x54")
          mod_registers.pop(dst)
          next
        end
        if badchars.index( (0x58+dst).chr )
          mod_registers.pop(dst)
          next
        end
        buf << "\x54" + (0x58 + dst).chr
      end
    end

    pad = 0
    while (pad < (128-12) and badchars.index( (256-12-pad).chr))
      pad += 4
    end

    # Give up on finding a value to use here
    if (pad == (128-12))
      return nil
    end

    out = buf + fpu + "\xd9" + (0x70 + dst).chr
    out << "\x24" if dst == ESP
    out << (256-12-pad).chr

    regs = [*(0..7)]
    while (regs.length > 0)
      reg = regs[ rand(regs.length) ]
      regs.delete(reg)
      next if reg == ESP
      next if badchars.index( (0x58 + reg).chr )
      mod_registers.push(reg)

      # Pop the value back out
      0.upto(pad / 4) { |c| out << (0x58 + reg).chr }

      # Fix the value to point to self
      gap = out.length - buf.length

      mod_registers.uniq!
      modified_registers.concat(mod_registers)
      return [out, REG_NAMES32[reg].upcase, gap]
    end
    mod_registers.pop(dst)
  end

  return nil
end

.jmp(addr) ⇒ Object

This method returns the opcodes that compose a jump instruction to the supplied relative offset.



47
48
49
# File 'lib/rex/arch/x86.rb', line 47

def self.jmp(addr)
  "\xe9" + pack_dword(rel_number(addr))
end

.jmp_reg(str) ⇒ Object

Jump tp a specific register



31
32
33
34
35
# File 'lib/rex/arch/x86.rb', line 31

def self.jmp_reg(str)
  reg = reg_number(str)
  _check_reg(reg)
  "\xFF" + [224 + reg].pack('C')
end

.jmp_short(addr) ⇒ Object

This method returns the opcodes that compose a short jump instruction to the supplied relative offset.



100
101
102
# File 'lib/rex/arch/x86.rb', line 100

def self.jmp_short(addr)
  "\xeb" + pack_lsb(rel_number(addr, -2))
end

.loop(offset) ⇒ Object

Generate a LOOP instruction (Decrement ECX and jump short if ECX == 0)



40
41
42
# File 'lib/rex/arch/x86.rb', line 40

def self.loop(offset)
  "\xE2" + pack_lsb(rel_number(offset, -2))
end

.mov_byte(reg, val) ⇒ Object

This method generates the opcodes that set the low byte of a given register to the supplied value.



210
211
212
213
214
# File 'lib/rex/arch/x86.rb', line 210

def self.mov_byte(reg, val)
  _check_reg(reg)
  # chr will raise RangeError if val not between 0 .. 255
  return (0xb0 | reg).chr + val.chr
end

.mov_dword(reg, val) ⇒ Object

This method generates the opcodes that set the a register to the supplied value.



232
233
234
235
# File 'lib/rex/arch/x86.rb', line 232

def self.mov_dword(reg, val)
  _check_reg(reg)
  return (0xb8 | reg).chr + pack_dword(val)
end

.mov_word(reg, val) ⇒ Object

This method generates the opcodes that set the low word of a given register to the supplied value.



220
221
222
223
224
225
226
# File 'lib/rex/arch/x86.rb', line 220

def self.mov_word(reg, val)
  _check_reg(reg)
  if val < 0 || val > 0xffff
    raise RangeError, "Can only take unsigned word values!", caller()
  end
  return "\x66" + (0xb8 | reg).chr + pack_word(val)
end

.pack_dword(num) ⇒ Object

This method wrappers packing an integer as a little-endian buffer.



357
358
359
# File 'lib/rex/arch/x86.rb', line 357

def self.pack_dword(num)
  [num].pack('V')
end

.pack_lsb(num) ⇒ Object

This method returns the least significant byte of a packed dword.



364
365
366
# File 'lib/rex/arch/x86.rb', line 364

def self.pack_lsb(num)
  pack_dword(num)[0,1]
end

.pack_word(num) ⇒ Object

This method wrappers packing a short integer as a little-endian buffer.



350
351
352
# File 'lib/rex/arch/x86.rb', line 350

def self.pack_word(num)
  [num].pack('v')
end

.pop_dword(dst) ⇒ Object

This method generates a pop dword instruction into a register.



192
193
194
195
# File 'lib/rex/arch/x86.rb', line 192

def self.pop_dword(dst)
  _check_reg(dst)
  return (0x58 | dst).chr
end

.push_byte(byte) ⇒ Object

This method generates a push byte instruction.

Raises:

  • (::ArgumentError)


167
168
169
170
171
172
173
# File 'lib/rex/arch/x86.rb', line 167

def self.push_byte(byte)
  # push byte will sign extend...
  if byte < 128 && byte >= -128
    return "\x6a" + (byte & 0xff).chr
  end
  raise ::ArgumentError, "Can only take signed byte values!", caller()
end

.push_dword(val) ⇒ Object

This method generates a push dword instruction.



185
186
187
# File 'lib/rex/arch/x86.rb', line 185

def self.push_dword(val)
  return "\x68" + pack_dword(val)
end

.push_word(val) ⇒ Object

This method generates a push word instruction.



178
179
180
# File 'lib/rex/arch/x86.rb', line 178

def self.push_word(val)
  return "\x66\x68" + pack_word(val)
end

.reg_name32(num) ⇒ Object

This method returns the register named associated with a given register number.



143
144
145
146
# File 'lib/rex/arch/x86.rb', line 143

def self.reg_name32(num)
  _check_reg(num)
  return REG_NAMES32[num].dup
end

.reg_number(str) ⇒ Object

This method returns the number associated with a named register.



135
136
137
# File 'lib/rex/arch/x86.rb', line 135

def self.reg_number(str)
  return self.const_get(str.upcase)
end

.register_names_to_ids(str) ⇒ Object

Parse a list of registers as a space or command delimited string and return the internal register IDs as an array



541
542
543
544
545
546
547
548
549
550
551
# File 'lib/rex/arch/x86.rb', line 541

def self.register_names_to_ids(str)
  register_ids = []
  str.to_s.strip.split(/[,\s]/).
    map    {|reg| reg.to_s.strip.upcase }.
    select {|reg| reg.length > 0        }.
    uniq.each do |reg|
      next unless self.const_defined?(reg.intern)
      register_ids << self.const_get(reg.intern)
    end
  register_ids
end

.rel_number(num, delta = 0) ⇒ Object

This method returns a number offset to the supplied string.



115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
# File 'lib/rex/arch/x86.rb', line 115

def self.rel_number(num, delta = 0)
  s = num.to_s

  case s[0, 2]
    when '$+'
      num = s[2 .. -1].to_i
    when '$-'
      num = -1 * s[2 .. -1].to_i
    when '0x'
      num = s.hex
    else
      delta = 0
  end

  return num + delta
end

.searcher(tag) ⇒ Object

This method returns the opcodes that compose a tag-based search routine



61
62
63
64
65
66
67
68
69
70
71
72
# File 'lib/rex/arch/x86.rb', line 61

def self.searcher(tag)
  "\xbe" + dword_adjust(tag,-1)+  # mov esi, Tag - 1
  "\x46" +                        # inc esi
  "\x47" +                        # inc edi (end_search:)
  "\x39\x37" +                    # cmp [edi],esi
  "\x75\xfb" +                    # jnz 0xa (end_search)
  "\x46" +                        # inc esi
  "\x4f" +                        # dec edi (start_search:)
  "\x39\x77\xfc" +                # cmp [edi-0x4],esi
  "\x75\xfa" +                    # jnz 0x10 (start_search)
  jmp_reg('edi')                  # jmp edi
end

.set(dst, val, badchars = '') ⇒ Object

(ie. xor eax, eax + mov al, 4 + xchg ah, al)

Raises:

  • (RuntimeError)


243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
# File 'lib/rex/arch/x86.rb', line 243

def self.set(dst, val, badchars = '')
  _check_reg(dst)

  # If the value is 0 try xor/sub dst, dst (2 bytes)
  if val == 0
    opcodes = Rex::Text.remove_badchars("\x29\x2b\x31\x33", badchars)
    if !opcodes.empty?
      return opcodes[rand(opcodes.length)].chr + encode_modrm(dst, dst)
    end
# TODO: SHL/SHR
# TODO: AND
  end

  # try push BYTE val; pop dst (3 bytes)
  begin
    return _check_badchars(push_byte(val) + pop_dword(dst), badchars)
  rescue ::ArgumentError, ::RuntimeError, ::RangeError
  end

  # try clear dst, mov BYTE dst (4 bytes)
  begin
    unless val == 0 # clear tries to set(dst, 0, badchars), entering an infinite recursion
      return _check_badchars(clear(dst, badchars) + mov_byte(dst, val), badchars)
    end
  rescue ::ArgumentError, ::RuntimeError, ::RangeError
  end

  # try mov DWORD dst (5 bytes)
  begin
    return _check_badchars(mov_dword(dst, val), badchars)
  rescue ::ArgumentError, ::RuntimeError, ::RangeError
  end

  # try push DWORD, pop dst (6 bytes)
  begin
    return _check_badchars(push_dword(val) + pop_dword(dst), badchars)
  rescue ::ArgumentError, ::RuntimeError, ::RangeError
  end

  # try clear dst, mov WORD dst (6 bytes)
  begin
    unless val == 0 # clear tries to set(dst, 0, badchars), entering an infinite recursion
      return _check_badchars(clear(dst, badchars) + mov_word(dst, val), badchars)
    end
  rescue ::ArgumentError, ::RuntimeError, ::RangeError
  end

  raise RuntimeError, "No valid set instruction could be created!", caller()
end

.sub(val, reg, badchars = '', add = false, adjust = false, bits = 0) ⇒ Object

Builds a subtraction instruction using the supplied operand and register.



297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
# File 'lib/rex/arch/x86.rb', line 297

def self.sub(val, reg, badchars = '', add = false, adjust = false, bits = 0)
  opcodes = []
  shift   = (add == true) ? 0 : 5

  if (bits <= 8 and val >= -0x7f and val <= 0x7f)
    opcodes <<
      ((adjust) ? '' : clear(reg, badchars)) +
      "\x83" +
      [ encode_effective(shift, reg) ].pack('C') +
      [ val.to_i ].pack('C')
  end

  if (bits <= 16 and val >= -0xffff and val <= 0)
    opcodes <<
      ((adjust) ? '' : clear(reg, badchars)) +
      "\x66\x81" +
      [ encode_effective(shift, reg) ].pack('C') +
      [ val.to_i ].pack('v')
  end

  opcodes <<
    ((adjust) ? '' : clear(reg, badchars)) +
    "\x81" +
    [ encode_effective(shift, reg) ].pack('C') +
    [ val.to_i ].pack('V')

  # Search for a compatible opcode
  opcodes.each { |op|
    begin
      _check_badchars(op, badchars)
    rescue
      next
    end

    return op
  }

  if opcodes.empty?
    raise RuntimeError, "Could not find a usable opcode", caller()
  end
end