├── AUTHORS ├── CHANGES ├── Makefile.am ├── README ├── bindings ├── Makefile.am └── python │ ├── Makefile.am │ ├── libemu_module.c │ └── setup.py.in ├── configure.ac ├── debian ├── changelog ├── compat ├── control ├── copyright ├── docs ├── files ├── libemu-dev.install ├── libemu.install └── rules ├── doc ├── Makefile.am └── libemu.3 ├── include ├── Makefile.am └── emu │ ├── Makefile.am │ ├── emu.h │ ├── emu_breakpoint.h │ ├── emu_cpu.h │ ├── emu_cpu_data.h │ ├── emu_cpu_functions.h │ ├── emu_cpu_instruction.h │ ├── emu_cpu_itables.h │ ├── emu_cpu_stack.h │ ├── emu_fpu_instruction.h │ ├── emu_getpc.h │ ├── emu_graph.h │ ├── emu_hashtable.h │ ├── emu_instruction.h │ ├── emu_list.h │ ├── emu_log.h │ ├── emu_memory.h │ ├── emu_queue.h │ ├── emu_shellcode.h │ ├── emu_source.h │ ├── emu_stack.h │ ├── emu_string.h │ ├── emu_track.h │ └── environment │ ├── Makefile.am │ ├── emu_env.h │ ├── emu_profile.h │ ├── linux │ ├── Makefile.am │ ├── emu_env_linux.h │ ├── env_linux_syscall_hooks.h │ └── env_linux_syscalls.h │ └── win32 │ ├── Makefile.am │ ├── emu_env_w32.h │ ├── emu_env_w32_dll.h │ ├── emu_env_w32_dll_export.h │ ├── env_w32_dll_export_hooks.h │ ├── env_w32_dll_export_kernel32_hooks.h │ ├── env_w32_dll_export_msvcrt_hooks.h │ ├── env_w32_dll_export_shdocvw_hooks.h │ ├── env_w32_dll_export_shell32_hooks.h │ ├── env_w32_dll_export_urlmon_hooks.h │ └── env_w32_dll_export_ws2_32_hooks.h ├── libemu.doxy ├── libemu.pc.in ├── src ├── Makefile.am ├── emu.c ├── emu_breakpoint.c ├── emu_cpu.c ├── emu_cpu_data.c ├── emu_getpc.c ├── emu_graph.c ├── emu_hashtable.c ├── emu_list.c ├── emu_log.c ├── emu_memory.c ├── emu_queue.c ├── emu_shellcode.c ├── emu_source.c ├── emu_stack.c ├── emu_string.c ├── emu_track.c ├── environment │ ├── emu_env.c │ ├── emu_profile.c │ ├── linux │ │ ├── emu_env_linux.c │ │ └── env_linux_syscall_hooks.c │ └── win32 │ │ ├── dlls │ │ ├── advapi32dll.c │ │ ├── kernel32dll.c │ │ ├── msvcrtdll.c │ │ ├── ntdll.c │ │ ├── shdocvwdll.c │ │ ├── shell32dll.c │ │ ├── shlwapidll.c │ │ ├── urlmondll.c │ │ ├── user32dll.c │ │ ├── wininetdll.c │ │ └── ws2_32dll.c │ │ ├── emu_env_w32.c │ │ ├── emu_env_w32_dll.c │ │ ├── emu_env_w32_dll_export.c │ │ ├── env_w32_dll_export_kernel32_hooks.c │ │ ├── env_w32_dll_export_msvcrt_hooks.c │ │ ├── env_w32_dll_export_shdocvw_hooks.c │ │ ├── env_w32_dll_export_shell32_hooks.c │ │ ├── env_w32_dll_export_urlmon_hooks.c │ │ └── env_w32_dll_export_ws2_32_hooks.c ├── functions │ ├── Makefile.am │ ├── aaa.c │ ├── adc.c │ ├── add.c │ ├── and.c │ ├── call.c │ ├── cmp.c │ ├── cmps.c │ ├── dec.c │ ├── div.c │ ├── group_1.c │ ├── group_10.c │ ├── group_2.c │ ├── group_3.c │ ├── group_4.c │ ├── group_5.c │ ├── idiv.c │ ├── imul.c │ ├── inc.c │ ├── int.c │ ├── jcc.c │ ├── jmp.c │ ├── lodscc.c │ ├── loopcc.c │ ├── misc.c │ ├── mov.c │ ├── movsx.c │ ├── movzx.c │ ├── mul.c │ ├── neg.c │ ├── not.c │ ├── or.c │ ├── pop.c │ ├── push.c │ ├── rcl.c │ ├── rcr.c │ ├── repcc.c │ ├── ret.c │ ├── rol.c │ ├── ror.c │ ├── sal.c │ ├── sar.c │ ├── sbb.c │ ├── scas.c │ ├── shr.c │ ├── stoscc.c │ ├── sub.c │ ├── test.c │ ├── xchg.c │ └── xor.c ├── libdasm.c ├── libdasm.h └── opcode_tables.h ├── testsuite ├── Makefile.am ├── cpu_run.c ├── emunids.c ├── hashtest.c ├── instrtest.c ├── instrtree.c ├── main.c ├── memtest.c └── scprofiler.c └── tools ├── Makefile.am └── sctest ├── Makefile.am ├── dot.c ├── dot.h ├── nanny.c ├── nanny.h ├── options.h ├── sctestmain.c ├── tests.c ├── tests.h ├── userhooks.c └── userhooks.h /AUTHORS: -------------------------------------------------------------------------------- 1 | 2 | libemu was designed and written by: 3 | * Paul Baecher 4 | * Markus Koetter 5 | 6 | 7 | special thanks go to: 8 | * jt / nologin.org for libdasm 9 | * Tony Finch for http://dotat.at/prog/lists/list.h 10 | -------------------------------------------------------------------------------- /Makefile.am: -------------------------------------------------------------------------------- 1 | # $Id$ 2 | 3 | ACLOCAL_AMFLAGS = -I m4 4 | AUTOMAKE_OPTIONS = foreign 5 | 6 | SUBDIRS = src include testsuite doc bindings tools 7 | 8 | 9 | EXTRA_DIST = configure.ac CHANGES libemu.pc.in 10 | 11 | pkgconfigdir = /usr/lib/pkgconfig/ 12 | pkgconfig_DATA = libemu.pc 13 | 14 | -------------------------------------------------------------------------------- /README: -------------------------------------------------------------------------------- 1 | 2 | _______________ 3 | | | 4 | | | 5 | | libemu | 6 | | x86 emulation | 7 | | | 8 | | | 9 | | | 10 | \ O | 11 | \______________| 12 | 13 | 14 | homepage: http://libemu.mwcollect.org 15 | 16 | 17 | building from svn: 18 | autoreconf -v -i 19 | ./configure --prefix=/opt/libemu; make install 20 | 21 | building from tarball: 22 | tar xvfz libemu-VERSION.tar.gz 23 | cd libemu-VERSION 24 | ./configure --prefix=/opt/libemu; make install 25 | 26 | 27 | specific configure options: 28 | 29 | --enable-debug enable debug code generation [default=yes] 30 | debug messages, instruction strings, nothing one wants to miss, even if it takes a lot of cpu cycles. 31 | 32 | 33 | 34 | -------------------------------------------------------------------------------- /bindings/Makefile.am: -------------------------------------------------------------------------------- 1 | # $Id$ 2 | 3 | AUTOMAKE_OPTIONS = foreign 4 | 5 | if ENABLE_PYTHON_BINDINGS 6 | python_dir = python 7 | endif 8 | 9 | SUBDIRS = $(python_dir) 10 | 11 | -------------------------------------------------------------------------------- /bindings/python/Makefile.am: -------------------------------------------------------------------------------- 1 | # $Id$ 2 | 3 | AUTOMAKE_OPTIONS = foreign 4 | 5 | all: 6 | python setup.py build 7 | 8 | install: all 9 | python setup.py install 10 | 11 | clean: 12 | python setup.py clean 13 | 14 | dist-clean: clean 15 | 16 | 17 | EXTRA_DIST = setup.py libemu_module.c 18 | 19 | 20 | -------------------------------------------------------------------------------- /bindings/python/setup.py.in: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | from distutils.core import setup, Extension 4 | 5 | libemu = Extension('libemu', 6 | sources = ['libemu_module.c'], 7 | include_dirs = ['../../include'], 8 | library_dirs = ['../../src/.libs'], 9 | extra_link_args=['-Wl,-rpath=@LIBDIR@'], 10 | libraries = ['emu'], 11 | ) 12 | 13 | setup (name = 'libemu', 14 | version = '@VERSION@', 15 | description = 'Python interface to the libemu x86 emulator.', 16 | author = 'Georg Wicherski', 17 | author_email = 'gw@mwcollect.org', 18 | url = 'http://libemu.mwcollect.org/', 19 | ext_modules = [libemu]) 20 | -------------------------------------------------------------------------------- /debian/changelog: -------------------------------------------------------------------------------- 1 | libemu (0.2.0-1) unstable; urgency=low 2 | 3 | * Initial release (Closes: #nnnn) 4 | 5 | -- common Mon, 17 May 2010 22:14:41 +0200 6 | -------------------------------------------------------------------------------- /debian/compat: -------------------------------------------------------------------------------- 1 | 7 2 | -------------------------------------------------------------------------------- /debian/control: -------------------------------------------------------------------------------- 1 | Source: libemu 2 | Priority: extra 3 | Maintainer: Nepenthes Development Team 4 | Build-Depends: debhelper (>= 7), autotools-dev 5 | Standards-Version: 3.8.1 6 | Section: libs 7 | Homepage: http://libemu.carnivore.it 8 | 9 | Package: libemu-dev 10 | Section: libdevel 11 | Architecture: any 12 | Depends: libemu (= ${binary:Version}) 13 | Description: libemu development files 14 | 15 | Package: libemu 16 | Section: libs 17 | Architecture: any 18 | Description: libemu library 19 | -------------------------------------------------------------------------------- /debian/copyright: -------------------------------------------------------------------------------- 1 | This package was debianized by Nepenthes Development Team on 2 | Mon, 17 May 2010 22:14:41 +0200. 3 | 4 | It was downloaded from http://libemu.carnivore.it 5 | 6 | Upstream Author(s): 7 | 8 | 9 | 10 | Copyright: 11 | 12 | 13 | 14 | 15 | License: 16 | 17 | GPL 18 | 19 | The Debian packaging is: 20 | 21 | Copyright (C) 2010 Markus Kötter 22 | 23 | and is licensed under the GPL version 3, 24 | see `/usr/share/common-licenses/GPL-3'. 25 | 26 | # Please also look if there are files or directories which have a 27 | # different copyright/license attached and list them here. 28 | -------------------------------------------------------------------------------- /debian/docs: -------------------------------------------------------------------------------- 1 | README 2 | -------------------------------------------------------------------------------- /debian/files: -------------------------------------------------------------------------------- 1 | libemu-dev_0.2.0-1_amd64.deb libdevel extra 2 | libemu_0.2.0-1_amd64.deb libs extra 3 | -------------------------------------------------------------------------------- /debian/libemu-dev.install: -------------------------------------------------------------------------------- 1 | usr/include/emu/* 2 | -------------------------------------------------------------------------------- /debian/libemu.install: -------------------------------------------------------------------------------- 1 | usr/lib/libemu.so.* 2 | usr/lib/libemu.so 3 | usr/lib/libemu.a 4 | -------------------------------------------------------------------------------- /debian/rules: -------------------------------------------------------------------------------- 1 | #!/usr/bin/make -f 2 | # -*- makefile -*- 3 | # Sample debian/rules that uses debhelper. 4 | # This file was originally written by Joey Hess and Craig Small. 5 | # As a special exception, when this file is copied by dh-make into a 6 | # dh-make output file, you may use that output file without restriction. 7 | # This special exception was added by Craig Small in version 0.37 of dh-make. 8 | 9 | # Uncomment this to turn on verbose mode. 10 | #export DH_VERBOSE=1 11 | 12 | %: 13 | dh $@ 14 | -------------------------------------------------------------------------------- /doc/Makefile.am: -------------------------------------------------------------------------------- 1 | # $Id$ 2 | 3 | AUTOMAKE_OPTIONS = foreign 4 | 5 | 6 | man_MANS = libemu.3 7 | 8 | EXTRA_DIST = $(man_MANS) 9 | 10 | -------------------------------------------------------------------------------- /include/Makefile.am: -------------------------------------------------------------------------------- 1 | # $Id$ 2 | 3 | AUTOMAKE_OPTIONS = foreign 4 | 5 | SUBDIRS = emu 6 | -------------------------------------------------------------------------------- /include/emu/Makefile.am: -------------------------------------------------------------------------------- 1 | # $Id$ 2 | 3 | AUTOMAKE_OPTIONS = foreign 4 | 5 | SUBDIRS = environment 6 | 7 | includedir = $(prefix)/include/emu 8 | 9 | include_HEADERS = emu.h 10 | include_HEADERS += emu_cpu_data.h 11 | include_HEADERS += emu_cpu_functions.h 12 | include_HEADERS += emu_cpu.h 13 | include_HEADERS += emu_cpu_instruction.h 14 | include_HEADERS += emu_cpu_itables.h 15 | include_HEADERS += emu_cpu_stack.h 16 | include_HEADERS += emu_fpu_instruction.h 17 | include_HEADERS += emu_getpc.h 18 | include_HEADERS += emu_graph.h 19 | include_HEADERS += emu_hashtable.h 20 | include_HEADERS += emu_instruction.h 21 | include_HEADERS += emu_list.h 22 | include_HEADERS += emu_log.h 23 | include_HEADERS += emu_memory.h 24 | include_HEADERS += emu_queue.h 25 | include_HEADERS += emu_shellcode.h 26 | include_HEADERS += emu_source.h 27 | include_HEADERS += emu_stack.h 28 | include_HEADERS += emu_string.h 29 | include_HEADERS += emu_track.h 30 | include_HEADERS += emu_breakpoint.h 31 | 32 | 33 | #include_HEADERS = emu.h 34 | #include_HEADERS += emu_log.h 35 | #include_HEADERS += emu_cpu.h 36 | #include_HEADERS += emu_memory.h 37 | 38 | 39 | #noinst_HEADERS = emu_cpu_data.h 40 | #noinst_HEADERS += emu_cpu_functions.h 41 | #noinst_HEADERS += emu_cpu_itables.h 42 | #noinst_HEADERS += emu_cpu_stack.h 43 | -------------------------------------------------------------------------------- /include/emu/emu.h: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #ifndef HAVE_EMU_H 29 | #define HAVE_EMU_H 30 | 31 | #include 32 | #include 33 | 34 | #ifndef MIN 35 | #define MIN(a,b) (((a)<(b))?(a):(b)) 36 | #endif 37 | 38 | #ifndef MAX 39 | #define MAX(a,b) (((a)>(b))?(a):(b)) 40 | #endif 41 | 42 | 43 | struct emu; 44 | struct emu_logging; 45 | struct emu_cpu; 46 | struct emu_fpu; 47 | 48 | 49 | /** 50 | * Create a new emu. 51 | * 52 | * @return on success: the new emu 53 | * on failure: NULL 54 | */ 55 | struct emu *emu_new(void); 56 | 57 | /** 58 | * Free the emu 59 | * 60 | * @param e the emu to free 61 | */ 62 | void emu_free(struct emu *e); 63 | 64 | /** 65 | * Retrieve a pointer to the emu's emu_memory. 66 | * 67 | * @param e the emu 68 | * 69 | * @return The pointer to the emu's emu_memory. 70 | */ 71 | struct emu_memory *emu_memory_get(struct emu *e); 72 | 73 | /** 74 | * Retrieve a pointer to the emu's logging facility. 75 | * 76 | * @param e the emu 77 | * 78 | * @return pointer to the emu's emu_logging. 79 | */ 80 | struct emu_logging *emu_logging_get(struct emu *e); 81 | 82 | /** 83 | * Retrieve a pointer to the emu's emu_cpu 84 | * 85 | * @param e the emu 86 | * 87 | * @return pointer to the emu's emu_cpu. 88 | */ 89 | struct emu_cpu *emu_cpu_get(struct emu *e); 90 | 91 | /** 92 | * Set the emu's internal errno 93 | * 94 | * @param e the emu 95 | * @param err 96 | */ 97 | void emu_errno_set(struct emu *e, int err); 98 | 99 | /** 100 | * Retrieve the emu's errno 101 | * 102 | * @param c the emu 103 | * 104 | * @return the emu's errno 105 | */ 106 | int emu_errno(struct emu *c); 107 | 108 | /** 109 | * Set the emu's strerror message. 110 | * 111 | * @param e the emu 112 | * @param format the errormessage format 113 | */ 114 | void emu_strerror_set(struct emu *e, const char *format, ...); 115 | 116 | /** 117 | * Retrieve the emu's strerror 118 | * 119 | * @param e the emu 120 | * 121 | * @return the strerror 122 | */ 123 | const char *emu_strerror(struct emu *e); 124 | 125 | 126 | /*int32_t emu_parse(struct emu *e); 127 | int32_t emu_step(struct emu *e);*/ 128 | #endif // HAVE_EMU_H 129 | -------------------------------------------------------------------------------- /include/emu/emu_breakpoint.h: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #ifndef HAVE_EMU_BREAKPOINT_H 29 | #define HAVE_EMU_BREAKPOINT_H 30 | 31 | #include 32 | #include 33 | 34 | struct emu; 35 | struct emu_memory; 36 | struct emu_breakpoint; 37 | 38 | #define EMU_ACCESS_READ (4) 39 | #define EMU_ACCESS_WRITE (2) 40 | /* NOTYET SUPPORTED */ 41 | #define EMU_ACCESS_EXECUTE (1) 42 | 43 | /* Argument Function Pointers */ 44 | typedef void (*emu_bp_resp)(struct emu *e); 45 | typedef bool (*emu_bp_cond)(struct emu *e); 46 | 47 | /* Memory Management */ 48 | struct emu_breakpoint *emu_breakpoint_alloc(struct emu_memory *mem); 49 | void emu_breakpoint_free(struct emu_breakpoint *bp); 50 | 51 | /* Set / Get */ 52 | void emu_breakpoint_set(struct emu_memory *m, uint32_t addr, uint8_t access, emu_bp_resp response); 53 | void emu_breakpoint_conditional_set(struct emu_memory *m, uint32_t addr, uint8_t access, emu_bp_resp response, emu_bp_cond condition); 54 | struct emu_breakpoint *emu_breakpoint_get(struct emu_memory *m, uint32_t addr); 55 | void emu_breakpoint_check(struct emu_memory *m, uint32_t addr, uint8_t access); 56 | 57 | void emu_breakpoint_remove(struct emu_memory *m, uint32_t addr); 58 | 59 | #endif /* HAVE_EMU_BREAKPOINT_H */ 60 | -------------------------------------------------------------------------------- /include/emu/emu_cpu.h: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #ifndef HAVE_EMU_CPU_H 29 | #define HAVE_EMU_CPU_H 30 | 31 | #include 32 | 33 | struct emu; 34 | struct emu_cpu; 35 | 36 | enum emu_reg32 { 37 | eax = 0, ecx, edx, ebx, esp, ebp, esi, edi 38 | }; 39 | 40 | 41 | enum emu_reg16 42 | { 43 | ax = 0,/* eax */ 44 | cx, /* ecx */ 45 | dx, /* edx */ 46 | bx, /* ebx */ 47 | sp, /* esp */ 48 | bp, /* ebp */ 49 | si, /* esp */ 50 | di /* edi */ 51 | 52 | }; 53 | 54 | 55 | enum emu_reg8 56 | { 57 | al=0, /* eax */ 58 | cl, /* ecx */ 59 | dl, /* edx */ 60 | bl, /* ebx */ 61 | ah, /* eax */ 62 | ch, /* ecx */ 63 | dh, /* edx */ 64 | bh /* ebx */ 65 | 66 | }; 67 | 68 | struct emu_cpu *emu_cpu_new(struct emu *e); 69 | 70 | uint32_t emu_cpu_reg32_get(struct emu_cpu *cpu_p, enum emu_reg32 reg); 71 | void emu_cpu_reg32_set(struct emu_cpu *cpu_p, enum emu_reg32 reg, uint32_t val); 72 | 73 | uint16_t emu_cpu_reg16_get(struct emu_cpu *cpu_p, enum emu_reg16 reg); 74 | void emu_cpu_reg16_set(struct emu_cpu *cpu_p, enum emu_reg16 reg, uint16_t val); 75 | 76 | uint8_t emu_cpu_reg8_get(struct emu_cpu *cpu_p, enum emu_reg8 reg); 77 | void emu_cpu_reg8_set(struct emu_cpu *cpu_p, enum emu_reg8 reg, uint8_t val); 78 | 79 | uint32_t emu_cpu_eflags_get(struct emu_cpu *c); 80 | void emu_cpu_eflags_set(struct emu_cpu *c, uint32_t val); 81 | 82 | /** 83 | * Set the cpu's EIP 84 | * 85 | * @param c the cpu 86 | * @param eip eip 87 | */ 88 | void emu_cpu_eip_set(struct emu_cpu *c, uint32_t eip); 89 | 90 | /** 91 | * get the cpu's EIP 92 | * 93 | * @param c the cpu 94 | * 95 | * @return EIP 96 | */ 97 | uint32_t emu_cpu_eip_get(struct emu_cpu *c); 98 | 99 | 100 | /** 101 | * parse a instruction at EIP 102 | * 103 | * @param c the cpu 104 | * 105 | * @return on success: 0 106 | * on errror : -1, check emu_errno and emu_strerror 107 | */ 108 | int32_t emu_cpu_parse(struct emu_cpu *c); 109 | 110 | /** 111 | * step the last instruction 112 | * 113 | * @param c the cpu 114 | * 115 | * @return on success: 0 116 | * on errror : -1, check emu_errno and emu_strerror 117 | */ 118 | int32_t emu_cpu_step(struct emu_cpu *c); 119 | 120 | int32_t emu_cpu_run(struct emu_cpu *c); 121 | 122 | void emu_cpu_free(struct emu_cpu *c); 123 | 124 | void emu_cpu_debug_print(struct emu_cpu *c); 125 | 126 | void emu_cpu_debugflag_set(struct emu_cpu *c, uint8_t flag); 127 | void emu_cpu_debugflag_unset(struct emu_cpu *c, uint8_t flag); 128 | 129 | 130 | #endif /* HAVEEMU_CPU_H */ 131 | -------------------------------------------------------------------------------- /include/emu/emu_cpu_instruction.h: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | 29 | #ifndef HAVE_EMU_CPU_INSTRUCTION 30 | #define HAVE_EMU_CPU_INSTRUCTION 31 | 32 | 33 | 34 | #include 35 | 36 | 37 | struct emu_cpu_instruction; 38 | struct emu_cpu; 39 | 40 | struct emu_cpu_instruction_info 41 | { 42 | int32_t (*function)(struct emu_cpu *, struct emu_cpu_instruction *); 43 | const char *name; 44 | 45 | struct 46 | { 47 | uint8_t s_bit : 1; 48 | uint8_t w_bit : 1; 49 | uint8_t modrm_byte : 4; 50 | uint8_t imm_data : 3; 51 | uint8_t disp_data : 3; 52 | uint8_t level : 2; 53 | uint8_t type : 2; 54 | uint8_t fpu_info : 1; 55 | } format; 56 | }; 57 | 58 | struct emu_cpu_instruction 59 | { 60 | uint8_t opc; 61 | uint8_t opc_2nd; 62 | uint16_t prefixes; 63 | uint8_t s_bit : 1; 64 | uint8_t w_bit : 1; 65 | uint8_t operand_size : 2; 66 | 67 | struct /* mod r/m data */ 68 | { 69 | union 70 | { 71 | uint8_t mod : 2; 72 | uint8_t x : 2; 73 | }; 74 | 75 | union 76 | { 77 | uint8_t reg1 : 3; 78 | uint8_t opc : 3; 79 | uint8_t sreg3 : 3; 80 | uint8_t y : 3; 81 | }; 82 | 83 | union 84 | { 85 | uint8_t reg : 3; 86 | uint8_t reg2 : 3; 87 | uint8_t rm : 3; 88 | uint8_t z : 3; 89 | }; 90 | 91 | struct 92 | { 93 | uint8_t scale : 2; 94 | uint8_t index : 3; 95 | uint8_t base : 3; 96 | } sib; 97 | 98 | union 99 | { 100 | uint8_t s8; 101 | uint16_t s16; 102 | uint32_t s32; 103 | } disp; 104 | 105 | uint32_t ea; 106 | } modrm; 107 | 108 | uint32_t imm; 109 | uint16_t *imm16; 110 | uint8_t *imm8; 111 | 112 | int32_t disp; 113 | 114 | 115 | }; 116 | 117 | 118 | 119 | 120 | #endif 121 | -------------------------------------------------------------------------------- /include/emu/emu_cpu_stack.h: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #ifndef EMU_CPU_STACK_H_ 29 | #define EMU_CPU_STACK_H_ 30 | 31 | #define PUSH_DWORD(cpu, arg) \ 32 | { \ 33 | uint32_t pushme; \ 34 | bcopy(&(arg), &pushme, 4); \ 35 | if (cpu->reg[esp] < 4) \ 36 | { \ 37 | emu_errno_set((cpu)->emu, ENOMEM); \ 38 | emu_strerror_set((cpu)->emu, \ 39 | "ran out of stack space writing a dword\n"); \ 40 | return -1; \ 41 | } \ 42 | cpu->reg[esp]-=4; \ 43 | { \ 44 | int32_t memret = emu_memory_write_dword(cpu->mem, cpu->reg[esp], pushme); \ 45 | if (memret != 0) \ 46 | return memret; \ 47 | } \ 48 | } 49 | 50 | 51 | #define PUSH_WORD(cpu, arg) \ 52 | { \ 53 | uint16_t pushme; \ 54 | bcopy(&(arg), &pushme, 2); \ 55 | if (cpu->reg[esp] < 2) \ 56 | { \ 57 | emu_errno_set((cpu)->emu, ENOMEM); \ 58 | emu_strerror_set((cpu)->emu, \ 59 | "ran out of stack space writing a word\n"); \ 60 | return -1; \ 61 | } \ 62 | cpu->reg[esp]-=2; \ 63 | { \ 64 | int32_t memret = emu_memory_write_word(cpu->mem, cpu->reg[esp], pushme);\ 65 | if (memret != 0) \ 66 | return memret; \ 67 | } \ 68 | } 69 | 70 | 71 | 72 | #define PUSH_BYTE(cpu, arg) \ 73 | { \ 74 | uint8_t pushme = arg; \ 75 | if (cpu->reg[esp] < 1) \ 76 | { \ 77 | emu_errno_set((cpu)->emu, ENOMEM); \ 78 | emu_strerror_set((cpu)->emu, \ 79 | "ran out of stack space writing a byte\n"); \ 80 | return -1; \ 81 | } \ 82 | cpu->reg[esp]-=1; \ 83 | { \ 84 | int32_t memret = emu_memory_write_byte(cpu->mem, cpu->reg[esp], pushme); \ 85 | if (memret != 0) \ 86 | return memret; \ 87 | } \ 88 | } 89 | 90 | 91 | #define POP_DWORD(cpu, dst_p) \ 92 | { int32_t ret = emu_memory_read_dword(cpu->mem, cpu->reg[esp], dst_p); \ 93 | if( ret != 0 ) \ 94 | return ret; \ 95 | else \ 96 | if ( dst_p != &cpu->reg[esp] ) \ 97 | cpu->reg[esp] += 4; } 98 | 99 | #define POP_WORD(cpu, dst_p) \ 100 | { int32_t ret = emu_memory_read_word(cpu->mem, cpu->reg[esp], dst_p); \ 101 | if( ret != 0 ) \ 102 | return ret; \ 103 | else \ 104 | cpu->reg[esp] += 2; } 105 | 106 | #define POP_BYTE(cpu, dst_p) \ 107 | { int32_t ret = emu_memory_read_byte(cpu->mem, cpu->reg[esp], dst_p); \ 108 | if( ret != 0 ) \ 109 | return ret; \ 110 | else \ 111 | cpu->reg[esp] += 1; } 112 | 113 | 114 | 115 | #endif /*EMU_CPU_STACK_H_*/ 116 | -------------------------------------------------------------------------------- /include/emu/emu_fpu_instruction.h: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #ifndef HAVE_EMU_FPU_INSTRUCTION_H 29 | #define HAVE_EMU_FPU_INSTRUCTION_H 30 | 31 | #define FPU_MOD(fpu) (fpu[1] >> 6) 32 | #define FPU_RM(fpu) (fpu[1] & 7) 33 | 34 | #define FPU_MF(fpu) ((fpu[0] >> 1) & 3) 35 | 36 | struct emu_fpu_instruction 37 | { 38 | uint16_t prefixes; 39 | 40 | uint8_t fpu_data[2]; /* TODO: split into correct fields */ 41 | uint32_t ea; 42 | 43 | uint32_t last_instr; 44 | 45 | }; 46 | 47 | #endif 48 | -------------------------------------------------------------------------------- /include/emu/emu_getpc.h: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | 29 | 30 | #include 31 | 32 | /** 33 | * 34 | * @param e 35 | * @param data 36 | * @param size 37 | * @param offset 38 | * 39 | * @return 1 for getpc via call or fnstenv 40 | * 2 for mov withing fs: segment 41 | */ 42 | uint8_t emu_getpc_check(struct emu *e, uint8_t *data, uint32_t size, uint32_t offset); 43 | -------------------------------------------------------------------------------- /include/emu/emu_graph.h: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #include 29 | #include 30 | #include 31 | 32 | #include "emu/emu_list.h" 33 | 34 | struct emu_vertex; 35 | 36 | header_list_typedefs(emu_edge_root,emu_edge,emu_edge_link); 37 | 38 | /** 39 | * The edge connects two vertexes. 40 | * 41 | * The following fields of a emu_vertex are to your own purpose: 42 | * - data, attach your own data. 43 | * 44 | * @see emu_vertex 45 | * @see emu_graph 46 | */ 47 | struct emu_edge 48 | { 49 | struct emu_vertex *destination; 50 | emu_edge_link link; 51 | uint32_t count; 52 | void *data; 53 | }; 54 | 55 | header_list_functions(emu_edges,emu_edge_root, emu_edge, link); 56 | 57 | struct emu_edge *emu_edge_new(void); 58 | void emu_edge_free(struct emu_edge *ee); 59 | 60 | 61 | header_list_typedefs(emu_vertex_root,emu_vertex,emu_vertex_link); 62 | header_list_functions(emu_vertexes,emu_vertex_root, emu_vertex, link); 63 | 64 | 65 | 66 | 67 | enum emu_color { black, blue, cyan, green, grey, magenta, red, white, yellow }; 68 | 69 | /** 70 | * The vertex is a vertex in a graph. 71 | * It can have edges to other vertexes, 72 | * and has backedges from the vertexes where it has edges too. 73 | * The following fields of the emu_vertex are for your own purposes: 74 | * - color, usefull for bfs & dfs 75 | * - distance, usefull for distance measurement 76 | * - data, attach your own data 77 | * 78 | * @see emu_edge 79 | * @see emu_graph 80 | */ 81 | struct emu_vertex 82 | { 83 | void *data; 84 | emu_edge_root *edges; 85 | 86 | emu_vertex_link link; 87 | enum emu_color color; 88 | 89 | emu_edge_root *backedges; 90 | uint32_t backlinks; 91 | 92 | uint32_t distance; 93 | }; 94 | 95 | 96 | struct emu_vertex *emu_vertex_new(void); 97 | void emu_vertex_free(struct emu_vertex *ev); 98 | void emu_vertex_data_set(struct emu_vertex *ev, void *data); 99 | void *emu_vertex_data_get(struct emu_vertex *ev); 100 | struct emu_edge *emu_vertex_edge_add(struct emu_vertex *ev, struct emu_vertex *to); 101 | 102 | typedef void (*emu_graph_destructor)(void *data); 103 | struct emu_graph 104 | { 105 | emu_vertex_root *vertexes; 106 | emu_graph_destructor vertex_destructor; 107 | }; 108 | 109 | struct emu_graph *emu_graph_new(void); 110 | void emu_graph_free(struct emu_graph *eg); 111 | void emu_graph_vertex_add(struct emu_graph *eg, struct emu_vertex *ev); 112 | 113 | bool emu_graph_path_exists(struct emu_graph *eg, struct emu_vertex *from, struct emu_vertex *to); 114 | bool emu_graph_loop_detect(struct emu_graph *eg, struct emu_vertex *from); 115 | int32_t emu_graph_distance(struct emu_graph *eg, struct emu_vertex *from, struct emu_vertex *to); 116 | -------------------------------------------------------------------------------- /include/emu/emu_instruction.h: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #ifndef EMU_INSTRUCTION_H 29 | #define EMU_INSTRUCTION_H 30 | 31 | #include 32 | #include 33 | #include "emu/emu_track.h" 34 | 35 | 36 | 37 | /** 38 | * The emu_instruction is the dummy struct for fpu/cpu instructions 39 | * The track & source information is used to 40 | * create the static instruction graph and run the binary 41 | * backwards traversal. 42 | * 43 | * @see emu_tracking_info 44 | */ 45 | struct emu_instruction 46 | { 47 | uint16_t prefixes; 48 | uint8_t opc; 49 | uint8_t is_fpu : 1; 50 | 51 | union 52 | { 53 | struct emu_cpu_instruction cpu; 54 | struct emu_fpu_instruction fpu; 55 | }; 56 | 57 | struct 58 | { 59 | struct emu_tracking_info init; 60 | struct emu_tracking_info need; 61 | } track; 62 | 63 | struct 64 | { 65 | uint8_t has_cond_pos : 1; 66 | uint32_t norm_pos; 67 | uint32_t cond_pos; 68 | } source; 69 | }; 70 | 71 | #endif 72 | -------------------------------------------------------------------------------- /include/emu/emu_log.h: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #ifndef HAVE_EMU_LOG_H 29 | #define HAVE_EMU_LOG_H 30 | 31 | struct emu; 32 | 33 | enum emu_log_level 34 | { 35 | EMU_LOG_NONE, 36 | EMU_LOG_INFO, 37 | EMU_LOG_DEBUG 38 | }; 39 | 40 | typedef void (*emu_log_logcb)(struct emu *e, enum emu_log_level level, const char *msg); 41 | 42 | struct emu_logging *emu_log_new(void); 43 | void emu_log_free(struct emu_logging *el); 44 | 45 | void emu_log_level_set(struct emu_logging *el, enum emu_log_level level); 46 | 47 | void emu_log(struct emu *e, enum emu_log_level level, const char *format, ...); 48 | 49 | void emu_log_set_logcb(struct emu_logging *el, emu_log_logcb logcb); 50 | 51 | void emu_log_default_logcb(struct emu *e, enum emu_log_level level, const char *msg); 52 | 53 | #define logInfo(e, format...) emu_log(e, EMU_LOG_INFO, format) 54 | 55 | #ifdef DEBUG 56 | #define logDebug(e, format...) emu_log(e, EMU_LOG_DEBUG, format) 57 | #else 58 | #define logDebug(e, format...) 59 | #endif // DEBUG 60 | 61 | #define logPF(e) logDebug(e, "in <%s> %s:%i>\n", __PRETTY_FUNCTION__, __FILE__, __LINE__) 62 | 63 | #endif // HAVE_EMU_LOG_H 64 | -------------------------------------------------------------------------------- /include/emu/emu_memory.h: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #ifndef HAVE_EMU_MEMORY_H 29 | #define HAVE_EMU_MEMORY_H 30 | 31 | #include 32 | #include 33 | 34 | enum emu_segment { 35 | s_cs = 0, s_ss, s_ds, s_es, s_fs, s_gs 36 | }; 37 | 38 | struct emu; 39 | struct emu_memory; 40 | struct emu_string; 41 | struct emu_breakpoint; 42 | 43 | struct emu_memory *emu_memory_new(struct emu *e); 44 | void emu_memory_clear(struct emu_memory *em); 45 | void emu_memory_free(struct emu_memory *em); 46 | 47 | /* read access, these functions return -1 on error */ 48 | int32_t emu_memory_read_byte(struct emu_memory *m, uint32_t addr, uint8_t *byte); 49 | int32_t emu_memory_read_word(struct emu_memory *m, uint32_t addr, uint16_t *word); 50 | int32_t emu_memory_read_dword(struct emu_memory *m, uint32_t addr, uint32_t *dword); 51 | int32_t emu_memory_read_block(struct emu_memory *m, uint32_t addr, void *dest, size_t len); 52 | int32_t emu_memory_read_string(struct emu_memory *m, uint32_t addr, struct emu_string *s, uint32_t maxsize); 53 | 54 | /* write access */ 55 | int32_t emu_memory_write_byte(struct emu_memory *m, uint32_t addr, uint8_t byte); 56 | int32_t emu_memory_write_word(struct emu_memory *m, uint32_t addr, uint16_t word); 57 | int32_t emu_memory_write_dword(struct emu_memory *m, uint32_t addr, uint32_t dword); 58 | int32_t emu_memory_write_block(struct emu_memory *m, uint32_t addr, const void *src, size_t len); 59 | 60 | /* segment selection */ 61 | void emu_memory_segment_select(struct emu_memory *m, enum emu_segment s); 62 | enum emu_segment emu_memory_segment_get(struct emu_memory *m); 63 | 64 | /* alloc */ 65 | int32_t emu_memory_alloc(struct emu_memory *m, uint32_t *addr, size_t len); 66 | /*int32_t emu_memory_alloc_at(struct emu_memory *m, uint32_t addr, size_t len);*/ 67 | 68 | /* information */ 69 | uint32_t emu_memory_get_usage(struct emu_memory *m); 70 | 71 | void emu_memory_mode_ro(struct emu_memory *m); 72 | void emu_memory_mode_rw(struct emu_memory *m); 73 | 74 | struct emu_breakpoint *emu_memory_get_breakpoint(struct emu_memory *m); 75 | struct emu *emu_memory_get_emu(struct emu_memory *m); 76 | 77 | 78 | #define MEM_BYTE_READ(cpu_p, addr, data_p) \ 79 | { int32_t ret = emu_memory_read_byte((cpu_p)->mem, addr, data_p); \ 80 | if( ret != 0 ) \ 81 | return ret; } 82 | 83 | #define MEM_BYTE_WRITE(cpu_p, addr, data) \ 84 | { int32_t ret = emu_memory_write_byte((cpu_p)->mem, addr, data); \ 85 | if( ret != 0 ) \ 86 | return ret; } 87 | 88 | #define MEM_WORD_READ(cpu_p, addr, data_p) \ 89 | { int32_t ret = emu_memory_read_word((cpu_p)->mem, addr, data_p); \ 90 | if( ret != 0 ) \ 91 | return ret; } 92 | 93 | #define MEM_WORD_WRITE(cpu_p, addr, data) \ 94 | { uint16_t val; \ 95 | bcopy(&(data), &val, 2); \ 96 | int32_t ret = emu_memory_write_word((cpu_p)->mem, addr, val); \ 97 | if( ret != 0 ) \ 98 | return ret; } 99 | 100 | #define MEM_DWORD_READ(cpu_p, addr, data_p) \ 101 | { int32_t ret = emu_memory_read_dword((cpu_p)->mem, addr, data_p); \ 102 | if( ret != 0 ) \ 103 | return ret; } 104 | 105 | #define MEM_DWORD_WRITE(cpu_p, addr, data) \ 106 | { uint32_t val; \ 107 | bcopy(&(data), &val, 4); \ 108 | int32_t ret = emu_memory_write_dword((cpu_p)->mem, addr, val); \ 109 | if( ret != 0 ) \ 110 | return ret; } 111 | 112 | 113 | #endif // HAVE_EMU_MEMORY_H 114 | -------------------------------------------------------------------------------- /include/emu/emu_queue.h: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | 29 | #ifndef HAVE_EMU_QUEUE_H 30 | #define HAVE_EMU_QUEUE_H 31 | 32 | 33 | struct emu_queue_item 34 | { 35 | struct emu_queue_item *next; 36 | void *data; 37 | }; 38 | 39 | struct emu_queue_item *emu_queue_item_new(void); 40 | void emu_queue_item_free(struct emu_queue_item *eqi); 41 | 42 | struct emu_queue 43 | { 44 | struct emu_queue_item *front; 45 | struct emu_queue_item *back; 46 | }; 47 | 48 | /** 49 | * Create a new queue 50 | * 51 | * @return on success: pointer to the new queue 52 | * on failure: NULL 53 | */ 54 | struct emu_queue *emu_queue_new(void); 55 | void emu_queue_free(struct emu_queue *eq); 56 | 57 | /** 58 | * Retrieve the pointer to the first element 59 | * 60 | * @param eq the queue 61 | * 62 | * @return returns the pointer to the first element 63 | */ 64 | void *emu_queue_front(struct emu_queue *eq); 65 | 66 | /** 67 | * Enqueue data into the queue. 68 | * 69 | * @param eq the queue 70 | * @param data the data to enqueue 71 | */ 72 | void emu_queue_enqueue(struct emu_queue *eq, void *data); 73 | 74 | /** 75 | * Dequeue the first element from the queue 76 | * 77 | * @param eq the queue 78 | * 79 | * @return pointer to the data of the first element 80 | */ 81 | void *emu_queue_dequeue(struct emu_queue *eq); 82 | 83 | /** 84 | * Check if the queue is empty 85 | * 86 | * @param eq the queue 87 | * 88 | * @return true if the queue is empty, else false 89 | */ 90 | bool emu_queue_empty(struct emu_queue *eq); 91 | 92 | #endif 93 | -------------------------------------------------------------------------------- /include/emu/emu_shellcode.h: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | 29 | #ifndef HAVE_EMU_SHELLCODE_H 30 | #define HAVE_EMU_SHELLCODE_H 31 | 32 | #include 33 | 34 | struct emu; 35 | 36 | /** 37 | * Tests a given buffer for possible shellcodes 38 | * 39 | * @param e the emu 40 | * @param data the buffer to test 41 | * @param size the size of the buffer 42 | * 43 | * @return on success, the offset within the buffer where the shellcode is suspected 44 | * on failure (no shellcode detected), -1 45 | */ 46 | int32_t emu_shellcode_test(struct emu *e, uint8_t *data, uint16_t size); 47 | 48 | 49 | struct emu_stats 50 | { 51 | uint32_t eip; 52 | 53 | struct 54 | { 55 | uint32_t read_access; 56 | uint32_t write_access; 57 | } memory; 58 | 59 | struct 60 | { 61 | uint32_t steps; 62 | }cpu; 63 | }; 64 | 65 | 66 | 67 | 68 | struct emu_stats *emu_stats_new(void); 69 | void emu_stats_free(struct emu_stats *es); 70 | 71 | 72 | #endif 73 | 74 | -------------------------------------------------------------------------------- /include/emu/emu_source.h: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | 29 | #ifndef HAVE_EMU_SOURCE_H 30 | #define HAVE_EMU_SOURCE_H 31 | 32 | struct emu_track_and_source; 33 | struct emu_vertex; 34 | 35 | 36 | /** 37 | * Create the callgraph of the shellcode being stored in the emu memory. 38 | * 39 | * @param e the emu 40 | * @param es the emu_source_and_track struct which stores the graph 41 | * @param datastart where to start 42 | * @param datasize where to stop 43 | * 44 | * @return 45 | */ 46 | uint32_t emu_source_instruction_graph_create(struct emu *e, struct emu_track_and_source *es, uint32_t datastart, uint32_t datasize); 47 | 48 | 49 | void emu_source_forward_bfs(struct emu_track_and_source *et, struct emu_vertex *from); 50 | void emu_source_backward_bfs(struct emu_track_and_source *et, struct emu_vertex *ev); 51 | 52 | #endif 53 | -------------------------------------------------------------------------------- /include/emu/emu_stack.h: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2008 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | 29 | #ifndef HAVE_EMU_STACK_H 30 | #define HAVE_EMU_STACK_H 31 | 32 | struct emu_stack_item 33 | { 34 | struct emu_stack_item *next; 35 | void *data; 36 | }; 37 | 38 | struct emu_stack 39 | { 40 | struct emu_stack_item *front; 41 | struct emu_stack_item *back; 42 | }; 43 | 44 | struct emu_stack *emu_stack_new(void); 45 | void emu_stack_free(struct emu_stack *es); 46 | void *emu_stack_front(struct emu_stack *es); 47 | void emu_stack_push(struct emu_stack *es, void *data); 48 | void *emu_stack_pop(struct emu_stack *es); 49 | bool emu_stack_empty(struct emu_stack *es); 50 | 51 | #endif 52 | -------------------------------------------------------------------------------- /include/emu/emu_string.h: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #ifndef HAVE_EMU_STRING_H 29 | #define HAVE_EMU_STRING_H 30 | 31 | #include 32 | #include 33 | 34 | /** 35 | * The struct used for the string implementation. 36 | */ 37 | struct emu_string 38 | { 39 | uint32_t size; 40 | void *data; 41 | uint32_t allocated; 42 | 43 | }; 44 | 45 | /** 46 | * Create a new, empty string. 47 | * 48 | * @return on success, pointer to the new and empty string, on failure NULL 49 | */ 50 | struct emu_string *emu_string_new(void); 51 | 52 | /** 53 | * Free the string, free the bytes which got allocated. 54 | * 55 | * @param s the string to free 56 | */ 57 | void emu_string_free(struct emu_string *s); 58 | 59 | 60 | /** 61 | * cast the string to char * 62 | * 63 | * @param s the string 64 | * 65 | * @return char * of the string 66 | */ 67 | char *emu_string_char(struct emu_string *s); 68 | 69 | /** 70 | * append the string by some data 71 | * 72 | * @param s the string 73 | * @param data the data to append 74 | */ 75 | void emu_string_append_char(struct emu_string *s, const char *data); 76 | 77 | 78 | /** 79 | * append the string by some formatted string 80 | * 81 | * @param s the string 82 | * @param format the format 83 | */ 84 | void emu_string_append_format(struct emu_string *s, const char *format, ...); 85 | 86 | #endif 87 | 88 | 89 | -------------------------------------------------------------------------------- /include/emu/emu_track.h: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | 29 | #ifndef HAVE_EMU_TRACK_H 30 | #define HAVE_EMU_TRACK_H 31 | 32 | #include 33 | #include 34 | 35 | struct emu; 36 | struct emu_cpu; 37 | struct emu_graph; 38 | struct emu_instruction; 39 | 40 | 41 | 42 | /** 43 | * The emu_tracking_info struct is used within the 44 | * binary backwards traversal. 45 | * The required informations about which registers 46 | * need to get initialized are stored in the struct together with the 47 | * eip value where we need to start searching. 48 | * 49 | * @see emu_shellcode_run_and_track 50 | * @see emu_source_and_track_instr_info 51 | */ 52 | struct emu_tracking_info 53 | { 54 | uint32_t eip; 55 | 56 | uint32_t eflags; 57 | uint32_t reg[8]; 58 | 59 | uint8_t fpu:1; // used to store the last_instruction information required for fnstenv 60 | }; 61 | 62 | 63 | /** 64 | * The emu_source_and_track_instr_info struct stores the register/fpu 65 | * tracking information as well as the source information 66 | * for a instruction. 67 | * Additionally the disassembly of the instruction can be stored 68 | * for debugging purposes. 69 | * 70 | * @see emu_shellcode_run_and_track 71 | */ 72 | struct emu_source_and_track_instr_info 73 | { 74 | uint32_t eip; 75 | char *instrstring; 76 | 77 | struct 78 | { 79 | struct emu_tracking_info init; 80 | struct emu_tracking_info need; 81 | } track; 82 | 83 | struct 84 | { 85 | uint8_t has_cond_pos : 1; 86 | uint32_t norm_pos; 87 | uint32_t cond_pos; 88 | } source; 89 | }; 90 | 91 | struct emu_source_and_track_instr_info *emu_source_and_track_instr_info_new(struct emu_cpu *cpu, uint32_t eip_before_instruction); 92 | void emu_source_and_track_instr_info_free(struct emu_source_and_track_instr_info *esantii); 93 | void emu_source_and_track_instr_info_free_void(void *x); 94 | 95 | bool emu_source_and_track_instr_info_cmp(void *a, void *b); 96 | uint32_t emu_source_and_track_instr_info_hash(void *key); 97 | 98 | 99 | struct emu_track_and_source 100 | { 101 | struct emu_tracking_info track; 102 | 103 | struct emu_graph *static_instr_graph; 104 | struct emu_hashtable *static_instr_table; 105 | 106 | struct emu_graph *run_instr_graph; 107 | struct emu_hashtable *run_instr_table; 108 | 109 | }; 110 | 111 | 112 | struct emu_track_and_source *emu_track_and_source_new(void); 113 | void emu_track_and_source_free(struct emu_track_and_source *et); 114 | 115 | int32_t emu_track_instruction_check(struct emu *e, struct emu_track_and_source *et); 116 | 117 | 118 | 119 | struct emu_tracking_info *emu_tracking_info_new(void); 120 | void emu_tracking_info_free(struct emu_tracking_info *eti); 121 | 122 | void emu_tracking_info_clear(struct emu_tracking_info *eti); 123 | 124 | 125 | /** 126 | * Calculate the logic difference between two instruction_infos 127 | * and store the result. 128 | * 129 | * @param a 130 | * @param b 131 | * @param result 132 | */ 133 | void emu_tracking_info_diff(struct emu_tracking_info *a, struct emu_tracking_info *b, struct emu_tracking_info *result); 134 | 135 | void emu_tracking_info_copy(struct emu_tracking_info *from, struct emu_tracking_info *to); 136 | 137 | /** 138 | * Check if a instruction can satisfy 139 | * the requirements of another instruction. 140 | * 141 | * @param a 142 | * @param b 143 | * 144 | * @return returns true if a covers the requirements of b 145 | * else false 146 | */ 147 | bool emu_tracking_info_covers(struct emu_tracking_info *a, struct emu_tracking_info *b); 148 | 149 | void emu_tracking_info_debug_print(struct emu_tracking_info *a); 150 | 151 | 152 | 153 | #endif 154 | -------------------------------------------------------------------------------- /include/emu/environment/Makefile.am: -------------------------------------------------------------------------------- 1 | # $Id$ 2 | 3 | AUTOMAKE_OPTIONS = foreign 4 | 5 | SUBDIRS = win32 linux 6 | 7 | 8 | includedir = $(prefix)/include/emu/environment 9 | include_HEADERS = emu_profile.h emu_env.h 10 | 11 | -------------------------------------------------------------------------------- /include/emu/environment/emu_env.h: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2008 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | struct emu_env_linux; 29 | struct emu_env_linux_syscall; 30 | struct emu_env_w32; 31 | struct emu_env_w32_dll_export; 32 | 33 | 34 | 35 | /* 36 | typedef void *(*new_env)(struct emu *e); 37 | typedef void (*free_env)(void *env); 38 | typedef int32_t (*env_hook)(void *env, const char *syscallname, 39 | int (*userhook)(void *env, void *syscall, ...), 40 | void *userdata); 41 | 42 | typedef int32_t (*env_pre_check)(void *env); 43 | typedef int32_t (*env_post_check)(void *env); 44 | 45 | 46 | struct env_helper 47 | { 48 | void *env; 49 | void *(*new_env)(struct emu *e); 50 | void (*free_env)(void *env); 51 | 52 | int32_t (*env_hook)(void *env, const char *syscallname, 53 | int (*userhook)(void *env, void *syscall, ...), 54 | void *userdata); 55 | 56 | int32_t (*env_pre_check)(void *env); 57 | int32_t (*env_post_check)(void *env); 58 | }; 59 | 60 | 61 | struct env_helper envs[] = 62 | { 63 | { 64 | NULL, 65 | (new_env)emu_env_w32_new, 66 | (free_env)emu_env_w32_free, 67 | (env_hook)NULL, 68 | (env_pre_check) NULL, 69 | (env_post_check) NULL 70 | }, 71 | { 72 | NULL, 73 | (new_env)emu_env_linux_new, 74 | (free_env)emu_env_linux_free, 75 | (env_hook)emu_env_linux_syscall_hook, 76 | (env_pre_check) NULL, 77 | (env_post_check) NULL 78 | } 79 | }; 80 | 81 | */ 82 | 83 | enum emu_env_type 84 | { 85 | emu_env_type_win32, 86 | emu_env_type_linux, 87 | }; 88 | 89 | struct emu_env_hook 90 | { 91 | enum emu_env_type type; 92 | 93 | union 94 | { 95 | struct emu_env_w32_dll_export *win; 96 | struct emu_env_linux_syscall *lin; 97 | } hook; 98 | }; 99 | 100 | struct emu_env 101 | { 102 | struct 103 | { 104 | struct emu_env_w32 *win; 105 | struct emu_env_linux *lin; 106 | } env; 107 | 108 | 109 | struct emu *emu; 110 | // struct env_helper *envs; 111 | struct emu_profile *profile; 112 | void *userdata; 113 | }; 114 | 115 | struct emu_env *emu_env_new(struct emu *e); 116 | void emu_env_free(struct emu_env *env); 117 | -------------------------------------------------------------------------------- /include/emu/environment/linux/Makefile.am: -------------------------------------------------------------------------------- 1 | # $Id$ 2 | 3 | includedir = $(prefix)/include/emu/environment/linux 4 | 5 | include_HEADERS = emu_env_linux.h 6 | include_HEADERS += env_linux_syscalls.h 7 | include_HEADERS += env_linux_syscall_hooks.h 8 | 9 | -------------------------------------------------------------------------------- /include/emu/environment/linux/emu_env_linux.h: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #ifndef HAVE_EMU_ENV_LINUX_H 29 | #define HAVE_EMU_ENV_LINUX_H 30 | 31 | #include 32 | #include 33 | #include 34 | 35 | #include "emu/emu.h" 36 | #include "emu/emu_cpu.h" 37 | #include "emu/emu_cpu_data.h" 38 | #include "emu/emu_memory.h" 39 | #include "emu/emu_hashtable.h" 40 | 41 | struct emu_profile; 42 | struct emu_env; 43 | 44 | struct emu_env_linux 45 | { 46 | struct emu *emu; 47 | struct emu_hashtable *syscall_hooks_by_name; 48 | struct emu_env_linux_syscall *syscall_hookx; 49 | struct emu_env_hook *hooks; 50 | // struct emu_profile *profile; 51 | }; 52 | 53 | struct emu_env_linux *emu_env_linux_new(struct emu *e); 54 | void emu_env_linux_free(struct emu_env_linux *eel); 55 | 56 | struct emu_env_hook *emu_env_linux_syscall_check(struct emu_env *env); 57 | 58 | 59 | struct emu_env_linux_syscall_entry 60 | { 61 | const char *name; 62 | const char *(*fnhook)(struct emu_env_linux *env); 63 | }; 64 | 65 | 66 | typedef uint32_t (*userhook)(struct emu_env_linux *env, struct emu_env_linux_syscall *syscall, ...); 67 | 68 | struct emu_env_linux_syscall 69 | { 70 | const char *name; 71 | int32_t (*fnhook)(struct emu_env *env, struct emu_env_hook *hook); 72 | void *userdata; 73 | uint32_t (*userhook)(struct emu_env *env, struct emu_env_hook *hook, ...); 74 | }; 75 | 76 | int32_t emu_env_linux_syscall_hook(struct emu_env *env, const char *syscallname, 77 | uint32_t (*userhook)(struct emu_env *env, struct emu_env_hook *hook, ...), 78 | void *userdata); 79 | 80 | const char *env_linux_socketcall(struct emu_env_linux *env); 81 | 82 | #endif 83 | -------------------------------------------------------------------------------- /include/emu/environment/linux/env_linux_syscall_hooks.h: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | /* 1 exit */ 29 | int32_t env_linux_hook_exit(struct emu_env *env, struct emu_env_hook *hook); 30 | 31 | /* 2 fork */ 32 | int32_t env_linux_hook_fork(struct emu_env *env, struct emu_env_hook *hook); 33 | 34 | /* 11 execve */ 35 | int32_t env_linux_hook_execve(struct emu_env *env, struct emu_env_hook *hook); 36 | 37 | /* 15 chmod */ 38 | int32_t env_linux_hook_chmod(struct emu_env *env, struct emu_env_hook *hook); 39 | 40 | /* 63 dup2 */ 41 | int32_t env_linux_hook_dup2(struct emu_env *env, struct emu_env_hook *hook); 42 | 43 | /* 102 socketcall */ 44 | /* 45 | accept 46 | bind 47 | connect 48 | getpeername - missing 49 | getsockname - missing 50 | getsockopt - missing 51 | listen 52 | recv - missing 53 | recvfrom - missing 54 | recvmsg - missing 55 | send - missing 56 | sendmsg - missing 57 | sendto - missing 58 | setsockopt - missing 59 | shutdown - missing 60 | socket 61 | socketpair - missing 62 | */ 63 | int32_t env_linux_hook_socketcall(struct emu_env *env, struct emu_env_hook *hook); 64 | 65 | 66 | 67 | 68 | 69 | -------------------------------------------------------------------------------- /include/emu/environment/win32/Makefile.am: -------------------------------------------------------------------------------- 1 | # $Id$ 2 | 3 | includedir = $(prefix)/include/emu/environment/win32 4 | 5 | include_HEADERS = emu_env_w32.h 6 | include_HEADERS += emu_env_w32_dll.h 7 | include_HEADERS += env_w32_dll_export_hooks.h 8 | include_HEADERS += emu_env_w32_dll_export.h 9 | include_HEADERS += env_w32_dll_export_kernel32_hooks.h 10 | include_HEADERS += env_w32_dll_export_urlmon_hooks.h 11 | include_HEADERS += env_w32_dll_export_ws2_32_hooks.h 12 | include_HEADERS += env_w32_dll_export_msvcrt_hooks.h 13 | include_HEADERS += env_w32_dll_export_shell32_hooks.h 14 | include_HEADERS += env_w32_dll_export_shdocvw_hooks.h 15 | 16 | -------------------------------------------------------------------------------- /include/emu/environment/win32/emu_env_w32.h: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #ifndef HAVE_EMU_ENV_W32 29 | #define HAVE_EMU_ENV_W32 30 | 31 | #include 32 | 33 | struct emu; 34 | struct emu_env_w32_dll; 35 | struct emu_env_w32_dll_export; 36 | struct emu_profile; 37 | struct emu_env; 38 | struct emu_env_hook; 39 | 40 | /** 41 | * the emu win32 enviroment struct 42 | * 43 | * @see emu_env_w32_new 44 | */ 45 | struct emu_env_w32 46 | { 47 | /** 48 | * pointer to the emu 49 | */ 50 | struct emu *emu; 51 | /** 52 | * array of pointers to the dlls loaded to memory 53 | */ 54 | struct emu_env_w32_dll **loaded_dlls; 55 | /** 56 | * the baseaddress for the env 57 | */ 58 | uint32_t baseaddr; 59 | 60 | /** 61 | * for SEH 62 | */ 63 | uint32_t last_good_eip; 64 | uint32_t lastExceptionHandler; 65 | uint32_t exception_count; 66 | }; 67 | 68 | /** 69 | * Create a new emu_env_w32 environment 70 | * 71 | * @param e the emulation to create the w32 process environment in 72 | * 73 | * @return on success: pointer to the emu_env_w32 create 74 | * on failure: NULL 75 | */ 76 | struct emu_env_w32 *emu_env_w32_new(struct emu *e); 77 | 78 | /** 79 | * Free the emu_env_w32, free all dlls etc 80 | * 81 | * @param env the env to free 82 | */ 83 | void emu_env_w32_free(struct emu_env_w32 *env); 84 | 85 | int32_t emu_env_w32_load_dll(struct emu_env_w32 *env, char *path); 86 | 87 | /** 88 | * Hook an dll export from a dll 89 | * 90 | * @param env the env 91 | * @param exportname the exportname, f.e. "socket" 92 | * @param fnhook pointer to the hook function 93 | * 94 | * @return on success: 0 95 | * on failure: -1 96 | */ 97 | int32_t emu_env_w32_export_hook(struct emu_env *env, 98 | const char *exportname, 99 | uint32_t (*fnhook)(struct emu_env *env, struct emu_env_hook *hook, ...), 100 | void *userdata); 101 | 102 | 103 | 104 | /** 105 | * Check if eip is within a loaded dll, 106 | * - call the dll's export function 107 | * 108 | * @param env the env 109 | * 110 | * @return on success: pointer to the dll_export 111 | * on failure: NULL 112 | */ 113 | struct emu_env_hook *emu_env_w32_eip_check(struct emu_env *env); 114 | 115 | 116 | int32_t emu_env_w32_step_failed(struct emu_env *env); 117 | #endif 118 | 119 | -------------------------------------------------------------------------------- /include/emu/environment/win32/emu_env_w32_dll.h: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #ifndef HAVE_EMU_ENV_W32_DLL_H 29 | #define HAVE_EMU_ENV_W32_DLL_H 30 | 31 | #include 32 | 33 | struct emu_env_hook; 34 | struct emu_env_w32_dll_export; 35 | 36 | struct emu_env_w32_dll 37 | { 38 | char *dllname; 39 | 40 | char *image; 41 | uint32_t imagesize; 42 | 43 | uint32_t baseaddr; 44 | 45 | struct emu_env_w32_dll_export *exportx; 46 | struct emu_env_hook *hooks; 47 | struct emu_hashtable *exports_by_fnptr; 48 | struct emu_hashtable *exports_by_fnname; 49 | }; 50 | 51 | struct emu_env_w32_dll *emu_env_w32_dll_new(void); 52 | void emu_env_w32_dll_free(struct emu_env_w32_dll *dll); 53 | void emu_env_w32_dll_exports_copy(struct emu_env_w32_dll *to, struct emu_env_w32_dll_export *from); 54 | 55 | 56 | struct emu_env_w32_known_dll_segment 57 | { 58 | uint32_t address; 59 | const char *segment; 60 | uint32_t segment_size; 61 | }; 62 | 63 | struct emu_env_w32_known_dll 64 | { 65 | const char *dllname; 66 | uint32_t baseaddress; 67 | uint32_t imagesize; 68 | struct emu_env_w32_dll_export *exports; 69 | struct emu_env_w32_known_dll_segment *memory_segments; 70 | }; 71 | 72 | #endif 73 | -------------------------------------------------------------------------------- /include/emu/environment/win32/emu_env_w32_dll_export.h: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #include 29 | 30 | #ifndef HAVE_EMU_ENV_W32_DLL_EXPORT_H 31 | #define HAVE_EMU_ENV_W32_DLL_EXPORT_H 32 | 33 | 34 | struct emu; 35 | struct emu_env_w32; 36 | struct emu_env; 37 | struct emu_env_hook; 38 | 39 | typedef uint32_t (*win32userhook)(struct emu_env_w32 *env, struct emu_env_w32_dll_export *ex, ...); 40 | 41 | struct emu_env_w32_dll_export 42 | { 43 | char *fnname; 44 | uint32_t virtualaddr; 45 | int32_t (*fnhook)(struct emu_env *env, struct emu_env_hook *hook); 46 | void *userdata; 47 | uint32_t (*userhook)(struct emu_env *env, struct emu_env_hook *hook, ...); 48 | uint32_t ordinal; 49 | }; 50 | 51 | struct emu_env_w32_dll_export *emu_env_w32_dll_export_new(void); 52 | void emu_env_w32_dll_export_copy(struct emu_env_w32_dll_export *to, struct emu_env_w32_dll_export *from); 53 | void emu_env_w32_dll_export_free(struct emu_env_w32_dll_export *exp); 54 | 55 | extern struct emu_env_w32_dll_export kernel32_exports[]; 56 | extern struct emu_env_w32_dll_export ws2_32_exports[]; 57 | extern struct emu_env_w32_dll_export wininet_exports[]; 58 | extern struct emu_env_w32_dll_export urlmon_exports[]; 59 | 60 | 61 | #endif 62 | -------------------------------------------------------------------------------- /include/emu/environment/win32/env_w32_dll_export_msvcrt_hooks.h: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #include 29 | 30 | int32_t env_w32_hook__execv(struct emu_env *env, struct emu_env_hook *hook); 31 | int32_t env_w32_hook_fclose(struct emu_env *env, struct emu_env_hook *hook); 32 | int32_t env_w32_hook_fopen(struct emu_env *env, struct emu_env_hook *hook); 33 | int32_t env_w32_hook_fwrite(struct emu_env *env, struct emu_env_hook *hook); 34 | 35 | 36 | -------------------------------------------------------------------------------- /include/emu/environment/win32/env_w32_dll_export_shdocvw_hooks.h: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #include 29 | 30 | int32_t env_w32_hook_IEWinMain(struct emu_env *env, struct emu_env_hook *hook); 31 | -------------------------------------------------------------------------------- /include/emu/environment/win32/env_w32_dll_export_shell32_hooks.h: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2011 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #include 29 | 30 | int32_t env_hook_SHGetSpecialFolderPathA(struct emu_env *env, struct emu_env_hook *hook); 31 | 32 | -------------------------------------------------------------------------------- /include/emu/environment/win32/env_w32_dll_export_urlmon_hooks.h: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #include 29 | 30 | int32_t env_w32_hook_URLDownloadToFileA(struct emu_env *env, struct emu_env_hook *hook); 31 | 32 | -------------------------------------------------------------------------------- /include/emu/environment/win32/env_w32_dll_export_ws2_32_hooks.h: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #include 29 | 30 | int32_t env_w32_hook_accept(struct emu_env *env, struct emu_env_hook *hook); 31 | int32_t env_w32_hook_bind(struct emu_env *env, struct emu_env_hook *hook); 32 | int32_t env_w32_hook_closesocket(struct emu_env *env, struct emu_env_hook *hook); 33 | int32_t env_w32_hook_connect(struct emu_env *env, struct emu_env_hook *hook); 34 | int32_t env_w32_hook_listen(struct emu_env *env, struct emu_env_hook *hook); 35 | int32_t env_w32_hook_recv(struct emu_env *env, struct emu_env_hook *hook); 36 | int32_t env_w32_hook_send(struct emu_env *env, struct emu_env_hook *hook); 37 | int32_t env_w32_hook_sendto(struct emu_env *env, struct emu_env_hook *hook); 38 | int32_t env_w32_hook_socket(struct emu_env *env, struct emu_env_hook *hook); 39 | int32_t env_w32_hook_WSASocketA(struct emu_env *env, struct emu_env_hook *hook); 40 | int32_t env_w32_hook_WSAStartup(struct emu_env *env, struct emu_env_hook *hook); 41 | 42 | -------------------------------------------------------------------------------- /libemu.pc.in: -------------------------------------------------------------------------------- 1 | 2 | prefix=@prefix@ 3 | exec_prefix=@exec_prefix@ 4 | libdir=@libdir@ 5 | includedir=@includedir@ 6 | 7 | Name: libemu 8 | Description: library to detect and profile shellcodes 9 | URL: http://libemu.mwcollect.org 10 | Version: @VERSION@ 11 | Requires: 12 | Libs: -L${libdir} -lemu 13 | Cflags: -I${includedir} 14 | 15 | 16 | 17 | -------------------------------------------------------------------------------- /src/Makefile.am: -------------------------------------------------------------------------------- 1 | # libemu Makefile 2 | # Paul Baecher, Markus Koetter 3 | # $Id$ 4 | 5 | AUTOMAKE_OPTIONS = foreign 6 | 7 | 8 | 9 | AM_CFLAGS = -pipe -D _GNU_SOURCE -I../include -Werror -Wall -g 10 | 11 | lib_LTLIBRARIES = libemu.la 12 | 13 | SUBDIRS = functions 14 | 15 | libemu_la_SOURCES = emu.c 16 | libemu_la_SOURCES += emu_log.c 17 | libemu_la_SOURCES += emu_memory.c 18 | libemu_la_SOURCES += emu_cpu_data.c 19 | libemu_la_SOURCES += emu_cpu.c 20 | libemu_la_SOURCES += emu_string.c 21 | libemu_la_SOURCES += emu_getpc.c 22 | libemu_la_SOURCES += emu_graph.c 23 | libemu_la_SOURCES += emu_hashtable.c 24 | libemu_la_SOURCES += emu_list.c 25 | libemu_la_SOURCES += emu_queue.c 26 | libemu_la_SOURCES += emu_stack.c 27 | libemu_la_SOURCES += emu_shellcode.c 28 | libemu_la_SOURCES += emu_source.c 29 | libemu_la_SOURCES += emu_track.c 30 | libemu_la_SOURCES += emu_breakpoint.c 31 | libemu_la_SOURCES += functions/aaa.c 32 | libemu_la_SOURCES += functions/adc.c 33 | libemu_la_SOURCES += functions/add.c 34 | libemu_la_SOURCES += functions/and.c 35 | libemu_la_SOURCES += functions/call.c 36 | libemu_la_SOURCES += functions/cmp.c 37 | libemu_la_SOURCES += functions/cmps.c 38 | libemu_la_SOURCES += functions/dec.c 39 | libemu_la_SOURCES += functions/div.c 40 | libemu_la_SOURCES += functions/group_1.c 41 | libemu_la_SOURCES += functions/group_2.c 42 | libemu_la_SOURCES += functions/group_3.c 43 | libemu_la_SOURCES += functions/group_4.c 44 | libemu_la_SOURCES += functions/group_5.c 45 | libemu_la_SOURCES += functions/group_10.c 46 | libemu_la_SOURCES += functions/idiv.c 47 | libemu_la_SOURCES += functions/imul.c 48 | libemu_la_SOURCES += functions/inc.c 49 | libemu_la_SOURCES += functions/int.c 50 | libemu_la_SOURCES += functions/jcc.c 51 | libemu_la_SOURCES += functions/jmp.c 52 | libemu_la_SOURCES += functions/lodscc.c 53 | libemu_la_SOURCES += functions/loopcc.c 54 | libemu_la_SOURCES += functions/misc.c 55 | libemu_la_SOURCES += functions/mov.c 56 | libemu_la_SOURCES += functions/movsx.c 57 | libemu_la_SOURCES += functions/movzx.c 58 | libemu_la_SOURCES += functions/mul.c 59 | libemu_la_SOURCES += functions/neg.c 60 | libemu_la_SOURCES += functions/not.c 61 | libemu_la_SOURCES += functions/or.c 62 | libemu_la_SOURCES += functions/pop.c 63 | libemu_la_SOURCES += functions/push.c 64 | libemu_la_SOURCES += functions/rcl.c 65 | libemu_la_SOURCES += functions/rcr.c 66 | libemu_la_SOURCES += functions/repcc.c 67 | libemu_la_SOURCES += functions/ret.c 68 | libemu_la_SOURCES += functions/rol.c 69 | libemu_la_SOURCES += functions/ror.c 70 | libemu_la_SOURCES += functions/sal.c 71 | libemu_la_SOURCES += functions/sar.c 72 | libemu_la_SOURCES += functions/sbb.c 73 | libemu_la_SOURCES += functions/scas.c 74 | libemu_la_SOURCES += functions/shr.c 75 | libemu_la_SOURCES += functions/stoscc.c 76 | libemu_la_SOURCES += functions/sub.c 77 | libemu_la_SOURCES += functions/test.c 78 | libemu_la_SOURCES += functions/xchg.c 79 | libemu_la_SOURCES += functions/xor.c 80 | 81 | libemu_la_SOURCES += libdasm.c libdasm.h opcode_tables.h 82 | 83 | libemu_la_SOURCES += environment/emu_env.c 84 | libemu_la_SOURCES += environment/emu_profile.c 85 | libemu_la_SOURCES += environment/win32/emu_env_w32.c 86 | libemu_la_SOURCES += environment/win32/emu_env_w32_dll.c 87 | libemu_la_SOURCES += environment/win32/emu_env_w32_dll_export.c 88 | libemu_la_SOURCES += environment/win32/env_w32_dll_export_kernel32_hooks.c 89 | libemu_la_SOURCES += environment/win32/env_w32_dll_export_urlmon_hooks.c 90 | libemu_la_SOURCES += environment/win32/env_w32_dll_export_ws2_32_hooks.c 91 | libemu_la_SOURCES += environment/win32/env_w32_dll_export_msvcrt_hooks.c 92 | libemu_la_SOURCES += environment/win32/env_w32_dll_export_shell32_hooks.c 93 | libemu_la_SOURCES += environment/win32/env_w32_dll_export_shdocvw_hooks.c 94 | 95 | libemu_la_SOURCES += environment/linux/emu_env_linux.c 96 | libemu_la_SOURCES += environment/linux/env_linux_syscall_hooks.c 97 | 98 | 99 | libemu_la_LDFLAGS = -no-undefined -version-info @libemu_soname@ -export-symbols-regex "^emu_" 100 | -------------------------------------------------------------------------------- /src/emu.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #include 29 | #include 30 | #include 31 | #include 32 | 33 | #include "emu/emu.h" 34 | #include "emu/emu_log.h" 35 | #include "emu/emu_memory.h" 36 | #include "emu/emu_cpu.h" 37 | 38 | struct emu 39 | { 40 | struct emu_logging *log; 41 | struct emu_memory *memory; 42 | struct emu_cpu *cpu; 43 | 44 | int errno; 45 | char *errorstr; 46 | }; 47 | 48 | 49 | struct emu *emu_new(void) 50 | { 51 | struct emu *e = (struct emu *)malloc(sizeof(struct emu)); 52 | if( e == NULL ) 53 | { 54 | return NULL; 55 | } 56 | memset(e, 0, sizeof(struct emu)); 57 | e->log = emu_log_new(); 58 | e->memory = emu_memory_new(e); 59 | if( e->memory == NULL ) 60 | { 61 | return NULL; 62 | } 63 | e->cpu = emu_cpu_new(e); 64 | logDebug(e,"%s %x\n", __PRETTY_FUNCTION__,(unsigned int)e); 65 | return e; 66 | } 67 | 68 | 69 | void emu_free(struct emu *e) 70 | { 71 | logDebug(e,"%s %x\n", __PRETTY_FUNCTION__,(unsigned int)e); 72 | emu_cpu_free(e->cpu); 73 | emu_memory_free(e->memory); 74 | emu_log_free(e->log); 75 | if (e->errorstr != NULL) 76 | free(e->errorstr); 77 | 78 | free(e); 79 | } 80 | 81 | inline struct emu_memory *emu_memory_get(struct emu *e) 82 | { 83 | return e->memory; 84 | } 85 | 86 | inline struct emu_logging *emu_logging_get(struct emu *e) 87 | { 88 | return e->log; 89 | } 90 | 91 | inline struct emu_cpu *emu_cpu_get(struct emu *e) 92 | { 93 | return e->cpu; 94 | } 95 | 96 | 97 | 98 | void emu_errno_set(struct emu *e, int err) 99 | { 100 | e->errno = err; 101 | } 102 | 103 | int emu_errno(struct emu *c) 104 | { 105 | return c->errno; 106 | } 107 | 108 | void emu_strerror_set(struct emu *e, const char *format, ...) 109 | { 110 | if (e->errorstr != NULL) 111 | free(e->errorstr); 112 | 113 | va_list ap; 114 | char *message; 115 | va_start(ap, format); 116 | int va = vasprintf(&message, format, ap); 117 | va_end(ap); 118 | 119 | if (va == -1) 120 | return; 121 | 122 | e->errorstr = message; 123 | } 124 | 125 | const char *emu_strerror(struct emu *e) 126 | { 127 | return e->errorstr; 128 | } 129 | 130 | -------------------------------------------------------------------------------- /src/emu_breakpoint.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #include 29 | #include 30 | #include 31 | #include "emu/emu_breakpoint.h" 32 | #include "emu/emu_memory.h" 33 | 34 | 35 | struct emu_breakpoint 36 | { 37 | struct emu_memory *mem; 38 | struct emu_breakpoint *next; 39 | uint32_t addr; 40 | uint8_t access; 41 | emu_bp_resp response; 42 | emu_bp_cond condition; 43 | }; 44 | 45 | 46 | struct emu_breakpoint *emu_breakpoint_alloc(struct emu_memory *mem) 47 | { 48 | struct emu_breakpoint *bp = malloc(sizeof(struct emu_breakpoint)); 49 | if(bp == NULL) { 50 | return NULL; 51 | } 52 | 53 | memset(bp, 0x00, sizeof(struct emu_breakpoint)); 54 | 55 | bp->mem = mem; 56 | return bp; 57 | } 58 | 59 | void emu_breakpoint_free(struct emu_breakpoint *bp) 60 | { 61 | /* TODO: Free all the bp_items */ 62 | free(bp); 63 | 64 | return; 65 | } 66 | 67 | void emu_breakpoint_set(struct emu_memory *m, uint32_t addr, uint8_t access, emu_bp_resp response) 68 | { 69 | emu_breakpoint_conditional_set(m, addr, access, response, NULL); 70 | 71 | return; 72 | } 73 | 74 | void emu_breakpoint_conditional_set(struct emu_memory *m, uint32_t addr, uint8_t access, emu_bp_resp response, emu_bp_cond condition) 75 | { 76 | struct emu_breakpoint *item = emu_memory_get_breakpoint(m); 77 | struct emu_breakpoint *new_item = emu_breakpoint_alloc(m); 78 | if(new_item == NULL) { 79 | /* TODO: Something is wrong */ 80 | return; 81 | } 82 | 83 | 84 | new_item->addr = addr; 85 | new_item->access = access; 86 | new_item->response = response; 87 | new_item->condition = condition; 88 | 89 | while(item->next != NULL) { 90 | item = item->next; 91 | } 92 | item->next = new_item; 93 | 94 | return; 95 | } 96 | 97 | struct emu_breakpoint *emu_breakpoint_get(struct emu_memory *m, uint32_t addr) 98 | { 99 | struct emu_breakpoint *item = emu_memory_get_breakpoint(m); 100 | 101 | while(item != NULL) { 102 | if(item->addr == addr) { 103 | return item; 104 | } 105 | item = item->next; 106 | } 107 | return NULL; 108 | } 109 | 110 | void emu_breakpoint_check(struct emu_memory *m, uint32_t addr, uint8_t access) 111 | { 112 | struct emu_breakpoint *bp = emu_breakpoint_get(m, addr); 113 | 114 | if(bp == NULL) { 115 | /* No Breakpoint at given addrs */ 116 | return; 117 | } 118 | 119 | if(bp->condition != NULL) { 120 | if(!(*bp->condition)(emu_memory_get_emu(m))) { 121 | return; 122 | } 123 | } 124 | 125 | if((bp->access & access) == access) { 126 | (*bp->response)(emu_memory_get_emu(m)); 127 | } 128 | return; 129 | } 130 | 131 | void emu_breakpoint_remove(struct emu_memory *m, uint32_t addr) 132 | { 133 | struct emu_breakpoint *item_current = emu_memory_get_breakpoint(m); 134 | struct emu_breakpoint *item_previous = NULL; 135 | 136 | 137 | while(item_current != NULL) { 138 | if(item_current->addr == addr) { 139 | if(item_previous == NULL) { 140 | item_previous = item_current; 141 | item_current = item_current->next; 142 | emu_breakpoint_free(item_previous); 143 | } else { 144 | item_previous->next = item_current->next; 145 | emu_breakpoint_free(item_current); 146 | } 147 | return; 148 | } 149 | item_previous = item_current; 150 | item_current = item_current->next; 151 | } 152 | return; 153 | } 154 | -------------------------------------------------------------------------------- /src/emu_cpu_data.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | 29 | #include "emu/emu_cpu_data.h" 30 | 31 | 32 | /** 33 | * int type min/max for signed/unsigned int to 32bits size 34 | * 35 | * access is 36 | * max_inittype_border[bits/8][signed|unsigned][min|max] 37 | * 38 | * where signed/min is 0 39 | * and unsigned/max is 1 40 | */ 41 | int64_t max_inttype_borders[][2][2] = 42 | { 43 | { 44 | {0, 0}, 45 | {0, 0}, 46 | }, 47 | { 48 | {MIN_INT8, MAX_INT8}, 49 | {MIN_UINT8, MAX_UINT8}, 50 | }, 51 | { 52 | {MIN_INT16, MAX_INT16}, 53 | {MIN_UINT16, MAX_UINT16}, 54 | }, 55 | { 56 | {0, 0}, 57 | {0, 0}, 58 | }, 59 | { 60 | {MIN_INT32, MAX_INT32}, 61 | {MIN_UINT32, MAX_UINT32}, 62 | } 63 | }; 64 | 65 | -------------------------------------------------------------------------------- /src/emu_getpc.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | 29 | 30 | 31 | #include 32 | 33 | 34 | #include "emu/emu.h" 35 | #include "emu/emu_memory.h" 36 | #include "emu/emu_cpu.h" 37 | #include "emu/emu_cpu_data.h" 38 | #include "emu/emu_getpc.h" 39 | #include "emu/emu_cpu_instruction.h" 40 | 41 | 42 | #define MIN(a,b) (((a)<(b))?(a):(b)) 43 | #define MAX(a,b) (((a)>(b))?(a):(b)) 44 | 45 | 46 | uint8_t emu_getpc_check(struct emu *e, uint8_t *data, uint32_t size, uint32_t offset) 47 | { 48 | struct emu_cpu *c = emu_cpu_get(e); 49 | struct emu_memory *m = emu_memory_get(e); 50 | 51 | 52 | // uint32_t offset; 53 | // for (offset=0; offsetinstr.cpu.disp); 78 | printf("data + offset + disp %p <-> %p data + size\n", (data + offset + c->instr.cpu.disp), data+size); 79 | printf("data + offset + disp %p <-> %p data \n", (data + offset + c->instr.cpu.disp), data); 80 | */ 81 | 82 | if (abs(c->instr.cpu.disp) > 512) 83 | { 84 | break; 85 | } 86 | 87 | uint32_t espcopy = emu_cpu_reg32_get(c, esp); 88 | int j; 89 | for (j=0;j<64;j++) 90 | { 91 | int ret = emu_cpu_parse(emu_cpu_get(e)); 92 | 93 | if (ret != -1) 94 | { 95 | ret = emu_cpu_step(emu_cpu_get(e)); 96 | } 97 | 98 | if ( ret == -1 ) 99 | { 100 | // printf("cpu error %s\n", emu_strerror(e)); 101 | break; 102 | } 103 | 104 | if (emu_cpu_reg32_get(c, esp) == espcopy) // eip pushed by call is popped 105 | return 1; 106 | } 107 | 108 | return 1; 109 | break; 110 | 111 | /* fnstenv */ 112 | case 0xd9: 113 | emu_memory_write_block(m, 0x1000, data+offset, MIN(size-offset, 64)); 114 | emu_cpu_eip_set(c, 0x1000); 115 | 116 | if ( emu_cpu_parse(c) != 0 ) 117 | break; 118 | 119 | if ( (c->instr.fpu.fpu_data[1] & 0x38) != 0x30 ) 120 | break; 121 | 122 | if ( c->instr.fpu.ea == emu_cpu_reg32_get(c, esp) - 0xc ) 123 | { 124 | // printf("found fnstenv with ea = esp - 0xc\n"); 125 | return 1; 126 | } 127 | 128 | /* FIXME THE CODE HERE IS CRAP */ 129 | /* espcopy = emu_cpu_reg32_get(c, esp); 130 | for (j=0;j<64;j++) 131 | { 132 | int ret = emu_cpu_parse(emu_cpu_get(e)); 133 | 134 | if (ret != -1) 135 | { 136 | ret = emu_cpu_step(emu_cpu_get(e)); 137 | } 138 | 139 | if ( ret == -1 ) 140 | { 141 | printf("cpu error %s\n", emu_strerror(e)); 142 | break; 143 | } 144 | 145 | for (reg=0; reg<8; reg++) 146 | { 147 | if (reg != 4 && emu_cpu_reg32_get(c, reg) == espcopy + 4) // eip written by fnstenv 148 | return 1; 149 | } 150 | } 151 | */ 152 | break; 153 | /* 154 | case 0x64: // fs: prefix 155 | if ( data[offset+1] == 0x8b ) 156 | { 157 | emu_memory_write_block(m, 0x1000, data+offset, MIN(size-offset, 64)); 158 | emu_cpu_eip_set(c, 0x1000); 159 | 160 | if ( emu_cpu_parse(c) != 0 ) 161 | break; 162 | 163 | return 2; 164 | } 165 | break; 166 | */ 167 | } 168 | return 0; 169 | } 170 | 171 | -------------------------------------------------------------------------------- /src/emu_list.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | 29 | #include 30 | 31 | #include "emu/emu_list.h" 32 | 33 | source_list_functions(emu_list, emu_list_root, emu_list_item, link); 34 | 35 | struct emu_list_item *emu_list_item_create() 36 | { 37 | struct emu_list_item *eli = malloc(sizeof(struct emu_list_item)); 38 | memset(eli, 0, sizeof(struct emu_list_item)); 39 | emu_list_init_link(eli); 40 | return eli; 41 | } 42 | 43 | -------------------------------------------------------------------------------- /src/emu_log.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #include 29 | #include 30 | #include 31 | #include 32 | 33 | #include "emu/emu.h" 34 | #include "emu/emu_log.h" 35 | 36 | 37 | 38 | struct emu_logging 39 | { 40 | enum emu_log_level loglevel; 41 | 42 | emu_log_logcb logcb; 43 | }; 44 | 45 | 46 | struct emu_logging *emu_log_new(void) 47 | { 48 | struct emu_logging *el = (struct emu_logging *)malloc(sizeof(struct emu_logging)); 49 | if( el == NULL ) 50 | { 51 | return NULL; 52 | } 53 | memset(el, 0, sizeof(struct emu_logging)); 54 | 55 | el->logcb = emu_log_default_logcb; 56 | 57 | return el; 58 | } 59 | 60 | void emu_log_free(struct emu_logging *el) 61 | { 62 | free(el); 63 | } 64 | 65 | void emu_log_level_set(struct emu_logging *el, enum emu_log_level level) 66 | { 67 | el->loglevel = level; 68 | } 69 | 70 | void emu_log(struct emu *e, enum emu_log_level level, const char *format, ...) 71 | { 72 | struct emu_logging *el = emu_logging_get(e); 73 | 74 | if ( el->loglevel == EMU_LOG_NONE ) 75 | return; 76 | 77 | if ( el->loglevel < level ) 78 | return; 79 | 80 | 81 | va_list ap; 82 | char *message; 83 | 84 | va_start(ap, format); 85 | int va = vasprintf(&message, format, ap); 86 | va_end(ap); 87 | 88 | if (va == -1) 89 | message = strdup("failed to allocate memory in vasprintf\n"); 90 | 91 | el->logcb(e, level, message); 92 | 93 | free(message); 94 | } 95 | 96 | void emu_log_set_logcb(struct emu_logging *el, emu_log_logcb logcb) 97 | { 98 | el->logcb = logcb; 99 | } 100 | 101 | void emu_log_default_logcb(struct emu *e, enum emu_log_level level, const char *msg) 102 | { 103 | const char *lev[] = {"none","\033[32;1minfo\033[0m","\033[31;1mdebug\033[0m"}; 104 | fprintf(stdout,"[emu 0x%p %s ] ",(void *)e, lev[level]); 105 | fprintf(stdout,"%s", msg); 106 | } 107 | -------------------------------------------------------------------------------- /src/emu_queue.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | 29 | #include 30 | #include 31 | #include 32 | 33 | #include "emu/emu_queue.h" 34 | 35 | struct emu_queue *emu_queue_new(void) 36 | { 37 | struct emu_queue *eq = (struct emu_queue *)malloc(sizeof(struct emu_queue)); 38 | if( eq == NULL ) 39 | { 40 | return NULL; 41 | } 42 | memset(eq, 0, sizeof(struct emu_queue)); 43 | return eq; 44 | } 45 | 46 | void emu_queue_free(struct emu_queue *eq) 47 | { 48 | while ( emu_queue_empty(eq) == false ) 49 | { 50 | emu_queue_dequeue(eq); 51 | } 52 | free(eq); 53 | } 54 | 55 | void *emu_queue_front(struct emu_queue *eq) 56 | { 57 | return eq->front->data; 58 | } 59 | 60 | void emu_queue_enqueue(struct emu_queue *eq, void *data) 61 | { 62 | struct emu_queue_item *eqi = emu_queue_item_new(); 63 | eqi->data = data; 64 | 65 | if (emu_queue_empty(eq) == true) 66 | { 67 | eq->front = eqi; 68 | eq->back = eqi; 69 | }else 70 | { 71 | eq->back->next = eqi; 72 | eq->back = eqi; 73 | } 74 | } 75 | 76 | void *emu_queue_dequeue(struct emu_queue *eq) 77 | { 78 | if (emu_queue_empty(eq) == true) 79 | return NULL; 80 | 81 | struct emu_queue_item *eqi = eq->front; 82 | 83 | // last element 84 | if ( eq->front == eq->back ) 85 | eq->front = eq->back = NULL; 86 | else 87 | eq->front = eq->front->next; 88 | 89 | void *data = eqi->data; 90 | emu_queue_item_free(eqi); 91 | return data; 92 | } 93 | 94 | 95 | bool emu_queue_empty(struct emu_queue *eq) 96 | { 97 | if (eq->front == NULL) 98 | return true; 99 | else 100 | return false; 101 | } 102 | 103 | 104 | struct emu_queue_item *emu_queue_item_new(void) 105 | { 106 | struct emu_queue_item *eqi = (struct emu_queue_item *)malloc(sizeof(struct emu_queue_item)); 107 | if( eqi == NULL ) 108 | { 109 | return NULL; 110 | } 111 | memset(eqi, 0, sizeof(struct emu_queue_item)); 112 | return eqi; 113 | 114 | } 115 | 116 | void emu_queue_item_free(struct emu_queue_item *eqi) 117 | { 118 | free(eqi); 119 | } 120 | 121 | -------------------------------------------------------------------------------- /src/emu_stack.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2008 Paul Baecher & Markus Koetter 8 | * Copyright (C) 2016 tpltnt 9 | * 10 | * This program is free software; you can redistribute it and/or 11 | * modify it under the terms of the GNU General Public License 12 | * as published by the Free Software Foundation; either version 2 13 | * of the License, or (at your option) any later version. 14 | * 15 | * This program is distributed in the hope that it will be useful, 16 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | * GNU General Public License for more details. 19 | * 20 | * You should have received a copy of the GNU General Public License 21 | * along with this program; if not, write to the Free Software 22 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 23 | * 24 | * 25 | * contact nepenthesdev@users.sourceforge.net 26 | * 27 | *******************************************************************************/ 28 | 29 | 30 | #include 31 | #include 32 | #include 33 | 34 | #include "emu/emu_stack.h" 35 | 36 | struct emu_stack *emu_stack_new(void) 37 | { 38 | struct emu_stack *es = malloc(sizeof(struct emu_stack)); 39 | if (NULL == es) 40 | { 41 | return NULL; 42 | } 43 | memset(es, 0, sizeof(struct emu_stack)); 44 | return es; 45 | } 46 | 47 | void emu_stack_free(struct emu_stack *es) 48 | { 49 | free(es); 50 | } 51 | 52 | void *emu_stack_front(struct emu_stack *es) 53 | { 54 | return es->front->data; 55 | } 56 | 57 | void emu_stack_push(struct emu_stack *es, void *data) 58 | { 59 | struct emu_stack_item *item = malloc(sizeof(struct emu_stack_item)); 60 | memset(item, 0, sizeof(struct emu_stack_item)); 61 | item->data = data; 62 | item->next = es->front; 63 | es->front = item; 64 | } 65 | 66 | void *emu_stack_pop(struct emu_stack *es) 67 | { 68 | if (emu_stack_empty(es) == true) 69 | return NULL; 70 | 71 | struct emu_stack_item *item = es->front; 72 | void *data = es->front->data; 73 | es->front = es->front->next; 74 | free(item); 75 | return data; 76 | } 77 | 78 | bool emu_stack_empty(struct emu_stack *es) 79 | { 80 | if (es->front == NULL) 81 | return true; 82 | return false; 83 | } 84 | 85 | -------------------------------------------------------------------------------- /src/emu_string.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | 29 | #include 30 | #include 31 | #include 32 | 33 | 34 | #include "emu/emu_string.h" 35 | 36 | 37 | struct emu_string *emu_string_new(void) 38 | { 39 | struct emu_string *s = (struct emu_string *)malloc(sizeof(struct emu_string)); 40 | if( s == NULL ) 41 | { 42 | return NULL; 43 | } 44 | memset(s, 0, sizeof(struct emu_string)); 45 | return s; 46 | } 47 | 48 | void emu_string_free(struct emu_string *s) 49 | { 50 | free(s->data); 51 | free(s); 52 | } 53 | 54 | char *emu_string_char(struct emu_string *s) 55 | { 56 | return (char *)s->data; 57 | } 58 | 59 | 60 | #include 61 | void emu_string_append_char(struct emu_string *s, const char *data) 62 | { 63 | // printf("before %i %i|%s|\n", s->size, strlen(data), (char *)s->data); 64 | s->data = realloc(s->data, s->size + strlen(data) + 1); 65 | memcpy((unsigned char *)s->data + s->size, data, strlen(data)); 66 | *(unsigned char *)(s->data + s->size + strlen(data)) = 0; 67 | s->size += strlen(data); 68 | // printf("after %i |%s|\n", s->size, (char *)s->data); 69 | } 70 | 71 | void emu_string_append_format(struct emu_string *s, const char *format, ...) 72 | { 73 | va_list ap; 74 | char *message; 75 | 76 | va_start(ap, format); 77 | int va = vasprintf(&message, format, ap); 78 | va_end(ap); 79 | 80 | if (va == -1) 81 | exit(-1); 82 | 83 | emu_string_append_char(s, message); 84 | free(message); 85 | } 86 | -------------------------------------------------------------------------------- /src/environment/emu_env.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2008 Paul Baecher & Markus Koetter 8 | * Copyright (C) 2016 tpltnt 9 | * 10 | * This program is free software; you can redistribute it and/or 11 | * modify it under the terms of the GNU General Public License 12 | * as published by the Free Software Foundation; either version 2 13 | * of the License, or (at your option) any later version. 14 | * 15 | * This program is distributed in the hope that it will be useful, 16 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | * GNU General Public License for more details. 19 | * 20 | * You should have received a copy of the GNU General Public License 21 | * along with this program; if not, write to the Free Software 22 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 23 | * 24 | * 25 | * contact nepenthesdev@users.sourceforge.net 26 | * 27 | *******************************************************************************/ 28 | 29 | #include "emu/environment/emu_env.h" 30 | #include "emu/environment/emu_profile.h" 31 | #include "emu/environment/linux/emu_env_linux.h" 32 | #include "emu/environment/win32/emu_env_w32.h" 33 | #include "emu/environment/win32/emu_env_w32_dll_export.h" 34 | 35 | struct emu_env *emu_env_new(struct emu *e) 36 | { 37 | struct emu_env *env = malloc(sizeof(struct emu_env)); 38 | if (NULL == env) 39 | { 40 | return NULL; 41 | } 42 | memset(env, 0, sizeof(struct emu_env)); 43 | env->env.lin = emu_env_linux_new(e); 44 | env->env.win = emu_env_w32_new(e); 45 | env->emu = e; 46 | env->profile = NULL;//emu_profile_new(); 47 | return env; 48 | 49 | } 50 | 51 | void emu_env_free(struct emu_env *env) 52 | { 53 | emu_env_w32_free(env->env.win); 54 | emu_env_linux_free(env->env.lin); 55 | if (env->profile != NULL) 56 | emu_profile_free(env->profile); 57 | free(env); 58 | } 59 | -------------------------------------------------------------------------------- /src/environment/win32/emu_env_w32_dll.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * Copyright (C) 2016 tpltnt 9 | * 10 | * This program is free software; you can redistribute it and/or 11 | * modify it under the terms of the GNU General Public License 12 | * as published by the Free Software Foundation; either version 2 13 | * of the License, or (at your option) any later version. 14 | * 15 | * This program is distributed in the hope that it will be useful, 16 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | * GNU General Public License for more details. 19 | * 20 | * You should have received a copy of the GNU General Public License 21 | * along with this program; if not, write to the Free Software 22 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 23 | * 24 | * 25 | * contact nepenthesdev@users.sourceforge.net 26 | * 27 | *******************************************************************************/ 28 | 29 | #include 30 | #include 31 | 32 | #include "emu/emu.h" 33 | #include "emu/environment/emu_env.h" 34 | #include "emu/environment/win32/emu_env_w32_dll.h" 35 | #include "emu/environment/win32/emu_env_w32_dll_export.h" 36 | #include "emu/emu_hashtable.h" 37 | 38 | struct emu_env_w32_dll *emu_env_w32_dll_new(void) 39 | { 40 | struct emu_env_w32_dll *dll = (struct emu_env_w32_dll *)malloc(sizeof(struct emu_env_w32_dll)); 41 | if (NULL == dll) 42 | { 43 | return NULL; 44 | } 45 | memset(dll,0,sizeof(struct emu_env_w32_dll)); 46 | return dll; 47 | } 48 | 49 | void emu_env_w32_dll_free(struct emu_env_w32_dll *dll) 50 | { 51 | emu_hashtable_free(dll->exports_by_fnptr); 52 | emu_hashtable_free(dll->exports_by_fnname); 53 | free(dll->exportx); 54 | free(dll->hooks); 55 | free(dll->dllname); 56 | free(dll); 57 | } 58 | 59 | void emu_env_w32_dll_exports_copy(struct emu_env_w32_dll *to,struct emu_env_w32_dll_export *from) 60 | { 61 | uint32_t size; 62 | uint32_t i; 63 | for (i=0;from[i].fnname != 0; i++); 64 | 65 | size = i; 66 | 67 | to->exportx = malloc(sizeof(struct emu_env_w32_dll_export) * size); 68 | to->hooks = malloc(sizeof(struct emu_env_hook) * size); 69 | memcpy(to->exportx, from, sizeof(struct emu_env_w32_dll_export) * size); 70 | 71 | 72 | to->exports_by_fnptr = emu_hashtable_new(size, emu_hashtable_ptr_hash,emu_hashtable_ptr_cmp); 73 | to->exports_by_fnname = emu_hashtable_new(size, emu_hashtable_string_hash, emu_hashtable_string_cmp); 74 | 75 | for (i=0;from[i].fnname != 0; i++) 76 | { 77 | struct emu_env_w32_dll_export *ex = &to->exportx[i]; 78 | struct emu_env_hook *hook = &to->hooks[i]; 79 | hook->type = emu_env_type_win32; 80 | hook->hook.win = ex; 81 | 82 | emu_hashtable_insert(to->exports_by_fnptr, (void *)(uintptr_t)from[i].virtualaddr, hook); 83 | emu_hashtable_insert(to->exports_by_fnname, (void *)(uintptr_t)from[i].fnname, hook); 84 | } 85 | } 86 | -------------------------------------------------------------------------------- /src/environment/win32/emu_env_w32_dll_export.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * Copyright (C) 2016 tpltnt 9 | * 10 | * This program is free software; you can redistribute it and/or 11 | * modify it under the terms of the GNU General Public License 12 | * as published by the Free Software Foundation; either version 2 13 | * of the License, or (at your option) any later version. 14 | * 15 | * This program is distributed in the hope that it will be useful, 16 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | * GNU General Public License for more details. 19 | * 20 | * You should have received a copy of the GNU General Public License 21 | * along with this program; if not, write to the Free Software 22 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 23 | * 24 | * 25 | * contact nepenthesdev@users.sourceforge.net 26 | * 27 | *******************************************************************************/ 28 | 29 | #include 30 | #include 31 | 32 | // for the socket hooks 33 | #include 34 | #include 35 | #include 36 | #include 37 | 38 | #include 39 | #include 40 | 41 | 42 | #include "emu/emu.h" 43 | #include "emu/emu_memory.h" 44 | #include "emu/emu_cpu.h" 45 | #include "emu/emu_cpu_data.h" 46 | #include "emu/emu_cpu_stack.h" 47 | #include "emu/emu_hashtable.h" 48 | #include "emu/environment/win32/emu_env_w32.h" 49 | #include "emu/environment/win32/emu_env_w32_dll_export.h" 50 | #include "emu/environment/win32/emu_env_w32_dll.h" 51 | #include "emu/emu_string.h" 52 | 53 | struct emu_env_w32_dll_export *emu_env_w32_dll_export_new(void) 54 | { 55 | struct emu_env_w32_dll_export *exp = (struct emu_env_w32_dll_export *)malloc(sizeof(struct emu_env_w32_dll_export)); 56 | if (NULL == exp) 57 | { 58 | return NULL; 59 | } 60 | memset(exp,0,sizeof(struct emu_env_w32_dll_export)); 61 | return exp; 62 | } 63 | 64 | void emu_env_w32_dll_export_free(struct emu_env_w32_dll_export *exp) 65 | { 66 | free(exp); 67 | } 68 | 69 | void emu_env_w32_dll_export_copy(struct emu_env_w32_dll_export *to, struct emu_env_w32_dll_export *from) 70 | { 71 | to->fnhook = from->fnhook; 72 | to->fnname = from->fnname; 73 | to->virtualaddr = from->virtualaddr; 74 | } 75 | 76 | 77 | -------------------------------------------------------------------------------- /src/environment/win32/env_w32_dll_export_shdocvw_hooks.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007-2011 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #include 29 | #include 30 | 31 | #include 32 | #include 33 | #include 34 | 35 | #include "../../../config.h" 36 | #include "emu/emu.h" 37 | #include "emu/emu_log.h" 38 | #include "emu/emu_memory.h" 39 | #include "emu/emu_cpu.h" 40 | #include "emu/emu_cpu_data.h" 41 | #include "emu/emu_cpu_stack.h" 42 | #include "emu/emu_hashtable.h" 43 | #include "emu/emu_string.h" 44 | #include "emu/environment/emu_env.h" 45 | #include "emu/environment/emu_profile.h" 46 | #include "emu/environment/win32/emu_env_w32.h" 47 | #include "emu/environment/win32/emu_env_w32_dll.h" 48 | #include "emu/environment/win32/emu_env_w32_dll_export.h" 49 | #include "emu/environment/win32/env_w32_dll_export_urlmon_hooks.h" 50 | 51 | 52 | int32_t env_w32_hook_IEWinMain(struct emu_env *env, struct emu_env_hook *hook) 53 | { 54 | logDebug(env->emu, "Hook me Captain Cook!\n"); 55 | logDebug(env->emu, "%s:%i %s\n",__FILE__,__LINE__,__FUNCTION__); 56 | 57 | struct emu_cpu *c = emu_cpu_get(env->emu); 58 | 59 | uint32_t eip_save; 60 | POP_DWORD(c, &eip_save); 61 | /* IEWinMain(LPSTR pszCommandLine, int nShowWindow) */ 62 | 63 | uint32_t pszCommandLine; 64 | POP_DWORD(c, &pszCommandLine); 65 | 66 | uint32_t nShowWindow; 67 | POP_DWORD(c, &nShowWindow); 68 | 69 | struct emu_string *CommandLine = emu_string_new(); 70 | emu_memory_read_string(c->mem, pszCommandLine, CommandLine, 512); 71 | 72 | uint32_t returnvalue = 0; 73 | 74 | if ( hook->hook.win->userhook != NULL ) 75 | { 76 | returnvalue = hook->hook.win->userhook(env, hook, 77 | emu_string_char(CommandLine), 78 | nShowWindow); 79 | }else 80 | { 81 | returnvalue = 0; 82 | } 83 | 84 | if (env->profile != NULL) 85 | { 86 | emu_profile_function_add(env->profile, "IEWinMain"); 87 | 88 | emu_profile_argument_add_ptr(env->profile, "LPSTR", "pszCommandLine", pszCommandLine); 89 | emu_profile_argument_add_string(env->profile, "", "", emu_string_char(CommandLine)); 90 | emu_profile_argument_add_int(env->profile, "int", "nShowWindow", nShowWindow); 91 | 92 | emu_profile_function_returnvalue_int_set(env->profile, "HRESULT", returnvalue); 93 | } 94 | 95 | emu_cpu_reg32_set(c, eax, returnvalue); 96 | emu_string_free(CommandLine); 97 | emu_cpu_eip_set(c, eip_save); 98 | return 0; 99 | } 100 | -------------------------------------------------------------------------------- /src/environment/win32/env_w32_dll_export_shell32_hooks.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #include 29 | #include 30 | 31 | #include 32 | #include 33 | #include 34 | 35 | #include "../../../config.h" 36 | #include "emu/emu.h" 37 | #include "emu/emu_log.h" 38 | #include "emu/emu_memory.h" 39 | #include "emu/emu_cpu.h" 40 | #include "emu/emu_cpu_data.h" 41 | #include "emu/emu_cpu_stack.h" 42 | #include "emu/emu_hashtable.h" 43 | #include "emu/emu_string.h" 44 | #include "emu/environment/emu_env.h" 45 | #include "emu/environment/emu_profile.h" 46 | #include "emu/environment/win32/emu_env_w32.h" 47 | #include "emu/environment/win32/emu_env_w32_dll.h" 48 | #include "emu/environment/win32/emu_env_w32_dll_export.h" 49 | #include "emu/environment/win32/env_w32_dll_export_urlmon_hooks.h" 50 | 51 | void GetSHFolderName(int clsid, char* buf255) 52 | { 53 | const char *FolderNames[0xff] = 54 | { 55 | [0x00] = "./DESKTOP", 56 | [0x01] = "./INTERNET", 57 | [0x02] = "./PROGRAMS", 58 | [0x03] = "./CONTROLS", 59 | [0x04] = "./PRINTERS", 60 | [0x05] = "./PERSONAL", 61 | [0x06] = "./FAVORITES", 62 | [0x07] = "./STARTUP", 63 | [0x08] = "./RECENT", 64 | [0x09] = "./SENDTO", 65 | [0x0A] = "./BITBUCKET", 66 | [0x0B] = "./STARTMENU", 67 | [0x10] = "./DESKTOPDIRECTORY", 68 | [0x11] = "./DRIVES", 69 | [0x12] = "./NETWORK", 70 | [0x13] = "./NETHOOD", 71 | [0x14] = "./FONTS", 72 | [0x15] = "./TEMPLATES", 73 | [0x16] = "./COMMON_STARTMENU", 74 | [0x17] = "./COMMON_PROGRAMS", 75 | [0x18] = "./COMMON_STARTUP", 76 | [0x19] = "./COMMON_DESKTOPDIRECTORY", 77 | [0x1a] = "./APPDATA", 78 | [0x1b] = "./PRINTHOOD", 79 | [0x1d] = "./ALTSTARTUP", 80 | [0x1e] = "./COMMON_ALTSTARTUP", 81 | [0x1f] = "./COMMON_FAVORITES", 82 | [0x20] = "./INTERNET_CACHE", 83 | [0x21] = "./COOKIES", 84 | [0x22] = "./HISTORY", 85 | }; 86 | 87 | if( clsid < 0x22 && FolderNames[clsid] != 0 ) 88 | strncpy(buf255, FolderNames[clsid], 254); 89 | else 90 | strncpy(buf255, "invalid id", 254); 91 | } 92 | 93 | 94 | int32_t env_hook_SHGetSpecialFolderPathA(struct emu_env *env, struct emu_env_hook *hook) 95 | { 96 | 97 | struct emu_cpu *c = emu_cpu_get(env->emu); 98 | struct emu_memory *mem = emu_memory_get(env->emu); 99 | 100 | uint32_t eip_save; 101 | 102 | POP_DWORD(c, &eip_save); 103 | 104 | /* 105 | CopyBOOL SHGetSpecialFolderPath( 106 | HWND hwndOwner, 107 | __out LPTSTR lpszPath, 108 | __in int csidl, 109 | __in BOOL fCreate 110 | ); 111 | 112 | */ 113 | uint32_t hwnd; 114 | POP_DWORD(c, &hwnd); 115 | 116 | uint32_t buf; 117 | POP_DWORD(c, &buf); 118 | 119 | uint32_t csidl; 120 | POP_DWORD(c, &csidl); 121 | 122 | uint32_t fCreate; 123 | POP_DWORD(c, &fCreate); 124 | 125 | char buf255[255]; 126 | memset(buf255,0,254); 127 | GetSHFolderName(csidl, (char*)&buf255); 128 | 129 | emu_memory_write_block(mem,buf,buf255,strlen(buf255)); 130 | 131 | emu_cpu_reg32_set(c, eax, 0); 132 | 133 | if ( env->profile != NULL ) 134 | { 135 | emu_profile_function_add(env->profile, "SHGetSpecialFolderPath"); 136 | emu_profile_argument_add_int(env->profile, "HWND", "hwndOwner", hwnd); 137 | emu_profile_argument_add_ptr(env->profile, "LPCSTR", "lpszPath", buf); 138 | emu_profile_argument_add_string(env->profile, "", "", buf255); 139 | emu_profile_argument_add_int(env->profile, "int", "csidl", csidl); 140 | emu_profile_argument_add_int(env->profile, "BOOL", "fCreate", fCreate); 141 | emu_profile_function_returnvalue_int_set(env->profile, "BOOL", c->reg[eax]); 142 | } 143 | 144 | emu_cpu_eip_set(c, eip_save); 145 | return 0; 146 | } 147 | 148 | -------------------------------------------------------------------------------- /src/environment/win32/env_w32_dll_export_urlmon_hooks.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #include 29 | #include 30 | 31 | #include 32 | #include 33 | #include 34 | 35 | #include "../../../config.h" 36 | #include "emu/emu.h" 37 | #include "emu/emu_log.h" 38 | #include "emu/emu_memory.h" 39 | #include "emu/emu_cpu.h" 40 | #include "emu/emu_cpu_data.h" 41 | #include "emu/emu_cpu_stack.h" 42 | #include "emu/emu_hashtable.h" 43 | #include "emu/emu_string.h" 44 | #include "emu/environment/emu_env.h" 45 | #include "emu/environment/emu_profile.h" 46 | #include "emu/environment/win32/emu_env_w32.h" 47 | #include "emu/environment/win32/emu_env_w32_dll.h" 48 | #include "emu/environment/win32/emu_env_w32_dll_export.h" 49 | #include "emu/environment/win32/env_w32_dll_export_urlmon_hooks.h" 50 | 51 | int32_t env_w32_hook_URLDownloadToFileA(struct emu_env *env, struct emu_env_hook *hook) 52 | { 53 | logDebug(env->emu, "Hook me Captain Cook!\n"); 54 | logDebug(env->emu, "%s:%i %s\n",__FILE__,__LINE__,__FUNCTION__); 55 | 56 | struct emu_cpu *c = emu_cpu_get(env->emu); 57 | 58 | uint32_t eip_save; 59 | 60 | POP_DWORD(c, &eip_save); 61 | 62 | /* 63 | HRESULT URLDownloadToFile( 64 | LPUNKNOWN pCaller, 65 | LPCTSTR szURL, 66 | LPCTSTR szFileName, 67 | DWORD dwReserved, 68 | LPBINDSTATUSCALLBACK lpfnCB 69 | ); 70 | */ 71 | 72 | uint32_t p_caller; 73 | POP_DWORD(c, &p_caller); 74 | 75 | uint32_t p_url; 76 | POP_DWORD(c, &p_url); 77 | 78 | struct emu_string *url = emu_string_new(); 79 | emu_memory_read_string(c->mem, p_url, url, 512); 80 | 81 | 82 | uint32_t p_filename; 83 | POP_DWORD(c, &p_filename); 84 | 85 | struct emu_string *filename = emu_string_new(); 86 | emu_memory_read_string(c->mem, p_filename, filename, 512); 87 | 88 | uint32_t reserved; 89 | POP_DWORD(c, &reserved); 90 | 91 | uint32_t statuscallbackfn; 92 | POP_DWORD(c, &statuscallbackfn); 93 | 94 | 95 | 96 | uint32_t returnvalue=0; 97 | if ( hook->hook.win->userhook != NULL ) 98 | { 99 | returnvalue = hook->hook.win->userhook(env, hook, 100 | NULL, 101 | emu_string_char(url), 102 | emu_string_char(filename), 103 | 0, 104 | NULL); 105 | }else 106 | { 107 | returnvalue = 0; 108 | } 109 | 110 | 111 | emu_cpu_reg32_set(c, eax, returnvalue); 112 | 113 | // logDebug(env->emu, " %s -> %s\n", emu_string_char(url), emu_string_char(filename)); 114 | 115 | if (env->profile != NULL) 116 | { 117 | emu_profile_function_add(env->profile, "URLDownloadToFile"); 118 | 119 | emu_profile_argument_add_ptr(env->profile, "LPUNKNOWN", "pCaller", p_caller); 120 | emu_profile_argument_add_none(env->profile); 121 | emu_profile_argument_add_ptr(env->profile, "LPCTSTR", "szURL", p_url); 122 | emu_profile_argument_add_string(env->profile, "", "", emu_string_char(url)); 123 | emu_profile_argument_add_ptr(env->profile, "LPCTSTR", "szFileName", p_filename); 124 | emu_profile_argument_add_string(env->profile, "", "", emu_string_char(filename)); 125 | emu_profile_argument_add_int(env->profile, "DWORD", "dwReserved", reserved); 126 | emu_profile_argument_add_int(env->profile, "LPBINDSTATUSCALLBACK", "lpfnCB", statuscallbackfn); 127 | 128 | emu_profile_function_returnvalue_int_set(env->profile, "HRESULT", returnvalue); 129 | } 130 | 131 | 132 | emu_string_free(url); 133 | emu_string_free(filename); 134 | emu_cpu_eip_set(c, eip_save); 135 | return 0; 136 | } 137 | 138 | -------------------------------------------------------------------------------- /src/functions/Makefile.am: -------------------------------------------------------------------------------- 1 | # libemu Makefile 2 | # Paul Baecher, Markus Koetter 3 | # $Id$ 4 | 5 | EXTRA_DIST = add.c 6 | EXTRA_DIST += misc.c 7 | -------------------------------------------------------------------------------- /src/functions/aaa.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #include 29 | #include 30 | 31 | #include "emu/emu.h" 32 | #include "emu/emu_cpu.h" 33 | #include "emu/emu_cpu_data.h" 34 | 35 | #include "emu/emu_memory.h" 36 | 37 | int32_t instr_aaa_37(struct emu_cpu *c, struct emu_cpu_instruction *i) 38 | { 39 | /* 37 40 | * ASCII adjust AL after add 41 | * AAA 42 | */ 43 | 44 | if ( ((*c->reg8[al] & 0x0f) > 9) || CPU_FLAG_ISSET(c,f_af)) 45 | { 46 | *c->reg8[al] = *c->reg8[al] + 6; 47 | *c->reg8[ah] = *c->reg8[ah] + 1; 48 | CPU_FLAG_SET(c,f_af); 49 | CPU_FLAG_SET(c,f_cf); 50 | }else 51 | { 52 | CPU_FLAG_UNSET(c,f_af); 53 | CPU_FLAG_UNSET(c,f_cf); 54 | } 55 | *c->reg8[al] = (*c->reg8[al] & 0x0f); 56 | 57 | return 0; 58 | } 59 | -------------------------------------------------------------------------------- /src/functions/call.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #include 29 | #include 30 | 31 | #include "emu/emu.h" 32 | #include "emu/emu_cpu.h" 33 | #include "emu/emu_cpu_data.h" 34 | 35 | #include "emu/emu_cpu_stack.h" 36 | #include "emu/emu_memory.h" 37 | 38 | 39 | int32_t instr_call_9a(struct emu_cpu *c, struct emu_cpu_instruction *i) 40 | { 41 | 42 | /* 9A cd 43 | * CALL ptr16:16 44 | * Call far, absolute, address given in operand 45 | */ 46 | 47 | /* 9A cp 48 | * CALL ptr16:32 49 | * Call far, absolute, address given in operand 50 | */ 51 | 52 | UNIMPLEMENTED(c, SST); 53 | } 54 | 55 | 56 | int32_t instr_call_e8(struct emu_cpu *c, struct emu_cpu_instruction *i) 57 | { 58 | 59 | /* E8 cd 60 | * CALL rel32 61 | * Call near, relative, displacement relative to next instruction 62 | */ 63 | 64 | 65 | /* E8 cw 66 | * CALL rel16 67 | * Call near, relative, displacement relative to next instruction 68 | */ 69 | 70 | PUSH_DWORD(c, c->eip); 71 | c->eip += i->disp; 72 | 73 | SOURCE_NORM_POS(c->instr, c->eip); 74 | 75 | return 0; 76 | } 77 | 78 | 79 | int32_t instr_group_5_ff_call(struct emu_cpu *c, struct emu_cpu_instruction *i) 80 | { 81 | if( i->modrm.opc == 2 ) 82 | { 83 | PUSH_DWORD(c, c->eip); 84 | 85 | if( i->modrm.mod != 3 ) 86 | { 87 | if( i->prefixes & PREFIX_OPSIZE ) 88 | { 89 | /* FF /2 90 | * CALL r/m16 91 | * Call near, absolute indirect, address given in r/m16 92 | */ 93 | 94 | uint16_t disp; 95 | MEM_WORD_READ(c, i->modrm.ea, &disp); 96 | 97 | c->eip = disp; 98 | 99 | SOURCE_NORM_POS(c->instr, c->eip); 100 | } 101 | else 102 | { 103 | /* FF /2 104 | * CALL r/m32 105 | * Call near, absolute indirect, address given in r/m32 106 | */ 107 | 108 | uint32_t disp; 109 | MEM_DWORD_READ(c, i->modrm.ea, &disp); 110 | 111 | c->eip = disp; 112 | 113 | SOURCE_NORM_POS(c->instr, c->eip); 114 | } 115 | } 116 | else 117 | { 118 | if( i->prefixes & PREFIX_OPSIZE ) 119 | { 120 | /* FF /2 121 | * CALL r/m16 122 | * Call near, absolute indirect, address given in r/m16 123 | */ 124 | 125 | c->eip = *c->reg16[i->modrm.rm]; 126 | 127 | SOURCE_NORM_POS(c->instr, c->eip); 128 | TRACK_NEED_REG16(c->instr, i->modrm.rm); 129 | } 130 | else 131 | { 132 | /* FF /2 133 | * CALL r/m32 134 | * Call near, absolute indirect, address given in r/m32 135 | */ 136 | 137 | c->eip = c->reg[i->modrm.rm]; 138 | 139 | SOURCE_NORM_POS(c->instr, c->eip); 140 | TRACK_NEED_REG32(c->instr, i->modrm.rm); 141 | } 142 | } 143 | } 144 | else 145 | { 146 | /* FF /3 147 | * CALL m16:16 148 | * Call far, absolute indirect, address given in m16:16 149 | */ 150 | 151 | /* FF /3 152 | * CALL m16:32 153 | * Call far, absolute indirect, address given in m16:32 154 | */ 155 | 156 | UNIMPLEMENTED(c, SST); 157 | 158 | } 159 | 160 | return 0; 161 | } 162 | 163 | -------------------------------------------------------------------------------- /src/functions/dec.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #include 29 | 30 | #define INSTR_CALC(bits, a) \ 31 | UINTOF(bits) operand_a = a; \ 32 | UINTOF(bits) operation_result = operand_a-1; \ 33 | a = operation_result; 34 | 35 | 36 | 37 | #define INSTR_SET_FLAG_OF(cpu, bits) \ 38 | { \ 39 | int64_t sz = (INTOF(bits))operand_a; \ 40 | \ 41 | sz--; \ 42 | \ 43 | if (sz < max_inttype_borders[sizeof(operation_result)][0][0] || sz > max_inttype_borders[sizeof(operation_result)][0][1] \ 44 | || sz != (INTOF(bits))operation_result ) \ 45 | { \ 46 | CPU_FLAG_SET(cpu, f_of); \ 47 | }else \ 48 | { \ 49 | CPU_FLAG_UNSET(cpu, f_of); \ 50 | } \ 51 | } 52 | 53 | 54 | #include "emu/emu_cpu.h" 55 | #include "emu/emu_cpu_data.h" 56 | 57 | #include "emu/emu_memory.h" 58 | 59 | /*Intel Architecture Software Developer's Manual Volume 2: Instruction Set Reference (24319102.PDF) page 186*/ 60 | 61 | 62 | #ifdef INSTR_CALC_AND_SET_FLAGS 63 | #undef INSTR_CALC_AND_SET_FLAGS 64 | #endif // INSTR_CALC_AND_SET_FLAGS 65 | 66 | #define INSTR_CALC_AND_SET_FLAGS(bits, cpu, a) \ 67 | INSTR_CALC(bits, a) \ 68 | INSTR_SET_FLAG_ZF(cpu) \ 69 | INSTR_SET_FLAG_PF(cpu) \ 70 | INSTR_SET_FLAG_SF(cpu) \ 71 | INSTR_SET_FLAG_OF(cpu,bits) 72 | 73 | 74 | 75 | 76 | int32_t instr_dec_4x(struct emu_cpu *c, struct emu_cpu_instruction *i) 77 | { 78 | if ( i->prefixes & PREFIX_OPSIZE ) 79 | { 80 | /* 48+rw 81 | * Decrement r16 by 1 82 | * DEC r16 83 | */ 84 | INSTR_CALC_AND_SET_FLAGS(16, c, *c->reg16[i->opc & 7]) 85 | }else 86 | { 87 | /* 48+rw 88 | * Decrement r32 by 1 89 | * DEC r32 90 | */ 91 | INSTR_CALC_AND_SET_FLAGS(32, c, c->reg[i->opc & 7]) 92 | } 93 | return 0; 94 | } 95 | 96 | 97 | 98 | int32_t instr_group_4_fe_dec(struct emu_cpu *c, struct emu_cpu_instruction *i) 99 | { 100 | /* FE /1 101 | * Decrement r/m8 by 1 102 | * DEC r/m8 103 | */ 104 | if ( i->modrm.mod != 3 ) 105 | { 106 | uint8_t dst; 107 | MEM_BYTE_READ(c, i->modrm.ea, &dst); 108 | 109 | INSTR_CALC_AND_SET_FLAGS(8, c, dst) 110 | 111 | MEM_BYTE_WRITE(c, i->modrm.ea, dst); 112 | 113 | } 114 | else 115 | { 116 | INSTR_CALC_AND_SET_FLAGS(8, c, *c->reg8[i->modrm.rm]) 117 | } 118 | return 0; 119 | } 120 | 121 | 122 | int32_t instr_group_5_ff_dec(struct emu_cpu *c, struct emu_cpu_instruction *i) 123 | { 124 | if ( i->modrm.mod != 3 ) 125 | { 126 | 127 | if ( i->prefixes & PREFIX_OPSIZE ) 128 | { 129 | /* FF /1 130 | * Decrement r/m16 by 1 131 | * DEC r/m16 132 | */ 133 | uint16_t dst; 134 | MEM_WORD_READ(c, i->modrm.ea, &dst); 135 | 136 | INSTR_CALC_AND_SET_FLAGS(16, c, dst) 137 | 138 | MEM_WORD_WRITE(c, i->modrm.ea, dst); 139 | } 140 | else 141 | { 142 | /* FF /1 143 | * Decrement r/m32 by 1 144 | * DEC r/m32 145 | */ 146 | uint32_t dst; 147 | MEM_DWORD_READ(c, i->modrm.ea, &dst); 148 | 149 | INSTR_CALC_AND_SET_FLAGS(32, c, dst) 150 | 151 | MEM_DWORD_WRITE(c, i->modrm.ea, dst); 152 | } 153 | } 154 | else 155 | { 156 | if ( i->prefixes & PREFIX_OPSIZE ) 157 | { 158 | /* FF /1 159 | * Decrement r/m16 by 1 160 | * DEC r/m16 161 | */ 162 | INSTR_CALC_AND_SET_FLAGS(16, c, *c->reg16[i->modrm.rm]) 163 | } 164 | else 165 | { 166 | /* FF /1 167 | * Decrement r/m32 by 1 168 | * DEC r/m32 169 | */ 170 | INSTR_CALC_AND_SET_FLAGS(32, c, c->reg[i->modrm.rm]) 171 | } 172 | } 173 | return 0; 174 | } 175 | -------------------------------------------------------------------------------- /src/functions/div.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #include 29 | #include 30 | #include 31 | 32 | #define INSTR_CALC(dbits,bits,cpu,dividend,divisor,quotient,remainder)\ 33 | {\ 34 | if (divisor == 0) \ 35 | { \ 36 | emu_strerror_set(cpu->emu,"div by zero (%i bits)\n",bits); \ 37 | emu_errno_set(cpu->emu,EINVAL); \ 38 | return -1; \ 39 | } \ 40 | UINTOF(dbits) q_result = dividend / divisor; \ 41 | UINTOF(dbits) r_result = dividend % divisor; \ 42 | \ 43 | quotient = q_result; \ 44 | remainder = r_result; \ 45 | if ( q_result > max_inttype_borders[bits/8][1][1]) \ 46 | { \ 47 | emu_strerror_set(cpu->emu,"div quotient larger than intborder (%i bits)\n",bits); \ 48 | emu_errno_set(cpu->emu,EINVAL); \ 49 | return -1; \ 50 | } \ 51 | } 52 | 53 | #include "emu/emu.h" 54 | #include "emu/emu_cpu.h" 55 | #include "emu/emu_cpu_data.h" 56 | 57 | #include "emu/emu_cpu_stack.h" 58 | #include "emu/emu_memory.h" 59 | 60 | /*Intel Architecture Software Developer's Manual Volume 2: Instruction Set Reference (24319102.PDF) page 188*/ 61 | 62 | int32_t instr_group_3_f6_div(struct emu_cpu *c, struct emu_cpu_instruction *i) 63 | { 64 | if ( i->modrm.mod != 3 ) 65 | { 66 | /* F6 /6 67 | * Unsigned divide AX by r/m8; AL <- Quotient, AH <- Remainder 68 | * DIV r/m8 69 | */ 70 | uint8_t m8; 71 | MEM_BYTE_READ(c, i->modrm.ea, &m8); 72 | INSTR_CALC(16, 73 | 8, 74 | c, 75 | *c->reg16[ax], 76 | m8, 77 | *c->reg8[al], 78 | *c->reg8[ah]) 79 | } 80 | else 81 | { 82 | /* F6 /6 83 | * Unsigned divide AX by r/m8; AL <- Quotient, AH <- Remainder 84 | * DIV r/m8 85 | */ 86 | INSTR_CALC(16, 87 | 8, 88 | c, 89 | *c->reg16[ax], 90 | *c->reg8[i->modrm.rm], 91 | *c->reg8[al], 92 | *c->reg8[ah]) 93 | } 94 | return 0; 95 | } 96 | 97 | int32_t instr_group_3_f7_div(struct emu_cpu *c, struct emu_cpu_instruction *i) 98 | { 99 | if ( i->modrm.mod != 3 ) 100 | { 101 | if ( i->prefixes & PREFIX_OPSIZE ) 102 | { 103 | /* F7 /6 104 | * Unsigned divide DX:AX by r/m16; AX <- Quotient, DX <- Remainder 105 | * DIV r/m16 106 | */ 107 | uint16_t m16; 108 | MEM_WORD_READ(c, i->modrm.ea, &m16); 109 | 110 | uint32_t dividend; 111 | DWORD_FROM_WORDS(dividend,*c->reg16[dx],*c->reg16[ax]); 112 | 113 | INSTR_CALC(32, 114 | 16, 115 | c, 116 | dividend, 117 | m16, 118 | *c->reg16[ax], 119 | *c->reg16[dx]) 120 | 121 | } 122 | else 123 | { 124 | /* F7 /6 125 | * Unsigned divide EDX:EAX by r/m32 doubleword; EAX <- Quotient, EDX <- Remainder 126 | * DIV r/m32 127 | */ 128 | uint32_t m32; 129 | MEM_DWORD_READ(c, i->modrm.ea, &m32); 130 | 131 | uint64_t dividend; 132 | QWORD_FROM_DWORDS(dividend,c->reg[edx],c->reg[eax]); 133 | 134 | INSTR_CALC(64, 135 | 32, 136 | c, 137 | dividend, 138 | m32, 139 | c->reg[eax], 140 | c->reg[edx]) 141 | } 142 | } 143 | else 144 | { 145 | if ( i->prefixes & PREFIX_OPSIZE ) 146 | { 147 | /* F7 /6 148 | * Unsigned divide DX:AX by r/m16; AX <- Quotient, DX <- Remainder 149 | * DIV r/m16 150 | */ 151 | 152 | uint32_t dividend; 153 | DWORD_FROM_WORDS(dividend,*c->reg16[dx],*c->reg16[ax]); 154 | 155 | INSTR_CALC(32, 156 | 16, 157 | c, 158 | dividend, 159 | *c->reg16[i->modrm.rm], 160 | *c->reg16[ax], 161 | *c->reg16[dx]) 162 | 163 | } 164 | else 165 | { 166 | /* F7 /6 167 | * Unsigned divide EDX:EAX by r/m32 doubleword; EAX <- Quotient, EDX <- Remainder 168 | * DIV r/m32 169 | */ 170 | uint64_t dividend; 171 | QWORD_FROM_DWORDS(dividend,c->reg[edx],c->reg[eax]); 172 | 173 | INSTR_CALC(64, 174 | 32, 175 | c, 176 | dividend, 177 | c->reg[i->modrm.rm], 178 | c->reg[eax], 179 | c->reg[edx]) 180 | 181 | } 182 | } 183 | return 0; 184 | } 185 | 186 | -------------------------------------------------------------------------------- /src/functions/group_1.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #include 29 | 30 | #include "emu/emu_cpu.h" 31 | #include "emu/emu_cpu_data.h" 32 | #include "emu/emu_cpu_functions.h" 33 | #include "emu/emu_memory.h" 34 | 35 | int32_t instr_group_1_80(struct emu_cpu *c, struct emu_cpu_instruction *i) 36 | { 37 | static int32_t (*group_1_80_fn[8])(struct emu_cpu *c, struct emu_cpu_instruction *i) = { 38 | /* 0 */ instr_group_1_80_add, 39 | /* 1 */ instr_group_1_80_or, 40 | /* 2 */ instr_group_1_80_adc, 41 | /* 3 */ instr_group_1_80_sbb, 42 | /* 4 */ instr_group_1_80_and, 43 | /* 5 */ instr_group_1_80_sub, 44 | /* 6 */ instr_group_1_80_xor, 45 | /* 7 */ instr_group_1_80_cmp, 46 | }; 47 | 48 | return group_1_80_fn[i->modrm.opc](c, i); 49 | } 50 | 51 | int32_t instr_group_1_81(struct emu_cpu *c, struct emu_cpu_instruction *i) 52 | { 53 | 54 | static int32_t (*group_1_81_fn[8])(struct emu_cpu *c, struct emu_cpu_instruction *i) = { 55 | /* 0 */ instr_group_1_81_add, 56 | /* 1 */ instr_group_1_81_or, 57 | /* 2 */ instr_group_1_81_adc, 58 | /* 3 */ instr_group_1_81_sbb, 59 | /* 4 */ instr_group_1_81_and, 60 | /* 5 */ instr_group_1_81_sub, 61 | /* 6 */ instr_group_1_81_xor, 62 | /* 7 */ instr_group_1_81_cmp, 63 | }; 64 | 65 | return group_1_81_fn[i->modrm.opc](c, i); 66 | } 67 | 68 | int32_t instr_group_1_82(struct emu_cpu *c, struct emu_cpu_instruction *i) 69 | { 70 | return 0; 71 | } 72 | 73 | int32_t instr_group_1_83(struct emu_cpu *c, struct emu_cpu_instruction *i) 74 | { 75 | static int32_t (*group_1_83_fn[8])(struct emu_cpu *c, struct emu_cpu_instruction *i) = { 76 | /* 0 */ instr_group_1_83_add, 77 | /* 1 */ instr_group_1_83_or, 78 | /* 2 */ instr_group_1_83_adc, 79 | /* 3 */ instr_group_1_83_sbb, 80 | /* 4 */ instr_group_1_83_and, 81 | /* 5 */ instr_group_1_83_sub, 82 | /* 6 */ instr_group_1_83_xor, 83 | /* 7 */ instr_group_1_83_cmp, 84 | }; 85 | 86 | return group_1_83_fn[i->modrm.opc](c, i); 87 | } 88 | 89 | 90 | -------------------------------------------------------------------------------- /src/functions/group_10.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #include 29 | 30 | #include "emu/emu_cpu.h" 31 | #include "emu/emu_cpu_data.h" 32 | #include "emu/emu_cpu_functions.h" 33 | #include "emu/emu_cpu_stack.h" 34 | #include "emu/emu_memory.h" 35 | 36 | int32_t instr_group_10_8f_pop(struct emu_cpu *c, struct emu_cpu_instruction *i) 37 | { 38 | if (i->prefixes & PREFIX_OPSIZE) 39 | { 40 | /* 8F /0 41 | * Pop top of stack into m16; increment stack pointer 42 | * POP m16 43 | */ 44 | }else 45 | { 46 | /* 8F /0 47 | * Pop top of stack into m32; increment stack pointer 48 | * POP m32 49 | */ 50 | uint32_t m32; 51 | /* support pop dword fs:[0x00] */ 52 | enum emu_segment oldseg = emu_memory_segment_get(c->mem); 53 | emu_memory_segment_select(c->mem, s_ss); 54 | POP_DWORD(c, &m32); 55 | emu_memory_segment_select(c->mem, oldseg); 56 | MEM_DWORD_WRITE(c, i->modrm.ea, m32); 57 | } 58 | 59 | return 0; 60 | } 61 | 62 | 63 | int32_t instr_group_10_8f(struct emu_cpu *c, struct emu_cpu_instruction *i) 64 | { 65 | 66 | static int32_t (*group_10_8f_fn[8])(struct emu_cpu *c, struct emu_cpu_instruction *i) = { 67 | /* 0 */ instr_group_10_8f_pop, 68 | /* 1 */ NULL, 69 | /* 2 */ NULL, 70 | /* 3 */ NULL, 71 | /* 4 */ NULL, 72 | /* 5 */ NULL, 73 | /* 6 */ NULL, 74 | /* 7 */ NULL, 75 | }; 76 | 77 | if ( group_10_8f_fn[i->modrm.opc] != NULL ) 78 | return group_10_8f_fn[i->modrm.opc](c, i); 79 | else 80 | return -1; 81 | } 82 | 83 | -------------------------------------------------------------------------------- /src/functions/group_2.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #include 29 | 30 | #include "emu/emu_cpu.h" 31 | #include "emu/emu_cpu_data.h" 32 | #include "emu/emu_cpu_functions.h" 33 | #include "emu/emu_memory.h" 34 | 35 | 36 | int32_t instr_group_2_c0(struct emu_cpu *c, struct emu_cpu_instruction *i) 37 | { 38 | static int32_t (*group_2_c0_fn[8])(struct emu_cpu *c, struct emu_cpu_instruction *i) = { 39 | /* 0 */ instr_group_2_c0_rol, 40 | /* 1 */ instr_group_2_c0_ror, 41 | /* 2 */ instr_group_2_c0_rcl, 42 | /* 3 */ instr_group_2_c0_rcr, 43 | /* 4 */ instr_group_2_c0_sal, 44 | /* 5 */ instr_group_2_c0_shr, 45 | /* 6 */ instr_group_2_c0_sal, // sal is shl 46 | /* 7 */ instr_group_2_c0_sar, 47 | }; 48 | 49 | return group_2_c0_fn[i->modrm.opc](c, i); 50 | } 51 | 52 | 53 | int32_t instr_group_2_c1(struct emu_cpu *c, struct emu_cpu_instruction *i) 54 | { 55 | static int32_t (*group_2_c1_fn[8])(struct emu_cpu *c, struct emu_cpu_instruction *i) = { 56 | /* 0 */ instr_group_2_c1_rol, 57 | /* 1 */ instr_group_2_c1_ror, 58 | /* 2 */ instr_group_2_c1_rcl, 59 | /* 3 */ instr_group_2_c1_rcr, 60 | /* 4 */ instr_group_2_c1_sal, 61 | /* 5 */ instr_group_2_c1_shr, 62 | /* 6 */ instr_group_2_c1_sal, // sal is shl, 63 | /* 7 */ instr_group_2_c1_sar, 64 | }; 65 | 66 | return group_2_c1_fn[i->modrm.opc](c, i); 67 | } 68 | 69 | 70 | int32_t instr_group_2_d0(struct emu_cpu *c, struct emu_cpu_instruction *i) 71 | { 72 | static int32_t (*group_2_d0_fn[8])(struct emu_cpu *c, struct emu_cpu_instruction *i) = { 73 | /* 0 */ instr_group_2_d0_rol, 74 | /* 1 */ instr_group_2_d0_ror, 75 | /* 2 */ instr_group_2_d0_rcl, 76 | /* 3 */ instr_group_2_d0_rcr, 77 | /* 4 */ instr_group_2_d0_sal, 78 | /* 5 */ instr_group_2_d0_shr, 79 | /* 6 */ instr_group_2_d0_sal, // sal is shl 80 | /* 7 */ instr_group_2_d0_sar, 81 | }; 82 | 83 | return group_2_d0_fn[i->modrm.opc](c, i); 84 | } 85 | 86 | int32_t instr_group_2_d1(struct emu_cpu *c, struct emu_cpu_instruction *i) 87 | { 88 | static int32_t (*group_2_d1_fn[8])(struct emu_cpu *c, struct emu_cpu_instruction *i) = { 89 | /* 0 */ instr_group_2_d1_rol, 90 | /* 1 */ instr_group_2_d1_ror, 91 | /* 2 */ instr_group_2_d1_rcl, 92 | /* 3 */ instr_group_2_d1_rcr, 93 | /* 4 */ instr_group_2_d1_sal, 94 | /* 5 */ instr_group_2_d1_shr, 95 | /* 6 */ instr_group_2_d1_sal, // sal is shl0, 96 | /* 7 */ instr_group_2_d1_sar, 97 | }; 98 | 99 | return group_2_d1_fn[i->modrm.opc](c, i); 100 | } 101 | 102 | 103 | int32_t instr_group_2_d2(struct emu_cpu *c, struct emu_cpu_instruction *i) 104 | { 105 | static int32_t (*group_2_d2_fn[8])(struct emu_cpu *c, struct emu_cpu_instruction *i) = { 106 | /* 0 */ instr_group_2_d2_rol, 107 | /* 1 */ instr_group_2_d2_ror, 108 | /* 2 */ instr_group_2_d2_rcl, 109 | /* 3 */ instr_group_2_d2_rcr, 110 | /* 4 */ instr_group_2_d2_sal, 111 | /* 5 */ instr_group_2_d2_shr, 112 | /* 6 */ instr_group_2_d2_sal, // sal is shl, 113 | /* 7 */ instr_group_2_d2_sar, 114 | }; 115 | 116 | return group_2_d2_fn[i->modrm.opc](c, i); 117 | } 118 | 119 | 120 | int32_t instr_group_2_d3(struct emu_cpu *c, struct emu_cpu_instruction *i) 121 | { 122 | static int32_t (*group_2_d3_fn[8])(struct emu_cpu *c, struct emu_cpu_instruction *i) = { 123 | /* 0 */ instr_group_2_d3_rol, 124 | /* 1 */ instr_group_2_d3_ror, 125 | /* 2 */ instr_group_2_d3_rcl, 126 | /* 3 */ instr_group_2_d3_rcr, 127 | /* 4 */ instr_group_2_d3_sal, // sal is shl 128 | /* 5 */ instr_group_2_d3_shr, 129 | /* 6 */ instr_group_2_d3_sal, // sal is shl 130 | /* 7 */ instr_group_2_d3_sar, 131 | }; 132 | 133 | return group_2_d3_fn[i->modrm.opc](c, i); 134 | } 135 | 136 | -------------------------------------------------------------------------------- /src/functions/group_3.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #include 29 | 30 | #include "emu/emu_cpu.h" 31 | #include "emu/emu_cpu_data.h" 32 | #include "emu/emu_cpu_functions.h" 33 | #include "emu/emu_memory.h" 34 | 35 | 36 | int32_t instr_group_3_f6(struct emu_cpu *c, struct emu_cpu_instruction *i) 37 | { 38 | static int32_t (*group_3_f6_fn[8])(struct emu_cpu *c, struct emu_cpu_instruction *i) = { 39 | /* 0 */ instr_group_3_f6_test, 40 | /* 1 */ instr_group_3_f6_test, 41 | /* 2 */ instr_group_3_f6_not, 42 | /* 3 */ instr_group_3_f6_neg, 43 | /* 4 */ instr_group_3_f6_mul, 44 | /* 5 */ instr_group_3_f6_imul, 45 | /* 6 */ instr_group_3_f6_div, 46 | /* 7 */ instr_group_3_f6_idiv, 47 | }; 48 | 49 | return group_3_f6_fn[i->modrm.opc](c, i); 50 | } 51 | 52 | 53 | int32_t instr_group_3_f7(struct emu_cpu *c, struct emu_cpu_instruction *i) 54 | { 55 | static int32_t (*group_3_f7_fn[8])(struct emu_cpu *c, struct emu_cpu_instruction *i) = { 56 | /* 0 */ instr_group_3_f7_test, 57 | /* 1 */ instr_group_3_f7_test, 58 | /* 2 */ instr_group_3_f7_not, 59 | /* 3 */ instr_group_3_f7_neg, 60 | /* 4 */ instr_group_3_f7_mul, 61 | /* 5 */ instr_group_3_f7_imul, 62 | /* 6 */ instr_group_3_f7_div, 63 | /* 7 */ instr_group_3_f7_idiv, 64 | }; 65 | 66 | return group_3_f7_fn[i->modrm.opc](c, i); 67 | } 68 | 69 | -------------------------------------------------------------------------------- /src/functions/group_4.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #include 29 | 30 | #include "emu/emu_cpu.h" 31 | #include "emu/emu_cpu_data.h" 32 | #include "emu/emu_cpu_functions.h" 33 | #include "emu/emu_memory.h" 34 | 35 | 36 | int32_t instr_group_4_fe(struct emu_cpu *c, struct emu_cpu_instruction *i) 37 | { 38 | static int32_t (*group_4_fe_fn[8])(struct emu_cpu *c, struct emu_cpu_instruction *i) = { 39 | /* 0 */ instr_group_4_fe_inc, 40 | /* 1 */ instr_group_4_fe_dec, 41 | /* 2 */ 0, 42 | /* 3 */ 0, 43 | /* 4 */ 0, 44 | /* 5 */ 0, 45 | /* 6 */ 0, 46 | /* 7 */ 0, 47 | }; 48 | 49 | if (group_4_fe_fn[i->modrm.opc]) 50 | return group_4_fe_fn[i->modrm.opc](c, i); 51 | else 52 | return -1; 53 | } 54 | -------------------------------------------------------------------------------- /src/functions/group_5.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #include 29 | #include 30 | 31 | #include "emu/emu.h" 32 | #include "emu/emu_cpu.h" 33 | #include "emu/emu_cpu_data.h" 34 | #include "emu/emu_cpu_functions.h" 35 | #include "emu/emu_cpu_stack.h" 36 | #include "emu/emu_memory.h" 37 | 38 | 39 | 40 | 41 | int32_t instr_group_5_ff(struct emu_cpu *c, struct emu_cpu_instruction *i) 42 | { 43 | static int32_t (*group_5_fn[8])(struct emu_cpu *c, struct emu_cpu_instruction *i) = { 44 | /* 0 */ instr_group_5_ff_inc, 45 | /* 1 */ instr_group_5_ff_dec, 46 | /* 2 */ instr_group_5_ff_call, 47 | /* 3 */ instr_group_5_ff_call, 48 | /* 4 */ instr_group_5_ff_jmp, 49 | /* 5 */ instr_group_5_ff_jmp, 50 | /* 6 */ instr_group_5_ff_push, 51 | /* 7 */ 0, 52 | }; 53 | 54 | if (group_5_fn[i->modrm.opc] != NULL) 55 | return group_5_fn[i->modrm.opc](c, i); 56 | else 57 | return -1; 58 | } 59 | -------------------------------------------------------------------------------- /src/functions/int.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #include "emu/emu_cpu.h" 29 | #include "emu/emu_cpu_data.h" 30 | #include "emu/emu_memory.h" 31 | #include "emu/emu_string.h" 32 | 33 | int32_t instr_int_cd(struct emu_cpu *c, struct emu_cpu_instruction *i) 34 | { 35 | return 0; 36 | } 37 | 38 | 39 | -------------------------------------------------------------------------------- /src/functions/jmp.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #include 29 | 30 | #include "emu/emu_cpu.h" 31 | #include "emu/emu_cpu_data.h" 32 | 33 | #include "emu/emu_memory.h" 34 | 35 | 36 | int32_t instr_jmp_e9(struct emu_cpu *c, struct emu_cpu_instruction *i) 37 | { 38 | 39 | 40 | 41 | /* E9 cw 42 | * Jump near, relative, displacement relative to next instruction 43 | * JMP rel16 44 | */ 45 | 46 | 47 | /* E9 cd 48 | * Jump near, relative, displacement relative to next instruction 49 | * JMP rel32 50 | */ 51 | 52 | c->eip += i->disp; 53 | 54 | SOURCE_NORM_POS(c->instr, c->eip); 55 | 56 | return 0; 57 | } 58 | 59 | 60 | int32_t instr_jmp_ea(struct emu_cpu *c, struct emu_cpu_instruction *i) 61 | { 62 | 63 | /* EA cd 64 | * Jump far, absolute, address given in operand 65 | * JMP ptr16:16 66 | */ 67 | 68 | 69 | /* EA cp 70 | * Jump far, absolute, address given in operand 71 | * JMP ptr16:32 72 | */ 73 | 74 | UNIMPLEMENTED(c, SST); 75 | 76 | } 77 | 78 | int32_t instr_jmp_eb(struct emu_cpu *c, struct emu_cpu_instruction *i) 79 | { 80 | /* EB cb 81 | * Jump short, relative, displacement relative to next instruction 82 | * JMP rel8 83 | */ 84 | 85 | c->eip += i->disp; 86 | 87 | SOURCE_NORM_POS(c->instr, c->eip); 88 | 89 | return 0; 90 | } 91 | 92 | 93 | int32_t instr_group_5_ff_jmp(struct emu_cpu *c, struct emu_cpu_instruction *i) 94 | { 95 | if( i->modrm.opc == 4 ) 96 | { 97 | if( i->modrm.mod != 3 ) 98 | { 99 | if( i->prefixes & PREFIX_OPSIZE ) 100 | { 101 | /* FF /4 102 | * Jump near, absolute indirect, address given in r/m16 103 | * JMP r/m16 104 | */ 105 | 106 | uint16_t disp; 107 | MEM_WORD_READ(c, i->modrm.ea, &disp); 108 | 109 | c->eip = disp; 110 | 111 | SOURCE_NORM_POS(c->instr, c->eip); 112 | } 113 | else 114 | { 115 | /* FF /4 116 | * Jump near, absolute indirect, address given in r/m32 117 | * JMP r/m32 118 | */ 119 | 120 | uint32_t disp; 121 | MEM_DWORD_READ(c, i->modrm.ea, &disp); 122 | 123 | c->eip = disp; 124 | 125 | SOURCE_NORM_POS(c->instr, c->eip); 126 | } 127 | } 128 | else 129 | { 130 | if( i->prefixes & PREFIX_OPSIZE ) 131 | { 132 | /* FF /4 133 | * Jump near, absolute indirect, address given in r/m16 134 | * JMP r/m16 135 | */ 136 | 137 | c->eip = *c->reg16[i->modrm.rm]; 138 | 139 | SOURCE_NORM_POS(c->instr, c->eip); 140 | TRACK_NEED_REG16(c->instr, i->modrm.rm); 141 | } 142 | else 143 | { 144 | /* FF /4 145 | * Jump near, absolute indirect, address given in r/m32 146 | * JMP r/m32 147 | */ 148 | 149 | c->eip = c->reg[i->modrm.rm]; 150 | 151 | SOURCE_NORM_POS(c->instr, c->eip); 152 | TRACK_NEED_REG32(c->instr, i->modrm.rm); 153 | } 154 | } 155 | } 156 | else /* /5 */ 157 | { 158 | /* unneeded */ 159 | /* FF /5 160 | * Jump far, absolute indirect, address given in m16:16 161 | * JMP m16:16 162 | */ 163 | 164 | 165 | /* FF /5 166 | * Jump far, absolute indirect, address given in m16:32 167 | * JMP m16:32 168 | */ 169 | 170 | UNIMPLEMENTED(c, SST); 171 | 172 | } 173 | 174 | return 0; 175 | } 176 | 177 | -------------------------------------------------------------------------------- /src/functions/lodscc.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #include 29 | 30 | #include "emu/emu_cpu.h" 31 | #include "emu/emu_cpu_data.h" 32 | 33 | #include "emu/emu_cpu_stack.h" 34 | #include "emu/emu_memory.h" 35 | 36 | 37 | int32_t instr_lods_ac(struct emu_cpu *c, struct emu_cpu_instruction *i) 38 | { 39 | 40 | 41 | /* AC 42 | * Load byte at address DS:(E)SI into AL 43 | * LODS m8 44 | */ 45 | 46 | /* AC 47 | * Load byte at address DS:(E)SI into AL 48 | * LODSB 49 | */ 50 | 51 | if ( i->prefixes & PREFIX_ADSIZE ) 52 | { 53 | // MEM_BYTE_READ(c, c->reg16[si], c->reg8[al]); 54 | UNIMPLEMENTED(c, SST); 55 | } 56 | else 57 | { 58 | MEM_BYTE_READ(c, c->reg[esi], c->reg8[al]); 59 | 60 | if ( CPU_FLAG_ISSET(c,f_df) ) 61 | { /* decrement */ 62 | c->reg[esi] -= 1; 63 | } 64 | else 65 | { /* increment */ 66 | c->reg[esi] += 1; 67 | } 68 | 69 | TRACK_INIT_REG8(c->instr, al); 70 | } 71 | 72 | 73 | return 0; 74 | } 75 | 76 | int32_t instr_lods_ad(struct emu_cpu *c, struct emu_cpu_instruction *i) 77 | { 78 | 79 | if ( i->prefixes & PREFIX_OPSIZE ) 80 | { 81 | 82 | /* AD 83 | * Load word at address DS:(E)SI into AX 84 | * LODS m16 85 | */ 86 | 87 | /* AD 88 | * Load word at address DS:(E)SI into AX 89 | * LODSW 90 | */ 91 | if ( i->prefixes & PREFIX_ADSIZE ) 92 | { 93 | // MEM_WORD_READ(c, c->reg16[si], c->reg16[ax]); 94 | UNIMPLEMENTED(c, SST); 95 | } 96 | else 97 | { 98 | MEM_WORD_READ(c, c->reg[esi], c->reg16[ax]); 99 | if (CPU_FLAG_ISSET(c,f_df)) 100 | { /* decrement */ 101 | c->reg[esi] -= 2; 102 | }else 103 | { /* increment */ 104 | c->reg[esi] += 2; 105 | } 106 | } 107 | 108 | } 109 | else 110 | { 111 | 112 | /* AD 113 | * Load doubleword at address DS:(E)SI into EAX 114 | * LODS m32 115 | */ 116 | 117 | 118 | /* AD 119 | * Load doubleword at address DS:(E)SI into EAX 120 | * LODSD 121 | */ 122 | if ( i->prefixes & PREFIX_ADSIZE ) 123 | { 124 | // MEM_DWORD_READ(c, c->reg16[si], &c->reg[eax]); 125 | UNIMPLEMENTED(c, SST); 126 | 127 | } 128 | else 129 | { 130 | MEM_DWORD_READ(c, c->reg[esi], &c->reg[eax]); 131 | if (CPU_FLAG_ISSET(c,f_df)) 132 | { /* decrement */ 133 | c->reg[esi] -= 4; 134 | }else 135 | { /* increment */ 136 | c->reg[esi] += 4; 137 | } 138 | 139 | TRACK_INIT_REG32(c->instr, eax); 140 | } 141 | } 142 | 143 | return 0; 144 | } 145 | 146 | -------------------------------------------------------------------------------- /src/functions/loopcc.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #include 29 | 30 | #include "emu/emu_cpu.h" 31 | #include "emu/emu_cpu_data.h" 32 | 33 | #include "emu/emu_memory.h" 34 | 35 | 36 | int32_t instr_loopcc_e0(struct emu_cpu *c, struct emu_cpu_instruction *i) 37 | { 38 | SOURCE_COND_POS(c->instr, c->eip + i->disp); 39 | 40 | /* E0 cb 41 | * Decrement count; jump short if count != 0 and ZF=0 42 | * LOOPNE rel8 43 | * LOOPNZ rel8 44 | */ 45 | if ( i->prefixes & PREFIX_OPSIZE) 46 | { 47 | TRACK_NEED_REG16(c->instr, cx); 48 | TRACK_NEED_EFLAG(c->instr, f_zf); 49 | 50 | *c->reg16[cx] = *c->reg16[cx]-1; 51 | if (*c->reg16[cx] != 0 && !CPU_FLAG_ISSET(c,f_zf)) 52 | { 53 | c->eip += i->disp; 54 | } 55 | }else 56 | { 57 | TRACK_NEED_REG32(c->instr, ecx); 58 | TRACK_NEED_EFLAG(c->instr, f_zf); 59 | 60 | c->reg[ecx]--; 61 | if (c->reg[ecx] != 0 && !CPU_FLAG_ISSET(c,f_zf)) 62 | { 63 | c->eip += i->disp; 64 | } 65 | } 66 | 67 | 68 | return 0; 69 | } 70 | 71 | int32_t instr_loopcc_e1(struct emu_cpu *c, struct emu_cpu_instruction *i) 72 | { 73 | SOURCE_COND_POS(c->instr, c->eip + i->disp); 74 | 75 | /* E1 cb 76 | * Decrement count; jump short if count != 0 and ZF=1 77 | * LOOPE rel8 78 | * LOOPZ rel8 79 | */ 80 | if ( i->prefixes & PREFIX_OPSIZE) 81 | { 82 | TRACK_NEED_REG16(c->instr, cx); 83 | TRACK_NEED_EFLAG(c->instr, f_zf); 84 | 85 | *c->reg16[cx] = *c->reg16[cx]-1; 86 | if (*c->reg16[cx] != 0 && CPU_FLAG_ISSET(c,f_zf)) 87 | { 88 | c->eip += i->disp; 89 | } 90 | }else 91 | { 92 | TRACK_NEED_REG32(c->instr, ecx); 93 | TRACK_NEED_EFLAG(c->instr, f_zf); 94 | 95 | c->reg[ecx]--; 96 | if (c->reg[ecx] != 0 && CPU_FLAG_ISSET(c,f_zf)) 97 | { 98 | c->eip += i->disp; 99 | } 100 | } 101 | 102 | 103 | return 0; 104 | } 105 | 106 | int32_t instr_loop_e2(struct emu_cpu *c, struct emu_cpu_instruction *i) 107 | { 108 | SOURCE_COND_POS(c->instr, c->eip + i->disp); 109 | 110 | /* E2 cb 111 | * Decrement count; jump short if count != 0 112 | * LOOP rel8 113 | */ 114 | 115 | if ( i->prefixes & PREFIX_OPSIZE) 116 | { 117 | TRACK_NEED_REG16(c->instr, cx); 118 | 119 | *c->reg16[cx] = *c->reg16[cx]-1; 120 | if (*c->reg16[cx] != 0 ) 121 | { 122 | c->eip += i->disp; 123 | } 124 | }else 125 | { 126 | TRACK_NEED_REG32(c->instr, ecx); 127 | 128 | c->reg[ecx]--; 129 | if (c->reg[ecx] != 0) 130 | { 131 | c->eip += i->disp; 132 | } 133 | } 134 | 135 | 136 | return 0; 137 | } 138 | 139 | 140 | 141 | -------------------------------------------------------------------------------- /src/functions/movsx.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #include 29 | 30 | #include "emu/emu_cpu.h" 31 | #include "emu/emu_cpu_data.h" 32 | 33 | #include "emu/emu_memory.h" 34 | 35 | /*Intel Architecture Software Developer's Manual Volume 2: Instruction Set Reference (24319102.PDF) page 481*/ 36 | 37 | #include 38 | #include 39 | 40 | int32_t instr_movsx_0fbe(struct emu_cpu *c, struct emu_cpu_instruction *i) 41 | { 42 | 43 | if ( i->modrm.mod != 3 ) 44 | { 45 | if ( i->prefixes & PREFIX_OPSIZE ) 46 | { 47 | /* 0F BE /r 48 | * Move byte to word with sign-extension 49 | * MOVSX r16,m8 50 | */ 51 | uint8_t m8; 52 | MEM_BYTE_READ(c, i->modrm.ea, &m8); 53 | *c->reg16[i->modrm.opc] = (int8_t)m8; 54 | } 55 | else 56 | { 57 | /* 0F BE /r 58 | * Move byte to doubleword, sign-extension 59 | * MOVSX r32,m8 60 | */ 61 | uint8_t m8; 62 | MEM_BYTE_READ(c, i->modrm.ea, &m8); 63 | c->reg[i->modrm.opc] = (int8_t)m8; 64 | } 65 | } 66 | else 67 | { 68 | if ( i->prefixes & PREFIX_OPSIZE ) 69 | { 70 | /* 0F BE /r 71 | * Move byte to word with sign-extension 72 | * MOVSX r16,r8 73 | */ 74 | *c->reg16[i->modrm.opc] = (int8_t)*c->reg8[i->modrm.rm]; 75 | } 76 | else 77 | { 78 | /* 0F BE /r 79 | * Move byte to doubleword, sign-extension 80 | * MOVSX r32,r8 81 | */ 82 | c->reg[i->modrm.opc] = (int8_t)*c->reg8[i->modrm.rm]; 83 | } 84 | } 85 | return 0; 86 | } 87 | 88 | int32_t instr_movsx_0fbf(struct emu_cpu *c, struct emu_cpu_instruction *i) 89 | { 90 | if ( i->modrm.mod != 3 ) 91 | { 92 | /* 0F BF /r 93 | * Move word to doubleword, sign-extension 94 | * MOVSX r32,m16 95 | */ 96 | uint16_t m16; 97 | MEM_WORD_READ(c, i->modrm.ea, &m16); 98 | c->reg[i->modrm.opc] = (int16_t)m16; 99 | 100 | } 101 | else 102 | { 103 | /* 0F BF /r 104 | * Move word to doubleword, sign-extension 105 | * MOVSX r32,r16 106 | */ 107 | c->reg[i->modrm.opc] = (int16_t)*c->reg16[i->modrm.rm]; 108 | } 109 | return 0; 110 | } 111 | 112 | -------------------------------------------------------------------------------- /src/functions/movzx.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #include 29 | 30 | #include "emu/emu_cpu.h" 31 | #include "emu/emu_cpu_data.h" 32 | 33 | #include "emu/emu_memory.h" 34 | 35 | /*Intel Architecture Software Developer's Manual Volume 2: Instruction Set Reference (24319102.PDF) page 486*/ 36 | 37 | #include 38 | #include 39 | 40 | int32_t instr_movzx_0fb6(struct emu_cpu *c, struct emu_cpu_instruction *i) 41 | { 42 | 43 | if ( i->modrm.mod != 3 ) 44 | { 45 | if ( i->prefixes & PREFIX_OPSIZE ) 46 | { 47 | /* 0F B6 /r 48 | * Move byte to word with zero-extension 49 | * MOVZX r16,r/m8 50 | */ 51 | uint8_t m8; 52 | MEM_BYTE_READ(c, i->modrm.ea, &m8); 53 | *c->reg16[i->modrm.opc] = m8; 54 | } 55 | else 56 | { 57 | /* 0F B6 /r 58 | * Move byte to doubleword, zero-extension 59 | * MOVZX r32,r/m8 60 | */ 61 | uint8_t m8; 62 | MEM_BYTE_READ(c, i->modrm.ea, &m8); 63 | c->reg[i->modrm.opc] = m8; 64 | } 65 | } 66 | else 67 | { 68 | if ( i->prefixes & PREFIX_OPSIZE ) 69 | { 70 | /* 0F B6 /r 71 | * Move byte to word with zero-extension 72 | * MOVZX r16,r/m8 73 | */ 74 | *c->reg16[i->modrm.opc] = *c->reg8[i->modrm.rm]; 75 | } 76 | else 77 | { 78 | /* 0F B6 /r 79 | * Move byte to doubleword, zero-extension 80 | * MOVZX r32,r/m8 81 | */ 82 | c->reg[i->modrm.opc] = *c->reg8[i->modrm.rm]; 83 | } 84 | } 85 | return 0; 86 | } 87 | 88 | int32_t instr_movzx_0fb7(struct emu_cpu *c, struct emu_cpu_instruction *i) 89 | { 90 | if ( i->modrm.mod != 3 ) 91 | { 92 | /* 0F B7 /r 93 | * Move word to doubleword, zero-extension 94 | * MOVZX r32,m16 95 | */ 96 | uint16_t m16; 97 | MEM_WORD_READ(c, i->modrm.ea, &m16); 98 | c->reg[i->modrm.opc] = m16; 99 | 100 | } 101 | else 102 | { 103 | /* 0F B7 /r 104 | * Move word to doubleword, zero-extension 105 | * MOVZX r32,r16 106 | */ 107 | c->reg[i->modrm.opc] = *c->reg16[i->modrm.rm]; 108 | } 109 | return 0; 110 | } 111 | 112 | -------------------------------------------------------------------------------- /src/functions/not.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #include 29 | #include 30 | 31 | #define INSTR_CALC(bits, a, cpu) \ 32 | UINTOF(bits) operand_a = a; \ 33 | UINTOF(bits) operation_result = ~operand_a; \ 34 | a = operation_result; 35 | 36 | #include "emu/emu.h" 37 | #include "emu/emu_cpu.h" 38 | #include "emu/emu_cpu_data.h" 39 | 40 | #include "emu/emu_cpu_stack.h" 41 | #include "emu/emu_memory.h" 42 | 43 | /*Intel Architecture Software Developer's Manual Volume 2: Instruction Set Reference (24319102.PDF) page 497*/ 44 | 45 | #define INSTR_CALC_AND_SET_FLAGS(bits, cpu, a) \ 46 | INSTR_CALC(bits, a, cpu) 47 | 48 | int32_t instr_group_3_f6_not(struct emu_cpu *c, struct emu_cpu_instruction *i) 49 | { 50 | if (i->modrm.mod != 3) 51 | { 52 | /* F6 /2 53 | * Reverse each bit of r/m8 54 | * NOT r/m8 55 | */ 56 | uint8_t m8; 57 | MEM_BYTE_READ(c, i->modrm.ea, &m8); 58 | INSTR_CALC_AND_SET_FLAGS(8, 59 | c, 60 | m8) 61 | MEM_BYTE_WRITE(c, i->modrm.ea, m8); 62 | 63 | } 64 | else 65 | { 66 | /* F6 /2 67 | * Reverse each bit of r/m8 68 | * NOT r/m8 69 | */ 70 | INSTR_CALC_AND_SET_FLAGS(8,c,*c->reg8[i->modrm.rm]); 71 | } 72 | 73 | return 0; 74 | } 75 | 76 | int32_t instr_group_3_f7_not(struct emu_cpu *c, struct emu_cpu_instruction *i) 77 | { 78 | if ( i->modrm.mod != 3 ) 79 | { 80 | if ( i->prefixes & PREFIX_OPSIZE ) 81 | { 82 | /* F7 /2 83 | * Reverse each bit of r/m16 84 | * NOT r/m16 85 | */ 86 | uint16_t m16; 87 | MEM_WORD_READ(c, i->modrm.ea, &m16); 88 | INSTR_CALC_AND_SET_FLAGS(16, 89 | c, 90 | m16) 91 | MEM_WORD_WRITE(c, i->modrm.ea, m16); 92 | 93 | } 94 | else 95 | { 96 | /* F7 /2 97 | * Reverse each bit of r/m32 98 | * NOT r/m32 99 | */ 100 | uint32_t m32; 101 | MEM_DWORD_READ(c, i->modrm.ea, &m32); 102 | INSTR_CALC_AND_SET_FLAGS(32, 103 | c, 104 | m32) 105 | MEM_DWORD_WRITE(c, i->modrm.ea, m32); 106 | 107 | } 108 | } 109 | else 110 | { 111 | if ( i->prefixes & PREFIX_OPSIZE ) 112 | { 113 | /* F7 /2 114 | * Reverse each bit of r/m16 115 | * NOT r/m16 116 | */ 117 | INSTR_CALC_AND_SET_FLAGS(16, 118 | c, 119 | *c->reg16[i->modrm.rm]) 120 | 121 | } 122 | else 123 | { 124 | /* F7 /2 125 | * Reverse each bit of r/m32 126 | * NOT r/m32 127 | */ 128 | INSTR_CALC_AND_SET_FLAGS(32, 129 | c, 130 | c->reg[i->modrm.rm]) 131 | 132 | } 133 | 134 | } 135 | return 0; 136 | } 137 | -------------------------------------------------------------------------------- /src/functions/pop.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #include 29 | 30 | #include "emu/emu_cpu.h" 31 | #include "emu/emu_cpu_data.h" 32 | 33 | #include "emu/emu_cpu_stack.h" 34 | #include "emu/emu_memory.h" 35 | 36 | /*Intel Architecture Software Developer's Manual Volume 2: Instruction Set Reference (24319102.PDF) page 571*/ 37 | 38 | int32_t instr_pop_07(struct emu_cpu *c, struct emu_cpu_instruction *i) 39 | { 40 | /* 07 41 | * Pop top of stack into ES; increment stack pointer 42 | * POP ES 43 | */ 44 | UNIMPLEMENTED(c, NNY); 45 | 46 | return 0; 47 | } 48 | 49 | int32_t instr_pop_17(struct emu_cpu *c, struct emu_cpu_instruction *i) 50 | { 51 | 52 | /* 17 53 | * Pop top of stack into SS; increment stack pointer 54 | * POP SS 55 | */ 56 | UNIMPLEMENTED(c, NNY); 57 | 58 | return 0; 59 | } 60 | 61 | int32_t instr_pop_1f(struct emu_cpu *c, struct emu_cpu_instruction *i) 62 | { 63 | 64 | /* 1F 65 | * Pop top of stack into DS; increment stack pointer 66 | * POP DS 67 | */ 68 | UNIMPLEMENTED(c, NNY); 69 | 70 | return 0; 71 | } 72 | 73 | int32_t instr_pop_5x(struct emu_cpu *c, struct emu_cpu_instruction *i) 74 | { 75 | 76 | if (i->prefixes & PREFIX_OPSIZE) 77 | { 78 | /* 58+ rw 79 | * Pop top of stack into r16; increment stack pointer 80 | * POP r16 81 | */ 82 | TRACK_INIT_REG16(c->instr, i->opc & 7); 83 | POP_WORD(c, c->reg16[i->opc & 7 ]); 84 | }else 85 | { 86 | /* 58+ rd 87 | * Pop top of stack into r32; increment stack pointer 88 | * POP r32 89 | */ 90 | TRACK_INIT_REG32(c->instr, i->opc & 7); 91 | POP_DWORD(c, &c->reg[i->opc & 7]); 92 | } 93 | return 0; 94 | } 95 | 96 | int32_t instr_pop_0fa1(struct emu_cpu *c, struct emu_cpu_instruction *i) 97 | { 98 | 99 | /* 0F A1 100 | * Pop top of stack into FS; increment stack pointer 101 | * POP FS 102 | */ 103 | UNIMPLEMENTED(c, NNY); 104 | 105 | return 0; 106 | } 107 | 108 | int32_t instr_pop_0fa9(struct emu_cpu *c, struct emu_cpu_instruction *i) 109 | { 110 | 111 | /* 0F A9 112 | * Pop top of stack into GS; increment stack pointer 113 | * POP GS 114 | */ 115 | UNIMPLEMENTED(c, NNY); 116 | 117 | return 0; 118 | } 119 | 120 | int32_t instr_popad_61(struct emu_cpu *c, struct emu_cpu_instruction *i) 121 | { 122 | int32_t j; 123 | 124 | if( i->prefixes & PREFIX_OPSIZE ) 125 | { 126 | for( j = 7; j >= 0; j-- ) 127 | { 128 | if( j != 4 ) 129 | { 130 | POP_WORD(c, c->reg16[j]) 131 | } 132 | else 133 | { 134 | c->reg[esp] += 2; 135 | } 136 | } 137 | } 138 | else 139 | { 140 | for( j = 7; j >= 0; j-- ) 141 | { 142 | if( j != 4 ) 143 | { 144 | POP_DWORD(c, &c->reg[j]); 145 | } 146 | else 147 | { 148 | c->reg[esp] += 4; 149 | } 150 | } 151 | } 152 | 153 | return 0; 154 | } 155 | 156 | int32_t instr_mov_89(struct emu_cpu *c, struct emu_cpu_instruction *i); 157 | 158 | int32_t instr_leave(struct emu_cpu *c, struct emu_cpu_instruction *i) 159 | { 160 | struct emu_cpu_instruction back = *i; 161 | // mov esp, ebp 162 | // pop ebp 163 | i->modrm.mod = 3; 164 | i->modrm.opc = ebp; 165 | i->modrm.rm = esp; 166 | instr_mov_89(c, i); 167 | i->opc = ebp; 168 | instr_pop_5x(c, i); 169 | *i = back; 170 | return 0; 171 | } 172 | -------------------------------------------------------------------------------- /src/functions/ret.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | 29 | #include 30 | 31 | #include "emu/emu_cpu.h" 32 | #include "emu/emu_cpu_data.h" 33 | #include "emu/emu_cpu_stack.h" 34 | #include "emu/emu_memory.h" 35 | 36 | int32_t instr_ret_c2(struct emu_cpu *c, struct emu_cpu_instruction *i) 37 | { 38 | /* C2 39 | * Near return to calling procedure and pop imm16 bytes from stack 40 | * iw RET imm16 41 | */ 42 | POP_DWORD(c, &c->eip); 43 | 44 | #if BYTE_ORDER == BIG_ENDIAN 45 | uint16_t val; 46 | bcopy(i->imm16, &val, 2); 47 | c->reg[esp] += val; 48 | #else 49 | c->reg[esp] += *i->imm16; 50 | #endif 51 | return 0; 52 | } 53 | 54 | int32_t instr_ret_c3(struct emu_cpu *c, struct emu_cpu_instruction *i) 55 | { 56 | /* C3 57 | * Near return to calling procedure 58 | * RET 59 | */ 60 | POP_DWORD(c, &c->eip); 61 | 62 | return 0; 63 | } 64 | 65 | int32_t instr_ret_ca(struct emu_cpu *c, struct emu_cpu_instruction *i) 66 | { 67 | /* CA iw 68 | * Far return to calling procedure and pop imm16 bytes from stack 69 | * RET imm16 70 | */ 71 | UNIMPLEMENTED(c, NNY); 72 | return -1; 73 | } 74 | 75 | int32_t instr_ret_cb(struct emu_cpu *c, struct emu_cpu_instruction *i) 76 | { 77 | /* CB 78 | * Far return to calling procedure 79 | * RET 80 | */ 81 | UNIMPLEMENTED(c, NNY); 82 | return -1; 83 | } 84 | 85 | -------------------------------------------------------------------------------- /src/functions/stoscc.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | #include 29 | 30 | #include "emu/emu_cpu.h" 31 | #include "emu/emu_cpu_data.h" 32 | 33 | #include "emu/emu_cpu_stack.h" 34 | #include "emu/emu_memory.h" 35 | 36 | 37 | 38 | int32_t instr_stos_aa(struct emu_cpu *c, struct emu_cpu_instruction *i) 39 | { 40 | 41 | /* AA 42 | * Store AL at address ES:(E)DI 43 | * STOS m8 44 | */ 45 | 46 | /* AA 47 | * Store AL at address ES:(E)DI 48 | * STOSB 49 | */ 50 | 51 | if ( i->prefixes & PREFIX_ADSIZE ) 52 | { 53 | // MEM_BYTE_WRITE(c,c->reg16[si],*c->reg8[al]); 54 | UNIMPLEMENTED(c, SST); 55 | } 56 | else 57 | { 58 | if (i->prefixes & PREFIX_F3) 59 | { 60 | /* F3 AA 61 | * Fill ECX bytes at ES:[EDI] with AL 62 | * REP STOS m8 63 | */ 64 | 65 | 66 | if (c->reg[ecx] > 0 ) 67 | { 68 | c->reg[ecx]--; 69 | c->repeat_current_instr = true; 70 | MEM_BYTE_WRITE(c,c->reg[edi],*c->reg8[al]); 71 | if ( !CPU_FLAG_ISSET(c,f_df) ) 72 | { /* increment */ 73 | c->reg[edi] += 1; 74 | }else 75 | { /* decrement */ 76 | c->reg[edi] -= 1; 77 | } 78 | } 79 | else 80 | c->repeat_current_instr = false; 81 | 82 | 83 | }else 84 | { 85 | MEM_BYTE_WRITE(c,c->reg[edi],*c->reg8[al]); 86 | if ( !CPU_FLAG_ISSET(c,f_df) ) 87 | { /* increment */ 88 | c->reg[edi] += 1; 89 | }else 90 | { /* decrement */ 91 | c->reg[edi] -= 1; 92 | } 93 | 94 | } 95 | 96 | } 97 | return 0; 98 | } 99 | 100 | int32_t instr_stos_ab(struct emu_cpu *c, struct emu_cpu_instruction *i) 101 | { 102 | if ( i->prefixes & PREFIX_OPSIZE ) 103 | { 104 | /* AB 105 | * Store AX at address ES:(E)DI 106 | * STOS m16 107 | */ 108 | 109 | /* AB 110 | * Store AX at address ES:(E)DI 111 | * STOSW 112 | */ 113 | if ( i->prefixes & PREFIX_ADSIZE ) 114 | { 115 | // MEM_WORD_WRITE(c,c->reg16[si],*c->reg16[ax]); 116 | UNIMPLEMENTED(c, SST); 117 | } 118 | else 119 | { 120 | MEM_WORD_WRITE(c,c->reg[edi],*c->reg16[ax]); 121 | 122 | if ( !CPU_FLAG_ISSET(c,f_df) ) 123 | { /* increment */ 124 | c->reg[edi] += 2; 125 | } 126 | else 127 | { /* decrement */ 128 | c->reg[edi] -= 2; 129 | } 130 | } 131 | } 132 | else 133 | { 134 | /* AB 135 | * Store EAX at address ES:(E)DI 136 | * STOS m32 137 | */ 138 | 139 | /* AB 140 | * Store EAX at address ES:(E)DI 141 | * STOSD 142 | */ 143 | if ( i->prefixes & PREFIX_ADSIZE ) 144 | { 145 | // MEM_DWORD_WRITE(c,c->reg16[si],c->reg[eax]); 146 | UNIMPLEMENTED(c, SST); 147 | } 148 | else 149 | { 150 | MEM_DWORD_WRITE(c,c->reg[edi],c->reg[eax]); 151 | 152 | if ( !CPU_FLAG_ISSET(c,f_df) ) 153 | { /* increment */ 154 | c->reg[edi] += 4; 155 | } 156 | else 157 | { /* decrement */ 158 | c->reg[edi] -= 4; 159 | } 160 | 161 | } 162 | } 163 | return 0; 164 | } 165 | 166 | -------------------------------------------------------------------------------- /testsuite/Makefile.am: -------------------------------------------------------------------------------- 1 | AUTOMAKE_OPTIONS = foreign 2 | 3 | AM_CPPFLAGS = -I../include -I ../.. -Werror -Wall -g 4 | AM_LDFLAGS = -lemu -L../src 5 | 6 | bin_PROGRAMS = scprofiler 7 | noinst_PROGRAMS = testsuite cpurun instrtest instrtree hashtest memtest 8 | 9 | testsuite_LDADD = ../src/libemu.la 10 | 11 | testsuite_SOURCES = main.c 12 | 13 | cpurun_LDADD = ../src/libemu.la 14 | cpurun_SOURCES = cpu_run.c 15 | 16 | instrtest_LDADD = ../src/libemu.la 17 | instrtest_SOURCES = instrtest.c 18 | 19 | #instrtree_LDADD = ../src/libemu.la 20 | instrtree_SOURCES = instrtree.c 21 | 22 | hashtest_LDADD = ../src/libemu.la 23 | hashtest_SOURCES = hashtest.c 24 | 25 | memtest_LDADD = ../src/libemu.la 26 | memtest_SOURCES = memtest.c 27 | 28 | scprofiler_LDADD = ../src/libemu.la 29 | scprofiler_SOURCES = scprofiler.c 30 | 31 | EXTRA_DIST = emunids.c 32 | -------------------------------------------------------------------------------- /testsuite/emunids.c: -------------------------------------------------------------------------------- 1 | /* 2 | * emunids 3 | * 4 | * emulation based network intrusion system 5 | * 6 | * Markus Koetter 2007 7 | * 8 | * gcc -Wall -I/opt/libemu/include/ -L/opt/libemu/lib/libemu -o printall printall.c -lnids -lemu 9 | * 10 | * 11 | */ 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include "nids.h" 22 | #include 23 | #include 24 | #include 25 | #include 26 | 27 | 28 | #define int_ntoa(x) inet_ntoa(*((struct in_addr *)&x)) 29 | 30 | 31 | struct emu *emu; 32 | struct ip; 33 | 34 | char *adres (struct tuple4 addr) 35 | { 36 | static char buf[256]; 37 | strcpy (buf, int_ntoa (addr.saddr)); 38 | sprintf (buf + strlen (buf), ":%i <-> ", addr.source); 39 | strcat (buf, int_ntoa (addr.daddr)); 40 | sprintf (buf + strlen (buf), ":%i", addr.dest); 41 | return buf; 42 | } 43 | 44 | 45 | void tcp_callback (struct tcp_stream *a_tcp, void ** this_time_not_needed) 46 | { 47 | // char buf[1024]; 48 | // strcpy (buf, adres (a_tcp->addr)); // we put conn params into buf 49 | 50 | if ( a_tcp->nids_state == NIDS_JUST_EST ) 51 | { 52 | a_tcp->client.collect++; 53 | a_tcp->client.collect_urg++; 54 | 55 | a_tcp->server.collect++; 56 | a_tcp->server.collect_urg++; 57 | 58 | // fprintf (stderr, "%s established\n", buf); 59 | }/* else 60 | if ( a_tcp->nids_state == NIDS_CLOSE ) 61 | { 62 | fprintf (stderr, "%s closing\n", buf); 63 | }else 64 | if ( a_tcp->nids_state == NIDS_RESET ) 65 | { 66 | fprintf (stderr, "%s reset\n", buf); 67 | } */ else 68 | if ( a_tcp->nids_state == NIDS_DATA ) 69 | { 70 | 71 | struct half_stream *hlf; 72 | char *data; 73 | int size; 74 | 75 | if ( a_tcp->server.count_new_urg || a_tcp->server.count_new ) 76 | { 77 | hlf = &a_tcp->server; 78 | }else 79 | if ( a_tcp->client.count_new_urg || a_tcp->client.count_new ) 80 | { 81 | hlf = &a_tcp->client; 82 | }else 83 | { 84 | return; 85 | } 86 | 87 | size = hlf->count - hlf->offset; 88 | data = hlf->data; 89 | 90 | // printf("size is %i\n", size); 91 | // printf("count %i offset %i size %i\n",hlf->count, hlf->offset, size); 92 | 93 | if ( emu_shellcode_test(emu, (uint8_t *)data, size) >= 0 ) 94 | { 95 | fprintf(stderr, "suspecting shellcode in connection %s\n", adres(a_tcp->addr)); 96 | } 97 | 98 | if (size > 2048) 99 | nids_discard(a_tcp, abs(2048-size)); 100 | 101 | emu_memory_clear(emu_memory_get(emu)); 102 | } 103 | 104 | return ; 105 | } 106 | 107 | void xlog(int type, int err, struct ip *iph, void *data) 108 | { 109 | char *nids_warnings[] = { 110 | "Murphy - you never should see this message !", 111 | "Oversized IP packet", 112 | "Invalid IP fragment list: fragment over size", 113 | "Overlapping IP fragments", 114 | "Invalid IP header", 115 | "Source routed IP frame", 116 | "Max number of TCP streams reached", 117 | "Invalid TCP header", 118 | "Too much data in TCP receive queue", 119 | "Invalid TCP flags" 120 | }; 121 | 122 | if (type != NIDS_WARN_SCAN) 123 | { 124 | printf("%s\n", nids_warnings[err]); 125 | } 126 | } 127 | 128 | int main (int argc, const char *argv[]) 129 | { 130 | if (argc == 1) 131 | { 132 | printf("useage %s \n", argv[0]); 133 | return -1; 134 | }else 135 | { 136 | printf("listening on device %s\n", argv[1]); 137 | } 138 | 139 | emu = emu_new(); 140 | 141 | 142 | nids_params.device = strdup(argv[1]);; 143 | nids_params.syslog = xlog; 144 | if ( !nids_init () ) 145 | { 146 | fprintf(stderr,"%s\n",nids_errbuf); 147 | exit(1); 148 | } 149 | 150 | // disable checksumming as host may calculate the checksum on the nic in hardware 151 | struct nids_chksum_ctl disable_checksums; 152 | disable_checksums.netaddr = 0; 153 | disable_checksums.mask = 0; 154 | disable_checksums.action = NIDS_DONT_CHKSUM; 155 | 156 | nids_register_chksum_ctl(&disable_checksums,1); 157 | 158 | nids_register_tcp (tcp_callback); 159 | nids_run (); 160 | 161 | 162 | emu_free(emu); 163 | return 0; 164 | } 165 | 166 | -------------------------------------------------------------------------------- /testsuite/instrtree.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | 29 | 30 | #include 31 | 32 | #include "../src/libdasm.c" 33 | #include "../src/libdasm.h" 34 | /* JMPCall 35 | const char scode[] = "\xfc\xbb\xbf\x05\xeb\xd0\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3" 36 | "\x85\xc0\x75\xf7\xc3\xe8\xef\xff\xff\xff\x43\x6f\x00\x97\x53"; 37 | */ 38 | 39 | const char scode[] = "\x33\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x47" 40 | "\x13\x2b\xc0\x83\xee\xfc\xe2\xf4\xbb\x79\xc0\x8d\xaf\xea\xd4\x3f"; 41 | 42 | 43 | void indent(int lev) 44 | { 45 | int j; 46 | for ( j=0; j offset) 58 | break; 59 | 60 | INSTRUCTION inst; 61 | 62 | uint8_t isize = get_instruction(&inst, data+offset-i, MODE_32); 63 | 64 | if ( /*isize <= 0 ||*/ isize != i ) 65 | continue; 66 | 67 | indent(level); 68 | printf("instrsize %i\n", i); 69 | 70 | 71 | get_instruction_string(&inst, FORMAT_INTEL, 0, str, sizeof(str)); 72 | 73 | indent(level); 74 | printf("%s\n", str); 75 | 76 | if ( offset - isize >= 1 ) 77 | instrtree(data, datasize, offset-isize, level+1); 78 | // else 79 | // return; 80 | } 81 | } 82 | 83 | 84 | int main(void) 85 | { 86 | 87 | 88 | // int i; 89 | // 90 | // instrtree((uint8_t *)scode, 16*7, 16*7 0); 91 | 92 | unsigned int i; 93 | for ( i=0;i \"%08X %s\";\n",off1,str1,off2,str2); 137 | } 138 | 139 | 140 | 141 | return 0; 142 | } 143 | 144 | -------------------------------------------------------------------------------- /testsuite/main.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | * libemu 3 | * 4 | * - x86 shellcode emulation - 5 | * 6 | * 7 | * Copyright (C) 2007 Paul Baecher & Markus Koetter 8 | * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 2 12 | * of the License, or (at your option) any later version. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with this program; if not, write to the Free Software 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 22 | * 23 | * 24 | * contact nepenthesdev@users.sourceforge.net 25 | * 26 | *******************************************************************************/ 27 | 28 | 29 | #include 30 | #include 31 | 32 | #include "emu/emu.h" 33 | #include "emu/emu_memory.h" 34 | #include "emu/emu_log.h" 35 | 36 | int main(void) 37 | { 38 | struct emu *e = emu_new(); 39 | emu_log_level_set(emu_logging_get(e), EMU_LOG_DEBUG); 40 | 41 | 42 | /* memory test */ 43 | struct emu_memory *mem = emu_memory_get(e); 44 | int n = 0xff; 45 | uint8_t testbytes[n]; 46 | uint32_t testaddresses[n]; 47 | int i; 48 | 49 | for( i = 0; i < n; i++ ) 50 | { 51 | testbytes[i] = rand() % 0xff; 52 | testaddresses[i] = rand() % 0xff; 53 | testaddresses[i] <<= 8; 54 | testaddresses[i] |= rand() % 0xff; 55 | testaddresses[i] <<= 8; 56 | testaddresses[i] |= rand() % 0xff; 57 | testaddresses[i] <<= 8; 58 | testaddresses[i] |= rand() % 0xff; 59 | 60 | emu_memory_write_byte(mem, testaddresses[i], testbytes[i]); 61 | } 62 | 63 | 64 | for( i = 0; i < n; i++ ) 65 | { 66 | uint8_t byte; 67 | 68 | emu_memory_read_byte(mem, testaddresses[i], &byte); 69 | if( byte != testbytes[i] ) 70 | { 71 | printf("!!! memtest failed, expected %02x got %02x\n", testbytes[i], byte); 72 | return -1; 73 | } 74 | } 75 | 76 | emu_free(e); 77 | 78 | return 0; 79 | } 80 | -------------------------------------------------------------------------------- /testsuite/memtest.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "emu/emu.h" 3 | #include "emu/emu_memory.h" 4 | 5 | void test_alloc(struct emu *e) 6 | { 7 | const uint32_t len = 4711; 8 | uint32_t addr; 9 | struct emu_memory *m = emu_memory_get(e); 10 | 11 | emu_memory_alloc(m, &addr, len); 12 | 13 | printf("allocd at 0x%08x\n", addr); 14 | 15 | int i; 16 | 17 | for( i = 0; i < len; i++ ) 18 | { 19 | uint8_t byte; 20 | if( emu_memory_read_byte(m, addr + i, &byte) ) 21 | { 22 | printf("error reading allocated byte: %s\n", emu_strerror(e)); 23 | } 24 | } 25 | } 26 | 27 | 28 | int main(int argc, char **argv) 29 | { 30 | struct emu *e; 31 | 32 | e = emu_new(); 33 | 34 | test_alloc(e); 35 | 36 | emu_free(e); 37 | 38 | return 0; 39 | } 40 | -------------------------------------------------------------------------------- /tools/Makefile.am: -------------------------------------------------------------------------------- 1 | # $Id$ 2 | 3 | AUTOMAKE_OPTIONS = foreign 4 | 5 | SUBDIRS = sctest 6 | -------------------------------------------------------------------------------- /tools/sctest/Makefile.am: -------------------------------------------------------------------------------- 1 | AUTOMAKE_OPTIONS = foreign 2 | 3 | AM_CPPFLAGS = -I../../include -I ../../.. -Werror -Wall -g 4 | AM_LDFLAGS = -lemu -L../../src 5 | 6 | 7 | # if you want to compile without tests, uncomment the following line: 8 | #AM_CPPFLAGS += -D_NO_TESTS 9 | 10 | 11 | bin_PROGRAMS = sctest 12 | 13 | sctest_CPPFLAGS = ${LIB_CARGOS_INCDIR} ${AM_CPPFLAGS} 14 | sctest_LDFLAGS = ${LIB_CARGOS} ${LIB_CARGOS_LIBDIR} ${AM_LDFLAGS} 15 | sctest_LDADD = ../../src/libemu.la 16 | sctest_SOURCES = dot.c 17 | sctest_SOURCES += dot.h 18 | sctest_SOURCES += sctestmain.c 19 | sctest_SOURCES += tests.c 20 | sctest_SOURCES += tests.h 21 | sctest_SOURCES += userhooks.c 22 | sctest_SOURCES += userhooks.h 23 | sctest_SOURCES += nanny.c 24 | sctest_SOURCES += nanny.h 25 | sctest_SOURCES += options.h 26 | 27 | -------------------------------------------------------------------------------- /tools/sctest/dot.h: -------------------------------------------------------------------------------- 1 | struct instr_vertex 2 | { 3 | uint32_t eip; 4 | struct emu_string *instr_string; 5 | struct emu_env_w32_dll *dll; 6 | struct emu_env_linux_syscall *syscall; 7 | }; 8 | 9 | 10 | struct instr_vertex *instr_vertex_new(uint32_t theeip, const char *instr_string); 11 | void instr_vertex_free(struct instr_vertex *iv); 12 | 13 | struct instr_vertex *instr_vertex_copy(struct instr_vertex *from); 14 | 15 | void instr_vertex_destructor(void *data); 16 | 17 | int graph_draw(struct emu_graph *graph); 18 | 19 | -------------------------------------------------------------------------------- /tools/sctest/nanny.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | #include "nanny.h" 5 | 6 | #include "../../include/emu/emu_hashtable.h" 7 | 8 | 9 | struct nanny *nanny_new(void) 10 | { 11 | struct nanny *na = malloc(sizeof(struct nanny)); 12 | if (NULL == na) 13 | { 14 | return NULL; 15 | } 16 | memset(na, 0, sizeof(struct nanny)); 17 | 18 | na->files = emu_hashtable_new(16, emu_hashtable_ptr_hash, emu_hashtable_ptr_cmp); 19 | 20 | return na; 21 | } 22 | 23 | struct nanny_file *nanny_add_file(struct nanny *na, const char *path, uint32_t *emu_file, FILE *real_file) 24 | { 25 | struct nanny_file *file = malloc(sizeof(struct nanny_file)); 26 | if (NULL == file) 27 | { 28 | return NULL; 29 | } 30 | memset(file, 0, sizeof(struct nanny_file)); 31 | 32 | *emu_file = rand(); 33 | 34 | file->path = strdup(path); 35 | file->emu_file = *emu_file; 36 | file->real_file = real_file; 37 | 38 | emu_hashtable_insert(na->files, (void *)(uintptr_t)file->emu_file, file); 39 | 40 | return file; 41 | } 42 | 43 | struct nanny_file *nanny_get_file(struct nanny *na, uint32_t emu_file) 44 | { 45 | struct emu_hashtable_item *item = emu_hashtable_search(na->files, (void *)(uintptr_t)emu_file); 46 | if (item != NULL) 47 | { 48 | struct nanny_file *file = item->value; 49 | return file; 50 | }else 51 | return NULL; 52 | 53 | } 54 | 55 | bool nanny_del_file(struct nanny *na, uint32_t emu_file) 56 | { 57 | struct emu_hashtable_item *item = emu_hashtable_search(na->files, (void *)(uintptr_t)emu_file); 58 | if (item != NULL) 59 | { 60 | free(item->value); 61 | } 62 | return emu_hashtable_delete(na->files, (void *)(uintptr_t)emu_file); 63 | } 64 | 65 | void nanny_free(struct nanny *nanny) 66 | { 67 | 68 | } 69 | -------------------------------------------------------------------------------- /tools/sctest/nanny.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | struct nanny_file 6 | { 7 | bool active; 8 | char *path; 9 | uint32_t emu_file; 10 | FILE *real_file; 11 | }; 12 | 13 | /* 14 | struct nanny_socket 15 | { 16 | bool active; 17 | int socket; 18 | }; 19 | 20 | struct nanny_children 21 | { 22 | int pid; 23 | }; 24 | */ 25 | 26 | struct nanny 27 | { 28 | struct emu_hashtable *files; 29 | /* struct emu_hashtable *sockets; 30 | struct emu_hashtable *children; 31 | */ 32 | }; 33 | 34 | struct nanny *nanny_new(void); 35 | void nanny_free(struct nanny *nanny); 36 | 37 | struct nanny_file *nanny_add_file(struct nanny *na, const char *path, uint32_t *emu_file, FILE *real_file); 38 | struct nanny_file *nanny_get_file(struct nanny *na, uint32_t emu_file); 39 | bool nanny_del_file(struct nanny *na, uint32_t emu_file); 40 | 41 | 42 | -------------------------------------------------------------------------------- /tools/sctest/options.h: -------------------------------------------------------------------------------- 1 | struct run_time_options 2 | { 3 | int verbose; 4 | int nasm_force; 5 | uint32_t steps; 6 | int testnumber; 7 | int getpc; 8 | char *graphfile; 9 | bool from_stdin; 10 | char *from_argos_csi; 11 | unsigned char *scode; 12 | uint32_t size; 13 | int offset; 14 | char *profile_file; 15 | bool interactive; 16 | 17 | struct 18 | { 19 | struct 20 | { 21 | char *host; 22 | int port; 23 | }connect; 24 | struct 25 | { 26 | char *host; 27 | int port; 28 | }bind; 29 | 30 | struct 31 | { 32 | struct emu_hashtable *commands; 33 | }commands; 34 | 35 | }override; 36 | }; 37 | 38 | extern struct run_time_options opts; 39 | 40 | 41 | bool cmp(void *a, void *b); 42 | uint32_t hash(void *key); 43 | bool string_cmp(void *a, void *b); 44 | uint32_t string_hash(void *key); 45 | 46 | 47 | -------------------------------------------------------------------------------- /tools/sctest/tests.h: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | struct instr_test 4 | { 5 | const char *instr; 6 | 7 | char *code; 8 | uint16_t codesize; 9 | 10 | struct 11 | { 12 | uint32_t reg[8]; 13 | uint32_t mem_state[2]; 14 | uint32_t eflags; 15 | } in_state; 16 | 17 | struct 18 | { 19 | uint32_t reg[8]; 20 | uint32_t mem_state[2]; 21 | uint32_t eflags; 22 | uint32_t eip; 23 | } out_state; 24 | }; 25 | 26 | #define FLAG(fl) (1 << (fl)) 27 | 28 | 29 | extern struct instr_test tests[]; 30 | 31 | int numtests(void); 32 | -------------------------------------------------------------------------------- /tools/sctest/userhooks.h: -------------------------------------------------------------------------------- 1 | 2 | uint32_t user_hook_ExitProcess(struct emu_env *env, struct emu_env_hook *hook, ...); 3 | uint32_t user_hook_ExitThread(struct emu_env *env, struct emu_env_hook *hook, ...); 4 | uint32_t user_hook_CreateProcess(struct emu_env *env, struct emu_env_hook *hook, ...); 5 | uint32_t user_hook_WaitForSingleObject(struct emu_env *env, struct emu_env_hook *hook, ...); 6 | uint32_t user_hook_exit(struct emu_env *env, struct emu_env_hook *hook, ...); 7 | uint32_t user_hook_accept(struct emu_env *env, struct emu_env_hook *hook, ...); 8 | uint32_t user_hook_bind(struct emu_env *env, struct emu_env_hook *hook, ...); 9 | uint32_t user_hook_closesocket(struct emu_env *env, struct emu_env_hook *hook, ...); 10 | uint32_t user_hook_connect(struct emu_env *env, struct emu_env_hook *hook, ...); 11 | uint32_t user_hook_fclose(struct emu_env *env, struct emu_env_hook *hook, ...); 12 | uint32_t user_hook_fopen(struct emu_env *env, struct emu_env_hook *hook, ...); 13 | uint32_t user_hook_fwrite(struct emu_env *env, struct emu_env_hook *hook, ...); 14 | uint32_t user_hook_listen(struct emu_env *env, struct emu_env_hook *hook, ...); 15 | uint32_t user_hook_recv(struct emu_env *env, struct emu_env_hook *hook, ...); 16 | uint32_t user_hook_send(struct emu_env *env, struct emu_env_hook *hook, ...); 17 | uint32_t user_hook_socket(struct emu_env *env, struct emu_env_hook *hook, ...); 18 | uint32_t user_hook_WSASocket(struct emu_env *env, struct emu_env_hook *hook, ...); 19 | 20 | uint32_t user_hook_CreateFile(struct emu_env *env, struct emu_env_hook *hook, ...); 21 | uint32_t user_hook_WriteFile(struct emu_env *env, struct emu_env_hook *hook, ...); 22 | uint32_t user_hook_CloseHandle(struct emu_env *env, struct emu_env_hook *hook, ...); 23 | 24 | uint32_t user_hook_URLDownloadToFile(struct emu_env *env, struct emu_env_hook *hook, ...); 25 | uint32_t user_hook_IEWinMain(struct emu_env *env, struct emu_env_hook *hook, ...); 26 | --------------------------------------------------------------------------------