PyEmu:一个多用途的IA-32模拟器脚本

PyEmu:一个多用途的IA-32模拟器脚本

分类：

系统模拟器：完全模拟系统环境、硬件、软件和bios，一个典型的例子是bochs

指令模拟器：将CPU的行为转换成等价的逻辑和内存运算

模拟器应用于逆向：

       逆向会随着应用的特性越来越多而变得越来越复杂，逻辑理解起来越耗时，如果包含大量函数、分支，可以使用模拟器分析，可用的场景有：

       复杂分支的代码

有歧义的代码

混淆代码

逆向工具现状：

       BinNavi, PaiMei, IDA脚本和插件

       Idax86emu插件，可以修改栈，模拟寄存器甚至模拟库函数调用，但是扩展性较差

PyEmu结构：

       包括PyCPU, PyMemory,PyEmu三个模块

PyEmu用于用户交互

PyCPU用于执行指令，支持100+ IntelIA-32指令，将指令地址交给pydasm解析出操作符和操作数

       Get_register(register,size)

       Set_register(register,size)

       Get_memory_address(instruction,operand_index,size)

       Get_memory(address,size)

       Set_memory(address,value,size)

       Set_arithmetic_flags(operand_1_value,operand_2_value,result,size)

       Set_shit_flags(result,size)

PyMemory用于内存操作

PyEmu的使用：

       用于ida的模拟执行：

       From PyEmu import IDAPyEmu

       emu = IDAPyEmu()

       emu.set_register(“EIP”,ScreenEA())

       emu.debug(2)

       emu.execute(steps=5)

       用于本地PE文件的模拟执行：

       import os, sys, pefile

       from PyEmu import PEPyEmu

       exename = sys.argv[1]

       address = int(sys.argv[2],16)

       emu = PEPyEmu(exename)

       emu.debug(2)

       emu.set_register(“EIP”, address)

       emu.execute(steps=10)

 

       监听器：    寄存器监听emu.set_register_handler(“eax”,my_register_handler)

                            库函数监听emu.set_library_handler(“malloc”,my_library_handler)

                            异常监听emu.set_exception_handler(“GP”,my_exception_handler)

                            指令监听emu.set_instruction_handler(“cmp”,my_instruction_handler)

                            操作符监听emu.set_opcode_handler(“0x39,my_opcode_handler)

                            内存监听emu.set_memory_handler(0x41424344,my_memory_handler)

                            指令指针监听emu.set_pc_handler(0x45464748,my_pc_handler)

       执行：execute(self,steps=1,start=0,end=0)

       修改：  emu.set_register(“eax”,0x12345678,name=”counter”)

                     emu.set_stack_variable(0x80,0x12345678,name=”var_80”)

                     emu.set_stack_argument(0x8,0xaabbccdd,name=”arg_0”)

                     emu.set_memory(0x12345678,”ABCDEFG”)

跟踪内存访问：

from PyEmu importIDAPyEmu

def my_memory_access_handler(emu, address,value, size, type):

      print"[*] Hit my_memory_access_handler %x: %s (%x, %x, %x, %s)" %(emu.get_register("EIP"), emu.get_disasm(), address, value, size,type)

      returnTrue

#初始化

emu.set_register("EIP",ScreenEA())

emu.set_memory_access_handler(my_memory_access_handler)

emu.execute(start=0x00427E6B, end=0x00427E8D)

print "[*] Done"

分支枚举：

       emu.set_mnemonic_handle(“cmp”,my_cmp_handler)

 

文件：

PyContext.py: A module containing a class for defining a context to pass between modules in the emulatorPyCPU.py: The CPU class implements each instruction and is responsible for executing and maintaining statePyDebug.py: A simple class to ease some debugging tasksPyEmu.py: The user facing class that implements the public methods available for use.  Also is responsible for initiating the memory and cpu classesPyInstruction.py: A helper class for providing abstracted access to the pydasm instruction structuresPyMemory.py: A module containing the memory managers responsible for fetching and storing memoryPyOS.py: A rough implementation of needed OS specific structures for process creation and control.examples/    idapyemu.py: A simple example of using PyEmu in IDA Pro    idapyemu_memory_access.py: A simple example showing tracking of memory access    idapyemu_path_enumeration.py: An example showing mnemonic hooking    idapyemu_return_value.py: An example demonstrating return value enumeration    idapyemu_test_case.py: A test case exercising many of the PyEmu methods    pepyemu.py: A example of PE file PyEmu use    pydbgpyemu.py: A example of PyDbg uselib/    pefile.py: Ero Carrera's pefile implementation    pydasm.pyd: Ero Carrera's libdasm python wrapper    ctypes/_ctypes.pyd: Ctypes library needed for PyOS.py

 

 

########################################################################
#
# Instantiation
#
########################################################################

emu = PyEmu()
emu = IDAPyEmu(stack_base=0x0, stack_size=0x0, heap_base=0x0, heap_size=0x0)
emu = PydbgPyEmu(dbg)

########################################################################
#
# Execution
#
########################################################################

# Single Step
emu.execute(steps=2)

# Run from
emu.execute(start=0x12345678)

# Run to
emu.execute(end=0x12345678)

# Run from to
emu.execute(start=0x12345678, end=0x9abcdef0)

# Break (possibly useless)
emu.set_breakpoint(0x12345678)

# Break with handler (possibly useless)
emu.set_breakpoint(0x12345678, my_breakpoint_handler)

########################################################################
#
# Manipulation
#
########################################################################

# Smart register setting "eax" "al" "ax" masksthe value
emu.set_register("eax", 0x1234567, name="counter")
emu.get_register("ax")
emu.get_register("counter")

# Stack access
emu.set_stack_variable(0x80, 0x12345678, name="var_80")
emu.set_stack_argument(1, 0x12345678, name="count")

emu.get_stack_argument(2)
emu.get_stack_argument("count")

emu.get_stack_variable(0x80)
emu.get_stack_variable("var_80")

# Memory access
emu.get_memory(0x12345678, 4)
emu.set_memory(0x12345678, "ABCDEFGHIJKLMNOP")
emu.set_memory(0x12345678, 0x12345678, size=2)

########################################################################
#
# Handlers
#
########################################################################

# Low level handlers
emu.set_register_handler("eax", my_register_handler)
emu.set_library_handler("LoadLibrary", my_library_handler)
emu.set_exception_handler("GP", my_exception_handler)
emu.set_mnemonic_handler("jmp", my_instruction_handler)
emu.set_opcode_handler(0xe9, my_opcode_handler)
emu.set_memory_handler(0x41424344, my_memory_handler)
emu.set_pc_handler(0x45464748, my_pc_handler)

# High level handlers
emu.set_memory_write_handler(my_memory_write_handler)
emu.set_memory_read_handler(my_memory_read_handler)
emu.set_memory_access_handler(my_memory_access_handler)

emu.set_stack_write_handler(my_stack_write_handler)
emu.set_stack_read_handler(my_stack_read_handler)
emu.set_stack_access_handler(my_stack_access_handler)

emu.set_heap_write_handler(my_heap_write_handler)
emu.set_heap_read_handler(my_heap_read_handler)
emu.set_heap_access_handler(my_heap_access_handler)

########################################################################
#
# Misc
#
########################################################################

# Execution logging
emu.log(filehandle)

# Debug printing logging
emu.debug(1)