arno
/
bddisasm
mirror of https://github.com/bitdefender/bddisasm.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Added support for AESDEC, AESDECLAST and AESIMC emulation, using compiler intrinsics - they will be used only if the SHEMU_OPT_SUPPORT_AES is set (so the integrator can properly check for AES-NI support in hardware).

Browse Source 
Fixed shemu option on Linux - make sure proper RIP is provided.
pull/40/head
Andrei Vlad LUTAS 3 years ago
parent 83ee0d120d
commit f8a3011a49
8 changed files with 100 additions and 19 deletions
Show Stats Download Patch File Download Diff File

2
CMakeLists.txt
Unescape View File

@ -95,7 +95,7 @@ set(BDDISASM_COMPILE_OPTIONS
-g3 -g3
-gdwarf-4 -gdwarf-4
-grecord-gcc-switches -grecord-gcc-switches
-march=nehalem -march=westmere
) )
target_compile_options(bddisasm PRIVATE ${BDDISASM_COMPILE_OPTIONS}) target_compile_options(bddisasm PRIVATE ${BDDISASM_COMPILE_OPTIONS})

59
bdshemu/bdshemu.c
Unescape View File

@ -10,7 +10,7 @@
#include "nd_crt.h" #include "nd_crt.h"
#include "bddisasm.h" #include "bddisasm.h"
#include "bdshemu.h" #include "bdshemu.h"
#include <immintrin.h>
// //
// A generic emulator value. // A generic emulator value.
@ -357,7 +357,7 @@ ShemuSetFlags(
else if (FM_SHL == FlagsMode) else if (FM_SHL == FlagsMode)
{ {
// CF is the last bit shifted out of the destination. // CF is the last bit shifted out of the destination.
if (ND_GET_BIT(Src1, (Size * 8) - Src2)) if (ND_GET_BIT(Src1, (Size * 8ULL) - Src2))
{ {
Context->Registers.RegFlags |= NDR_RFLAG_CF; Context->Registers.RegFlags |= NDR_RFLAG_CF;
} }
@ -368,7 +368,7 @@ ShemuSetFlags(
if (Src2 == 1) if (Src2 == 1)
{ {
if (ND_GET_BIT(Size * 8 - 1, Dst) ^ ND_GET_BIT(Src1, (Size * 8) - Src2)) if (ND_GET_BIT(Size * 8ULL - 1, Dst) ^ ND_GET_BIT(Src1, (Size * 8ULL) - Src2))
{ {
Context->Registers.RegFlags |= NDR_RFLAG_OF; Context->Registers.RegFlags |= NDR_RFLAG_OF;
} }
@ -1351,6 +1351,7 @@ ShemuSetOperandValue(
if (ShemuIsStackPtr(Context, gla, MAX(op->Size, Context->Instruction.WordLength))) if (ShemuIsStackPtr(Context, gla, MAX(op->Size, Context->Instruction.WordLength)))
{ {
uint8_t stckstrlen = 0; uint8_t stckstrlen = 0;
uint32_t i;
// Note: only Context->Instruction.WordLength bits are flagged as RIP, as that is the RIP size. // Note: only Context->Instruction.WordLength bits are flagged as RIP, as that is the RIP size.
if (Context->Instruction.Instruction == ND_INS_CALLNR || if (Context->Instruction.Instruction == ND_INS_CALLNR ||
@ -1384,7 +1385,7 @@ ShemuSetOperandValue(
// Note that we will ignore registers which have not been modified during emulation; those are considered // Note that we will ignore registers which have not been modified during emulation; those are considered
// input values for the emulated code, and may be pointers or other data. We are interested only in // input values for the emulated code, and may be pointers or other data. We are interested only in
// stack values built within the emulate code. // stack values built within the emulate code.
for (uint32_t i = 0; i < Value->Size; i++) for (i = 0; i < Value->Size; i++)
{ {
unsigned char c = Value->Value.Bytes[i]; unsigned char c = Value->Value.Bytes[i];
@ -1402,7 +1403,7 @@ ShemuSetOperandValue(
if (stckstrlen == Value->Size) if (stckstrlen == Value->Size)
{ {
// Make sure the value is not present inside a non-dirty GPR. // Make sure the value is not present inside a non-dirty GPR.
for (uint32_t i = 0; i < 16; i++) for (i = 0; i < 16; i++)
{ {
if (ShemuCmpGprValue(Context, i, Value->Size, Value->Value.Qwords[0], false) && if (ShemuCmpGprValue(Context, i, Value->Size, Value->Value.Qwords[0], false) &&
(0 == (Context->DirtyGprBitmap & (1 << i)))) (0 == (Context->DirtyGprBitmap & (1 << i))))
@ -1696,6 +1697,7 @@ ShemuEmulate(
{ {
NDSTATUS ndstatus; NDSTATUS ndstatus;
uint64_t rip; uint64_t rip;
uint32_t i;
// The stop flag has been set, this means we've reached a valid instruction, but that instruction cannot be // The stop flag has been set, this means we've reached a valid instruction, but that instruction cannot be
// emulated (for example, SYSCALL, INT, system instructions, etc). // emulated (for example, SYSCALL, INT, system instructions, etc).
@ -2182,7 +2184,7 @@ ShemuEmulate(
GET_OP(Context, 0, &dst); GET_OP(Context, 0, &dst);
GET_OP(Context, 1, &src); GET_OP(Context, 1, &src);
src.Value.Qwords[0] %= dst.Size * 8; src.Value.Qwords[0] %= dst.Size * 8ULL;
// Store the bit inside CF. // Store the bit inside CF.
SET_FLAG(Context, NDR_RFLAG_CF, (dst.Value.Qwords[0] >> src.Value.Qwords[0]) & 1); SET_FLAG(Context, NDR_RFLAG_CF, (dst.Value.Qwords[0] >> src.Value.Qwords[0]) & 1);
@ -2811,7 +2813,7 @@ ShemuEmulate(
case ND_INS_PXOR: case ND_INS_PXOR:
GET_OP(Context, 0, &dst); GET_OP(Context, 0, &dst);
GET_OP(Context, 1, &src); GET_OP(Context, 1, &src);
for (uint32_t i = 0; i < dst.Size; i++) for (i = 0; i < dst.Size; i++)
{ {
dst.Value.Bytes[i] ^= src.Value.Bytes[i]; dst.Value.Bytes[i] ^= src.Value.Bytes[i];
} }
@ -2839,7 +2841,7 @@ ShemuEmulate(
case ND_INS_VPBROADCASTQ: case ND_INS_VPBROADCASTQ:
GET_OP(Context, 1, &src); GET_OP(Context, 1, &src);
dst.Size = Context->Instruction.Operands[0].Size; dst.Size = Context->Instruction.Operands[0].Size;
for (uint32_t i = 0; i < dst.Size / src.Size; i++) for (i = 0; i < dst.Size / src.Size; i++)
{ {
switch (src.Size) switch (src.Size)
{ {
@ -2863,7 +2865,7 @@ ShemuEmulate(
case ND_INS_VPXOR: case ND_INS_VPXOR:
GET_OP(Context, 1, &dst); GET_OP(Context, 1, &dst);
GET_OP(Context, 2, &src); GET_OP(Context, 2, &src);
for (uint32_t i = 0; i < dst.Size; i++) for (i = 0; i < dst.Size; i++)
{ {
dst.Value.Bytes[i] ^= src.Value.Bytes[i]; dst.Value.Bytes[i] ^= src.Value.Bytes[i];
} }
@ -2928,6 +2930,45 @@ ShemuEmulate(
stop = true; stop = true;
break; break;
case ND_INS_AESIMC:
case ND_INS_AESDEC:
case ND_INS_AESDECLAST:
{
__m128i val, key;
// Make sure AES support is present, and we can emulate AES decryption using AES instructions.
if (0 == (Context->Options & SHEMU_OPT_SUPPORT_AES))
{
stop = true;
break;
}
GET_OP(Context, 0, &dst);
GET_OP(Context, 1, &src);
shemu_memcpy(&val, &dst, 16);
shemu_memcpy(&key, &src, 16);
if (Context->Instruction.Instruction == ND_INS_AESDEC)
{
val = _mm_aesdec_si128(val, key);
}
else if (Context->Instruction.Instruction == ND_INS_AESDECLAST)
{
val = _mm_aesdeclast_si128(val, key);
}
else if (Context->Instruction.Instruction == ND_INS_AESIMC)
{
val = _mm_aesimc_si128(key);
}
shemu_memcpy(&dst, &val, 16);
SET_OP(Context, 0, &dst);
break;
}
default: default:
return SHEMU_ABORT_UNSUPPORTED_INSTRUX; return SHEMU_ABORT_UNSUPPORTED_INSTRUX;
} }

26
bdshemu/bdshemu.vcxproj
Unescape View File

@ -50,8 +50,11 @@
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='DebugKernel|Win32'" Label="Configuration"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='DebugKernel|Win32'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType> <ConfigurationType>StaticLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries> <UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset> <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<CharacterSet>Unicode</CharacterSet> <CharacterSet>Unicode</CharacterSet>
<TargetVersion>Windows7</TargetVersion>
<DriverTargetPlatform>Desktop</DriverTargetPlatform>
<SupportsPackaging>false</SupportsPackaging>
</PropertyGroup> </PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType> <ConfigurationType>StaticLibrary</ConfigurationType>
@ -63,9 +66,12 @@
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='ReleaseKernel|Win32'" Label="Configuration"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='ReleaseKernel|Win32'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType> <ConfigurationType>StaticLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries> <UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset> <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization> <WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet> <CharacterSet>Unicode</CharacterSet>
<TargetVersion>Windows7</TargetVersion>
<DriverTargetPlatform>Desktop</DriverTargetPlatform>
<SupportsPackaging>false</SupportsPackaging>
</PropertyGroup> </PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType> <ConfigurationType>StaticLibrary</ConfigurationType>
@ -76,8 +82,11 @@
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='DebugKernel|x64'" Label="Configuration"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='DebugKernel|x64'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType> <ConfigurationType>StaticLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries> <UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset> <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<CharacterSet>Unicode</CharacterSet> <CharacterSet>Unicode</CharacterSet>
<TargetVersion>Windows7</TargetVersion>
<DriverTargetPlatform>Desktop</DriverTargetPlatform>
<SupportsPackaging>false</SupportsPackaging>
</PropertyGroup> </PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType> <ConfigurationType>StaticLibrary</ConfigurationType>
@ -89,9 +98,12 @@
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='ReleaseKernel|x64'" Label="Configuration"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='ReleaseKernel|x64'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType> <ConfigurationType>StaticLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries> <UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset> <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<WholeProgramOptimization>false</WholeProgramOptimization> <WholeProgramOptimization>false</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet> <CharacterSet>Unicode</CharacterSet>
<TargetVersion>Windows7</TargetVersion>
<DriverTargetPlatform>Desktop</DriverTargetPlatform>
<SupportsPackaging>false</SupportsPackaging>
</PropertyGroup> </PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" /> <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings"> <ImportGroup Label="ExtensionSettings">
@ -201,6 +213,7 @@
<AdditionalIncludeDirectories>..\inc;..\bddisasm\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories> <AdditionalIncludeDirectories>..\inc;..\bddisasm\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<TreatWarningAsError>true</TreatWarningAsError> <TreatWarningAsError>true</TreatWarningAsError>
<ProgramDataBaseFileName>$(SolutionDir)bin\$(Platform)\$(Configuration)\$(ProjectName).pdb</ProgramDataBaseFileName> <ProgramDataBaseFileName>$(SolutionDir)bin\$(Platform)\$(Configuration)\$(ProjectName).pdb</ProgramDataBaseFileName>
<AdditionalOptions>/kernel /d1import_no_registry /d2AllowCompatibleILVersions /d2Zi+ %(AdditionalOptions)</AdditionalOptions>
</ClCompile> </ClCompile>
<Link> <Link>
<SubSystem>Console</SubSystem> <SubSystem>Console</SubSystem>
@ -259,7 +272,7 @@
<BasicRuntimeChecks>Default</BasicRuntimeChecks> <BasicRuntimeChecks>Default</BasicRuntimeChecks>
<IgnoreStandardIncludePath>false</IgnoreStandardIncludePath> <IgnoreStandardIncludePath>false</IgnoreStandardIncludePath>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat> <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<AdditionalOptions>/D "AMD64" %(AdditionalOptions)</AdditionalOptions> <AdditionalOptions>/kernel /D "AMD64" %(AdditionalOptions)</AdditionalOptions>
</ClCompile> </ClCompile>
<Link> <Link>
<SubSystem>Console</SubSystem> <SubSystem>Console</SubSystem>
@ -315,6 +328,7 @@
<AdditionalIncludeDirectories>..\inc;..\bddisasm\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories> <AdditionalIncludeDirectories>..\inc;..\bddisasm\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<TreatWarningAsError>true</TreatWarningAsError> <TreatWarningAsError>true</TreatWarningAsError>
<ProgramDataBaseFileName>$(SolutionDir)bin\$(Platform)\$(Configuration)\$(ProjectName).pdb</ProgramDataBaseFileName> <ProgramDataBaseFileName>$(SolutionDir)bin\$(Platform)\$(Configuration)\$(ProjectName).pdb</ProgramDataBaseFileName>
<AdditionalOptions> /kernel /d1nodatetime %(AdditionalOptions)</AdditionalOptions>
</ClCompile> </ClCompile>
<Link> <Link>
<SubSystem>Console</SubSystem> <SubSystem>Console</SubSystem>
@ -386,7 +400,7 @@
<ProgramDataBaseFileName>$(SolutionDir)bin\$(Platform)\$(Configuration)\$(ProjectName).pdb</ProgramDataBaseFileName> <ProgramDataBaseFileName>$(SolutionDir)bin\$(Platform)\$(Configuration)\$(ProjectName).pdb</ProgramDataBaseFileName>
<ExceptionHandling>Sync</ExceptionHandling> <ExceptionHandling>Sync</ExceptionHandling>
<MinimalRebuild>true</MinimalRebuild> <MinimalRebuild>true</MinimalRebuild>
<AdditionalOptions>/D "AMD64" %(AdditionalOptions)</AdditionalOptions> <AdditionalOptions>/kernel /D "AMD64" %(AdditionalOptions)</AdditionalOptions>
</ClCompile> </ClCompile>
<Link> <Link>
<SubSystem>Console</SubSystem> <SubSystem>Console</SubSystem>

11
disasmtool/disasmtool.c
Unescape View File

@ -1520,6 +1520,17 @@ handle_shemu(
ctx.StrThreshold = SHEMU_DEFAULT_STR_THRESHOLD; ctx.StrThreshold = SHEMU_DEFAULT_STR_THRESHOLD;
ctx.MemThreshold = SHEMU_DEFAULT_MEM_THRESHOLD; ctx.MemThreshold = SHEMU_DEFAULT_MEM_THRESHOLD;
// Check for AES support.
int regs[4] = { 0 };
__cpuid(regs, 1);
// CPUID leaf function 1, register ECX, bit 25 indicates AES-NI support.
if (!!(regs[2] & (1UL << 25)))
{
ctx.Options |= SHEMU_OPT_SUPPORT_AES;
}
if (Options->UseShemuRegs) if (Options->UseShemuRegs)
{ {
// Copy the new GPRs // Copy the new GPRs

14
disasmtool_lix/disasmtool.cpp
Unescape View File

@ -7,6 +7,7 @@
#include <memory> #include <memory>
#include <limits> #include <limits>
#include <cmath> #include <cmath>
#include <cpuid.h>
#include "external/argparse.h" #include "external/argparse.h"
@ -526,7 +527,7 @@ void shemu(options &opts)
ctx.IntbufSize = opts.actual_size + STACK_SIZE; ctx.IntbufSize = opts.actual_size + STACK_SIZE;
ctx.Registers.RegFlags = NDR_RFLAG_IF | 2; ctx.Registers.RegFlags = NDR_RFLAG_IF | 2;
ctx.Registers.RegRip = opts.rip; ctx.Registers.RegRip = opts.rip ? opts.rip : 0x200000;
ctx.Segments.Cs.Selector = 0x10; ctx.Segments.Cs.Selector = 0x10;
ctx.Segments.Ds.Selector = 0x28; ctx.Segments.Ds.Selector = 0x28;
ctx.Segments.Es.Selector = 0x28; ctx.Segments.Es.Selector = 0x28;
@ -547,6 +548,17 @@ void shemu(options &opts)
ctx.Options = SHEMU_OPT_TRACE_EMULATION; ctx.Options = SHEMU_OPT_TRACE_EMULATION;
ctx.Log = shemu_log; ctx.Log = shemu_log;
ctx.AccessMemory = shemu_access_mem; ctx.AccessMemory = shemu_access_mem;
uint32_t eax, ebx, ecx, edx;
eax = ebx = ecx = edx = 0;
__get_cpuid(1, &eax, &ebx, &ecx, &edx);
if (!!(ecx & (1UL << 25)))
{
ctx.Options |= SHEMU_OPT_SUPPORT_AES;
}
// Configurable thresholds. // Configurable thresholds.
ctx.NopThreshold = SHEMU_DEFAULT_NOP_THRESHOLD; ctx.NopThreshold = SHEMU_DEFAULT_NOP_THRESHOLD;

3
inc/bdshemu.h
Unescape View File

@ -263,6 +263,9 @@ typedef unsigned int SHEMU_STATUS;
// //
#define SHEMU_OPT_TRACE_EMULATION 0x00000001 // Trace each emulated instruction. #define SHEMU_OPT_TRACE_EMULATION 0x00000001 // Trace each emulated instruction.
#define SHEMU_OPT_STOP_ON_EXPLOIT 0x00000002 // When shellcode indications are confirmed, stop emulation. #define SHEMU_OPT_STOP_ON_EXPLOIT 0x00000002 // When shellcode indications are confirmed, stop emulation.
#define SHEMU_OPT_SUPPORT_AES 0x00010000 // Indicates that AES instructions are supported, and
// therefore, the AES intrinsics can be used to emulate
// AES decryption.
// //

2
inc/version.h
Unescape View File

@ -7,6 +7,6 @@
#define DISASM_VERSION_MAJOR 1 #define DISASM_VERSION_MAJOR 1
#define DISASM_VERSION_MINOR 31 #define DISASM_VERSION_MINOR 31
#define DISASM_VERSION_REVISION 4 #define DISASM_VERSION_REVISION 5
#endif // DISASM_VER_H #endif // DISASM_VER_H

2
pybddisasm/setup.py
Unescape View File

@ -12,7 +12,7 @@ from setuptools import find_packages, setup, Command, Extension, Distribution
from codecs import open from codecs import open
VERSION = (0, 1, 3) VERSION = (0, 1, 3)
LIBRARY_VERSION = (1, 31, 4) LIBRARY_VERSION = (1, 31, 5)
LIBRARY_INSTRUX_SIZE = 864 LIBRARY_INSTRUX_SIZE = 864
packages = ['pybddisasm'] packages = ['pybddisasm']

Write Preview
Loading…
Cancel
Save