Loading binary data
加载二进制数据使用 load_program
函数,提供一个文件名,或者字节字符串
In [1]: import amoco
In [2]: p = amoco.system.loader.load_program(u'samples/x86/flow.elf')
In [3]: print(p)
<amoco.system.linux_x86.ELF object at 0x7f834b4187d0>
In [4]: print(p.bin.Ehdr)
ELF header:
[Elf32_Ehdr]
e_ident :ELF; ELFOSABI_SYSV; 1; ELFCLASS32; ELFDATA2LSB; 0; 127 #占16个字节。前四个字节被称作ELF的Magic Number。后面的字节描述了ELF文件内容如何解码等信息
e_type :ET_EXEC #
e_machine :EM_386 #描述了文件面向的架构
e_version :EV_CURRENT
e_entry :0x8048380
e_phoff :52 #program header table的offset
e_shoff :4416 # section header table 的offset
e_flags :0x0 # 4字节,特定于处理器的标志,32位和64位Intel架构都没有定义标志,因此eflags的值是0。
e_ehsize :52 #2字节,ELF header的大小,32位ELF是52字节,64位是64字节
e_phentsize :32 #2字节。program header table中每个入口的大小。
e_phnum :9 #2字节。如果文件没有program header table, e_phnum的值为0。
e_shentsize :40 #2字节,section header table中entry的大小,即每个section header占多少字节。
e_shnum :30 # 2字节,section header table中header的数目。如果文件没有section header table, e_shnum的值为0。e_shentsize乘以e_shnum,就得到了整个section header table的大小。
e_shstrndx :27 # section header string table index. 包含了section header table中section name string table。如果没有section name string table, e_shstrndx的值是SHN_UNDEF.
Symbolic representations of blocks
一个块对象提供了位于内存中的一些地址的指令,用符号化函数来表示指令序列的动作:
In [7]: print(b.map.view)
eip <- (eip+-0x10)
eflags:
| cf <- 0x0
| sf <- (((esp+0x4)&0xfffffff0)<0x0)
| tf <- tf
| zf <- (((esp+0x4)&0xfffffff0)==0x0)
| pf <- (0x6996>>(((esp[0:8]+0x4)&0xf0)>>0x4)[0:4])[0:1]
| of <- 0x0
| df <- df
| af <- af
ebp <- 0x0
esp <- (((esp+0x4)&0xfffffff0)-0x24)
esi <- M32(esp)
ecx <- (esp+0x4)
(((esp+0x4)&0xfffffff0)-4) <- eax
(((esp+0x4)&0xfffffff0)-8) <- (((esp+0x4)&0xfffffff0)-0x4)
(((esp+0x4)&0xfffffff0)-12) <- edx
(((esp+0x4)&0xfffffff0)-16) <- 0x8048610
(((esp+0x4)&0xfffffff0)-20) <- 0x80485a0
(((esp+0x4)&0xfffffff0)-24) <- (esp+0x4)
(((esp+0x4)&0xfffffff0)-28) <- M32(esp)
(((esp+0x4)&0xfffffff0)-32) <- 0x80484fd
(((esp+0x4)&0xfffffff0)-36) <- (eip+0x21)
class system.core.CoreExec(p, cpu=None)
The CoreExec class implements the base class for a memory mapped binary executable program, providing the generic instruction or data fetchers and the mandatory API used by amoco.main analysis classes. Most of the amoco.system modules use this base class and redefine the initenv(), :meth‘load_binary‘ and helpers methods according to a dedicated system and architecture (Linux/x86, Win32/x86, etc).
意思是说:
所述CoreExec类用于实现一个存储器基类映射二进制可执行程序,提供通用的指令或获取数据,以及amoco.main分析类强制使用的必需API。 大多数amoco.system模块使用此基类,并根据专用系统和体系结构(Linux / x86,Win32 / x86等)重新定义initenv(),:meth'load_binary'和帮助器方法。
lsweep:
Linear sweep based analysis: a fast but somehow dumb way of disassembling a program. Other strategies usually inherit from this class which provides generic methods sequence() and iterblocks() as instruction and basic block iterators.
有几种策略来构建程序的控制流程图(即其所有功能的CFG),但没有一种是完美的。 一些策略在模块main中实现,范围从简单的main.lsweep线性扫描方法到链接反向方法(参见main.lbackward),该方法向后评估程序的计数器,直到获得具体值或当前的根节点 达到CFG:
cas/mapper.py
The mapper module essentially implements the mapper class and the associated merge() function which allows to get a symbolic representation of the union of two mappers.
映射器模块实质上实现了映射器类和相关的merge()函数,
merge()函数允许获得一个符号,这个符号表示两个映射器的并集。
class cas.mapper.mapper(instrlist=None, csi=None)
A mapper is a symbolic functional representation of the execution of a set of instructions.
映射器是执行了一组指令的符号功能的表示
Parameters
• instrlist (list[instruction]) – a list of instructions that are symbolically executed within the mapper.
• csi (Optional[object]) – the optional csi attribute that provide a concrete initial state
__map
is an ordered list of mappings of expressions associated with a location (register or memory pointer). The order is relevant only to reflect the order of write-to-memory instructions in case of pointer aliasing.
是与位置(寄存器或内存指针)关联的表达式映射的有序列表。在pointer aliasing的情况下, 该顺序仅反映出写入到存储器指令的顺序相关。
__Mem
is a memory model where symbolic memory pointers are addressing separated memory zones. See MemoryMap and MemoryZone classes.
是一种内存模型,其中符号内存指针寻址分开的内存zone(个人理解就是偏移)。 请参阅MemoryMap和MemoryZone类。
conds
is the list of conditions that must be True for the mapper
csi
is the optional interface to a concrete state
class system.core.MemoryZone(rel=None)
A MemoryZone contains mo objects at addresses that are integer offsets related to a symbolic expression. Adefault zone with related address set to None holds values at concrete addresses in every MemoryMap.
MemoryZone在地址处包含mo对象,这些对象是与符号表达式相关的整数偏移量。 将相关地址设置为“无”的Adefault区域保存每个MemoryMap中具体地址的值。
class system.core.MemoryMap(D=None)
Provides a way to represent concrete and abstract symbolic values located in the virtual memory space of a
process. A MemoryMap is organised as a collection of MemoryZone.
提供一种表示位于进程虚拟内存空间中的具体和抽象符号值的方法。 MemoryMap被组织为MemoryZone的集合。
linear()
The linear sweep method (main.lsweep) works basically like objdump. It produces instructions by disassembling bytes one after the other, ignoring the effective control flow. For standard x86/x64 binaries, the result is not so bad because code and data are rarely interlaced, but for many other architectures the result is incorrect. Still, it provides - at almost no cost - an over approximation of the set of all basic blocks for architectures with strict fixed-length instruction alignment.
线性扫描方法(main.lsweep)基本上像objdump一样工作。它通过一个接一个地反汇编字节来转化指令,忽略了有效的控制流程。对于标准的x86 / x64二进制文件,结果并不是很糟糕,因为代码和数据很少交错,但对于许多其他体系结构,结果是不正确的。尽管如此,它提供了 - 几乎没有成本 - 对于具有严格固定长度指令对齐的架构的所有基本块集合的过度逼近。
iterblocks(loc=None)
Iterator over basic blocks. The instruction.type attribute is used to detect the end of a block (type_control_flow). The returned block object is enhanced with plateform-specific informations (see block.misc).
迭代基本块。 instruction.type属性用于检测块的结尾(type_control_flow)。 返回的块对象使用特定平台的信息进行增强(请参阅block.misc)。
参考网站:
https://www.cnblogs.com/jiqingwu/p/elf_explore_2.html
官方文档:https://buildmedia.readthedocs.org/media/pdf/amoco/stable/amoco.pdf (必看)
网友评论