Skip to content

Client Core

CarlOS edited this page Sep 9, 2016 · 2 revisions

I tried to keep the client core system to a minimum.

Operation

Basically it does the following:

  • Initialize logging, etc.
  • Initialize shared memory (to communicate with PIN)
  • Connect to the server (to the MQ)
  • Request a MutationObject
    • contains the Base64 encoded mutation file
    • of course, write this to disk
  • Run the victim under PIN with the mutation as input
  • Fills the MutationObject with the information from the execution
  • Sends this information to the server (to the MQ, actually)
    • Most important is the bitmap
    • Crash information in case of a crash
  • Repeat :)

The shared memory object is named "Local\NaFlSharedMemory"

Code structure

The core sets up all helpers, that is, instantiate classes passing self as a parameter. This self parameter is used as parent by the different helpers. This way objects like cfg (configuration), logging, etc. are centralized and can be accessed via this parent parameter by them.

Crash!

If the PinTool marked the bitmap as seen below, a crash is registered. Before sending this information, an attempt of reproducing the crash is made. This time without PIN but being monitored by Winappdbg instead.

#!python
if curr_bitmap[0] == 0x41414141 \
    and curr_bitmap[1] == 0x42424242:
    # Restore these first bytes to more appropriate values
    curr_bitmap[0] = 0
    curr_bitmap[1] = 0

    [...]

    self.mo.priority == CAUSED_CRASH

    # Analyzes the crash (and saves it, if determined interesting)
    # This sets the MutationObject crash_data attribute
    cmd = [self.cfg.get('target_info', 'filename'), input_filename]
    self.crash_analysis.analyze_crash(cmd)
You can’t perform that action at this time.