## ver 1.44
import binascii
import re
import sys

from util import *
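class Debugger(object):
    """Drive one interactive ``gdb`` session to inspect a target binary.

    A single gdb process (``Debugger.p``) is spawned while the class body
    runs, i.e. at import time, and is shared by every instance.  Every
    command goes through :meth:`execute`, which waits for whichever prompt
    was detected at start-up (plain ``(gdb) `` or the gdb-peda prompt).

    The constructor immediately loads ``target`` (see :meth:`setup`) and
    starts it (see :meth:`run`), so an instance is stopped at ``main`` once
    ``__init__`` returns.
    """

    ##v1.41 avaible for both gdb default and gdb-peda
    __prompt1 = "(gdb) "
    __prompt2 = '\x01\x1b[;31m\x02gdb-peda$ \x01\x1b[0m\x02'

    # start gdb process -- runs at import time and is shared by all instances
    p = process('gdb')
    __tmp = ''
    # Read until one of the two known prompts shows up and remember which
    # one it was, so every later recvuntil() waits for the right marker.
    while 1:
        if __prompt1 in __tmp:
            __prompt = __prompt1
            break
        elif __prompt2 in __tmp:
            __prompt = __prompt2
            break
        else:
            __tmp += p.recv(1024)
    # Send an empty line; __init__ consumes the prompt it produces.
    p.sendline()
    ##

    def __init__(self, target):
        """Bind this instance to gdb and prepare ``target``.

        :param target: path of the executable to debug,
            e.g. ``/home/ubuntu/Desktop/bof``.
        """
        # set file for debugger
        self.__file = target
        # swallow the prompt produced by the blank sendline() in the class body
        self.p.recvuntil(self.__prompt)
        self.setup()
        self.run()

    def load_file(self):
        """Load the target into gdb; return True when gdb reports ``done``.

        NOTE(review): the ``"done"`` test matches older gdb's
        ``Reading symbols from ...done.`` message -- confirm against the
        installed gdb version.
        """
        res = self.execute("file " + self.__file)
        return "done" in res

    def get_function_address(self, function):
        """Return the address of ``function`` from the ELF symbol table.

        Returns None when the symbol is absent; callers must check before
        passing the result on (``hex(None)`` fails).
        """
        try:
            return self.elf.symbols[function]
        except KeyError:
            return None

    def set_breakpoint(self, breakpoint):
        """Set a breakpoint at ``breakpoint``.

        Accepts a string or number, e.g. ``"1234"``, ``"0x1234"``, ``1234``
        or ``0x1234``; the value is interpolated verbatim into gdb's ``b*``.
        """
        return self.execute('b* ' + str(breakpoint))

    def setup(self):
        """Load the file, parse its ELF, require ASLR off, configure gdb.

        Exits the process with status 1 on any failure (previously 0, which
        signalled success to the caller).  The ASLR check reads
        ``/proc/sys/kernel/randomize_va_space`` and requires ``0``, i.e.
        system-wide randomization disabled; gdb's own per-inferior
        randomization control is then switched off so the kernel setting
        governs.
        """
        # if cannot load file then exit
        if not self.load_file():
            print('[Debugger] Failed to set up debugger')
            sys.exit(1)
        # get some basic information with the pwntools ELF module
        try:
            self.elf = ELF(self.__file)
        except Exception:
            print('[Debugger] Failed to load file elf')
            sys.exit(1)
        with open('/proc/sys/kernel/randomize_va_space', 'r') as f:
            aslr = f.read().strip()
        if aslr != '0':
            print("[Debugger] Kernel's ASLR need turn off")
            sys.exit(1)
        # let gdb use kernel's ASLR setting, which is disabled.
        self.execute('set disable-randomization off')
        ##v1.41 use intel disassembly style
        self.execute('set disassembly-flavor intel')
        # keep gdb from pausing long output waiting for a keypress
        self.execute('set pagination off')
        ##
        # set breakpoint at main
        self.execute('b* main')

    def run(self, input_file=None):
        """Start the inferior, optionally with stdin redirected from ``input_file``.

        With gdb's default startup-with-shell, the ``run < file`` line is
        handed to the shell, so ``input_file`` must be a plain, trusted path:
        shell metacharacters in it would be interpreted, not treated as a
        file name.
        """
        if not input_file:
            return self.execute('run')
        return self.execute('run < ' + input_file)

    def get_current_instruction(self):
        """Return the disassembly of the instruction at ``$eip`` (32-bit x86)."""
        # drop gdb's "=> " marker in front of the current instruction
        return self.execute('x/i $eip')[3:].strip()

    def step(self, payload=None, flag=STEP_OVER):
        """Execute one instruction: ``ni`` when ``flag == STEP_OVER``, else ``si``.

        :param payload: optional line written to the inferior right after
            the step command, for when it is blocking on input
            (see :meth:`execute`).
        """
        if flag == STEP_OVER:
            return self.execute('ni', payload)
        return self.execute('si', payload)

    def check(self, dbg_output):
        """Raise if gdb reports that the inferior received a signal."""
        if 'Program received signal' in dbg_output:
            raise Exception(dbg_output)

    ##v1.41 change Debugger.p into self.p
    def execute(self, command, payload=None):
        """Send ``command`` to gdb and return its output up to the next prompt.

        :param payload: optional line sent on the same pty after the
            command -- used when the inferior needs input (gets/read/...).
        :raises Exception: from :meth:`check` when the inferior hit a signal.
        """
        self.p.sendline(command)
        if payload:
            self.p.sendline(payload)
        res = self.p.recvuntil(self.__prompt)
        res = res[:res.find(self.__prompt)]
        self.check(res)
        return res
    ##

    def get_register_value(self, name):
        """Return the value of register ``name`` (e.g. ``'ebx'``) as an int."""
        ##v1.41 return hex value, compatable with gdb default
        res = self.execute('p /x $%s' % name)
        ##
        # gdb prints "$N = 0x...."; take the hex digits after the first "0x"
        return int(res.split('0x')[1].split(' ')[0], 16)

    @staticmethod
    def gdbstring_to_memory(s):
        """Convert ``x/Nbx`` output into the raw bytes it describes.

        Drops the leading ``addr:`` label (and the labels of continuation
        lines), tabs, newlines and ``0x`` prefixes, then hex-decodes the rest.
        """
        tmp = s[s.find(':\t') + 2:]
        tmp = re.sub(r'\n.*:', '', tmp)
        tmp = tmp.replace('\t', '').replace('\n', '').replace('0x', '')
        # same result as str.decode('hex') on Python 2, and also available on 3
        return binascii.unhexlify(tmp)

    def get_memory_value(self, address, size):
        """Return ``size`` raw bytes starting at integer ``address``."""
        res = self.execute('x/%dbx %d' % (size, address))
        return self.gdbstring_to_memory(res)

    ## v1.44, new method
    @staticmethod
    def calculate_length(s1, s2):
        """Return the length of the C string examined by ``s1``.

        ``s1`` and ``s2`` are two consecutive ``x/s`` outputs; each begins
        with the hex address it examined, so the difference minus the NUL
        terminator is the string length.
        """
        n1 = int(s1.split(':')[0], 16)
        n2 = int(s2.split(':')[0], 16)
        return n2 - n1 - 1

    def get_string(self, address):
        """Return ``(bytes, length)`` of the NUL-terminated string at ``address``."""
        res1 = self.execute('x/s %d' % (address))
        # an empty line makes gdb repeat the last x/s, examining the next string
        res2 = self.execute('')
        tmp_len = self.calculate_length(res1, res2)
        return self.get_memory_value(address, tmp_len), tmp_len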
def test():
    """Smoke-test the Debugger against the bundled test case (needs gdb)."""
    dbg = Debugger('../test-case/case01')
    print(hex(dbg.get_function_address('main')))
    print(dbg.get_current_instruction())
    # flag=0 is a step-in; the default is a step-over
    dbg.step(flag=0)
    print(dbg.get_current_instruction())
    dbg.step()
    print(dbg.get_current_instruction())
    print(hex(dbg.get_register_value('ebx')))
    print(dbg.get_memory_value(dbg.get_register_value('ebx'), 4))
    print("test ok!!!")
# run the smoke test only when executed as a script, not on import
if __name__ == "__main__":
    test()
#test()
##