
initial commit from struct's version

0 parents commit 16c0db525ea7a9929564c88270e4b0bc7c6508bf @tduehr committed May 13, 2009
Showing with 14,163 additions and 0 deletions.
  1. +9 −0 README.txt
  2. +55 −0 arena.rb
  3. +126 −0 blocks.rb
  4. +336 −0 debugger.rb
  5. +351 −0 debuggertux.rb
  6. +423 −0 debuggerx.rb
  7. +223 −0 detour.rb
  8. +49 −0 device.rb
  9. +50 −0 event.rb
  10. +12 −0 frasm/COPYING
  11. +149 −0 frasm/Makefile
  12. +8 −0 frasm/build.bat
  13. +155 −0 frasm/config.h
  14. +671 −0 frasm/decoder.c
  15. +43 −0 frasm/decoder.h
  16. BIN frasm/decoder.obj
  17. +52 −0 frasm/distorm.c
  18. BIN frasm/distorm.obj
  19. +3 −0 frasm/extconf.rb
  20. +2 −0 frasm/frasm-i386-mswin32.def
  21. BIN frasm/frasm-i386-mswin32.exp
  22. BIN frasm/frasm-i386-mswin32.lib
  23. +103 −0 frasm/frasm.c
  24. BIN frasm/frasm.obj
  25. +8 −0 frasm/frasm.so.manifest
  26. +509 −0 frasm/instructions.c
  27. +421 −0 frasm/instructions.h
  28. BIN frasm/instructions.obj
  29. +2,929 −0 frasm/insts.c
  30. +20 −0 frasm/insts.h
  31. BIN frasm/insts.obj
  32. +1,426 −0 frasm/operands.c
  33. +27 −0 frasm/operands.h
  34. BIN frasm/operands.obj
  35. +478 −0 frasm/prefix.c
  36. +50 −0 frasm/prefix.h
  37. BIN frasm/prefix.obj
  38. +349 −0 frasm/textdefs.c
  39. +75 −0 frasm/textdefs.h
  40. BIN frasm/textdefs.obj
  41. +27 −0 frasm/wstring.c
  42. +48 −0 frasm/wstring.h
  43. BIN frasm/wstring.obj
  44. +84 −0 frasm/x86defs.c
  45. +150 −0 frasm/x86defs.h
  46. BIN frasm/x86defs.obj
  47. +48 −0 hittracertux.rb
  48. +63 −0 hittracerx.rb
  49. +9 −0 hook_notepad.rb
  50. +23 −0 hooks.rb
  51. +506 −0 process.rb
  52. +46 −0 ptr.rb
  53. +11 −0 ragweed.rb
  54. +3 −0 rasm.rb
  55. +1,046 −0 rasm/isa.rb
  56. +26 −0 rasm/util.rb
  57. +197 −0 sbuf.rb
  58. +176 −0 snicker.rb
  59. +103 −0 trampoline.rb
  60. +23 −0 tux-example.rb
  61. +3 −0 wrap32.rb
  62. +163 −0 wrap32/debugging.rb
  63. +46 −0 wrap32/overlapped.rb
  64. +59 −0 wrap32/process_token.rb
  65. +208 −0 wrap32/thread_context.rb
  66. +16 −0 wrap32/winx.rb
  67. +526 −0 wrap32/wrap32.rb
  68. +3 −0 wraptux.rb
  69. +68 −0 wraptux/constants.rb
  70. +3 −0 wraptux/threads.rb
  71. +76 −0 wraptux/wraptux.rb
  72. +3 −0 wrapx.rb
  73. +101 −0 wrapx/constants.rb
  74. +147 −0 wrapx/kernelerrorx.rb
  75. +91 −0 wrapx/kernx.rb
  76. +249 −0 wrapx/region_info.rb
  77. +203 −0 wrapx/thread_context.rb
  78. +121 −0 wrapx/thread_info.rb
  79. +376 −0 wrapx/wrapx.rb
@@ -0,0 +1,9 @@
+Ragweed is a set of scriptable debugging tools written mostly in native ruby.
+
+Where required the Ruby/DL and Win32API libraries are used to interface the machine
+and OS native system calls.
+
+This suite is currently fairly piecemeal. Each OS has it's own set of tools.
+The most complete set is for Win32.
+
+Work is ongoing to complete and unify the OSX and Linux portions.
@@ -0,0 +1,55 @@
+class Ragweed::Arena
+ # I want 3 lambdas:
+ # * "get" should take no arguments and result in the address of a fresh
+ # 4k page.
+ # * "free" should free any 4k page returned by "get"
+ # * "copy" should implement memcpy, copying a string into a 4k page.
+ def initialize(get, free, copy)
+ @get = get
+ @free = free
+ @copy = copy
+ @pages = []
+ @avail = 0
+ @off = 0
+ end
+
+ private
+
+ def get
+ p = @get.call
+ @pages << p
+ @cur = p
+ @avail = 4096
+ @off = 0
+ end
+
+ public
+
+ # Allocate any size less than 4090 from the arena.
+ def alloc(sz)
+ raise "can't handle > page size now" if sz > 4090
+ get if sz > @avail
+ ret = @off
+ @off += sz
+ round = 4 - (@off % 4)
+ if (@off + round) > 4096
+ @avail = 0
+ @off = 4096
+ else
+ @off += round
+ @avail -= (sz + round)
+ end
+
+ return Ptr.new(@cur + ret)
+ end
+
+ # Copy a buffer into the arena and return its new address.
+ def copy(buf)
+ ret = alloc(buf.size)
+ @copy.call(ret, buf)
+ return ret
+ end
+
+ # Release the whole arena all at once.
+ def release; @pages.each {|p| @free.call(p)}; end
+end
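Review bot: `release` frees every page through `@free` but leaves `@pages`, `@cur`, `@avail` and `@off` untouched, so a later `alloc`/`copy` on the same arena can hand back a `Ptr` into a page that has already been freed (whenever `@avail` is still non-zero), and a second `release` would free the same pages again. Resetting the bookkeeping after freeing closes that: `def release; @pages.each {|p| @free.call(p)}; @pages = []; @cur = nil; @avail = @off = 0; end`. Two smaller points in `alloc`: `round = 4 - (@off % 4)` pads by a full 4 bytes when `@off` is already aligned (`(4 - @off % 4) % 4` avoids that), and `alloc(0)` on a fresh arena skips `get` because `0 > @avail` is false, then fails on `@cur + ret` with `@cur` still nil, so a `raise ArgumentError, "size must be positive" unless sz > 0` guard at the top is worth adding. The header comment could also state the invariant the code relies on, `# @avail is always 4096 - @off for the current page`.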
@@ -0,0 +1,126 @@
+pushv = $VERBOSE
+$VERBOSE = nil
+
+module Ragweed::Blocks
+ include Ragweed::Rasm
+ extend Ragweed::Rasm
+
+ def remote_trampoline(argc, opts={})
+ i = Rasm::Subprogram.new
+
+ # drop directly to debugger
+ i << Int(3) if opts[:debug]
+
+ # psuedo-frame-pointer
+ i.<< Push(esi)
+ i.<< Mov(esi, esp)
+
+ # get the thread arg
+ i.<< Add(esi, 8)
+
+ # load it
+ i.<< Mov(esi, [esi])
+ i.<< Push(ebx)
+ i.<< Mov(ebx, [esi])
+ i.<< Push(ecx)
+
+ # harvest arguments out of the argument buffer
+ (0...argc).each do |n|
+ i.<< Mov(ecx, [esi+(4+(n*4))])
+ i.<< Push(ecx)
+ end
+
+ i.<< Call(ebx)
+
+ # stuff return value after args
+ i.<< Mov([esi + (4+(argc*4))], eax)
+
+ # epilogue
+ i.<< Pop(ecx)
+ i.<< Pop(ebx)
+ i.<< Pop(esi)
+ i.<< Ret() # i think this is an artifact of my IRB, XXX clean up
+ end
+ module_function :remote_trampoline
+
+ def event_pair_stub(opts={})
+ i = Rasm::Subprogram.new
+
+ i << Int(3) if opts[:debug]
+
+ i.<< Push(ebp)
+ i.<< Mov(ebp, esp)
+ i.<< Sub(esp, 12)
+
+ i.<< Push(esi)
+ i.<< Mov(esi, [ebp+8])
+
+ i.<< Push(eax)
+ i.<< Push(ebx)
+ i.<< Push(edx)
+
+ # OpenProcess
+ i.<< Mov(ebx, [esi]) # function ptr
+ i.<< Mov(eax, [esi+24])
+ i.<< Push(eax)
+ i.<< Xor(eax, eax)
+ i.<< Push(eax)
+ i.<< Or(eax, 0x1F0FFF)
+ i.<< Push(eax)
+ i.<< Call(ebx)
+ i.<< Mov([ebp-4], eax)
+
+ # DuplicateHandle
+ i.<< Mov(ebx, [esi+4]) # function ptr
+ (1..2).each do |which|
+ i.<< Push(2) # flags
+ i.<< Push(0) # dunno
+ i.<< Push(0) # dunno
+ i.<< Mov(edx, ebp) # my LEA encoding is broken
+ i.<< Sub(edx, 8+(4*(which-1)))
+ i.<< Lea(eax, [edx])
+ i.<< Push(eax) # handle out-arg
+ i.<< Xor(eax, eax)
+ i.<< Not(eax)
+ i.<< Push(eax) # target process
+ i.<< Mov(ecx, esi)
+ i.<< Add(ecx, (20 + (4 * which)))
+ i.<< Push([ecx])
+ i.<< Push([ebp-4]) # target process handle
+ i.<< Call(ebx)
+ end
+
+ # ResetHandle
+ i.<< Mov(ebx, [esi+8]) # function ptr
+ (0..1).each do |which|
+ i.<< Push([ebp-(8+(4*which))])
+ i.<< Call(ebx)
+ end
+
+ # SignalHandle
+ i.<< Mov(ebx, [esi+12]) # function ptr
+ i.<< Push([ebp-8])
+ i.<< Call(ebx)
+
+ # WaitForSingleObject
+ i.<< Mov(ebx, [esi+16])
+ i.<< Xor(eax, eax)
+ i.<< Not(eax)
+ i.<< Push(eax)
+ i.<< Push([ebp-12])
+ i.<< Call(ebx)
+
+ # All done!
+
+ i.<< Pop(edx)
+ i.<< Pop(ebx)
+ i.<< Pop(eax)
+ i.<< Pop(ecx)
+ i.<< Pop(esi)
+ i.<< Add(esp, 12)
+ i.<< Pop(ebp)
+ i.<< Ret()
+ end
+end
+
+$VERBOSE = pushv
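Review bot: `[esi+24]` is read with two different meanings in `event_pair_stub`: as the process id pushed for OpenProcess (`Mov(eax, [esi+24])`) and, in the DuplicateHandle loop with `which` = 1, as the first source handle (`Add(ecx, (20 + (4 * which)))` gives 24); unless the argument block deliberately reuses that slot, one of the offsets looks off, since with five function pointers occupying 0–16 the pid would naturally sit at `[esi+20]`, so the layout should be pinned down and documented. A header comment on the stub stating the expected block layout (slots 0–16 for OpenProcess, DuplicateHandle, ResetHandle, SignalHandle and WaitForSingleObject, followed by the pid and the two handles) would also let the two `# dunno` pushes be named; given the push order they are presumably DuplicateHandle's dwDesiredAccess and bInheritHandle. The `0x1F0FFF` access mask and the `Xor`/`Not` idiom for -1 deserve a word each, e.g. `# PROCESS_ALL_ACCESS` and `# -1: current-process pseudo-handle / INFINITE`. Separately, the file mixes `i << ...` with `i.<< ...` (RuboCop flags the latter), and the `XXX clean up` remark on the final `Ret()` in `remote_trampoline` reads as a leftover that should either be resolved or turned into a proper TODO.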
