using function binary_loaded_info to get the loaded info of binary.

zhanggenex · May 22, 2018 · c312fcb · c312fcb
1 parent 38984f8
commit c312fcb
Show file tree

Hide file tree

Showing 2 changed files with 97 additions and 128 deletions.
diff --git a/ptfuzzer.py b/ptfuzzer.py
@@ -5,79 +5,34 @@
 from capstone import *
 import argparse
 import os
-
+from run_with_pt import binary_loaded_info
 
 parser = argparse.ArgumentParser(description = 'Process arguements and bin name.')
 parser.add_argument('afl_args', type = str, help = 'arguements of AFL')
 parser.add_argument('target', type = str, help = 'target bin name and arguements of target bin')
 args = parser.parse_args()
 
-raw_bin_file = ""
-target_args = ""
-
-
-p = 0
-while p < len(args.target):
-	if args.target[p] == " ":
-		break
-	raw_bin_file += args.target[p]
-	p += 1
-if p < len(args.target) - 1:
-	target_args = args.target[p+1 : len(args.target)]
 
+# get afl binary and afl arguments
 bin_dir = os.path.dirname(__file__)
 afl_bin = os.path.join(bin_dir, "afl-ptfuzz")
 afl_args = args.afl_args
 
-raw_bin = "." + os.path.basename(raw_bin_file) + ".text"
-
-ld = cle.Loader(raw_bin_file)
-
-f = open(raw_bin, "wb")
-if not f:
-	print "open file " + raw_bin + " for writing failed."
-
-bin_code = ""
-base_addr = 0x0
-entry = ld.main_object.entry + base_addr
-# 'data', 'header', 'is_null', 'name', 'stream'
-
-
-
-for i in ld.main_object.sections:
-	if i.name == ".text":
-		print i.vaddr
-		min_addr = i.vaddr + base_addr
-		max_addr = i.vaddr + i.filesize + base_addr
-		raw_bytes = ld.memory.read_bytes(i.vaddr, i.filesize)
-		for byte in raw_bytes:
-			bin_code += byte
-
-# print len(bin_code)
-f.write(bin_code)
-f.close()
-
+# get target binary and target arguments
+target_words = args.target.split()
+raw_bin_file = target_words[0];
+target_args = ""
+for i in range(1, len(target_words)):
+	target_args += (target_words[i] + " ")
+
+# get the loaded info of target binary
+info = binary_loaded_info(raw_bin_file)
+raw_bin = info['raw_bin']
+min_addr = info['text_min']
+max_addr = info['text_max']
+entry = info['entry']
+
+# compose the command line for running AFL
 cmdline = "sudo %s -r %s -l %d -h %d -e %d %s %s %s @@" % (afl_bin, raw_bin, min_addr, max_addr, entry, afl_args, raw_bin_file, target_args)
 print cmdline
-os.system(cmdline)
-
-
-
-#faddr = open("./min_max.txt", "w")
-#faddr.write(str(min_addr) + "\n" + str(max_addr) + "\n" + str(entry))
-#faddr.close()
-
-
-
-#~ raw_bytes = ld.memory.read_bytes(ld.main_object.entry, max_addr-min_addr)
-#~ CODE = ''.join( raw_bytes )
-#~ md = Cs(CS_ARCH_X86, CS_MODE_64)
-#~ for i in md.disasm(CODE, entry):
-    #~ print("0x%x:\t%s\t%s" %(i.address, i.mnemonic, i.op_str))
-
-#~ print "len(raw_bytes) = ", len(raw_bytes)
-#~ print "entry_point = ", hex(ld.main_object.entry)
-#~ print "min_addr = ", hex(min_addr)
-#~ print "max_addr = ", hex(max_addr)
-#~ print "max_addr - min_addr = ", max_addr - min_addr
-#~ print "loader min and max addr: ", ld.min_addr, ld.max_addr
+os.system(cmdline)
diff --git a/run_with_pt.py b/run_with_pt.py
@@ -7,71 +7,85 @@
 import argparse
 import os
 
-
-parser = argparse.ArgumentParser(description = 'Process arguements and bin name.')
-parser.add_argument('app_bin', type = str, help = 'the target application')
-parser.add_argument('--app_args', type = str, help = 'application arguments')
-args = parser.parse_args()
-
-bin_dir = os.path.dirname(__file__)
-afl_bin = os.path.join(bin_dir, "run_pt")
-app_bin = args.app_bin
-app_args = args.app_args
-if app_args == None:
-    app_args = ""
-
-raw_bin = "." + os.path.basename(app_bin) + ".text"
-
-file_info = os.popen("file " + app_bin)
-bin_type = "executable"
-if "shared object" in file_info.read():
-    bin_type = "shared_object"
-
-print "binary type is ", bin_type
-
-# Now load binary, calculate program loaded base, entry, text_min and text_max 
-ld = cle.Loader(app_bin)
-bin_code = ""
-
-base_addr = ld.main_object.sections[0].vaddr
-entry = ld.main_object.entry + base_addr
-print "Program base by cle: ", base_addr
-print "Program entry by cle: ", entry
-for i in ld.main_object.sections:
-    if i.name == ".text":
-        text_min = i.vaddr
-        text_max = i.vaddr + i.filesize
-        raw_bytes = ld.memory.read_bytes(i.vaddr, i.filesize)
-        for byte in raw_bytes:
-            bin_code += byte
-
-# write raw binary code to file
-f = open(raw_bin, "wb")
-if not f:
-    print "open file " + raw_bin + " for writing failed."
-    sys.exit(-1)
-
-f.write(bin_code)
-f.close()
-
-# Now we have to recalcuate the loaded addresses for Position-independent executables
-if bin_type == "shared_object":
-    text_min -= base_addr
-    text_max -= base_addr
-    entry -= base_addr
-    base_addr = 0x0
-
-    base_addr = 0x555555554000
-    text_min += base_addr
-    text_max += base_addr
-    entry += base_addr
-
-print "calculated real program base: ", hex(base_addr)
-print "calculated real program entry: ", hex(entry)
-
-cmdline = "sudo %s %s %d %d %d %s %s" % (afl_bin, raw_bin, text_min, text_max, entry, app_bin, app_args)
-print cmdline
-os.system(cmdline)
+def binary_loaded_info(self, app_bin):
+
+    # First, get binary type: executable or shared object(PIE)
+    bin_type = "executable"
+    file_info = os.popen("file " + app_bin)
+    if "shared object" in file_info.read():
+        bin_type = "shared_object"
+    print "binary type is ", bin_type
+
+    # Now load binary, calculate program loaded base, entry, text_min and text_max 
+    ld = cle.Loader(app_bin)
+    bin_code = ""
+
+    base_addr = ld.main_object.sections[0].vaddr
+    entry = ld.main_object.entry + base_addr
+    print "Program base by cle: ", base_addr
+    print "Program entry by cle: ", entry
+    for i in ld.main_object.sections:
+        if i.name == ".text":
+            text_min = i.vaddr
+            text_max = i.vaddr + i.filesize
+            raw_bytes = ld.memory.read_bytes(i.vaddr, i.filesize)
+            for byte in raw_bytes:
+                bin_code += byte
+            break
+
+    #Third, write raw binary code to file
+    raw_bin = "." + os.path.basename(app_bin) + ".text"
+    f = open(raw_bin, "wb")
+    if not f:
+        print "open file " + raw_bin + " for writing failed."
+        sys.exit(-1)
+
+    f.write(bin_code)
+    f.close()
+
+    # Now we have to recalcuate the loaded addresses for Position-independent executables
+    if bin_type == "shared_object":
+        text_min -= base_addr
+        text_max -= base_addr
+        entry -= base_addr
+        base_addr = 0x0
+
+        base_addr = 0x555555554000
+        text_min += base_addr
+        text_max += base_addr
+        entry += base_addr
+
+    bin_loaded_info = {
+        'base': base_addr,
+        'entry': entry,
+        'text_min': text_min,
+        'text_max': text_max,
+        'raw_bin': raw_bin
+        }
+    return bin_loaded_info 
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description = 'Process arguements and bin name.')
+    parser.add_argument('app_bin', type = str, help = 'the target application')
+    parser.add_argument('--app_args', type = str, help = 'application arguments')
+    args = parser.parse_args()
+
+    bin_dir = os.path.dirname(__file__)
+    afl_bin = os.path.join(bin_dir, "run_pt")
+    app_bin = args.app_bin
+    app_args = args.app_args
+    if app_args == None:
+        app_args = ""
+
+
+    info = binary_loaded_info(app_bin)
+
+    print "calculated real program base: ", hex(info['base'])
+    print "calculated real program entry: ", hex(info['entry'])
+
+    cmdline = "sudo %s %s %d %d %d %s %s" % (afl_bin, info['raw_bin'], info['text_min'], info['text_max'], info['entry'], app_bin, app_args)
+    print cmdline
+    os.system(cmdline)