
Tutorial ropemu

magrazia edited this page May 24, 2016 · 1 revision

In the first part of this tutorial, ropemu is presented. ropemu implements the emulation phase and is one of the core components of the ROPMEMU framework. It generates JSON traces containing the CPU context and the shadow stack (the memory context). It is a Volatility plugin able to follow a ROP chain gadget by gadget, starting from a memory dump, an initial instruction pointer (`-I`) and an initial stack pointer (`-S`) — the address of the chain's first gadget and of the stack it lives on must already be known (e.g. from a prior analysis of the dump; locating the chain is not covered here). The emulation is implemented on top of the Unicorn emulator, with Capstone as the disassembly library.

These first two examples show the two execution modes. In Example 0x00 we execute the first ten gadgets of the copy chain in full emulation mode (`-n 10`), which also writes the resulting hardware context to `/tmp/20_hwcontext.json`. In Example 0x01 we resume execution from a given gadget (gadget number 10, `-G 10`) by loading the CPU context from a previous run (`-i /tmp/20_hwcontext.json`) generated as in the first example; note that the `-I`/`-S` values passed on resume are the address and stack slot of gadget 10 as reported by the earlier run, and that the emulator continues from that saved state rather than re-executing gadgets 1–9.

Example 0x00

	02:15:56 emdel -> time python vol.py ropemu -f ../rop_dumps/0/rkrop_pmem_raw_0x00.ram --profile Linuxubuntu-serverx64x64 -o /tmp/20 -I 0xffffffff816a9438 -S 0xffff88001b800000 -n 10 --dtb=62967808
	Volatility Foundation Volatility Framework 2.3.1
	[+] Initial IP: 0xffffffff816a9438
	[+] Initial SP: 0xffff88001b800000
	[+] Gadget 1 at 0xffff88001b800000
		 | 0xffffffff816a9438   | ret  
	[+] Gadget 2 at 0xffff88001b800008
		 | 0xffffffff8100a4de   | pop rax 
		 | 0xffffffff8100a4df   | ret  
	[+] Gadget 3 at 0xffff88001b800018
		 | 0xffffffff8115c832   | mov qword ptr [rax], rdx 
		 | 0xffffffff8115c835   | ret  
	[+] Gadget 4 at 0xffff88001b800020
		 | 0xffffffff8100a4de   | pop rax 
		 | 0xffffffff8100a4df   | ret  
	[+] Gadget 5 at 0xffff88001b800030
		 | 0xffffffff81060147   | mov rdx, rcx 
		 | 0xffffffff8106014a   | ret  
	[+] Gadget 6 at 0xffff88001b800038
		 | 0xffffffff8115c832   | mov qword ptr [rax], rdx 
		 | 0xffffffff8115c835   | ret  
	[+] Gadget 7 at 0xffff88001b800040
		 | 0xffffffff810051ae   | pop rcx 
		 | 0xffffffff810051af   | ret  
	[+] Gadget 8 at 0xffff88001b800050
		 | 0xffffffff812ce029   | pop rdx 
		 | 0xffffffff812ce02a   | ret  
	[+] Gadget 9 at 0xffff88001b800060
		 | 0xffffffff81352d33   | add rsp, 0x10 
		 | 0xffffffff81352d37   | ret  
	[+] Gadget 10 at 0xffff88001b800078
		 | 0xffffffff8143bc09   | sub rsp, 8 
		 | 0xffffffff8143bc0d   | call rdx 

	[+] /tmp/20_hwcontext.json generated


	real    0m2.112s
	user    0m1.956s
	sys     0m0.136s

Example 0x01

	03:10:51 emdel -> time python vol.py ropemu -f ../rop_dumps/0/rkrop_pmem_raw_0x00.ram --profile Linuxubuntu-serverx64x64 -o /tmp/lol -I 0xffffffff8143bc09 -S 0xffff88001b800078 -n 21 -G 10 -i /tmp/20_hwcontext.json --dtb=62967808
	Volatility Foundation Volatility Framework 2.3.1
	[+] Initial IP: 0xffffffff8143bc09
	[+] Initial SP: 0xffff88001b800078
	[+] Loading hardware context from: /tmp/20_hwcontext.json
	[+] Gadget 10 at 0xffff88001b800078
		 | 0xffffffff8143bc09   | sub rsp, 8 
		 | 0xffffffff8143bc0d   | call rdx 
	[+] Gadget 11 at 0xffff88001b800068
		 | 0xffffffff81626b6e   | mov rdx, rbx 
		 | 0xffffffff81626b71   | call rcx 
	[+] Gadget 12 at 0xffff88001b800060
		 | 0xffffffff816a9434   | add rsp, 0x38 
		 | 0xffffffff816a9438   | ret  
	[+] Gadget 13 at 0xffff88001b8000a0
		 | 0xffffffff8100a4de   | pop rax 
		 | 0xffffffff8100a4df   | ret  
	[+] Gadget 14 at 0xffff88001b8000b0
		 | 0xffffffff8115c832   | mov qword ptr [rax], rdx 
		 | 0xffffffff8115c835   | ret  
	[+] Gadget 15 at 0xffff88001b8000b8
		 | 0xffffffff812ca859   | pop rbx 
		 | 0xffffffff812ca85a   | ret  
	[+] Gadget 16 at 0xffff88001b8000c8
		 | 0xffffffff812ce029   | pop rdx 
		 | 0xffffffff812ce02a   | ret  
	[+] Gadget 17 at 0xffff88001b8000d8
		 | 0xffffffff81352d33   | add rsp, 0x10 
		 | 0xffffffff81352d37   | ret  
	[+] Gadget 18 at 0xffff88001b8000f0
		 | 0xffffffff8143bc09   | sub rsp, 8 
		 | 0xffffffff8143bc0d   | call rdx 
	[+] Gadget 19 at 0xffff88001b8000e0
		 | 0xffffffff815852e3   | mov rdx, rsi 
		 | 0xffffffff815852e6   | mov esi, r8d 
		 | 0xffffffff815852e9   | call rbx 
	[+] Gadget 20 at 0xffff88001b8000d8
		 | 0xffffffff816a9434   | add rsp, 0x38 
		 | 0xffffffff816a9438   | ret  
	[+] Gadget 21 at 0xffff88001b800118
		 | 0xffffffff8100a4de   | pop rax 
		 | 0xffffffff8100a4df   | ret  

	[+] /tmp/lol_hwcontext.json generated


	real    0m2.149s
	user    0m1.972s
	sys     0m0.172s

JSON Trace example:

The first two gadgets of /tmp/20_hwcontext.json. Each entry is keyed by the stack slot of the gadget and its sequence number (e.g. `"0xffff88001b800000-1"`), then by the address of each instruction, then by the instruction text; the register values recorded under an instruction are the CPU state *after* that instruction executed (after the `ret` at `0xffffffff816a9438`, `RSP` has already advanced to `0xffff88001b800008` and `RIP` points at the next gadget, `0xffffffff8100a4de`). In this run all general-purpose registers start at zero, so values such as `EFLAGS` only become meaningful once the chain has set them — when reviewing a trace, treat the initial zeros as emulator defaults rather than as state captured from the victim machine, unless a saved context was loaded with `-i`:

              {
	  "0xffff88001b800000-1": {
	    "0xffffffff816a9438": {
	      "ret ": {
		"EAX": "0x0", 
		"EBP": "0x0", 
		"EBX": "0x0", 
		"ECX": "0x0", 
		"EDI": "0x0", 
		"EDX": "0x0", 
		"EFLAGS": "0x0", 
		"ESI": "0x0", 
		"RAX": "0x0", 
		"RBP": "0x0", 
		"RBX": "0x0", 
		"RCX": "0x0", 
		"RDI": "0x0", 
		"RDX": "0x0", 
		"RSI": "0x0", 
		"R8": "0x0", 
		"R9": "0x0", 
		"R10": "0x0", 
		"R11": "0x0", 
		"R12": "0x0", 
		"R13": "0x0", 
		"R14": "0x0", 
		"R15": "0x0", 
		"RSP": "0xffff88001b800008", 
		"ESP": "0x1b800008", 
		"RIP": "0xffffffff8100a4de", 
		"EIP": "0x8100a4de"
	      }
	    }
	  }, 
	  "0xffff88001b800008-2": {
	    "0xffffffff8100a4de": {
	      "pop rax": {
		"EAX": "0x1bc00000", 
		"EBP": "0x0", 
		"EBX": "0x0", 
		"ECX": "0x0", 
		"EDI": "0x0", 
		"EDX": "0x0", 
		"EFLAGS": "0x0", 
		"ESI": "0x0", 
		"RAX": "0xffff88001bc00000", 
		"RBP": "0x0", 
		"RBX": "0x0", 
		"RCX": "0x0", 
		"RDI": "0x0", 
		"RDX": "0x0", 
		"RSI": "0x0", 
		"R8": "0x0", 
		"R9": "0x0", 
		"R10": "0x0", 
		"R11": "0x0", 
		"R12": "0x0", 
		"R13": "0x0", 
		"R14": "0x0", 
		"R15": "0x0", 
		"RSP": "0xffff88001b800010", 
		"ESP": "0x1b800010", 
		"RIP": "0xffffffff8100a4df", 
		"EIP": "0x8100a4df"
	      }
	    }, 
	    "0xffffffff8100a4df": {
	      "ret ": {
		"EAX": "0x1bc00000", 
		"EBP": "0x0", 
		"EBX": "0x0", 
		"ECX": "0x0", 
		"EDI": "0x0", 
		"EDX": "0x0", 
		"EFLAGS": "0x0", 
		"ESI": "0x0", 
		"RAX": "0xffff88001bc00000", 
		"RBP": "0x0", 
		"RBX": "0x0", 
		"RCX": "0x0", 
		"RDI": "0x0", 
		"RDX": "0x0", 
		"RSI": "0x0", 
		"R8": "0x0", 
		"R9": "0x0", 
		"R10": "0x0", 
		"R11": "0x0", 
		"R12": "0x0", 
		"R13": "0x0", 
		"R14": "0x0", 
		"R15": "0x0", 
		"RSP": "0xffff88001b800018", 
		"ESP": "0x1b800018", 
		"RIP": "0xffffffff8115c832", 
		"EIP": "0x8115c832"
	      }
	    }
	  }, 
              ...
