Changeset 1633

Timestamp:

06/21/08 20:17:58 (4 months ago)

Author:

till

Message:

honeytrap
- reworked emu plugin

Files:

• honeytrap/trunk/ChangeLog (modified) (1 diff)
• honeytrap/trunk/src/ctrl.c (modified) (1 diff)
• honeytrap/trunk/src/modules/htm_cpuEmu.c (modified) (6 diffs)
• honeytrap/trunk/src/modules/htm_cpuEmu.h (modified) (1 diff)
• honeytrap/trunk/src/nfqmon.c (modified) (1 diff)
• honeytrap/trunk/src/nfqmon.h (modified) (1 diff)

honeytrap/trunk/ChangeLog

@@ -6 +6 @@
-- reworked NFQ stream monitor hooking to prevent unbinding errors
-- hex2bin tool: Command line switch for byte order swapping added
+- reworked emu plugin
-Version 1.0.0
-- Improved configure script

honeytrap/trunk/src/ctrl.c

@@ -1 +1 @@
-/* ctrl.c
-7
+8
- *
- * This file is free software; as a special exception the author gives

honeytrap/trunk/src/modules/htm_cpuEmu.c

@@ -1 +1 @@
-/* htm_cpuEmu.c
-
+-2008
- *
- * This file is free software; as a special exception the author gives
@@ -26 +26 @@
-#include <netdb.h>
-#include <sys/socket.h>
+#include <stdarg.h>
-#include <stdio.h>
+
+#include <sys/types.h>
+#include <sys/wait.h>
-
-#include <honeytrap.h>
@@ -40 +44 @@
-#include <emu/emu_memory.h>
-#include <emu/emu_cpu.h>
+#include <emu/emu_cpu_data.h>
+#include <emu/emu_log.h>
+#include <emu/emu_hashtable.h>
+#include <emu/emu_shellcode.h>
+#include <emu/environment/emu_env.h>
-#include <emu/environment/win32/emu_env_w32.h>
-//#include <emu/environment/win32/emu_env_w32_dll
-//#include <emu/environment/win32/emu_env_w32_dll_export
+#include <emu/environment/win32/emu_env_w32_dll_export
+#include <emu/environment/win32/env_w32_dll_export_kernel32_hooks
-#include <emu/emu_getpc.h>
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-void plugin_init(void) {
-        plugin_register_hooks();
+
+        if ((elog = emu_log_new()) == NULL){
+                logmsg(LOG_ERR, 1, "CPU Emulation Error - Unable to initialize logging.\n");
+                exit(EXIT_FAILURE);
+        }
+        emu_log_set_logcb(elog, logmsg_emu);
+
-        return;
-}
@@ -55 +89 @@
-void plugin_unload(void) {
-        unhook(PPRIO_ANALYZE, module_name, "find_shellcode");
+
+        emu_log_free(elog);
+
-        return;
-}
@@ -65 +102 @@
-}
-
+
+void logmsg_emu(struct emu *e, enum emu_log_level level, const char *msg) {
+        s_log_level loglevel    = LL_OFF;
+
+        switch (level) {
+        case EMU_LOG_INFO:
+                loglevel        = LL_NOISY;
+                break;
+        case EMU_LOG_DEBUG:
+                loglevel        = LL_DEBUG;
+                break;
+        case EMU_LOG_NONE:
+        default:
+                break;
+        }
+        logmsg(loglevel, 1, "CPU Emulation - CPU reports: %s.\n", msg);
+
+        return;
+}
+
+
-int find_shellcode(Attack *attack) {
-        struct emu *e = NULL;
@@ -71 +129 @@
-        /* no data - nothing todo */
-        if ((attack->a_conn.payload.size == 0) || (attack->a_conn.payload.data == NULL)) {
-e
+E
-                return(0);
-        }
-
-e
+E
-
-        if ((e = emu_new()) == NULL) {
-cpuEmu
+CPU Emulation
-                return(-1);
-        }
-
-emulation - Analyzing %d
+Emulation - Analyzing %u
-
-        if ((offset = emu_shellcode_test(e, (u_char *) attack->a_conn.payload.data, attack->a_conn.payload.size)) >= 0) {
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-                emu_free(e);
-                return(1);
-        }
-
-
+
+
-        return(0);
-}
+
+
+// run detected asm code on emulated CPU
+int run(struct emu *e) {
+        int                     j, ret;
+        uint32_t                eipsave;
+        struct emu_cpu          *cpu = emu_cpu_get(e);
+        struct emu_env          *env = emu_env_new(e);
+
+        if (env == NULL) {
+                logmsg(LOG_ERR, 1, "CPU Emulation Error - %s.\n", emu_strerror(e));
+                return -1;
+        }
+
+        logmsg(LOG_NOISY, 1, "CPU Emulation - Preparing function hooks.\n");
+
+        emu_env_w32_export_hook(env, "ExitProcess", user_hook_ExitProcess, NULL);
+        emu_env_w32_export_hook(env, "ExitThread", user_hook_ExitThread, NULL);
+        emu_env_w32_export_hook(env, "CreateProcessA", user_hook_CreateProcess, NULL);
+        emu_env_w32_export_hook(env, "WaitForSingleObject", user_hook_WaitForSingleObject, NULL);
+
+        emu_env_w32_load_dll(env->env.win,"ws2_32.dll");
+        emu_env_w32_export_hook(env, "accept", user_hook_accept, NULL);
+        emu_env_w32_export_hook(env, "bind", user_hook_bind, NULL);
+        emu_env_w32_export_hook(env, "closesocket", user_hook_closesocket, NULL);
+        emu_env_w32_export_hook(env, "connect", user_hook_connect, NULL);
+        emu_env_w32_export_hook(env, "listen", user_hook_listen, NULL);
+        emu_env_w32_export_hook(env, "recv", user_hook_recv, NULL);
+        emu_env_w32_export_hook(env, "send", user_hook_send, NULL);
+        emu_env_w32_export_hook(env, "socket", user_hook_socket, NULL);
+        emu_env_w32_export_hook(env, "WSASocketA", user_hook_WSASocket, NULL);
+
+        opts.steps = 1000000;
+
+        // run the code
+        logmsg(LOG_NOISY, 1, "CPU Emulation - Running code...\n");
+
+        struct emu_hashtable *eh = NULL;
+        for (eipsave=0, j=0;j<opts.steps;j++ ) {
+                if (cpu->repeat_current_instr == false) eipsave = emu_cpu_eip_get(emu_cpu_get(e));
+
+                struct emu_env_hook *hook = NULL;
+
+                ret = 0;
+
+                if ((hook = emu_env_w32_eip_check(env)) != NULL) {
+                        if (hook->hook.win->fnhook == NULL) {
+                                logmsg(LOG_DEBUG, 1, "CPU Emulation - Unhooked call to %s.\n", hook->hook.win->fnname);
+                                break;
+                        }
+                } else {
+                        if ((ret = emu_cpu_parse(emu_cpu_get(e))) == -1) {
+                                logmsg(LOG_WARN, 1, "CPU Emulation Warning - CPU Error: %s", emu_strerror(e));
+                                break;
+                        }
+                        if (log_level == LOG_DEBUG) {
+                                emu_log_level_set(emu_logging_get(e),EMU_LOG_DEBUG);
+                                logDebug(e, "%s\n", cpu->instr_string);
+                                emu_log_level_set(emu_logging_get(e),EMU_LOG_NONE);
+                        }
+                }
+        }
+        if (eh != NULL) emu_hashtable_free(eh);
+
+        return 0;
+}
+
+
+// (W32 API) function hooks
+uint32_t user_hook_ExitProcess(struct emu_env *env, struct emu_env_hook *hook, ...) {
+        va_list vl;
+        int     exitcode;
+
+        va_start(vl, hook);
+
+        exitcode = va_arg(vl,  int);
+
+        va_end(vl);
+
+        logmsg(LOG_NOISY, 1, "CPU Emulation - Hooking ExitProcess() call.\n");
+
+        opts.steps = 0;
+        return 0;
+}
+
+
+uint32_t user_hook_ExitThread(struct emu_env *env, struct emu_env_hook *hook, ...) {
+        va_list vl;
+        int     exitcode;
+
+        va_start(vl, hook);
+
+        exitcode = va_arg(vl,  int);
+
+        va_end(vl);
+
+        logmsg(LOG_NOISY, 1, "CPU Emulation - Hooking ExitThread() call.\n");
+
+        opts.steps = 0;
+        return 0;
+
+}
+
+uint32_t user_hook_socket(struct emu_env *env, struct emu_env_hook *hook, ...) {
+        va_list         vl;
+        int             domain, type, protocol;
+
+        logmsg(LOG_NOISY, 1, "CPU Emulation - Hooking socket() call.\n");
+
+        va_start(vl, hook);
+
+        domain          = va_arg(vl, int);
+        type            = va_arg(vl, int);
+        protocol        = va_arg(vl, int);
+
+        va_end(vl);
+
+        return socket(domain, type, protocol);
+}
+
+
+
+uint32_t user_hook_bind(struct emu_env *env, struct emu_env_hook *hook, ...) {
+        va_list                 vl;
+        int                     s;
+        struct sockaddr         *saddr;
+        socklen_t               saddrlen;
+        struct sockaddr_in      *si;
+
+        logmsg(LOG_NOISY, 1, "CPU Emulation - Hooking bind() call.\n");
+
+        va_start(vl, hook);
+
+        s               = va_arg(vl, int);
+        saddr           = va_arg(vl, struct sockaddr *);
+        saddrlen        = va_arg(vl, socklen_t);
+
+        if (opts.override.bind.host != NULL) {
+                si                      = (struct sockaddr_in *) saddr;
+                si->sin_addr.s_addr     = inet_addr(opts.override.bind.host);
+        }
+
+        if (opts.override.connect.port > 0) {
+                si              = (struct sockaddr_in *) saddr;
+                si->sin_port    = htons(opts.override.bind.port);
+        }
+
+        va_end(vl);
+
+        return bind(s, saddr, saddrlen);
+}
+
+
+uint32_t user_hook_connect(struct emu_env *env, struct emu_env_hook *hook, ...) {
+        va_list                 vl;
+        int                     s;
+        struct sockaddr         *saddr;
+        struct sockaddr_in      *si;
+        socklen_t               saddrlen;
+
+        logmsg(LOG_NOISY, 1, "CPU Emulation - Hooking connect() call.\n");
+
+        va_start(vl, hook);
+
+        s       = va_arg(vl,  int);
+        saddr   = va_arg(vl,  struct sockaddr *);
+
+        if (opts.override.connect.host != NULL) {
+                si                      = (struct sockaddr_in *) saddr;
+                si->sin_addr.s_addr     = inet_addr(opts.override.connect.host);
+        }
+
+        if (opts.override.connect.port > 0) {
+                si              = (struct sockaddr_in *) saddr;
+                si->sin_port    = htons(opts.override.connect.port);
+        }
+
+        saddrlen = va_arg(vl,  socklen_t);
+
+        va_end(vl);
+
+        return connect(s, saddr, saddrlen);
+}
+
+uint32_t user_hook_WaitForSingleObject(struct emu_env *env, struct emu_env_hook *hook, ...) {
+        va_list vl;
+        int32_t hHandle;
+        int     status;
+
+        logmsg(LOG_NOISY, 1, "CPU Emulation - Hooking WaitForSingleObject() call.\n");
+
+        va_start(vl, hook);
+
+        hHandle = va_arg(vl, int32_t);
+        va_arg(vl, int32_t);
+
+        va_end(vl);
+
+        for(;;) {
+                if (waitpid(hHandle, &status, WNOHANG) != 0) break;
+                sleep(1);
+        }
+
+        return 0;
+}
+
+uint32_t user_hook_WSASocket(struct emu_env *env, struct emu_env_hook *hook, ...) {
+        va_list vl;
+        int     domain, type, protocol;
+
+        logmsg(LOG_NOISY, 1, "CPU Emulation - Hooking WSASocket() call.\n");
+
+        va_start(vl, hook);
+
+        domain          = va_arg(vl,  int);
+        type            = va_arg(vl,  int);
+        protocol        = va_arg(vl, int);
+        va_arg(vl, int);
+        va_arg(vl, int);
+        va_arg(vl, int);
+
+        va_end(vl);
+
+        return socket(domain, type, protocol);
+}
+
+uint32_t user_hook_CreateProcess(struct emu_env *env, struct emu_env_hook *hook, ...) {
+        va_list                 vl;
+        char                    *pszCmdLine;
+        STARTUPINFO             *psiStartInfo;
+        PROCESS_INFORMATION     *pProcInfo;
+
+        logmsg(LOG_NOISY, 1, "CPU Emulation - Hooking CreateProcess() call.\n");
+
+        va_start(vl, hook);
+
+        va_arg(vl, char *);     // pszImageName
+        pszCmdLine = va_arg(vl, char *);               
+        va_arg(vl, void *);     // psaProcess
+        va_arg(vl, void *);     // psaThread
+        va_arg(vl, char *);     // fInheritHandles
+        va_arg(vl, uint32_t);   // fdwCreate
+        va_arg(vl, void *);     // pvEnvironment
+        va_arg(vl, char *);     // pszCurDir
+        psiStartInfo    =  va_arg(vl, STARTUPINFO *);
+        pProcInfo       =  va_arg(vl, PROCESS_INFORMATION *); 
+
+        va_end(vl);
+
+        if (pszCmdLine && strncasecmp(pszCmdLine, "cmd", 3) == 0) {
+                pid_t pid;
+
+                logmsg(LOG_NOISY, 1, "CPU Emulation - Forking connection handler.\n");
+                if ((pid = fork()) == 0) {
+                        // child code
+                        dup2(psiStartInfo->hStdInput,  fileno(stdin));
+                        dup2(psiStartInfo->hStdOutput, fileno(stdout));
+                        dup2(psiStartInfo->hStdError,  fileno(stderr));
+
+                        system("/bin/sh -c \"cd ~/.wine/drive_c/; wine 'c:\\windows\\system32\\cmd_orig.exe' \"");
+                        
+                        exit(EXIT_SUCCESS);
+                } else {
+                        // parent code 
+                        pProcInfo->hProcess = pid;
+                }
+        }
+        return 1;
+}
+
+uint32_t user_hook_accept(struct emu_env *env, struct emu_env_hook *hook, ...) {
+        va_list         vl;
+        int             s;
+        struct sockaddr *saddr;
+        socklen_t       *saddrlen;
+        
+
+        logmsg(LOG_NOISY, 1, "CPU Emulation - Hooking accept() call.\n");
+
+        va_start(vl, hook);
+
+        s               = va_arg(vl,  int);
+        saddr           = va_arg(vl,  struct sockaddr *);
+        saddrlen        = va_arg(vl,  socklen_t *);
+
+        va_end(vl);
+
+        return accept(s, saddr, saddrlen);
+}
+
+uint32_t user_hook_closesocket(struct emu_env *env, struct emu_env_hook *hook, ...) {
+        va_list vl;
+        int s;
+
+        logmsg(LOG_NOISY, 1, "CPU Emulation - Hooking closesocket() call.\n");
+
+        va_start(vl, hook);
+
+        s = va_arg(vl,  int);
+
+        va_end(vl);
+
+        return close(s);
+}
+
+uint32_t user_hook_listen(struct emu_env *env, struct emu_env_hook *hook, ...) {
+        va_list vl;
+        int     s, backlog;
+
+        logmsg(LOG_NOISY, 1, "CPU Emulation - Hooking listen() call.\n");
+
+        va_start(vl, hook);
+
+        s       = va_arg(vl,  int);
+        backlog = va_arg(vl,  int);
+
+        va_end(vl);
+
+        return listen(s, backlog);
+}
+
+uint32_t user_hook_recv(struct emu_env *env, struct emu_env_hook *hook, ...) {
+        va_list vl;
+        int     s, len, flags;
+        char    *buf;
+
+        logmsg(LOG_NOISY, 1, "CPU Emulation - Hooking recv() call.\n");
+
+        va_start(vl, hook);
+
+        s       = va_arg(vl,  int);
+        buf     = va_arg(vl,  char *);
+        len     = va_arg(vl,  int);
+        flags   = va_arg(vl,  int);
+
+        va_end(vl);
+
+        return recv(s, buf, len,  flags);
+}
+
+uint32_t user_hook_send(struct emu_env *env, struct emu_env_hook *hook, ...) {
+        va_list vl;
+        int     s, len, flags;
+        char    *buf;
+
+        logmsg(LOG_NOISY, 1, "CPU Emulation - Hooking send() call.\n");
+
+        va_start(vl, hook);
+
+        s       = va_arg(vl,  int);
+        buf     = va_arg(vl,  char *);
+        len     = va_arg(vl,  int);
+        flags   = va_arg(vl,  int);
+
+        va_end(vl);
+
+        return send(s, buf, len,  flags);
+}
+
+uint32_t user_hook_exit(struct emu_env *env, struct emu_env_hook *hook, ...) {
+        va_list vl;
+        int     code;
+
+        logmsg(LOG_NOISY, 1, "CPU Emulation - Hooking exit() call.\n");
+
+        va_start(vl, hook);
+
+        code = va_arg(vl,  int);
+
+        va_end(vl);
+
+        opts.steps = 0;
+
+        return 0;
+}

honeytrap/trunk/src/modules/htm_cpuEmu.h

@@ -25 +25 @@
-
-
-/*
-static struct run_time_options {
-        int             verbose;
-        int             nasm_force;
-        uint32_t        steps;
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
-} opts;
-
-struct instr_test {
-        const char      *instr;
-        char            *code;
-        uint16_t        codesize;
-        struct {
-                uint32_t        reg[8];
-                uint32_t        mem_state[2];
-                uint32_t        eflags;
-        } in_state;
-        struct {
-                uint32_t        reg[8];
-                uint32_t        mem_state[2];
-                uint32_t        eflags;
-                uint32_t        eip;
-        } out_state;
-};
-*/
-
-void plugin_init(void);

honeytrap/trunk/src/nfqmon.c

@@ -1 +1 @@
-/* nfqmon.c
-7
+8
- *
- * This file is free software; as a special exception the author gives

honeytrap/trunk/src/nfqmon.h

@@ -1 +1 @@
-/* nfqmon.h
-
+-2008
- *
- * This file is free software; as a special exception the author gives