import pytest
from shellblocks.shellcode_step import ShellcodeStep
from shellblocks.primitives.jump_hook import ShellcodePrimitiveJumpHook
from shellblocks.primitives.goto import ShellcodePrimitiveGoto
from shellblocks.primitives.memset import ShellcodePrimitiveMemset
SECTOR_SIZE = 0x2000  # module-level constant; nothing in this file reads it
def generate_memset_to_goto(temp_dir_path,
                            shellcode_address,
                            compiler_arch,
                            jump_hook_goto,
                            jump_hook_location):
    """Build the reference bytes a JUMPHOOK primitive is expected to match.

    Two single-primitive steps are generated in sequence: a GOTO primitive
    aimed at ``jump_hook_goto`` whose output bytes are captured, and then a
    MEMSET primitive that places those captured bytes at
    ``jump_hook_location``.  The bytes of the second step are returned.

    Both steps share the nickname "first_step", so the second ``generate``
    call writes to the same path as the first; the GOTO bytes are read back
    before that happens, so nothing is lost.

    Args:
        temp_dir_path: directory that step outputs are generated into.
        shellcode_address: value passed as ``base_address`` to every step.
        compiler_arch: architecture value handed to ``ShellcodeStep.generate``.
        jump_hook_goto: address given to the GOTO primitive.
        jump_hook_location: address given to the MEMSET primitive.

    Returns:
        The bytes read back from the generated MEMSET step.
    """

    def _generate_single(primitive):
        # Every step in this helper has the same shape: one primitive, the
        # same positional 0x1000 argument, and base_address=shellcode_address.
        single_step = ShellcodeStep(
            "first_step",
            [primitive],
            0x1000,
            base_address=shellcode_address,
        )
        generated = single_step.generate(
            temp_dir_path / single_step.nickname, compiler_arch
        )
        return generated.read_bytes()

    goto_bytes = _generate_single(
        ShellcodePrimitiveGoto("jump_next_stage", jump_hook_goto)
    )
    return _generate_single(
        ShellcodePrimitiveMemset(
            "set_jump_next_stage", jump_hook_location, goto_bytes
        )
    )
@pytest.mark.parametrize('shellcode_run_addr', [
    0x82000010,
    0xbc100010,
    0x91100118,
])
@pytest.mark.parametrize('jump_hook_location', [
    0xbc000010,
    0x91000118,
])
@pytest.mark.parametrize('jump_hook_goto', [
    0x81002020,
    0xbcf00070,
    0x910f0218,
])
def test_jump_hook_sanity(
    temp_dir_path,
    compiler_arch,
    shellcode_run_addr,
    jump_hook_location,
    jump_hook_goto
):
    """Check that a JUMPHOOK primitive yields the same bytes as MEMSET-of-GOTO.

    The reference bytes come from ``generate_memset_to_goto``; the candidate
    bytes come from a single-primitive step holding a
    ``ShellcodePrimitiveJumpHook`` with the same location and target.  Both
    are generated with the same base address, positional 0x1000 argument and
    nickname, and must be byte-identical.

    ``temp_dir_path`` and ``compiler_arch`` are pytest fixtures defined
    outside this file.
    """
    base_address = 0xbfc00000
    # NOTE(review): shellcode_run_addr is parametrized but never read; the base
    # address is fixed above, so its three values only multiply the run count.
    # Confirm whether it was meant to drive base_address.

    expected_bytes = generate_memset_to_goto(
        temp_dir_path,
        base_address,
        compiler_arch,
        jump_hook_goto,
        jump_hook_location,
    )

    hook_primitive = ShellcodePrimitiveJumpHook(
        "hook_next_stage", jump_hook_location, jump_hook_goto
    )
    hook_step = ShellcodeStep(
        "first_step",
        [hook_primitive],
        0x1000,
        base_address=base_address,
    )
    # Same output path as the reference steps; their bytes were already read.
    produced_bytes = hook_step.generate(
        temp_dir_path / hook_step.nickname, compiler_arch
    ).read_bytes()

    assert produced_bytes == expected_bytes