1.前言
这是之前自己挖漏洞时写着用的一款小工具,主要是为了方便:拿到一个要分析的程序后,能直接分析其加载的 libc、架构、端序等信息,并根据自定义的 sink 找出程序及其加载的 libc 中的所有引用,查看再次封装的函数等;需要安装 radare2 以及 r2pipe 依赖。
2.代码
import argparse import r2pipe import subprocess import json def get_dynamic_libraries(r2, file_system_path): libraries = [] libs = r2.cmdj('ilj') for lib in libs: library = get_path_by_filename(lib, file_system_path) libraries.append(library) return libraries def get_path_by_filename(filename, file_system_path): output = subprocess.check_output(['find', file_system_path, '-name', filename]).decode('utf-8') for line in output.split('\n'): if line: return line def get_referencing_functions(r2, filename, target_symbols): referencing_functions = [] r2.cmd('aaa') # 执行初始分析 functions = r2.cmdj('aflj') for function in functions: function_name = function['name'] if any(symbol in function_name for symbol in target_symbols): refs = r2.cmdj(f"axtj {function_name}") for ref in refs: ref_address = ref['from'] ref_functions = r2.cmdj(f"afij {ref_address}") if ref_functions: ref_function = ref_functions[0] ref_function_name = ref_function['name'] ref_function_disassembly = r2.cmd(f"pdf @ {ref_function_name}") referencing_functions.append((ref_function_name, ref_function_disassembly, function_name, filename)) return referencing_functions def find_referencing_functions_in_libraries(main_program, libraries, target_symbols): referencing_functions = [] print("Load Program") print(f"Program Name: {main_program}") r2_main = r2pipe.open(main_program) # 获取程序的架构和端序 program_architecture = get_architecture(r2_main) program_endian = get_endian(r2_main) print(f"Program Architecture: {program_architecture}") print(f"Program Endian: {program_endian}") print("------------------------------------------------------------") main_program_referencing_functions = get_referencing_functions(r2_main, main_program, target_symbols) referencing_functions.extend(main_program_referencing_functions) r2_main.quit() print("Load Libraries") for library in libraries: print(f"Library Name: {library}") r2_lib = r2pipe.open(library) # 获取库的架构和端序 libc_architecture = get_architecture(r2_lib) libc_endian = 
get_endian(r2_lib) print(f"Library Architecture: {libc_architecture}") print(f"Library Endian: {libc_endian}") print("------------------------------------------------------------") library_referencing_functions = get_referencing_functions(r2_lib, library, target_symbols) referencing_functions.extend(library_referencing_functions) r2_lib.quit() return referencing_functions def get_architecture(r2fd): info = json.loads(r2fd.cmd('iIj')) return info["arch"] def get_endian(r2fd): info = json.loads(r2fd.cmd('iIj')) return info["endian"] if __name__ == "__main__": parser = argparse.ArgumentParser(description='Find referencing functions in a program and libraries.') parser.add_argument('-p', '--program', type=str, help='Path to the main program') parser.add_argument('-f', '--filesystem', type=str, help='Path to the file system') parser.add_argument('-s', '--symbols', type=str, help='Target symbols (comma-separated)', default='system,execve,popen') parser.add_argument('-d', '--disassembly', type=int, help='Print disassembly information (0 or 1)', default=0) args = parser.parse_args() if not args.program or not args.filesystem: parser.print_help() exit() main_program = args.program file_system_path = args.filesystem target_symbols = args.symbols.split(',') print_disassembly = bool(args.disassembly) r2 = r2pipe.open(main_program) libraries = get_dynamic_libraries(r2, file_system_path) r2.quit() referencing_functions = find_referencing_functions_in_libraries(main_program, libraries, target_symbols) unique_functions = set((function_name, symbol, filename) for function_name, _, symbol, filename in referencing_functions) print("Referencing Functions in Main Program:") for function_name, symbol, filename in unique_functions: if filename == main_program: print(f"File: (unknown)") print(f"Symbol: {symbol}") print(f"Function: {function_name}") print("------------------------------------------------------------") print("Referencing Functions in Libraries:") for function_name, symbol, 
filename in unique_functions: if filename != main_program: print(f"File: (unknown)") print(f"Symbol: {symbol}") print(f"Function: {function_name}") print("------------------------------------------------------------") if print_disassembly: for ref_function_name, ref_function_disassembly, _, _ in referencing_functions: print(f"Referenced by: {ref_function_name}") print(f"Disassembly:\n{ref_function_disassembly}") print("------------------------------------------------------------")
3.效果及用法
4.总结
希望对兄弟们有一点帮助
原文始发于微信公众号(小黑说安全):IOT二进制漏洞挖掘小工具
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。