rp-bf：一款Windows下辅助进行ROP gadgets搜索的Rust库

git clone https://github.com/yrp604/bochscpu.git

cargo build --release

git clone https://github.com/0vercl0k/rp-bf.rs.git

cargo build --release

pub trait Finder {    fn pre(&mut self, emu: &mut Emu, candidate: u64) -> Result<()>;    fn post(&mut self, emu: &Emu) -> Result<bool>;}

pub fn explore(opts: &Opts, finder: &mut dyn Finder, ui: &mut dyn ui::Ui) -> Result<Vec<Candidate>> {    // ...    for (mem_address, mem_block) in dump.mem_blocks() {        // ...        'outer: for candidate in mem_block.range.start..mem_block.range.end {            // ...            // Invoke the `pre` callback to set-up state.            trace!("Trying out {candidate:#x}");            finder.pre(&mut emu, candidate)?;            // Run the emulation with the candidate.            let (res, stats) = emu.run()?;            how_many_total += 1;            // We found a candidate if it lead to a crash & the `post` condition            // returned `true`.            let crashed = matches!(res, TestcaseResult::Crash);            let found_candidate = crashed && finder.post(&emu)?;            // ...            emu.restore()?;            // ...        }    }}

pub trait Finder {    fn pre(&mut self, emu: &mut Emu, candidate: u64) -> anyhow::Result<()>;    fn post(&mut self, emu: &Emu) -> anyhow::Result<bool>;}

impl Finder for Pwn2OwnMiami2022_2 {    fn pre(&mut self, emu: &mut Emu, candidate: u64) -> Result<()> {        // Here, we continue where we left off after the gadget found in |miami1|,        // where we went from constrained arbitrary call, to unconstrained arbitrary        // call. At this point, we want to pivot the stack to our heap chunk.        //        // ```        // (1de8.1f6c): Access violation - code c0000005 (first/second chance not available)        // For analysis of this file, run !analyze -v        // mfc140u!_guard_dispatch_icall_nop:        // 00007ffd`57427190 ffe0            jmp     rax {deadbeef`baadc0de}        //        // 0:011> dqs @rcx        // 00000000`1970bf00  00000001`400aed08 GenBroker64+0xaed08        // 00000000`1970bf08  bbbbbbbb`bbbbbbbb        // 00000000`1970bf10  deadbeef`baadc0de <-- this is where @rax comes from        // 00000000`1970bf18  61616161`61616161        // ```        self.rcx_before = emu.rcx();        // Fix-up @rax with the candidate address.        emu.set_rax(candidate);        // Fix-up the buffer, where the address of the candidate would be if we were        // executing it after |miami1|.        let size_of_u64 = std::mem::size_of::<u64>() as u64;        let second_qword = size_of_u64 * 2;        emu.virt_write(Gva::from(self.rcx_before + second_qword), &candidate)?;        // Overwrite the buffer we control with the `MARKER_PAGE_ADDR`. Skip the first 3        // qwords, because the first and third ones are already used to hijack flow        // and the second we skip it as it makes things easier.        for qword_idx in 3..18 {            let byte_idx = qword_idx * size_of_u64;            emu.virt_write(                Gva::from(self.rcx_before + byte_idx),                &MARKER_PAGE_ADDR.u64(),            )?;        }        Ok(())    }    // ...}

impl Finder for Pwn2OwnMiami2022_2 {    // ...    fn post(&mut self, emu: &Emu) -> Result<bool> {        // Let's check if we pivoted into our buffer AND that we also are able to        // start a ROP chain.        let wanted_landing_start = self.rcx_before + 0x18;        let wanted_landing_end = self.rcx_before + 0x90;        let pivoted = has_stack_pivoted_in_range(emu, wanted_landing_start..=wanted_landing_end);        let mask = 0xffffffff_ffff0000;        let rip = emu.rip();        let rip_has_marker = (rip & mask) == (MARKER_PAGE_ADDR.u64() & mask);        let is_interesting = pivoted && rip_has_marker;        Ok(is_interesting)    }}