linux-rootkit

Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)

commit 6ae3193dd749a75190f3abd7041d61d4041a57aa
parent ab42aeefe4ff9a31e5fe072f6d3ad9045f17ce1f
Author: deurzen <m.deurzen@tum.de>
Date:   Mon, 25 Jan 2021 10:46:06 +0100

adds debug info

Diffstat:
Mmem_forensics/memcheck-gdb.py | 20+++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/mem_forensics/memcheck-gdb.py b/mem_forensics/memcheck-gdb.py
@@ -781,6 +781,8 @@ class RkCheckFunctions(gdb.Command):
 def compare_functions(self):
 global v_off_g
+ zerofonef = 0
+
 for (name, addr), (size, elf) in self.code_dict.items():
 try:
 live = gdb.selected_inferior().read_memory(addr, size)
@@ -832,7 +834,7 @@ class RkCheckFunctions(gdb.Command):
 elf_base = int("0x" + elf[i+2:i+4] + elf[i:i+2], 16)
 live_base = int("0x" + live[i+2:i+4] + live[i:i+2], 16)
- print(name, "i:", i, "ELF:" , hex(elf_base), "LIVE:", hex(live_base))
+ # print(name, "i:", i, "ELF:" , hex(elf_base), "LIVE:", hex(live_base))
 # KASLR offset has not yet been applied
 if elf_base + off == live_base:
@@ -850,7 +852,17 @@ class RkCheckFunctions(gdb.Command):
 i += 2
 continue
+ # pattern: call -> nop
+ if elf[i:i+4] == "e8" and live[i:i+2] == "0f01":
+ print("e8-ef01 FOUND:", name)
+ zerofonef += 1
+ i += 5
+ continue
+
+ # pattern: nop -> jmp
 if elf[i:i+4] == "0f1f" and live[i:i+2] == "e9":
+ print("0f1f-e9 FOUND:", name)
+ zerofonef += 1
 i += 5
 continue
@@ -862,11 +874,13 @@ class RkCheckFunctions(gdb.Command):
 if resolved:
 self.same_count += 1
 else:
- print(f"function `{name}` compromised, live bytes not equal to ELF bytes")
- print(f"excluded: {to_exclude}, expected: {elf}, live: {live}")
+ # print(f"function `{name}` compromised, live bytes not equal to ELF bytes")
+ # print(f"excluded: {to_exclude}, expected: {elf}, live: {live}")
 self.diff_count += 1
+ print("ZEROFONEF", zerofonef)
+
 def get_v_addr(self, symbol):
 try:
 return gdb.execute(f"x {symbol}", to_string=True).split(" ")[0]
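Review bot: `zerofonef` tells a reader nothing about what is being counted; from the later hunk it tallies the code sites that differ from the ELF only by a recognised call/nop or nop/jmp rewrite, so a name such as `patched_site_count = 0` with a one-line comment (`# sites where live code differs from the ELF only by a known in-kernel code rewrite`) would make the final summary line intelligible. If this count is meant to be part of the check's result rather than one-off debugging, it presumably belongs on `self` next to `same_count` and `diff_count` so callers can read it. The rest of compare_functions lies outside this hunk.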
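Review bot: The new call -> nop branch can never match: `elf[i:i+4]` is a four-character slice compared against the two-character `"e8"`, and `live[i:i+2]` a two-character slice compared against `"0f01"`, so both operands of the `and` are false for every i (the existing nop -> jmp line below reads four characters for `"0f1f"` and two for `"e9"`). The slice widths look swapped; the intended test is presumably `if elf[i:i+2] == "e8" and live[i:i+4] == "0f01":`. The byte pattern itself should also be double-checked, since `0f 01` is not a NOP encoding and the print label says `e8-ef01` while the code compares `0f01` — if this is meant to catch a 5-byte `call` replaced by the kernel's 5-byte NOP, the live bytes would start `0f 1f` like the other branch. Because i indexes hex characters (`elf[i:i+2]` reads one byte), the copied `i += 5` leaves i on an odd offset after a match, and a 5-byte instruction would be `i += 10`. The enclosing loop begins in the first hunk, outside this one.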
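Review bot: Commenting out the two report lines in the `else` branch means a function whose live bytes disagree with the ELF is now only counted in `self.diff_count` and never named, which removes the output a forensic user actually needs from this check; keep the line that names the function and, if the byte dump is too noisy, gate only the `expected/live` dump behind a verbosity flag instead. Commented-out code should be deleted rather than left in place, since git history already preserves it. The indentation of `print("ZEROFONEF", zerofonef)` cannot be recovered from the collapsed hunk; if it sits inside the `for` loop it prints once per function rather than once as a summary, and a total belongs after the loop next to the same/diff counts. The body of compare_functions starts in an earlier hunk.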