CN117195227A - Heterogeneous general software bug execution code construction method - Google Patents
Heterogeneous general software bug execution code construction method Download PDFInfo
- Publication number
- CN117195227A CN117195227A CN202311163847.7A CN202311163847A CN117195227A CN 117195227 A CN117195227 A CN 117195227A CN 202311163847 A CN202311163847 A CN 202311163847A CN 117195227 A CN117195227 A CN 117195227A
- Authority
- CN
- China
- Prior art keywords
- instruction
- jmp
- test
- architecture
- arc
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000010276 construction Methods 0.000 title claims abstract description 31
- 238000000034 method Methods 0.000 claims abstract description 35
- 238000006243 chemical reaction Methods 0.000 claims abstract description 15
- 238000012360 testing method Methods 0.000 claims description 150
- 230000006870 function Effects 0.000 claims description 15
- 238000011161 development Methods 0.000 claims description 8
- 230000009191 jumping Effects 0.000 claims description 4
- 238000003672 processing method Methods 0.000 claims description 3
- 230000007123 defense Effects 0.000 abstract description 4
- 230000007547 defect Effects 0.000 abstract description 3
- 238000001514 detection method Methods 0.000 abstract description 3
- 238000004458 analytical method Methods 0.000 abstract description 2
- 238000005516 engineering process Methods 0.000 description 11
- 238000013461 design Methods 0.000 description 3
- 230000007246 mechanism Effects 0.000 description 2
- 241000700605 Viruses Species 0.000 description 1
- 230000002155 anti-virotic effect Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 238000011084 recovery Methods 0.000 description 1
- 238000011160 research Methods 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Classifications
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Abstract
The invention discloses a heterogeneous general software bug execution code construction method, which comprises the following steps: determining the offset position of the jump of the software bug execution code in the running process according to the characteristics of different architecture machine codes; and (3) taking invalid instructions (such as loop, xor and other assembly instructions) in the architectures as slide instructions, so that normal jump is carried out according to different architectures when the codes are executed, and platform conversion is completed. And converting the obtained software bug execution codes into executable files. The method for constructing the universal software bug execution code can be applied to different host computer architectures, including a mainstream arm architecture, a mips architecture, an x86 architecture, an amd64 architecture and the like, overcomes the defect that the software bug execution code cannot be executed on different architectures, enhances the applicability and the universality of the software bug execution code, and provides support for software bug analysis and detection, especially security defense work of an operating system.
Description
Technical Field
The invention belongs to the technical field of information, and particularly relates to a heterogeneous general software bug execution code construction method.
Background
In the research field of attack and defense of a computer operating system, the construction of a general software bug execution code (hereinafter abbreviated as shellcode) is a very important technical means for analyzing the security of the computer operating system. shellcode typically exists in the form of binary program code designed to be executed in the memory of a computer system to perform certain operations. The development of shellcode technology can be traced to early computer virus and worm attacks. Over time, attack techniques against computer operating systems have become increasingly complex and difficult to detect. An attacker builds shellcode to exploit vulnerabilities in the computer operating system, thereby bypassing the security mechanism of the operating system and acquiring control rights of the operating system. shellcode technology can also be used to bypass security mechanisms such as firewalls, intrusion detection systems, antivirus software, and the like. shellcode technology also has its legal uses in the field of network space security, for example, network security researchers and system administrators can use shellcode technology to test the security and defensive measures of networks and systems to ensure the security of networks and systems. In addition, the shellcode technology can be also used in the fields of data encryption, data recovery, personal information protection and the like, and has important application value in reality. In summary, shellcode technology is a very important means of computer system security, which plays a very important role in both computer system attack and defense. Knowing the background and working principle of shellcode technology can help computer system security researchers to better protect computer system and ensure its security and stability.
Implementation and execution of shellcode technology typically requires that the attacker have considerable in-depth computer programming skills, especially operating system and underlying assembly language programming skills. In general, shellcode technology is very flexible and customized, and an attacker can write different shellcodes according to specific attack targets and operating system environments, so that the shellcode technology can be better adapted to attack scenes and the detected risk can be reduced.
In general, different platform frameworks require targeted shellcode construction because of the different instructions supported by the bottom layer. The existing shellcode technology does not support a multi-platform architecture and has insufficient generality. This results in a need to design the corresponding shellcode for different platforms, which is less efficient.
Disclosure of Invention
The invention aims to overcome at least one defect of the prior art and provides a heterogeneous general software bug execution code construction method.
The technical scheme adopted by the invention is as follows:
a heterogeneous general software bug execution code construction method comprises the following steps:
s1, generating different software bug execution codes under different architectures;
s2, finding a temporary slide instruction jmp_tmp [ arc ] of each framework, wherein the slide instruction is a jump instruction under the framework arc and is an invalid instruction under the non-arc framework, and the jump offset address in the temporary slide instruction is temporarily replaced by loc_tmp [ arc ];
s3, finding out actual offset addresses loc [ arc ] of software bug execution codes sc [ arc ] under different frameworks arc;
s4, replacing the loc_tmp [ arc ] in S2 with the loc [ arc ] in S3 to obtain a slide instruction jmp [ arc ] which can be practically applied, and splicing the jmp [ arc ] and sc [ arc ] which are finally obtained to obtain a final software bug execution code and converting the final software bug execution code into an executable file.
In some examples of the method for constructing the general software bug execution code, step S1 generates different software bug execution codes under different architectures through a shellleft function of a binary exploit development library pwntools in a standard Python library.
In some examples of the generic software bug execution code construction method, step S2 includes the steps of:
s21, designing a temporary skateboard instruction under an arm32 architecture;
s22, designing a temporary skateboard instruction under a mips architecture;
s23, designing a temporary skateboard instruction under an i386 architecture;
s24, designing a temporary skateboard instruction under an amd64 architecture;
s25, designing a method capable of jumping codes to offset positions of software bug execution codes under an arm64 architecture.
In some examples of the general software vulnerability execution code construction method, step S21 includes the steps of:
(1) Finding jump instructions of an arm32 architecture through an assembly instruction set of the arm32 architecture and a using method;
(2) Defining a jump instruction test set of an arm32 architecture, wherein the jump instruction test set comprises an arm32 architecture jump instruction, and the jump instruction test set ensures that the test instruction arm32 jmp test in the set normally runs under the arm32 architecture and jumps;
(3) The test instructions of the jump instruction test set arm32_jmp_test are sequentially fetched, the test instructions are converted into machine codes arm32_jmp_test_asm under the arm32 architecture, the machine codes arm32_jmp_test_asm are converted into assembly instructions other_discsm under the non-arm 32 architecture, and if the conversion is successful and the converted instructions are non-jump instructions, the arm32_jmp_test is output, and the temporary skateboard instruction set jmp_tmp [ ] is added.
In some examples of the generic software bug execution code construction method, step S22 includes the steps of:
(1) Finding a skip instruction of the mips architecture through an assembly instruction set of the mips architecture and a using method;
(2) Defining a skip instruction test set mips_jmp_tests of a mips architecture, wherein the skip instruction test set contains skip instructions of the mips architecture, and the test instructions arm32_jmp_tests in the set are ensured to normally run and skip under the mips architecture;
(3) And sequentially taking out test instructions mips_jmp_test in the jump instruction test set mips_jmp_test, converting the test instructions into machine codes mips_jmp_test_asm under a mips architecture, converting the machine codes mips_jmp_test_asm into assembly instructions other_discm under a non-mips architecture, outputting mips_jmp_test if the conversion is successful and the converted instructions are non-jump instructions, and adding the mips_jmp_test into a temporary skateboard instruction set jmp_tmp [ ].
In some examples of the general software vulnerability execution code construction method, step S23 includes the steps of:
(1) Finding a jump instruction of the i386 architecture through an assembly instruction set of the i386 architecture and a using method thereof;
(2) Defining a jump instruction test set i386_jmp_tests of an i386 architecture, wherein the set contains jump instructions of the i386 architecture, and the test instructions i386_jmp_tests in the set are ensured to normally run and jump under an arm32 architecture;
(3) The test instruction i386_jmp_test in the jump instruction test set i386_jmp_test is sequentially fetched, the test instruction is converted into a machine code i386_jmp_test_asm under the i386 architecture, the machine code i386_jmp_test_asm is converted into an assembly instruction other_discasm under the non-i 386 architecture, if the conversion is successful and the converted instruction is a non-jump instruction, i386_jmp_test is output, and the test instruction is added into the temporary skateboard instruction set jmp_tmp [ ].
In some examples of the generic software bug execution code construction method, step S24 includes the steps of:
the temporary slide instruction is designed differently according to the code segment register CS value used by the process under the i386 and amd64 architectures and added to the temporary slide instruction set jmp_tmp [ ].
In some examples of the generic software bug execution code construction method, step S25 includes the steps of:
(1) Designing a jump instruction, which is a jump instruction in arm32 and an invalid instruction in arm 64;
(2) Placing the software bug execution code of arm64 in the first of the sc [ arc ] sets, and if no jump instruction in jmp [ arc ] has occurred, automatically executing the software bug execution code of arm64 in instruction order.
In some examples of the generic software bug execution code construction method, step S3 includes the steps of:
s31, constructing a dictionary simulated jump instruction jmp_like [ arc ] for simulating a 4-byte jump instruction, and assigning the 4-byte jump instruction as a four-byte type character string;
s32, splicing a jmp_fake [ arc ] instruction and a sc [ arc ] instruction to obtain a shellcode_fake instruction; the first four bytes of the sc [ arc ] instruction are fetched and assigned to the arc_like [ arc ] instruction;
s33, finding the initial position of an arc_like instruction through a string processing method find () function built in Python, calculating the offset address loc [ arc ] of the initial position and a dictionary simulated jump instruction jmp_like [ arc ], and converting the result into 16 system;
s34, replacing main functions in the jmp [ arc ] obtained in the step S2 with loc [ arc ] instructions respectively to obtain a final skateboard instruction jmp [ arc ].
In some examples of the generic software bug execution code construction method, step S4 includes the steps of:
s41, converting a slide instruction jmp [ arc ] into machine codes under respective architecture arc, and splicing according to jmp [ arm32], jmp [ mips ], jmp [ i386], sc [ arm64], jmp [ amd64], sc [ i386], sc [ amd64], sc [ arm32] and sc [ mips ] to obtain heterogeneous general software bug execution codes shellcode;
s42, converting the shellcode into an ELF executable file format by using an ELF.from_bytes function of a binary exploit development library pwntools in a standard Python library.
The beneficial effects of the invention are as follows:
the construction method of some examples of the invention can be applied to different host computer architectures, including a mainstream arm architecture, a mips architecture, an x86 architecture, an amd64 architecture and the like, overcomes the defect that software bug execution codes cannot be executed on different architectures, enhances the applicability and universality of the software bug execution codes, and provides support for software bug analysis and detection, especially security defense work of an operating system.
Drawings
FIG. 1 is a flow chart of a method for constructing heterogeneous universal software bug execution codes.
FIG. 2 is a diagram of a screenshot of the output of a sled instruction under a find mips architecture in an embodiment of the present invention.
FIG. 3 is a flow chart of shellcode execution constructed in accordance with the present invention.
Detailed Description
A heterogeneous general software bug execution code construction method comprises the following steps:
s1, generating different software bug execution codes under different architectures;
s2, finding a temporary slide instruction jmp_tmp [ arc ] of each framework, wherein the slide instruction is a jump instruction under the framework arc and is an invalid instruction under the non-arc framework, and the jump offset address in the temporary slide instruction is temporarily replaced by loc_tmp [ arc ];
s3, finding out actual offset addresses loc [ arc ] of software bug execution codes sc [ arc ] under different frameworks arc;
s4, replacing the loc_tmp [ arc ] in S2 with the loc [ arc ] in S3 to obtain a slide instruction jmp [ arc ] which can be practically applied, and splicing the jmp [ arc ] and sc [ arc ] which are finally obtained to obtain a final software bug execution code and converting the final software bug execution code into an executable file.
In the present invention, the architecture arc is a generic term of each architecture. Illustratively, the sled instruction is a jump instruction in an arm architecture and is an invalidate instruction in a non-arm architecture.
In some examples of the method for constructing the general software bug execution code, step S1 generates different software bug execution codes under different architectures through a shellleft function of a binary exploit development library pwntools in a standard Python library. Other well-known methods may also be used to generate different software bug execution code under different architectures.
In some examples of the generic software bug execution code construction method, step S2 includes the steps of:
s21, designing a temporary skateboard instruction under an arm32 architecture;
s22, designing a temporary skateboard instruction under a mips architecture;
s23, designing a temporary skateboard instruction under an i386 architecture;
s24, designing a temporary skateboard instruction under an amd64 architecture;
s25, designing a method capable of jumping codes to offset positions of software bug execution codes under an arm64 architecture.
The specific steps can be correspondingly adjusted according to the condition of testing required, and temporary skateboard instructions under the required architecture are designed.
In some examples of the general software vulnerability execution code construction method, step S21 includes the steps of:
(1) Finding jump instructions of an arm32 architecture through an assembly instruction set of the arm32 architecture and a using method;
(2) Defining a jump instruction test set of an arm32 architecture, wherein the jump instruction test set comprises an arm32 architecture jump instruction, and the jump instruction test set ensures that the test instruction arm32 jmp test in the set normally runs under the arm32 architecture and jumps;
(3) The test instructions of the jump instruction test set arm32_jmp_test are sequentially fetched, the test instructions are converted into machine codes arm32_jmp_test_asm under the arm32 architecture, the machine codes arm32_jmp_test_asm are converted into assembly instructions other_discsm under the non-arm 32 architecture, and if the conversion is successful and the converted instructions are non-jump instructions, the arm32_jmp_test is output, and the temporary skateboard instruction set jmp_tmp [ ] is added.
In some examples of the generic software bug execution code construction method, step S22 includes the steps of:
(1) Finding a skip instruction of the mips architecture through an assembly instruction set of the mips architecture and a using method;
(2) Defining a skip instruction test set mips_jmp_tests of a mips architecture, wherein the skip instruction test set contains skip instructions of the mips architecture, and the test instructions arm32_jmp_tests in the set are ensured to normally run and skip under the mips architecture;
(3) And sequentially taking out test instructions mips_jmp_test in the jump instruction test set mips_jmp_test, converting the test instructions into machine codes mips_jmp_test_asm under a mips architecture, converting the machine codes mips_jmp_test_asm into assembly instructions other_discm under a non-mips architecture, outputting mips_jmp_test if the conversion is successful and the converted instructions are non-jump instructions, and adding the mips_jmp_test into a temporary skateboard instruction set jmp_tmp [ ].
In some examples of the general software vulnerability execution code construction method, step S23 includes the steps of:
(1) Finding a jump instruction of the i386 architecture through an assembly instruction set of the i386 architecture and a using method thereof;
(2) Defining a jump instruction test set i386_jmp_tests of an i386 architecture, wherein the set contains jump instructions of the i386 architecture, and the test instructions i386_jmp_tests in the set are ensured to normally run and jump under an arm32 architecture;
(3) The test instruction i386_jmp_test in the jump instruction test set i386_jmp_test is sequentially fetched, the test instruction is converted into a machine code i386_jmp_test_asm under the i386 architecture, the machine code i386_jmp_test_asm is converted into an assembly instruction other_discasm under the non-i 386 architecture, if the conversion is successful and the converted instruction is a non-jump instruction, i386_jmp_test is output, and the test instruction is added into the temporary skateboard instruction set jmp_tmp [ ].
In some examples of the generic software bug execution code construction method, step S24 includes the steps of:
the temporary slide instruction is designed differently according to the code segment register CS value used by the process under the i386 and amd64 architectures and added to the temporary slide instruction set jmp_tmp [ ].
In some examples of the generic software bug execution code construction method, step S25 includes the steps of:
(1) Designing a jump instruction, which is a jump instruction in arm32 and an invalid instruction in arm 64;
(2) Placing the software bug execution code of arm64 in the first of the sc [ arc ] sets, and if no jump instruction in jmp [ arc ] has occurred, automatically executing the software bug execution code of arm64 in instruction order.
In some examples of the generic software bug execution code construction method, step S3 includes the steps of:
s31, constructing a dictionary simulated jump instruction jmp_like [ arc ] for simulating a 4-byte jump instruction, and assigning the 4-byte jump instruction as a four-byte type character string;
s32, splicing a jmp_fake [ arc ] instruction and a sc [ arc ] instruction to obtain a shellcode_fake instruction; the first four bytes of the sc [ arc ] instruction are fetched and assigned to the arc_like [ arc ] instruction;
s33, finding the initial position of an arc_like instruction through a string processing method find () function built in Python, calculating the offset address loc [ arc ] of the initial position and a dictionary simulated jump instruction jmp_like [ arc ], and converting the result into 16 system;
s34, replacing main functions in the jmp [ arc ] obtained in the step S2 with loc [ arc ] instructions respectively to obtain a final skateboard instruction jmp [ arc ].
In some examples of the generic software bug execution code construction method, step S4 includes the steps of:
s41, converting a slide instruction jmp [ arc ] into machine codes under respective architecture arc, and splicing according to jmp [ arm32], jmp [ mips ], jmp [ i386], sc [ arm64], jmp [ amd64], sc [ i386], sc [ amd64], sc [ arm32] and sc [ mips ] to obtain heterogeneous general software bug execution codes shellcode;
s42, converting the shellcode into an ELF executable file format by using an ELF.from_bytes function of a binary exploit development library pwntools in a standard Python library.
The technical scheme of the invention is further described below by combining examples.
Examples
As shown in fig. 1, the method for constructing heterogeneous universal software bug execution code shellcode provided by the invention comprises the following steps:
s1, generating different software bug execution codes under each architecture. Step S1 generates different software bug execution codes under each architecture by using a shellleft function of a binary bug exploitation library pwntools in a standard Python library.
Taking shellcode under the amd64 architecture as an example, the code is generated as
sc['amd64']=shellcraft.amd64.sh(),arch='amd64'。
S2, finding a temporary slide instruction jmp_tmp [ arc ] of each architecture, wherein the slide instruction is a jump instruction under the architecture arc and is an invalid instruction under the architecture which is not arc. Wherein the offset address of the jump in the temporary slide command is temporarily replaced with loc_tmp [ arc ].
More specifically, step S2 includes the steps of:
s21, designing a skateboard instruction under an arm32 architecture.
Wherein S21 includes the following steps:
(1) Jump instructions of the arm32 architecture and methods of use are found through the assembler instruction set of the arm32 architecture.
(2) The jump instruction defining the arm32 architecture tests the set of arm32 jmp_tests, which contains the jump instruction of the arm32 architecture, to ensure that the test instruction arm32 jmp_test in the set runs normally under the arm32 architecture and jumps.
(3) The test instructions of the jump instruction test set arm32_jmp_test are sequentially fetched, the test instructions are converted into machine codes arm32_jmp_test_asm under the arm32 architecture, the machine codes arm32_jmp_test_asm are converted into assembly instructions other_discsm under the non-arm 32 architecture, and if the conversion is successful and the converted instructions are non-jump instructions, the arm32_jmp_test is output, and the temporary skateboard instruction set jmp_tmp [ ] is added.
S22, designing a skateboard instruction under a mips architecture.
Wherein, step S22 includes the following steps:
(1) Jump instructions of the mips architecture and methods of use are found through an assembler instruction set of the mips architecture.
(2) The jump instruction test set mips_jmp_tests of the mips architecture is defined, and the jump instruction of the mips architecture is contained in the set, so that the test instruction mips_jmp_tests in the set can be ensured to normally run and jump under the mips architecture.
(3) And sequentially taking out test instructions mips_jmp_test in the jump instruction test set mips_jmp_test, converting the test instructions into machine codes mips_jmp_test_asm under a mips architecture, converting the machine codes mips_jmp_test_asm into assembly instructions other_discm under a non-mips architecture, outputting mips_jmp_test if the conversion is successful and the converted instructions are non-jump instructions, and adding the mips_jmp_test into a temporary skateboard instruction set jmp_tmp [ ].
S23, designing a skateboard instruction under the i386 architecture.
Wherein, step S23 includes the following steps:
(1) The jump instruction of the i386 architecture and the using method are found through the assembler instruction set of the i386 architecture.
(2) The jump instruction test set i386_jmp_tests of the i386 architecture is defined, the jump instruction of the i386 architecture is contained in the set, and the test instruction i386_jmp_tests in the set are ensured to normally run under the i386 architecture and jump.
(3) The test instruction i386_jmp_test in the jump instruction test set i386_jmp_test is sequentially fetched, the test instruction is converted into a machine code i386_jmp_test_asm under the i386 architecture, the machine code i386_jmp_test_asm is converted into an assembly instruction other_discasm under the non-i 386 architecture, if the conversion is successful and the converted instruction is a non-jump instruction, i386_jmp_test is output, and the test instruction is added into the temporary skateboard instruction set jmp_tmp [ ].
Taking a design mips architecture for example, a sled instruction.
The jump instruction blez, j, beq, jal is first found by the assembler instruction set of the mips architecture.
Defining a test instruction mips_jmp_test, wherein mips_jmp_test is composed of the jump instruction in step S22 (1) and a tag, which represents a temporary offset address. Defining a jump instruction test set mips_jmp_tests of the architecture to be tested mips:
mips_jmp_tests=['blez$s4,main','j main','beq$s4,100,main','jal main']
the set contains the skip instruction of the structure mips to be tested, and the operation results of the instruction under the mips structure are all offset addresses for skipping to main labels.
The jump instruction mips jmp test in the jump instruction test set mips jmp test is fetched in sequence, and a tag main is added to the instruction to convert the jump instruction into an executable test instruction test. The conversion process is as follows.
And converting the test instruction into a machine code mips_jmp_test_asm under a framework to be tested, converting the machine code mips_jmp_test_asm into an assembly instruction other_discasm under a non-framework to be tested, outputting mips_jmp_test if the conversion is successful and the converted instruction is a non-jump instruction, and regarding the mips_jmp_test as a temporary skateboard instruction jmp_tmp [ mips ] under the mips framework. The output results are shown in fig. 2.
Taking a jump instruction blez$s4 and main under a mips architecture as an example, converting the jump instruction into a test instruction, then converting the test instruction into a machine code b '\x1a\x80\x00\x00', converting the machine code into an assembly instruction arm 32_discsm under an arm32 architecture, wherein the assembly instruction arm 32_discsm is an index r8, r0, sl and lsl r0, and converting the machine code into an assembly instruction i 386_discsm under an i386 architecture, wherein the assembly instruction i 386_discsm is an add BYTE PTR [ eax ],0x0, arm 32_discsm and i 386_discsm are legal non-jump instructions.
S24, designing a skateboard instruction under the amd64 architecture. The difference in the values of the code segment register CS is used by processes under the i386 and amd64 architectures, wherein in the i386 architecture the value of the code segment register CS is 0x23 and in the amd64 architecture the value of the code segment register CS is 0x33. The instruction to design jmp [ amd64] is to determine if the CS register is equal to 0x23, if not, jump to the offset position loc [ amd64] of sc [ amd64] and run sc [ amd64], otherwise execute sc [ i386] in order. Jmp [ amd64] is added to the skid instruction set jmp [ ].
Taking the following slide command jmp [ amd64] as an example:
jmp[amd64]=”'
mov eax,cs
mov ebx,0x23
sub eax,ebx
jnz x64
X86:
”'
s25, designing a method capable of jumping codes to offset positions of software bug execution codes under an arm64 architecture.
Wherein, step S25 includes the following steps:
(1) A sled instruction under the arm32 architecture is designed that is a jump instruction in arm32 and an invalidate instruction in arm 64.
Taking the jump instruction b main under the arm32 architecture as an example, a tag main is added to the instruction, which is converted into an executable test instruction, then the test instruction is converted into a machine code b '\xff\xff\xff\ xea', the machine code is converted into a bics xzr, xzr, xzr, ror#63 as an assembly instruction under an arm64 architecture, and is converted into a legal non-jump instruction as an assembly instruction under an i386 architecture. The jump instruction b main is a temporary sled instruction under the arm32 architecture that is added to the temporary sled instruction set jmp_tmp [ ].
(2) Placing the software bug execution code of arm64 in the first of the sc [ arc ] sets, and if none of the slide instructions in jmp [ arc ] jump, automatically executing the software bug execution code of arm64 in instruction order.
S3, finding out the actual offset address loc [ arc ] of the software bug execution code sc [ arc ] under different architectures arc.
Wherein, step S3 includes the following steps:
s31, constructing a dictionary simulated jump instruction jmp_tmp [ arc ] for simulating a 4-byte jump instruction, and assigning the 4-byte type character string.
The following assignments are taken as examples:
jmp_fake['arm']=b'arm_'
jmp_fake['mips']=b'mips'
jmp_fake['i386']=b'i386'
s32, splicing jmp_tmp [ arc ] instruction and sc [ arc ] instruction according to the sequence of jmp_fake [ 'arm' ] +jmp_fake [ 'mips' ] +jmp_fake [ 'i386' ] +sc [ 'arm64' ] +jmp_fake [ 'amd64' ] +sc [ 'i386' ] +sc [ 'amd64' ] +sc [ 'arm' ] +sc [ 'mips' ], and obtaining the shellcode_fake. The first four bytes of the sc [ arc ] instruction are fetched and assigned to arc_false.
The initial position of arc_fake is found through find function, the offset address loc [ arc ] of the initial position and the simulated jump instruction is calculated, and the result is converted into 16 scale.
In the form of arm_fake= "'hp \\x00\ \xe'", jmp_like [ 'arm' ] =b 'arm_'.
shellcode_tmp=
”'arm_mipsi386\\xeeE\\x8c\\xd2.\\xcd\\xad\\xf2\\xee\\hp\\x00\\xe”'
For example, the calculated offset address loc [ arm ] is 40, which translates to a 16 scale of 0x28.
And replacing the loc [ arc ] in S3 with the loc_tmp [ arc ] in S2 to obtain a practically applicable skateboard instruction jmp [ arc ]. With the examples of S3 and S2, the resulting sled command jmp [ arm ] is b 0x28.
Wherein, step S4 includes the following steps:
s41, converting the slide instruction jmp [ arc ] into machine codes under respective architecture arc, and splicing according to jmp [ arm32], jmp [ mips ], jmp [ i386], sc [ arm64], jmp [ amd64], sc [ i386], sc [ amd64], sc [ arm32], sc [ mips ] to obtain heterogeneous general software bug execution codes shellcode.
S42, converting the shellcode into an ELF executable file format by using an ELF.from_bytes function of a binary exploit development library pwntools in a standard Python library.
The shellcode execution flow constructed by the method is shown in figure 3.
The above description of the present invention is further illustrated in detail and should not be taken as limiting the practice of the present invention. It is within the scope of the present invention for those skilled in the art to make simple deductions or substitutions without departing from the concept of the present invention.
Claims (10)
1. The heterogeneous general software bug execution code construction method is characterized by comprising the following steps:
s1, generating different software bug execution codes under different architectures;
s2, finding a temporary slide instruction jmp_tmp [ arc ] of each framework, wherein the slide instruction is a jump instruction under the framework arc and is an invalid instruction under the non-arc framework, and the jump offset address in the temporary slide instruction is temporarily replaced by loc_tmp [ arc ];
s3, finding out actual offset addresses loc [ arc ] of software bug execution codes sc [ arc ] under different frameworks arc;
s4, replacing the loc_tmp [ arc ] in S2 with the loc [ arc ] in S3 to obtain a slide instruction jmp [ arc ] which can be practically applied, and splicing the jmp [ arc ] and sc [ arc ] which are finally obtained to obtain a final software bug execution code and converting the final software bug execution code into an executable file.
2. The method according to claim 1, wherein step S1 generates different software bug execution codes under different architectures by using shellleft functions of binary exploit development library pwntools in standard Python library.
3. The general software vulnerability execution code construction method of claim 1, wherein step S2 comprises the steps of:
s21, designing a temporary skateboard instruction under an arm32 architecture;
s22, designing a temporary skateboard instruction under a mips architecture;
s23, designing a temporary skateboard instruction under an i386 architecture;
s24, designing a temporary skateboard instruction under an amd64 architecture;
s25, designing a method capable of jumping codes to offset positions of software bug execution codes under an arm64 architecture.
4. The general software vulnerability execution code construction method of claim 3, wherein step S21 comprises the steps of:
(1) Finding jump instructions of an arm32 architecture through an assembly instruction set of the arm32 architecture and a using method;
(2) Defining a jump instruction test set of an arm32 architecture, wherein the jump instruction test set comprises an arm32 architecture jump instruction, and the jump instruction test set ensures that the test instruction arm32 jmp test in the set normally runs under the arm32 architecture and jumps;
(3) The test instructions of the jump instruction test set arm32_jmp_test are sequentially fetched, the test instructions are converted into machine codes arm32_jmp_test_asm under the arm32 architecture, the machine codes arm32_jmp_test_asm are converted into assembly instructions other_discsm under the non-arm 32 architecture, and if the conversion is successful and the converted instructions are non-jump instructions, the arm32_jmp_test is output, and the temporary skateboard instruction set jmp_tmp [ ] is added.
5. The method for constructing the universal software bug execution code according to claim 3, wherein the step S22 comprises the steps of:
(1) Finding a skip instruction of the mips architecture through an assembly instruction set of the mips architecture and a using method;
(2) Defining a skip instruction test set mips_jmp_tests of a mips architecture, wherein the skip instruction test set contains skip instructions of the mips architecture, and the test instructions arm32_jmp_tests in the set are ensured to normally run and skip under the mips architecture;
(3) And sequentially taking out test instructions mips_jmp_test in the jump instruction test set mips_jmp_test, converting the test instructions into machine codes mips_jmp_test_asm under a mips architecture, converting the machine codes mips_jmp_test_asm into assembly instructions other_discm under a non-mips architecture, outputting mips_jmp_test if the conversion is successful and the converted instructions are non-jump instructions, and adding the mips_jmp_test into a temporary skateboard instruction set jmp_tmp [ ].
6. The general software vulnerability execution code construction method of claim 3, wherein step S23 comprises the steps of:
(1) Finding a jump instruction of the i386 architecture through an assembly instruction set of the i386 architecture and a using method thereof;
(2) Defining a jump instruction test set i386_jmp_tests of an i386 architecture, wherein the set contains jump instructions of the i386 architecture, and the test instructions i386_jmp_tests in the set are ensured to normally run and jump under an arm32 architecture;
(3) The test instruction i386_jmp_test in the jump instruction test set i386_jmp_test is sequentially fetched, the test instruction is converted into a machine code i386_jmp_test_asm under the i386 architecture, the machine code i386_jmp_test_asm is converted into an assembly instruction other_discasm under the non-i 386 architecture, if the conversion is successful and the converted instruction is a non-jump instruction, i386_jmp_test is output, and the test instruction is added into the temporary skateboard instruction set jmp_tmp [ ].
7. The method for constructing the universal software bug execution code according to claim 3, wherein the step S24 comprises the steps of:
the temporary slide instruction is designed differently according to the code segment register CS value used by the process under the i386 and amd64 architectures and added to the temporary slide instruction set jmp_tmp [ ].
8. The method for constructing the universal software bug execution code according to claim 3, wherein the step S25 comprises the steps of:
(1) Designing a jump instruction, which is a jump instruction in arm32 and an invalid instruction in arm 64;
(2) Placing the software bug execution code of arm64 in the first of the sc [ arc ] sets, and if no jump instruction in jmp [ arc ] has occurred, automatically executing the software bug execution code of arm64 in instruction order.
9. The method for constructing the universal software bug execution code according to claim 1, wherein the step S3 comprises the steps of:
s31, constructing a dictionary simulated jump instruction jmp_like [ arc ] for simulating a 4-byte jump instruction, and assigning the 4-byte jump instruction as a four-byte type character string;
s32, splicing a jmp_fake [ arc ] instruction and a sc [ arc ] instruction to obtain a shellcode_fake instruction; the first four bytes of the sc [ arc ] instruction are fetched and assigned to the arc_like [ arc ] instruction;
s33, finding the initial position of an arc_like instruction through a string processing method find () function built in Python, calculating the offset address loc [ arc ] of the initial position and a dictionary simulated jump instruction jmp_like [ arc ], and converting the result into 16 system;
s34, replacing main functions in the jmp [ arc ] obtained in the step S2 with loc [ arc ] instructions respectively to obtain a final skateboard instruction jmp [ arc ].
10. The general software vulnerability execution code construction method of claim 1, wherein step S4 comprises the steps of:
s41, converting a slide instruction jmp [ arc ] into machine codes under respective architecture arc, and splicing according to jmp [ arm32], jmp [ mips ], jmp [ i386], sc [ arm64], jmp [ amd64], sc [ i386], sc [ amd64], sc [ arm32] and sc [ mips ] to obtain heterogeneous general software bug execution codes shellcode;
s42, converting the shellcode into an ELF executable file format by using an ELF.from_bytes function of a binary exploit development library pwntools in a standard Python library.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311163847.7A CN117195227B (en) | 2023-09-11 | 2023-09-11 | Heterogeneous general software bug execution code construction method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311163847.7A CN117195227B (en) | 2023-09-11 | 2023-09-11 | Heterogeneous general software bug execution code construction method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN117195227A true CN117195227A (en) | 2023-12-08 |
| CN117195227B CN117195227B (en) | 2024-04-30 |
Family
ID=88999335
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311163847.7A Active CN117195227B (en) | 2023-09-11 | 2023-09-11 | Heterogeneous general software bug execution code construction method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117195227B (en) |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US5946674A (en) * | 1996-07-12 | 1999-08-31 | Nordin; Peter | Turing complete computer implemented machine learning method and system |
| US20110214110A1 (en) * | 2010-02-26 | 2011-09-01 | Red Hat, Inc. | Compiler Mechanism for Handling Conditional Statements |
| US9973531B1 (en) * | 2014-06-06 | 2018-05-15 | Fireeye, Inc. | Shellcode detection |
| CN110059477A (en) * | 2019-03-14 | 2019-07-26 | 成都亚信网络安全产业技术研究院有限公司 | A kind of attack detection method and device |
| US20210141907A1 (en) * | 2019-11-12 | 2021-05-13 | Korea Internet & Security Agency | Method and device for patching vulnerability of binary |
| CN114500043A (en) * | 2022-01-25 | 2022-05-13 | 山东省计算中心(国家超级计算济南中心) | Internet of things firmware vulnerability detection method and system based on homology analysis |
| CN115629767A (en) * | 2022-11-15 | 2023-01-20 | 中国人民解放军战略支援部队信息工程大学 | NOP instruction insertion method and device based on binary system rewriting |
-
2023
- 2023-09-11 CN CN202311163847.7A patent/CN117195227B/en active Active
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US5946674A (en) * | 1996-07-12 | 1999-08-31 | Nordin; Peter | Turing complete computer implemented machine learning method and system |
| US20110214110A1 (en) * | 2010-02-26 | 2011-09-01 | Red Hat, Inc. | Compiler Mechanism for Handling Conditional Statements |
| US9973531B1 (en) * | 2014-06-06 | 2018-05-15 | Fireeye, Inc. | Shellcode detection |
| CN110059477A (en) * | 2019-03-14 | 2019-07-26 | 成都亚信网络安全产业技术研究院有限公司 | A kind of attack detection method and device |
| US20210141907A1 (en) * | 2019-11-12 | 2021-05-13 | Korea Internet & Security Agency | Method and device for patching vulnerability of binary |
| CN114500043A (en) * | 2022-01-25 | 2022-05-13 | 山东省计算中心(国家超级计算济南中心) | Internet of things firmware vulnerability detection method and system based on homology analysis |
| CN115629767A (en) * | 2022-11-15 | 2023-01-20 | 中国人民解放军战略支援部队信息工程大学 | NOP instruction insertion method and device based on binary system rewriting |
Non-Patent Citations (1)
| Title |
|---|
| 傅建明;林艳;刘秀文;张旭;: "云计算环境下基于随机化的安全防御研究", 计算机学报, no. 06, 28 July 2017 (2017-07-28), pages 21 - 38 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN117195227B (en) | 2024-04-30 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US9715593B2 (en) | Software vulnerabilities detection system and methods | |
| Song et al. | BitBlaze: A new approach to computer security via binary analysis | |
| Branco et al. | Scientific but not academical overview of malware anti-debugging, anti-disassembly and anti-vm technologies | |
| CN109918903B (en) | Program non-control data attack protection method based on LLVM compiler | |
| US7376970B2 (en) | System and method for proactive computer virus protection | |
| US9824214B2 (en) | High performance software vulnerabilities detection system and methods | |
| Muntean et al. | cfi: Type-assisted control flow integrity for x86-64 binaries | |
| US10242190B2 (en) | System and method for detection of malicious code by iterative emulation of microcode | |
| JP7154365B2 (en) | Methods for securing software code | |
| WO2016135729A1 (en) | A method to identify known compilers functions, libraries and objects inside files and data items containing an executable code | |
| CN105787305A (en) | Software protection method capable of resisting symbolic execution and taint analysis | |
| Nu1L Team | Reverse engineering | |
| Arthur et al. | Getting in control of your control flow with control-data isolation | |
| Otsuki et al. | Building stack traces from memory dump of Windows x64 | |
| Case et al. | HookTracer: A system for automated and accessible API hooks analysis | |
| Mu et al. | ROPOB: obfuscating binary code via return oriented programming | |
| CN113779578A (en) | Intelligent confusion method and system for mobile terminal application | |
| CN117195227B (en) | Heterogeneous general software bug execution code construction method | |
| US20180081777A1 (en) | Call trace generation via behavior computation | |
| Heitman et al. | BARF: a multiplatform open source binary analysis and reverse engineering framework | |
| Wang et al. | OFFDTAN: a new approach of offline dynamic taint analysis for binaries | |
| Smith et al. | Redir: Automated static detection of obfuscated anti-debugging techniques | |
| Pfeffer et al. | Efficient and safe control flow recovery using a restricted intermediate language | |
| Xu et al. | AT-ROP: Using static analysis and binary patch technology to defend against ROP attacks based on return instruction | |
| Zhu et al. | Constructing a Hybrid Taint Analysis Framework for Diagnosing Attacks on Binary Programs. |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant |