lunixbochs/patchkit

Stars
626
Rank 71,265 (Top 2 %)
Language
C
License
Other
Created about 8 years ago
Updated about 1 year ago

lunixbochs/patchkit

lunixbochs

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

binary patching from Python

patchkit

Patches an ELF binary using one or more simple Python scripts.

Usage:

patch <binary> <patchdir|file> [patchdir|file...]

patchdir

Contains one or more Python patch files, which will be executed in alphabetical order against a binary.

Patch Examples

Nopping an address, injecting an assembly function, and hooking the entry point:

def simple_patch(pt):
    # nop out a jump at the entry point
    pt.patch(pt.entry, hex='90' * 5)

    # inject assembly into the binary and return the address
    addr = pt.inject(asm='mov eax, 1; ret')

    # hook the entry point to make it call addr (ret will run the original entry point)
    pt.hook(pt.entry, addr)

Replacing a C function:

def replace_free(pt):
    # pretend free() is at this address:
    old_free = 0x804fc4

    # inject a function to replace free()
    new_free = pt.inject(c=r'''
    void free_stub(void *addr) {
        printf("stubbed free(%p)\n", addr);
    }
    ''')

    # patch the beginning of free() with a jump to our new function
    pt.patch(old_free, jmp=new_free)

API

addr = search(data)
hook(addr, new_addr)
patch(addr, *compile arg*)
addr = inject(*compile arg*)

*compile arg* is any of the following:
  raw='data'
  hex='0bfe'
  asm='nop'
  jmp=0xaddr
  c='void func() { int a; a = 1; }' (only supported on inject, not patch)

IDA scripts

Some scripts live in the ida/ path. Run them like this:

/Applications/IDA\ Pro\ 6.8/idaq.app/Contents/MacOS/idaq64 -A -Sida/allfuncs.py a.out

When invoked like this, allfuncs.py will generate a.out.funcs which is used by hardening scripts.

Tools

These are somewhat CGC and x86-specific right now, but will be ported for general use in the future.

explore: uses a Python CFG and recursive backtracking emulator to find basic blocks in an executable
bindiff: uses the block boundaries from an explore run, as well as additional analysis to find and output basic block diffs between two binaries

Dependencies

Run ./deps.sh to automatically install these.
- Capstone Engine - https://github.com/aquynh/capstone.git
- Keystone Engine - https://github.com/keystone-engine/keystone.git
- Unicorn Engine - https://github.com/unicorn-engine/unicorn.git

ActualVim

Sublime Text 3 input mode using Neovim. Issues are closed, feel free to submit Pull Requests if you have bug fixes however.

usercorn

dynamic binary analysis via platform emulation

struc

Better binary packing for Go

SublimeXiki

Xiki in Sublime Text

sublimelint

Error highlighting in Sublime Text.

glshim

OpenGL 1.x driver shim for OpenGL ES devices.

vtclean

strips terminal escapes from text, can preserve color

revsync

realtime cross-tool collaborative reverse engineering

lib43

portable libc optimized for code size and readability

tinygles

Software-rendered OpenGL ES

reslate

A solid backbone for your `.slate.js.`

mpwn

single file ctf/exploit client library - python3, type annotated

og

Language and tool enhancements for Go

feeds

transcribe audio feeds into public web ui

meta

code sometimes leaks into the space between projects

pingbin

service to check internet accessibility

pitybas

a faithful TI-BASIC implementation

glues

fork of http://code.google.com/p/glues/

go-keychain

Simple OS keychain bindings for password storage in Go (Golang)

bnrepl

Run your Binary Ninja Python console in a separate Terminal window.

sublimevim

a (deprecated) WIP vim input plugin for Sublime Text 2

lorcon

Fork of https://code.google.com/p/lorcon/

community

Talon Community Repo (New API)

ghostrace

Golang syscall firehose (programmatic strace/dtruss)

n64-saleae-logic

N64 controller protocol analyzer

precorn

[WIP] pivot a running process into an emulator for instrumentation

capstr

(fast) Capstone Go bindings

crossldso

link a linux ELF .so library into memory with python and call functions in it, even if you're not on linux

microlathe

LockIT Pro JTAG proxy + GDB stub

project-euler

Project Euler polyglot

uberserver

matchmaking/chat lobby server for the spring rts project

orca

inscount

stable instruction counter based on qemu-user (--target-list=i386-linux-user,x86_64-linux-user)

EnableWebGL

A tweak to enable WebGL on iOS

sublime-syntaxget

A faster way to change Syntax highlighting modes in Sublime Text 2

localdns

serves DNS for observed DHCP leases

voicecode-commando

voicecode command cheat sheet

subasm

subleq assembler / interpreter / rop chain

fs-uae-gles

A GL ES port of FS-UAE

linters

default linters for sublimelint

smolcc

unicorn-tools

AppleScripting

Sublime Text 3 package for editing and running AppleScript

pynamed

No-nonsense DNS server stub in Python using twisted.names

argjoy

Golang method invocation with arg codecs and optional args

talon_wm

Window management in Talon

binutils-wasm

binutils compiled to wasm with every single target

pyadc

WIP: basic ADC client daemon in Python

tftpd-cgi

A simple TFTP server capable of serving CGI scripts.

go-clip

Clipboard bindings for Golang (without shelling out)

preload-hooks

LD_PRELOAD framework

luaish

libgpu

basic software rasterizer

vaporbat

Python Steam client

maze

maze generator (eventually solver? was going to be an experiment in parallel maze solving)

tactis

TIS-100 emulator / library

pypyninja

pypy interpreter shim for Binary Ninja

idascript

uberspring

Python client/server for the Spring RTS network protocol

pytiger

pytiger mirror, with various fixes for pyadc

webster

https://bochs.info/webster/ - interface to webster 1913 unabridged

qemu-2.5-unicorn

railsync

location-sentry

Tweak to show GPS-using apps on iOS

minorgems-gles

minorGems plus OpenGL ES, OpenPandora compatibility

ids

bearfield

A small, efficient, easy to use MongoDB object layer.

ti-omap5-sgx-ddk-linux

LockButton

menubar icon to lock your mac