From decded3ef6c094ba14d78f9900b8211a5163333f Mon Sep 17 00:00:00 2001
From: pancake
Date: Mon, 23 Dec 2024 00:17:26 +0100
Subject: [PATCH] Initial implementation of the bin.aslr ##bin
---
libr/core/cbin.c | 4 ++--
libr/core/cconfig.c | 12 +++++++++++-
libr/core/cfile.c | 21 +++++++++++++++++++--
libr/include/r_bin.h | 5 +++++
libr/include/r_io.h | 1 -
test/db/cmd/cmd_i | 4 ++--
6 files changed, 39 insertions(+), 8 deletions(-)
diff --git a/libr/core/cbin.c b/libr/core/cbin.c
index 3d457021ad23d..9089b02cbefe5 100644
--- a/libr/core/cbin.c
+++ b/libr/core/cbin.c
@@ -1416,8 +1416,8 @@ static bool bin_main(RCore *r, PJ *pj, int mode, int va) {
 } else if (IS_MODE_SIMPLE (mode)) {
 r_cons_printf ("%"PFMT64d, addr);
 } else if (IS_MODE_RAD (mode)) {
- r_cons_printf ("fs symbols\n");
- r_cons_printf ("f main @ 0x%08"PFMT64x"\n", addr);
+ r_cons_printf ("'fs symbols\n");
+ r_cons_printf ("'@0x%08"PFMT64x"'f main\n", addr);
 if (isthumb) {
 r_cons_printf ("'@0x%08"PFMT64x"'ahb 16\n", addr);
 }
diff --git a/libr/core/cconfig.c b/libr/core/cconfig.c
index f092451092bbb..9b822e793a8b3 100644
--- a/libr/core/cconfig.c
+++ b/libr/core/cconfig.c
@@ -2323,12 +2323,21 @@ static bool cb_io_cache(void *user, void *data) {
 return true;
 }
 
+#if 0
 static bool cb_ioaslr(void *user, void *data) {
 RCore *core = (RCore *) user;
 RConfigNode *node = (RConfigNode *) data;
 core->io->aslr = (bool)node->i_value;
 return true;
 }
+#endif
+
+static bool cb_binaslr(void *user, void *data) {
+ RCore *core = (RCore *) user;
+ RConfigNode *node = (RConfigNode *) data;
+ core->bin->options.fake_aslr = (bool)node->i_value;
+ return true;
+}
 
 static bool cb_io_pava(void *user, void *data) {
 RCore *core = (RCore *) user;
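Review bot: `cb_ioaslr` is kept under `#if 0` instead of being deleted, and its replacement `cb_binaslr` in the same hunk writes `core->bin->options.fake_aslr`, which no other new code in this patch reads — the three cfile.c sites query `r_config_get_b (core->config, "bin.aslr")` directly. Dead code under `#if 0` (and the `// SETCB ("dbg.aslr", ...)` line in the next hunk) should simply go; git history keeps it. If the struct field is meant to become the source of truth, as the R2_600 comments suggest, the cfile.c sites should read `core->bin->options.fake_aslr` so the config variable and the field cannot drift apart.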
@@ -4536,7 +4545,8 @@ R_API int r_core_config_init(RCore *core) {
 SETICB ("io.mask", 0, &cb_iomask, "mask addresses before resolving as maps");
 SETBPREF ("io.exec", "true", "see !!r2 -h~-x");
 SETICB ("io.0xff", 0xff, &cb_io_oxff, "use this value instead of 0xff to fill unallocated areas");
- SETCB ("io.aslr", "false", &cb_ioaslr, "disable ASLR for spawn and such");
+ // SETCB ("dbg.aslr", "false", &cb_ioaslr, "disable ASLR for spawn and such");
+ SETCB ("bin.aslr", "false", &cb_binaslr, "pick a random bin.baddr to simulate ASLR for static analysis");
 SETCB ("io.va", "true", &cb_iova, "use virtual address layout");
 SETBPREF ("io.voidwrites", "true", "handle writes to fully unmapped areas as valid operations (requires io.va to be set)");
 
diff --git a/libr/core/cfile.c b/libr/core/cfile.c
index 6d666ccce7217..28a69a7e75407 100644
--- a/libr/core/cfile.c
+++ b/libr/core/cfile.c
@@ -78,7 +78,12 @@ R_API bool r_core_file_reopen(RCore *core, const char *args, int perm, int loadb
 }
 }
 if (new_baddr == UT64_MAX) {
- new_baddr = r_config_get_i (core->config, "bin.baddr");
+ if (r_config_get_b (core->config, "bin.aslr")) {
+ new_baddr = r_num_rand (32) << 24;
+ r_config_set_i (core->config, "bin.baddr", new_baddr);
+ } else {
+ new_baddr = r_config_get_i (core->config, "bin.baddr");
+ }
 }
 
 if (r_sandbox_enable (0)) {
@@ -158,7 +163,12 @@ R_API bool r_core_file_reopen(RCore *core, const char *args, int perm, int loadb
 } else if (new_baddr != UT64_MAX) {
 baddr = new_baddr;
 } else {
- baddr = r_config_get_i (core->config, "bin.baddr");
+ if (r_config_get_b (core->config, "bin.aslr")) {
+ baddr = r_num_rand (32) << 24;
+ r_config_set_i (core->config, "bin.baddr", baddr);
+ } else {
+ baddr = r_config_get_i (core->config, "bin.baddr");
+ }
 }
 ret = r_core_bin_load (core, obinfilepath, baddr);
 r_core_bin_update_arch_bits (core);
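Review bot: The `io.aslr` key is removed outright rather than retired with an alias, so any existing script or rc file that sets it will presumably now hit an unknown-key error instead of a no-op (inferred from the key simply vanishing from r_core_config_init; worth confirming how r_config reacts). The help string of the new key also omits the side effect users will actually notice, namely that the drawn base is written back into bin.baddr; suggest `"pick a random bin.baddr (stored in bin.baddr) to simulate ASLR for static analysis"`. The commented-out `// SETCB ("dbg.aslr", ...)` line should be dropped rather than left as a reminder.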
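Review bot: `r_num_rand (32) << 24` followed by the same `r_config_set_i (core->config, "bin.baddr", ...)` is pasted three times — here, in the @@ -158 hunk of the same function, and in r_core_file_load_for_io_plugin in the next hunk — so the entropy and address range live in three places; a small static helper keeps them in one. With only 32 draws the base is one of 0x00000000..0x1F000000 in 16 MiB steps and 0 is a legal outcome, so a "randomized" load can land exactly where the non-ASLR load would, and every reopen with bin.aslr enabled draws a fresh base rather than reusing the one already stored in bin.baddr, which presumably shifts existing flags and analysis between runs; if that is intended the help string should say so. r_core_file_reopen starts and ends outside both hunks.
```c
// Draw a base address for bin.aslr and record it in bin.baddr so the other load paths see the same value.
static ut64 pick_fake_baddr(RCore *core) {
	ut64 baddr = r_num_rand (32) << 24;
	r_config_set_i (core->config, "bin.baddr", baddr);
	return baddr;
}

// … unchanged: r_core_file_reopen up to the new_baddr check …
	if (new_baddr == UT64_MAX) {
		new_baddr = r_config_get_b (core->config, "bin.aslr")
			? pick_fake_baddr (core)
			: r_config_get_i (core->config, "bin.baddr");
	}
```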
@@ -453,6 +463,13 @@ static int r_core_file_load_for_io_plugin(RCore *r, ut64 baseaddr, ut64 loadaddr
 }
 R_CRITICAL_ENTER (r);
 r_io_use_fd (r->io, fd);
+ if (baseaddr == UT64_MAX) {
+ // ASLR - this is probably the only place where bin.aslr is used. maybe move into rbin.options before R2_600
+ if (r_config_get_b (r->config, "bin.aslr")) {
+ baseaddr = r_num_rand (32) << 24;
+ r_config_set_i (r->config, "bin.baddr", baseaddr);
+ }
+ }
 RBinFileOptions opt;
 r_bin_file_options_init (&opt, fd, baseaddr, loadaddr, r->bin->rawstr);
 // opt.fd = fd;
diff --git a/libr/include/r_bin.h b/libr/include/r_bin.h
index c5aff3f48bbe7..6f0196f284c69 100644
--- a/libr/include/r_bin.h
+++ b/libr/include/r_bin.h
@@ -435,6 +435,10 @@ typedef struct r_bin_create_options_t {
 int bits;
 } RBinCreateOptions;
 
+typedef struct r_bin_options_t {
+ bool fake_aslr;
+} RBinOptions;
+
 struct r_bin_t {
 const char *file;
 RBinFile *cur; // TODO: deprecate
@@ -475,6 +479,7 @@ struct r_bin_t {
 bool use_xtr; // use extract plugins when loading a file?
 bool use_ldr; // use loader plugins when loading a file?
 RStrConstPool constpool;
+ RBinOptions options; // R2_600 - move all the options from rbin into this struct
 };
 
 typedef struct r_bin_xtr_metadata_t {
diff --git a/libr/include/r_io.h b/libr/include/r_io.h
index e286603c00b07..60b619b7982eb 100644
--- a/libr/include/r_io.h
+++ b/libr/include/r_io.h
@@ -138,7 +138,6 @@ typedef struct r_io_t {
 bool ff;
 ut8 Oxff; // which printable char to use instead of 0xff for unallocated bytes
 size_t addrbytes; // XXX also available in RArchConfig.addrbytes
- bool aslr;
 bool autofd;
 bool overlay; // moved into cache.mode
 // ut32 cached; // uses R_PERM_RWX // wtf cache for exec?
diff --git a/test/db/cmd/cmd_i b/test/db/cmd/cmd_i
index a1665a128ca6b..6cf75f9cda32d 100644
--- a/test/db/cmd/cmd_i
+++ b/test/db/cmd/cmd_i
@@ -3023,8 +3023,8 @@ NAME=iM* command
 FILE=bins/elf/redpill
 CMDS=iM*
 EXPECT=<
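Review bot: The comment added here, `// ASLR - this is probably the only place where bin.aslr is used...`, is already inaccurate within this same commit: r_core_file_reopen reads bin.aslr in two earlier cfile.c hunks. Replace it with a comment that states the contract rather than a guess, e.g. `// bin.aslr: when the caller did not request a base, draw a random one and store it in bin.baddr`. It is also worth noting somewhere user-visible that the randomization only applies when `baseaddr == UT64_MAX`, i.e. an explicitly requested base always wins; the help string for bin.aslr does not say so. r_core_file_load_for_io_plugin starts and ends outside the hunk.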
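Review bot: `fake_aslr` in the new `RBinOptions` struct carries no comment, and the cfile.c hunks of this commit consult the bin.aslr config variable rather than this field, so as of this patch the field is written by cb_binaslr and never read. A one-line comment pinning its meaning and status would spare the next reader the guess, e.g. `bool fake_aslr; // mirror of the bin.aslr config var: randomize bin.baddr on load (loaders do not consult it yet)`. The same applies to the `RBinOptions options;` member added in the next hunk, whose comment only says where future options should go; and since that member grows `struct r_bin_t`, it is presumably an ABI change for anything built against the old header, which deserves a mention in the commit message.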