from ghidra.program.model.symbol import RefType
from ghidra.program.model.listing import CodeUnit
from ghidra.util.task import ConsoleTaskMonitor
from ghidra.program.model.address import Address
from ghidra.program.model.lang import OperandType
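# Ghidra (Jython) script: walk every function in the current program and print
# the locations of two indirect-call instruction shapes the author treats as
# candidate CFG (Control Flow Guard) dispatch/validation sites. Output is
# report-only; nothing in the program is modified.
listing = currentProgram.getListing()
# Not consumed by the scan below; kept so the script's module-level names are unchanged.
monitor = ConsoleTaskMonitor()


def _first_operand_object(ins, index):
    """Return the first object of operand *index* of *ins*, or None when there is none.

    Guards the raw ``getOpObjects(index)[0]`` access, which raises IndexError
    on an instruction whose operand list is shorter than the pattern expects.
    """
    objects = ins.getOpObjects(index)
    if objects is None or len(objects) == 0:
        return None
    return objects[0]


def _operand_text(ins, index):
    """Return the lowercase string form of operand *index*'s first object, or "" when absent."""
    obj = _first_operand_object(ins, index)
    return "" if obj is None else obj.toString().lower()


def _mnemonic(ins):
    """Return the lowercase mnemonic of *ins*."""
    return ins.getMnemonicString().lower()


def _is_validator_triple(ins1, ins2, ins3):
    """Match ``mov rcx, <reg> ; mov rax, qword ptr [addr] ; call rax``.

    Only the destination register of each ``mov``, the address-typed second
    operand of the second ``mov`` and the ``call rax`` are checked; the
    source operand of the first ``mov`` is not inspected.
    """
    return (
        _mnemonic(ins1) == "mov"
        and _operand_text(ins1, 0) == "rcx"
        and _mnemonic(ins2) == "mov"
        and _operand_text(ins2, 0) == "rax"
        and OperandType.isAddress(ins2.getOperandType(1))
        and _mnemonic(ins3) == "call"
        and _operand_text(ins3, 0) == "rax"
    )


def _dispatch_target(ins1, ins2):
    """Return the ``Address`` operand of ``mov ... ; call qword ptr [addr]``, or None.

    The pair qualifies when *ins1* is any ``mov`` (its operands are not
    inspected), *ins2* is a ``call`` whose first operand is typed as an
    address, and that operand's first object is an ``Address``. Any other
    pair yields None.
    """
    if _mnemonic(ins1) != "mov" or _mnemonic(ins2) != "call":
        return None
    if not OperandType.isAddress(ins2.getOperandType(0)):
        return None
    call_op = _first_operand_object(ins2, 0)
    if isinstance(call_op, Address):
        return call_op
    return None


print("[*] Scanning for potential CFG validation patterns...")
for func in listing.getFunctions(True):
    instructions = list(listing.getInstructions(func.getBody(), True))
    count = len(instructions)
    # Slide a window over consecutive instructions. The loop runs to the last
    # pair so pattern 2 also sees the final two instructions (the original
    # stopped two short of the end and never checked them); pattern 1 still
    # needs a third instruction and is skipped when there is none.
    for i in range(count - 1):
        ins1 = instructions[i]
        ins2 = instructions[i + 1]
        ins3 = instructions[i + 2] if i + 2 < count else None

        # Pattern 1: mov rcx, reg / mov rax, qword ptr [addr] / call rax
        if ins3 is not None and _is_validator_triple(ins1, ins2, ins3):
            print("[+] Potential CFG validator:")
            print(" Function: {} at {}".format(func.getName(), func.getEntryPoint()))
            print(" Pattern: {} ; {} ; {}".format(ins1, ins2, ins3))
            print("---")

        # Pattern 2: mov reg, reg / call qword ptr [addr] (direct dispatch)
        call_target = _dispatch_target(ins1, ins2)
        if call_target is not None:
            # Only report when the call's address operand has defined data at
            # it, i.e. the call goes through a data pointer rather than code.
            ref_data = listing.getDataAt(call_target)
            if ref_data:
                print("[?] Indirect call possibly related to CFG dispatch:")
                print(" Function: {} at {}".format(func.getName(), func.getEntryPoint()))
                print(" Pattern: {} ; {}".format(ins1, ins2))
                print("---")
print("[*] Scan complete.")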
최근 known DLL을 대상으로 CFG를 우회하여 shellcode를 실행하는 PoC를 진행해 보려고 급하게 만든 스크립트
ntdll.dll을 대상으로 사용해보니 주소들이 잘 뽑히는 것 같음
자세한 내용은 아래 블로그 참조 (Control Flow Hijacking via Data Pointers)
Control Flow Hijacking via Data Pointers
When performing process injection, one of the most important IOCs that make up behavioural signatures is passing execution to our shellcode. Whilst there are multiple techniques to doing so and this is certainly nothing purely “new” - in this post I wa
www.legacyy.xyz