Add Chinese docs.
dark-lbp committed Apr 10, 2020
1 parent c6d96c6 commit c96b5b9
Showing 5 changed files with 208 additions and 0 deletions.
2 changes: 2 additions & 0 deletions README.md
@@ -1,6 +1,8 @@
# VxHunter
A ToolSet for VxWorks Based Embedded Device Analyses.

*Readme in other languages: [English](README.md), [简体中文](README.zh-cn.md)*


## Firmware Analyze Tool
The firmware analyze tool is plugins written in Python, mainly used for analyze firmware loading address, fix function name with symbol table and etc.
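Review bot: the language switcher added here is one-directional in this commit: the English README links to README.zh-cn.md, but the new Chinese guides under docs/ (the Ghidra and Radare2 how-tos) carry no corresponding link back to their English versions, so a reader who lands on the zh-cn pages has no way to switch. Consider adding the same *Readme in other languages* line at the top of each docs/*.zh-cn.md file, or at least a link to the English counterpart.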
74 changes: 74 additions & 0 deletions README.zh-cn.md
@@ -0,0 +1,74 @@
# VxHunter
一个用于VxWorks嵌入式设备分析的工具集。

*说明文档的其他语言: [English](README.md), [简体中文](README.zh-cn.md)*


## Firmware Analyze Tool
固件分析工具是基于python编写的VxWorks分析工具,主要的用途是分析固件的加载地址,从识别出的符号表中修复函数名及符号信息等。

支持的逆向工具:
* IDA Pro 7.x
* Ghidra 9.x
* Radare2

测试过的固件:
* Schneider 140NOE77101 - Ethernet network TCP/IP module
* Siemens SCALANCE-X208/SCALANCE-X216/SCALANCE-X308 - Siemens SCALANCE X Switch
* Hirschmann PowerMICE - Industrial ETHERNET Switch


### IDA Demo
![](docs/images/VxHunter_IDA_480.gif)


### Ghidra Demo
[如何在Ghidra中使用VxHunter](docs/How_to_use_vxhunter_firmware_tools_in_ghidra.zh-cn.md)


#### vxhunter_firmware_init.py
![](docs/images/VxHunter_ghidra_firmware_init_720.gif)


#### vxhunter_analysis.py
在执行了`vxhunter_firmware_init.py`后,我们可以使用`vxhunter_analysis.py`脚本对VxWorks固件进行进一步的分析。
这个脚本会分析硬编码的账号,已编译的VxWorks服务以及一些其他的信息。
![](docs/images/VxHunter_ghidra_analysis_720.gif)


### Radare2 Demo

[如何在Radare2中使用VxHunter](docs/How_to_use_vxhunter_firmware_tools_in_radare2.zh-cn.md)

![](docs/images/VxHunter_Radare2_720.gif)

## VxSerial Debugger - Beta
串口调试工具是基于VxWorks命令行及python编写的一个VxWorks调试工具,通常我们能够在VxWorks设备的串口获取到交互式命令行。

串口调试工具使用VxWorks交互式命令行中的内存读/写指令来将调试shellcode注入到目标系统中,这个调试shellcode将由keystone-engine来动态生成。

串口调试工具的原理和inline hook比较像,如果目标设备命中了断点,它将会跳转执行调试shellcode并且等待其他调试命令的执行。

串口调试工具所支持的功能:
* 内存读/写。
* 条件断点, 基于Python的callback函数,该函数返回True则断下,返回False时程序会继续执行。
* 查看Task状态。(栈, 寄存器).
* VxWorks数据结构查看(netpool, clBlk, 等).


### Example
这个示例脚本是在TP-Link TL-WR886N-V7,固件版本V1.1.0的设备上调试CVE-2018-19528漏洞的例子。


[串口调试示例脚本](serial_debugger_example.py)

示例视频

[![示例视频](https://img.youtube.com/vi/ulO8MsoDLLk/0.jpg)](https://www.youtube.com/watch?v=ulO8MsoDLLk)


## TODO
### Firmware Analyze Tool
* ~~支持对VxWorks内存dump文件分析~~
* 支持分析VxWorks内存dump文件中动态加载的符号
* 支持分析symFindByName符号查询函数的引用来补全函数引用。
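Review bot: punctuation is mixed half-width and full-width in the VxSerial Debugger feature list ("内存读/写。" with a Chinese full stop, then "查看Task状态。(栈, 寄存器)." and "VxWorks数据结构查看(netpool, clBlk, 等)." ending in ASCII periods); pick one convention for the whole file. Also, several headings and the tested-firmware list ("### Example", "## TODO", "* Schneider 140NOE77101 - Ethernet network TCP/IP module", ...) are left in English inside an otherwise translated document; if that is intentional because they are product names, the headings at least could be translated for consistency with "## 步骤一" style used in the docs/ files.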
29 changes: 29 additions & 0 deletions docs/How_to_use_vxhunter_firmware_tools_in_ghidra.zh-cn.md
@@ -0,0 +1,29 @@
# 如何在Ghidra中使用VxHunter

VxHunter Ghidra脚本能自动分析VxWorks镜像的加载地址及符号信息。


## 步骤一: 在Ghidra中加载VxWorks镜像
示例固件下载地址 [这里](https://github.com/dark-lbp/vxhunter/tree/master/example_firmware), in this document we chose [image_vx5_ppc_big_endian.bin](https://github.com/dark-lbp/vxhunter/blob/master/example_firmware/image_vx5_ppc_big_endian.bin).

使用正确的处理器类型及默认加载地址0来加载VxWorks镜像。

![](images/Load_vxworks_image_to_ghidra_01.png)

因为此时我们并不知道正确的加载地址,因此先不要对镜像进行自动分析。

![](images/not_analyze_now.png)


## 步骤二: 运行VxHunter firmware init脚本

在脚本管理器中运行VxHunter vxhunter_firmware_init.py脚本, 这个脚本会将镜像rebase到正确的加载地址并根据符号修复函数名。

![](images/VxHunter_ghidra_firmware_init_720.gif)


## 步骤三: 使用vxhunter_analysis脚本分析硬编码账号及已编入的VxWorks服务

至此就可以自由的对这个VxWorks固件进行分析了。

![](images/VxHunter_ghidra_analysis_720.gif)
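Review bot: the sentence under 步骤一 is half-translated: "示例固件下载地址 [这里](...), in this document we chose [image_vx5_ppc_big_endian.bin](...)." switches to English mid-sentence; the second clause should read along the lines of "本文档中我们选用 [image_vx5_ppc_big_endian.bin](...)". Separately, the 步骤三 heading promises running vxhunter_analysis to analyze hard-coded accounts and compiled-in VxWorks services, but the body only says "至此就可以自由的对这个VxWorks固件进行分析了" (the same closing line as the Radare2 guide's "Have Fun" step) and never tells the reader to run the script from the Script Manager; add that instruction so the step matches its heading.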
100 changes: 100 additions & 0 deletions docs/How_to_use_vxhunter_firmware_tools_in_radare2.zh-cn.md
@@ -0,0 +1,100 @@
# 如何在Radare2中使用VxHunter

VxHunter radare2脚本能自动分析VxWorks镜像的加载地址及符号信息。


## 步骤一: 在radare2中打开VxWorks镜像
示例固件下载地址 [这里](https://github.com/dark-lbp/vxhunter/tree/master/example_firmware), in this document we chose [image_vx5_ppc_big_endian.bin](https://github.com/dark-lbp/vxhunter/blob/master/example_firmware/image_vx5_ppc_big_endian.bin).

在radare2使用正确的处理器类型来加载VxWorks镜像。

```
r2 -a ppc -b 32 image_vx5_ppc_big_endian.bin
```

## 步骤二: 使用R2pipe运行VxHunter r2 python脚本

目前已经编写了python2及python3两个版本的脚本。

```
# for python2
#!pipe python2 ./vxhunter_r2_py2.py
# for python3
#!pipe python3 ./vxhunter_r2_py3.py
```

VxHunter r2能够利用关键字自动识别VxWorks版本号。如果VxHunter无法识别VxWorks版本,就需要用户在r2中输入对应版本。

```
[0x00000000]> #!pipe python3 ./vxhunter_r2_py3.py # for python2
Running with python version: 3.7.4 (default, Sep 7 2019, 18:27:02)
[Clang 10.0.1 (clang-1001.0.46.4)]
Auto detected VxWorks version: None
Please input the VxWorks main version type 'c' to exit
Available (5/6/c): 5
vx_version:5
```

你也可以将VxWorks版本作为第一个脚本参数来传参:

```
[[0x00000000]> #!pipe python3 ./vxhunter_r2_py3.py 5
Running with python version: 3.7.4 (default, Sep 7 2019, 18:27:02)
[Clang 10.0.1 (clang-1001.0.46.4)]
vx_version:5
firmware_path: /path/image_vx5_ppc_big_endian.bin
[INFO ][vxhunter_r2_py3.find_symbol_table] symbol table start offset: 0x301e60
[INFO ][vxhunter_r2_py3.find_symbol_table] symbol table end offset: 0x3293b0
```

VxHunter会分析VxWorks镜像的加载地址及符号,如果分析成功你会受到如下所示的输出。

```
###### Start analyze firmware ######
[INFO ][vxhunter_r2_py3.quick_test] load address is not:0x80002000
[INFO ][vxhunter_r2_py3._check_load_address] load address is :0x10000
Found VxWorks image load address: 0x00010000
Found VxWorks symbol table from 0x00301E60 to 0x003293B0
###### Rebase current firmware ######
All core files, io, anal and flags info purged.
Rebase with r2 command: o /Users/zhuwz/temp/VxHunter_r2/image_vx5_ppc_big_endian.bin 0x10000 r-x
###### Start analyzing functions######
symbol_table_start_address: 0x00311E60
symbol_table_end_address: 0x003393B0
af: Cannot find function at 0x0002986c
af: Cannot find function at 0x0002983c
af: Cannot find function at 0x002275b0
...
###### Finish here is the flags ######
0 . classes
9086 . functions
0 . relocs
0 . sections
0 . segments
2155 * symbols
```

## 步骤三: Have Fun

至此就可以自由的对这个VxWorks固件进行分析了。

### 查找函数
```
[0x00000000]> f functions
[0x00000000]> f |grep usrI
0x0002b8e4 180 usrIpLibInit
0x0002cd94 88 usrInit
0x0002d1d8 80 usrIosCoreInit
0x0002d228 100 usrIosExtraInit
```

### 查看函数
![](images/VxHunter_Rarare2_view_functions.png)
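Review bot: the first r2 session transcript has a misleading trailing comment: "[0x00000000]> #!pipe python3 ./vxhunter_r2_py3.py # for python2" runs the python3 script while the comment says python2; drop the comment or change it to python3. In the second transcript the prompt reads "[[0x00000000]>" with a doubled bracket. In 查找函数, "f functions" looks like it should be "fs functions": in radare2 `f <name>` creates a flag with that name at the current address, while `fs <name>` selects the flag space, which is what the following "f |grep usrI" listing relies on. The same half-translated "in this document we chose ..." clause as in the Ghidra guide also appears under 步骤一 here.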
3 changes: 3 additions & 0 deletions firmware_tools/ghidra/README.zh-cn.md
@@ -0,0 +1,3 @@
## Setting up for Development

克隆项目, 在Ghidra脚本管理器中将项目目录添加为脚本目录。
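Review bot: the heading "## Setting up for Development" is left in English while the body is Chinese; translate it to match the rest of the file. The instruction "在Ghidra脚本管理器中将项目目录添加为脚本目录" does not say which directory to add; since this README lives in firmware_tools/ghidra, state explicitly whether the script directory to register is that subdirectory or the repository root, otherwise the Script Manager will not find vxhunter_firmware_init.py and vxhunter_analysis.py.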
