
Installation

magrazia edited this page May 24, 2016 · 1 revision

Requirements:

  • Volatility >= 2.3.1
  • Unicorn
  • Capstone
  • nasm
  • pygraphviz
  • GDB

Notes:

The first version of this framework used an ad-hoc custom emulator. After the public release of Unicorn we decided to adopt it and rewrote ropemu on top of the Unicorn Python bindings. Unicorn is the ideal solution because it frees us from worrying about the ISA: we get support for every instruction, and for many architectures, for free. Unfortunately, Unicorn is a young project and has not been extensively tested. Some open bugs affect ropemu's execution, but sometimes there are dirty workarounds that let the emulation continue and produce the JSON traces. We decided to release the current implementation because it works, the Unicorn bugs will be fixed sooner or later, and we believe Unicorn is the right choice for such a framework :-)

For these reasons, I describe my working environment here.

Unicorn

Try the default Unicorn installation first. Clone the Unicorn git repository at https://github.com/unicorn-engine/unicorn and, as explained in the Unicorn documentation, build and install the core library and then the Python bindings:

./make.sh && sudo ./make.sh install && cd bindings/python/ && sudo make install && cd -

If ropemu then misbehaves, fall back to the revision we tested against. Clone the Unicorn git repository from https://github.com/unicorn-engine/unicorn, check out commit 8ee696f (the detached HEAD in the git status below) and apply the two local modifications that follow:

Git status:

	[~/projects/unicorn]
	03:13:59 emdel -> git status
	HEAD detached at 8ee696f
	Changes not staged for commit:
	  (use "git add <file>..." to update what will be committed)
	  (use "git checkout -- <file>..." to discard changes in working directory)

		modified:   qemu/target-i386/unicorn.c
		modified:   uc.c

Modifications:

In qemu/target-i386/unicorn.c we added a call to munmap in the function x86_release, so that the translated-code buffer is returned to the OS when the engine is released instead of being leaked (munmap is declared in <sys/mman.h>; include it if the file does not already pull it in):

	void x86_release(void *ctx)
	{
	    release_common(ctx);
	    TCGContext *s = (TCGContext *) ctx;

	    /* added: unmap the TCG code buffer allocated for this engine */
	    munmap(s->code_gen_buffer, s->code_gen_buffer_size);
	    ...
	    ...

In uc.c we commented out the memory_overlap check. This is a temporary workaround and we still have to find a more elegant solution: with the check disabled, uc_mem_map accepts a second mapping over pages that are already mapped, so the caller no longer gets UC_ERR_MAP as a signal that its own memory layout is inconsistent.

	static uc_err mem_map_check(uc_engine *uc, uint64_t address, size_t size, uint32_t perms)
	{
	    ...
	    ...
	    // this area overlaps existing mapped regions?
	    // workaround: overlap check disabled, see the note above
	    //if (memory_overlap(uc, address, size)) {
	    //    return UC_ERR_MAP;
	    //}

	    return UC_ERR_OK;
	}
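The check commented out above exists to reject mappings that overlap an existing region. Rather than patching uc.c, the caller can ask Unicorn which regions are already mapped, compute the pages of the requested range that are still missing, and map only those. The following is an added example, not ROPMEMU's or Unicorn's code. It assumes a Unicorn whose Python bindings expose Uc.mem_regions() (Unicorn 1.0 and later; the 8ee696f revision used on this page may predate it), and the helper names page_align, unmapped_ranges and map_without_overlap are mine.

```python
# Added example, not ROPMEMU or Unicorn code. Instead of disabling Unicorn's
# memory_overlap check in uc.c, work out which pages of a requested range are
# still unmapped and map only those. Assumes a Unicorn whose Python bindings
# expose Uc.mem_regions() (Unicorn 1.0 and later); the function names are mine.
try:
    from unicorn import Uc, UcError, UC_ARCH_X86, UC_MODE_64, UC_ERR_MAP, UC_PROT_ALL
except ImportError:  # the range arithmetic below does not need Unicorn itself
    Uc = UcError = None
    UC_ARCH_X86 = UC_MODE_64 = UC_ERR_MAP = None
    UC_PROT_ALL = 7  # UC_PROT_READ | UC_PROT_WRITE | UC_PROT_EXEC

PAGE = 0x1000  # uc_mem_map rejects addresses/sizes that are not 4 KiB aligned


def page_align(address, size):
    """Round [address, address + size) outward to page boundaries.
    Returns (aligned_start, aligned_size)."""
    start = address & ~(PAGE - 1)
    end = (address + size + PAGE - 1) & ~(PAGE - 1)
    return start, end - start


def unmapped_ranges(address, size, regions):
    """Pieces of [address, address + size) not covered by `regions`.

    `regions` is an iterable of (begin, end_inclusive, perms) tuples in the
    format returned by Uc.mem_regions(). The result is a sorted list of
    page-aligned (start, size) pairs; an empty list means the whole range
    is already mapped.
    """
    start, size = page_align(address, size)
    end = start + size  # exclusive
    gaps = []
    cursor = start  # first address not yet accounted for
    for begin, last, _perms in sorted(regions):
        region_end = last + 1
        if region_end <= cursor or begin >= end:
            continue  # region lies entirely outside what is left to cover
        if begin > cursor:
            gaps.append((cursor, begin - cursor))
        cursor = max(cursor, region_end)
        if cursor >= end:
            break
    if cursor < end:
        gaps.append((cursor, end - cursor))
    return gaps


def map_without_overlap(mu, address, size, perms=UC_PROT_ALL):
    """Map [address, address + size) into `mu`, skipping pages that are
    already mapped instead of letting uc_mem_map fail with UC_ERR_MAP.
    Pages that were already mapped keep their existing permissions.
    Returns the (start, size) pairs that were actually mapped."""
    gaps = unmapped_ranges(address, size, mu.mem_regions())
    for gap_start, gap_size in gaps:
        mu.mem_map(gap_start, gap_size, perms)
    return gaps


def demo():
    """Map a stack area, then a second range that overlaps its last page.
    With an unpatched uc.c the plain mem_map raises UcError(UC_ERR_MAP);
    map_without_overlap then maps only the page that was missing.
    Returns (overlap_rejected, pages_added), or None without Unicorn."""
    if Uc is None:
        return None
    mu = Uc(UC_ARCH_X86, UC_MODE_64)
    map_without_overlap(mu, 0x7fff0000, 0x2000)
    try:
        mu.mem_map(0x7fff1000, 0x2000)
        overlap_rejected = False  # only happens with the uc.c workaround applied
    except UcError as err:
        overlap_rejected = err.errno == UC_ERR_MAP
    added = map_without_overlap(mu, 0x7fff1000, 0x2000)
    return overlap_rejected, added


if __name__ == "__main__":
    print(demo())
```

On a stock Unicorn, demo() returns (True, [(0x7fff2000, 0x1000)]): the overlapping mem_map is refused and only the one missing page is added. With the uc.c workaround applied the first value is False and the list is empty, because the overlapping mapping was accepted as a second region over the same guest pages, which is exactly the situation the check is meant to prevent.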

Volatility

Download Volatility and copy the contents of the ROPMEMU Volatility directory into the volatility/plugins folder of your installation. After that, python vol.py --info should list the ropemu and unchain plugins. The framework has been tested with Volatility 2.3.1, but it should also work with the latest releases.

Capstone

Follow the instructions on the Capstone website and install the Python bindings.

nasm

You can install nasm with your favourite package manager (e.g., sudo apt-get install nasm)

pygraphviz

Install the package on your favourite Linux distribution via pip: pip install pygraphviz. pip builds it against the Graphviz C library, so install the Graphviz development package first (e.g., sudo apt-get install graphviz libgraphviz-dev on Debian/Ubuntu).

GDB

Install GDB with your package manager and make sure it is a recent version built with Python 3 support; you can check which interpreter it embeds with gdb -batch -ex "python import sys; print(sys.version)". I have updated the GDB Python scripts to support Python 3.
