[ext_lib]

standalone Python library. Thank you Cédric (@saidelike).

Author: bootleg

README.md

@@ -62,6 +62,7 @@ that I developed and maintained during my stay at
   - [OllyDbg 1.10 usage](#ollydbg-110-usage)
   - [OllyDbg2 usage](#ollydbg2-usage)
   - [x64dbg usage](#x64dbg-usage)
+  - [Python library usage](#python-library-usage)
 - [Extend](#extend)
 - [TODO](#todo)
 - [Known Bugs/Limitations](#known-bugslimitations)
@@ -80,13 +81,18 @@ The debugger plugins:
 * `ext_olly2`: OllyDbg v2 plugin
 * `ext_x64dbg`: x64dbg plugin
 
-And the disassembler plugins:
+The disassembler plugins:
 
 * `ext_ida/SyncPlugin.py`
 * `ext_ghidra/dist/ghidra_*_retsync.zip`: Ghidra plugin
 * `ext_bn/retsync`: Binary Ninja plugin
 
 
+And the library plugin:
+
+* `ext_lib/sync.py`: standalone Python library
+
+
 # General prerequisites
 
 IDA and GDB plugins require a valid Python setup. Python 2 (>=2.7) and Python
@@ -966,6 +972,47 @@ specific address (equivalent of running **disasm <rebased addr>** in x64dbg
 command line).
 
 
+## Python library usage
+
+One may want to use **ret-sync** core features (position syncing with a
+disassembler, symbol resolution) even though a full debugging environment is
+not available or with a custom tool. To that end, a minimalist Python library
+has been extracted.
+
+The example below illustrates the usage of the Python library with a script
+that walks through the output of an event logging/tracing tool.
+
+
+```python
+from sync import *
+
+HOST = '127.0.0.1'
+
+MAPPINGS = [
+    [0x555555400000, 0x555555402000,  0x2000, " /bin/tempfile"],
+    [0x7ffff7dd3000, 0x7ffff7dfc000, 0x29000, " /lib/x86_64-linux-gnu/ld-2.27.so"],
+    [0x7ffff7ff7000, 0x7ffff7ffb000,  0x4000, " [vvar]"],
+    [0x7ffff7ffb000, 0x7ffff7ffc000,  0x1000, " [vdso]"],
+    [0x7ffffffde000, 0x7ffffffff000, 0x21000, " [stack]"],
+]
+
+EVENTS = [
+    [0x0000555555400e74, "malloc"],
+    [0x0000555555400eb3, "open"],
+    [0x0000555555400ee8, "exit"]
+]
+
+synctool = Sync(HOST, MAPPINGS)
+
+for e in EVENTS:
+    offset, name = e
+    synctool.invoke(offset)
+    print("    0x%08x - %s" % (offset, name))
+    print("[>] press enter for next event")
+    input()
+```
+
+
 # Extend
 
 While initially focused on dynamic analysis (debuggers), it is of-course

ext_lib/sync.py

@@ -0,0 +1,197 @@
+#!/usr/bin/python3
+#
+# Copyright (C) 2016, Alexandre Gazet.
+# Copyright (C) 2012-2014, Quarkslab.
+#
+# Copyright (C) 2017, Cedric Halbronn, NCC Group.
+#
+# This file is part of ret-sync.
+#
+# ret-sync is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+# Random notes:
+# There is no concept of disabling tunnel polling for commands (happy race...).
+
+import os
+import re
+import sys
+import time
+import socket
+import errno
+
+VERBOSE = 0
+
+HOST = "localhost"
+PORT = 9100
+
+
+# ext_python is adapted from ret-sync/ext_gdb/sync.py
+# TODO: factorize with the GNU GDB plugin
+
+
+def get_mod_by_addr(maps, addr):
+    for mod in maps:
+        if (addr > mod[0]) and (addr < mod[1]):
+            return [mod[0], mod[3]]
+    return None
+
+
+class Tunnel():
+
+    def __init__(self, host):
+        print("[sync] Initializing tunnel to IDA using %s:%d..." % (host, PORT))
+        try:
+            self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+            self.sock.connect((host, PORT))
+        except socket.error as msg:
+            self.sock.close()
+            self.sock = None
+            self.sync = False
+            print("[sync] Tunnel initialization  error: %s" % msg)
+            return None
+
+        self.sync = True
+
+    def is_up(self):
+        return (self.sock is not None and self.sync is True)
+
+    def poll(self):
+        if not self.is_up():
+            return None
+
+        self.sock.setblocking(False)
+
+        try:
+            msg = self.sock.recv(4096).decode()
+        except socket.error as e:
+            err = e.args[0]
+            if (err == errno.EAGAIN or err == errno.EWOULDBLOCK):
+                return '\n'
+            else:
+                self.close()
+                return None
+
+        self.sock.setblocking(True)
+        return msg
+
+    def send(self, msg):
+        if not self.sock:
+            print("[sync] tunnel_send: tunnel is unavailable (did you forget to sync ?)")
+            return
+
+        try:
+            self.sock.send(msg.encode())
+        except socket.error as msg:
+            print(msg)
+            self.sync = False
+            self.close()
+
+            print("[sync] tunnel_send error: %s" % msg)
+
+    def close(self):
+        if self.is_up():
+            self.send("[notice]{\"type\":\"dbg_quit\",\"msg\":\"dbg disconnected\"}\n")
+
+        if self.sock:
+            try:
+                self.sock.close()
+            except socket.error as msg:
+                print("[sync] tunnel_close error: %s" % msg)
+
+        self.sync = False
+        self.sock = None
+
+
+class Rln:
+
+    def __init__(self, sync):
+        self.sync = sync
+
+    def invoke(self, raddr):
+        self.sync.locate(raddr)
+
+        if (raddr is None) or (self.sync.offset is None):
+            return "-"
+
+        self.sync.tunnel.send("[sync]{\"type\":\"rln\",\"raddr\":%d" % raddr)
+
+        # Let time for the IDB client to reply if it exists
+        # Need to give it more time than usual to avoid "Resource temporarily unavailable"
+        time.sleep(0.5)
+
+        # Poll tunnel
+        msg = self.sync.tunnel.poll()
+        if msg:
+            return msg[:-1]  # strip newline
+        else:
+            return "-"
+
+
+class Sync:
+    def __init__(self, host, maps):
+        if not maps:
+            print("[sync] the memory mappings needs to be provided")
+            return None
+
+        self.maps = maps
+        self.base = None
+        self.offset = None
+        self.tunnel = None
+        self.poller = None
+        self.host = host
+
+    def locate(self, offset):
+        if not offset:
+            print("<unknown offset>")
+            return
+
+        self.offset = offset
+        mod = get_mod_by_addr(self.maps, self.offset)
+        if mod:
+            if VERBOSE >= 2:
+                print("[sync] mod found")
+                print(mod)
+
+            base, sym = mod
+
+            if self.base != base:
+                self.tunnel.send("[notice]{\"type\":\"module\",\"path\":\"%s\"}\n" % sym)
+                self.base = base
+
+            self.tunnel.send("[sync]{\"type\":\"loc\",\"base\":%d,\"offset\":%d}\n" % (self.base, self.offset))
+        else:
+            self.base = None
+            self.offset = None
+
+    def invoke(self, offset):
+        if self.tunnel and not self.tunnel.is_up():
+            self.tunnel = None
+
+        if not self.tunnel:
+            self.tunnel = Tunnel(self.host)
+            if not self.tunnel.is_up():
+                print("[sync] sync failed")
+                return
+
+            id = "ext_python"
+            self.tunnel.send("[notice]{\"type\":\"new_dbg\",\"msg\":\"dbg connect - %s\",\"dialect\":\"gdb\"}\n" % id)
+            print("[sync] sync is now enabled with host %s" % str(self.host))
+        else:
+            print('(update)')
+
+        self.locate(offset)
+
+
+if __name__ == "__main__":
+    print("[sync] this module cannot be called directly and needs to be imported from an external script")