add blob loader

Author: cq674350529

qiling/const.py

@@ -33,6 +33,7 @@ class QL_OS(IntEnum):
     EVM = 207
     QNX = 208
     MCU = 209
+    BARE = 210
 
 class QL_VERBOSE(IntEnum):
     OFF = 0
@@ -65,6 +66,7 @@ class QL_INTERCEPT(IntEnum):
 QL_OS_BAREMETAL   = (QL_OS.MCU,)
 QL_OS_INTERPRETER = (QL_OS.EVM,)
 QL_OS_ALL         = QL_OS_POSIX + QL_OS_NONPID + (QL_OS.WINDOWS,)
+QL_OS_BARE_RTOS   = (QL_OS.BARE,)
 
 QL_HOOK_BLOCK = 0b0001
 QL_CALL_BLOCK = 0b0010
@@ -90,6 +92,7 @@ def __reverse_enum(e: Type[Enum]) -> Mapping[str, Any]:
     QL_OS.DOS     : "DOS",
     QL_OS.EVM     : "EVM",
     QL_OS.MCU     : "MCU",
+    QL_OS.BARE    : "BLOB"
 }
 
 arch_os_map = {

qiling/core.py

@@ -19,7 +19,7 @@
     from .hw.hw import QlHwManager
     from .loader.loader import QlLoader
 
-from .const import QL_ARCH_ENDIAN, QL_ENDIAN, QL_VERBOSE, QL_OS_INTERPRETER, QL_OS_BAREMETAL, QL_OS_ALL
+from .const import QL_ARCH_ENDIAN, QL_ENDIAN, QL_VERBOSE, QL_OS_INTERPRETER, QL_OS_BAREMETAL, QL_OS_ALL, QL_OS_BARE_RTOS
 from .exception import QlErrorFileNotFound, QlErrorArch, QlErrorOsType
 from .utils import *
 from .core_struct import QlCoreStructs
@@ -194,7 +194,7 @@ def __init__(
         ##############
         # Components #
         ##############
-        if self.gpos or self.baremetal:
+        if self.gpos or self.baremetal or self.blob:
             self._mem = component_setup("os", "memory", self)
             self._reg = component_setup("arch", "register", self)
 
@@ -490,6 +490,15 @@ def gpos(self) -> bool:
         """
         return self.ostype in QL_OS_ALL
 
+    @property
+    def blob(self) -> bool:
+        """  Static linked bare binary type
+            - U-Boot, VxWorks, eCos
+
+            Type: bool
+        """
+        return self.ostype in QL_OS_BARE_RTOS
+
     @property
     def platform_os(self):
         """ Specify current platform os where Qiling runs on.

qiling/loader/blob.py

@@ -0,0 +1,65 @@
+#!/usr/bin/env python3
+#
+# Cross Platform and Multi Architecture Advanced Binary Emulation Framework
+#
+
+from qiling import Qiling
+from qiling.cc import QlCC, intel, arm, mips
+from qiling.const import QL_ARCH
+from qiling.loader.loader import QlLoader
+from qiling.os.fcall import QlFunctionCall
+from qiling.os.memory import QlMemoryHeap
+from qiling.os.os import QlOs
+
+
+class QLOsBare(QlOs):
+    """ QLOsBare for bare barines.
+
+    For bare binary such as u-boot, it's ready to be mapped and executed directly,
+    where there is(may be) no concept of os? Currently, some functionalities such as
+    resolve_fcall_params(), heap or add_fs_mapper() are based on os. To keep the
+    consistence of api usage, QLOsBare is introduced and placed at its loader temporarily.
+    """
+    def __init__(self, ql: Qiling):
+        super(QLOsBare, self).__init__(ql)
+
+        self.ql = ql
+
+        cc: QlCC = {
+            QL_ARCH.X86   : intel.cdecl,
+            QL_ARCH.X8664 : intel.amd64,
+            QL_ARCH.ARM   : arm.aarch32,
+            QL_ARCH.ARM64 : arm.aarch64,
+            QL_ARCH.MIPS  : mips.mipso32
+        }[ql.archtype](ql)
+
+        self.fcall = QlFunctionCall(ql, cc)
+
+    def run(self):
+        self.entry_point = self.ql.entry_point if self.ql.entry_point else self.ql.loader.load_address
+        self.exit_point = self.ql.exit_point if self.ql.exit_point else self.ql.loader.load_address + len(self.ql.code)
+
+        self.ql.emu_start(self.entry_point, self.exit_point, self.ql.timeout, self.ql.count)
+
+class QlLoaderBLOB(QlLoader):
+    def __init__(self, ql: Qiling):
+        super().__init__(ql)
+
+        self.load_address = 0
+
+    def run(self):
+        # setup bare os
+        self.ql._os = QLOsBare(self.ql)
+
+        self.load_address = self.ql.os.entry_point      # for consistency
+
+        self.ql.mem.map(self.ql.os.entry_point, self.ql.os.code_ram_size, info="[code]")
+        self.ql.mem.write(self.ql.os.entry_point, self.ql.code)
+
+        heap_address = self.ql.os.entry_point + self.ql.os.code_ram_size
+        heap_size = int(self.ql.os.profile.get("CODE", "heap_size"), 16)
+        self.ql.os.heap = QlMemoryHeap(self.ql, heap_address, heap_address + heap_size)
+
+        self.ql.reg.arch_sp = heap_address - 0x1000
+
+        return

tests/profiles/uboot_bin.ql

@@ -0,0 +1,20 @@
+[CODE]
+ram_size = 0xa00000
+entry_point = 0x80800000
+heap_size = 0x300000
+
+
+[LOG]
+# log directory output
+# usage: dir = qlog
+dir =
+# split log file, use with multithread
+split = False
+
+
+[MISC]
+# append string into different logs
+# maily for multiple times Ql run with one file
+# usage: append = test1
+append =
+current_path = /

tests/test_blob.py

@@ -0,0 +1,68 @@
+#!/usr/bin/env python3
+#
+# Cross Platform and Multi Architecture Advanced Binary Emulation Framework
+#
+
+import sys, unittest
+sys.path.append("..")
+
+from qiling.core import Qiling
+from qiling.const import QL_VERBOSE
+from qiling.os.const import STRING
+
+class BlobTest(unittest.TestCase):
+    def test_uboot_arm(self):
+        def my_getenv(ql, *args, **kwargs):
+            env = {"ID": b"000000000000000", "ethaddr": b"11:22:33:44:55:66"}
+            params = ql.os.resolve_fcall_params({'key': STRING})
+            value = env.get(params["key"], b"")
+
+            value_addr = ql.os.heap.alloc(len(value))
+            ql.mem.write(value_addr, value)
+
+            ql.reg.r0 = value_addr
+            ql.reg.arch_pc = ql.reg.lr
+
+        def check_password(ql, *args, **kwargs):
+            passwd_output = ql.mem.read(ql.reg.r0, ql.reg.r2)
+            passwd_input = ql.mem.read(ql.reg.r1, ql.reg.r2)
+            self.assertEqual(passwd_output, passwd_input)
+
+        def partial_run_init(ql):
+            # argv prepare
+            ql.reg.arch_sp -= 0x30
+            arg0_ptr = ql.reg.arch_sp
+            ql.mem.write(arg0_ptr, b"kaimendaji")
+
+            ql.reg.arch_sp -= 0x10
+            arg1_ptr = ql.reg.arch_sp
+            ql.mem.write(arg1_ptr, b"013f1f")
+
+            ql.reg.arch_sp -= 0x20
+            argv_ptr = ql.reg.arch_sp
+            ql.mem.write(argv_ptr, ql.pack(arg0_ptr))
+            ql.mem.write(argv_ptr + ql.pointersize, ql.pack(arg1_ptr))
+
+            ql.reg.r2 = 2
+            ql.reg.r3 = argv_ptr
+
+        print("ARM uboot bin")
+
+        with open("../examples/rootfs/blob/u-boot.bin.img", "rb") as f:
+            uboot_code = f.read()
+
+        ql = Qiling(code=uboot_code[0x40:], archtype="arm", ostype="bare", profile="profiles/uboot_bin.ql", verbose=QL_VERBOSE.DEBUG)
+
+        image_base_addr = ql.loader.load_address
+        ql.hook_address(my_getenv, image_base_addr + 0x13AC0)
+        ql.hook_address(check_password, image_base_addr + 0x48634)
+
+        partial_run_init(ql)
+
+        ql.run(image_base_addr + 0x486B4, image_base_addr + 0x48718)
+
+        del ql
+
+
+if __name__ == "__main__":
+    unittest.main()