qilingframework
diff --git a/‎ChangeLog‎
Lines changed: 22 additions & 7 deletions b/‎ChangeLog‎
Lines changed: 22 additions & 7 deletions
diff --git a/‎README.md‎
Lines changed: 26 additions & 26 deletions b/‎README.md‎
Lines changed: 26 additions & 26 deletions
diff --git a/‎examples/crackme_x86_linux.py‎
Lines changed: 5 additions & 8 deletions b/‎examples/crackme_x86_linux.py‎
Lines changed: 5 additions & 8 deletions
diff --git a/‎examples/crackme_x86_windows.py‎
Lines changed: 3 additions & 6 deletions b/‎examples/crackme_x86_windows.py‎
Lines changed: 3 additions & 6 deletions
diff --git a/‎examples/crackme_x86_windows_auto.py‎
Lines changed: 57 additions & 19 deletions b/‎examples/crackme_x86_windows_auto.py‎
Lines changed: 57 additions & 19 deletions
diff --git a/‎examples/crackme_x86_windows_setcallback.py‎
Lines changed: 2 additions & 2 deletions b/‎examples/crackme_x86_windows_setcallback.py‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎examples/crackme_x86_windows_unpatch.py‎
Lines changed: 2 additions & 2 deletions b/‎examples/crackme_x86_windows_unpatch.py‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎examples/doogie_8086_crack.py‎
Lines changed: 7 additions & 7 deletions b/‎examples/doogie_8086_crack.py‎
Lines changed: 7 additions & 7 deletions
diff --git a/‎examples/extensions/idaplugin/custom_script.py‎
Lines changed: 2 additions & 2 deletions b/‎examples/extensions/idaplugin/custom_script.py‎
Lines changed: 2 additions & 2 deletions
@@ -2,19 +2,34 @@ This file details the changelog of Qiling Framework.
 
 
 ------------------------------------
-[Version 1.4.2]: Jan 29th, 2022
+[Version 1.4.2]: Feb 13th, 2022
 
 New features:
--
--
+- Add stm32f103 support (#1087)
+- Add Arduino Due (SAM3X8E) Support (#1090)
 
 Improvements:
--
--
+- ARM exception handler improvements (#1056)
+- UEFI improvements (#1061)
+- Qdb improvements (#1058)
+- Update rich api in evm dbgcui (#1062)
+- Add security coockies back into PE loader for kernel driver (#1063)
+- Fix ql_open_flag_mapping for Linux binary emulation on Windows (#1064)
+- Minor changes and fixes to the tracing module (#1065)
+- Fix unicornafl for linux_x8664 fuzzing example (#1068)
+- Fuzzing improvements (#1075)
+- Add fix and example for openat path traversion (#1076)
+- Fix _CreateFileA params issue (#1079)
 
 Contributors:
--
--
+- nmantani
+- hardik05
+- cla7aye15I4nd
+- ucgJhe
+- elicn
+- wtdcode
+- kabeor
+- xwings
 
 
 ------------------------------------
 
@@ -88,55 +88,55 @@ Please see [setup guide](https://docs.qiling.io/en/latest/install/) file for how
 
 #### Examples
 
-- Below example shows how to use Qiling framework to emulate a Windows EXE on a Linux machine
+- The example below shows how to use Qiling framework in the most striaghtforward way to emulate a Windows executable.
 
 ```python
-from qiling import *
-
-# sandbox to emulate the EXE
-def my_sandbox(path, rootfs):
-    # setup Qiling engine
-    ql = Qiling(path, rootfs)
-    # now emulate the EXE
-    ql.run()
+from qiling import Qiling
 
 if __name__ == "__main__":
-    # execute Windows EXE under our rootfs
-    my_sandbox(["examples/rootfs/x86_windows/bin/x86_hello.exe"], "examples/rootfs/x86_windows")
+    # initialize Qiling instance, specifying the executable to emulate and the emulated system root.
+    # note that the current working directory is assumed to be Qiling home
+    ql = Qiling([r'examples/rootfs/x86_windows/bin/x86_hello.exe'], r'examples/rootfs/x86_windows')
+
+    # start emulation
+    ql.run()
 ```
 
-- Below example shows how to use Qiling framework to dynamically patch a Windows crackme, make it always display "Congratulation" dialog
+- The following example shows how a Windows crackme may be patched dynamically to make it always display the "Congratulation" dialog.
 
 ```python
-from qiling import *
+from qiling import Qiling
+
+def force_call_dialog_func(ql: Qiling):
+    # get DialogFunc address from current stack frame
+    lpDialogFunc = ql.stack_read(-8)
 
-def force_call_dialog_func(ql):
-    # get DialogFunc address
-    lpDialogFunc = ql.unpack32(ql.mem.read(ql.reg.esp - 0x8, 4))
     # setup stack memory for DialogFunc
     ql.stack_push(0)
-    ql.stack_push(1001)
-    ql.stack_push(273)
+    ql.stack_push(1001)     # IDS_APPNAME
+    ql.stack_push(0x111)    # WM_COMMAND
     ql.stack_push(0)
+
+    # push return address
     ql.stack_push(0x0401018)
-    # force EIP to DialogFunc
-    ql.reg.eip = lpDialogFunc
+
+    # resume emulation from DialogFunc address
+    ql.arch.regs.eip = lpDialogFunc
 
 
-def my_sandbox(path, rootfs):
-    ql = Qiling(path, rootfs)
+if __name__ == "__main__":
+    # initialize Qiling instance
+    ql = Qiling([r'rootfs/x86_windows/bin/Easy_CrackMe.exe'], r'rootfs/x86_windows')
+
     # NOP out some code
     ql.patch(0x004010B5, b'\x90\x90')
     ql.patch(0x004010CD, b'\x90\x90')
     ql.patch(0x0040110B, b'\x90\x90')
     ql.patch(0x00401112, b'\x90\x90')
+
     # hook at an address with a callback
     ql.hook_address(force_call_dialog_func, 0x00401016)
     ql.run()
-
-
-if __name__ == "__main__":
-    my_sandbox(["rootfs/x86_windows/bin/Easy_CrackMe.exe"], "rootfs/x86_windows")
 ```
 
 The below Youtube video shows how the above example works.
 
@@ -16,14 +16,11 @@
 
 class Solver:
     def __init__(self, invalid: bytes):
-        mock_stdin = pipe.SimpleInStream(sys.stdin.fileno())
-        mock_stdout = pipe.NullOutStream(sys.stdout.fileno())
-
         # create a silent qiling instance
-        self.ql = Qiling([rf"{ROOTFS}/bin/crackme_linux"], ROOTFS,
-            verbose=QL_VERBOSE.OFF, # thwart qiling logger output
-            stdin=mock_stdin,       # take over the input to the program using a fake stdin
-            stdout=mock_stdout)     # disregard program output
+        self.ql = Qiling([rf"{ROOTFS}/bin/crackme_linux"], ROOTFS, verbose=QL_VERBOSE.OFF)
+
+        self.ql.os.stdin = pipe.SimpleInStream(sys.stdin.fileno())  # take over the input to the program using a fake stdin
+        self.ql.os.stdout = pipe.NullOutStream(sys.stdout.fileno()) # disregard program output
 
         # execute program until it reaches the 'main' function
         self.ql.run(end=0x0804851b)
@@ -32,7 +29,7 @@ def __init__(self, invalid: bytes):
         #
         # since the emulation halted upon entering 'main', its return address is there on
         # the stack. we use it to limit the emulation till function returns
-        self.replay_starts = self.ql.reg.arch_pc
+        self.replay_starts = self.ql.arch.regs.arch_pc
         self.replay_ends = self.ql.stack_read(0)
 
         # instead of restarting the whole program every time a new flag character is guessed,
 
@@ -14,13 +14,10 @@ def instruction_count(ql: Qiling, address: int, size: int, user_data):
     user_data[0] += 1
 
 def get_count(flag):
-    mock_stdin = pipe.SimpleStringBuffer()
-    mock_stdout = pipe.SimpleStringBuffer()
+    ql = Qiling(["rootfs/x86_windows/bin/crackme.exe"], "rootfs/x86_windows", verbose=QL_VERBOSE.OFF)
 
-    ql = Qiling(["rootfs/x86_windows/bin/crackme.exe"], "rootfs/x86_windows",
-        verbose=QL_VERBOSE.OFF,
-        stdin=mock_stdin,
-        stdout=mock_stdout)
+    ql.os.stdin = pipe.SimpleStringBuffer()
+    ql.os.stdout = pipe.SimpleStringBuffer()
 
     ql.os.stdin.write(bytes("".join(flag) + "\n", 'utf-8'))
     count = [0]
 
@@ -8,26 +8,64 @@
 
 from qiling import Qiling
 from qiling.extensions import pipe
+from qiling.const import QL_INTERCEPT, QL_VERBOSE
+from qiling.os.windows.api import HWND, UINT, LONG
+
+def hook_DialogBoxParamA_onexit(ql: Qiling, address: int, params, retval: int):
+    # extract lpDialogFunc value
+    # [see arguments list at 'qiling/os/windows/dlls/user32.py' -> 'hook_DialogBoxParamA']
+    lpDialogFunc = params['lpDialogFunc']
+
+    def call_DialogFunc(ql: Qiling):
+        # we would like to resume from the exact same address that used to invoke
+        # this hook. in order to prevent an endless loop of hook invocations, we
+        # remove the hook through its handle.
+        hh.remove()
+
+        WM_COMMAND = 0x111
+        IDS_APPNAME = 1001
+
+        # [steps #3 and #4]
+        # set up the arguments and call the address passed through the lpDialogFunc
+        # param. make sure it resumes back to where we were.
+        ql.os.fcall.call_native(lpDialogFunc, (
+            (HWND, 0),
+            (UINT, WM_COMMAND),
+            (UINT, IDS_APPNAME),
+            (LONG, 0),
+        ), ql.arch.regs.arch_pc)
+
+    # get DialogBoxParamA return address; should be the first item on the stack
+    retaddr = ql.arch.stack_read(0)
+
+    # we would like to call DialogFunc as soon as DialogBoxParamA returns, so we
+    # hook its return address. once it returns, 'call_DialogFunc' will be invoked.
+    hh = ql.hook_address(call_DialogFunc, retaddr)
+
+def our_sandbox(path: str, rootfs: str):
+    ql = Qiling([path], rootfs, verbose=QL_VERBOSE.DEFAULT)
+
+    # this crackme's logic lies within the function passed to DialogBoxParamA through
+    # the lpDialogFunc parameter. normally DialogBoxParamA would call the function
+    # passed through that parameter, but Qiling's implementation for it doesn't do
+    # that.
+    #
+    # to solve this crackme and force the "success" dialog to show, we will:
+    #  1. set up a mock stdin and feed it with the correct flag
+    #  1. hook DialogBoxParamA to see where its lpDialogFunc param points to
+    #  2. set up a valid set of arguments DialogFunc expects to see
+    #  3. call it and see it greets us with a "success" message
+
+    # [step #1]
+    # set up a mock stdin and feed it with mocked keystrokes
+    ql.os.stdin = pipe.SimpleInStream(sys.stdin.fileno())
+    ql.os.stdin.write(b'Ea5yR3versing\n')
+
+    # [step #2]
+    # intercept DialogBoxParamA on exit
+    ql.os.set_api('DialogBoxParamA', hook_DialogBoxParamA_onexit, QL_INTERCEPT.EXIT)
 
-def force_call_dialog_func(ql: Qiling):
-    # get DialogFunc address
-    lpDialogFunc = ql.unpack32(ql.mem.read(ql.reg.esp - 0x8, 4))
-    # setup stack for DialogFunc
-    ql.stack_push(0)
-    ql.stack_push(1001)
-    ql.stack_push(273)
-    ql.stack_push(0)
-    ql.stack_push(0x0401018)
-    # force EIP to DialogFunc
-    ql.reg.eip = lpDialogFunc
-
-def our_sandbox(path, rootfs):
-    ql = Qiling(path, rootfs, stdin=pipe.SimpleInStream(sys.stdin.fileno()))
-
-    ql.os.stdin.write(b"Ea5yR3versing\n")
-    ql.hook_address(force_call_dialog_func, 0x00401016)
     ql.run()
 
 if __name__ == "__main__":
-    # Flag is : Ea5yR3versing
-    our_sandbox(["rootfs/x86_windows/bin/Easy_CrackMe.exe"], "rootfs/x86_windows")
+    our_sandbox(r"rootfs/x86_windows/bin/Easy_CrackMe.exe", r"rootfs/x86_windows")
@@ -10,15 +10,15 @@
 
 def force_call_dialog_func(ql: Qiling):
     # get DialogFunc address
-    lpDialogFunc = ql.unpack32(ql.mem.read(ql.reg.esp - 0x8, 4))
+    lpDialogFunc = ql.unpack32(ql.mem.read(ql.arch.regs.esp - 0x8, 4))
     # setup stack for DialogFunc
     ql.stack_push(0)
     ql.stack_push(1001)
     ql.stack_push(273)
     ql.stack_push(0)
     ql.stack_push(0x0401018)
     # force EIP to DialogFunc
-    ql.reg.eip = lpDialogFunc
+    ql.arch.regs.eip = lpDialogFunc
 
 def my_sandbox(path, rootfs):
     ql = Qiling(path, rootfs)
 
@@ -10,15 +10,15 @@
 
 def force_call_dialog_func(ql: Qiling):
     # get DialogFunc address
-    lpDialogFunc = ql.unpack32(ql.mem.read(ql.reg.esp - 0x8, 4))
+    lpDialogFunc = ql.unpack32(ql.mem.read(ql.arch.regs.esp - 0x8, 4))
     # setup stack for DialogFunc
     ql.stack_push(0)
     ql.stack_push(1001)
     ql.stack_push(273)
     ql.stack_push(0)
     ql.stack_push(0x0401018)
     # force EIP to DialogFunc
-    ql.reg.eip = lpDialogFunc
+    ql.arch.regs.eip = lpDialogFunc
 
 def our_sandbox(path, rootfs):
     ql = Qiling(path, rootfs)
 
@@ -119,7 +119,7 @@ def echo_key(ql: Qiling, key):
 
 def show_once(ql: Qiling, key):
     klen = len(key)
-    ql.reg.ax = klen
+    ql.arch.regs.ax = klen
     ql.mem.write(0x87F4, key)
     # Partial exectution to skip input reading
     ql.run(begin=0x801B, end=0x803d)
@@ -133,7 +133,7 @@ def third_stage(keys):
                  "rootfs/8086",
                  console=False)
     ql.add_fs_mapper(0x80, QlDisk("rootfs/8086/doogie/doogie.DOS_MBR", 0x80))
-    ql.set_api((0x1a, 4), set_required_datetime, QL_INTERCEPT.EXIT)
+    ql.os.set_api((0x1a, 4), set_required_datetime, QL_INTERCEPT.EXIT)
     hk = ql.hook_code(stop, begin=0x8018, end=0x8018)
     ql.run()
     ql.hook_del(hk)
@@ -172,10 +172,10 @@ def read_until_zero(ql: Qiling, addr):
 
 def set_required_datetime(ql: Qiling):
     ql.log.info("Setting Feburary 06, 1990")
-    ql.reg.ch = BIN2BCD(19)
-    ql.reg.cl = BIN2BCD(1990%100)
-    ql.reg.dh = BIN2BCD(2)
-    ql.reg.dl = BIN2BCD(6)
+    ql.arch.regs.ch = BIN2BCD(19)
+    ql.arch.regs.cl = BIN2BCD(1990%100)
+    ql.arch.regs.dh = BIN2BCD(2)
+    ql.arch.regs.dl = BIN2BCD(6)
 
 def stop(ql, addr, data):
     ql.emu_stop()
@@ -187,7 +187,7 @@ def first_stage():
                  console=False)
     ql.add_fs_mapper(0x80, QlDisk("rootfs/8086/doogie/doogie.DOS_MBR", 0x80))
     # Doogie suggests that the datetime should be 1990-02-06.
-    ql.set_api((0x1a, 4), set_required_datetime, QL_INTERCEPT.EXIT)
+    ql.os.set_api((0x1a, 4), set_required_datetime, QL_INTERCEPT.EXIT)
     # A workaround to stop the program.
     hk = ql.hook_code(stop, begin=0x8018, end=0x8018)
     ql.run()
 
@@ -5,10 +5,10 @@ def __init__(self):
         pass
 
     def _show_context(self, ql:Qiling):
-        registers = [ k for k in ql.reg.register_mapping.keys() if type(k) is str ]
+        registers = [ k for k in ql.arch.regs.register_mapping.keys() if type(k) is str ]
         for idx in range(0, len(registers), 3):
             regs = registers[idx:idx+3]
-            s = "\t".join(map(lambda v: f"{v:4}: {ql.reg.__getattr__(v):016x}", regs))
+            s = "\t".join(map(lambda v: f"{v:4}: {ql.arch.regs.__getattr__(v):016x}", regs))
             ql.log.info(s)
 
     def custom_prepare(self, ql:Qiling):