Merge pull request #597 from cq674350529/feat/add_mips_lkm

add support for mips32_lkm

Author: xwings

ChangeLog

@@ -10,7 +10,8 @@ BREAK CHANGE
 
 ------------------------------------
 [Version 1.2.1]: December [SOMETHING], 2020
-- 
+
+- Degimod: fix lkm mapping and add support for mips32 lkm
 
 ------------------------------------
 [Version 1.2]: November 16th, 2020

examples/rootfs/mips32_linux/kernel/hello.ko

@@ -434,10 +434,11 @@ def lkm_get_init(self, ql):
             for nsym, symbol in enumerate(section.iter_symbols()):
                 if symbol.name == 'init_module':
                     addr = symbol.entry.st_value + elffile.get_section(symbol['st_shndx'])['sh_offset']
-                    logging.info("init_module = 0x%x" % addr)
+                    logging.info("[+] init_module = 0x%x" % addr)
                     return addr
 
         # not found. FIXME: report error on invalid module??
+        logging.warning("[!] invalid module? symbol init_module not found")
         return -1
 
     def lkm_dynlinker(self, ql, mem_start):
@@ -458,7 +459,8 @@ def get_symbol(elffile, name):
         rev_reloc_symbols = {}
 
         # dump_mem("XX Original code at 15a1 = ", ql.mem.read(0x15a1, 8))
-        for section in elffile.iter_sections():
+        _sections = list(elffile.iter_sections())
+        for section in _sections:
             # only care about reloc section
             if not isinstance(section, RelocationSection):
                 continue
@@ -467,9 +469,15 @@ def get_symbol(elffile, name):
             if section.name == ".rela.gnu.linkonce.this_module":
                 continue
 
+            dest_sec_idx = section.header.get('sh_info', None)
+            if dest_sec_idx is not None and dest_sec_idx < len(_sections):
+                dest_sec = _sections[dest_sec_idx]
+                if dest_sec.header['sh_flags'] & 2 == 0:
+                    # The target section is not loaded into memory, so just continue
+                    continue
+
             # The symbol table section pointed to in sh_link
             symtable = elffile.get_section(section['sh_link'])
-
             for rel in section.iter_relocations():
                 if rel['r_info_sym'] == 0:
                     continue
@@ -564,15 +572,33 @@ def get_symbol(elffile, name):
                     val = rev_reloc_symbols[symbol_name] + val - loc
                     ql.mem.write(loc, ql.pack32(val & 0xFFFFFFFF))
 
-                elif describe_reloc_type(rel['r_info_type'], elffile) == 'R_386_32':
+                elif describe_reloc_type(rel['r_info_type'], elffile) in ('R_386_32', 'R_MIPS_32'):
                     val = ql.unpack(ql.mem.read(loc, 4))
                     val = rev_reloc_symbols[symbol_name] + val
                     ql.mem.write(loc, ql.pack32(val & 0xFFFFFFFF))
 
+                elif describe_reloc_type(rel['r_info_type'], elffile) == 'R_MIPS_HI16':
+                    # actual relocation is done in R_MIPS_LO16
+                    prev_mips_hi16_loc = loc
+
+                elif describe_reloc_type(rel['r_info_type'], elffile) == 'R_MIPS_LO16':
+                    val = ql.unpack16(ql.mem.read(prev_mips_hi16_loc + 2, 2)) << 16 | ql.unpack16(ql.mem.read(loc + 2, 2))
+                    val = rev_reloc_symbols[symbol_name] + val
+                    # *(word)(mips_lo16_loc + 2) is treated as signed
+                    if (val & 0xFFFF) >= 0x8000:
+                        val += (1 << 16)
+
+                    ql.mem.write(prev_mips_hi16_loc + 2, ql.pack16(val >> 16))
+                    ql.mem.write(loc + 2, ql.pack16(val & 0xFFFF))
+
+                else:
+                    raise QlErrorNotImplemented("[!] Relocation type %s not implemented" % describe_reloc_type(rel['r_info_type'], elffile))
+
         return rev_reloc_symbols
 
     def load_driver(self, ql, stack_addr, loadbase=0):
         elfhead = super().parse_header()
+        elfdata_mapping = self.get_elfdata_mapping()
 
         # Determine the range of memory space opened up
         mem_start = -1
@@ -590,21 +616,16 @@ def load_driver(self, ql, stack_addr, loadbase=0):
 
         # FIXME
         mem_start = 0x1000
-        mem_end = mem_start + int(len(self.elfdata) / 0x1000 + 1) * 0x1000
+        mem_end = mem_start + int(len(elfdata_mapping) / 0x1000 + 1) * 0x1000
 
         # map some memory to intercept external functions of Linux kernel
-        ql.mem.map(API_HOOK_MEM, 0x1000)
-
-        # print("load addr = %x, size = %x" %(loadbase + mem_start, mem_end - mem_start))
-        ql.mem.map(loadbase + mem_start, mem_end - mem_start)
+        ql.mem.map(API_HOOK_MEM, 0x1000, info="[api_mem]")
 
         logging.info("[+] loadbase: %x, mem_start: %x, mem_end: %x" % (loadbase, mem_start, mem_end))
-
-        ql.mem.write(loadbase + mem_start, self.elfdata)
-        # dump_mem("Dumping some bytes:", self.elfdata[0x64 : 0x84])
+        ql.mem.map(loadbase + mem_start, mem_end - mem_start, info=ql.path)
+        ql.mem.write(loadbase + mem_start, elfdata_mapping)
 
         entry_point = self.lkm_get_init(ql) + loadbase + mem_start
-
         ql.brk_address = mem_end + loadbase
 
         # Set MMAP addr
@@ -619,7 +640,6 @@ def load_driver(self, ql, stack_addr, loadbase=0):
         new_stack = self.alignment(new_stack)
 
         # self.ql.os.elf_entry = self.elf_entry = loadbase + elfhead['e_entry']
-
         self.ql.os.entry_point = self.entry_point = entry_point
         self.elf_entry = self.ql.os.elf_entry = self.ql.os.entry_point
 
@@ -631,7 +651,7 @@ def load_driver(self, ql, stack_addr, loadbase=0):
         # remember address of syscall table, so external tools can access to it
         ql.os.syscall_addr = SYSCALL_MEM
         # setup syscall table
-        ql.mem.map(SYSCALL_MEM, 0x1000)
+        ql.mem.map(SYSCALL_MEM, 0x1000, info="[syscall_mem]")
         # zero out syscall table memory
         ql.mem.write(SYSCALL_MEM, b'\x00' * 0x1000)
 
@@ -642,7 +662,7 @@ def load_driver(self, ql, stack_addr, loadbase=0):
                 tmp_sc = sc.replace("sys_", "NR_")
                 if tmp_sc in globals():
                     syscall_id = globals()[tmp_sc]
-                    print("Writing syscall %s to [0x%x]" % (sc, SYSCALL_MEM + ql.pointersize * syscall_id))
+                    logging.debug("Writing syscall %s to [0x%x]" % (sc, SYSCALL_MEM + ql.pointersize * syscall_id))
                     ql.mem.write(SYSCALL_MEM + ql.pointersize * syscall_id, ql.pack(rev_reloc_symbols[sc]))
 
         # write syscall addresses into syscall table
@@ -657,3 +677,24 @@ def load_driver(self, ql, stack_addr, loadbase=0):
         ql.import_symbols[self.ql.os.hook_addr] = hook_sys_read
         ql.import_symbols[self.ql.os.hook_addr + 1 * ql.pointersize] = hook_sys_write
         ql.import_symbols[self.ql.os.hook_addr + 2 * ql.pointersize] = hook_sys_open
+
+    def get_elfdata_mapping(self):
+        elfdata_mapping = bytearray()
+        elfdata_mapping.extend(self.getelfdata(0, self.elfhead['e_ehsize']))    #elf header
+
+        for section in self.parse_sections():
+            if section.header['sh_flags'] & 2:      # alloc flag
+                sh_offset = section.header['sh_offset']
+                sh_size = section.header['sh_size']
+
+                # align section addr
+                elfdata_len = len(elfdata_mapping)
+                if elfdata_len < sh_offset:
+                    elfdata_mapping.extend(b'\x00' * (sh_offset - elfdata_len))
+
+                if section.header['sh_type'] == 'SHT_NOBITS':
+                    elfdata_mapping.extend(b'\x00' * sh_size)
+                else:
+                    elfdata_mapping.extend(self.getelfdata(sh_offset, sh_size))
+
+        return bytes(elfdata_mapping)

qiling/loader/elf.py

@@ -4,6 +4,7 @@
 # Built on top of Unicorn emulator (www.unicorn-engine.org) 
 import struct, logging
 from unicorn.x86_const import *
+from unicorn.mips_const import *
 from qiling.os.utils import *
 
 
@@ -35,6 +36,8 @@ def _get_param_by_index(ql, index):
         return _x86_get_params_by_index(ql, index)
     elif ql.archtype == QL_ARCH.X8664:
         return _x8664_get_params_by_index(ql, index)
+    elif ql.archtype == QL_ARCH.MIPS:
+        return _mips32_get_params_by_index(ql, index)
 
 
 # TODO: x86 calling convention of Linux kernel?
@@ -86,6 +89,14 @@ def _x8664_get_args(ql, number):
         return arg_list
 
 
+def _mips32_get_params_by_index(ql, index):
+    reg_list = [UC_MIPS_REG_4, UC_MIPS_REG_5, UC_MIPS_REG_6, UC_MIPS_REG_7]
+    if index < 4:
+        return ql.uc.reg_read(reg_list[index])
+
+    return ql.stack.read(index * 4)
+
+
 def set_function_params(ql, in_params, out_params):
     index = 0
     for each in in_params:
@@ -120,13 +131,17 @@ def set_return_value(ql, ret):
         ql.uc.reg_write(UC_X86_REG_EAX, ret)
     elif ql.archtype == QL_ARCH.X8664:
         ql.uc.reg_write(UC_X86_REG_RAX, ret)
+    elif ql.archtype == QL_ARCH.MIPS:
+        ql.uc.reg_write(UC_MIPS_REG_2, ret)
 
 
 def get_return_value(ql):
     if ql.archtype == QL_ARCH.X86:
         return ql.uc.reg_read(UC_X86_REG_EAX)
     elif ql.archtype == QL_ARCH.X8664:
         return ql.uc.reg_read(UC_X86_REG_RAX)
+    elif ql.archtype == QL_ARCH.MIPS:
+        return ql.uc.reg_read(UC_MIPS_REG_2)
 
 
 def print_function(ql, passthru, address, function_name, params, ret):
@@ -228,6 +243,12 @@ def x8664_fastcall(ql, param_num, params, func, args, kwargs):
     return result
 
 
+def mips_call(ql, param_num, params, func, args, kwargs):
+    result, param_num  = __x86_cc(ql, param_num, params, func, args, kwargs)
+    ql.reg.arch_pc = ql.reg.ra
+    return result
+
+
 def linux_kernel_api(param_num=None, params=None):
     """
     @cc: windows api calling convention, only x86 needs this, x64 is always fastcall
@@ -244,6 +265,8 @@ def wrapper(*args, **kwargs):
                 #    return x86_cdecl(ql, param_num, params, func, args, kwargs)
             elif ql.archtype == QL_ARCH.X8664:
                 return x8664_fastcall(ql, param_num, params, func, args, kwargs)
+            elif ql.archtype == QL_ARCH.MIPS:
+                return mips_call(ql, param_num, params, func, args, kwargs)
             else:
                 raise QlErrorArch("[!] Unknown ql.archtype")
         return wrapper

qiling/os/linux/fncc.py

@@ -76,13 +76,6 @@ def hook_mutex_unlock(ql, address, params):
     return 0
 
 
-@linux_kernel_api(params={
-    "Ptr": POINTER
-})
-def hook_memcmp(ql, address, params):
-    pass
-
-
 @linux_kernel_api(params={
     "Ptr": POINTER
 })
@@ -281,7 +274,10 @@ def hook_strncmp(ql, address, params):
     "needle": STRING
 })
 def hook_strstr(ql, address, params):
-    return 0
+    _haystack = params["haystack"]
+    _needle = params["needle"]
+    index = _haystack.find(_needle)
+    return 0 if index == -1 else index
 
 
 @linux_kernel_api(params={
@@ -299,7 +295,10 @@ def hook_strlen(ql, address, params):
     "size": SIZE_T
 })
 def hook_memcmp(ql, address, params):
-    return 0
+    s1 = params['s1']
+    s2 = params['s2']
+    size = params['size']
+    return ql.mem.read(s1, size) ==  ql.mem.read(s2, size)
 
 
 @linux_kernel_api(params={
@@ -465,3 +464,15 @@ def hook_commit_creds(ql, address, params):
 })
 def hook_abort_creds(ql, address, params):
     return 0
+
+@linux_kernel_api(params={
+    "dest": POINTER,
+    "src": POINTER,
+    "size": SIZE_T
+})
+def hook_memcpy(ql, address, params):
+    dest = params["dest"]
+    src = params["src"]
+    size = params["size"]
+    ql.mem.write(dest, bytes(ql.mem.read(src, size)))
+    return dest

qiling/os/linux/kernel_api/kernel_api.py

@@ -928,8 +928,15 @@ def test_demigod_m0hamed_x8664(self):
         except UcError as e:
             print(e)
             sys.exit(-1)
-        del ql         
-    
+        del ql
+
+    def test_demigod_hello_mips32(self):
+        ql = Qiling(["../examples/rootfs/mips32_linux/kernel/hello.ko"],  "../examples/rootfs/mips32_linux", output="debug")
+        begin = ql.loader.load_address + 0x1060
+        end = ql.loader.load_address + 0x1084
+        ql.run(begin=begin, end=end)
+        del ql
+
     def test_x8664_absolute_path(self):
         class MyPipe():
             def __init__(self):