Merge pull request #4 from qilingframework/dev

Dev

Author: xwings

examples/hello_arm_qnx_customapi.py

@@ -0,0 +1,34 @@
+#!/usr/bin/env python3
+#
+# Cross Platform and Multi Architecture Advanced Binary Emulation Framework
+#
+
+import sys
+sys.path.append("..")
+
+from qiling import Qiling
+from qiling.const import QL_INTERCEPT, QL_CALL_BLOCK, QL_VERBOSE
+from qiling.os.const import STRING
+
+def my_puts_onenter(ql: Qiling):
+    params = ql.os.resolve_fcall_params({'s': STRING})
+
+    print(f'puts("{params["s"]}")')
+    return QL_CALL_BLOCK
+
+def my_printf_onenter(ql: Qiling):
+    params = ql.os.resolve_fcall_params({'s': STRING})
+
+    print(f'printf("{params["s"]}")')
+    return QL_CALL_BLOCK
+
+def my_puts_onexit(ql: Qiling):
+    print(f'after puts')
+    return QL_CALL_BLOCK
+
+if __name__ == "__main__":
+    ql = Qiling(["rootfs/arm_qnx/bin/hello_static"], "rootfs/arm_qnx")
+    ql.set_api('puts', my_puts_onenter, QL_INTERCEPT.ENTER)
+    ql.set_api('printf', my_printf_onenter, QL_INTERCEPT.ENTER)
+    ql.set_api('puts', my_puts_onexit, QL_INTERCEPT.EXIT)
+    ql.run()

examples/mem_invalid_access.py

@@ -11,8 +11,8 @@
 def mem_crash(ql: Qiling, access: int, address: int, size: int, value: int):
     print(f'got crash')
 
-    PAGE_SIZE = 0x1000
-    aligned = address & ~(PAGE_SIZE - 1)
+    PAGE_SIZE = ql.mem.pagesize
+    aligned = ql.mem.align(address)
 
     # map the entire page containing the invalid address and fill it with 'Q's
     ql.mem.map(aligned, PAGE_SIZE)

qiling/extensions/idaplugin/qilingida.py

@@ -42,7 +42,7 @@
 from PyQt5.QtWidgets import (QPushButton, QHBoxLayout)
 
 # Qiling
-from qiling import *
+from qiling import Qiling
 from qiling.const import *
 from qiling.arch.x86_const import reg_map_32 as x86_reg_map_32
 from qiling.arch.x86_const import reg_map_64 as x86_reg_map_64
@@ -1269,7 +1269,7 @@ def ql_show_mem_view(self, addr=get_screen_ea(), size=0x10):
                         ok = ask_yn(1, "Memory [%X:%X] is not mapped!\nDo you want to map it?\n   YES - Load Binary\n   NO - Fill page with zeroes\n   Cancel - Close dialog" % (mem_addr, mem_addr + mem_size))
                         if ok == 0:
                             self.qlemu.ql.mem.map(mem_addr, mem_size)
-                            self.qlemu.ql.mem.write(self.qlemu.ql.mem.align(mem_addr), b"\x00"*mem_size)
+                            self.qlemu.ql.mem.write(mem_addr, b"\x00"*mem_size)
                         elif ok == 1:
                             # TODO: map_binary
                             return
@@ -1568,16 +1568,16 @@ def _guide_hook(self, ql, addr, size):
                 self.paths[start_bb_id].append(cur_bb.id)
             ql.emu_stop()
 
-    def _skip_unmapped_rw(self, ql, type, addr, size, value):
-        alignment = 0x1000
-        # Round down
-        map_addr = addr & (~(alignment - 1))
-        # Round up
-        map_size = ((size + (alignment - 1)) & (~(alignment - 1)))
+    def _skip_unmapped_rw(self, ql: Qiling, type, addr, size, value):
+        map_addr = ql.mem.align(addr)
+        map_size = ql.mem.align_up(size)
+
         if not ql.mem.is_mapped(map_addr, map_size):
             logging.warning(f"Invalid memory R/W, trying to map {hex(map_size)} at {hex(map_addr)}")
+
             ql.mem.map(map_addr, map_size)
-            ql.mem.write(map_addr, b'\x00'*map_size)
+            ql.mem.write(map_addr, b'\x00' * map_size)
+
         return True
 
     def _find_branch_in_real_block(self, bb):

qiling/loader/pe.py

@@ -96,7 +96,7 @@ def load_dll(self, name: bytes, driver: bool = False) -> int:
             data = cached.data
 
             image_base = cached.ba
-            image_size = self.ql.mem.align(len(data), 0x1000)
+            image_size = self.ql.mem.align_up(len(data))
 
             # verify whether we can load the dll to the same address it was loaded when it was cached.
             # if not, the dll will have to be realoded in order to have its symbols relocated using the
@@ -126,7 +126,7 @@ def load_dll(self, name: bytes, driver: bool = False) -> int:
             data = bytearray(dll.get_memory_mapped_image())
 
             image_base = dll.OPTIONAL_HEADER.ImageBase or self.dll_last_address
-            image_size = self.ql.mem.align(len(data), 0x1000)
+            image_size = self.ql.mem.align_up(len(data))
 
             self.ql.log.debug(f'DLL preferred base address: {image_base:#x}')
 
@@ -514,7 +514,7 @@ def load(self):
         if self.path and not self.ql.code:
             # for simplicity, no image base relocation
             self.pe_image_address = self.pe.OPTIONAL_HEADER.ImageBase
-            self.pe_image_address_size = self.ql.mem.align(self.pe.OPTIONAL_HEADER.SizeOfImage, 0x1000)
+            self.pe_image_address_size = self.ql.mem.align_up(self.pe.OPTIONAL_HEADER.SizeOfImage)
 
             if self.pe_image_address + self.pe_image_address_size > self.ql.os.heap_base_address:
                 # pe reloc
@@ -599,7 +599,7 @@ def load(self):
                 self.ql.os.fcall.writeParams(((POINTER, self.ql.loader.driver_object_address), (POINTER, self.ql.loader.regitry_path_address)))
 
             # mmap PE file into memory
-            self.ql.mem.map(self.pe_image_address, self.align(self.pe_image_address_size, 0x1000), info="[PE]")
+            self.ql.mem.map(self.pe_image_address, self.ql.mem.align_up(self.pe_image_address_size), info="[PE]")
             self.pe.parse_data_directories()
             data = bytearray(self.pe.get_memory_mapped_image())
             self.ql.mem.write(self.pe_image_address, bytes(data))

qiling/loader/pe_uefi.py

@@ -97,9 +97,9 @@ def map_and_load(self, path: str, exec_now: bool=False):
 
         # use image base only if it does not point to NULL
         image_base = pe.OPTIONAL_HEADER.ImageBase or self.next_image_base
-        image_size = ql.mem.align(pe.OPTIONAL_HEADER.SizeOfImage, 0x1000)
+        image_size = ql.mem.align_up(pe.OPTIONAL_HEADER.SizeOfImage)
 
-        assert (image_base % 0x1000) == 0, 'image base is expected to be page-aligned'
+        assert (image_base % ql.mem.pagesize) == 0, 'image base is expected to be page-aligned'
 
         if image_base != pe.OPTIONAL_HEADER.ImageBase:
             pe.relocate_image(image_base)

qiling/os/memory.py

@@ -195,21 +195,45 @@ def show_mapinfo(self):
     def get_lib_base(self, filename: str) -> int:
         return next((s for s, _, _, info, _ in self.map_info if os.path.split(info)[1] == filename), -1)
 
-    def align(self, addr: int, alignment: int = None) -> int:
-        """Round up to nearest alignment.
+    def align(self, value: int, alignment: int = None) -> int:
+        """Align a value down to the specified alignment boundary.
 
         Args:
-            addr: address to align
-            alignment: alignment granularity, must be a power of 2
+            value: a value to align
+            alignment: alignment boundary; must be a power of 2. if not specified
+            value will be aligned to page size
+
+        Returns: aligned value
+        """
+
+        if alignment is None:
+            alignment = self.pagesize
+
+        # make sure alignment is a power of 2
+        assert alignment & (alignment - 1) == 0
+
+        # round down to nearest alignment
+        return value & ~(alignment - 1)
+
+    def align_up(self, value: int, alignment: int = None) -> int:
+        """Align a value up to the specified alignment boundary.
+
+        Args:
+            value: value to align
+            alignment: alignment boundary; must be a power of 2. if not specified
+            value will be aligned to page size
+
+        Returns: aligned value
         """
 
         if alignment is None:
             alignment = self.pagesize
 
-        # rounds up to nearest alignment
-        mask = self.max_mem_addr & -alignment
+        # make sure alignment is a power of 2
+        assert alignment & (alignment - 1) == 0
 
-        return (addr + (alignment - 1)) & mask
+        # round up to nearest alignment
+        return (value + alignment - 1) & ~(alignment - 1)
 
     def save(self):
         """Save entire memory content.
@@ -431,7 +455,7 @@ def find_free_space(self, size: int, minaddr: int = None, maxaddr: int = None, a
         gaps = zip(gaps_lbounds, gaps_ubounds)
 
         for lbound, ubound in gaps:
-            addr = self.align(lbound, align)
+            addr = self.align_up(lbound, align)
             end = addr + size
 
             # is aligned range within gap and satisfying min / max requirements?
@@ -457,18 +481,19 @@ def map_anywhere(self, size: int, minaddr: int = None, maxaddr: int = None, alig
         if align is None:
             align = self.pagesize
 
+        size = self.align_up(size)
         addr = self.find_free_space(size, minaddr, maxaddr, align)
 
-        self.map(addr, self.align(size), perms, info)
+        self.map(addr, size, perms, info)
 
         return addr
 
     def protect(self, addr: int, size: int, perms):
         # mask off perms bits that are not supported by unicorn
         perms &= UC_PROT_ALL
 
-        aligned_address = addr & ~(self.pagesize - 1)
-        aligned_size = self.align((addr & (self.pagesize - 1)) + size)
+        aligned_address = self.align(addr)
+        aligned_size = self.align_up((addr & (self.pagesize - 1)) + size)
 
         self.ql.uc.mem_protect(aligned_address, aligned_size, perms)
         self.change_mapinfo(aligned_address, aligned_address + aligned_size, mem_p = perms)
@@ -590,7 +615,7 @@ def alloc(self, size: int) -> int:
             # is new chunk going to exceed currently allocated heap space?
             # in case it does, allocate additional heap space
             if self.current_use + size > self.current_alloc:
-                real_size = self.ql.mem.align(size)
+                real_size = self.ql.mem.align_up(size)
 
                 # if that additional allocation is going to exceed heap upper bound, fail
                 if self.start_address + self.current_use + real_size > self.end_address:

qiling/os/posix/syscall/mman.py

@@ -84,11 +84,12 @@ def syscall_mmap_impl(ql: Qiling, addr: int, mlen: int, prot: int, flags: int, f
 
     need_mmap = True
     mmap_base = addr
-    mmap_size = (mlen - (addr & (pagesize - 1)) + pagesize - 1) & ~(pagesize - 1)
+    mmap_size = ql.mem.align_up(mlen - (addr & (pagesize - 1)))
 
     if ql.ostype != QL_OS.QNX:
-        mmap_base &= ~(pagesize - 1)
-        if (flags & MAP_FIXED) > 0 and mmap_base != addr:
+        mmap_base = ql.mem.align(mmap_base)
+
+        if (flags & MAP_FIXED) and mmap_base != addr:
             return MAP_FAILED
 
     # initial ql.loader.mmap_address

qiling/os/qnx/message.py

@@ -98,7 +98,7 @@ def ql_qnx_msg_io_connect(ql:Qiling, coid, smsg, sparts, rmsg, rparts, *args, **
         else:
             # TODO: Can we throw this exception here?
             # raise NotImplementedError(f'msg_io_connect(_IO_CONNECT_COMBINE) for type 0x{x_type:x} not implemented')
-            ql.log.warn(f'msg_io_connect(_IO_CONNECT_COMBINE) for type 0x{x_type:x} not implemented')
+            ql.log.warning(f'msg_io_connect(_IO_CONNECT_COMBINE) for type 0x{x_type:x} not implemented')
     elif subtype == 2: # == _IO_CONNECT_OPEN
         ql.log.debug(f'open(path = {path}, openflags = 0x{ioflag:x}, openmode = 0x{real_mode:x})')
         ql.os.connections[coid].fd = ql_syscall_open(ql, ql.unpack32(ql.mem.read(smsg + 8, 4)), ioflag, real_mode)
@@ -127,7 +127,7 @@ def ql_qnx_msg_io_connect(ql:Qiling, coid, smsg, sparts, rmsg, rparts, *args, **
     elif os.path.isfile(real_path):
         umask = file_stats['_S_IFREG']
     else:
-        ql.log.warn("msg_io_connect(): type of {real_path} not handled properly?")
+        ql.log.warning("msg_io_connect(): type of {real_path} not handled properly?")
         umask = 0
     # struct _io_connect_link_reply in lib/c/public/sys/iomsg.h
     ql.mem.write(iov_base, pack("<IIBBHIHH", 0, file_type, eflag, 0, 0, umask, 0, 0))
@@ -190,7 +190,7 @@ def ql_qnx_msg_mem_ctrl(ql:Qiling, coid, smsg, sparts, rmsg, rparts, *args, **kw
     if not subtype in mem_ctrl_subtypes:
         raise NotImplementedError(f'MEM_CTRL subtype {subtype} not implemented')
 
-    ql.log.warn(f'msg_mem_ctrl(subtype = {mem_ctrl_subtypes[subtype]}, flags = 0x{flags:x}, addr = 0x{addr:x}, len = 0x{len:x}) not implemented')
+    ql.log.warning(f'msg_mem_ctrl(subtype = {mem_ctrl_subtypes[subtype]}, flags = 0x{flags:x}, addr = 0x{addr:x}, len = 0x{len:x}) not implemented')
     # TODO: implement mem_ctrl
     return -1
 

qiling/os/qnx/qnx.py

@@ -3,6 +3,7 @@
 # Cross Platform and Multi Architecture Advanced Binary Emulation Framework
 #
 
+from typing import Callable
 import os
 
 from typing import Callable
@@ -13,6 +14,7 @@
 from qiling.os.qnx.const import NTO_SIDE_CHANNEL, SYSMGR_PID, SYSMGR_CHID, SYSMGR_COID
 from qiling.os.qnx.helpers import QnxConn
 from qiling.os.qnx.structs import _thread_local_storage
+
 from qiling.cc import QlCC, intel, arm, mips, riscv
 from qiling.const import QL_ARCH, QL_INTERCEPT
 from qiling.os.fcall import QlFunctionCall
@@ -44,6 +46,18 @@ def __init__(self, ql: Qiling):
         self.function_after_load_list = []
         self.elf_mem_start = 0x0
         self.load()
+        
+        cc: QlCC = {
+            QL_ARCH.X86   : intel.cdecl,
+            QL_ARCH.X8664 : intel.amd64,
+            QL_ARCH.ARM   : arm.aarch32,
+            QL_ARCH.ARM64 : arm.aarch64,
+            QL_ARCH.MIPS  : mips.mipso32,
+            QL_ARCH.RISCV : riscv.riscv,
+            QL_ARCH.RISCV64: riscv.riscv,
+        }[ql.archtype](ql)
+
+        self.fcall = QlFunctionCall(ql, cc)
 
         # use counters to get free Ids
         self.channel_id = 1
@@ -87,7 +101,7 @@ def run_function_after_load(self):
             f()
 
 
-    def hook_sigtrap(self, intno= None, int = None):
+            def hook_sigtrap(self, intno= None, int = None):
         self.ql.log.info("Trap Found")
         self.emu_error()
         exit(1)