Merge pull request #1293 from elicn/dev-maintain

Periodic maintenance PR

Author: xwings

examples/shellcode_run.py

@@ -1,58 +1,107 @@
 #!/usr/bin/env python3
-# 
+#
 # Cross Platform and Multi Architecture Advanced Binary Emulation Framework
 #
 
-from binascii import unhexlify
 import sys
 
 sys.path.append("..")
 from qiling import Qiling
-from qiling.const import QL_VERBOSE
-
-X86_LIN      = unhexlify('31c050682f2f7368682f62696e89e3505389e1b00bcd80')
-X8664_LIN    = unhexlify('31c048bbd19d9691d08c97ff48f7db53545f995257545eb03b0f05')
-MIPS32EL_LIN = unhexlify('ffff0628ffffd004ffff05280110e4270ff08424ab0f02240c0101012f62696e2f7368')
-X86_WIN      = unhexlify('fce8820000006089e531c0648b50308b520c8b52148b72280fb74a2631ffac3c617c022c20c1cf0d01c7e2f252578b52108b4a3c8b4c1178e34801d1518b592001d38b4918e33a498b348b01d631ffacc1cf0d01c738e075f6037df83b7d2475e4588b582401d3668b0c4b8b581c01d38b048b01d0894424245b5b61595a51ffe05f5f5a8b12eb8d5d6a01eb2668318b6f87ffd5bbf0b5a25668a695bd9dffd53c067c0a80fbe07505bb4713726f6a0053ffd5e8d5ffffff63616c6300')
-X8664_WIN    = unhexlify('fc4881e4f0ffffffe8d0000000415141505251564831d265488b52603e488b52183e488b52203e488b72503e480fb74a4a4d31c94831c0ac3c617c022c2041c1c90d4101c1e2ed5241513e488b52203e8b423c4801d03e8b80880000004885c0746f4801d0503e8b48183e448b40204901d0e35c48ffc93e418b34884801d64d31c94831c0ac41c1c90d4101c138e075f13e4c034c24084539d175d6583e448b40244901d0663e418b0c483e448b401c4901d03e418b04884801d0415841585e595a41584159415a4883ec204152ffe05841595a3e488b12e949ffffff5d49c7c1000000003e488d95fe0000003e4c8d850f0100004831c941ba45835607ffd54831c941baf0b5a256ffd548656c6c6f2c2066726f6d204d534621004d657373616765426f7800') 
-ARM_LIN      = unhexlify('01108fe211ff2fe102200121921a0f02193701df061c08a11022023701df3f270221301c01df0139fbd505a0921a05b469460b2701dfc046020012340a0002022f73797374656d2f62696e2f736800')
-ARM64_LIN    = unhexlify('420002ca210080d2400080d2c81880d2010000d4e60300aa01020010020280d2681980d2010000d4410080d2420002cae00306aa080380d2010000d4210400f165ffff54e0000010420002ca210001caa81b80d2010000d4020004d27f0000012f62696e2f736800')
-X8664_FBSD   = unhexlify('6a61586a025f6a015e990f054897baff02aaaa80f2ff524889e699046680c2100f05046a0f05041e4831f6990f0548976a035852488d7424f080c2100f0548b8523243427730637257488d3e48af74084831c048ffc00f055f4889d04889fe48ffceb05a0f0575f799043b48bb2f62696e2f2f73685253545f5257545e0f05')
-X8664_MACOS  = unhexlify('4831f65648bf2f2f62696e2f7368574889e74831d24831c0b00248c1c828b03b0f05')
+from qiling.const import QL_ARCH, QL_OS, QL_VERBOSE
+
+X86_LIN = bytes.fromhex('31c050682f2f7368682f62696e89e3505389e1b00bcd80')
+X8664_LIN = bytes.fromhex('31c048bbd19d9691d08c97ff48f7db53545f995257545eb03b0f05')
+
+MIPS32EL_LIN = bytes.fromhex('''
+    ffff0628ffffd004ffff05280110e4270ff08424ab0f02240c0101012f62696e
+    2f7368
+''')
+
+X86_WIN = bytes.fromhex('''
+    fce8820000006089e531c0648b50308b520c8b52148b72280fb74a2631ffac3c
+    617c022c20c1cf0d01c7e2f252578b52108b4a3c8b4c1178e34801d1518b5920
+    01d38b4918e33a498b348b01d631ffacc1cf0d01c738e075f6037df83b7d2475
+    e4588b582401d3668b0c4b8b581c01d38b048b01d0894424245b5b61595a51ff
+    e05f5f5a8b12eb8d5d6a01eb2668318b6f87ffd5bbf0b5a25668a695bd9dffd5
+    3c067c0a80fbe07505bb4713726f6a0053ffd5e8d5ffffff63616c6300
+''')
+
+X8664_WIN = bytes.fromhex('''
+    fc4881e4f0ffffffe8d0000000415141505251564831d265488b52603e488b52
+    183e488b52203e488b72503e480fb74a4a4d31c94831c0ac3c617c022c2041c1
+    c90d4101c1e2ed5241513e488b52203e8b423c4801d03e8b80880000004885c0
+    746f4801d0503e8b48183e448b40204901d0e35c48ffc93e418b34884801d64d
+    31c94831c0ac41c1c90d4101c138e075f13e4c034c24084539d175d6583e448b
+    40244901d0663e418b0c483e448b401c4901d03e418b04884801d0415841585e
+    595a41584159415a4883ec204152ffe05841595a3e488b12e949ffffff5d49c7
+    c1000000003e488d95fe0000003e4c8d850f0100004831c941ba45835607ffd5
+    4831c941baf0b5a256ffd548656c6c6f2c2066726f6d204d534621004d657373
+    616765426f7800
+''')
+
+ARM_LIN = bytes.fromhex('''
+    01108fe211ff2fe102200121921a0f02193701df061c08a11022023701df3f27
+    0221301c01df0139fbd505a0921a05b469460b2701dfc046020012340a000202
+    2f73797374656d2f62696e2f736800
+''')
+
+ARM64_LIN = bytes.fromhex('''
+    420002ca210080d2400080d2c81880d2010000d4e60300aa01020010020280d2
+    681980d2010000d4410080d2420002cae00306aa080380d2010000d4210400f1
+    65ffff54e0000010420002ca210001caa81b80d2010000d4020004d27f000001
+    2f62696e2f736800
+''')
+
+X8664_FBSD = bytes.fromhex('''
+    6a61586a025f6a015e990f054897baff02aaaa80f2ff524889e699046680c210
+    0f05046a0f05041e4831f6990f0548976a035852488d7424f080c2100f0548b8
+    523243427730637257488d3e48af74084831c048ffc00f055f4889d04889fe48
+    ffceb05a0f0575f799043b48bb2f62696e2f2f73685253545f5257545e0f05
+''')
+
+X8664_MACOS = bytes.fromhex('''
+    4831f65648bf2f2f62696e2f7368574889e74831d24831c0b00248c1c828b03b
+    0f05
+''')
+
 
 if __name__ == "__main__":
     print("\nLinux ARM 64bit Shellcode")
-    ql = Qiling(code=ARM64_LIN, archtype="arm64", ostype="linux", verbose=QL_VERBOSE.DEBUG)
+    ql = Qiling(code=ARM64_LIN, archtype=QL_ARCH.ARM64, ostype=QL_OS.LINUX, verbose=QL_VERBOSE.DEBUG)
     ql.run()
 
     print("\nLinux ARM 32bit Shellcode")
-    ql = Qiling(code=ARM_LIN, archtype="arm", ostype="linux", verbose=QL_VERBOSE.DEBUG)
+    ql = Qiling(code=ARM_LIN, archtype=QL_ARCH.ARM, ostype=QL_OS.LINUX, verbose=QL_VERBOSE.DEBUG)
     ql.run()
 
-    print("\nLinux X86 32bit Shellcode")
-    ql = Qiling(code=X86_LIN, archtype="x86", ostype="linux", verbose=QL_VERBOSE.DEBUG)
+    print("\nLinux x86 32bit Shellcode")
+    ql = Qiling(code=X86_LIN, archtype=QL_ARCH.X86, ostype=QL_OS.LINUX, verbose=QL_VERBOSE.DEBUG)
     ql.run()
 
     print("\nLinux MIPS 32bit EL Shellcode")
-    ql = Qiling(code=MIPS32EL_LIN, archtype="mips", ostype="linux", verbose=QL_VERBOSE.DEBUG)
+    ql = Qiling(code=MIPS32EL_LIN, archtype=QL_ARCH.MIPS, ostype=QL_OS.LINUX, verbose=QL_VERBOSE.DEBUG)
     ql.run()
 
-    print("\nLinux X86 64bit Shellcode")
-    ql = Qiling(code=X8664_LIN, archtype="x8664", ostype="linux", verbose=QL_VERBOSE.DEBUG)
+    print("\nLinux x86-64 Shellcode")
+    ql = Qiling(code=X8664_LIN, archtype=QL_ARCH.X8664, ostype=QL_OS.LINUX, verbose=QL_VERBOSE.DEBUG)
     ql.run()
 
-    print("\nWindows X86 32bit Shellcode")
-    ql = Qiling(code=X86_WIN, archtype="x86", ostype="windows", rootfs="rootfs/x86_windows")
+    print("\nWindows x86 Shellcode")
+    ql = Qiling(code=X86_WIN, archtype=QL_ARCH.X86, ostype=QL_OS.WINDOWS, rootfs=r'rootfs/x86_windows')
     ql.run()
 
-    print("\nWindows X8664 64bit Shellcode")
-    ql = Qiling(code=X8664_WIN, archtype="x8664", ostype="windows", rootfs="rootfs/x8664_windows")
+    print("\nWindows x86-64 Shellcode")
+    ql = Qiling(code=X8664_WIN, archtype=QL_ARCH.X8664, ostype=QL_OS.WINDOWS, rootfs=r'rootfs/x8664_windows')
     ql.run()
 
-    print("\nFreeBSD X86 64bit Shellcode")
-    ql = Qiling(code=X8664_FBSD, archtype="x8664", ostype="freebsd", verbose=QL_VERBOSE.DEBUG)
-    ql.run()
+    # FIXME: freebsd sockets are currently broken.
+    #
+    # print("\nFreeBSD x86-64 Shellcode")
+    # ql = Qiling(code=X8664_FBSD, archtype=QL_ARCH.X8664, ostype=QL_OS.FREEBSD, verbose=QL_VERBOSE.DEBUG)
+    # ql.run()
 
-    print("\nmacos X86 64bit Shellcode")
-    ql = Qiling(code=X8664_MACOS, archtype="x8664", ostype="macos", verbose=QL_VERBOSE.DEBUG)
-    ql.run()
+    # FIXME: macos shellcode loader is currently broken
+    #
+    # print("\nMacOS x86-64 Shellcode")
+    # ql = Qiling(code=X8664_MACOS, archtype=QL_ARCH.X8664, ostype=QL_OS.MACOS, verbose=QL_VERBOSE.DEBUG)
+    # ql.run()

qiling/loader/elf.py

@@ -1,5 +1,5 @@
 #!/usr/bin/env python3
-# 
+#
 # Cross Platform and Multi Architecture Advanced Binary Emulation Framework
 #
 
@@ -26,6 +26,7 @@
 from qiling.os.linux.kernel_api.hook import *
 from qiling.os.linux.kernel_api.kernel_api import hook_sys_open, hook_sys_read, hook_sys_write
 
+
 # auxiliary vector types
 # see: https://man7.org/linux/man-pages/man3/getauxval.3.html
 class AUXV(IntEnum):
@@ -53,13 +54,15 @@ class AUXV(IntEnum):
     AT_HWCAP2   = 26
     AT_EXECFN   = 31
 
+
 # start area memory for API hooking
 # we will reserve 0x1000 bytes for this (which contains multiple slots of 4/8 bytes, each for one api)
 API_HOOK_MEM = 0x1000000
 
 # memory for syscall table
 SYSCALL_MEM = API_HOOK_MEM + 0x1000
 
+
 class QlLoaderELF(QlLoader):
     def __init__(self, ql: Qiling):
         super().__init__(ql)
@@ -77,16 +80,11 @@ def run(self):
 
             return
 
-        section = {
-            32 : 'OS32',
-            64 : 'OS64'
-        }[self.ql.arch.bits]
-
-        self.profile = self.ql.os.profile[section]
+        self.profile = self.ql.os.profile[f'OS{self.ql.arch.bits}']
 
         # setup program stack
-        stack_address = int(self.profile.get('stack_address'), 0)
-        stack_size = int(self.profile.get('stack_size'), 0)
+        stack_address = self.profile.getint('stack_address')
+        stack_size = self.profile.getint('stack_size')
         self.ql.mem.map(stack_address, stack_size, info='[stack]')
 
         self.path = self.ql.path
@@ -110,7 +108,7 @@ def run(self):
 
         # is it a shared object?
         elif elftype == 'ET_DYN':
-            load_address = int(self.profile.get('load_address'), 0)
+            load_address = self.profile.getint('load_address')
 
             self.load_with_ld(elffile, stack_address + stack_size, load_address, self.argv, self.env)
 
@@ -242,7 +240,7 @@ def load_elf_segments(elffile: ELFFile, load_address: int, info: str):
                 # determine interpreter base address
                 # some old interpreters may not be PIE: p_vaddr of the first LOAD segment is not zero
                 # we should load interpreter at the address p_vaddr specified in such situation
-                interp_address = int(self.profile.get('interp_address'), 0) if min_vaddr == 0 else 0
+                interp_address = self.profile.getint('interp_address') if min_vaddr == 0 else 0
                 self.ql.log.debug(f'Interpreter addr: {interp_address:#x}')
 
                 # load interpreter segments data to memory
@@ -255,7 +253,7 @@ def load_elf_segments(elffile: ELFFile, load_address: int, info: str):
                 entry_point = interp_address + interp['e_entry']
 
         # set mmap addr
-        mmap_address = int(self.profile.get('mmap_address'), 0)
+        mmap_address = self.profile.getint('mmap_address')
         self.ql.log.debug(f'mmap_address is : {mmap_address:#x}')
 
         # set info to be used by gdb
@@ -658,7 +656,7 @@ def get_elfdata_mapping(self, elffile: ELFFile) -> bytes:
         # pick up loadable sections
         for sec in elffile.iter_sections():
             if sec['sh_flags'] & SH_FLAGS.SHF_ALLOC:
-                # pad aggregated elf data to the offset of the current section 
+                # pad aggregated elf data to the offset of the current section
                 elfdata_mapping.extend(b'\x00' * (sec['sh_offset'] - len(elfdata_mapping)))
 
                 # aggregate section data

qiling/os/linux/procfs.py

@@ -9,6 +9,16 @@
     from qiling.os.memory import QlMemoryManager
 
 
+class FsMappedStream(io.BytesIO):
+    """Wrap stream objects to make them look like a QlFsMappedObject.
+    """
+
+    def __init__(self, fname: str, *args) -> None:
+        super().__init__(*args)
+
+        self.name = fname
+
+
 class QlProcFS:
 
     @staticmethod
@@ -28,14 +38,14 @@ def self_auxv(os: 'QlOsLinux') -> QlFsMappedObject:
             auxv_data.extend(os.ql.mem.read(auxv_addr, nbytes))
             auxv_addr += nbytes
 
-        return io.BytesIO(bytes(auxv_data))
+        return FsMappedStream(r'/proc/self/auxv', auxv_data)
 
     @staticmethod
     def self_cmdline(os: 'QlOsLinux') -> QlFsMappedObject:
         entries = (arg.encode('utf-8') for arg in os.ql.argv)
         cmdline = b'\x00'.join(entries) + b'\x00'
 
-        return io.BytesIO(cmdline)
+        return FsMappedStream(r'/proc/self/cmdline', cmdline)
 
     @staticmethod
     def self_environ(os: 'QlOsLinux') -> QlFsMappedObject:
@@ -48,14 +58,14 @@ def __to_bytes(s: AnyStr) -> bytes:
         entries = (b'='.join((__to_bytes(k), __to_bytes(v))) for k, v in os.ql.env.items())
         environ = b'\x00'.join(entries) + b'\x00'
 
-        return io.BytesIO(environ)
+        return FsMappedStream(r'/proc/self/environ', environ)
 
     @staticmethod
     def self_exe(os: 'QlOsLinux') -> QlFsMappedObject:
         with open(os.ql.path, 'rb') as exefile:
             content = exefile.read()
 
-        return io.BytesIO(content)
+        return FsMappedStream(r'/proc/self/exe', content)
 
     @staticmethod
     def self_map(mem: 'QlMemoryManager') -> QlFsMappedObject:
@@ -65,4 +75,4 @@ def self_map(mem: 'QlMemoryManager') -> QlFsMappedObject:
         for lbound, ubound, perms, label, container in mapinfo:
             content += f"{lbound:x}-{ubound:x}\t{perms}p\t0\t00:00\t0\t{container if container else label}\n".encode("utf-8")
 
-        return io.BytesIO(bytes(content))
+        return FsMappedStream(r'/proc/self/map', content)

qiling/os/linux/thread.py

@@ -239,7 +239,7 @@ def _run(self):
             self.ql.log.debug(f"Scheduled from {hex(start_address)}.")
             try:
                 # Known issue for timeout: https://github.com/unicorn-engine/unicorn/issues/1355
-                self.ql.emu_start(start_address, self.exit_point, count=30000)
+                self.ql.emu_start(start_address, self.exit_point, count=31337)
             except UcError as e:
                 self.ql.os.emu_error()
                 self.ql.log.exception("")