Merge pull request #1080 from elicn/qiling-next

qiling-next

Author: xwings

examples/crackme_x86_linux.py

@@ -16,14 +16,11 @@
 
 class Solver:
     def __init__(self, invalid: bytes):
-        mock_stdin = pipe.SimpleInStream(sys.stdin.fileno())
-        mock_stdout = pipe.NullOutStream(sys.stdout.fileno())
-
         # create a silent qiling instance
-        self.ql = Qiling([rf"{ROOTFS}/bin/crackme_linux"], ROOTFS,
-            verbose=QL_VERBOSE.OFF, # thwart qiling logger output
-            stdin=mock_stdin,       # take over the input to the program using a fake stdin
-            stdout=mock_stdout)     # disregard program output
+        self.ql = Qiling([rf"{ROOTFS}/bin/crackme_linux"], ROOTFS, verbose=QL_VERBOSE.OFF)
+
+        self.ql.os.stdin = pipe.SimpleInStream(sys.stdin.fileno())  # take over the input to the program using a fake stdin
+        self.ql.os.stdout = pipe.NullOutStream(sys.stdout.fileno()) # disregard program output
 
         # execute program until it reaches the 'main' function
         self.ql.run(end=0x0804851b)
@@ -32,7 +29,7 @@ def __init__(self, invalid: bytes):
         #
         # since the emulation halted upon entering 'main', its return address is there on
         # the stack. we use it to limit the emulation till function returns
-        self.replay_starts = self.ql.reg.arch_pc
+        self.replay_starts = self.ql.arch.regs.arch_pc
         self.replay_ends = self.ql.stack_read(0)
 
         # instead of restarting the whole program every time a new flag character is guessed,

examples/crackme_x86_windows.py

@@ -14,13 +14,10 @@ def instruction_count(ql: Qiling, address: int, size: int, user_data):
     user_data[0] += 1
 
 def get_count(flag):
-    mock_stdin = pipe.SimpleStringBuffer()
-    mock_stdout = pipe.SimpleStringBuffer()
+    ql = Qiling(["rootfs/x86_windows/bin/crackme.exe"], "rootfs/x86_windows", verbose=QL_VERBOSE.OFF)
 
-    ql = Qiling(["rootfs/x86_windows/bin/crackme.exe"], "rootfs/x86_windows",
-        verbose=QL_VERBOSE.OFF,
-        stdin=mock_stdin,
-        stdout=mock_stdout)
+    ql.os.stdin = pipe.SimpleStringBuffer()
+    ql.os.stdout = pipe.SimpleStringBuffer()
 
     ql.os.stdin.write(bytes("".join(flag) + "\n", 'utf-8'))
     count = [0]

examples/crackme_x86_windows_auto.py

@@ -8,26 +8,64 @@
 
 from qiling import Qiling
 from qiling.extensions import pipe
+from qiling.const import QL_INTERCEPT, QL_VERBOSE
+from qiling.os.windows.api import HWND, UINT, LONG
+
+def hook_DialogBoxParamA_onexit(ql: Qiling, address: int, params, retval: int):
+    # extract lpDialogFunc value
+    # [see arguments list at 'qiling/os/windows/dlls/user32.py' -> 'hook_DialogBoxParamA']
+    lpDialogFunc = params['lpDialogFunc']
+
+    def call_DialogFunc(ql: Qiling):
+        # we would like to resume from the exact same address that used to invoke
+        # this hook. in order to prevent an endless loop of hook invocations, we
+        # remove the hook through its handle.
+        hh.remove()
+
+        WM_COMMAND = 0x111
+        IDS_APPNAME = 1001
+
+        # [steps #3 and #4]
+        # set up the arguments and call the address passed through the lpDialogFunc
+        # param. make sure it resumes back to where we were.
+        ql.os.fcall.call_native(lpDialogFunc, (
+            (HWND, 0),
+            (UINT, WM_COMMAND),
+            (UINT, IDS_APPNAME),
+            (LONG, 0),
+        ), ql.arch.regs.arch_pc)
+
+    # get DialogBoxParamA return address; should be the first item on the stack
+    retaddr = ql.arch.stack_read(0)
+
+    # we would like to call DialogFunc as soon as DialogBoxParamA returns, so we
+    # hook its return address. once it returns, 'call_DialogFunc' will be invoked.
+    hh = ql.hook_address(call_DialogFunc, retaddr)
+
+def our_sandbox(path: str, rootfs: str):
+    ql = Qiling([path], rootfs, verbose=QL_VERBOSE.DEFAULT)
+
+    # this crackme's logic lies within the function passed to DialogBoxParamA through
+    # the lpDialogFunc parameter. normally DialogBoxParamA would call the function
+    # passed through that parameter, but Qiling's implementation for it doesn't do
+    # that.
+    #
+    # to solve this crackme and force the "success" dialog to show, we will:
+    #  1. set up a mock stdin and feed it with the correct flag
+    #  1. hook DialogBoxParamA to see where its lpDialogFunc param points to
+    #  2. set up a valid set of arguments DialogFunc expects to see
+    #  3. call it and see it greets us with a "success" message
+
+    # [step #1]
+    # set up a mock stdin and feed it with mocked keystrokes
+    ql.os.stdin = pipe.SimpleInStream(sys.stdin.fileno())
+    ql.os.stdin.write(b'Ea5yR3versing\n')
+
+    # [step #2]
+    # intercept DialogBoxParamA on exit
+    ql.os.set_api('DialogBoxParamA', hook_DialogBoxParamA_onexit, QL_INTERCEPT.EXIT)
 
-def force_call_dialog_func(ql: Qiling):
-    # get DialogFunc address
-    lpDialogFunc = ql.unpack32(ql.mem.read(ql.reg.esp - 0x8, 4))
-    # setup stack for DialogFunc
-    ql.stack_push(0)
-    ql.stack_push(1001)
-    ql.stack_push(273)
-    ql.stack_push(0)
-    ql.stack_push(0x0401018)
-    # force EIP to DialogFunc
-    ql.reg.eip = lpDialogFunc
-
-def our_sandbox(path, rootfs):
-    ql = Qiling(path, rootfs, stdin=pipe.SimpleInStream(sys.stdin.fileno()))
-
-    ql.os.stdin.write(b"Ea5yR3versing\n")
-    ql.hook_address(force_call_dialog_func, 0x00401016)
     ql.run()
 
 if __name__ == "__main__":
-    # Flag is : Ea5yR3versing
-    our_sandbox(["rootfs/x86_windows/bin/Easy_CrackMe.exe"], "rootfs/x86_windows")
+    our_sandbox(r"rootfs/x86_windows/bin/Easy_CrackMe.exe", r"rootfs/x86_windows")

examples/crackme_x86_windows_setcallback.py

@@ -10,15 +10,15 @@
 
 def force_call_dialog_func(ql: Qiling):
     # get DialogFunc address
-    lpDialogFunc = ql.unpack32(ql.mem.read(ql.reg.esp - 0x8, 4))
+    lpDialogFunc = ql.unpack32(ql.mem.read(ql.arch.regs.esp - 0x8, 4))
     # setup stack for DialogFunc
     ql.stack_push(0)
     ql.stack_push(1001)
     ql.stack_push(273)
     ql.stack_push(0)
     ql.stack_push(0x0401018)
     # force EIP to DialogFunc
-    ql.reg.eip = lpDialogFunc
+    ql.arch.regs.eip = lpDialogFunc
 
 def my_sandbox(path, rootfs):
     ql = Qiling(path, rootfs)

examples/crackme_x86_windows_unpatch.py

@@ -10,15 +10,15 @@
 
 def force_call_dialog_func(ql: Qiling):
     # get DialogFunc address
-    lpDialogFunc = ql.unpack32(ql.mem.read(ql.reg.esp - 0x8, 4))
+    lpDialogFunc = ql.unpack32(ql.mem.read(ql.arch.regs.esp - 0x8, 4))
     # setup stack for DialogFunc
     ql.stack_push(0)
     ql.stack_push(1001)
     ql.stack_push(273)
     ql.stack_push(0)
     ql.stack_push(0x0401018)
     # force EIP to DialogFunc
-    ql.reg.eip = lpDialogFunc
+    ql.arch.regs.eip = lpDialogFunc
 
 def our_sandbox(path, rootfs):
     ql = Qiling(path, rootfs)

examples/doogie_8086_crack.py

@@ -119,7 +119,7 @@ def echo_key(ql: Qiling, key):
 
 def show_once(ql: Qiling, key):
     klen = len(key)
-    ql.reg.ax = klen
+    ql.arch.regs.ax = klen
     ql.mem.write(0x87F4, key)
     # Partial exectution to skip input reading
     ql.run(begin=0x801B, end=0x803d)
@@ -133,7 +133,7 @@ def third_stage(keys):
                  "rootfs/8086",
                  console=False)
     ql.add_fs_mapper(0x80, QlDisk("rootfs/8086/doogie/doogie.DOS_MBR", 0x80))
-    ql.set_api((0x1a, 4), set_required_datetime, QL_INTERCEPT.EXIT)
+    ql.os.set_api((0x1a, 4), set_required_datetime, QL_INTERCEPT.EXIT)
     hk = ql.hook_code(stop, begin=0x8018, end=0x8018)
     ql.run()
     ql.hook_del(hk)
@@ -172,10 +172,10 @@ def read_until_zero(ql: Qiling, addr):
 
 def set_required_datetime(ql: Qiling):
     ql.log.info("Setting Feburary 06, 1990")
-    ql.reg.ch = BIN2BCD(19)
-    ql.reg.cl = BIN2BCD(1990%100)
-    ql.reg.dh = BIN2BCD(2)
-    ql.reg.dl = BIN2BCD(6)
+    ql.arch.regs.ch = BIN2BCD(19)
+    ql.arch.regs.cl = BIN2BCD(1990%100)
+    ql.arch.regs.dh = BIN2BCD(2)
+    ql.arch.regs.dl = BIN2BCD(6)
 
 def stop(ql, addr, data):
     ql.emu_stop()
@@ -187,7 +187,7 @@ def first_stage():
                  console=False)
     ql.add_fs_mapper(0x80, QlDisk("rootfs/8086/doogie/doogie.DOS_MBR", 0x80))
     # Doogie suggests that the datetime should be 1990-02-06.
-    ql.set_api((0x1a, 4), set_required_datetime, QL_INTERCEPT.EXIT)
+    ql.os.set_api((0x1a, 4), set_required_datetime, QL_INTERCEPT.EXIT)
     # A workaround to stop the program.
     hk = ql.hook_code(stop, begin=0x8018, end=0x8018)
     ql.run()

examples/extensions/idaplugin/custom_script.py

@@ -5,10 +5,10 @@ def __init__(self):
         pass
 
     def _show_context(self, ql:Qiling):
-        registers = [ k for k in ql.reg.register_mapping.keys() if type(k) is str ]
+        registers = [ k for k in ql.arch.regs.register_mapping.keys() if type(k) is str ]
         for idx in range(0, len(registers), 3):
             regs = registers[idx:idx+3]
-            s = "\t".join(map(lambda v: f"{v:4}: {ql.reg.__getattr__(v):016x}", regs))
+            s = "\t".join(map(lambda v: f"{v:4}: {ql.arch.regs.__getattr__(v):016x}", regs))
             ql.log.info(s)
 
     def custom_prepare(self, ql:Qiling):

examples/fuzzing/linux_x8664/fuzz_x8664_linux.py

@@ -17,50 +17,53 @@
     $ rm -fr afl_outputs/default/
 """
 
-# No more need for importing unicornafl, try ql.afl_fuzz instead!
+# No more need for importing unicornafl, try afl.ql_afl_fuzz instead!
 
 import os
 import sys
 
-from typing import Any, Optional
+from typing import Optional
 
 sys.path.append("../../..")
 from qiling import Qiling
 from qiling.const import QL_VERBOSE
 from qiling.extensions import pipe
-from qiling.extensions.afl import ql_afl_fuzz
+from qiling.extensions import afl
 
 def main(input_file: str):
-    mock_stdin = pipe.SimpleInStream(sys.stdin.fileno())
-
     ql = Qiling(["./x8664_fuzz"], "../../rootfs/x8664_linux",
-            verbose=QL_VERBOSE.OFF, # keep qiling logging off
-            console=False,          # thwart program output
-            stdin=mock_stdin,       # redirect stdin to our mock to feed it with incoming fuzzed keystrokes
-            stdout=None,
-            stderr=None)
+        verbose=QL_VERBOSE.OFF, # keep qiling logging off
+        console=False)          # thwart program output
+
+    # redirect stdin to our mock to feed it with incoming fuzzed keystrokes
+    ql.os.stdin = pipe.SimpleInStream(sys.stdin.fileno())
 
     def place_input_callback(ql: Qiling, input: bytes, persistent_round: int) -> Optional[bool]:
-        """Called with every newly generated input.
+        """Feed generated stimuli to the fuzzed target.
+
+        This method is called with every fuzzing iteration.
         """
 
+        # feed fuzzed input to our mock stdin
         ql.os.stdin.write(input)
 
+        # signal afl to proceed with this input
         return True
 
-    def start_afl(_ql: Qiling):
-        """Callback from inside.
+    def start_afl(ql: Qiling):
+        """Have Unicorn fork and start instrumentation.
         """
-        ql_afl_fuzz(_ql, input_file=input_file, place_input_callback=place_input_callback, exits=[ql.os.exit_point])
+
+        afl.ql_afl_fuzz(ql, input_file=input_file, place_input_callback=place_input_callback, exits=[ql.os.exit_point])
 
     # get image base address
     ba = ql.loader.images[0].base
 
-    # make process crash whenever __stack_chk_fail@plt is about to be called.
+    # make the process crash whenever __stack_chk_fail@plt is about to be called.
     # this way afl will count stack protection violations as crashes
     ql.hook_address(callback=lambda x: os.abort(), address=ba + 0x1225)
 
-    # set a hook on main() to let unicorn fork and start instrumentation
+    # set afl instrumentation [re]starting point. we set it to 'main'
     ql.hook_address(callback=start_afl, address=ba + 0x122c)
 
     # okay, ready to roll

examples/fuzzing/linux_x8664/libfuzzer_x8664_linux.py

@@ -10,11 +10,7 @@
 class SimpleFuzzer:
 
     def run(self):
-        ql = Qiling(["./x8664_fuzz"], "../../rootfs/x8664_linux",
-            console=False, # No output
-            stdin=None,
-            stdout=None,
-            stderr=None)
+        ql = Qiling(["./x8664_fuzz"], "../../rootfs/x8664_linux", console=False)
         ba = ql.loader.images[0].base
         try:
             # Only instrument the function `fun`, so we don't need to instrument libc and ld

examples/fuzzing/qnx_arm/fuzz_arm_qnx.py

@@ -21,16 +21,13 @@
 from qiling.extensions.afl import ql_afl_fuzz
 
 def main(input_file, enable_trace=False):
-    mock_stdin = pipe.SimpleInStream(sys.stdin.fileno())
+    ql = Qiling(["./arm_fuzz"], "../../rootfs/arm_qnx", console=enable_trace)
 
-    ql = Qiling(["./arm_fuzz"], "../../rootfs/arm_qnx",
-                stdin=mock_stdin,
-                stdout=1 if enable_trace else None,
-                stderr=1 if enable_trace else None,
-                console = True if enable_trace else False)
+    ql.os.stdin = pipe.SimpleInStream(sys.stdin.fileno())
 
-    # or this for output:
-    # ... stdout=sys.stdout, stderr=sys.stderr)
+    if not enable_trace:
+        ql.os.stdout = pipe.NullOutStream(sys.stdout.fileno())
+        ql.os.stderr = pipe.NullOutStream(sys.stderr.fileno())
 
     def place_input_callback(ql: Qiling, input: bytes, _: int):
         ql.os.stdin.write(input)
@@ -50,7 +47,7 @@ def start_afl(_ql: Qiling):
 
     if enable_trace:
         # The following lines are only for `-t` debug output
-        md = ql.create_disassembler()
+        md = ql.arch.disassembler
         count = [0]
 
         def spaced_hex(data):