301 lines
12 KiB
Python
Executable File

#!/home/eljakim/Source/tegrax1_plus/source/Shofel2_T124_python/venv/bin/python3
#
# Cross Platform and Multi Architecture Advanced Binary Emulation Framework
#
import argparse
import os
import sys
import ast
import pickle
from pprint import pprint
from typing import TYPE_CHECKING, Mapping, Type
from unicorn import __version__ as uc_ver
from qiling import __version__ as ql_ver
from qiling import Qiling
from qiling.arch import utils as arch_utils
from qiling.debugger.qdb import QlQdb
from qiling.const import QL_VERBOSE, QL_ENDIAN, os_map, arch_map, verbose_map
from qiling.extensions.coverage import utils as cov_utils
from qiling.extensions import report
if TYPE_CHECKING:
from enum import Enum
# read code from file
def read_file(fname: str):
with open(fname, "rb") as f:
content = f.read()
return content
class __arg_env(argparse.Action):
def __call__(self, parser, namespace, values: str, option_string):
if os.path.exists(values):
with open(values, 'rb') as f:
env = pickle.load(f)
else:
env = ast.literal_eval(values)
setattr(namespace, self.dest, env or {})
def __make_enum_arg(enum_rmap: Mapping[str, 'Enum'], aliases: Mapping[str, str] = {}) -> Type[argparse.Action]:
class __enum_arg(argparse.Action):
def __call__(self, parser, namespace, values: str, option_string):
values = values.casefold()
if values in aliases:
values = aliases[values]
setattr(namespace, self.dest, enum_rmap[values])
return __enum_arg
__arg_archtype = __make_enum_arg(arch_map, {'x86_64': 'x8664', 'riscv32': 'riscv'})
__arg_ostype = __make_enum_arg(os_map, {'darwin': 'macos'})
__arg_verbose = __make_enum_arg(verbose_map)
def handle_code(options: argparse.Namespace):
archendian = {
'little': QL_ENDIAN.EL,
'big' : QL_ENDIAN.EB
}[options.endian]
if options.format == 'hex':
if options.input is not None:
print("Load HEX from ARGV")
code = str(options.input).strip("\\\\x").split("x")
code = "".join(code).strip()
code = bytes.fromhex(code)
elif options.filename is not None:
print("Load HEX from FILE")
code = str(read_file(options.filename)).strip('b\'').strip('\\n')
code = code.strip('x').split("\\\\x")
code = "".join(code).strip()
code = bytes.fromhex(code)
else:
print("ERROR: File not found")
exit(1)
elif options.format == 'asm':
print("Load ASM from FILE")
assembly = read_file(options.filename)
assembler = arch_utils.assembler(options.arch, archendian, options.thumb)
code, _ = assembler.asm(assembly)
code = bytes(code)
elif options.format == 'bin':
print("Load BIN from FILE")
if options.filename is not None:
code = read_file(options.filename)
else:
print("ERROR: File not found")
exit(1)
ql = Qiling(
rootfs=options.rootfs,
env=options.env,
code=code,
ostype=options.os,
archtype=options.arch,
verbose=options.verbose,
profile=options.profile,
filter=options.filter,
endian=archendian,
thumb=options.thumb,
)
return ql
def handle_run(options: argparse.Namespace):
effective_argv = []
# with argv
if options.filename is not None and options.run_args == []:
effective_argv = [options.filename] + options.args
# Without argv
elif options.filename is None and options.args == [] and options.run_args != []:
effective_argv = options.run_args
else:
print("ERROR: Command error!")
ql = Qiling(
argv=effective_argv,
rootfs=options.rootfs,
env=options.env,
verbose=options.verbose,
profile=options.profile,
console=options.console,
log_file=options.log_file,
log_plain=options.log_plain,
multithread=options.multithread,
filter=options.filter,
libcache=options.libcache
)
# attach Qdb at entry point
if options.qdb is True:
QlQdb(ql, rr=options.rr).run()
exit()
return ql
def handle_examples(parser: argparse.ArgumentParser):
prog = os.path.basename(__file__)
__ql_examples = f"""Examples:
With code:
{prog} code --os linux --arch arm --format hex -f examples/shellcodes/linarm32_tcp_reverse_shell.hex
{prog} code --os linux --arch x86 --format asm -f examples/shellcodes/lin32_execve.asm
With binary file:
{prog} run -f examples/rootfs/x8664_linux/bin/x8664_hello --rootfs examples/rootfs/x8664_linux
{prog} run -f examples/rootfs/mips32el_linux/bin/mips32el_hello --rootfs examples/rootfs/mips32el_linux
With binary file and Qdb:
{prog} run -f examples/rootfs/mips32el_linux/bin/mips32el_hello --rootfs examples/rootfs/mips32el_linux --qdb
{prog} run -f examples/rootfs/mips32el_linux/bin/mips32el_hello --rootfs examples/rootfs/mips32el_linux --qdb --rr
With binary file and gdbserver:
{prog} run -f examples/rootfs/x8664_linux/bin/x8664_hello --gdb 127.0.0.1:9999 --rootfs examples/rootfs/x8664_linux
With binary file and additional argv:
{prog} run -f examples/rootfs/x8664_linux/bin/x8664_args --rootfs examples/rootfs/x8664_linux --args test1 test2 test3
With binary file and various output format:
{prog} run -f examples/rootfs/mips32el_linux/bin/mips32el_hello --rootfs examples/rootfs/mips32el_linux --verbose disasm
{prog} run -f examples/rootfs/mips32el_linux/bin/mips32el_hello --rootfs examples/rootfs/mips32el_linux --filter ^open
With UEFI file:
{prog} run -f examples/rootfs/x8664_efi/bin/TcgPlatformSetupPolicy --rootfs examples/rootfs/x8664_efi --env examples/rootfs/x8664_efi/rom2_nvar.pickel
With binary file and json output:
{prog} run -f examples/rootfs/x86_windows/bin/x86_hello.exe --rootfs examples/rootfs/x86_windows --no-console --json
"""
parser.exit(0, __ql_examples)
if __name__ == '__main__':
parser = argparse.ArgumentParser()
parser.add_argument('--version', action='version', version=f'qltool for Qiling {ql_ver}, using Unicorn {uc_ver}')
commands = parser.add_subparsers(title='sub commands', description='select execution mode', dest='subcommand', required=True)
# set "run" subcommand options
run_parser = commands.add_parser('run', help='run a program')
run_parser.add_argument('-f', '--filename', default=None, metavar="FILE", help="filename")
run_parser.add_argument('--rootfs', required=True, help='emulated rootfs')
run_parser.add_argument('--args', default=[], nargs=argparse.REMAINDER, dest="args", help="args")
run_parser.add_argument('run_args', default=[], nargs=argparse.REMAINDER)
# set "code" subcommand options
code_parser = commands.add_parser('code', help='execute a shellcode')
code_parser.add_argument('-f', '--filename', metavar="FILE", help="filename")
code_parser.add_argument('-i', '--input', metavar="INPUT", dest="input", help='input hex value')
code_parser.add_argument('--arch', required=True, choices=arch_map, action=__arg_archtype)
code_parser.add_argument('--thumb', action='store_true', default=False, help='specify thumb mode for ARM')
code_parser.add_argument('--endian', choices=('little', 'big'), default='little', help='specify endianess for bi-endian archs')
code_parser.add_argument('--os', required=True, choices=os_map, action=__arg_ostype)
code_parser.add_argument('--rootfs', default='.', help='emulated root filesystem, that is where all libraries reside')
code_parser.add_argument('--format', choices=('asm', 'hex', 'bin'), default='bin', help='input file format')
# set "examples" subcommand
expl_parser = commands.add_parser('examples', help='show examples and exit', add_help=False)
# set "qltui" subcommand
qltui_parser = commands.add_parser('qltui', help='show qiling Terminal User Interface', add_help=False)
qltui_enabled = False
comm_parser = run_parser
if len(sys.argv) > 1 and sys.argv[1] == 'code':
comm_parser = code_parser
# set common options
comm_parser.add_argument('-v', '--verbose', choices=verbose_map, default=QL_VERBOSE.DEFAULT, action=__arg_verbose, help='set verbosity level')
comm_parser.add_argument('--env', metavar="FILE", action=__arg_env, default={}, help="pickle file containing an environment dictionary")
comm_parser.add_argument('-g', '--gdb', nargs='?', metavar='SERVER:PORT', const='gdb', help='enable gdb server')
comm_parser.add_argument('--qdb', action='store_true', help='attach Qdb at entry point, it\'s MIPS, ARM(THUMB) supported only for now')
comm_parser.add_argument('--rr', action='store_true', help='switch on record and replay feature in qdb, only works with --qdb')
comm_parser.add_argument('--profile', help="define a customized profile")
comm_parser.add_argument('--no-console', action='store_false', dest='console', help='do not emit output to console')
comm_parser.add_argument('-e', '--filter', metavar='REGEXP', default=None, help="apply a filtering regexp on log output")
comm_parser.add_argument('--log-file', help="write log to a file")
comm_parser.add_argument('--log-plain', action='store_true', help="do not use colors in log output")
comm_parser.add_argument('--root', action='store_true', help='enable sudo required mode')
comm_parser.add_argument('--debug-stop', action='store_true', help='stop running on error; requires verbose to be set to either "debug" or "dump"')
comm_parser.add_argument('-m', '--multithread', action='store_true', help='run in multithread mode')
comm_parser.add_argument('--timeout', type=int, default=0, help='set emulation timeout')
comm_parser.add_argument('-c', '--coverage-file', default=None, help='code coverage file name')
comm_parser.add_argument('--coverage-format', default='drcov', choices=cov_utils.factory.formats, help='code coverage file format')
comm_parser.add_argument('--json', action='store_true', help='print a json report of the emulation')
comm_parser.add_argument('--libcache', action='store_true', help='enable dll caching for windows')
options = parser.parse_args()
if options.subcommand == 'examples':
handle_examples(parser)
if options.subcommand == 'qltui':
import qltui
options = qltui.get_data()
qltui_enabled = True
# ql file setup
if options.subcommand == 'run':
ql = handle_run(options)
# ql code setup
if options.subcommand == 'code':
ql = handle_code(options)
# ql execute additional options
if options.gdb:
argval = options.gdb
if argval != 'gdb':
argval = f'gdb:{argval}'
ql.debugger = argval
if options.debug_stop:
if options.verbose not in (QL_VERBOSE.DEBUG, QL_VERBOSE.DUMP):
parser.error('the debug_stop option requires verbose to be set to either "debug" or "dump"')
ql.debug_stop = True
if options.root:
ql.root = True
# ql run
with cov_utils.collect_coverage(ql, options.coverage_format, options.coverage_file):
if qltui_enabled:
hook_dictionary = qltui.hook(ql)
ql.run(timeout=options.timeout)
if options.json:
report = report.generate_report(ql)
if qltui_enabled:
report["syscalls"] = qltui.transform_syscalls(ql.os.stats.syscalls)
qltui.show_report(ql, report, hook_dictionary)
else:
pprint(report)
exit(ql.os.exit_code)