def _check_qemu_install(self): """ Check the install location of QEMU. """ btype = binary_type(self.binary) if btype == "cgc": tname = "cgc-tracer" elif btype == "elf": self._record_magic = False r2 = Radare2(self.binary) if r2.arch == "x86" and r2.bits == 64: tname = "linux-x86_64" elif r2.arch == "x86" and r2.bits == 32: tname = "linux-i386" else: raise RunnerEnvironmentError("Binary type not supported") else: raise RunnerEnvironmentError("Binary type not supported") self._trace_source_path = shellphish_qemu.qemu_path(tname) if not os.access(self._trace_source_path, os.X_OK): if os.path.isfile(self._trace_source_path): error_msg = "%s is not executable" % self.trace_source l.error(error_msg) raise RunnerEnvironmentError(error_msg) else: error_msg = "\"%s\" does not exist" % self._trace_source_path l.error(error_msg) raise RunnerEnvironmentError(error_msg)
def _check_qemu_install(self): """ Check the install location of QEMU. """ if self.os == "cgc": suffix = "tracer" if self._record_trace else "base" self.trace_source = "shellphish-qemu-cgc-%s" % suffix else: self.trace_source = "shellphish-qemu-linux-%s" % self._p.arch.qemu_name if self._trace_source_path is None or not os.access( self._trace_source_path, os.X_OK): if self._trace_source_path is not None: l.warning("Problem accessing forced %s. Using our default %s.", self._trace_source_path, self.trace_source) self._trace_source_path = shellphish_qemu.qemu_path( self.trace_source) if not os.access(self._trace_source_path, os.X_OK): if os.path.isfile(self._trace_source_path): error_msg = "%s is not executable" % self.trace_source l.error(error_msg) raise RunnerEnvironmentError(error_msg) else: error_msg = "\"%s\" does not exist" % self._trace_source_path l.error(error_msg) raise RunnerEnvironmentError(error_msg)
def _run_qemu(self, payload, args=None): if not SHELLPHISH_QEMU: raise ModuleNotFoundError("Phuzzer's Extender requires 'shellphish-qemu' to be installed ") qemu_path = shellphish_qemu.qemu_path("cgc-tracer") pargs = [qemu_path] if isinstance(args, list): pargs += args pargs += ["-m", "8G"] pargs += [self.binary] with open("/dev/null", "wb") as devnull: p = subprocess.Popen( pargs, stdin=subprocess.PIPE, stdout=devnull, stderr=devnull) _, _ = p.communicate(payload) return p.wait()
def __init__(self, *args, **kwargs): super().__init__(*args, **kwargs) self.l = logging.getLogger("patcherex.test.test_detourbackend") self.bin_location = str( os.path.join(os.path.dirname(os.path.realpath(__file__)), '../../binaries/tests/mips64/patchrex')) self.qemu_location = shellphish_qemu.qemu_path('mips64')
def trace(self): if not SHELLPHISH_QEMU_INSTALLED: raise ImportError( "The module 'shellphish-qemu' is not found, but it is required for tracing." ) if self._trace is not None: return self._trace with open(self.filepath, 'rb') as sf: cmd_args = [ 'timeout', '2', shellphish_qemu.qemu_path('cgc-tracer'), '-d', 'exec', self.hierarchy._fuzzer.binary_path ] #print("cat %s | %s" % (self.filepath, ' '.join(cmd_args))) process = subprocess.Popen(cmd_args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE) _, you = process.communicate(sf.read()) trace = [] for tline in you.split(b'\n'): result = re.match(b'Trace 0x[0-9a-fA-F]* \\[([0-9a-fA-F]*)\\]', tline.strip()) if not result: continue trace.append(int(result.group(1), base=16)) self._trace = trace return trace
def trace(self): if self._trace is not None: return self._trace with open(self.filepath, 'rb') as sf: cmd_args = [ 'timeout', '2', shellphish_qemu.qemu_path('cgc-tracer'), '-d', 'exec', self.hierarchy._fuzzer.target ] #print("cat %s | %s" % (self.filepath, ' '.join(cmd_args))) process = subprocess.Popen(cmd_args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE) _, you = process.communicate(sf.read()) trace = [] for tline in you.split(b'\n'): result = re.match(b'Trace 0x[0-9a-fA-F]* \\[([0-9a-fA-F]*)\\]', tline.strip()) if not result: continue trace.append(int(result.group(1), base=16)) self._trace = trace return trace
def output(self): with open('/dev/null', 'w') as tf, open(self.filepath) as sf: cmd_args = [ 'timeout', '60', shellphish_qemu.qemu_path('cgc-tracer'), self.hierarchy._fuzzer.binary_path ] process = subprocess.Popen(cmd_args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=tf) f**k, _ = process.communicate(sf.read()) return f**k
def add_test_or_crash(args): p = subprocess.Popen([shellphish_qemu.qemu_path('cgc-base'), args.cb], stdin=subprocess.PIPE) p.poll() test = "" if args.batch: test = sys.stdin.read() p.communicate(test) else: try: while p.returncode is None: r, _, _ = select([sys.stdin], [], [], 0.05) if r is not None: b = sys.stdin.read(1) test += b p.stdin.write(b) p.poll() except KeyboardInterrupt: p.returncode = 0 except IOError: p.returncode = 1 if p.returncode == 0: print "Finished test, inserting now..." cs = CS.select().where(CS.name == args.cs) # first we have to make a fake job job = Job.create(cs=cs, completed_at=datetime.datetime.now(), worker="garbage") Test.create(cs=cs, job=job, blob=test) print "Test inserted!" else: print "Found a crash, inserting now..." qc = QuickCrash(args.cb, test) print "appears to be of type " + qc.kind print "cs = " + args.cs cs = CS.select().where(CS.name == args.cs) # first we have to make a fake job job = Job.create(cs=cs, completed_at=datetime.datetime.now(), worker="garbage") Crash.create(cs=cs, job=job, blob=test, kind=qc.kind) print "Crash inserted!"
def try_bin_with_input(path, tinput, seed=123): pipe = subprocess32.PIPE qemu_location = shellphish_qemu.qemu_path('cgc-nxtracer') main_args = [qemu_location, "-seed", str(seed)] if bitflip: used_args = main_args + ["-bitflip"] else: used_args = main_args final_args = used_args + [os.path.realpath(path)] print " ".join(final_args) p = subprocess32.Popen(final_args, stdin=pipe, stdout=pipe, stderr=pipe, preexec_fn=process_killer) status = "ok" try: try: stdout, stderr = p.communicate(tinput, timeout=10) print stdout print stderr print p.returncode except OSError: print "OSError" # I have seen: "OSError: [Errno 32] Broken pipe" # likely because the process dies before it reads all the input # I just "pass", the code later on will check if it is a crash or normal exit if p.returncode == None: # returncode == None means the process is still running # this means the process did not terminate # I am not even sure this is possible, but I am going to terminate it to be sure p.terminate() p.wait( ) # either communicate has finished or I called terminate, so wait will not stall # 46 is the special error code value used in cgc-nxtracer used to indicate # execution attempt of not executable memory if p.returncode < 0 or p.returncode == 46: status = "crash" except subprocess32.TimeoutExpired: print "Timeout" status = "halt" p.terminate() p.wait() print status return status
def _check_qemu_install(self): """ check the install location of qemu """ if self.os == "cgc": self.tracer_qemu = "shellphish-qemu-cgc-%s" % ( "tracer" if self._record_trace else "base") self.tracer_qemu_path = shellphish_qemu.qemu_path(self.tracer_qemu) if not os.access(self.tracer_qemu_path, os.X_OK): if os.path.isfile(self.tracer_qemu_path): l.error("%s is not executable", self.tracer_qemu) raise TracerEnvironmentError else: l.error("\"%s\" does not exist", self.tracer_qemu_path) raise TracerEnvironmentError
def output(self): if not SHELLPHISH_QEMU_INSTALLED: raise ImportError( "The module 'shellphish-qemu' is not found, but it is required for the output functionality." ) with open('/dev/null', 'w') as tf, open(self.filepath) as sf: cmd_args = [ 'timeout', '60', shellphish_qemu.qemu_path('cgc-tracer'), self.hierarchy._fuzzer.binary_path ] process = subprocess.Popen(cmd_args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=tf) f**k, _ = process.communicate(sf.read()) return f**k
def monitor_interaction(oname, rname, result_callback): proc = subprocess.Popen("stdbuf -i0 -o0 python -u %s/fixup_input.py %s | stdbuf -i0 -o0 tee %s 2>/dev/null | (%s %s; sleep 2; killall -2 tee 2>/dev/null; kill -2 $PPID 2>/dev/null) | %s ./color" % ( os.path.dirname(__file__), os.path.basename(args.binary), oname, shellphish_qemu.qemu_path('cgc-tracer'), args.binary, sys.executable ), shell=True) last_size = -1 try: while proc.poll() is None: time.sleep(1) new_size = os.path.getsize(oname) if new_size != last_size: last_size = new_size with open(rname, 'a') as rf: r = result_callback(oname) r['output_file'] = oname json.dump(r, rf) rf.write('\n') except KeyboardInterrupt: pass
def execute_binary(iname, oname, tname, trace_blocks=True, trace_syscalls=True): infile = open(iname) outfile = open(oname, 'w') tracefile = open(tname, 'w') if tname != oname else outfile cmd_args = [ "timeout", "60", shellphish_qemu.qemu_path('cgc-tracer') ] if trace_blocks: cmd_args += [ '-d', 'exec' ] if trace_syscalls: cmd_args += [ '-strace' ] if trace_blocks and not trace_syscalls: tracefile.close() cmd_args += [ '-D', tname ] tracefile = open('/dev/null', 'w') cmd_args += [ args.binary ] process = subprocess.Popen(cmd_args, stdin=infile, stdout=outfile, stderr=tracefile) process.wait() return process.pid
def _check_qemu_install(self): ''' check the install location of qemu ''' if self.os == "cgc": self.tracer_qemu = "shellphish-qemu-cgc-tracer" qemu_platform = 'cgc-tracer' elif self.os == "unix": self.tracer_qemu = "shellphish-qemu-linux-%s" % self._p.arch.qemu_name qemu_platform = self._p.arch.qemu_name self.tracer_qemu_path = shellphish_qemu.qemu_path(qemu_platform) if not os.access(self.tracer_qemu_path, os.X_OK): if os.path.isfile(self.tracer_qemu_path): l.error("tracer-qemu-cgc is not executable") raise TracerEnvironmentError else: l.error("\"%s\" does not exist", self.tracer_qemu_path) raise TracerEnvironmentError
def _run_qemu(self, payload, args=None): qemu_path = shellphish_qemu.qemu_path("cgc-tracer") pargs = [qemu_path] if isinstance(args, list): pargs += args pargs += ["-m", "8G"] pargs += [self.binary] with open("/dev/null", "wb") as devnull: p = subprocess.Popen(pargs, stdin=subprocess.PIPE, stdout=devnull, stderr=devnull) _, _ = p.communicate(payload) return p.wait()
def execute_binary(binary_path, iname, oname, tname, blocks=True, syscalls=True): infile = open(iname) outfile = open(oname, 'w') tracefile = open(tname, 'w') if tname != oname else outfile cmd_args = [shellphish_qemu.qemu_path('cgc-tracer')] if blocks: cmd_args += ['-d', 'exec'] if syscalls: cmd_args += ['-strace'] cmd_args += [binary_path] print cmd_args process = subprocess.Popen(cmd_args, stdin=infile, stdout=outfile, stderr=tracefile) process.wait() return process.pid
def analyze_single(tar_path): if "nrfin00056" in tar_path or "NRFIN_00056" in tar_path: return print "analyze_single", tar_path bin_name = os.path.basename(os.path.dirname(tar_path)) res_dir = os.path.dirname(tar_path) experiment_name = "-".join(os.path.basename(tar_path).split("-")[1:]) experiment_name = experiment_name.split(".tar.gz")[0] print "experiment name", experiment_name if os.path.exists(os.path.join(res_dir, "over_time-" + experiment_name)): print "already done" return # get the cfgfast # of block # coverage out of cfgfast p = os.path.join("/results/bins", bin_name) import angr b = angr.Project(p) cfg = b.analyses.CFG() num_nodes = len([ n.addr for n in cfg.graph.nodes() if not n.is_syscall and not n.is_simprocedure ]) # unpack tar try: shutil.rmtree("/home/angr/tmp") except: pass tar = tarfile.open(tar_path, "r:gz") tar.extractall(path="/home/angr") tar.close() # get all inputs to run to analyze coverage fuzzer_dir = "/home/angr/tmp/afl_sync/fuzzer-master/queue/" min_time = None trace_to_time = dict() for x in os.listdir(fuzzer_dir): # print x, t, type(t) if not x.startswith("id"): continue # if not x.endswith(".seed"): # continue x = os.path.join(fuzzer_dir, x) t = os.path.getmtime(x) if min_time is None or t < min_time: min_time = t trace_to_time[x] = t # do it multiprocessing sorted_traces = sorted(trace_to_time.items(), key=operator.itemgetter(1)) sorted_traces = [ x for x in sorted_traces if trace_to_time[x[0]] - min_time < 60 * 60 ] to_run = [] for x, t in sorted_traces: # print seconds # input_path, qemu_path, binary_path tracer_path = shellphish_qemu.qemu_path('cgc-tracer') to_run.append((x, tracer_path, p)) print "first to run:", to_run[0] print "path exits:", [os.path.exists(x) for x in to_run[0]] pool = Pool(8) traces_iter = pool.imap(get_trace, to_run, chunksize=2) blocks_hit = set() block_fraction_over_time = list() count = 0 for a, trace in itertools.izip(sorted_traces, traces_iter): count += 1 if count % 10 == 0: print "count:", count, "/", len(sorted_traces) path, t = a blocks, transitions = trace blocks_hit.update(blocks) block_fraction_over_time.append( ((t - min_time), float(len(blocks_hit)) / num_nodes)) pool.close() with open(os.path.join(res_dir, "over_time-" + experiment_name), "wb") as f: for a, b in block_fraction_over_time: f.write(str(int(a)) + ", " + str(b) + "\n") with open(os.path.join(res_dir, "fraction-" + experiment_name), "wb") as f: f.write(str(float(len(blocks_hit)) / num_nodes) + "\n")
def try_one_patch(args): test, patch_type, td = args print "=" * 5, "test", test, patch_type, "started" inputs = ["", "A", "\x00", "\nA\x00 " * 50] # if ("fidget" not in patch_type): continue pm = PatchMaster(test) patched_bin, nrule = pm.create_one_patch(patch_type) if ((os.path.basename(test), patch_type) in PATCH_TYPES_EXPECTED_FAIL): nose.tools.assert_true(patched_bin == None) return None else: nose.tools.assert_true(patched_bin != None) tmp_fname = os.path.join(td, os.path.basename(test) + "_" + patch_type) save_patch(tmp_fname, patched_bin) # save_patch("/tmp/aaa",patched_bin) # save_patch(os.path.join("/tmp/cfe1",os.path.basename(test)+"_"+patch_type),patched_bin) fp = open(test) ocontent = fp.read() fp.close() fp = open(tmp_fname) pcontent = fp.read() fp.close() if patch_type not in PATCH_TYPES_AS_ORIGINAL: # it is not impossible that a patched binary is exactly as the original # but it is worth investigation nose.tools.assert_true(ocontent != pcontent) else: nose.tools.assert_equal(ocontent, pcontent) nose.tools.assert_equal(type(patched_bin), str) nose.tools.assert_equal(type(nrule), str) if patch_type in PATCH_TYPES_WITH_RULES: nose.tools.assert_true(len(nrule) > 0) else: nose.tools.assert_true(len(nrule) == 0) if "bitflip" in nrule: bitflip = True else: bitflip = False # see: https://git.seclab.cs.ucsb.edu/cgc/qemu/issues/5 pov_tester = CGCPovSimulator( qemu=shellphish_qemu.qemu_path("cgc-nxtracer")) res = pov_tester.test_binary_pov(backdoor_pov_location, tmp_fname, bitflip=bitflip) if patch_type in PATCH_TYPES_WITH_BACKDOOR: nose.tools.assert_true(res) else: nose.tools.assert_equal(res, False) for stdin in inputs: # TODO: test properly multi-cb, right now they are tested as separate binaries pipe = subprocess.PIPE p = subprocess.Popen([qemu_location, test], stdin=pipe, stdout=pipe, stderr=pipe) res = p.communicate(stdin) expected = (res[0], p.returncode) print expected print "testing:", os.path.basename(test), "input:", stdin[:10].encode( "hex"), patch_type #save_patch("/tmp/",patch) nose.tools.assert_true(os.path.getsize(tmp_fname) > 1000) argv = [qemu_location, tmp_fname] if "bitflip" in nrule: argv = [argv[0]] + ["-bitflip"] + argv[1:] p = subprocess.Popen(argv, stdin=pipe, stdout=pipe, stderr=pipe) # very very partial support to network rules # TODO if we add other "interesting rules", handle them here res = p.communicate(stdin) real = (res[0], p.returncode) # there may be special cases in which the behavior changes # because the patch prevent exploitation # this is unlikely, given the naive inputs nose.tools.assert_equal(real, expected) print "=" * 5, "test", test, patch_type, "ended" return (True, (test, patch_type), pcontent)
import patcherex.utils as utils import patcherex import shellphish_qemu from patcherex.patch_master import PatchMaster from povsim import CGCPovSimulator l = logging.getLogger("patcherex.test.test_patch_master") bin_location = str( os.path.join(os.path.dirname(os.path.realpath(__file__)), '../test_binaries')) logging.getLogger("povsim.cgc_pov_simulator").setLevel('DEBUG') patcherex_main_folder = str( os.path.join(os.path.dirname(os.path.realpath(__file__)), '../patcherex')) qemu_location = shellphish_qemu.qemu_path('cgc-tracer') self_location_folder = os.path.dirname(os.path.realpath(__file__)) backdoor_pov_location = os.path.join(self_location_folder, "../backdoor_stuff/backdoor_pov.pov") GLOBAL_PATCH_TYPES = [ "medium_reassembler_optimized", "medium_detour", "medium_reassembler" ] PATCH_TYPES_WITH_RULES = [] PATCH_TYPES_WITH_BACKDOOR = [ "medium_reassembler_optimized", "medium_detour", "medium_reassembler" ] PATCH_TYPES_AS_ORIGINAL = [] PATCH_TYPES_EXPECTED_FAIL = [('KPRCA_00044', 'medium_reassembler'), ('KPRCA_00044', 'medium_reassembler_optimized')]
megabyte = 1024 * kilobyte gigabyte = 1024 * megabyte 4 CHALLENGE_BLACKLIST = [ ('finals', 'KPRCA_00064', 'pov_0'), ('finals', 'KPRCA_00064', 'pov_4'), ('qualifiers', 'KPRCA_00034', 'pov_0'), ('qualifiers', 'KPRCA_00034', 'pov_1'), ('qualifiers', 'KPRCA_00038', 'pov_4'), ('qualifiers', 'KPRCA_00044', 'pov_0'), ('qualifiers', 'KPRCA_00047', 'pov_0'), ('qualifiers', 'KPRCA_00047', 'pov_1'), ] qemu_path = shellphish_qemu.qemu_path('cgc-tracer') base_dir = DESKTOP_BASE_DIR for event in EVENTS: results_dir = get_results_dir(base_dir, event) challenges = os.listdir(results_dir) for i, challenge_name in enumerate(challenges): print "Progress: {}/{}".format(i, len(challenges)) binary_path = os.path.join(results_dir, challenge_name, 'bin', challenge_name) pov_results_dir_path = os.path.join(results_dir, challenge_name, 'pov')
def _test_binary_pov(self, pov_filename, cb_path, enable_randomness=True, debug=False, bitflip=False, timeout=15): # Test the binary pov # sanity checks if not os.path.isfile(pov_filename): raise ValueError("pov is does not exist") if not os.access(pov_filename, os.X_OK): raise ValueError("pov is not executable") if not os.path.isfile(cb_path): raise ValueError("cb does not exist") if not os.access(cb_path, os.X_OK): raise ValueError("cb is not executable") # create the communication pipes pov_r, pov_w = os.pipe() challenge_r, challenge_w = os.pipe() negotiation_pov, negotiation_infra = socket.socketpair() if self.forced_qemu == None: qemu_path = shellphish_qemu.qemu_path('cgc-base') else: qemu_path = self.forced_qemu # create directory for core files directory = tempfile.mkdtemp(prefix='rex-test-', dir='/tmp') cb_path = os.path.realpath(cb_path) # fork off the challenge binary challenge_bin_pid = os.fork() if challenge_bin_pid == 0: try: # cd in tempdir os.chdir(directory) # set up core dumping, only used by type1 though # pylint:disable=no-member resource.setrlimit( resource.RLIMIT_CORE, (resource.RLIM_INFINITY, resource.RLIM_INFINITY)) devnull = open('/dev/null', 'w') # close the other entry os.close(pov_w) os.close(challenge_r) os.dup2(pov_r, 0) # read from pov as stdin os.dup2(challenge_w, 1) # write to the pov if not debug: os.dup2(devnull.fileno(), 2) # silence segfault message) if enable_randomness: random.seed() seed = str(random.randint(0, 100000)) argv = [ qemu_path, "-seed", seed, "-magicdump", "magic", cb_path ] else: argv = [qemu_path, "-magicdump", "magic", cb_path] if bitflip: argv = [argv[0]] + ["-bitflip"] + argv[1:] # argv = [argv[0]] + ["-d","in_asm","-D","/tmp/log1.txt","-singlestep"] + argv[1:] os.execve(qemu_path, argv, os.environ) finally: l.error( "an exception happened in the child code (trying to run the cb)" ) sys.exit(1) assert False, "failed to execute target binary %s" % cb_path # fork off the pov binary pov_pid = os.fork() if pov_pid == 0: try: # close the other entry os.close(pov_r) os.close(challenge_w) os.dup2(challenge_r, 0) # read from challenge's stdout os.dup2(pov_w, 1) # write to challenge's stdin # file descriptor 3 is the negotiation server os.dup2(negotiation_pov.fileno(), 3) random.seed() seed = str(random.randint(0, 100000)) argv = [qemu_path, "-seed", seed, pov_filename] os.execve(qemu_path, argv, os.environ) finally: l.error( "an exception happened in the child code (trying to run the pov)" ) sys.exit(1) # clean up the pipes in the host os.close(challenge_r) os.close(challenge_w) os.close(pov_r) os.close(pov_w) l.debug("challenge_r: %d", challenge_r) l.debug("challenge_w: %d", challenge_w) l.debug("pov_r: %d", pov_r) l.debug("pov_w: %d", pov_w) l.debug("pov_pid: %d", pov_pid) l.debug("challenge_bin_pid: %d", challenge_bin_pid) # negiotation is specific to type1 / type2 result = self._do_binary_negotiation(negotiation_infra, directory, challenge_bin_pid, timeout) # try to reap child pov, if it's not dead, kill it self._reap_pid(pov_pid) # clean up test directory shutil.rmtree(directory) return result
def __init__(self, binary, input=None, simprocedures=None, preconstrain_input=True, preconstrain_flag=True, resiliency=True, add_options=None, remove_options=None, trim_history=True): """ :param binary: path to the binary to be traced :param input: concrete input string to feed to binary :param povfile: CGC PoV describing the input to trace :param hooks: A dictionary of hooks to add :param simprocedures: dictionary of replacement simprocedures :param seed: optional seed used for randomness, will be passed to QEMU :param preconstrain_input: should the path be preconstrained to the provided input :param preconstrain_flag: should the path have the cgc flag page preconstrained :param resiliency: should we continue to step forward even if qemu and angr disagree? :param chroot: trace the program as though it were executing in a chroot :param add_options: add options to the state which used to do tracing :param remove_options: remove options from the state which is used to do tracing :param trim_history: Trim the history of a path. """ self.binary = binary self.input = input self.preconstrain_input = preconstrain_input self.preconstrain_flag = preconstrain_flag self.simprocedures = {} if simprocedures is None else simprocedures self.resiliency = resiliency self.add_options = set() if add_options is None else add_options self.trim_history = trim_history self.constrained_addrs = [] cm = LocalCacheManager( ) if GlobalCacheManager is None else GlobalCacheManager # cache managers need the tracer to be set for them self._cache_manager = cm self._cache_manager.set_tracer(self) # set by a cache manager self._loaded_from_cache = False if remove_options is None: self.remove_options = set() else: self.remove_options = remove_options # internal project object, useful for obtaining certain kinds of info self._p = angr.Project(self.binary) # try to find the install base self.os = self._p.loader.main_bin.os self.base = shellphish_qemu.qemu_base() self.tracer_qemu = "shellphish-qemu-linux-%s" % self._p.arch.qemu_name qemu_platform = self._p.arch.qemu_name self.tracer_qemu_path = shellphish_qemu.qemu_path(qemu_platform) self.qemu_path = {} self.trace = self.dynamic_trace()
qemu_name = { 'x86_64': None, 'i386': 'qemu-i386', 'ppc': 'qemu-ppc', 'ppc64': 'qemu-ppc64', 'armel': 'qemu-arm', 'armhf': 'qemu-arm', 'aarch64': 'qemu-aarch64', 'mips': 'qemu-mips', 'mipsel': 'qemu-mipsel', 'mips64': 'qemu-mips64' } qemu_path = { 'x86_64': None, 'i386': shellphish_qemu.qemu_path('i386'), 'ppc': shellphish_qemu.qemu_path('ppc'), 'ppc64': shellphish_qemu.qemu_path('ppc64'), 'armel': shellphish_qemu.qemu_path('arm'), 'armhf': shellphish_qemu.qemu_path('arm'), 'aarch64': shellphish_qemu.qemu_path('aarch64'), 'mips': shellphish_qemu.qemu_path('mips'), 'mipsel': shellphish_qemu.qemu_path('mipsel'), 'mips64': shellphish_qemu.qemu_path('mips64') } ld_name = { 'x86_64': 'ld-linux-x86-64.so.2', 'i386': 'ld-linux.so.2', 'ppc': 'ld.so.1', 'ppc64': 'ld64.so.1',