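def _t():
    """Emulate UselessDisk.bin with \\.\PHYSICALDRIVE0 mapped to an in-memory fake drive.

    Returns None without running anything when QL_FAST_TEST is set in the
    environment; otherwise runs the sample to completion and returns True.
    """
    if 'QL_FAST_TEST' in os.environ:
        return

    class Fake_Drive(QlFsMappedObject):
        """Stand-in for the raw physical drive so the sample never touches a host disk."""

        def read(self, size):
            # A mapped object must hand back a byte string of the requested
            # length; the previous `random.randint(0, 256)` returned a bare int
            # (and 256 is not even a valid byte value).
            return bytes(random.randrange(256) for _ in range(size))

        def write(self, bs):
            # Guest writes are only echoed to stdout, never persisted anywhere.
            print(bs)
            return

        def fstat(self):
            # -1 mirrors the other fake objects in this file; the emulator
            # treats it as "no backing file" for fstat.
            return -1

        def close(self):
            return 0

    ql = Qiling(
        ["../examples/rootfs/x86_windows/bin/UselessDisk.bin"],
        "../examples/rootfs/x86_windows",
        verbose=QL_VERBOSE.DEBUG,
    )
    ql.add_fs_mapper(r"\\.\PHYSICALDRIVE0", Fake_Drive())
    ql.run()
    del ql
    return True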
def test_x86_fake_urandom(self):
    """Run x86_fetch_urandom with /dev/urandom replaced by a constant-byte fake object.

    exit and exit_group are intercepted on entry so the guest's status can be
    checked afterwards; both must be 0.
    """
    class ConstantUrandom(QlFsMappedObject):
        # Every read yields the single byte 0x01 regardless of the size asked for.
        def read(self, size):
            return b"\x01"

        def fstat(self):
            return -1

        def close(self):
            return 0

    def on_exit_group(ql, exit_code, *args, **kw):
        ql.exit_group_code = exit_code

    def on_exit(ql, exit_code, *args, **kw):
        ql.exit_code = exit_code

    emu = Qiling(
        ["../examples/rootfs/x86_linux/bin/x86_fetch_urandom"],
        "../examples/rootfs/x86_linux",
        verbose=QL_VERBOSE.DEBUG,
    )
    emu.add_fs_mapper("/dev/urandom", ConstantUrandom())
    emu.exit_code = 0
    emu.exit_group_code = 0
    emu.set_syscall("exit_group", on_exit_group, QL_INTERCEPT.ENTER)
    emu.set_syscall("exit", on_exit, QL_INTERCEPT.ENTER)
    emu.run()

    self.assertEqual(0, emu.exit_code)
    self.assertEqual(0, emu.exit_group_code)
    del emu
def my_netgear(path, rootfs):
    """Emulate the Netgear binary *path* under *rootfs* using the netgear_6220 profile.

    The guest runs single-threaded with os.root cleared, syscall 4004 is routed
    to the module-level my_syscall_write handler and bind() is intercepted on
    entry by my_bind.
    """
    emu = Qiling(
        path,
        rootfs,
        verbose=QL_VERBOSE.DEBUG,
        profile="netgear_6220.ql",
        multithread=False,
    )
    emu.os.root = False
    # Identity mapping: the emulated firmware sees the host's real /proc.
    emu.add_fs_mapper('/proc', '/proc')
    emu.set_syscall(4004, my_syscall_write)
    # Intercept bind() at the moment it is entered.
    emu.set_api('bind', my_bind, QL_INTERCEPT.ENTER)
    emu.run()
def first_stage():
    """Boot the Petya MBR sample up to petya_2nd_stage_start and return the emulator.

    The raw disk image is attached as BIOS drive 0x80. Emulation is halted by
    the module-level `stop` hook instead of `until`, because uc_emu_start's
    `until` does not work with dynamically loaded code.
    """
    emu = Qiling(
        ["rootfs/8086/petya/petya.DOS_MBR"],
        "rootfs/8086",
        console=False,
        verbose=QL_VERBOSE.DEBUG,
    )
    disk = QlDisk("rootfs/8086/petya/out_1M.raw", 0x80)
    emu.add_fs_mapper(0x80, disk)
    # Single-address code hook: workaround for `until` in uc_emu_start not
    # working with dynamically loaded code.
    emu.hook_code(stop, begin=petya_2nd_stage_start, end=petya_2nd_stage_start)
    emu.run()
    return emu
def test_android_arm64(self):
    """Run the arm64 Android JNI/ART sample with close() and the task maps file faked."""
    test_binary = "../examples/rootfs/arm64_android6.0/bin/arm64_android_jniart"
    rootfs = "../examples/rootfs/arm64_android6.0"
    guest_env = {"ANDROID_DATA": "/data", "ANDROID_ROOT": "/system"}

    emu = Qiling([test_binary], rootfs, guest_env, multithread=True)
    emu.os.set_syscall("close", my_syscall_close)
    # The task maps file is served by the module-level Fake_maps object
    # rather than by anything on the host.
    emu.add_fs_mapper("/proc/self/task/2000/maps", Fake_maps(emu))
    emu.run()
    del emu
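def my_sandbox(path, rootfs, *, debugger=False):
    """Emulate *path* under *rootfs* with /dev/urandom passed through and `patcher` hooked at the ELF entry.

    Args:
        path: argv list handed to Qiling.
        rootfs: root filesystem directory for the guest.
        debugger: value assigned to ``ql.debugger``. The default ``False`` keeps
            the previous behaviour (no debugger). A truthy value also installs
            the module-level ``myvfork`` handler for the vfork syscall.
    """
    ql = Qiling(path, rootfs, verbose=QL_VERBOSE.DEBUG)
    # Identity mapping: the guest reads the host's real /dev/urandom.
    ql.add_fs_mapper("/dev/urandom", "/dev/urandom")
    ql.hook_address(patcher, ql.loader.elf_entry)

    # To attach when the debugger is enabled:
    #   $ gdb-multiarch -q rootfs/bin/httpd
    #   gdb> set remotetimeout 100
    #   gdb> target remote localhost:9999
    #
    # Previously hard-coded to False, which made the vfork hook below
    # unreachable; it is now a keyword-only parameter.
    ql.debugger = debugger
    if ql.debugger:
        ql.set_syscall("vfork", myvfork)
    ql.run()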
def test_x86_fake_urandom_multiple_times(self):
    """Map /dev/urandom to a class (not an instance) and check one object is created per use.

    Every Fake_urandom instance takes the next sequential id; after the run the
    recorded ids must be exactly 0, 1, 2, ... in creation order.
    """
    next_id = 0
    created_ids = []

    class Fake_urandom(QlFsMappedObject):
        def __init__(self):
            nonlocal next_id
            self.id = next_id
            next_id += 1
            created_ids.append(self.id)
            # `emu` is bound in the enclosing function before the guest can
            # open the device, so it is available here.
            emu.log.info(f"Creating Fake_urandom with id {self.id}")

        def read(self, size):
            return b'\x01'

        def fstat(self):
            return -1

        def close(self):
            return 0

    def on_exit_group(ql, exit_code, *args, **kw):
        ql.exit_group_code = exit_code

    def on_exit(ql, exit_code, *args, **kw):
        ql.exit_code = exit_code

    emu = Qiling(
        ["../examples/rootfs/x86_linux/bin/x86_fetch_urandom_multiple_times"],
        "../examples/rootfs/x86_linux",
        verbose=QL_VERBOSE.DEBUG,
    )
    # A class is passed here, not an instance.
    emu.add_fs_mapper("/dev/urandom", Fake_urandom)
    emu.exit_code = 0
    emu.exit_group_code = 0
    emu.set_syscall("exit_group", on_exit_group, QL_INTERCEPT.ENTER)
    emu.set_syscall("exit", on_exit, QL_INTERCEPT.ENTER)
    emu.run()

    self.assertEqual(0, emu.exit_code)
    self.assertEqual(0, emu.exit_group_code)
    # ids must have been handed out consecutively starting at 0
    self.assertEqual(list(range(len(created_ids))), created_ids)
    del emu
def third_stage(key):
    """Replay the Petya MBR sample, press Enter at 0x886d, type *key* at 0x85f0 and stop at 0x6806.

    Keystrokes are injected through curses.ungetch from code hooks. The hooks
    rely on ungetch being last-in-first-out: the key is pushed reversed so it
    is read in order, and CR is pushed after LF so CR is read first.
    """
    CR = ord("\r")
    LF = ord("\n")

    def press_enter(ql, addr, data):
        curses.ungetch(LF)
        curses.ungetch(CR)

    def type_key(ql, addr, data):
        for ch in reversed(key):
            curses.ungetch(ch)
        curses.ungetch(LF)
        curses.ungetch(CR)

    emu = Qiling(
        ["rootfs/8086/petya/petya.DOS_MBR"],
        "rootfs/8086",
        console=False,
        verbose=QL_VERBOSE.DEBUG,
    )
    emu.add_fs_mapper(0x80, QlDisk("rootfs/8086/petya/out_1M.raw", 0x80))
    emu.hook_code(press_enter, begin=0x886d, end=0x886d)
    emu.hook_code(type_key, begin=0x85f0, end=0x85f0)
    # Module-level `stop` hook ends the emulation at this address.
    emu.hook_code(stop, begin=0x6806, end=0x6806)
    emu.run()
def test_x8664_map_urandom(self):
    """Run x8664_fetch_urandom with the host's /dev/urandom passed straight through.

    exit and exit_group are intercepted on entry to record the guest's status;
    both must be 0.
    """
    def record_exit_group(ql, exit_code, *args, **kw):
        ql.exit_group_code = exit_code

    def record_exit(ql, exit_code, *args, **kw):
        ql.exit_code = exit_code

    emu = Qiling(
        ["../examples/rootfs/x8664_linux/bin/x8664_fetch_urandom"],
        "../examples/rootfs/x8664_linux",
        verbose=QL_VERBOSE.DEBUG,
    )
    # Identity mapping: the guest reads the real host device.
    emu.add_fs_mapper("/dev/urandom", "/dev/urandom")
    emu.exit_code = 0
    emu.exit_group_code = 0
    emu.os.set_syscall("exit_group", record_exit_group, QL_INTERCEPT.ENTER)
    emu.os.set_syscall("exit", record_exit, QL_INTERCEPT.ENTER)
    emu.run()

    self.assertEqual(0, emu.exit_code)
    self.assertEqual(0, emu.exit_group_code)
    del emu
#!/usr/bin/env python3
#
# Cross Platform and Multi Architecture Advanced Binary Emulation Framework
#

from sys import path
path.append('..')

from qiling import Qiling
from qiling.os.mapper import QlFsMappedObject


class Fake_urandom(QlFsMappedObject):
    """Mapped-file object that replaces /dev/urandom with a deterministic byte source."""

    def read(self, size):
        # Always the same single byte, whatever size the guest asked for.
        return b"\x01"

    def fstat(self):
        # The fstat syscall handler ignores this object when -1 is returned.
        return -1

    def close(self):
        return 0


def main():
    emu = Qiling(["rootfs/x86_linux/bin/x86_fetch_urandom"], "rootfs/x86_linux")
    emu.add_fs_mapper("/dev/urandom", Fake_urandom())
    emu.run()


if __name__ == "__main__":
    main()