def test_gdbdebug_shellcode_server(self):
    """Exercise the gdb stub against a raw x86-64 Linux shellcode blob.

    The stub is told to listen on loopback port 9998; a daemon thread plays a
    short scripted gdb remote-protocol session against it while ``ql.run()``
    blocks in the main thread.
    """
    # x86-64 Linux shellcode used as the emulated payload
    X8664_LIN = bytes.fromhex('31c048bbd19d9691d08c97ff48f7db53545f995257545eb03b0f05')

    ql = Qiling(code=X8664_LIN, archtype='x8664', ostype='linux')
    ql.debugger = 'gdb:127.0.0.1:9998'

    # packets of the scripted session, sent in this order
    session = (
        'qSupported:multiprocess+;swbreak+;hwbreak+;qRelocInsn+;fork-events+;vfork-events+;exec-events+;vContSupported+;QThreadEvents+;no-resumed+;xmlRegisters=i386',
        'vMustReplyEmpty',
        'QStartNoAckMode',
        'Hgp0.0',
        '?',
        'qC',
        'g',
        'p10',
        'c',
        'k',
    )

    def scripted_client():
        # give ql time to bring its gdb stub up before connecting
        time.sleep(1.337 * 2)

        with SimpleGdbClient('127.0.0.1', 9998) as client:
            for packet in session:
                client.send(packet)

            # let the stub consume the final 'k' before the socket is closed
            time.sleep(1.337)

    threading.Thread(target=scripted_client, daemon=True).start()
    ql.run()

    del ql
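def sandbox(path: str, args: List[str], rootfs: str) -> None:
    """Emulate ``path`` with ``args`` under ``rootfs`` and expose a debugger on port 9999.

    Args:
        path: program inside ``rootfs`` to emulate.
        args: extra argv entries passed to the program.
        rootfs: root filesystem directory for the emulated program.

    Installs the module's syscall hooks and the invalid-memory hook, then runs
    the emulation until it finishes.
    """
    options = {
        "filename": [path, *args],
        "rootfs": rootfs,
        "env": None,
        "shellcoder": None,
        "ostype": "Linux",
        "archtype": "arm_thumb",
        # "archtype": "arm",
        "bigendian": False,
        "output": "debug",
        "verbose": 1,
        "profile": None,
        "console": True,
        "log_dir": None,
        "log_split": None,
        "append": None,
        "libcache": False,
        "stdin": 0,
        "stdout": 0,
        "stderr": 0,
    }

    ql = Qiling(**options)

    # only the syscall names are needed here: the handler actually installed
    # is the wrapper returned by syscall_hook, not the value stored in hooks
    for syscall in hooks:
        ql.set_syscall(syscall, syscall_hook(syscall))

    ql.hook_mem_invalid(hook_invalid_memory)

    # debugger on TCP 9999 with no explicit host; the bind address is whatever
    # Qiling defaults to — NOTE(review): confirm it is loopback before running
    # this on a shared or network-reachable host
    ql.debugger = ":9999"
    ql.run()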
def test_qdb_x86_hello(self):
    """Run x86_hello under qdb with record/replay, driven by a qdb script."""
    rootfs = "../examples/rootfs/x86_linux"
    binary = f"{rootfs}/bin/x86_hello"

    ql = Qiling([binary], rootfs)
    # qdb with record-and-replay (rr) enabled; commands come from the .qdb script
    ql.debugger = "qdb::rr:qdb_scripts/x86.qdb"
    ql.run()

    del ql
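def my_sandbox(path, rootfs):
    """Emulate ``path`` under ``rootfs`` with the entry-point patcher installed.

    Args:
        path: program argument forwarded unchanged to Qiling.
        rootfs: root filesystem directory for the emulated program.

    The debugger is off by default; the ``use_debugger`` flag below turns it on
    and, with it, the vfork override.
    """
    ql = Qiling(path, rootfs, verbose=QL_VERBOSE.DEBUG)

    # run patcher once control reaches the ELF entry point
    ql.hook_address(patcher, ql.loader.elf_entry)

    # Flip this to attach a debugger, then connect with e.g.:
    #   $ gdb-multiarch -q rootfs/bin/httpd
    #   gdb> set remotetimeout 100
    #   gdb> target remote localhost:9999
    use_debugger = False
    ql.debugger = use_debugger

    # the vfork override is only wanted while a debugger is attached
    if use_debugger:
        ql.set_syscall("vfork", myvfork)

    ql.run()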
def test_gdbdebug_mips32(self):
    """Drive the gdb stub with a broad sample of remote-protocol packets on a MIPS32 binary.

    The stub listens on its default port (9999); a daemon thread connects and
    replays the scripted session while ``ql.run()`` blocks in the main thread.
    """
    ql = Qiling(["../examples/rootfs/mips32_linux/bin/mips32_hello"], "../examples/rootfs/mips32_linux", verbose=QL_VERBOSE.DEBUG)
    ql.debugger = True

    def scripted_client():
        # give ql time to bring its gdb stub up before connecting
        time.sleep(1.337 * 2)

        with SimpleGdbClient('127.0.0.1', 9999) as client:
            # a loose sample of packets, chosen to cover most of the command handlers
            session = (
                'qSupported:multiprocess+;swbreak+;hwbreak+;qRelocInsn+;fork-events+;vfork-events+;exec-events+;vContSupported+;QThreadEvents+;no-resumed+;xmlRegisters=i386',
                'vMustReplyEmpty',
                'QStartNoAckMode',
                'Hgp0.0',
                'qXfer:auxv:read::0, 1000',
                '?',
                'qXfer:threads:read::0,fff',
                f'qAttached:{ql.os.pid}',
                'qC',
                'g',
                'm47ccd10,4',
                'qXfer:threads:read::0,1000',
                'm56555620,4',
                'm5655561c,4',
                'm56555620,4',
                'm5655561c,4',
                'm56555620,4',
                'qTStatus',
                'qTfP',
                'm56555600,40',
                'm56555620,4',
                'Z0,47ccd10,4',
                'QPassSignals:e;10;14;17;1a;1b;1c;21;24;25;2c;4c;97;',
                'vCont?',
                'vCont;c:pa410.-1',
                'c',
                'k',
            )

            for packet in session:
                client.send(packet)

            # let the stub consume the final 'k' before the socket is closed
            time.sleep(1.337)

    threading.Thread(target=scripted_client, daemon=True).start()
    ql.run()

    del ql
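def ql_syscall_execve(ql: Qiling, pathname: int, argv: int, envp: int):
    """Emulate ``execve(2)``: replace the running image with ``pathname``.

    Args:
        ql: emulator instance; its loader, memory map, hooks and debugger are reset in place.
        pathname: guest address of the NUL-terminated program path.
        argv: guest address of a NULL-terminated array of string pointers, or 0.
        envp: guest address of a NULL-terminated array of ``KEY=VALUE`` string pointers, or 0.

    Stops the current emulation, points the loader at the new argv/env/path and,
    unless a raw shellcode blob is being emulated, re-creates the underlying
    engine instance (``ql._uc``), reloads the OS layer and starts the new image.
    Nothing is returned to the guest.
    """
    # both strings come from guest memory, i.e. from the emulated program itself.
    # NOTE(review): assumes transform_to_real_path confines the result to the
    # rootfs — confirm before relying on it for isolation
    file_path = ql.os.utils.read_cstring(pathname)
    real_path = ql.os.path.transform_to_real_path(file_path)

    def __read_str_array(addr: int) -> Iterator[str]:
        # walk a NULL-terminated pointer array in guest memory; a null array
        # pointer yields nothing
        if addr:
            while True:
                elem = ql.mem.read_ptr(addr)

                if elem == 0:
                    break

                yield ql.os.utils.read_cstring(elem)
                addr += ql.pointersize

    args = list(__read_str_array(argv))

    # split each "KEY=VALUE" at the first '='; an entry without '=' maps KEY to ''.
    # a repeated key keeps the last value seen, as the previous assignment loop did
    env = {k: v for k, _, v in (s.partition('=') for s in __read_str_array(envp))}

    ql.emu_stop()

    ql.log.debug(f'execve({file_path}, [{", ".join(args)}], [{", ".join(f"{k}={v}" for k, v in env.items())}])')

    ql.loader.argv = args
    ql.loader.env = env
    ql._path = real_path
    ql.mem.map_info = []
    ql.clear_ql_hooks()

    # drop the debugger so the new image does not try to rebind the same port
    ql.debugger = None

    # shellcode mode has no image to reload
    if ql.code:
        return

    ql._uc = ql.arch.init_uc
    QlCoreHooks.__init__(ql, ql._uc)
    ql.os.load()
    ql.loader.run()
    ql.run()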
def test_gdbdebug_file_server(self):
    """Drive the gdb stub with a sample of remote-protocol packets on an x86-64 ELF.

    The stub listens on its default port (9999); a daemon thread connects and
    replays the scripted session while ``ql.run()`` blocks in the main thread.
    """
    ql = Qiling(["../examples/rootfs/x8664_linux/bin/x8664_hello"], "../examples/rootfs/x8664_linux", verbose=QL_VERBOSE.DEBUG)
    ql.debugger = True

    def scripted_client():
        # give ql time to bring its gdb stub up before connecting
        time.sleep(1.337 * 2)

        with SimpleGdbClient('127.0.0.1', 9999) as client:
            # a loose sample of packets, chosen to cover most of the command handlers
            session = (
                'qSupported:multiprocess+;swbreak+;hwbreak+;qRelocInsn+;fork-events+;vfork-events+;exec-events+;vContSupported+;QThreadEvents+;no-resumed+;xmlRegisters=i386',
                'vMustReplyEmpty',
                'QStartNoAckMode',
                'Hgp0.0',
                'qXfer:auxv:read::0, 1000',
                '?',
                'qXfer:threads:read::0,fff',
                f'qAttached:{ql.os.pid}',
                'qC',
                'g',
                'm555555554040, 1f8',
                'm555555554000, 100',
                'm200, 100',
                'p10',
                'Z0,555555554ada, 1',
                'c',
                'k',
            )

            for packet in session:
                client.send(packet)

            # let the stub consume the final 'k' before the socket is closed
            time.sleep(1.337)

    threading.Thread(target=scripted_client, daemon=True).start()
    ql.run()

    del ql
#!/usr/bin/env python3
#
# Cross Platform and Multi Architecture Advanced Binary Emulation Framework
#

import sys
sys.path.append("..")

from qiling import Qiling
from qiling.const import QL_VERBOSE


def main() -> None:
    """Run x8664_hello under the gdb stub and block until the session ends."""
    ql = Qiling(["rootfs/x8664_linux/bin/x8664_hello"], "rootfs/x8664_linux", verbose=QL_VERBOSE.DEBUG)

    # gdb stub on TCP 9999. "0.0.0.0" binds every interface, and the gdb remote
    # protocol carries no authentication, so anyone who can reach the port controls
    # the emulated target. Prefer "gdb:127.0.0.1:9999" unless a remote gdb must connect.
    ql.debugger = "gdb:0.0.0.0:9999"
    ql.run()


if __name__ == "__main__":
    main()
#!/usr/bin/env python3
#
# Cross Platform and Multi Architecture Advanced Binary Emulation Framework
#

import sys
sys.path.append("..")

from qiling import Qiling
from qiling.const import QL_VERBOSE


def main() -> None:
    """Run arm_hello under qdb with default options."""
    ql = Qiling([r'rootfs/arm_linux/bin/arm_hello'], r'rootfs/arm_linux', verbose=QL_VERBOSE.DEBUG)

    # plain qdb. Other accepted forms:
    #   "qdb::rr"      qdb with record and replay (rr) switched on
    #   "qdb:0x1030c"  qdb with a breakpoint set at 0x1030c
    ql.debugger = "qdb"
    ql.run()


if __name__ == "__main__":
    main()
def run_sandbox(path, rootfs, verbose):
    """Emulate ``path`` under ``rootfs`` with qdb attached.

    Args:
        path: program argument forwarded unchanged to Qiling.
        rootfs: root filesystem directory for the emulated program.
        verbose: Qiling verbosity level.
    """
    emu = Qiling(path, rootfs, verbose=verbose)

    # plain qdb. Other accepted forms:
    #   "qdb::rr"      qdb with record and replay (rr) switched on
    #   "qdb:0x1030c"  qdb with a breakpoint set at 0x1030c
    emu.debugger = "qdb"
    emu.run()