    def test_gdbdebug_shellcode_server(self):
        """Drive Qiling's gdb stub against a raw shellcode target.

        The stub is told to listen on 127.0.0.1:9998; a client thread then
        sends a short, fixed sequence of GDB remote-protocol packets
        (handshake, status, register reads, continue, kill) while ``ql.run()``
        serves them on this thread.  Nothing is asserted about the replies:
        the test only checks that the server survives the exchange.
        """
        # x86-64 execve("/bin/sh", {"/bin/sh", NULL}, NULL) shellcode.  It only
        # ever runs inside the emulator: `48 bb ..` / `48 f7 db` (mov rbx, imm64;
        # neg rbx) materialise "/bin/sh\0", the push/pop pairs build argv,
        # `b0 3b` loads the execve syscall number and `0f 05` is syscall.
        shellcode = bytes.fromhex(
            '31c048bbd19d9691d08c97ff48f7db53545f995257545eb03b0f05')

        ql = Qiling(code=shellcode, archtype='x8664', ostype='linux')
        # Loopback only: the gdb remote protocol carries no authentication, so
        # the stub must not be reachable from other hosts.
        ql.debugger = 'gdb:127.0.0.1:9998'

        packets = (
            'qSupported:multiprocess+;swbreak+;hwbreak+;qRelocInsn+;fork-events+;vfork-events+;exec-events+;vContSupported+;QThreadEvents+;no-resumed+;xmlRegisters=i386',
            'vMustReplyEmpty',
            'QStartNoAckMode',
            'Hgp0.0',
            '?',
            'qC',
            'g',
            'p10',
            'c',
            'k',
        )

        def drive_client():
            # The server only comes up inside ql.run(); give it a head start.
            time.sleep(1.337 * 2)

            with SimpleGdbClient('127.0.0.1', 9998) as client:
                for packet in packets:
                    client.send(packet)

                # Let the server drain the final 'k' before the socket closes.
                time.sleep(1.337)

        threading.Thread(target=drive_client, daemon=True).start()

        ql.run()
        del ql
def sandbox(path: str, args: List[str], rootfs: str) -> None:
    """Emulate an ARM Thumb binary under Qiling with syscall hooks and a debugger.

    Builds the emulator from the keyword form of the constructor, installs
    one handler per entry of the module-level ``hooks`` table (each created
    by ``syscall_hook``), routes invalid memory accesses to
    ``hook_invalid_memory`` and runs until the emulation stops.

    Args:
        path: guest path of the program; first entry of the ``filename`` list.
        args: remaining ``filename`` entries, appended after ``path``.
        rootfs: host directory used as the guest root filesystem.

    NOTE(review): ``ql.debugger = ":9999"`` gives a port but no host.
    Confirm how this Qiling version binds an empty host: passed straight to
    ``socket.bind`` an empty string means every interface, and the gdb
    remote protocol is unauthenticated. An explicit ``127.0.0.1:9999`` is
    the safe spelling.
    """
    options = dict(
        filename=[path, *args],
        rootfs=rootfs,
        env=None,
        shellcoder=None,
        ostype="Linux",
        archtype="arm_thumb",
        bigendian=False,
        output="debug",
        verbose=1,
        profile=None,
        console=True,
        log_dir=None,
        log_split=None,
        append=None,
        libcache=False,
        stdin=0,
        stdout=0,
        stderr=0,
    )
    ql = Qiling(**options)

    # Only the syscall names are needed; the handler comes from syscall_hook().
    for name in hooks:
        ql.set_syscall(name, syscall_hook(name))
    ql.hook_mem_invalid(hook_invalid_memory)

    ql.debugger = ":9999"
    ql.run()
    def test_qdb_x86_hello(self):
        """Run x86_hello under qdb with record/replay, driven by a scripted session.

        The debugger spec ``qdb::rr:<path>`` selects qdb, switches on record
        and replay (``rr``) and names ``qdb_scripts/x86.qdb`` as the script
        (presumably the command sequence qdb replays — confirm against the
        qdb docs).  Nothing is asserted; the test passes if ``run()`` returns.
        """
        rootfs = "../examples/rootfs/x86_linux"
        target = f"{rootfs}/bin/x86_hello"

        ql = Qiling([target], rootfs)
        ql.debugger = "qdb::rr:qdb_scripts/x86.qdb"
        ql.run()
        del ql
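def my_sandbox(path, rootfs, *, debug=False):
    """Emulate ``path`` inside ``rootfs`` with ``patcher`` hooked at the ELF entry.

    The original hard-wired ``ql.debugger = False`` and then tested
    ``ql.debugger == True``, so the vfork hook below was dead code that could
    only be reached by editing the source.  The toggle is now a keyword-only
    parameter; the default reproduces the old behaviour exactly.

    Args:
        path: first positional argument to ``Qiling`` (the program to run).
        rootfs: host directory used as the guest root filesystem.
        debug: False (default) leaves the debugger off.  True, or a Qiling
            debugger spec string, is assigned to ``ql.debugger``; whenever it
            is truthy the ``vfork`` syscall is also redirected to ``myvfork``.

    Attaching once ``debug`` is on::

        $ gdb-multiarch -q rootfs/bin/httpd
        gdb> set remotetimeout 100
        gdb> target remote localhost:9999

    NOTE(review): ``debug=True`` uses Qiling's default gdb listener; confirm
    which address it binds to.  The gdb remote protocol is unauthenticated,
    so it should only be reachable from localhost (or via an SSH tunnel).
    """
    ql = Qiling(path, rootfs, verbose=QL_VERBOSE.DEBUG)
    # A /dev/urandom fs mapping (ql.add_fs_mapper) was left disabled here.
    ql.hook_address(patcher, ql.loader.elf_entry)

    ql.debugger = debug
    if debug:
        ql.set_syscall("vfork", myvfork)

    ql.run()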
    def test_gdbdebug_mips32(self):
        """Replay a captured gdb session against the stub with a MIPS32 guest.

        ``ql.debugger = True`` enables Qiling's default gdb listener; a client
        thread connects to 127.0.0.1:9999 and sends a fixed packet sequence
        (handshake, auxv/thread xfers, memory reads, a breakpoint, signal
        pass-through, vCont, continue, kill).  The packets — including the
        ``xmlRegisters=i386`` advertisement and the hard-coded addresses —
        are a recording from another session, not tailored to this binary;
        the test asserts nothing about the replies and only checks that the
        server survives the exchange.
        """
        ql = Qiling(["../examples/rootfs/mips32_linux/bin/mips32_hello"],
                    "../examples/rootfs/mips32_linux",
                    verbose=QL_VERBOSE.DEBUG)
        ql.debugger = True

        def drive_client():
            # The server only comes up inside ql.run(); give it a head start.
            time.sleep(1.337 * 2)

            with SimpleGdbClient('127.0.0.1', 9999) as client:
                packets = [
                    'qSupported:multiprocess+;swbreak+;hwbreak+;qRelocInsn+;fork-events+;vfork-events+;exec-events+;vContSupported+;QThreadEvents+;no-resumed+;xmlRegisters=i386',
                    'vMustReplyEmpty',
                    'QStartNoAckMode',
                    'Hgp0.0',
                    'qXfer:auxv:read::0, 1000',
                    '?',
                    'qXfer:threads:read::0,fff',
                    f'qAttached:{ql.os.pid}',
                    'qC',
                    'g',
                    'm47ccd10,4',
                    'qXfer:threads:read::0,1000',
                    'm56555620,4',
                    'm5655561c,4',
                    'm56555620,4',
                    'm5655561c,4',
                    'm56555620,4',
                    'qTStatus',
                    'qTfP',
                    'm56555600,40',
                    'm56555620,4',
                    'Z0,47ccd10,4',
                    'QPassSignals:e;10;14;17;1a;1b;1c;21;24;25;2c;4c;97;',
                    'vCont?',
                    'vCont;c:pa410.-1',
                    'c',
                    'k',
                ]
                for packet in packets:
                    client.send(packet)

                # Let the server drain the final 'k' before the socket closes.
                time.sleep(1.337)

        threading.Thread(target=drive_client, daemon=True).start()

        ql.run()
        del ql
def ql_syscall_execve(ql: Qiling, pathname: int, argv: int, envp: int):
    """Handle the guest's execve(2) by restarting the emulator on the new image.

    Reads the path, argv and envp out of guest memory, stops the current
    emulation, points the loader at the new program and environment, tears
    down hooks and the debugger, re-creates the Unicorn instance and runs
    the new image from inside this call.  In shellcode mode (``ql.code``
    set) it stops after ``emu_stop`` and returns without reloading.

    Args:
        ql: the running Qiling instance; mutated in place.
        pathname: guest address of the NUL-terminated path string.
        argv: guest address of a NULL-terminated pointer array, or 0.
        envp: guest address of a NULL-terminated array of "KEY=VALUE"
            pointers, or 0.  A repeated key keeps the last value.

    Security notes:
        * The host path comes from ``transform_to_real_path``; nothing here
          re-checks it, so confinement of the new image to the rootfs rests
          entirely on that helper.
        * The argv/envp walks have no ARG_MAX-style cap.  A guest that omits
          the NULL terminator is only stopped when ``ql.mem.read_ptr``
          fails (presumably on an unmapped address).
        * argv and envp are guest-controlled and logged verbatim at debug
          level, newlines included.
    """
    file_path = ql.os.utils.read_cstring(pathname)
    real_path = ql.os.path.transform_to_real_path(file_path)

    def _strings_at(base: int) -> Iterator[str]:
        # Walk a NULL-terminated array of string pointers; empty for base == 0.
        if not base:
            return
        cursor = base
        entry = ql.mem.read_ptr(cursor)
        while entry != 0:
            yield ql.os.utils.read_cstring(entry)
            cursor += ql.pointersize
            entry = ql.mem.read_ptr(cursor)

    args = list(_strings_at(argv))
    env = {
        key: value
        for key, _, value in (s.partition('=') for s in _strings_at(envp))
    }

    ql.emu_stop()

    argv_text = ", ".join(args)
    env_text = ", ".join(f"{k}={v}" for k, v in env.items())
    ql.log.debug(f'execve({file_path}, [{argv_text}], [{env_text}])')

    # Re-point the loader at the new image and drop everything tied to the
    # old one before a fresh Unicorn instance is created.
    ql.loader.argv = args
    ql.loader.env = env
    ql._path = real_path
    ql.mem.map_info = []
    ql.clear_ql_hooks()
    # Clear the debugger so the re-run cannot collide on the same port.
    ql.debugger = None

    # Shellcode mode has no image to reload.
    if ql.code:
        return

    ql._uc = ql.arch.init_uc
    QlCoreHooks.__init__(ql, ql._uc)

    ql.os.load()
    ql.loader.run()
    ql.run()
    def test_gdbdebug_file_server(self):
        """Replay a captured gdb session against the stub with an x86-64 ELF guest.

        ``ql.debugger = True`` enables Qiling's default gdb listener; a client
        thread connects to 127.0.0.1:9999 and sends a fixed packet sequence
        (handshake, auxv/thread xfers, memory and register reads, a
        breakpoint, continue, kill).  The memory addresses are hard-coded
        from a recorded session; the test asserts nothing about the replies
        and only checks that the server survives the exchange.
        """
        ql = Qiling(["../examples/rootfs/x8664_linux/bin/x8664_hello"],
                    "../examples/rootfs/x8664_linux",
                    verbose=QL_VERBOSE.DEBUG)
        ql.debugger = True

        def drive_client():
            # The server only comes up inside ql.run(); give it a head start.
            time.sleep(1.337 * 2)

            with SimpleGdbClient('127.0.0.1', 9999) as client:
                packets = [
                    'qSupported:multiprocess+;swbreak+;hwbreak+;qRelocInsn+;fork-events+;vfork-events+;exec-events+;vContSupported+;QThreadEvents+;no-resumed+;xmlRegisters=i386',
                    'vMustReplyEmpty',
                    'QStartNoAckMode',
                    'Hgp0.0',
                    'qXfer:auxv:read::0, 1000',
                    '?',
                    'qXfer:threads:read::0,fff',
                    f'qAttached:{ql.os.pid}',
                    'qC',
                    'g',
                    'm555555554040, 1f8',
                    'm555555554000, 100',
                    'm200, 100',
                    'p10',
                    'Z0,555555554ada, 1',
                    'c',
                    'k',
                ]
                for packet in packets:
                    client.send(packet)

                # Let the server drain the final 'k' before the socket closes.
                time.sleep(1.337)

        threading.Thread(target=drive_client, daemon=True).start()

        ql.run()
        del ql
#!/usr/bin/env python3
#
# Cross Platform and Multi Architecture Advanced Binary Emulation Framework
#

import sys
sys.path.append("..")

from qiling import Qiling
from qiling.const import QL_VERBOSE

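if __name__ == "__main__":
    ql = Qiling(["rootfs/x8664_linux/bin/x8664_hello"],
                "rootfs/x8664_linux",
                verbose=QL_VERBOSE.DEBUG)
    # Bind the gdb stub to loopback only.  The GDB remote protocol has no
    # authentication: anyone who can reach the port can read the emulated
    # process's memory and control its execution.  The original example bound
    # 0.0.0.0, i.e. every interface on the host.  If a remote gdb really is
    # needed, widen the host deliberately and put an SSH tunnel or firewall
    # rule in front of it.  Attach locally with:
    #   gdb> target remote 127.0.0.1:9999
    ql.debugger = "gdb:127.0.0.1:9999"
    ql.run()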
#!/usr/bin/env python3
#
# Cross Platform and Multi Architecture Advanced Binary Emulation Framework
#

import sys
sys.path.append("..")

from qiling import Qiling
from qiling.const import QL_VERBOSE

if __name__ == "__main__":
    target = [r'rootfs/arm_linux/bin/arm_hello']
    rootfs = r'rootfs/arm_linux'

    # Plain "qdb" starts Qiling's qdb debugger with default options.  Other
    # accepted spellings: "qdb::rr" switches on record and replay, and
    # "qdb:0x1030c" sets a breakpoint at 0x1030c before running.
    debugger_spec = "qdb"

    ql = Qiling(target, rootfs, verbose=QL_VERBOSE.DEBUG)
    ql.debugger = debugger_spec
    ql.run()
def run_sandbox(path, rootfs, verbose):
    """Emulate ``path`` inside ``rootfs`` under Qiling's qdb debugger.

    Args:
        path: first positional argument to ``Qiling`` (the program to run).
        rootfs: host directory used as the guest root filesystem.
        verbose: forwarded unchanged as Qiling's ``verbose`` setting.

    Only the bare "qdb" spec is used here.  "qdb::rr" would additionally
    switch on record and replay, and "qdb:0x1030c" would set a breakpoint
    at 0x1030c before running.
    """
    emulator = Qiling(path, rootfs, verbose=verbose)
    emulator.debugger = "qdb"
    emulator.run()