-
Notifications
You must be signed in to change notification settings - Fork 745
/
qltool
executable file
·300 lines (229 loc) · 11.5 KB
/
qltool
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
#!/usr/bin/env python3
#
# Cross Platform and Multi Architecture Advanced Binary Emulation Framework
#
import argparse
import os
import sys
import ast
import pickle
from pprint import pprint
from typing import TYPE_CHECKING, Mapping, Type
from unicorn import __version__ as uc_ver
from qiling import __version__ as ql_ver
from qiling import Qiling
from qiling.arch import utils as arch_utils
from qiling.debugger.qdb import QlQdb
from qiling.const import QL_VERBOSE, QL_ENDIAN, os_map, arch_map, verbose_map
from qiling.extensions.coverage import utils as cov_utils
from qiling.extensions import report
if TYPE_CHECKING:
from enum import Enum
# read code from file
def read_file(fname: str):
with open(fname, "rb") as f:
content = f.read()
return content
class __arg_env(argparse.Action):
def __call__(self, parser, namespace, values: str, option_string):
if os.path.exists(values):
with open(values, 'rb') as f:
env = pickle.load(f)
else:
env = ast.literal_eval(values)
setattr(namespace, self.dest, env or {})
def __make_enum_arg(enum_rmap: Mapping[str, 'Enum'], aliases: Mapping[str, str] = {}) -> Type[argparse.Action]:
class __enum_arg(argparse.Action):
def __call__(self, parser, namespace, values: str, option_string):
values = values.casefold()
if values in aliases:
values = aliases[values]
setattr(namespace, self.dest, enum_rmap[values])
return __enum_arg
__arg_archtype = __make_enum_arg(arch_map, {'x86_64': 'x8664', 'riscv32': 'riscv'})
__arg_ostype = __make_enum_arg(os_map, {'darwin': 'macos'})
__arg_verbose = __make_enum_arg(verbose_map)
def handle_code(options: argparse.Namespace):
archendian = {
'little': QL_ENDIAN.EL,
'big' : QL_ENDIAN.EB
}[options.endian]
if options.format == 'hex':
if options.input is not None:
print("Load HEX from ARGV")
code = str(options.input).strip("\\\\x").split("x")
code = "".join(code).strip()
code = bytes.fromhex(code)
elif options.filename is not None:
print("Load HEX from FILE")
code = str(read_file(options.filename)).strip('b\'').strip('\\n')
code = code.strip('x').split("\\\\x")
code = "".join(code).strip()
code = bytes.fromhex(code)
else:
print("ERROR: File not found")
exit(1)
elif options.format == 'asm':
print("Load ASM from FILE")
assembly = read_file(options.filename)
assembler = arch_utils.assembler(options.arch, archendian, options.thumb)
code, _ = assembler.asm(assembly)
code = bytes(code)
elif options.format == 'bin':
print("Load BIN from FILE")
if options.filename is not None:
code = read_file(options.filename)
else:
print("ERROR: File not found")
exit(1)
ql = Qiling(
rootfs=options.rootfs,
env=options.env,
code=code,
ostype=options.os,
archtype=options.arch,
verbose=options.verbose,
profile=options.profile,
filter=options.filter,
endian=archendian,
thumb=options.thumb,
)
return ql
def handle_run(options: argparse.Namespace):
effective_argv = []
# with argv
if options.filename is not None and options.run_args == []:
effective_argv = [options.filename] + options.args
# Without argv
elif options.filename is None and options.args == [] and options.run_args != []:
effective_argv = options.run_args
else:
print("ERROR: Command error!")
ql = Qiling(
argv=effective_argv,
rootfs=options.rootfs,
env=options.env,
verbose=options.verbose,
profile=options.profile,
console=options.console,
log_file=options.log_file,
log_plain=options.log_plain,
multithread=options.multithread,
filter=options.filter,
libcache=options.libcache
)
# attach Qdb at entry point
if options.qdb is True:
QlQdb(ql, rr=options.rr).run()
exit()
return ql
def handle_examples(parser: argparse.ArgumentParser):
prog = os.path.basename(__file__)
__ql_examples = f"""Examples:
With code:
{prog} code --os linux --arch arm --format hex -f examples/shellcodes/linarm32_tcp_reverse_shell.hex
{prog} code --os linux --arch x86 --format asm -f examples/shellcodes/lin32_execve.asm
With binary file:
{prog} run -f examples/rootfs/x8664_linux/bin/x8664_hello --rootfs examples/rootfs/x8664_linux
{prog} run -f examples/rootfs/mips32el_linux/bin/mips32el_hello --rootfs examples/rootfs/mips32el_linux
With binary file and Qdb:
{prog} run -f examples/rootfs/mips32el_linux/bin/mips32el_hello --rootfs examples/rootfs/mips32el_linux --qdb
{prog} run -f examples/rootfs/mips32el_linux/bin/mips32el_hello --rootfs examples/rootfs/mips32el_linux --qdb --rr
With binary file and gdbserver:
{prog} run -f examples/rootfs/x8664_linux/bin/x8664_hello --gdb 127.0.0.1:9999 --rootfs examples/rootfs/x8664_linux
With binary file and additional argv:
{prog} run -f examples/rootfs/x8664_linux/bin/x8664_args --rootfs examples/rootfs/x8664_linux --args test1 test2 test3
With binary file and various output format:
{prog} run -f examples/rootfs/mips32el_linux/bin/mips32el_hello --rootfs examples/rootfs/mips32el_linux --verbose disasm
{prog} run -f examples/rootfs/mips32el_linux/bin/mips32el_hello --rootfs examples/rootfs/mips32el_linux --filter ^open
With UEFI file:
{prog} run -f examples/rootfs/x8664_efi/bin/TcgPlatformSetupPolicy --rootfs examples/rootfs/x8664_efi --env examples/rootfs/x8664_efi/rom2_nvar.pickel
With binary file and json output:
{prog} run -f examples/rootfs/x86_windows/bin/x86_hello.exe --rootfs examples/rootfs/x86_windows --no-console --json
"""
parser.exit(0, __ql_examples)
if __name__ == '__main__':
parser = argparse.ArgumentParser()
parser.add_argument('--version', action='version', version=f'qltool for Qiling {ql_ver}, using Unicorn {uc_ver}')
commands = parser.add_subparsers(title='sub commands', description='select execution mode', dest='subcommand', required=True)
# set "run" subcommand options
run_parser = commands.add_parser('run', help='run a program')
run_parser.add_argument('-f', '--filename', default=None, metavar="FILE", help="filename")
run_parser.add_argument('--rootfs', required=True, help='emulated rootfs')
run_parser.add_argument('--args', default=[], nargs=argparse.REMAINDER, dest="args", help="args")
run_parser.add_argument('run_args', default=[], nargs=argparse.REMAINDER)
# set "code" subcommand options
code_parser = commands.add_parser('code', help='execute a shellcode')
code_parser.add_argument('-f', '--filename', metavar="FILE", help="filename")
code_parser.add_argument('-i', '--input', metavar="INPUT", dest="input", help='input hex value')
code_parser.add_argument('--arch', required=True, choices=arch_map, action=__arg_archtype)
code_parser.add_argument('--thumb', action='store_true', default=False, help='specify thumb mode for ARM')
code_parser.add_argument('--endian', choices=('little', 'big'), default='little', help='specify endianess for bi-endian archs')
code_parser.add_argument('--os', required=True, choices=os_map, action=__arg_ostype)
code_parser.add_argument('--rootfs', default='.', help='emulated root filesystem, that is where all libraries reside')
code_parser.add_argument('--format', choices=('asm', 'hex', 'bin'), default='bin', help='input file format')
# set "examples" subcommand
expl_parser = commands.add_parser('examples', help='show examples and exit', add_help=False)
# set "qltui" subcommand
qltui_parser = commands.add_parser('qltui', help='show qiling Terminal User Interface', add_help=False)
qltui_enabled = False
comm_parser = run_parser
if len(sys.argv) > 1 and sys.argv[1] == 'code':
comm_parser = code_parser
# set common options
comm_parser.add_argument('-v', '--verbose', choices=verbose_map, default=QL_VERBOSE.DEFAULT, action=__arg_verbose, help='set verbosity level')
comm_parser.add_argument('--env', metavar="FILE", action=__arg_env, default={}, help="pickle file containing an environment dictionary")
comm_parser.add_argument('-g', '--gdb', nargs='?', metavar='SERVER:PORT', const='gdb', help='enable gdb server')
comm_parser.add_argument('--qdb', action='store_true', help='attach Qdb at entry point, it\'s MIPS, ARM(THUMB) supported only for now')
comm_parser.add_argument('--rr', action='store_true', help='switch on record and replay feature in qdb, only works with --qdb')
comm_parser.add_argument('--profile', help="define a customized profile")
comm_parser.add_argument('--no-console', action='store_false', dest='console', help='do not emit output to console')
comm_parser.add_argument('-e', '--filter', metavar='REGEXP', default=None, help="apply a filtering regexp on log output")
comm_parser.add_argument('--log-file', help="write log to a file")
comm_parser.add_argument('--log-plain', action='store_true', help="do not use colors in log output")
comm_parser.add_argument('--root', action='store_true', help='enable sudo required mode')
comm_parser.add_argument('--debug-stop', action='store_true', help='stop running on error; requires verbose to be set to either "debug" or "dump"')
comm_parser.add_argument('-m', '--multithread', action='store_true', help='run in multithread mode')
comm_parser.add_argument('--timeout', type=int, default=0, help='set emulation timeout')
comm_parser.add_argument('-c', '--coverage-file', default=None, help='code coverage file name')
comm_parser.add_argument('--coverage-format', default='drcov', choices=cov_utils.factory.formats, help='code coverage file format')
comm_parser.add_argument('--json', action='store_true', help='print a json report of the emulation')
comm_parser.add_argument('--libcache', action='store_true', help='enable dll caching for windows')
options = parser.parse_args()
if options.subcommand == 'examples':
handle_examples(parser)
if options.subcommand == 'qltui':
import qltui
options = qltui.get_data()
qltui_enabled = True
# ql file setup
if options.subcommand == 'run':
ql = handle_run(options)
# ql code setup
if options.subcommand == 'code':
ql = handle_code(options)
# ql execute additional options
if options.gdb:
argval = options.gdb
if argval != 'gdb':
argval = f'gdb:{argval}'
ql.debugger = argval
if options.debug_stop:
if options.verbose not in (QL_VERBOSE.DEBUG, QL_VERBOSE.DUMP):
parser.error('the debug_stop option requires verbose to be set to either "debug" or "dump"')
ql.debug_stop = True
if options.root:
ql.root = True
# ql run
with cov_utils.collect_coverage(ql, options.coverage_format, options.coverage_file):
if qltui_enabled:
hook_dictionary = qltui.hook(ql)
ql.run(timeout=options.timeout)
if options.json:
report = report.generate_report(ql)
if qltui_enabled:
report["syscalls"] = qltui.transform_syscalls(ql.os.stats.syscalls)
qltui.show_report(ql, report, hook_dictionary)
else:
pprint(report)
exit(ql.os.exit_code)