demo: add r2 extension

chinggg · chinggg · commit ee0b3fa88d3b · 2022-04-15T22:26:54.000+08:00
diff --git a/examples/fuzzing/linux_x8664/fuzz_x8664_linux.py b/examples/fuzzing/linux_x8664/fuzz_x8664_linux.py
@@ -31,7 +31,7 @@
 from qiling.extensions import afl
 
 def main(input_file: str):
-    ql = Qiling(["./x8664_fuzz"], "../../rootfs/x8664_linux",
+    ql = Qiling(["./x8664_fuzz"], "../../rootfs/x8664_linux", analyzer="r2",
         verbose=QL_VERBOSE.OFF, # keep qiling logging off
         console=False)          # thwart program output
 
@@ -64,7 +64,7 @@ def start_afl(ql: Qiling):
     ql.hook_address(callback=lambda x: os.abort(), address=ba + 0x1225)
 
     # set afl instrumentation [re]starting point. we set it to 'main'
-    ql.hook_address(callback=start_afl, address=ba + 0x122c)
+    ql.hook_address(callback=start_afl, address=ba + ql.analyzer.addr_of("main"))
 
     # okay, ready to roll
     ql.run()
diff --git a/qiling/bin/__init__.py b/qiling/bin/__init__.py
@@ -0,0 +1,2 @@
+from .base import QlBinFunction, QlBinSection, QlBinString, QlBinSymbol
+from .analyze import QlBinAnalyzer
diff --git a/qiling/bin/analyze.py b/qiling/bin/analyze.py
@@ -0,0 +1,41 @@
+from abc import ABC, abstractmethod
+from typing import Set
+from .base import QlBinSection, QlBinString, QlBinSymbol
+
+
+class QlBinAnalyzer(ABC):
+    """
+    An abstract base class for concrete static binary analyzers.
+    To extend a new binary analyzer, just derive from this class and implement
+    all the methods marked with the @abstractmethod decorator.
+    """
+
+    def __init__(self):
+        super().__init__()
+
+    @property
+    @abstractmethod
+    def sections(self) -> Set[QlBinSection]:
+        raise NotImplementedError
+
+    @property
+    @abstractmethod
+    def strings(self) -> Set[QlBinString]:
+        raise NotImplementedError
+
+    @property
+    @abstractmethod
+    def symbols(self) -> Set[QlBinSymbol]:
+        raise NotImplementedError
+
+    @abstractmethod
+    def addr_of_sym(self, name: str) -> int | None:
+        raise NotImplementedError
+
+    @abstractmethod
+    def addr_of_fcn(self, name: str) -> int | None:
+        raise NotImplementedError
+
+    @abstractmethod
+    def addr_of(self, name: str) -> int | None:
+        raise NotImplementedError
diff --git a/qiling/bin/base.py b/qiling/bin/base.py
@@ -0,0 +1,111 @@
+#!/usr/bin/env python3
+#
+# Cross Platform and Multi Architecture Advanced Binary Emulation Framework
+#
+
+from dataclasses import dataclass, fields
+from enum import Enum
+
+
+@dataclass(unsafe_hash=True)
+class QlBinFunction:
+    name: str
+    offset: int
+    size: int
+    signature: str = None
+
+    def __init__(self, **kwargs):
+        names = set([f.name for f in fields(self)])
+        for k, v in kwargs.items():
+            if k in names:
+                setattr(self, k, v)
+
+
+@dataclass(unsafe_hash=True)
+class QlBinSection:
+    name: str
+    size: int
+    vsize: int
+    paddr: int
+    vaddr: int
+    perm: str  # TODO: use enum
+
+    def __init__(self, **kwargs):
+        names = set([f.name for f in fields(self)])
+        for k, v in kwargs.items():
+            if k in names:
+                setattr(self, k, v)
+
+
+@dataclass(unsafe_hash=True)
+class QlBinString:
+    string: str
+    vaddr: int
+    paddr: int
+    size: int
+    length: int
+    section: str = None
+
+    def __init__(self, **kwargs):
+        names = set([f.name for f in fields(self)])
+        for k, v in kwargs.items():
+            if k in names:
+                setattr(self, k, v)
+
+
+@dataclass(unsafe_hash=True)
+class QlBinSymbol:
+    # see https://github.com/rizinorg/rizin/blob/dev/librz/include/rz_bin.h
+    class SymbolType(str, Enum):
+        NOTYPE = "NOTYPE"
+        OBJ = "OBJ"
+        FUNC = "FUNC"
+        FIELD = "FIELD"
+        IFACE = "IFACE"
+        METH = "METH"
+        STATIC = "STATIC"
+        SECT = "SECT"
+        FILE = "FILE"
+        COMMON = "COMMON"
+        TLS = "TLS"
+        NUM = "NUM"
+        LOOS = "LOOS"
+        HIOS = "HIOS"
+        LOPROC = "LOPROC"
+        HIPROC = "HIPROC"
+        SPCL = "SPCL"
+        UNK = "UNK"
+
+    class SymbolBind(str, Enum):
+        LOCAL = "LOCAL"
+        GLOBAL = "GLOBAL"
+        WEAK = "WEAK"
+        NUM = "NUM"
+        LOOS = "LOOS"
+        HIOS = "HIOS"
+        LOPROC = "LOPROC"
+        HIPROC = "HIPROC"
+        IMPORT = "IMPORT"
+        UNKNOWN = "UNKNOWN"
+
+    name: str
+    realname: str
+    bind: str
+    size: int
+    type: SymbolType
+    vaddr: int
+    paddr: int
+    is_imported: bool
+
+    def __init__(self, **kwargs):
+        names = set([f.name for f in fields(self)])
+        for k, v in kwargs.items():
+            if k in names:
+                setattr(self, k, v)
+
+    def __str__(self):
+        return f"{self.name} {self.type} {hex(self.vaddr)} {hex(self.paddr)}"
+
+if __name__ == '__main__':
+    sym = QlBinFunction(**{"name": "test", "offset": 0x1234, "size": 0x5678})
+    print(sym)
diff --git a/qiling/core.py b/qiling/core.py
@@ -12,6 +12,8 @@
 
 from unicorn.unicorn import Uc
 
+from qiling.extensions.r2.r2 import R2
+
 if TYPE_CHECKING:
     from .arch.arch import QlArch
     from .os.os import QlOs
@@ -46,6 +48,7 @@ def __init__(
             multithread = False,
             filter = None,
             stop: QL_STOP = QL_STOP.NONE,
+            analyzer: str = None,
             *,
             endian: QL_ENDIAN = None,
             thumb: bool = False,
@@ -195,7 +198,13 @@ def __init__(
 
         # Run the loader
         self.loader.run()
-        self._init_stop_guard()    
+        self._init_stop_guard()
+
+        # Initialize the binary analzer if provdided
+        if analyzer == "r2":
+            self.analyzer = R2(self._path)
+        elif analyzer == "rizin":
+            self.analyzer = R2(self._path)
 
     #####################
     # Qiling Components #
diff --git a/qiling/extensions/r2/__init__.py b/qiling/extensions/r2/__init__.py
diff --git a/qiling/extensions/r2/r2.py b/qiling/extensions/r2/r2.py
@@ -0,0 +1,97 @@
+#!/usr/bin/env python3
+#
+# Cross Platform and Multi Architecture Advanced Binary Emulation Framework
+#
+
+import os
+import functools
+import json
+import ctypes
+from typing import Set
+import libr
+from qiling.bin import QlBinAnalyzer
+from qiling.bin import QlBinFunction, QlBinSection, QlBinString, QlBinSymbol
+
+
+class R2(QlBinAnalyzer):
+    def __init__(self, filename: str):
+        super().__init__()
+        filename = filename.encode()
+        filename = os.path.realpath(filename)
+        self._r2c = libr.r_core.r_core_new()
+        fh = libr.r_core.r_core_file_open(self._r2c, filename, 0b101, 0)
+        libr.r_core.r_core_bin_load(self._r2c, filename, (1 << 64) - 1)
+
+    def _cmd(self, cmd):
+        r = libr.r_core.r_core_cmd_str(
+            self._r2c, ctypes.create_string_buffer(cmd.encode("utf-8")))
+        return ctypes.string_at(r).decode('utf-8')
+
+    @functools.cached_property
+    def sections(self) -> Set[QlBinSection]:
+        res = self._cmd("iSj")
+        sec_lst = json.loads(res)
+        return {QlBinSection(**dic) for dic in sec_lst}
+
+    @functools.cached_property
+    def strings(self) -> Set[QlBinString]:
+        res = self._cmd("izzj")
+        str_lst = json.loads(res)
+        return {QlBinString(**dic) for dic in str_lst}
+
+    @functools.cached_property
+    def symbols(self) -> Set[QlBinSymbol]:
+        res = self._cmd("isj")
+        sym_lst = json.loads(res)
+        return {QlBinSymbol(**dic) for dic in sym_lst}
+
+    @functools.cached_property
+    def functions(self) -> Set[QlBinFunction]:
+        self._cmd("aaa")
+        res = self._cmd("aflj")
+        fcn_lst = json.loads(res)
+        return {QlBinFunction(**dic) for dic in fcn_lst}
+
+    @functools.cached_property
+    def baddr(self) -> int:
+        _bin = ctypes.cast(self._r2c.contents.bin,
+                           ctypes.POINTER(libr.r_bin.RBin))
+        return libr.r_bin.r_bin_get_baddr(_bin)
+
+    def addr_of_str(self, name: str) -> int | None:
+        strs = self.strings
+        for str in strs:
+            if str.string == name:
+                return str.vaddr
+
+    def addr_of_sym(self, name: str) -> int | None:
+        syms = self.symbols
+        for sym in syms:
+            if sym.name == name or sym.realname == name:
+                return sym.vaddr
+
+    def addr_of_fcn(self, name: str) -> int | None:
+        fcns = self.functions
+        for fcn in fcns:
+            if fcn.name == name or fcn.name.endswith(name):
+                return fcn.offset
+
+    def addr_of(self, name: str) -> int | None:
+        return self.addr_of_sym(name) or self.addr_of_fcn(name)
+
+    def __del__(self):
+        libr.r_core.r_core_free(self._r2c)
+
+
+if __name__ == '__main__':
+    r2 = R2("examples/fuzzing/linux_x8664/x8664_fuzz")
+    print(r2.strings)
+    print(r2.sections)
+    print(hex(r2.baddr))
+    print(hex(r2.addr_of("main")))
+    while True:
+        print("> ", end="")
+        cmd = input()
+        if cmd.strip() == "q":
+            break
+        print(r2._cmd(cmd))

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+from .base import QlBinFunction, QlBinSection, QlBinString, QlBinSymbol`
	`2`	`+from .analyze import QlBinAnalyzer`