Merge pull request #1299 from qilingframework/dev

Getting ready for 1.4.5

.github/workflows/build-ci.yml

@@ -10,21 +10,18 @@ jobs:
       fail-fast: false
       matrix:
         #os: [windows-2019, macos-10.15, ubuntu-18.04, ubuntu-20.04]
-        os: [windows-latest, ubuntu-18.04, ubuntu-20.04]
-        python-version: [3.8, 3.9]
-        exclude:
-          - os: ubuntu-18.04
-            python-version: 3.9                   
+        os: [windows-latest, ubuntu-20.04]
+        python-version: [3.8, 3.9]              
         include:
-          - os: ubuntu-18.04
+          - os: ubuntu-22.04
             python-version: 3.9
             container: Docker
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
 
     - name: Set up Python
-      uses: actions/setup-python@v2
+      uses: actions/setup-python@v4
       with:
         python-version: ${{ matrix.python-version }}
 

ChangeLog

@@ -1,5 +1,48 @@
 This file details the changelog of Qiling Framework.
 
+------------------------------------
+[Version 1.4.5]: December 29th, 2022
+
+New features:
+- Qdb with PE (#1295)
+
+Improvements:
+- Add pstate in const_arm64.py (#1236)
+- Implement ql_syscall_sched_yield (#1237)
+- Periodic quality PR (#1238)
+- Speed up MCU interrupt handler (#1240)
+- Minor update for setup.py, mcu test and windows registry (#1246)
+- Optimize qltui (#1247)
+- Optimize evm dependency package version manage (#1248)
+- Fix getrlimit related syscall (aka tenda fix) (#1249)
+- Add new ci for arm firmware (#1250)
+- More detailed tenda CI test and cleanup elf multithrad http test (#1251)
+- Fix MIPS relocs (#1252)
+- Newly compiled picohttpd for armeb and new test script (#1254)
+- Update armeb test binary and testing docker (#1255)
+- Update rootfs (#1256)
+- Qdb bug fix and improvement (#1257)
+- Improve handling of gdb 42000 magic pid (#1259)
+- Fix mcu issue in qdb and show flags in uppercase (#1263)
+- Update setup.py (#1267)
+- Handle Cortex M as a specific arch (#1271)
+- Fix some error in syscall fcntl and getsockopt (#1272)
+- Periodic maintenance PR (#1274)
+- Fix gdb attach on ARM thumb mode (#1285)
+- Qdb: add command show_args (#1289)
+- Periodic maintenance PR (#1293)
+
+Contributors:
+- richor1042
+- vhertz
+- elicn
+- kabeor
+- xwings
+- ucgJhe
+- aquynh
+- owl129
+- 
+
 ------------------------------------
 [Version 1.4.4]: September 24th, 2022
 
@@ -87,7 +130,6 @@ Contributors:
 - elicn
 - xwings
 - cq674350529
-- elicn
 - TheZ3ro
 - bet4it
 - chinggg

README.md

@@ -28,6 +28,10 @@ Qiling is an advanced binary emulation framework, with the following features:
 
 Qiling also made its way to various international conferences.
 
+2022:
+- [Black Hat, EU](https://www.blackhat.com/eu-22/arsenal/schedule/#reversing-mcu-with-firmware-emulation-29553)
+- [Black Hat, MEA](https://blackhatmea.com/node/724)
+
 2021:
 - [Black Hat, USA](https://www.blackhat.com/us-21/arsenal/schedule/index.html#bringing-the-x-complete-re-experience-to-smart-contract-24119)
 - [Hack In The Box, Amsterdam](https://conference.hitb.org/hitbsecconf2021ams/sessions/when-qiling-framework-meets-symbolic-execution/)

examples/fuzzing/stm32f429/afl_inputs/sample

@@ -0,0 +1,2 @@
+hackme
+aaaaaaaaaaaa

examples/fuzzing/stm32f429/fuzz.py

@@ -0,0 +1,56 @@
+#!/usr/bin/env python3
+# 
+# Cross Platform and Multi Architecture Advanced Binary Emulation Framework
+#
+
+import os
+import sys
+
+from typing import Any, Optional
+
+sys.path.append("../../..")
+from qiling.core import Qiling
+from qiling.const import QL_VERBOSE
+
+from qiling.extensions.afl import ql_afl_fuzz_custom
+from qiling.extensions.mcu.stm32f4 import stm32f429
+
+from unicorn import UC_ERR_OK, UcError
+
+def main(input_file: str):
+    ql = Qiling(["../../rootfs/mcu/stm32f429/bof.elf"], 
+                archtype="cortex_m", 
+                env=stm32f429, 
+                ostype='mcu',
+                verbose=QL_VERBOSE.DISABLED)
+
+    ql.hw.create('rcc')
+    ql.hw.create('usart2')
+    ql.hw.create('usart3')
+
+    ql.fast_mode = True 
+
+    def place_input_callback(ql: Qiling, input_bytes: bytes, persistent_round: int) -> Optional[bool]:
+        """Called with every newly generated input."""
+
+        ql.hw.usart3.send(input_bytes)
+
+        return True
+
+    def fuzzing_callback(ql: Qiling):
+        ql.run(end=0x80006d9)            
+
+        return UC_ERR_OK
+
+    ql.uc.ctl_exits_enabled(True)
+    ql.uc.ctl_set_exits([0x80006d9])
+
+    ql_afl_fuzz_custom(ql, input_file, place_input_callback, fuzzing_callback=fuzzing_callback)
+
+    os.exit(0)
+
+if __name__ == "__main__":
+    if len(sys.argv) == 1:
+        raise ValueError("No input file provided.")
+
+    main(sys.argv[1])

examples/fuzzing/stm32f429/fuzz.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+AFL_AUTORESUME=1 afl-fuzz -i afl_inputs -o afl_outputs -U -- python3 ./fuzz.py @@

examples/hello_mips32_linux_customapi.py

@@ -17,4 +17,5 @@ def my_puts(ql: Qiling):
 
 if __name__ == "__main__":
     ql = Qiling(["rootfs/mips32_linux/bin/mips32_hello"], "rootfs/mips32_linux", verbose=QL_VERBOSE.DEBUG)
+    ql.os.set_api("puts", my_puts)
     ql.run()

examples/mcu/gd32vf103_blink.py

@@ -10,7 +10,7 @@
 from qiling.const import QL_VERBOSE
 from qiling.extensions.mcu.gd32vf1 import gd32vf103
 
-ql = Qiling(['../rootfs/mcu/gd32vf103/blink.hex'], archtype="riscv64", 
+ql = Qiling(['../rootfs/mcu/gd32vf103/blink.hex'], archtype="riscv64", ostype="mcu",
                     env=gd32vf103, verbose=QL_VERBOSE.DEBUG)
 
 ql.hw.create('rcu')

examples/mcu/stm32f407_gpio_hook.py

@@ -13,7 +13,7 @@
 
 
 ql = Qiling(["../rootfs/mcu/stm32f407/ai-sine-test.elf"],
-            archtype="cortex_m", env=stm32f407, verbose=QL_VERBOSE.DEFAULT)
+            archtype="cortex_m", ostype="mcu", env=stm32f407, verbose=QL_VERBOSE.DEFAULT)
 
 ql.hw.create('rcc')
 ql.hw.create('pwr')
@@ -23,6 +23,7 @@
 ql.hw.create('gpiod')
 ql.hw.create('spi1')
 ql.hw.create('crc')
+ql.hw.create('dbgmcu')
 
 oled = PyGameSSD1306Spi(dc=(ql.hw.gpiod, 5))
 ql.hw.spi1.connect(oled)

examples/mcu/stm32f407_hack_lock.py

@@ -27,7 +27,7 @@ def dicts():
 # Cracking the passwd of lock
 def crack(passwd):
     ql = Qiling(["../../examples/rootfs/mcu/stm32f407/backdoorlock.hex"],                    
-                        archtype="cortex_m", env=stm32f407, verbose=QL_VERBOSE.OFF)
+                        archtype="cortex_m", ostype="mcu", env=stm32f407, verbose=QL_VERBOSE.DISABLED)
 
     ql.hw.create('spi2')
     ql.hw.create('gpioe')

examples/mcu/stm32f407_mnist_oled.py

@@ -13,12 +13,13 @@
 
 
 ql = Qiling(["../rootfs/mcu/stm32f407/mnist.bin", 0x8000000],
-            archtype="cortex_m", env=stm32f407, verbose=QL_VERBOSE.DEFAULT)
+            archtype="cortex_m", ostype="mcu", env=stm32f407, verbose=QL_VERBOSE.DEFAULT)
 
 ql.hw.create('rcc')
 ql.hw.create('gpiod')
 ql.hw.create('spi1')
 ql.hw.create('crc')
+ql.hw.create('dbgmcu')
 
 oled = PyGameSSD1306Spi(dc=(ql.hw.gpiod, 5))
 ql.hw.spi1.connect(oled)

examples/mcu/stm32f411_dma_logger.py

@@ -12,7 +12,7 @@
 
 def stm32f411_dma():
     ql = Qiling(["../rootfs/mcu/stm32f411/dma-clock.hex"],                    
-        archtype="cortex_m", env=stm32f411, verbose=QL_VERBOSE.DEBUG)
+        archtype="cortex_m", ostype="mcu", env=stm32f411, verbose=QL_VERBOSE.DEBUG)
 
     ql.hw.create('usart2').watch()
     ql.hw.create('dma1').watch()

examples/mcu/stm32f411_freertos.py

@@ -13,7 +13,7 @@
 
 def stm32f411_freertos():
     ql = Qiling(["../rootfs/mcu/stm32f411/os-demo.hex"],                    
-        archtype="cortex_m", env=stm32f411, verbose=QL_VERBOSE.DEBUG)
+        archtype="cortex_m",  ostype="mcu", env=stm32f411, verbose=QL_VERBOSE.DEBUG)
 
     ql.hw.create('usart2').watch()
     ql.hw.create('gpioa').watch()

examples/mcu/stm32f411_gpio_hook.py

@@ -12,7 +12,7 @@
 
 def test_mcu_gpio_stm32f411():
     ql = Qiling(["../../examples/rootfs/mcu/stm32f411/hello_gpioA.hex"],                    
-                archtype="cortex_m", env=stm32f411, verbose=QL_VERBOSE.DEBUG)
+                archtype="cortex_m",  ostype="mcu", env=stm32f411, verbose=QL_VERBOSE.DEBUG)
 
     ql.hw.create('usart2').watch()
     ql.hw.create('rcc').watch()

examples/mcu/stm32f411_i2c_lcd.py

@@ -13,7 +13,7 @@
 from qiling.extensions.mcu.stm32f4 import stm32f411
 
 def create(path, lcd):
-    ql = Qiling([path], archtype="cortex_m", env=stm32f411, verbose=QL_VERBOSE.DEBUG)
+    ql = Qiling([path], archtype="cortex_m",  ostype="mcu", env=stm32f411, verbose=QL_VERBOSE.DEBUG)
 
     ql.hw.create('i2c1')
     ql.hw.create('rcc')

examples/mcu/stm32f411_interact_usart.py

@@ -16,7 +16,7 @@
 
 
 ql = Qiling(["../../examples/rootfs/mcu/stm32f411/md5_server.hex"], 
-            archtype="cortex_m", env=stm32f411, verbose=QL_VERBOSE.OFF)
+            archtype="cortex_m",  ostype="mcu", env=stm32f411, verbose=QL_VERBOSE.OFF)
 
 ql.hw.create('usart2')
 ql.hw.create('rcc')

examples/mcu/stm32f411_spi_oled12864.py

@@ -12,7 +12,7 @@
 from qiling.hw.external_device.oled.ssd1306 import PyGameSSD1306Spi
 
 ql = Qiling(['../rootfs/mcu/stm32f411/oled12864.hex'], 
-                archtype="cortex_m", env=stm32f411, verbose=QL_VERBOSE.DEFAULT)
+                archtype="cortex_m",  ostype="mcu", env=stm32f411, verbose=QL_VERBOSE.DEFAULT)
 
 ql.hw.create('rcc')
 ql.hw.create('gpioa')