qilingframework / qiling

A True Instrumentable Binary Emulation Framework

Home Page: https://qiling.io

Repository from Github https://github.com/qilingframework/qiling

ARM64 MACOS flag mapping error

90n20 opened this issue · comments

Hi all,

I am getting a crash trying to emulate a Linux x86-64 ELF on a Mac M1 (Sonoma 14.6.1), related to flag mappings not being defined for the underlying OS/host:

[+] 	Profile: default
[+] 	Mapping GDT at 0x30000 with limit 0x1000
[+] 	Mapped 0x555555554000-0x555555555000
[+] 	Mapped 0x555555555000-0x555555556000
[+] 	Mapped 0x555555556000-0x555555557000
[+] 	Mapped 0x555555557000-0x555555559000
[+] 	mem_start : 0x555555554000
[+] 	mem_end   : 0x555555559000
[+] 	Interpreter path: /lib64/ld-linux-x86-64.so.2
[+] 	Interpreter addr: 0x7ffff7dd5000
[+] 	Mapped 0x7ffff7dd5000-0x7ffff7dfc000
[+] 	Mapped 0x7ffff7ffc000-0x7ffff7fff000
[+] 	mmap_address is : 0x7fffb7dd6000
[+] 	rel name b'_ITM_deregisterTMCloneTable'
[+] 	rel name b'__libc_start_main'
[+] 	rel name b'__gmon_start__'
[+] 	rel name b'_ITM_registerTMCloneTable'
[+] 	rel name b'__cxa_finalize'
[+] 	rel name b'getenv'
[+] 	rel name b'strcpy'
[+] 	rel name b'puts'
[+] 	rel name b'__stack_chk_fail'
[+] 	rel name b'strcmp'
[+] 	rel name b'ptrace'
[+] 	rel name b'strcat'
[+] 	rel name b'exit'
[+] 	0x00007ffff7df0ec7: brk(inp = 0x0) = 0x55555555b000
[+] 	0x00007ffff7df2015: uname(buf = 0x7ffffffff9c0) = 0x0
[+] 	access("/etc/ld.so.nohwcap", 00) = -2
[+] 	0x00007ffff7de47dc: access(path = 0x7ffff7df6082, mode = 0x0) = -0x2 (ENOENT)
[+] 	access("/etc/ld.so.preload", 04) = -2
[+] 	0x00007ffff7df1e25: access(path = 0x7ffff7df8dd0, mode = 0x4) = -0x2 (ENOENT)
[x] 	Syscall ERROR: ql_syscall_openat DEBUG: flags were not defined for hosting ARM64 MACOS

Traceback:

File "/Users/90n20/Tools/qilingenv/lib/python3.12/site-packages/qiling/os/posix/posix.py", line 213, in load_syscall
    retval = syscall_hook(self.ql, *params)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/90n20/Tools/qilingenv/lib/python3.12/site-packages/qiling/os/posix/syscall/fcntl.py", line 62, in ql_syscall_openat
    regreturn = absvpath if isinstance(absvpath, int) else __do_open(ql, absvpath, flags, mode)
                                                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/90n20/Tools/qilingenv/lib/python3.12/site-packages/qiling/os/posix/syscall/fcntl.py", line 31, in __do_open
    flags = ql_open_flag_mapping(ql, flags)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/90n20/Tools/qilingenv/lib/python3.12/site-packages/qiling/os/posix/const_mapping.py", line 98, in ql_open_flag_mapping
    raise NotImplementedError(f'flags were not defined for hosting {archtype.name} {ostype.name}')
NotImplementedError: flags were not defined for hosting ARM64 MACOS
Traceback (most recent call last):
  File "/Users/90n20/Projects/CTF/ine.py", line 14, in <module>
    ql.run()
  File "/Users/90n20/Tools/qilingenv/lib/python3.12/site-packages/qiling/core.py", line 588, in run
    self.os.run()
  File "/Users/90n20/Tools/qilingenv/lib/python3.12/site-packages/qiling/os/linux/linux.py", line 178, in run
    self.ql.emu_start(self.ql.loader.entry_point, entry_address, self.ql.timeout)
  File "/Users/90n20/Tools/qilingenv/lib/python3.12/site-packages/qiling/core.py", line 768, in emu_start
    raise self.internal_exception
  File "/Users/90n20/Tools/qilingenv/lib/python3.12/site-packages/qiling/core_hooks.py", line 141, in wrapper
    return callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/90n20/Tools/qilingenv/lib/python3.12/site-packages/qiling/core_hooks.py", line 204, in _hook_insn_cb
    ret = hook.call(ql, *hook_args)
          ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/90n20/Tools/qilingenv/lib/python3.12/site-packages/qiling/core_hooks_types.py", line 25, in call
    return self.callback(ql, *args)
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/90n20/Tools/qilingenv/lib/python3.12/site-packages/qiling/os/linux/linux.py", line 138, in hook_syscall
    return self.load_syscall()
           ^^^^^^^^^^^^^^^^^^^
  File "/Users/90n20/Tools/qilingenv/lib/python3.12/site-packages/qiling/os/posix/posix.py", line 231, in load_syscall
    raise e
  File "/Users/90n20/Tools/qilingenv/lib/python3.12/site-packages/qiling/os/posix/posix.py", line 213, in load_syscall
    retval = syscall_hook(self.ql, *params)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/90n20/Tools/qilingenv/lib/python3.12/site-packages/qiling/os/posix/syscall/fcntl.py", line 62, in ql_syscall_openat
    regreturn = absvpath if isinstance(absvpath, int) else __do_open(ql, absvpath, flags, mode)
                                                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/90n20/Tools/qilingenv/lib/python3.12/site-packages/qiling/os/posix/syscall/fcntl.py", line 31, in __do_open
    flags = ql_open_flag_mapping(ql, flags)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/90n20/Tools/qilingenv/lib/python3.12/site-packages/qiling/os/posix/const_mapping.py", line 98, in ql_open_flag_mapping
    raise NotImplementedError(f'flags were not defined for hosting {archtype.name} {ostype.name}')
NotImplementedError: flags were not defined for hosting ARM64 MACOS

Any thoughts or ideas to solve this?

commented

Assuming that ARM and x86 macOS use the same open flags, add this code to const.py:

class macos_arm_open_flags(QlPrettyFlag):
    # open(2) flag values for an ARM macOS host, assumed identical to the
    # existing macos_x86_open_flags table. None marks a flag macOS does not have.
    O_RDONLY    = 0x000000
    O_WRONLY    = 0x000001
    O_RDWR      = 0x000002
    O_NONBLOCK  = 0x000004
    O_APPEND    = 0x000008
    O_ASYNC     = 0x000040
    O_SYNC      = 0x000080
    O_NOFOLLOW  = 0x000100
    O_CREAT     = 0x000200
    O_TRUNC     = 0x000400
    O_EXCL      = 0x000800
    O_NOCTTY    = 0x020000
    O_DIRECTORY = 0x100000
    O_BINARY    = None
    O_LARGEFILE = None

and add macos_arm_open_flags to the host table in const_mapping.py:

QL_OS.MACOS: {
    QL_ARCH.X86:   macos_x86_open_flags,
    QL_ARCH.X8664: macos_x86_open_flags,
    QL_ARCH.ARM:   macos_arm_open_flags,   # <-- add this line
    QL_ARCH.ARM64: macos_arm_open_flags,   # <-- add this line
}

This works for me.
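To see why the emulator needs a per-host table at all, here is an added example (not qiling's code) of the guest-to-host open flag translation that ql_open_flag_mapping performs before a guest open/openat is forwarded to the host. The table names, the (OS, arch) string keys and the function names are this example's own; the Linux x86-64 values are the standard asm-generic ones, and the macOS values are the ones posted in the fix above. It also shows what the missing-host-table error and the None entries mean in practice.

```python
"""Guest-to-host open(2) flag translation, in the spirit of qiling's
ql_open_flag_mapping.  Added example, not qiling's own code."""
from typing import Dict, List, Optional, Tuple

FlagTable = Dict[str, Optional[int]]

# Guest side: Linux x86-64 open(2) flag values (asm-generic/fcntl.h, in hex).
LINUX_X8664_OPEN_FLAGS: FlagTable = {
    "O_RDONLY":    0x000000,
    "O_WRONLY":    0x000001,
    "O_RDWR":      0x000002,
    "O_CREAT":     0x000040,
    "O_EXCL":      0x000080,
    "O_NOCTTY":    0x000100,
    "O_TRUNC":     0x000200,
    "O_APPEND":    0x000400,
    "O_NONBLOCK":  0x000800,
    "O_ASYNC":     0x002000,
    "O_LARGEFILE": 0x008000,
    "O_DIRECTORY": 0x010000,
    "O_NOFOLLOW":  0x020000,
    "O_SYNC":      0x101000,   # two bits on Linux (O_SYNC includes O_DSYNC)
    "O_BINARY":    None,       # Linux has no such flag
}

# Host side: macOS arm64 values as posted in the fix above.  None marks a
# flag macOS does not have, so it can never be forwarded to the host.
MACOS_ARM64_OPEN_FLAGS: FlagTable = {
    "O_RDONLY":    0x000000,
    "O_WRONLY":    0x000001,
    "O_RDWR":      0x000002,
    "O_NONBLOCK":  0x000004,
    "O_APPEND":    0x000008,
    "O_ASYNC":     0x000040,
    "O_SYNC":      0x000080,
    "O_NOFOLLOW":  0x000100,
    "O_CREAT":     0x000200,
    "O_TRUNC":     0x000400,
    "O_EXCL":      0x000800,
    "O_NOCTTY":    0x020000,
    "O_DIRECTORY": 0x100000,
    "O_BINARY":    None,
    "O_LARGEFILE": None,
}

# Host lookup keyed by (OS, arch) name; stands in for the dict in const_mapping.py.
HOST_OPEN_FLAGS: Dict[Tuple[str, str], FlagTable] = {
    ("MACOS", "X8664"): MACOS_ARM64_OPEN_FLAGS,   # same table, per the assumption above
    ("MACOS", "ARM64"): MACOS_ARM64_OPEN_FLAGS,
}

O_ACCMODE = 0x3   # the 2-bit access-mode field; same encoding on Linux and macOS


def host_open_flags(ostype: str, archtype: str) -> FlagTable:
    """Look up the host table, failing the way the traceback above does."""
    try:
        return HOST_OPEN_FLAGS[(ostype, archtype)]
    except KeyError:
        raise NotImplementedError(
            f"flags were not defined for hosting {archtype} {ostype}") from None


def translate_open_flags(flags: int, guest: FlagTable,
                         host: FlagTable) -> Tuple[int, List[str]]:
    """Rewrite guest flag bits into host flag bits.

    Returns (host_flags, dropped); dropped lists guest flags the host has no
    equivalent for.  Unknown guest bits raise rather than being forwarded
    blindly, because the same bit means different things on each side:
    Linux O_CREAT (0x40) is macOS O_ASYNC, Linux O_TRUNC (0x200) is macOS O_CREAT.
    """
    out = flags & O_ACCMODE           # access mode is copied unchanged
    remaining = flags & ~O_ACCMODE
    dropped: List[str] = []
    for name, gval in guest.items():
        if not gval:                   # O_RDONLY (0) or a flag the guest lacks
            continue
        if remaining & gval == gval:
            remaining &= ~gval
            hval = host.get(name)
            if hval is None:
                dropped.append(name)   # no host bit: drop it, but say so
            else:
                out |= hval
    if remaining:
        raise ValueError(f"unrecognised guest open flag bits: {remaining:#x}")
    return out, dropped


if __name__ == "__main__":
    host = host_open_flags("MACOS", "ARM64")
    # A guest calling open(path, O_WRONLY|O_CREAT|O_TRUNC) passes 0x241 on Linux.
    print(translate_open_flags(0x241, LINUX_X8664_OPEN_FLAGS, host))      # (0x601, [])
    # O_LARGEFILE has no macOS bit and is harmless on a 64-bit host: dropped.
    print(translate_open_flags(0x18000, LINUX_X8664_OPEN_FLAGS, host))    # (0x100000, ['O_LARGEFILE'])
```

The dropped list is the part worth keeping an eye on when debugging a sample under emulation: a guest flag silently lost in translation (or a host bit assigned the wrong meaning) changes what the emulated program actually does to the sandbox filesystem.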

Worked like a charm, good catch!!

Do you plan to create a PR to fix/patch this, @noopoo? If not, I could try to handle it, giving credit to you of course.

Hi, it would be great if you could create a PR to fix this, because I don't use git or GitHub very much.