QEMUTracerAnalyzer Improvements #99
Add strace parsing capability

Enables the strace logging capability in QEMU
Filters and parses the strace entries into Python objects

Record file mappings (uses the strace parsing capability)

Tracks filenames to open file descriptors through the open/close syscalls
Records the memory mappings for those files through the mmap syscalls

Some additional smaller changes:

Record the image base directly, parsed from the QEMU page dump

Record the entry point used by QEMU
The entry point for a binary is not always the same address as what is extracted from the ELF
For example, in a dynamically linked binary the entry point logged by QEMU is from the runtime linker
This is excellent! Can you write a testcase for this? I'd love to merge this as soon as I have some sort of guarantee it won't just break in the future.
Sure thing! I can do that.
add new tests for new strace capabilities

tests the file mapping capability since the strace data isn't exposed directly
new docker build with small program to test file mapping
mapped_file is just some random data

also add asserts for new trace properties (image_base and entry_point)
I've added two tests for the file mapping recording: one for the DockerTarget and one for the LocalTarget. I'm not sure how to debug what's going on, or if I should just remove the LocalTarget version (since it's just calling the same internal function as the DockerTarget version). I've also added a couple of assertions to an existing test for the other new properties I've added to the QemuTraceResult class.
Eh... I was able to replicate the issue locally. I'll see if I can sort out the necessary paths for both Targets to work.
Alrighty, I've got the tests working. Looks like the remaining failures are related to the QTraceAnalyzer.
Thanks! I'll see about fixing the remaining CI failures.
I've made some improvements/modifications to the QEMUTracerAnalyzer to support some projects. These changes seemed worth submitting as a PR.
Most notably I've added strace log parsing to the QEMUTracerAnalyzer, as there can be useful information gleaned from tracking various syscalls. I didn't find a parser simple enough to integrate easily, and the information I wanted to track called for a complex enough regex system that building a simple parser was actually easier to do and understand.
The main capability I've built using the strace parser is to track file mappings made using the mmap syscall. This required parsing multiple syscalls (hence the strace parser) to track filenames and open/closed file descriptors to obtain the correct mappings.
I am using this to feed the exact addresses used by shared libraries back into angr to help sort out address synchronization issues.
I also record the image base address as opposed to just the executable segment address for the same reason.
And to get the address used by QEMU for the runtime linker I am recording the entry point from the QEMU logs.
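The open/close/mmap bookkeeping the PR describes (parse strace lines into objects, follow each file descriptor from open/openat to close, attribute every file-backed mmap to a path) as an added illustration; this is not code from this PR or from the project it targets. It assumes QEMU's `-strace` lines have the shape `pid syscall(args) = ret[ errno=N (msg)]`, uses a constructed sample log rather than a real capture, and derives a load base as the lowest address mapped from a file, which is one way of getting the image base the PR records separately from the executable segment:

```python
import re
from dataclasses import dataclass

# Assumed shape of one QEMU user-mode strace line: "<pid> <syscall>(<args>) = <retval>[ errno=N (msg)]".
# The greedy args group backtracks to the ')' that immediately precedes " = ".
STRACE_LINE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<name>\w+)\((?P<args>.*)\)\s*=\s*"
    r"(?P<ret>-?0x[0-9a-fA-F]+|-?\d+).*$"
)


@dataclass
class StraceEntry:
    pid: int
    name: str
    args: list
    ret: int


@dataclass
class FileMapping:
    path: str
    addr: int
    length: int
    offset: int


def split_args(raw):
    """Split a syscall argument list on top-level commas, leaving quoted paths intact."""
    out, cur, in_str, depth, i = [], [], False, 0, 0
    while i < len(raw):
        c = raw[i]
        if in_str:
            cur.append(c)
            if c == "\\" and i + 1 < len(raw):  # keep an escaped char together with its backslash
                i += 1
                cur.append(raw[i])
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            cur.append(c)
        elif c == "," and depth == 0:
            out.append("".join(cur).strip())
            cur = []
        else:
            if c in "([{":
                depth += 1
            elif c in ")]}":
                depth -= 1
            cur.append(c)
        i += 1
    out.append("".join(cur).strip())
    return [a for a in out if a]


def parse_line(line):
    """Return a StraceEntry for a syscall line, or None for anything else (signal reports, QEMU chatter)."""
    m = STRACE_LINE.match(line.strip())
    if not m:
        return None
    return StraceEntry(int(m["pid"]), m["name"], split_args(m["args"]), int(m["ret"], 0))


def unquote(arg):
    """Strip the surrounding quotes around a string argument."""
    if len(arg) >= 2 and arg[0] == '"' and arg[-1] == '"':
        return arg[1:-1].replace('\\"', '"')
    return arg


class FileMappingTracker:
    """Follows open/openat -> mmap -> close so each mapping can be attributed to a file path."""

    def __init__(self):
        self.open_fds = {}  # (pid, fd) -> path; keyed per pid because fd numbers are per process
        self.mappings = []

    def feed(self, e):
        if e.name in ("open", "openat") and e.ret >= 0:
            path = e.args[0] if e.name == "open" else e.args[1]  # openat carries dirfd first
            self.open_fds[(e.pid, e.ret)] = unquote(path)
        elif e.name == "close" and e.ret == 0:
            self.open_fds.pop((e.pid, int(e.args[0], 0)), None)  # fd number may be reused later
        elif e.name == "mmap" and e.ret >= 0:
            # mmap(addr, length, prot, flags, fd, offset); fd is -1 for anonymous memory
            fd = int(e.args[4], 0)
            path = self.open_fds.get((e.pid, fd))
            if path is not None:
                self.mappings.append(FileMapping(path, e.ret, int(e.args[1], 0), int(e.args[5], 0)))


def record_file_mappings(log_text):
    tracker = FileMappingTracker()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None:
            tracker.feed(e)
    return tracker.mappings


def base_address(mappings, path):
    """Lowest address at which a file was mapped: the load base of that ELF object."""
    return min(m.addr for m in mappings if m.path == path)


# Constructed sample in the style of QEMU's strace output; not a real capture.
SAMPLE_STRACE = """\
4242 openat(AT_FDCWD,"/etc/ld.so.cache",O_RDONLY|O_CLOEXEC) = 3
4242 close(3) = 0
4242 openat(AT_FDCWD,"/lib/libc.so.6",O_RDONLY|O_CLOEXEC) = 3
4242 mmap(NULL,8192,PROT_READ,MAP_PRIVATE,3,0) = 0x0000004000802000
4242 mmap(0x4000803000,65536,PROT_READ|PROT_EXEC,MAP_PRIVATE|MAP_FIXED,3,0x1000) = 0x0000004000803000
4242 mmap(NULL,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0) = 0x0000004000900000
4242 close(3) = 0
4242 openat(AT_FDCWD,"/nonexistent",O_RDONLY) = -1 errno=2 (No such file or directory)
--- SIGSEGV {si_signo=SIGSEGV, si_code=1, si_addr=0x0} ---
"""

if __name__ == "__main__":
    for m in record_file_mappings(SAMPLE_STRACE):
        print(f"{m.path} @ {m.addr:#x} len={m.length:#x} off={m.offset:#x}")
```

Keying the descriptor table by `(pid, fd)` is what makes the close handling matter: once fd 3 is closed and reopened for a different file, later mmaps are attributed to the new path rather than the stale one, and the anonymous mapping with fd -1 is never attributed to anything. The sample deliberately includes a failed openat and a signal line so the parser's rejection paths are exercised.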