QEMU Interactive Runtime Analyser
George Hotz
Latest commit 8f094b3 Mar 14, 2018
extra ugh, z option Jan 30, 2016
ida remove prints May 1, 2016
middleware Update qira_webserver.py Apr 12, 2016
qira_tests use 64 bit test, we need to run fetchlibs to run 32 bit tests Nov 9, 2015
qiradb FIX: switch to distutils and fix cpp warnings, eliminate '-Wsign-comp… Feb 6, 2016
releases better quality v1.1 Sep 13, 2014
static2 fixed pc relative offsets in arm. dang, even stackoverflow was wrong … Jan 25, 2016
tests_auto miss return Jun 4, 2016
tests_manual Add example 32-bit and 64-bit Mach-O binaries to tests_manual. Feb 4, 2016
tracers Remove duplicate parameter Nov 17, 2016
web Fix XSS vulnerability Oct 6, 2016
.gitignore added missing apt to install, readme, gitignore Feb 16, 2015
.travis.yml little fix travis was failing on line 33 at install.sh Mar 25, 2016
README.md transfer qira back to my account Mar 14, 2018
VERSION package this as version 0.6 instead Jul 29, 2014
bap_install.sh bap days are over Aug 11, 2015
bdistrib.sh update binary distribution script and installer Jan 31, 2016
fetchlibs.sh wow i'm dumb, already supported May 1, 2016
install.bat attempting to make qira work on windows Aug 5, 2014
install.sh Merge pull request #177 from BinaryAnalysisPlatform/revert-174-master Aug 6, 2016
qira ignore PYTHONPATH Apr 1, 2016
qira.bat the server wants to work Aug 6, 2014
requirements.txt FIX QiraDB warnings add url and disc to package, move qiradb version … Feb 6, 2016
run_tests.sh qira test fix depercated libicu48 and allow new distros to use newer … Mar 25, 2016
run_tests_static.sh update run_tests_static Aug 27, 2015

README.md

QIRA


  • QIRA is a competitor to strace and gdb
  • See http://qira.me/ for high level usage information
  • All QIRA code is released under GPLv2 or BSD
  • Other code in this repo released under its respective license

Installing release

See instructions on qira.me to install 1.2

Installing trunk

cd ~/
git clone https://github.com/geohot/qira.git
cd qira/
./install.sh

Installation Extras

  • ./fetchlibs.sh will fetch the libraries for i386, armhf, armel, aarch64, mips, mipsel, and ppc
  • ./tracers/pin_build.sh will install the QIRA PIN plugin, allowing --pin to work

Releases

  • v1.2 -- Many many changes. Forced release due to v1.0 not working anymore.
  • v1.1 -- Support for names and comments. Static stuff added. Register colors.
  • v1.0 -- Perf is good! Tons of bugfixes. Quality software. http://qira.me/
  • v0.9 -- Function indentation. haddrline added (look familiar?). Register highlighting in hexdump.
  • v0.8 -- Intel syntax! Shipping CDA (cda a.out) and experimental PIN backend. Bugfixes. Windows support?
  • v0.7 -- DWARF support. Builds QEMU if distributed binaries don't work. Windows IDA plugin.
  • v0.6 -- Added changes before webforking. Highlight strace addresses. Default on analysis.
  • v0.5 -- Fixed regression in C++ database causing wrong values. Added PowerPC support. Added "A" button.
  • v0.4 -- Using 50x faster C++ database. strace support. argv and envp are there.
  • v0.3 -- Built in socat, multiple traces, forks (experimental). Somewhat working x86-64 and ARM support
  • v0.2 -- Removed dependency on mongodb, much faster. IDA plugin fixes, Mac version.
  • v0.1 -- Initial release

UI

At the top, you have 4 boxes, called the controls:
  Blue = change number, grey = fork number,
  red = instruction address (iaddr), yellow = data address (daddr).

On the left you have the vtimeline, which is the full trace of the program.
  The top is the start of the program, the bottom is the end/current state.
  More green = deeper into a function.
  The currently selected change is blue; red is every passthrough of the current iaddr.
  Bright yellow is a write to the daddr, dark yellow is a read from the daddr.
  This color scheme is followed everywhere.

Below the controls, you have the idump, showing instructions near the current change.
Under that are the regviewer, datachanges, hexeditor, and strace, all self explanatory.

Mouse Actions

Click on the vtimeline to navigate around. Right-click forks to delete them. Click on data (or double-click if highlightable) to follow in data. Right-click on an instruction address to follow in instruction.

Keyboard Shortcuts in web/client/controls.js

j -- next invocation of instruction
k -- prev invocation of instruction

shift-j -- next toucher of data
shift-k -- prev toucher of data

m -- go to return from current function
, -- go to start of current function

z -- zoom out max on vtimeline

left  -- -1 fork
right -- +1 fork
up    -- -1 clnum
down  -- +1 clnum

esc -- back

shift-c -- clear all forks

n -- rename instruction
shift-n -- rename data
: -- add comment at instruction
shift-: -- add comment at data

g -- go to change, address, or name
space -- toggle flat/function view

p -- analyze function at iaddr
c -- make code at iaddr, one instruction
a -- make ascii at iaddr
d -- make data at iaddr
u -- make undefined at iaddr

Installation on Windows (experimental)

  • Install git and python 2.7.9
  • Run install.bat

Session state

clnum -- selected changelist number
forknum -- selected fork number
iaddr -- selected instruction address
daddr -- selected data address

cview -- viewed changelists in the vtimeline
dview -- viewed window into data in the hexeditor
iview -- viewed address in the static view

max_clnum -- max changelist number for each fork
dirtyiaddr -- whether we should update the clnum based on the iaddr or not
flat -- if we are in flat view
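As an added example (not QIRA's own code), the Python below models the j/k, shift-j/shift-k and left/right navigation from the keyboard shortcut list over the session state fields above (clnum, forknum, iaddr, daddr, max_clnum); the Change record and TRACE are constructed stand-ins for QIRA's changelist database.

```python
from dataclasses import dataclass
# Added example, not QIRA's own code: a model of the navigation bound to j/k,
# shift-j/shift-k and left/right over the README's session state fields.
@dataclass
class Change:                     # constructed stand-in for one changelist entry
    clnum: int                    # changelist number
    forknum: int                  # fork the change belongs to
    iaddr: int                    # instruction address executed at this change
    daddr: int = -1               # data address read or written; -1 = none

@dataclass
class Session:                    # the selected clnum/forknum/iaddr/daddr
    clnum: int = 0
    forknum: int = 0
    iaddr: int = 0
    daddr: int = 0

def _jump(trace, s, direction, match):
    """Move s.clnum to the nearest change on the current fork, forward
    (direction=1) or backward (-1), that satisfies match(); None if none."""
    cands = [c.clnum for c in trace if c.forknum == s.forknum and match(c)
             and (c.clnum > s.clnum if direction > 0 else c.clnum < s.clnum)]
    if not cands:
        return None
    s.clnum = min(cands) if direction > 0 else max(cands)
    return s.clnum

def next_invocation(trace, s, direction=1):
    """j / k: next / previous execution of the selected iaddr."""
    return _jump(trace, s, direction, lambda c: c.iaddr == s.iaddr)

def next_toucher(trace, s, direction=1):
    """shift-j / shift-k: next / previous change touching the selected daddr."""
    return _jump(trace, s, direction, lambda c: c.daddr == s.daddr)

def step_fork(trace, s, delta):
    """left / right: move to the adjacent fork, clamping clnum to that fork's
    max_clnum so the selection cannot point past the end of its trace."""
    forks = sorted({c.forknum for c in trace})
    idx = forks.index(s.forknum) + delta
    if 0 <= idx < len(forks):
        s.forknum = forks[idx]
        s.clnum = min(s.clnum, max(c.clnum for c in trace if c.forknum == s.forknum))
    return s.forknum

# Constructed trace: fork 0 runs a three-instruction loop twice; fork 1 stops early.
TRACE = [Change(1, 0, 0x400000), Change(2, 0, 0x400004, 0x601000),
         Change(3, 0, 0x400008, 0x601000), Change(4, 0, 0x400000),
         Change(5, 0, 0x400004, 0x601000), Change(6, 0, 0x400008, 0x601000),
         Change(1, 1, 0x400000), Change(2, 1, 0x400004, 0x601000)]
```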