路由器逆向分析------QEMU的下载和安装(Linux平台)
本文博客地址:http://blog.csdn.net/qq1084283172/article/details/68953160
一、QEMU源码的下载和编译
QEMU源码的github下载地址:https://github.com/qemu/qemu。
QEMU源码的官方网站下载地址:http://www.qemu-project.org/download/。
QEMU的官方参考的博客的地址:http://www.qemu-project.org/blog/。
QEMU的用户帮助文档的参考地址:https://qemu.weilnetz.de/doc/qemu-doc.html。
QEMU的旧版本的所有工程源码下载地址:http://wiki.qemu-project.org/OlderNews。
QEMU的新版本的所有工程源码下载地址:http://wiki.qemu-project.org/Main_Page#News。
<1>.QEMU官方文档给出的直接安装QEMU的方法:
Linux
QEMU is packaged by most Linux distributions:
# Arch平台的安装:
$ pacman -S qemu
# Debian/Ubuntu平台的安装:
$ apt-get install qemu
# Fedora平台的安装:
$ dnf install @virtualization
# Gentoo平台的安装:
$ emerge --ask app-emulation/qemu
# RHEL/CentOS平台的安装:
$ yum install qemu-kvm
# SUSE平台的安装:
$ zypper install qemu
macOS
QEMU can be installed from Homebrew:
$ brew install qemu
QEMU requires Mac OS X 10.5 or later, but it is recommended to use Mac OS X 10.7 or later.
Windows
Stefan Weil provides binaries and installers for both 32-bit and 64-bit Windows.
# ubuntu下直接安装QEMU
$ sudo apt-get install qemu
<2>.QEMU官方文档给出的两种下载和编译QEMU的方法。
1.To download and build QEMU 2.9.0-rc2:
wget http://download.qemu-project.org/qemu-2.9.0-rc2.tar.xz
tar xvJf qemu-2.9.0-rc2.tar.xz
cd qemu-2.9.0-rc2
./configure
make
2.To download and build QEMU from git:
git clone git://git.qemu-project.org/qemu.git
cd qemu
git submodule init
git submodule update --recursive
./configure
make
The latest development happens on the master branch.
The stable trees are located in branches named stable-X.YY branch, where X.YY is the release version.
<3>.QEMU工程源码编译需要安装的依赖库文件。
经过参考QEMU官方的文档:http://wiki.qemu-project.org/Hosts/Linux 了解到 QEMU on Linux hosts 即在Linux系统上,下载和编译QEMU还需要安装一些必要的依赖库文件。
QEMU on Linux hosts
This documentation is work in progress - more information needs to be added for different Linux distributions.
Linux is QEMU's main host platform. Therefore it is the platform which gets most support. Both 32 and 64 bit Linux hosts are supported. Most of the following instructions are valid for
both variants.
Building QEMU for Linux
Most Linux distributions already provide binary packages for QEMU (or KVM).
Usually they also include all packages which are needed to compile QEMU for Linux. The default installation of most distributions will not include everything, so you have to install some
additional packages before you can build QEMU.
Fedora Linux / Debian GNU Linux / Ubuntu Linux / Linux Mint
Fedora, Debian and Debian based or similar distributions normally include compiler and compilation tools (gcc, make, ...) in their default installation.
Required additional packages(必须安装)
- git (30 MiB), version manager
- glib2.0-dev (9 MiB), this automatically includes zlib1g-dev
- libfdt-devel
For Ubuntu LTS Trusty (and maybe other Debian based distributions), all required additional packages can be installed like this:
sudo apt-get install git libglib2.0-dev libfdt-dev libpixman-1-dev zlib1g-dev
For Red Hat Enterprise Linux 7 or CentOS 7 all required additional packages can be installed like this:
yum install git glib2-devel libfdt-devel pixman-devel zlib-devel
Recommended additional packages(推荐安装)
- git-email, used for sending patches
- libsdl1.2-dev (23 MiB), needed for the SDL based graphical user interface
- gtk2-devel, for a simple UI instead of VNC
- vte-devel, for access to QEMU monitor and serial/console devices via the GTK interface
The above list is far from being complete. For maximum code coverage, as many QEMU features as possible should be enabled. When running configure, you should get many lines with "yes" and
only a few with "no".
For Ubuntu Trusty (and maybe other Debian based distributions), all recommended additional packages for maximum code coverage can be installed like this:
sudo apt-get install git-email
sudo apt-get install libaio-dev libbluetooth-dev libbrlapi-dev libbz2-dev
sudo apt-get install libcap-dev libcap-ng-dev libcurl4-gnutls-dev libgtk-3-dev
sudo apt-get install libibverbs-dev libjpeg8-dev libncurses5-dev libnuma-dev
sudo apt-get install librbd-dev librdmacm-dev
sudo apt-get install libsasl2-dev libsdl1.2-dev libseccomp-dev libsnappy-dev libssh2-1-dev
sudo apt-get install libvde-dev libvdeplug-dev libvte-2.90-dev libxen-dev liblzo2-dev
sudo apt-get install valgrind xfslibs-dev
Newer versions of Debian / Ubuntu might also try these additional packages:
sudo apt-get install libnfs-dev libiscsi-dev
Those packages also exist in Ubuntu Trusty, but they are too old for QEMU.
For Red Hat Enterprise Linux 7 or CentOS 7 some of the additional recommended packages can be installed like this:
sudo yum install libaio-devel libcap-devel libiscsi-devel
# 安装编译QEMU源码工程需要安装的依赖库文件
$ sudo apt-get update
# 必须安装的
$ sudo apt-get install git libglib2.0-dev libfdt-dev libpixman-1-dev zlib1g-dev
# 推荐可选安装的
$ sudo apt-get install git-email
$ sudo apt-get install libaio-dev libbluetooth-dev libbrlapi-dev libbz2-dev
$ sudo apt-get install libcap-dev libcap-ng-dev libcurl4-gnutls-dev libgtk-3-dev
$ sudo apt-get install libibverbs-dev libjpeg8-dev libncurses5-dev libnuma-dev
$ sudo apt-get install librbd-dev librdmacm-dev
$ sudo apt-get install libsasl2-dev libsdl1.2-dev libseccomp-dev libsnappy-dev libssh2-1-dev
$ sudo apt-get install libvde-dev libvdeplug-dev libvte-2.90-dev libxen-dev liblzo2-dev
$ sudo apt-get install valgrind xfslibs-dev
# 最新版的Debian/Ubuntu可能还需要安装的(可选)
sudo apt-get install libnfs-dev libiscsi-dev
# 安装QEMU到opt文件夹下
$ cd /opt
# 下载QEMU的源码
$ sudo git clone git://git.qemu-project.org/qemu.git
$ cd qemu
$ sudo git submodule init
$ sudo git submodule update --recursive
# 执行脚本文件,生成Makefile文件
$ sudo ./configure --static
# 编译QEMU的源码
$ sudo make
# 安装QEMU程序
$ sudo make install
# 安装依赖库文件
$ sudo apt-get update
$ sudo apt-get install libglib2.0 libglib2.0-dev
$ sudo apt-get install autoconf automake libtool
# 下载QEMU的源码
$ cd /opt
$ sudo git clone git://git.qemu-project.org/qemu.git
$ cd qemu
$ sudo git submodule update --init pixman
$ sudo git submodule update --init dtc
# 编译和安装QEMU
$ (sudo ./configure --static && sudo make && sudo make install)
<5>.关于修改QEMU的源码。
Qemu usually does a great job emulating embedded Linux applications, but as with anything you will occasionally run into bugs. While attempting to debug an embedded application in Qemu the other day, I ran into the
following error:
eve@eve:~/firmware$ sudo chroot . ./qemu-mips bin/ls
bin/ls: Invalid ELF image for this architecture
This error is usually indicative of using the wrong endian emulator, but I knew that the target binary was big endian MIPS. The file utility began to shed some light on the issue:
eve@eve:~/firmware$ file bin/busybox
bin/busybox: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), dynamically linked (uses shared libs), corrupted section header size
Hmmm, a corrupted section header? Let’s take a closer look at the binary.
Readelf will give us some more detailed information:
ELF Header:
Magic: 7f 45 4c 46 01 02 01 00 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, big endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: MIPS R3000
Version: 0x1
Entry point address: 0x4052a0
Start of program headers: 52 (bytes into file)
Start of section headers: 0 (bytes into file)
Flags: 0x1007, noreorder, pic, cpic, o32, mips1
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 6
Size of section headers: 0 (bytes)
Number of section headers: 0
Section header string table index: 0
Sure enough, the section headers had been stripped out of the ELF binary. This is commonly done by tools such as sstrip in
order to save precious storage space on embedded devices, and since section headers are not required in order to execute the program this shouldn’t prevent Qemu from loading the binary.
A quick grep of Qemu’s source quickly found the culprit in linux-user/elfload.c:
static bool elf_check_ehdr(struct elfhdr *ehdr)
{
return (elf_check_arch(ehdr->e_machine)
&& ehdr->e_ehsize == sizeof(struct elfhdr)
&& ehdr->e_phentsize == sizeof(struct elf_phdr)
&& ehdr->e_shentsize == sizeof(struct elf_shdr)
&& (ehdr->e_type == ET_EXEC || ehdr->e_type == ET_DYN));
}
Even thoughsection headers aren’t required to load an ELF file,the elf_check_ehdr
function expects the section header size to equal the size of the elf_shdr structure;simply commenting out this line and re-compiling did the trick:
eve@eve:~/firmware$ sudo chroot . ./qemu-mips bin/ls
bin lib qemu-mips tmp var
dev home sbin usr
A patch has been submitted,
but if you need this to work now it’s a quick and easy fix.
在低版本的QEMU源码中,在编译和安装之前需要如下修改 /qemu/linux-user/elfload.c文件中的 elf_check_ehdr 函数 的代码:
# 拷贝qemu-mipsel程序到固件文件系统的根目录
$ cp $(which qemu-mipsel) ./qemu
# 赋予qemu-mipsel程序可执行权限
$ chmod +x qemu
# 执行路由器固件的ls程序
$ sudo chroot . ./qemu ./bin/ls
# 或者
$ sudo chroot . ./qemu bin/ls
QEMU测试的结果截图:
$ sudo chroot . ./qemu usr/bin/wget
<6>.QEMU程序的命令行帮助(以qemu-mipsel为例)。
fly2016@ubuntu:~$ qemu-mipsel -h
usage: qemu-mipsel [options] program [arguments...]
Linux CPU emulator (compiled for mipsel emulation)
Options and associated environment variables:
Argument Env-variable Description
-h print this help
-help
-g port QEMU_GDB wait gdb connection to 'port'
-L path QEMU_LD_PREFIX set the elf interpreter prefix to 'path'
-s size QEMU_STACK_SIZE set the stack size to 'size' bytes
-cpu model QEMU_CPU select CPU (-cpu help for list)
-E var=value QEMU_SET_ENV sets targets environment variable (see below)
-U var QEMU_UNSET_ENV unsets targets environment variable (see below)
-0 argv0 QEMU_ARGV0 forces target process argv[0] to be 'argv0'
-r uname QEMU_UNAME set qemu uname release string to 'uname'
-B address QEMU_GUEST_BASE set guest_base address to 'address'
-R size QEMU_RESERVED_VA reserve 'size' bytes for guest virtual address space
-d item[,...] QEMU_LOG enable logging of specified items (use '-d help' for a list of items)
-D logfile QEMU_LOG_FILENAME write logs to 'logfile' (default stderr)
-p pagesize QEMU_PAGESIZE set the host page size to 'pagesize'
-singlestep QEMU_SINGLESTEP run in singlestep mode
-strace QEMU_STRACE log system calls
-seed QEMU_RAND_SEED Seed for pseudo-random number generator
-trace QEMU_TRACE [[enable=]<pattern>][,events=<file>][,file=<file>]
-version QEMU_VERSION display version information and exit
Defaults:
QEMU_LD_PREFIX = /usr/gnemul/qemu-mipsel
QEMU_STACK_SIZE = 8388608 byte
You can use -E and -U options or the QEMU_SET_ENV and
QEMU_UNSET_ENV environment variables to set and unset
environment variables for the target process.
It is possible to provide several variables by separating them
by commas in getsubopt(3) style. Additionally it is possible to
provide the -E and -U options multiple times.
The following lines are equivalent:
-E var1=val2 -E var2=val2 -U LD_PRELOAD -U LD_DEBUG
-E var1=val2,var2=val2 -U LD_PRELOAD,LD_DEBUG
QEMU_SET_ENV=var1=val2,var2=val2 QEMU_UNSET_ENV=LD_PRELOAD,LD_DEBUG
Note that if you provide several changes to a single variable
the last change will stay in effect.
路由器逆向分析------QEMU的下载和安装(Linux平台)的更多相关文章
- 路由器逆向分析------QEMU的基本使用方法(MIPS)
本文博客地址:http://blog.csdn.net/qq1084283172/article/details/69258334 一.QEMU的运行模式 直接摘抄自己<揭秘家用路由器0day漏 ...
- 路由器逆向分析------Running Debian MIPS Linux in QEMU
本文博客地址:http://blog.csdn.net/qq1084283172/article/details/70176583 下面的文章内容主要参考英文博客<Running Debian ...
- 路由器逆向分析------MIPS系统网络的配置(QEMU)
本文博客地址:http://blog.csdn.net/qq1084283172/article/details/69378333 MIPS系统网络的配置 使用QEMU 模拟正在运行的MIPS系统并 ...
- 路由器逆向分析------在QEMU MIPS虚拟机上运行MIPS程序(ssh方式)
本文博客地址:http://blog.csdn.net/qq1084283172/article/details/69652258 在QEMU MIPS虚拟机上运行MIPS程序--SSH方式 有关在u ...
- 路由器逆向分析------firmware-mod-kit工具安装和使用说明
本文博客地址:http://blog.csdn.net/qq1084283172/article/details/68061957 一.firmware-mod-kit工具的安装 firmware-m ...
- 路由器逆向分析------在Linux上安装IDA Pro
本文博客地址:http://blog.csdn.net/qq1084283172/article/details/69665905 01.在Linux系统上安装Linux版本的IDA Pro Linu ...
- 路由器逆向分析------sasquatch和squashfs-tools工具的安装和使用
本文博客地址:http://blog.csdn.net/qq1084283172/article/details/68942660 一.sasquatch工具的安装和使用 sasquatch工具支持对 ...
- 路由器逆向分析------binwalk工具的安装
本文博客链接:http://blog.csdn.net/qq1084283172/article/details/65441110 一.binwalk工具运行支持的平台 binwalk工具安装支持的平 ...
- 路由器逆向分析------MIPS交叉编译环境的搭建(Buildroot)
本文博客地址:http://blog.csdn.net/qq1084283172/article/details/68950682 为了能在我们熟悉的windows或者ubuntu下开发mips架构的 ...
随机推荐
- 不用typsescript也能使用类型增强功能
由于 JS 的弱类型.宽松的编写规范.以及开发工具的弱鸡支持,我们在维护前人的代码时,经常会出现不知道某一个方法或字段命名来自于哪里,一定要在全局搜索以后慢慢筛查才能找到 同样我们在使用接口返回的对象 ...
- Sentinel熔断降级
sentinel流量控制 Sentinel流量控制&服务熔断降级介绍 流量控制介绍 在这里我用景区的例子解释一下 一个旅游景点日接待游客数量为8K,8K以后的游客就无法买票进去景区. 对应编程 ...
- FreeBSD ports 基本用法
首先获取portsnap#portsnap fetch extract---------------------------------------使用whereis 查询软件地址如#whereis ...
- 获取SpringBoot中所有的url和其参数
获取所有url和方法的对应关系 1 @Data 2 public class Param { 3 4 /** 5 * 字段名称 6 */ 7 private String name; 8 9 /** ...
- SpEL表达式注入
一.内容简介 Spring Expression Language(简称SpEL)是一种强大的表达式语言,支持在运行时查询和操作对象图.语言语法类似于Unified EL,但提供了额外的功能,特别是方 ...
- P1055_ISBN号码(JAVA语言)
题目描述 每一本正式出版的图书都有一个ISBN号码与之对应,ISBN码包括9位数字.1位识别码和3位分隔符, 其规定格式如x-xxx-xxxxx-x,其中符号-就是分隔符(键盘上的减号), 最后一位是 ...
- python-3-3 字典
一 元组(tuple) 1.元组也是一个list,他和list的区别是 元组里面的数据无法修改 元祖用()小括号表示,如果元祖里面只有一个元素的话,必须在这个元素的后面添加一个逗号,不然就不是元祖了 ...
- MySQL-一条sql语句的执行顺序
手写: SELECT DISTINCT <select_list> FROM <left_table> <join_type> JOIN <right_tab ...
- AutoAssign源码分析
目录 AutoAssign源码分析 一. 简介 二. 论文理论 2.1 联合表示 2.2 正样本权重 2.3 负样本权重 2.4 总的loss 2.5 补充loss 三. 论文代码 四. 总结 五. ...
- Qt开发技术:图形视图框架(一)基本介绍
前话 使用到Qt的视图框架. Qt视图框架介绍 简介 图形视图框架(The Graphic View Framework)用于管理和与大量定制的二维图形项目交互,以及用于可视化项目的视图小 ...