smallworld-re 1.0.2__py3-none-any.whl → 2.0.0__py3-none-any.whl

smallworld/state/memory/elf/rela/mips.py

@@ -3,7 +3,9 @@ from .....exceptions import ConfigurationError
 from ..structs import ElfRela
 from .rela import ElfRelocator
 
+R_MIPS_NONE = 0
 R_MIPS_32 = 2  # 32-bit direct
+R_MIPS_REL32 = 3
 R_MIPS_64 = 18  # 64-bit direct
 
 
@@ -12,24 +14,43 @@ class MIPSElfRelocator(ElfRelocator):
     byteorder = platforms.Byteorder.BIG
 
     def _compute_value(self, rela: ElfRela):
-        # Because mypy doesn't believe I know what I'm doing...
-
-        if rela.type == R_MIPS_32:
-            # 32-bit direct
-            val = rela.symbol.value + rela.symbol.baseaddr + rela.addend
-            return val.to_bytes(
-                4, "big" if self.byteorder == platforms.Byteorder.BIG else "little"
-            )
-        elif rela.type == R_MIPS_64:
-            # 64-bit direct
-            val = rela.symbol.value + rela.symbol.baseaddr + rela.addend
-            return val.to_bytes(
-                8, "big" if self.byteorder == platforms.Byteorder.BIG else "little"
-            )
-        else:
-            raise ConfigurationError(
-                "Invalid relocation type for {rela.symbol.name}: {rela.type}"
-            )
+        # Unpack a MIPS64 relocation.
+        #
+        # It's not possible to build a 64-bit address in one instruction in MIPS64.
+        # Rather than tell the linker to live with it,
+        # MIPS64 relocation entries can define up to three nested relocations,
+        # with relocations 2 and 3 acting as if the symbol value were the result
+        # of the previous relocation.
+        #
+        # There's a fourth argument, which is a parameter to relocation 2, I think.
+        # Don't want to waste those bytes...
+        rela_types = []
+        # rela_special = (rela.type >> 24) & 0xFF
+        for i in range(0, 3):
+            rela_types.append((rela.type >> (i * 8)) & 0xFF)
+
+        val = rela.symbol.value + rela.symbol.baseaddr
+        is_64 = False
+        for i in range(0, 3):
+            rela_type = rela_types[i]
+            if rela_type == R_MIPS_NONE:
+                break
+            elif rela_type == R_MIPS_32 or rela_type == R_MIPS_REL32:
+                # 32-bit direct
+                val = val + rela.addend
+            elif rela_type == R_MIPS_64:
+                # 64-bit direct
+                val = val + rela.addend
+                is_64 = True
+            else:
+                raise ConfigurationError(
+                    f"Invalid relocation type {i} for {rela.symbol.name}: {rela_type}"
+                )
+
+        return val.to_bytes(
+            8 if is_64 else 4,
+            "big" if self.byteorder == platforms.Byteorder.BIG else "little",
+        )
 
 
 class MIPSELElfRelocator(MIPSElfRelocator):

smallworld/state/memory/elf/rela/ppc.py

@@ -3,6 +3,7 @@ from .....exceptions import ConfigurationError
 from ..structs import ElfRela
 from .rela import ElfRelocator
 
+R_PPC_ABS32 = 1  # Direct 32-bit
 R_PPC_GLOB_DAT = 20  # Create GOT entry
 R_PPC_JUMP_SLOT = 21  # Create PLT entry
 R_PPC_RELATIVE = 22  # Adjust by program base
@@ -14,7 +15,10 @@ class PowerPCElfRelocator(ElfRelocator):
     addrsz = 4
 
     def _compute_value(self, rela: ElfRela):
-        if (
+        if rela.type == R_PPC_ABS32:
+            val = rela.symbol.value + rela.symbol.baseaddr + rela.addend
+            return val.to_bytes(4, "big")
+        elif (
             rela.type == R_PPC_GLOB_DAT
             or rela.type == R_PPC_JUMP_SLOT
             or rela.type == R_PPC_RELATIVE
@@ -24,22 +28,35 @@ class PowerPCElfRelocator(ElfRelocator):
             return val.to_bytes(self.addrsz, "big")
         else:
             raise ConfigurationError(
-                "Invalid relocation type for {rela.symbol.name}: {rela.type}"
+                f"Invalid relocation type for {rela.symbol.name}: {rela.type}"
             )
 
 
+R_PPC64_ADDR64 = 38  # Adjust by program base, I think...
+
+
 class PowerPC64ElfRelocator(PowerPCElfRelocator):
     arch = platforms.Architecture.POWERPC64
+    byteorder = platforms.Byteorder.BIG
     addrsz = 8
-    # TODO: This is only the beginning
-    #
-    # The PowerPC64 JUMP_SLOT relocation is much more complicated,
-    # possibly the most complicated I've ever seen.
-    # It actually fills in three 64-bit values:
-    #
-    # 1. The actual function address
-    # 2. The TOC base address; serves a similar purpose to the Global Pointer in MIPS.
-    # 3. An "environment" pointer, not used by C.
-    #
-    # We're currently correctly filling in 1.
-    # Entry 2. is the address of the GOT section of the containing binary + 0x8000.
+
+    def _compute_value(self, rela: ElfRela):
+        if rela.type == R_PPC64_ADDR64:
+            val = rela.symbol.value + rela.symbol.baseaddr + rela.addend
+            return val.to_bytes(self.addrsz, "big")
+        elif rela.type == R_PPC_JUMP_SLOT:
+            # The PowerPC64 JUMP_SLOT relocation is much more complicated.
+            # It actually fills in three 64-bit values:
+            #
+            # 1. The actual function address
+            # 2. The TOC base address; serves a similar purpose to the Global Pointer in MIPS.
+            # 3. An "environment" pointer, not used by C.
+            #
+            # We're currently correctly filling in 1.
+            # Entry 2. is the address of the GOT section of the containing binary + 0x8000.
+            #
+            # This requires a reference to the containing binary,
+            # which I have no idea how to pass.
+            raise NotImplementedError("R_PPC64_JUMP_SLOT not implemented")
+        else:
+            return super()._compute_value(rela)

smallworld/state/memory/elf/structs.py

@@ -24,11 +24,14 @@ class ElfSymbol:
     without a separate dict.
     """
 
+    idx: int  # Symbol table index
+    dynamic: bool  # Is this in the static or dynamic symbol table?
     name: str  # Symbol name
     type: int  # Symbol type
     bind: int  # Symbol binding
     visibility: int  # Symbol visibility
     shndx: int  # Symbol section index, or reserved flags
+    defined: bool  # Is this symbol defined?
     value: int  # Symbol value
     size: int  # Symbol size
     baseaddr: int  # Base address for relative symbol values

smallworld/state/memory/heap.py

@@ -42,7 +42,7 @@ class Heap(memory.Memory):
         return self.allocate(value)
 
     def allocate_bytes(
-        self, content: typing.Union[bytes, bytearray], label: str
+        self, content: typing.Union[bytes, bytearray], label: typing.Optional[str]
     ) -> int:
         """Allocate space for and write bytes to the heap.
 
@@ -79,7 +79,7 @@ class BumpAllocator(Heap):
         return self.address + offset
 
     def free(self, address: int) -> None:
-        raise NotImplementedError("freeing with a BumpAllocator is not yet implemented")
+        pass
 
 
 __all__ = ["Heap", "BumpAllocator"]

smallworld/state/memory/memory.py

@@ -114,6 +114,24 @@ class Memory(state.Stateful, dict):
         self.clear()
         self[0] = value
 
+    def write_bytes(self, address: int, data: bytes) -> None:
+        """Overwrite part of this memory region with specific bytes
+
+        This will fail if the data you want to overwrite is in a symbolic sub-region.
+        """
+
+        for segment_offset, segment in self.items():
+            segment_address = self.address + segment_offset
+            if address >= segment_address and address < segment_address + segment._size:
+                contents = segment.get_content()
+                if not isinstance(contents, bytes):
+                    raise exceptions.SymbolicValueError(
+                        f"Tried to write {len(data)} bytes at {hex(address)}; data in {segment_address:x} - {segment_address + segment._size:x} is symbolic."
+                    )
+                offset = address - segment_address
+                contents = contents[0:offset] + data + contents[offset + len(data) :]
+                segment.set_content(contents)
+
     def __hash__(self):
         return super(dict, self).__hash__()
 

smallworld/state/memory/pe/__init__.py

@@ -0,0 +1,3 @@
+from .pe import PEExecutable
+
+__all__ = ["PEExecutable"]

smallworld/state/memory/pe/pe.py

@@ -0,0 +1,361 @@
+import typing
+
+import lief
+
+from ....exceptions import ConfigurationError
+from ....platforms import Architecture, Byteorder, Platform, PlatformDef
+from ....utils import RangeCollection
+from ...state import BytesValue
+from ..code import Executable
+from .structs import PEExport, PEImport
+
+# PE32+ machine types
+# There are a lot more of these, but I can only test on amd64 and i386
+IMAGE_FILE_MACHINE_AMD64 = 0x8664
+IMAGE_FILE_MACHINE_I386 = 0x14C
+
+# Section flags
+# Currently, the only one we care about is "code".
+# Not sure how the others interact with file loading.
+IMAGE_SCN_CNT_CODE = 0x20
+
+# Relocation types
+# All of these adjust based on the difference between
+# the requested and actual load addresses
+IMAGE_REL_BASED_ABSOLUTE = 0x0  # No-op
+IMAGE_REL_BASED_HIGHLOW = 0x3  # Add 32-bit difference to a 32-bit value
+IMAGE_REL_BASED_DIR64 = 0xA  # Add 64-bit difference to a 64-bit value
+
+
+class PEExecutable(Executable):
+    """Executable loaded from a PE32+
+
+    This loads a single PE32+ file into a SmallWorld memory object.
+    It performs no relocation or initialization,
+    just maps the file into memory as the kernel intended.
+
+    Arguments:
+        file: File-like object containing the image
+        platform: Optional platform; used for header verification
+        ignore_platform: Do not try to ID or verify platform from headers
+        user_base: Optional user-specified base address
+        page_size: System page size
+    """
+
+    def __init__(
+        self,
+        file: typing.BinaryIO,
+        platform: typing.Optional[Platform] = None,
+        ignore_platform: bool = False,
+        user_base: typing.Optional[int] = None,
+        page_size: int = 0x1000,
+    ):
+        # Initialize with null address and size;
+        # we will update these later
+        super().__init__(0, 0)
+
+        self.platform = platform
+        self.platdef: typing.Optional[PlatformDef] = None
+        self.bounds: RangeCollection = RangeCollection()
+
+        self._page_size = page_size
+        self._user_base = user_base
+        self._file_base = 0
+
+        self._exports: typing.List[PEExport] = list()
+        self._exports_by_name: typing.Dict[typing.Tuple[str, str], PEExport] = dict()
+        self._exports_by_ordinal: typing.Dict[typing.Tuple[str, int], PEExport] = dict()
+
+        self._imports: typing.List[PEImport] = list()
+        self._imports_by_name: typing.Dict[typing.Tuple[str, str], PEImport] = dict()
+        self._imports_by_ordinal: typing.Dict[typing.Tuple[str, int], PEImport] = dict()
+
+        # Read the entire image out of the file
+        image = file.read()
+
+        # Use lief to check if this is a PE
+        # NOTE: For some reason, this takes list(int), not bytes
+        if not lief.is_pe(list(image)):
+            raise ConfigurationError("Image is not a PE")
+
+        # Use lief to parse the PE
+        # NOTE: For some reason, this takes list(int), not bytes
+        # NOTE: lief objects aren't deep-copyable.
+        # I'd love to keep `pe` around for later use, but I can't.
+        pe = lief.PE.parse(list(image))
+        if pe is None:
+            raise ConfigurationError("Failed parsing PE image")
+
+        # Check machine compatibility
+        if not ignore_platform:
+            hdr_platform = self._platform_for_chdr(pe)
+            if self.platform is not None:
+                if self.platform != hdr_platform:
+                    raise ConfigurationError(
+                        "Platform mismatch: "
+                        f"specified {self.platform}, but got {hdr_platform} from header"
+                    )
+            else:
+                self.platform = hdr_platform
+            self.platdef = PlatformDef.for_platform(hdr_platform)
+
+        # Determine the file base address
+        self._file_base = pe.imagebase
+        self._determine_base()
+
+        for section in pe.sections:
+            # TODO: How do PE32+ files distinguish loadable segments?
+            # mingw objdump has some notion of allocated segments,
+            # but it doesn't map to anything in any of the flags.
+            self._map_section(section, image)
+
+        # Fix up the memory image to account for changes in the base address
+        self._apply_base_relocations(pe)
+
+        # Compute the final total capacity
+        for offset, value in self.items():
+            self.size = max(self.size, offset + value.get_size())
+
+        # Extract exports
+        self._extract_exports(pe)
+
+        # Extract imports
+        self._extract_imports(pe)
+
+    def _platform_for_chdr(self, pe):
+        if pe.header.machine.value == IMAGE_FILE_MACHINE_AMD64:
+            return Platform(Architecture.X86_64, Byteorder.LITTLE)
+        elif pe.header.machine.value == IMAGE_FILE_MACHINE_I386:
+            return Platform(Architecture.X86_32, Byteorder.LITTLE)
+        else:
+            raise ConfigurationError(f"Unsupported machine type {pe.header.machine}")
+
+    def _determine_base(self):
+        if self._user_base is None:
+            # No user base requested
+            if self._file_base == 0:
+                # No file base defined (unusal for PE32+)
+                # Need the user to provide one
+                raise ConfigurationError(
+                    "No base address provided, and none defined in PE file"
+                )
+            else:
+                self.address = self._file_base
+        else:
+            # PE files are always position-independent;
+            # we'll just have to fix things up later.
+            self.address = self._user_base
+
+    def _rebase_file(self, val: int):
+        # Rebase an offset from file-relative to image-relative
+        res = val + self.address
+        return res
+
+    def _page_align(self, val: int, up: bool = True):
+        if up:
+            val += self._page_size - 1
+        return (val // self._page_size) * self._page_size
+
+    def _map_section(self, sect, image):
+        # NOTE: Unlike ELFs, The physical address of PE sections is not page-aligned.
+        sect_start = sect.offset
+        sect_end = sect.offset + sect.size
+        sect_addr = self._page_align(self._rebase_file(sect.virtual_address), up=False)
+        sect_size = self._page_align(sect.virtual_size)
+
+        sect_data = image[sect_start:sect_end]
+        if len(sect_data) < sect_size:
+            # Section is shorter than what's available in the file;
+            # THis will get zero-padded.
+            pad_size = sect_size - len(sect_data)
+            sect_data += b"\0" * pad_size
+        if len(sect_data) != sect_size:
+            raise ConfigurationError(
+                f"Expected segment of size {sect_size}, but got {len(sect_data)}"
+            )
+
+        if 0 != (sect.characteristics & IMAGE_SCN_CNT_CODE):
+            # This is a code segment; add it to program bounds
+            self.bounds.add_range((sect_addr, sect_addr + sect_size))
+
+        sect_value = BytesValue(sect_data, None)
+        self[sect_addr - self.address] = sect_value
+
+    def _apply_base_relocations(self, pe):
+        # PE32+ files always allow the loader to override
+        # the program's base address.
+        #
+        # The relocation section marks places where
+        # an absolute offset needs fixing
+        # if the loader decides to override
+        if self.address == self._file_base:
+            # This file was not relocated.  Nothing to do.
+            return
+
+        if self.platform.byteorder == Byteorder.LITTLE:
+            byteorder = "little"
+        elif self.platform.byteorder == Byteorder.BIG:
+            byteorder = "big"
+        else:
+            raise ConfigurationError(
+                f"Can't encode byteorder {self.platform.byteorder}"
+            )
+
+        for base_reloc in pe.relocations:
+            for entry in base_reloc.entries:
+                if entry.type.value == IMAGE_REL_BASED_ABSOLUTE:
+                    # Entry is a no-op; continue
+                    continue
+                for off, val in self.items():
+                    if entry.address >= off and entry.address <= val.get_size():
+                        # Find the section containing this address
+                        contents = bytearray(val.get_content())
+                        fix_off = entry.address - off
+
+                        if entry.type.value == IMAGE_REL_BASED_HIGHLOW:
+                            # 4-byte repair
+                            tofix = int.from_bytes(
+                                contents[fix_off : fix_off + 4], byteorder
+                            )
+                            tofix += self.address - self._file_base
+                            contents[fix_off : fix_off + 4] = tofix.to_bytes(
+                                4, byteorder
+                            )
+
+                        elif entry.type.value == IMAGE_REL_BASED_DIR64:
+                            # 8-byte repair
+                            tofix = int.from_bytes(
+                                contents[fix_off : fix_off + 8], byteorder
+                            )
+                            tofix += self.address - self._file_base
+                            contents[fix_off : fix_off + 8] = tofix.to_bytes(
+                                8, byteorder
+                            )
+
+                        else:
+                            raise ConfigurationError(
+                                "Unhandled relocation type {entry.type}"
+                            )
+                        # Reset the data
+                        val.set_content(bytes(contents))
+                        break
+
+    def _extract_exports(self, pe) -> None:
+        if not pe.has_exports:
+            return
+
+        d = pe.get_export()
+        for e in d.entries:
+            if e.is_forwarded:
+                raise NotImplementedError(
+                    "{d.name}.{e.name} is forwarded to {e.forward_information}"
+                )
+            else:
+                exp = PEExport(
+                    dll=d.name,
+                    name=e.name,
+                    ordinal=e.ordinal,
+                    forwarder=None,
+                    value=e.value + self.address,
+                )
+            self._exports.append(exp)
+            self._exports_by_name[(d.name, e.name)] = exp
+            self._exports_by_ordinal[(d.name, e.ordinal)] = exp
+
+    def _extract_imports(self, pe) -> None:
+        if not pe.has_imports:
+            return
+
+        # Iterate over the import directories
+        # These group imports by the DLL that provides them
+        for d in pe.imports:
+            for e in d.entries:
+                imp = PEImport(
+                    dll=d.name,
+                    name=e.name if not e.is_ordinal else None,
+                    ordinal=e.ordinal if e.is_ordinal else None,
+                    iat_address=e.iat_address + self.address,
+                    forwarder=None,
+                    value=None,
+                )
+                if e.name == "puts":
+                    print(f"puts IAT at {e.iat_address:x} or {e.iat_value:x}")
+                self._imports.append(imp)
+                if e.is_ordinal:
+                    self._imports_by_ordinal[(d.name, e.ordinal)] = imp
+                else:
+                    self._imports_by_name[(d.name, e.name)] = imp
+
+    def update_import(
+        self, dll: str, hint: typing.Union[str, int, PEImport], value: int
+    ) -> None:
+        """Update an imported symbol in this PE file
+
+        Arguments:
+            dll: Name of the DLL where the import is defined
+            hint: Symbol name or ordinal
+            value: New value of the symbol
+        """
+        # No platform specified
+        if self.platform is None or self.platdef is None:
+            raise ConfigurationError("No platform specified; can't update imports")
+
+        if isinstance(hint, str):
+            # Look up by name
+            if (dll, hint) not in self._imports_by_name:
+                raise ConfigurationError(
+                    f"No import for {dll}.{hint}.  Try by ordinal?"
+                )
+            imp = self._imports_by_name[(dll, hint)]
+        elif isinstance(hint, int):
+            # Look up by ordinal
+            if (dll, hint) not in self._imports_by_ordinal:
+                raise ConfigurationError(f"No import for {dll}.#{hint}.  Try by name?")
+            imp = self._imports_by_ordinal[(dll, hint)]
+        elif isinstance(hint, PEImport):
+            imp = hint
+        else:
+            raise TypeError(f"Unexpected hint {hint} of type {type(hint)}")
+
+        # Save the new value to the import
+        # This marks it as initialized
+        imp.value = value
+
+        # Convert value to bytes
+        if self.platform.byteorder == Byteorder.LITTLE:
+            value_bytes = value.to_bytes(self.platdef.address_size, "little")
+        elif self.platform.byteorder == Byteorder.BIG:
+            value_bytes = value.to_bytes(self.platdef.address_size, "big")
+        else:
+            raise ConfigurationError(
+                f"Can't encode int for byteorder {self.platform.byteorder}"
+            )
+
+        # Rewrite IAT slot
+        # NOTE: PE files can have overlapping segments; check all of them.
+        for off, seg in self.items():
+            start = off + self.address
+            stop = start + seg.get_size()
+            if imp.iat_address >= start and imp.iat_address < stop:
+                start = imp.iat_address - start
+                end = start + len(value_bytes)
+                contents = seg.get_content()
+                contents = contents[0:start] + value_bytes + contents[end:]
+                seg.set_content(contents)
+
+    def link_pe(self, dll: "PEExecutable"):
+        for imp in self._imports:
+            if imp.value is not None:
+                continue
+
+            if imp.name is not None and (imp.dll, imp.name) in dll._exports_by_name:
+                exp = dll._exports_by_name[(imp.dll, imp.name)]
+            elif (
+                imp.ordinal is not None
+                and (imp.dll, imp.ordinal) in dll._exports_by_ordinal
+            ):
+                exp = dll._exports_by_ordinal[(imp.dll, imp.ordinal)]
+            else:
+                continue
+
+            self.update_import(imp.dll, imp, exp.value)

smallworld/state/memory/pe/structs.py

@@ -0,0 +1,60 @@
+import typing
+from dataclasses import dataclass
+
+
+@dataclass(frozen=False)
+class PEExport:
+    """PE export struct
+
+    Lief parses this data, but I can't keep the objects around.
+
+    An export defines a symbol that can be imported by other images.
+    See 'PEImport' for more on that process.
+
+    This is a mashup of a number of PE32+ structs
+    (export definitions are actually somewhat complicated
+    compared to import definitions).
+
+    Exports can be referenced by name or by ordinal - a numeric key
+    specific to the DLL.
+
+    Exports can provide an actual address, or a "forwarder".
+    This is the name of another export in another DLL that
+    will provide the actual value of the symbol... or possibly forward again.
+    """
+
+    dll: str
+    ordinal: int
+    name: str
+    forwarder: typing.Optional[str]
+    value: int
+
+
+@dataclass(frozen=False)
+class PEImport:
+    """PE import struct
+
+    Lief parses this data, but I can't keep the objects around.
+
+    An import defines that a specific exported symbol
+    is required from a specific DLL file.
+
+    They are closer to a relocation entry than a symbol;
+    each import defines the export required, and where
+    to write the exported value.  There is exactly one
+    relocation mechanism, making this a lot easier to parse than ELF.
+
+    This class actually mashes up two PE32+ structures:
+    an Import Directory Entry, which defines a DLL that the file needs,
+    and an Import Lookup Entry, which defines a specific export it needs.
+
+    Lookup requires two keys, either the DLL name and export name,
+    or the DLL and export ordinal - a numeric key specified wihtin the DLL.
+    """
+
+    dll: str  # Name of the DLL
+    name: typing.Optional[str]  # String name of the export
+    ordinal: typing.Optional[int]  # Ordinal of the export
+    iat_address: int  # Address of the IAT slot for this import
+    forwarder: typing.Optional[str]  # Forwarder export, if provided
+    value: typing.Optional[int]  # Value imported

smallworld/state/memory/stack/__init__.py

@@ -2,6 +2,7 @@ from .aarch64 import AArch64Stack
 from .amd64 import AMD64Stack
 from .arm import ARMv5tStack, ARMv6mStack, ARMv7aStack, ARMv7mStack, ARMv7rStack
 from .i386 import X86Stack
+from .loongarch import LoongArch64Stack
 from .mips import MIPSBEStack, MIPSELStack
 from .mips64 import MIPS64BEStack, MIPS64ELStack
 from .ppc import PowerPC32Stack, PowerPC64Stack
@@ -19,6 +20,7 @@ __all__ = __stack__ + [
     "ARMv7rStack",
     "ARMv7aStack",
     "X86Stack",
+    "LoongArch64Stack",
     "MIPSBEStack",
     "MIPSELStack",
     "MIPS64BEStack",

smallworld/state/memory/stack/loongarch.py

@@ -0,0 +1,26 @@
+import typing
+
+from .... import platforms
+from . import stack
+
+
+class LoongArchStack(stack.DescendingStack):
+    """A stack for a LoongArch CPU"""
+
+    def get_pointer(self) -> int:
+        return (self.address + self.size) - self.get_used()
+
+    def get_alignment(self) -> int:
+        return 4
+
+    @classmethod
+    def initialize_stack(cls, argv: typing.List[bytes], *args, **kwargs):
+        raise NotImplementedError("Stack initialization not implemented for MIPS64")
+
+
+class LoongArch64Stack(LoongArchStack):
+    """A stack for a LoongArch 64-bit CPU"""
+
+    platform = platforms.Platform(
+        platforms.Architecture.LOONGARCH64, platforms.Byteorder.LITTLE
+    )