vmlinux-to-elf 1.0__py3-none-any.whl

vmlinux_to_elf/core/architecture_detecter.py

@@ -0,0 +1,226 @@
+#!/usr/bin/env python3
+# -*- encoding: Utf-8 -*-
+import logging
+from collections import Counter
+from enum import IntEnum
+from re import DOTALL, findall
+from time import time
+from typing import Optional
+
+"""
+    Guess the architecture of a given binary.
+    
+    For this, scan it for simple function prologues.
+    Inspiration: https://github.com/ReFirmLabs/binwalk/blob/master/src/binwalk/magic/binarch
+    
+    Also, return a sequence of the spacing in bytes
+    between each detected function prologue, so that
+    it can be matched with function symbols from the
+    kallsys table and the base address at the offset
+    0 of the binary can be guessed.
+"""
+
+
+class ArchitectureGuessError(Exception):
+    pass
+
+
+class ArchitectureName(IntEnum):
+    mipsle = 1
+    mipsbe = 2
+    mips64le = 3
+    mips64be = 4
+    x86 = 5
+    x86_64 = 6
+    powerpcbe = 7
+    powerpcle = 8
+    armle = 9
+    armbe = 10
+    aarch64 = 11
+    mips16e = 12
+    superhle = 13
+    superhbe = 14
+    sparc = 15
+    arcompact = 16
+
+
+# Prologues taken from the binwalk file linked above
+architecture_to_prologue_regex: dict[ArchitectureName, bytes] = {
+    ArchitectureName.mipsle: rb".\xFF\xBD\x27..[\xA0-\xBF]\xAF",
+    ArchitectureName.mipsbe: rb"\x27\xBD\xFF.\xAF[\xA0-\xBF]..",
+    ArchitectureName.mips64le: rb".\xFF\xBD\x67..[\xA0-\xBF]\xFF",
+    ArchitectureName.mips64be: rb"\x67\xBD\xFF.\xFF[\xA0-\xBF]..",
+    ArchitectureName.x86: rb"\x55\x89\xE5(?:\x83\xEC|\x57\x56)",
+    ArchitectureName.x86_64: rb"\x55\x48\x89\xE5",
+    ArchitectureName.powerpcbe: rb"\x7C\x08\x02\xA6",
+    ArchitectureName.powerpcle: rb"\xA6\x02\x08\x7C",
+    ArchitectureName.armbe: rb"\xE9\x2D..(?:[\xE0-\xEF]...){2}",
+    ArchitectureName.armle: rb"\x2D\xE9(?:...[\xE0-\xEF]){2}",
+    ArchitectureName.mips16e: rb"\xf0\x08\x64.\x01.",
+    ArchitectureName.superhle: rb"\xF6\x69\x0B\x00\xF6\x68",  # This is an epilogue
+    ArchitectureName.superhbe: rb"\x69\xF6\x00\x0B\x68\xF6",  # This is an epilogue
+    ArchitectureName.aarch64: rb"\xc0\x03\x5f\xd6",  # This is an epilogue
+    ArchitectureName.sparc: rb"\x81\xC7\xE0\x08\x81\xE8",  # This is an epilogue
+    ArchitectureName.arcompact: b"\xf1\xc0.\x1c\x48[\xb0-\xbf]",  # push_s blink; st.a r??, [sp, -??]
+}
+
+
+# From https://github.com/torvalds/linux/blob/master/include/uapi/linux/elf-em.h
+
+
+class ElfMachine(IntEnum):
+    # These constants define the various ELF target machines
+    EM_NONE = 0
+    EM_M32 = 1
+    EM_SPARC = 2
+    EM_386 = 3
+    EM_68K = 4
+    EM_88K = 5
+    EM_486 = 6  # Perhaps disused
+    EM_860 = 7
+    EM_MIPS = 8  # MIPS R3000 (officially, big-endian only)
+    # Next two are historical and binaries and
+    # modules of these types will be rejected by
+    # Linux.
+    EM_MIPS_RS3_LE = 10  # MIPS R3000 little-endian
+    EM_MIPS_RS4_BE = 10  # MIPS R4000 big-endian
+
+    EM_PARISC = 15  # HPPA
+    EM_SPARC32PLUS = 18  # Sun's "v8plus"
+    EM_PPC = 20  # PowerPC
+    EM_PPC64 = 21  # PowerPC64
+    EM_SPU = 23  # Cell BE SPU
+    EM_ARM = 40  # ARM 32 bit
+    EM_SH = 42  # SuperH
+    EM_SPARCV9 = 43  # SPARC v9 64-bit
+    EM_H8_300 = 46  # Renesas H8/300
+    EM_IA_64 = 50  # HP/Intel IA-64
+    EM_X86_64 = 62  # AMD x86-64
+    EM_S390 = 22  # IBM S/390
+    EM_CRIS = 76  # Axis Communications 32-bit embedded processor
+    EM_M32R = 88  # Renesas M32R
+    EM_MN10300 = 89  # Panasonic/MEI MN10300, AM33
+    EM_OPENRISC = 92  # OpenRISC 32-bit embedded processor
+    EM_ARCOMPACT = 93  # ARCompact processor
+    EM_XTENSA = 94  # Tensilica Xtensa Architecture
+    EM_BLACKFIN = 106  # ADI Blackfin Processor
+    EM_UNICORE = 110  # UniCore-32
+    EM_ALTERA_NIOS2 = 113  # Altera Nios II soft-core processor
+    EM_TI_C6000 = 140  # TI C6X DSPs
+    EM_HEXAGON = 164  # QUALCOMM Hexagon
+    EM_NDS32 = 167  # Andes Technology compact code size embedded RISC processor family
+    EM_AARCH64 = 183  # ARM 64 bit
+    EM_TILEPRO = 188  # Tilera TILEPro
+    EM_MICROBLAZE = 189  # Xilinx MicroBlaze
+    EM_TILEGX = 191  # Tilera TILE-Gx
+    EM_ARCV2 = 195  # ARCv2 Cores
+    EM_RISCV = 243  # RISC-V
+    EM_BPF = 247  # Linux BPF - in-kernel virtual machine
+    EM_CSKY = 252  # C-SKY
+    EM_FRV = 0x5441  # Fujitsu FR-V
+
+    # This is an interim value that we will use until the committee comes
+    # up with a final number.
+    EM_ALPHA = 0x9026
+
+    # Bogus old m32r magic number, used by old tools.
+    EM_CYGNUS_M32R = 0x9041
+    # This is the old interim value for S/390 architecture
+    EM_S390_OLD = 0xA390
+    # Also Panasonic/MEI MN10300, AM33
+    EM_CYGNUS_MN10300 = 0xBEEF
+
+
+class ArchitectureDetectionResult:
+    architecture_name: ArchitectureName
+    elf_machine: ElfMachine
+    is_64_bit: bool
+    is_big_endian: bool
+
+    def __init__(self, architecture_name: ArchitectureName):
+        self.architecture_name = architecture_name
+
+        lookup_table: dict[ArchitectureName, tuple[int, bool, bool]] = {
+            ArchitectureName.mipsle: (ElfMachine.EM_MIPS, False, False),
+            ArchitectureName.mipsbe: (ElfMachine.EM_MIPS, False, True),
+            ArchitectureName.mips64le: (ElfMachine.EM_MIPS, True, False),
+            ArchitectureName.mips64be: (ElfMachine.EM_MIPS, True, True),
+            ArchitectureName.x86: (ElfMachine.EM_386, False, False),
+            ArchitectureName.x86_64: (ElfMachine.EM_X86_64, True, False),
+            ArchitectureName.powerpcbe: (ElfMachine.EM_PPC, False, True),
+            ArchitectureName.powerpcle: (ElfMachine.EM_PPC, False, False),
+            ArchitectureName.armbe: (ElfMachine.EM_ARM, False, True),
+            ArchitectureName.armle: (ElfMachine.EM_ARM, False, False),
+            ArchitectureName.mips16e: (ElfMachine.EM_MIPS, False, True),
+            ArchitectureName.superhle: (ElfMachine.EM_SH, False, False),
+            ArchitectureName.superhbe: (ElfMachine.EM_SH, False, True),
+            ArchitectureName.aarch64: (ElfMachine.EM_AARCH64, True, False),
+            ArchitectureName.sparc: (ElfMachine.EM_SPARC, False, True),
+            ArchitectureName.arcompact: (ElfMachine.EM_ARCOMPACT, False, False),
+        }
+
+        self.elf_machine, self.is_64_bit, self.is_big_endian = lookup_table[
+            architecture_name
+        ]
+
+
+class ArchitectureDetector:
+    """
+    Main architecture guess function
+
+    @param binary (bytes): A raw kernel blob
+    @raises ArchitectureGuessError
+    @returns ArchitectureDetectionResult
+    """
+
+    @classmethod
+    def guess(cls, binary: bytes) -> ArchitectureDetectionResult:
+        begin_time = time()
+
+        architecture_guess = cls._guess_architecture_special(binary)
+        if not architecture_guess:
+            architecture_guess = cls._guess_architecture_common(binary)
+
+        if not architecture_guess:
+            raise ArchitectureGuessError(
+                "The architecture could not be guessed successfully"
+            )
+
+        logging.info(
+            "[+] Guessed architecture: %s successfully in %.2f seconds"
+            % (architecture_guess.name, time() - begin_time)
+        )
+
+        return ArchitectureDetectionResult(architecture_guess)
+
+    """
+        Guess the architecture based on special knowledge, like custom signatures or binary format
+    """
+
+    @staticmethod
+    def _guess_architecture_special(binary: bytes) -> Optional[ArchitectureName]:
+        if binary[:2] == b"MZ":
+            # Maybe UEFI boot stub ?
+            if binary[0x38:0x3C] == b"ARMd":
+                return ArchitectureName.aarch64
+
+        return None
+
+    """
+        Guess the architecture based on common patterns
+    """
+
+    @staticmethod
+    def _guess_architecture_common(binary: bytes) -> Optional[ArchitectureName]:
+        architecture_to_number_of_prologues: dict[ArchitectureName, int] = Counter()
+
+        for architecture, prologue in architecture_to_prologue_regex.items():
+            architecture_to_number_of_prologues[architecture] = len(
+                findall(prologue, binary, flags=DOTALL)
+            )
+
+        best_architecture_guess, number_of_prologues = (
+            architecture_to_number_of_prologues.most_common(1)[0]
+        )
+
+        return None if number_of_prologues < 100 else best_architecture_guess

vmlinux_to_elf/core/elf_symbolizer.py

@@ -0,0 +1,337 @@
+#!/usr/bin/env python3
+# -*- encoding: Utf-8 -*-
+import logging
+from io import BytesIO
+
+from vmlinux_to_elf.core.architecture_detecter import ArchitectureGuessError
+from vmlinux_to_elf.core.kallsyms import KallsymsFinder, KallsymsSymbolType
+from vmlinux_to_elf.utils.elf import (
+    SH_FLAGS,
+    SPECIAL_SECTION_INDEX,
+    ST_INFO_BINDING,
+    ST_INFO_TYPE,
+    Elf32BigEndianRelocationWithAddendTableEntry,
+    Elf32BigEndianSymbolTableEntry,
+    Elf32LittleEndianRelocationWithAddendTableEntry,
+    Elf32LittleEndianSymbolTableEntry,
+    Elf64BigEndianRelocationWithAddendTableEntry,
+    Elf64BigEndianSymbolTableEntry,
+    Elf64LittleEndianRelocationWithAddendTableEntry,
+    Elf64LittleEndianSymbolTableEntry,
+    ElfFile,
+    ElfNoBits,
+    ElfNullSection,
+    ElfProgbits,
+    ElfRela,
+    ElfStrtab,
+    ElfSymtab,
+)
+
+"""
+    The ElfSymbolizer class, defined in this file, gathers information from
+    the other modules (such as kallsyms_finder, which extracts the kernel's
+    runtime symbol table, or vmlinuz_decompressor, which processes possible
+    kernel compressions), in order to generate the output ELF file.
+"""
+
+
+class ElfSymbolizer:
+    def __init__(
+        self,
+        file_contents: bytes,
+        output_file: str,
+        elf_machine: int = None,
+        bit_size: int = None,
+        base_address: int = None,
+        bss_size: int = 16,
+        file_offset: int = None,
+        override_relative: bool = None,
+    ):
+        if file_contents.startswith(
+            b"\x27\x05\x19\x56"
+        ):  # uImage header magic (always big-endian)
+            if file_offset is None:
+                file_offset = (
+                    64  # uImage header size (image_header_t from u-boot/image.h)
+                )
+
+            if base_address is None:
+                base_address = int.from_bytes(file_contents[4 * 4 : 4 * 5], "big")
+
+        if file_offset:
+            file_contents = file_contents[file_offset:]
+
+        kallsyms_finder = KallsymsFinder(
+            file_contents, bit_size, override_relative, base_address
+        )
+
+        if elf_machine is None and not kallsyms_finder.elf_machine:
+            raise ArchitectureGuessError(
+                "The architecture could not be guessed successfully"
+            )
+
+        if file_contents.startswith(b"\x7fELF"):
+            kernel = ElfFile.from_bytes(BytesIO(file_contents))
+
+        else:
+            kernel = ElfFile(kallsyms_finder.is_big_endian, kallsyms_finder.is_64_bits)
+
+            #  Previsouly the register size was based on the kernel version string: bool(kallsyms_finder.offset_table_element_size >= 8 or search('itanium|(?:amd|aarch|ia|arm|x86_|\D-)64', kallsyms_finder.version_string, flags = IGNORECASE))
+
+            if elf_machine is not None:
+                kernel.file_header.e_machine = elf_machine
+            else:
+                kernel.file_header.e_machine = kallsyms_finder.elf_machine
+
+            ET_EXEC = 2
+            kernel.file_header.e_type = ET_EXEC
+
+            null = ElfNullSection(kernel)
+            null.section_name = ""
+
+            progbits = ElfProgbits(kernel)
+            progbits.section_name = ".kernel"
+            progbits.section_header.sh_flags = (
+                SH_FLAGS.SHF_ALLOC | SH_FLAGS.SHF_EXECINSTR | SH_FLAGS.SHF_WRITE
+            )
+
+            first_symbol_virtual_address = next(
+                (
+                    symbol.virtual_address
+                    for symbol in kallsyms_finder.symbols
+                    if symbol.symbol_type == KallsymsSymbolType.TEXT
+                ),
+                None,
+            )
+
+            if kallsyms_finder.has_base_relative:
+                first_symbol_virtual_address = min(
+                    first_symbol_virtual_address, kallsyms_finder.relative_base_address
+                )
+
+            if base_address is not None:
+                progbits.section_header.sh_addr = base_address
+                logging.info(
+                    f"[+] An explicit base address was given ({progbits.section_header.sh_addr:x})"
+                )
+            elif kallsyms_finder.kernel_text_candidate:
+                progbits.section_header.sh_addr = kallsyms_finder.kernel_text_candidate
+                logging.info(
+                    f"[+] Guessed the base address using the kernel_text_candidate heuristic ({progbits.section_header.sh_addr:x})"
+                )
+            else:
+                progbits.section_header.sh_addr = (
+                    first_symbol_virtual_address & 0xFFFFFFFFFFFFF000
+                )
+                logging.info(
+                    f"[+] Guessed the base address using the first_symbol_virtual_address fallback heuristic ({progbits.section_header.sh_addr:x})"
+                )
+
+            kernel.sections += [null, progbits]
+
+            if kallsyms_finder.elf64_rela:
+                # Punch a hole into the ELF to remove relocation tables
+                progbits.section_header.sh_size = kallsyms_finder.elf64_rela_start
+                progbits.section_contents = file_contents[
+                    : progbits.section_header.sh_size
+                ]
+                progbits2 = ElfProgbits(kernel)
+                progbits2.section_name = ".kernel2"
+                progbits2.section_header.sh_flags = (
+                    SH_FLAGS.SHF_ALLOC | SH_FLAGS.SHF_EXECINSTR | SH_FLAGS.SHF_WRITE
+                )
+                progbits2.section_header.sh_addr = (
+                    progbits.section_header.sh_addr
+                    + kallsyms_finder.elf64_rela_end_excl
+                )
+                progbits2.section_header.sh_size = (
+                    len(file_contents) - kallsyms_finder.elf64_rela_end_excl
+                )
+                progbits2.section_contents = file_contents[
+                    kallsyms_finder.elf64_rela_end_excl :
+                ]
+                kernel.sections += [progbits2]
+            else:
+                progbits.section_contents = file_contents
+                progbits.section_header.sh_size = len(file_contents)
+
+            bss = ElfNoBits(kernel)
+            bss.section_name = ".bss"
+            bss.section_header.sh_flags = (
+                SH_FLAGS.SHF_ALLOC | SH_FLAGS.SHF_EXECINSTR | SH_FLAGS.SHF_WRITE
+            )
+            bss.section_header.sh_size = bss_size * 1024 * 1024
+            bss.section_header.sh_addr = progbits.section_header.sh_addr + len(
+                file_contents
+            )
+
+            kernel.sections += [bss]
+
+        r"""
+            Find the entry point symbol. Based on executing this command
+            on the Linux tree source:
+            
+            for i in $(find -iname 'vmlinux.lds.S' -o -iname 'dyn.lds.S' -o -iname 'vmlinux-std.lds');
+                do echo "$i:"$(grep -P '^ENTRY\(' $i);
+            done | grep -Po 'ENTRY\((.+?)\)' | sort -u
+
+            You can find the possible symbols that are used as an entry
+            point for the kernel, here sorted from the most specific to
+            the less specific
+        """
+
+        POSSIBLE_ENTRY_POINT_SYMBOLS = [
+            "kernel_entry",
+            "microblaze_start",
+            "parisc_kernel_start",
+            "phys_startup_32",
+            "phys_startup_64",
+            "phys_start",
+            "_stext_lma",
+            "res_service",
+            "_c_int00",
+            "startup_32",
+            "startup_64",
+            "startup_continue",
+            "startup",
+            "__start",
+            "_start",
+            "start_kernel",
+            "stext",
+            "_stext",
+            "_text",
+        ]
+
+        entry_point_address: int = None
+
+        for symbol_name in POSSIBLE_ENTRY_POINT_SYMBOLS:
+            symbol = kallsyms_finder.name_to_symbol.get(symbol_name)
+
+            if symbol:
+                entry_point_address = symbol.virtual_address
+
+                break
+
+        if entry_point_address is None:
+            raise ValueError("No entry point symbol found in the kallsyms")
+
+        kernel.file_header.e_entry = entry_point_address
+
+        # Add symbols
+
+        symtab = next((i for i in kernel.sections if i.section_name == ".symtab"), None)
+
+        if not symtab:
+            symtab = ElfSymtab(kernel)
+            symtab.section_name = ".symtab"
+
+            strtab = ElfStrtab(kernel)
+            strtab.section_name = ".strtab"
+            symtab.string_table = strtab
+
+            shstrtab = ElfStrtab(kernel)
+            shstrtab.section_name = ".shstrtab"
+
+            kernel.section_string_table = shstrtab
+            kernel.sections += [symtab, strtab, shstrtab]
+
+        sections = sorted(
+            [i for i in kernel.sections if i.section_header.sh_addr > 0],
+            key=lambda x: x.section_header.sh_addr,
+        )
+
+        def _find_section(address):
+            """
+            Uses binary search to quickly find the section which the address belongs to
+            """
+            # Set baseline and roofline hypotheses, expressed in
+            # section table indexes:
+            lower_range, upper_range = 0, len(sections) - 1
+            # Wait for the hypotheses to converge
+            while lower_range < upper_range:
+                # Mean operation to pick a new tentative hypothesis
+                # (add one to ensure to ceil-round the upper
+                # hypothesis in case of a difference of 1)
+                middle = (lower_range + upper_range + 1) // 2
+                if (
+                    sections[middle].section_header.sh_addr <= address
+                ):  # Test the hypothesis
+                    lower_range = middle  # Use the hypothesis as a baseline
+                else:
+                    upper_range = middle - 1  # Disqualify the hypothesis
+            if (
+                sections[lower_range].section_header.sh_addr
+                <= address
+                <= sections[lower_range].section_header.sh_addr
+                + sections[lower_range].section_header.sh_size
+            ):
+                return sections[
+                    lower_range
+                ]  # Select the best hypothesis if it qualifies
+            return None
+
+        elf_symbol_class = {
+            (False, False): Elf32LittleEndianSymbolTableEntry,
+            (True, False): Elf32BigEndianSymbolTableEntry,
+            (False, True): Elf64LittleEndianSymbolTableEntry,
+            (True, True): Elf64BigEndianSymbolTableEntry,
+        }[(kernel.is_big_endian, kernel.is_64_bits)]
+
+        for symbol in kallsyms_finder.symbols:
+            elf_symbol = elf_symbol_class(kernel.is_big_endian, kernel.is_64_bits)
+
+            elf_symbol.symbol_name = symbol.name
+            elf_symbol.st_value = symbol.virtual_address
+
+            if symbol.symbol_type not in (
+                KallsymsSymbolType.TEXT,
+                KallsymsSymbolType.WEAK_SYMBOL_WITH_DEFAULT,
+            ):
+                elf_symbol.st_info_type = ST_INFO_TYPE.STT_OBJECT
+            else:
+                elf_symbol.st_info_type = ST_INFO_TYPE.STT_FUNC
+
+            if symbol.symbol_type in (
+                KallsymsSymbolType.WEAK_OBJECT_WITH_DEFAULT,
+                KallsymsSymbolType.WEAK_SYMBOL_WITH_DEFAULT,
+            ):
+                elf_symbol.st_info_binding = ST_INFO_BINDING.STB_WEAK
+            elif symbol.is_global:
+                elf_symbol.st_info_binding = ST_INFO_BINDING.STB_GLOBAL
+            else:
+                elf_symbol.st_info_binding = ST_INFO_BINDING.STB_LOCAL
+
+            if symbol.symbol_type == KallsymsSymbolType.ABSOLUTE:
+                elf_symbol.st_shndx = SPECIAL_SECTION_INDEX.SHN_ABS
+            else:
+                elf_symbol.associated_section = _find_section(symbol.virtual_address)
+
+            symtab.symbol_table.append(elf_symbol)
+
+        if kallsyms_finder.elf64_rela:
+            srela = ElfRela(kernel)
+            srela.section_name = ".rela.dyn"
+            relocation_class = {
+                (False, False): Elf32LittleEndianRelocationWithAddendTableEntry,
+                (True, False): Elf32BigEndianRelocationWithAddendTableEntry,
+                (False, True): Elf64LittleEndianRelocationWithAddendTableEntry,
+                (True, True): Elf64BigEndianRelocationWithAddendTableEntry,
+            }[(kernel.is_big_endian, kernel.is_64_bits)]
+            srela.relocation_table = []
+            srela.symtab_section = symtab
+            kernel.sections += [srela]
+            for rela in kallsyms_finder.elf64_rela:
+                relocation = relocation_class(kernel.is_big_endian, kernel.is_64_bits)
+
+                relocation.r_offset = rela[0]
+                relocation.r_info_type = 1027
+                relocation.r_addend = rela[2]
+
+                srela.relocation_table.append(relocation)
+
+        # Save the modified ELF
+
+        with open(output_file, "wb") as fd:
+            kernel.serialize(fd)
+
+        logging.info("[+] Successfully wrote the new ELF kernel to %s" % output_file)