Original blog post: http://blog.csdn.net/qq1084283172/article/details/70140865

01. The original text on setting up a router firmware analysis and dynamic debugging environment

The blog post "Emulating and Debugging Workspace" is fairly old, but it describes in detail the main steps for setting up a router firmware analysis and dynamic debugging environment, along with some important information. To avoid errors introduced by translation, the author's original text is copied here verbatim for study; the author's approach is summarized afterwards.

A grad student emailed me in response to my Netgear auth bypass post.  He's working on a research project and wanted to know if I knew of any resources or techniques to use emulation for executing and debugging the net-cgi binary in the Netgear firmware.  It turns out I've got all the resources to do just that.  I replied with a description of my workspace and some links to resources I use, and, in many cases, have developed.  I thought this might make an interesting blog post, but I don't really have time to write it up all blog-post-like.  Instead I'll just paste in my email.  Maybe it'll be useful to other people as well.

Hello,

I think the best approach is to describe how I set up my tool chain and environment.  Hopefully that will be helpful for you.

To start with, I do my work in an Ubuntu VM.  Specifically 12.04.  I don't think the exact release matters, but I know 12.04 works with my tools.

I keep a set of cross compilers in my path for various architectures. In my opinion, building with a cross compiler is faster and easier than building with gcc inside QEMU.  I recommend building a set of cross-compiling toolchains using Buildroot. Buildroot uses a Linux Kernel-style menuconfig build system.  I don't have anything written up on building cross compilers, but I could probably send you my buildroot configuration if you need it, and if I can find it.

You can download the firmware for the router from Netgear's support website.
Here's a link to the firmware:
http://support.netgear.com/product/wndr3700v4 
In order to unpack the firmware, I recommend my colleague, Craig Heffner's tool, Binwalk:
https://code.google.com/p/binwalk/ 
Binwalk will analyze a binary file and describe the subcomponents it finds within, such as filesystems, compressed kernel, etc. Additionally, it can unpack the subcomponents it finds, assuming it knows how.
Install binwalk in your Ubuntu environment using the "debian_quick_install.sh" installation script, which will apt-get install a number of dependencies.
Rather than describe binwalk's usage, I'll refer you to the wiki:
https://code.google.com/p/binwalk/wiki/Usage?tm=6 
Also, in your Ubuntu environment you'll need a Debian MIPS QEMU system that you can use to emulate the firmware's binaries.

I found lots of information about running Debian in QEMU, but most of it was incomplete, and a lot of it was inconsistent, so I've written a blog post describing how I set up my QEMU systems:
http://shadow-file.blogspot.com/2013/05/running-debian-mips-linux-in-qemu.html 
This is just personal, but I like to export my workspace to the QEMU machines via NFS.  In fact, I export my workspace from my Mac via NFS, and my Ubuntu VMs and Debian QEMU VMs all mount the same directory. That way I'm not having to copy firmware, scripts and debuggers around.

Once logged into your QEMU VM, you can chroot into the router's firmware and run some of its binaries:

firmware_rootfs # chroot . /bin/sh
#

The simple ones, such as busybox, will run with no problem. The web server, upnp server, etc. are more complicated because they make a lot of assumptions about the router's specific hardware being present.

One of the problems you run into has to do with queries to NVRAM for runtime configuration.  Obviously, your Debian MIPS Linux has no NVRAM, so these queries will fail.  For that, I have a project called "nvram-faker":
https://github.com/zcutlip/nvram-faker 
You build the library for your target and preload it using the LD_PRELOAD environment variable. It intercepts calls to nvram_get and provides answers based on the contents of an nvram.ini file that you provide. It prints all the nvram queries to stdout, and colorizes the ones that it couldn't find in the .ini file.  Obviously it takes some guesswork to provide sane configuration parameters.

Sometimes you can skip running the web server and just run the cgi binaries from a shell script.  Most cgi binaries take their input from the web server as a combination of standard input and environment variables.  They send their response to the web server over standard output.

I hope this helps.  Let me know if I can help any other way.

Zach
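The last part of the email describes the contract between a web server and a CGI binary: request metadata arrives in environment variables, the request body arrives on standard input, and the response goes back on standard output. The C driver below is an added example for this page (it is not code from the email or from the author's tooling); it reproduces that contract so a CGI binary can be exercised without the firmware's web server. The variable names are the standard CGI ones (REQUEST_METHOD, QUERY_STRING, CONTENT_LENGTH, CONTENT_TYPE); which of them a particular router CGI actually reads, the sample request, and the use of /bin/cat as a stand-in "CGI" that echoes its input are assumptions made for the demonstration.

```c
/* Added example: drive a CGI binary the way a web server would, without the server.
 * Not the original author's code. Environment variable names follow the CGI convention;
 * which ones a given router CGI reads must be checked per binary (assumption). */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

struct cgi_env { char vars[6][160]; char *ptrs[7]; };

/* Populate the CGI environment for one request; returns a NULL-terminated envp array.
 * SCRIPT_NAME is a constructed placeholder path. */
char **build_cgi_env(struct cgi_env *e, const char *method, const char *query,
                     size_t body_len, const char *ctype) {
    snprintf(e->vars[0], sizeof e->vars[0], "REQUEST_METHOD=%s", method);
    snprintf(e->vars[1], sizeof e->vars[1], "QUERY_STRING=%s", query);
    snprintf(e->vars[2], sizeof e->vars[2], "CONTENT_LENGTH=%zu", body_len);
    snprintf(e->vars[3], sizeof e->vars[3], "CONTENT_TYPE=%s", ctype);
    snprintf(e->vars[4], sizeof e->vars[4], "GATEWAY_INTERFACE=CGI/1.1");
    snprintf(e->vars[5], sizeof e->vars[5], "SCRIPT_NAME=/cgi-bin/example.cgi");
    for (int i = 0; i < 6; i++) e->ptrs[i] = e->vars[i];
    e->ptrs[6] = NULL;
    return e->ptrs;
}

/* Execute `path` with the given envp, feed `body` on its stdin, capture its stdout into `out`.
 * Returns bytes captured, or -1 if the binary could not be started. Bodies are written in
 * full before the response is read, so this is meant for small requests (no deadlock
 * handling for large bodies). */
ssize_t run_cgi(const char *path, char *const envp[], const char *body, size_t body_len,
                char *out, size_t outlen) {
    int in[2], outp[2];
    if (pipe(in) < 0 || pipe(outp) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                       /* child: wire pipes to stdin/stdout, exec the CGI */
        dup2(in[0], STDIN_FILENO);
        dup2(outp[1], STDOUT_FILENO);
        close(in[0]); close(in[1]); close(outp[0]); close(outp[1]);
        char *const argv[] = {(char *)path, NULL};
        execve(path, argv, envp);
        _exit(127);
    }
    close(in[0]); close(outp[1]);
    size_t off = 0;                       /* parent: send the body, then EOF */
    while (off < body_len) {
        ssize_t w = write(in[1], body + off, body_len - off);
        if (w <= 0) break;
        off += (size_t)w;
    }
    close(in[1]);
    size_t total = 0;                     /* collect the response */
    while (total + 1 < outlen) {
        ssize_t r = read(outp[0], out + total, outlen - 1 - total);
        if (r <= 0) break;
        total += (size_t)r;
    }
    close(outp[0]);
    out[total] = '\0';
    int status = 0;
    waitpid(pid, &status, 0);
    if (WIFEXITED(status) && WEXITSTATUS(status) == 127) return -1;
    return (ssize_t)total;
}

/* Stand-alone demo with a constructed POST request; /bin/cat stands in for the CGI binary. */
int main(void) {
    struct cgi_env e;
    const char *body = "username=admin&action=status";   /* constructed sample body */
    char **envp = build_cgi_env(&e, "POST", "page=status", strlen(body),
                                "application/x-www-form-urlencoded");
    char resp[4096];
    ssize_t n = run_cgi("/bin/cat", envp, body, strlen(body), resp, sizeof resp);
    printf("captured %zd bytes: %s\n", n, resp);
    return n < 0;
}
```

To use it against a real firmware CGI, cross-compile the driver with the Buildroot toolchain, run it inside the chroot on the Debian MIPS QEMU system, and pass the CGI's path instead of /bin/cat; the same LD_PRELOAD approach described for nvram-faker applies to the child process, because the environment you pass is inherited by the exec'd binary.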

02. Summary of the steps for setting up a router firmware analysis and dynamic debugging environment

1. Create an Ubuntu 12.04 virtual machine.

2. Use Buildroot to build a cross-compilation toolchain for MIPS programs. Buildroot builds the toolchain through a Linux-kernel-style menuconfig configuration.

3. Download the firmware the router uses from the vendor's official website. Taking Netgear as the example, the download address is:
http://support.netgear.com/product/wndr3700v4

4. Unpack the router firmware with binwalk, which can analyze the firmware's file structure. Introduction and download address for binwalk:
https://code.google.com/p/binwalk/

To install binwalk on Ubuntu, just run the "debian_quick_install.sh" script in the binwalk package; the libraries and components binwalk depends on are downloaded and installed automatically. For a more detailed introduction to binwalk and its usage, see:
https://code.google.com/p/binwalk/wiki/Usage?tm=6

5. Running MIPS programs in the Ubuntu environment also requires a Debian MIPS QEMU virtual machine. For the steps to set one up, see:
http://shadow-file.blogspot.com/2013/05/running-debian-mips-linux-in-qemu.html

6. So that the qemu-mips virtual machine in system mode can run the router firmware's MIPS programs, set up NFS file sharing between the Ubuntu host and the QEMU VM, so that the QEMU VM can access the router filesystem on the Ubuntu host via mount without copying it.

7. Log into the QEMU VM, chroot into the root of the router firmware's filesystem, and run some MIPS programs. Simple MIPS programs in the router filesystem, such as busybox, run without problems, but more complex ones such as the web server and UPnP server need the router's specific hardware environment in order to run successfully. For example, at runtime they may query the router's NVRAM (non-volatile memory) for configuration information, but the Debian MIPS QEMU VM has no NVRAM, so they fail.

8. The "nvram-faker" project solves the problem described in step 7; the download address is below. Building "nvram-faker" yields a shared library; when running MIPS programs on QEMU, preload it with the LD_PRELOAD environment variable. The library intercepts calls to the nvram_get function and supplies the configuration parameters the running MIPS program needs from an nvram.ini file. It also prints every value the MIPS program requests at runtime and marks in color the ones not found in nvram.ini. Writing the nvram.ini configuration file requires some reasonable guesswork.
https://github.com/zcutlip/nvram-faker
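Both the email and step 8 of the summary describe the nvram-faker mechanism: a preloaded library that interposes nvram_get, answers from an nvram.ini file, logs every query, and highlights keys the ini does not cover. The C program below is an added example for this page that re-implements that mechanism in miniature; it is not the nvram-faker source and is much smaller than the real project. It assumes the target binary resolves the symbol `char *nvram_get(const char *name)`, that the ini file is plain `key=value` lines, and that the path comes from an `NVRAM_FAKER_INI` environment variable (falling back to `./nvram.ini`); those names and the sample ini content are constructed for the example.

```c
/* Added example: a minimal LD_PRELOAD shim in the spirit of nvram-faker.
 * Not the nvram-faker source; a simplified re-implementation for illustration.
 * Assumptions: the target calls char *nvram_get(const char *), the ini file holds
 * "key=value" lines, and NVRAM_FAKER_INI (default ./nvram.ini) names the file. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENTRIES 256
#define MAX_KEY     64
#define MAX_VAL     256

struct nvram_entry { char key[MAX_KEY]; char val[MAX_VAL]; };

static struct nvram_entry table[MAX_ENTRIES];
static int table_len;
static int missing_count;   /* queries for keys the ini did not define */

/* Parse one "key=value" line into the table. Blank lines, '#' comments and lines
 * without '=' are skipped. Returns 1 if an entry was stored, 0 otherwise. */
static int store_line(const char *line) {
    char buf[MAX_KEY + MAX_VAL + 2];
    size_t n = strcspn(line, "\r\n");
    if (n >= sizeof buf) n = sizeof buf - 1;
    memcpy(buf, line, n);
    buf[n] = '\0';
    if (buf[0] == '\0' || buf[0] == '#') return 0;
    char *eq = strchr(buf, '=');
    if (!eq || table_len >= MAX_ENTRIES) return 0;
    *eq = '\0';
    snprintf(table[table_len].key, MAX_KEY, "%s", buf);
    snprintf(table[table_len].val, MAX_VAL, "%s", eq + 1);
    table_len++;
    return 1;
}

/* Load ini content from an in-memory string (offline demo/testing). Returns entries loaded. */
int nvram_faker_load_string(const char *ini) {
    table_len = 0;
    int loaded = 0;
    for (const char *p = ini; *p; ) {
        loaded += store_line(p);
        p += strcspn(p, "\n");
        if (*p == '\n') p++;
    }
    return loaded;
}

/* Load ini content from a file. Returns entries loaded, or -1 if it cannot be opened. */
int nvram_faker_load_file(const char *path) {
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    char line[MAX_KEY + MAX_VAL + 2];
    int loaded = 0;
    table_len = 0;
    while (fgets(line, sizeof line, f)) loaded += store_line(line);
    fclose(f);
    return loaded;
}

/* How many queried keys were missing from the ini: the list of what to add next. */
int nvram_faker_missing(void) { return missing_count; }

/* The interposed symbol. Every query is logged; keys absent from the ini are printed
 * in red (ANSI escape) and answered with NULL, mirroring what the target would see. */
char *nvram_get(const char *name) {
    for (int i = 0; i < table_len; i++) {
        if (strcmp(table[i].key, name) == 0) {
            fprintf(stderr, "[nvram_get] %s = \"%s\"\n", name, table[i].val);
            return table[i].val;
        }
    }
    missing_count++;
    fprintf(stderr, "\033[31m[nvram_get] %s = (not in ini)\033[0m\n", name);
    return NULL;
}

/* Runs when the library is mapped via LD_PRELOAD, before the target's main(). */
__attribute__((constructor)) static void nvram_faker_init(void) {
    const char *path = getenv("NVRAM_FAKER_INI");
    if (!path) path = "./nvram.ini";
    if (nvram_faker_load_file(path) < 0)
        fprintf(stderr, "[nvram-faker-lite] could not open %s\n", path);
}

/* Stand-alone demo with constructed ini content (not a real router configuration). */
int main(void) {
    nvram_faker_load_string("# constructed sample\nlan_ipaddr=192.168.1.1\nhttp_username=admin\n");
    nvram_get("lan_ipaddr");   /* found: logged normally */
    nvram_get("wan_proto");    /* missing: printed in red, returns NULL */
    return 0;
}
```

Build it as a shared object with the cross compiler for the target (for example `mips-linux-gcc -shared -fPIC -o libnvram-faker-lite.so nvram_faker_lite.c`), then run the firmware binary inside the chroot with `LD_PRELOAD=./libnvram-faker-lite.so`; the preloaded library is searched before the firmware's own libraries, so its nvram_get is the one the binary binds to. The red lines are the guesswork list the email mentions: each one is a key to add to nvram.ini before the next run. This only works for dynamically linked targets, and the real nvram-faker project is the one to use for actual work.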
