Router Reverse Engineering ------ A Brief Overview of Router Firmware Analysis and Dynamic Debugging Environment Setup

Blog address of this article: http://blog.csdn.net/qq1084283172/article/details/70140865


01. The original text on router firmware analysis and dynamic debugging environment setup

The blog post "Emulating and Debugging Workspace" is fairly old, but it describes in detail the steps for setting up a router firmware analysis and dynamic debugging environment, together with some important information. To avoid errors introduced by translation, the author's original text is copied here for study; the ideas in the author's post are organized into steps afterwards.


A grad student emailed me in response to my Netgear auth bypass post. He's working on a research project and wanted to know if I knew of any resources or techniques to use emulation for executing and debugging the net-cgi binary in the Netgear firmware. It turns out I've got all the resources to do just that. I replied with a description of my workspace and some links to resources I use, and, in many cases, have developed. I thought this might make an interesting blog post, but I don't really have time to write it up all blog-post-like. Instead I'll just paste in my email. Maybe it'll be useful to other people as well.

Hello,

I think the best approach is to describe how I set up my tool chain and environment. Hopefully that will be helpful for you.

To start with, I do my work in an Ubuntu VM. Specifically 12.04. I don't think the exact release matters, but I know 12.04 works with my tools.

I keep a set of cross compilers in my path for various architectures. In my opinion, building with a cross compiler is faster and easier than building with gcc inside QEMU. I recommend building a set of cross-compiling toolchains using Buildroot. Buildroot uses a Linux Kernel-style menuconfig build system. I don't have anything written up on building cross compilers, but I could probably send you my buildroot configuration if you need it, and if I can find it.

You can download the firmware for the router from Netgear's support website.
Here's a link to the firmware:
http://support.netgear.com/product/wndr3700v4
In order to unpack the firmware, I recommend my colleague Craig Heffner's tool, Binwalk:
https://code.google.com/p/binwalk/
Binwalk will analyze a binary file and describe the subcomponents it finds within, such as filesystems, compressed kernel, etc. Additionally, it can unpack the subcomponents it finds, assuming it knows how.
Install binwalk in your Ubuntu environment using the "debian_quick_install.sh" installation script, which will apt-get install a number of dependencies.
Rather than describe binwalk's usage, I'll refer you to the wiki:
https://code.google.com/p/binwalk/wiki/Usage?tm=6
Also, in your Ubuntu environment you'll need a Debian MIPS QEMU system that you can use to emulate the firmware's binaries.

I found lots of information about running Debian in QEMU, but most of it was incomplete, and a lot of it was inconsistent, so I've written a blog post describing how I set up my QEMU systems:
http://shadow-file.blogspot.com/2013/05/running-debian-mips-linux-in-qemu.html
This is just personal, but I like to export my workspace to the QEMU machines via NFS. In fact, I export my workspace from my Mac via NFS, and my Ubuntu VMs and Debian QEMU VMs all mount the same directory. That way I'm not having to copy firmware, scripts and debuggers around.

Once logged into your QEMU VM, you can chroot into the router's firmware and run some of its binaries:

firmware_rootfs # chroot . /bin/sh
#

The simple ones, such as busybox, will run with no problem. The web server, upnp server, etc. are more complicated because they make a lot of assumptions about the router's specific hardware being present.

One of the problems you run into has to do with queries to NVRAM for runtime configuration. Obviously, your Debian MIPS Linux has no NVRAM, so these queries will fail. For that, I have a project called "nvram-faker":
https://github.com/zcutlip/nvram-faker
You build the library for your target and preload it using the LD_PRELOAD environment variable. It intercepts calls to nvram_get and provides answers based on the contents of an nvram.ini file that you provide. It prints all the nvram queries to stdout, and colorizes the ones that it couldn't find in the .ini file. Obviously it takes some guesswork to provide sane configuration parameters.

Sometimes you can skip running the web server and just run the cgi binaries from a shell script. Most cgi binaries take their input from the web server as a combination of standard input and environment variables. They send their response to the web server over standard output.

I hope this helps.  Let me know if I can help any other way.

Zach 


02. Organized steps for setting up the router firmware analysis and dynamic debugging environment

1. Create an Ubuntu 12.04 virtual machine.

2. Use Buildroot to build a cross-compilation toolchain for MIPS programs. Buildroot builds the toolchain using a Linux kernel-style menuconfig configuration system.

3. Download the firmware the router runs from the router vendor's official website. Taking Netgear as an example, the download address is:
http://support.netgear.com/product/wndr3700v4

4. Unpack the router firmware with the binwalk tool, which can analyze the file structure that makes up the firmware. Introduction and download address for binwalk:
https://code.google.com/p/binwalk/

To install binwalk on Ubuntu, just run the "debian_quick_install.sh" script shipped in the binwalk package; the dependency libraries and components binwalk needs are downloaded and installed automatically. A more detailed introduction to binwalk and its usage is at:
https://code.google.com/p/binwalk/wiki/Usage?tm=6

5. Running MIPS programs under Ubuntu also requires a Debian MIPS QEMU virtual machine. For the steps to set up a MIPS QEMU virtual machine, see:
http://shadow-file.blogspot.com/2013/05/running-debian-mips-linux-in-qemu.html

6. So that the qemu-mips virtual machine running in system mode can execute the MIPS programs from the router firmware, set up NFS file sharing between the Ubuntu host and the QEMU virtual machine, so that the QEMU virtual machine can access the router's filesystem on the Ubuntu host via mount instead of copying it.

7. Log in to the QEMU virtual machine, chroot into the root directory of the router firmware's filesystem, and run some of the MIPS programs. Simple MIPS programs in the router filesystem, such as busybox, run directly without problems, but more complex ones such as the router's web server, upnp server, etc. need the support of the router's specific hardware environment to run successfully. For example, when they run they may read configuration information from the router's NVRAM (non-volatile memory), but the Debian MIPS QEMU virtual machine has no NVRAM, so they fail.

8. The "nvram-faker" project solves the problem mentioned in step 7; the download address is below. Build the "nvram-faker" project to get a shared library, and preload that library through the LD_PRELOAD environment variable when running MIPS programs on QEMU. The library intercepts calls to the nvram_get function and supplies the configuration parameters the running MIPS program needs from an nvram.ini file. The library also prints the values the MIPS program asks for at runtime and marks in color the ones that cannot be found in nvram.ini. Writing the nvram.ini configuration file requires some reasonable guesswork.
https://github.com/zcutlip/nvram-faker
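As an added example (not nvram-faker's own code and not part of the original post), the following minimal interposer shows the mechanism that Zach's description above and step 8 outline: it answers nvram_get from an nvram.ini-style key=value table, logs every query, and highlights in red the keys that are missing. It assumes the firmware's NVRAM API has the common signature `char *nvram_get(const char *name)`, and replaces the on-disk ini file with a constructed inline string so it runs offline.

```c
/* Added example, not nvram-faker's own code: a minimal nvram_get interposer.
 * Assumes the firmware's API is `char *nvram_get(const char *name)` (NULL when
 * unset). The real technique builds this as a .so and runs the target binary
 * inside the firmware chroot with LD_PRELOAD pointing at that library. */
#include <stdio.h>
#include <string.h>
#define MAX_ENTRIES 64
#define MAX_LEN 128
struct entry { char key[MAX_LEN]; char val[MAX_LEN]; };
static struct entry table[MAX_ENTRIES]; static int nentries;
/* Constructed stand-in for nvram.ini; the real tool reads the file from disk. */
static const char sample_ini[] =
    "lan_ipaddr=192.168.1.1\n"
    "wan_proto=dhcp\n"
    "# comments and blank lines are ignored\n"
    "\n"
    "http_passwd=changeme\n";
/* Parse key=value lines into the table; returns the number of entries loaded. */
int nvram_faker_load(const char *text)
{
    const char *p = text;
    nentries = 0;
    while (*p && nentries < MAX_ENTRIES) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        const char *eq = memchr(p, '=', len);
        if (eq && *p != '#') {
            size_t klen = (size_t)(eq - p), vlen = len - klen - 1;
            if (klen < MAX_LEN && vlen < MAX_LEN) {
                memcpy(table[nentries].key, p, klen); table[nentries].key[klen] = '\0';
                memcpy(table[nentries].val, eq + 1, vlen); table[nentries].val[vlen] = '\0';
                nentries++;
            }
        }
        p = eol ? eol + 1 : p + len;
    }
    return nentries;
}
/* Interposed nvram_get: logs each query and colors misses red, like the faker. */
char *nvram_get(const char *name)
{
    if (nentries == 0) nvram_faker_load(sample_ini);
    for (int i = 0; i < nentries; i++)
        if (strcmp(table[i].key, name) == 0) {
            fprintf(stderr, "nvram_get(\"%s\") -> \"%s\"\n", name, table[i].val);
            return table[i].val;
        }
    fprintf(stderr, "\033[31mnvram_get(\"%s\") not in ini -> NULL\033[0m\n", name);
    return NULL;
}
```

The red lines in the log are exactly the keys you still have to guess values for and add to nvram.ini before the target binary gets past its configuration lookups.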
