/*
Copyright (C) 2025, Yu JiaWei
*/
#include "r2pipe_impl.h"
#include "include/io.h"
/// Appends `data` to the shared buffer and wakes every thread waiting on it.
///
/// No upper bound is enforced here: the buffer grows by whatever is pushed
/// and only shrinks when a reader drains it, so a child process that writes
/// faster than it is read makes memory use grow without limit.
void RingBuffer::push(std::string_view data) {
    {
        // Hold the mutex only for the append; waiters are notified after it is released.
        std::scoped_lock guard(mutex_);
        buffer_.insert(buffer_.end(), data.cbegin(), data.cend());
    }
    not_empty_.notify_all();
}
/// Removes and returns everything currently buffered (possibly nothing).
/// Never blocks beyond acquiring the mutex.
vector<char> RingBuffer::pop_all() {
    std::scoped_lock guard(mutex_);
    vector<char> drained;
    drained.assign(buffer_.begin(), buffer_.end());
    buffer_.clear();
    return drained;
}
/// Non-blocking read up to and including the first `delimiter`.
///
/// @return the bytes through the delimiter, removed from the buffer; an empty
///         vector (buffer left untouched) when no delimiter is buffered yet.
vector<char> RingBuffer::pop_until_nonblock(char delimiter) {
    std::scoped_lock guard(mutex_);
    const auto hit = std::find(buffer_.begin(), buffer_.end(), delimiter);
    if (hit != buffer_.end()) {
        const auto past_delim = std::next(hit);
        vector<char> out(buffer_.begin(), past_delim);
        buffer_.erase(buffer_.begin(), past_delim);  // drop the part just handed out
        return out;
    }
    return {};  // delimiter not found
}
/// Blocking read up to and including the first `delimiter`.
///
/// Waits on the condition variable until either a delimiter is buffered or
/// `eof` has been set. With a delimiter present, the bytes through it are
/// removed and returned; otherwise (EOF) whatever is left is returned, which
/// may be empty and will not end in the delimiter.
vector<char> RingBuffer::pop_until(char delimiter) {
    std::unique_lock lock(mutex_);
    // Predicate form of wait(): re-checked under the lock after every wake-up.
    not_empty_.wait(lock, [&] {
        return std::find(buffer_.begin(), buffer_.end(), delimiter) != buffer_.end() || eof;
    });

    const auto hit = std::find(buffer_.begin(), buffer_.end(), delimiter);
    // Delimiter found: cut just past it. EOF without delimiter: take everything.
    const auto cut = (hit != buffer_.end()) ? std::next(hit) : buffer_.end();
    vector<char> out(buffer_.begin(), cut);
    buffer_.erase(buffer_.begin(), cut);
    return out;
}
/// Marks the stream as finished and wakes all waiters so that a blocked
/// pop_until() can return the remaining bytes instead of waiting forever.
void RingBuffer::set_eof() {
    {
        // The flag is written under the same mutex the waiters read it under.
        std::scoped_lock guard(mutex_);
        eof = true;
    }
    not_empty_.notify_all();
}
/*
将 r2pipe.h 中接口, 转发给 r2pipe_impl.h. 全部放在 r2pipe.h, 编译实在太慢.
*/
/// Builds the implementation object from the argument vector; every public
/// Process member below only forwards to it.
Process::Process(ArgvT args)
    : impl_(std::make_unique<Impl>(args)) {}

/// Defaulted here, in the translation unit where this file defines Impl's members.
Process::~Process() = default;

/// Forwards to Impl::join().
int Process::join() {
    return impl_->join();
}

/// Forwards to Impl::terminate().
int Process::terminate() {
    return impl_->terminate();
}

/// Forwards to Impl::is_alive().
bool Process::is_alive() {
    return impl_->is_alive();
}

/// Forwards to Impl::read_all().
vector<char> Process::read_all() {
    return impl_->read_all();
}

/// Forwards to Impl::read_until().
vector<char> Process::read_until(char d) {
    return impl_->read_until(d);
}

/// Forwards to Impl::read_until_nonblock().
vector<char> Process::read_until_nonblock(char d) {
    return impl_->read_until_nonblock(d);
}

/// Forwards to Impl::write().
void Process::write(span<const char> data) {
    impl_->write(data);
}

/// Forwards to the static Impl::in_path().
bool Process::in_path(ArgvT exe) {
    return Impl::in_path(exe);
}
/*
Process::Impl 的实际实现
*/
/// Spawns the child described by `args` and starts the thread that drains its output.
///
/// @throws BadArg when `args` is empty. create_subprocess() throws Error when
///         the child cannot be created.
Process::Impl::Impl(ArgvT args) {
    if (args.empty()) {
        throw BadArg("Process arguments cannot be empty");
    }
    // argv holds pointers into `args`; it is only needed for the create call.
    const auto argv = make_argv(args);
    create_subprocess(argv);
    start_reader_thread();
}
/// Destroys the subprocess handle, then asks the reader thread to stop.
///
/// NOTE(review): the handle is destroyed before the reader is stopped. The
/// reader loop calls subprocess_read_stdout(&process, ...) and is only joined
/// when the std::jthread itself is destroyed, which happens after this body if
/// reader_thread is a member as it appears. It may therefore still be reading
/// from `process` while subprocess_destroy() runs. Confirm that is safe for the
/// subprocess library in use, or stop and join the reader before destroying.
Process::Impl::~Impl() {
    subprocess_destroy(&process);
    reader_thread.request_stop();
}
/// Waits for the child via subprocess_join() and returns its exit code.
///
/// The status returned by subprocess_join() itself is not inspected; if it
/// leaves the out-parameter untouched the result is the initial -1.
int Process::Impl::join() {
    int status = -1;
    subprocess_join(&process, &status);
    return status;
}
/// Asks the subprocess library to terminate the child, then joins it.
///
/// @return whatever join() reports. The result of subprocess_terminate() is
///         not checked.
int Process::Impl::terminate() {
    subprocess_terminate(&process);
    const int status = join();
    return status;
}
/// Reports subprocess_alive() for the child, converted to bool.
bool Process::Impl::is_alive() {
    const bool alive = subprocess_alive(&process);
    return alive;
}
/// Returns everything the reader thread has buffered so far.
std::vector<char> Process::Impl::read_all() {
    return buffer.pop_all();
}

/// Returns buffered output through the first `d`, via RingBuffer::pop_until().
std::vector<char> Process::Impl::read_until(char d) {
    return buffer.pop_until(d);
}

/// Returns buffered output through the first `d`, via RingBuffer::pop_until_nonblock().
std::vector<char> Process::Impl::read_until_nonblock(char d) {
    return buffer.pop_until_nonblock(d);
}
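/// Writes `data` to the child's stdin and flushes it.
///
/// @throws Error when the stdin stream is unavailable, when fewer bytes than
///         requested were accepted, or when the flush fails.
void Process::Impl::write(std::span<const char> data) {
    FILE* p_stdin = subprocess_stdin(&process);
    if (!p_stdin)
        throw Error("stdin unavailable");

    const size_t written = fwrite(data.data(), 1, data.size(), p_stdin);
    if (written != data.size())
        throw Error("write incomplete");

    // fwrite() may only have filled the stdio buffer; the bytes reach the pipe
    // at fflush(). An unchecked failure here would leave the caller waiting on
    // a reply to a command the child never received.
    if (fflush(p_stdin) != 0)
        throw Error("write flush failed");
}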
/// Checks that `exe` can be launched through the user's PATH.
///
/// The check actually runs the command line and waits for it to exit, so
/// callers should pass a harmless invocation. The probe's exit code and output
/// are ignored; only the success of subprocess_create() decides the result.
bool Process::Impl::in_path(ArgvT exe) {
    auto argv = make_argv(exe);
    subprocess_s probe;
    const int rc = subprocess_create(argv.data(), subprocess_option_search_user_path, &probe);
    if (rc != 0) {
        return false;
    }
    subprocess_join(&probe, nullptr);
    subprocess_destroy(&probe);
    return true;
}
/// Builds a nullptr-terminated argv array pointing into `args`.
///
/// The pointers are borrowed: they are valid only while the storage behind
/// `args` is. Each element's data() is used as a C string, so every element
/// must be NUL-terminated at its end. The callers in this file build the views
/// from string literals or std::string. A view over part of a larger buffer
/// would make the consumer read past the view.
vector<const char*> Process::Impl::make_argv(ArgvT args) {
    std::vector<const char*> argv;
    argv.reserve(args.size() + 1);
    for (const auto& arg : args) {
        argv.emplace_back(arg.data());
    }
    argv.emplace_back(nullptr);  // argv terminator
    return argv;
}
/// Starts the background thread that copies the child's stdout into `buffer`.
///
/// The loop ends when a stop is requested or when a read returns no data; only
/// the latter marks the buffer EOF.
/// NOTE(review): when the loop exits because of a stop request, set_eof() is
/// not called, so a thread blocked in read_until() would stay blocked. Confirm
/// that no reader can be waiting at that point.
void Process::Impl::start_reader_thread() {
    reader_thread = std::jthread([this](std::stop_token stop) {
        char chunk[4096];
        while (!stop.stop_requested()) {
            const int got = subprocess_read_stdout(&process, chunk, sizeof(chunk));
            if (got <= 0) {
                // Nothing read: treat as end of stream and release waiters.
                buffer.set_eof();
                break;
            }
            buffer.push(std::string_view(chunk, got));
        }
    });
}
/// Creates the child process from a nullptr-terminated argv array.
///
/// stderr is merged into stdout, async reads are enabled and no console window
/// is requested. The user's PATH is not searched by these options.
///
/// @throws Error when subprocess_create() reports failure.
void Process::Impl::create_subprocess(const std::vector<const char*>& args) {
    const auto options = subprocess_option_combined_stdout_stderr
                       | subprocess_option_enable_async
                       | subprocess_option_no_window;
    const int rc = subprocess_create(args.data(), options, &process);
    if (rc != 0) {
        throw Error("Failed to create subprocess");
    }
}
/*
R2Session 的实现
*/
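/// Starts a radare2 child process, opens `target` at `load_addr`, configures
/// the architecture and runs the initial analysis passes.
///
/// `target` and `arch` are spliced into radare2 command lines, so both are
/// rejected when they contain characters the radare2 command parser treats
/// specially (see the check below).
///
/// @param target      binary to analyse; must exist.
/// @param arch        value for `e asm.arch`.
/// @param bits        value for `e asm.bits`.
/// @param big_endian  value for `e cfg.bigendian`.
/// @param entry_addr  seek target after loading; 0 skips the seek.
/// @param load_addr   address passed to the `o` (open) command.
/// @throws Error when the target does not exist, when `target`/`arch` contain
///         unsafe characters, or when radare2 is not found in PATH.
R2Session::R2Session(const Path& target,
                     const std::string& arch, int bits,
                     bool big_endian,
                     uint64_t entry_addr, uint64_t load_addr) {
    if (!fs::exists(target))
        throw Error("[R2] Target not existed");

    // The path and arch strings become part of command text sent to radare2.
    // Refuse control characters (including newlines) and the characters its
    // parser gives special meaning, so a file name cannot change the command.
    // NOTE(review): this list is conservative, not exhaustive. Confirm it
    // against the radare2 version that is shipped with the tool.
    static constexpr std::string_view kR2Special = ";|`>@~\"";
    const auto is_plain = [](std::string_view text) {
        for (const char c : text) {
            if (static_cast<unsigned char>(c) < 0x20 ||
                kR2Special.find(c) != std::string_view::npos)
                return false;
        }
        return true;
    };
    const std::string target_str = target.string();
    if (!is_plain(target_str) || !is_plain(arch))
        throw Error("[R2] Unsafe character in target path or arch");

    // The /bin directory we distribute has to be added to PATH.
    // r2 depends on MSVC140. -q0: quiet mode, -2: no boardloader (author's wording).
    if (!check_r2_in_path())
        throw Error("[R2] radare2 not in PATH");
    cmd_args_ = {
        "radare2.exe",        // the r2 command
        "-q0",                // quiet mode, no banner
        "-e", "log.level=0",  // disable log output
        // "-2",              // no boardloader
        "--"                  // start without opening a file; it is opened later with the o command
    };
    proc_ = make_unique<Process>(cmd_args_);
    read_prompt();  // initialisation: consume one \0, which is how r2 behaves

    // Open the target binary at the requested load address.
    cmd_nonblock(format("o {} 0x{:x}", target_str, load_addr));

    // Architecture configuration; only SPARC is supported for now.
    cmd_nonblock("e asm.arch=" + arch);
    cmd_nonblock("e asm.bits=" + std::to_string(bits));
    cmd_nonblock("e cfg.bigendian=" + string(big_endian ? "true" : "false"));

    // Seek to the entry address when one is given.
    if (entry_addr != 0) cmd_nonblock(format("s 0x{:x}", entry_addr));
    // Author's note: setting the load addr is not supported for now
    // (the open command above does pass load_addr).

    // Run the usual analysis passes.
    cmd("aaa");            // basic full analysis
    cmd_nonblock("aeim");  // ESIL mem map
    cmd_nonblock("afta");  // function tail analysis
}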
/// Runs `command` through cmd() and parses the reply as JSON.
/// Parse failures are reported however Json::parse() reports them.
Json R2Session::cmdj(string_view command) {
    const auto reply = cmd(command);
    return Json::parse(reply);
}
/*
================ addr2line =========================
*/
/// Reports whether `addr2line.exe -v` can be launched through PATH.
/// Process::in_path() runs that command line to find out.
static bool addr2line_in_path() {
    static std::array<string_view, 2> probe_cmd = {"addr2line.exe", "-v"};
    const span<const string_view> argv(probe_cmd);
    return Process::in_path(argv);
}
/// Resolves `pc` to a source location by running
/// `addr2line.exe -i -e <target> 0x<pc>` and returning its first output line.
///
/// The arguments are passed as an argv vector, not as a command string. Only
/// the first line is read, although -i may print more, and only a trailing
/// '\n' is stripped.
/// NOTE(review): if the tool emits "\r\n", the returned string keeps the '\r'.
/// Confirm what callers expect.
///
/// @throws BadArg when `target` does not exist; Error when addr2line is not in PATH.
string addr2line(uint64_t pc, const Path& target) {
    if (!fs::exists(target)) {
        throw BadArg("addr2line target not existed");
    }
    // addr2line -i -e xxx.elf 0x.....
    const vector<string> args = {
        "addr2line.exe", "-i", "-e", target.string(), std::format("0x{:x}", pc)};
    if (!addr2line_in_path()) {
        throw Error("addr2line not in PATH");
    }

    // The views borrow from `args`, which outlives the Process below.
    vector<string_view> argv(args.begin(), args.end());
    Process proc(argv);

    const auto line = proc.read_until('\n');
    string file(line.begin(), line.end());
    if (file.ends_with('\n')) {
        file.pop_back();
    }
    return file;
}