The Official Radare2 Book — страница 48 из 64

So, when radare reads a block of bytes, it is the task of an IO plugin to get these bytes from any place and put them into internal buffer. An IO plugin is chosen by a file's URI to be opened. Some examples:

   • Debugging URIs

$ r2 dbg:///bin/ls

$ r2 pid://1927

   • Remote sessions

$ r2 rap://:1234

$ r2 rap://:1234//bin/ls

   • Virtual buffers

$ r2 malloc://512

shortcut for

$ r2 -

You can get a list of the radare IO plugins by typing radare2 -L:

$ r2 -L

rw_ ar Open ar/lib files [ar|lib]://[file//path] (LGPL3)

rw_ bfdbg BrainFuck Debugger (bfdbg://path/to/file) (LGPL3)

rwd bochs Attach to a BOCHS debugger (LGPL3)

r_d debug Native debugger (dbg:///bin/ls dbg://1388 pidof:// waitfor://) (LGPL3) v0.2.0 pancake

rw_ default open local files using def_mmap:// (LGPL3)

rwd gdb Attach to gdbserver, 'qemu -s', gdb://localhost:1234 (LGPL3)

rw_ gprobe open gprobe connection using gprobe:// (LGPL3)

rw_ gzip read/write gzipped files (LGPL3)

rw_ http http get (http://rada.re/) (LGPL3)

rw_ ihex Intel HEX file (ihex://eeproms.hex) (LGPL)

r__ mach mach debug io (unsupported in this platform) (LGPL)

rw_ malloc memory allocation (malloc://1024 hex://cd8090) (LGPL3)

rw_ mmap open file using mmap:// (LGPL3)

rw_ null null-plugin (null://23) (LGPL3)

rw_ procpid /proc/pid/mem io (LGPL3)

rwd ptrace ptrace and /proc/pid/mem (if available) io (LGPL3)

rwd qnx Attach to QNX pdebug instance, qnx://host:1234 (LGPL3)

rw_ r2k kernel access API io (r2k://) (LGPL3)

rw_ r2pipe r2pipe io plugin (MIT)

rw_ r2web r2web io client (r2web://cloud.rada.re/cmd/) (LGPL3)

rw_ rap radare network protocol (rap://:port rap://host:port/file) (LGPL3)

rw_ rbuf RBuffer IO plugin: rbuf:// (LGPL)

rw_ self read memory from myself using 'self://' (LGPL3)

rw_ shm shared memory resources (shm://key) (LGPL3)

rw_ sparse sparse buffer allocation (sparse://1024 sparse://) (LGPL3)

rw_ tcp load files via TCP (listen or connect) (LGPL3)

rwd windbg Attach to a KD debugger (windbg://socket) (LGPL3)

rwd winedbg Wine-dbg io and debug.io plugin for r2 (MIT)

rw_ zip Open zip files [apk|ipa|zip|zipall]://[file//path] (BSD)

Implementing a new disassembly plugin

Radare2 has modular architecture, thus adding support for a new architecture is very easy, if you are fluent in C. For various reasons it might be easier to implement it out of the tree. For this we will need to create single C file, called asm_mycpu.c and makefile for it.

The key thing of RAsm plugin is a structure

RAsmPlugin r_asm_plugin_mycpu = {

.name = "mycpu",

.license = "LGPL3",

.desc = "MYCPU disassembly plugin",

.arch = "mycpu",

.bits = 32,

.endian = R_SYS_ENDIAN_LITTLE,

.disassemble = &disassemble

};

where .disassemble is a pointer to disassembly function, which accepts the bytes buffer and length:

static int disassemble(RAsm *a, RAsmOp *op, const ut8 *buf, int len)

Makefile

NAME=asm_snes

R2_PLUGIN_PATH=$(shell r2 -H R2_USER_PLUGINS)

LIBEXT=$(shell r2 -H LIBEXT)

CFLAGS=-g -fPIC $(shell pkg-config --cflags r_anal)

LDFLAGS=-shared $(shell pkg-config --libs r_anal)

OBJS=$(NAME).o

LIB=$(NAME).$(LIBEXT)


all: $(LIB)


clean:

rm -f $(LIB) $(OBJS)


$(LIB): $(OBJS)

$(CC) $(CFLAGS) $(LDFLAGS) $(OBJS) -o $(LIB)


install:

cp -f asm_mycpu.$(SO_EXT) $(R2_PLUGIN_PATH)


uninstall:

rm -f $(R2_PLUGIN_PATH)/asm_mycpu.$(SO_EXT)

asm_mycpu.c

/* radare - LGPL - Copyright 2018 - user */


#include 

#include 

#include 

#include 

#include 


static int disassemble(RAsm *a, RAsmOp *op, const ut8 *buf, int len) {

struct op_cmd cmd = {

.instr = "",

.operands = ""

};

if (len < 2) return -1;

int ret = decode_opcode (buf, len, &cmd);

if (ret > 0) {

snprintf (op->buf_asm, R_ASM_BUFSIZE, "%s %s",

cmd.instr, cmd.operands);

}

return op->size = ret;

}


RAsmPlugin r_asm_plugin_mycpu = {

.name = "mycpu",

.license = "LGPL3",

.desc = "MYCPU disassembly plugin",

.arch = "mycpu",

.bits = 32,

.endian = R_SYS_ENDIAN_LITTLE,

.disassemble = &disassemble

};


#ifndef R2_PLUGIN_INCORE

R_API RLibStruct radare_plugin = {

.type = R_LIB_TYPE_ASM,

.data = &r_asm_plugin_mycpu,

.version = R2_VERSION

};

#endif

After compiling radare2 will list this plugin in the output:

_d__ _8_32 mycpu LGPL3 MYCPU

Moving plugin into the tree

Pushing a new architecture into the main branch of r2 requires to modify several files in order to make it fit into the way the rest of plugins are built.

List of affected files:

   • plugins.def.cfg : add the asm.mycpu plugin name string in there

   • libr/asm/p/mycpu.mk : build instructions

   • libr/asm/p/asm_mycpu.c : implementation

   • libr/include/r_asm.h : add the struct definition in there

Check out how the NIOS II CPU disassembly plugin was implemented by reading those commits:

Implement RAsm plugin: https://github.com/radareorg/radare2/commit/933dc0ef6ddfe44c88bbb261165bf8f8b531476b

Implement RAnal plugin: https://github.com/radareorg/radare2/commit/ad430f0d52fbe933e0830c49ee607e9b0e4ac8f2

Implementing a new analysis plugin

After implementing disassembly plugin, you might have noticed that output is far from being good - no proper highlighting, no reference lines and so on. This is because radare2 requires every architecture plugin to provide also analysis information about every opcode. At the moment the implementation of disassembly and opcodes analysis is separated between two modules - RAsm and RAnal. Thus we need to write an analysis plugin too. The principle is very similar - you just need to create a C file and corresponding Makefile.

They structure of RAnal plugin looks like

RAnalPlugin r_anal_plugin_v810 = {

.name = "mycpu",

.desc = "MYCPU code analysis plugin",

.license = "LGPL3",

.arch = "mycpu",

.bits = 32,

.op = mycpu_op,

.esil = true,

.set_reg_profile = set_reg_profile,

};

Like with disassembly plugin there is a key function - mycpu_op which scans the opcode and builds RAnalOp structure. On the other hand, in this example analysis plugins also performs uplifting to ESIL, which is enabled in .esil = true statement. Thus, mycpu_op obliged to fill the corresponding RAnalOp ESIL field for the opcodes. Second important thing for ESIL uplifting and emulation - register profile, like in debugger, which is set within set_reg_profile function.

Makefile

NAME=anal_snes

R2_PLUGIN_PATH=$(shell r2 -H R2_USER_PLUGINS)

LIBEXT=$(shell r2 -H LIBEXT)

CFLAGS=-g -fPIC $(shell pkg-config --cflags r_anal)

LDFLAGS=-shared $(shell pkg-config --libs r_anal)

OBJS=$(NAME).o

LIB=$(NAME).$(LIBEXT)


all: $(LIB)


clean:

rm -f $(LIB) $(OBJS)


$(LIB): $(OBJS)

$(CC) $(CFLAGS) $(LDFLAGS) $(OBJS) -o $(LIB)


install:

Оглавление

К карточке книги