
The Key Technology Research Of Embedded Device Firmware Analysis

Posted on: 2017-06-06
Degree: Master
Type: Thesis
Country: China
Candidate: Q G Bao
Full Text: PDF
GTID: 2348330503492913
Subject: Computer technology
Abstract/Summary:
Traditionally, reverse analysis of embedded device firmware, including firmware suspected of carrying malicious code, is carried out on a specific hardware development board. Because the processor architectures found in firmware are so diverse, a firmware reverse-analysis method and its tools must scale across multiple processor architectures. To reduce hardware cost and cover that diversity, this thesis improves on development-board analysis by analysing firmware through remote debugging on the QEMU emulator, which frees researchers from the difficulty of obtaining and working with development-board hardware. Embedded device firmware is distributed as a .bin binary image, and during development it runs on the development board for debugging. Because an embedded system has limited resources, the kernel inside the firmware is linked to fixed physical addresses (direct address mapping) and can run only in its specific hardware environment, so it cannot be used directly in a virtual emulation environment. To run embedded firmware under emulation and to support debugging across diverse processor architectures, this thesis proposes the following approach: first parse the device firmware and identify the type of kernel it was built from; then cross-compile a matching kernel and a statically linked debugger; finally boot the compiled kernel with a hand-built root file system, so that the firmware's programs run under emulation. A further problem is that the QEMU target machine itself has limited resources: debugging an application directly with QEMU's built-in GDB stub forces the emulator to flush and recompile its translated code blocks frequently, which makes debugging slow and awkward and gives a poor user experience.
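The firmware-parsing step above (locate the kernel inside the .bin image and read off its architecture, operating system, compression and load address before choosing a cross-compilation and emulation target) is shown here as an added example in Python; it is not the thesis's own tool. It assumes the image uses the U-Boot legacy uImage header, which is common on network devices. The CRC-checked scan, the constructed sample flash dump and the emulator/toolchain mapping are the example's own assumptions, not something the thesis specifies.

```python
"""Locate and parse U-Boot legacy (uImage) headers inside a raw firmware .bin dump.
Added example, not the thesis's code. Header layout and the os/arch/type/comp codes
follow U-Boot's include/image.h (only the codes used here are listed)."""
import struct
import zlib

UIMAGE_MAGIC = 0x27051956
# magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name (big-endian, 64 bytes)
HEADER_FMT = ">IIIIIIIBBBB32s"
HEADER_LEN = struct.calcsize(HEADER_FMT)

IH_OS = {5: "linux", 14: "vxworks", 17: "u-boot"}
IH_ARCH = {2: "arm", 3: "i386", 5: "mips", 6: "mips64", 7: "ppc", 22: "arm64"}
IH_TYPE = {2: "kernel", 3: "ramdisk", 4: "multi", 5: "firmware", 7: "filesystem"}
IH_COMP = {0: "none", 1: "gzip", 2: "bzip2", 3: "lzma", 4: "lzo"}

# Emulator binary and cross-toolchain prefix per header arch: an assumption made for
# this example, not a table from the thesis. The header is always big-endian, so for
# "mips" it does NOT tell you whether the payload is mips or mipsel; inspect the kernel.
EMU_TARGET = {
    "arm":   ("qemu-system-arm",     "arm-linux-gnueabi-"),
    "arm64": ("qemu-system-aarch64", "aarch64-linux-gnu-"),
    "mips":  ("qemu-system-mips",    "mips-linux-gnu-"),
    "ppc":   ("qemu-system-ppc",     "powerpc-linux-gnu-"),
}


def build_uimage(payload, os_code, arch_code, type_code, comp_code, load, ep, name):
    """Assemble a legacy uImage around payload (used only to construct sample input)."""
    dcrc = zlib.crc32(payload) & 0xFFFFFFFF
    fields = [UIMAGE_MAGIC, 0, 0x5A000000, len(payload), load, ep, dcrc,
              os_code, arch_code, type_code, comp_code, name.encode().ljust(32, b"\0")]
    hdr = struct.pack(HEADER_FMT, *fields)
    fields[1] = zlib.crc32(hdr) & 0xFFFFFFFF       # header CRC is computed with hcrc == 0
    return struct.pack(HEADER_FMT, *fields) + payload


def parse_uimage(blob, offset=0):
    """Parse and CRC-check the uImage at blob[offset:]; ValueError on any mismatch."""
    if offset + HEADER_LEN > len(blob):
        raise ValueError("truncated header")
    hdr = blob[offset:offset + HEADER_LEN]
    (magic, hcrc, _time, size, load, ep, dcrc,
     os_code, arch_code, type_code, comp_code, name) = struct.unpack(HEADER_FMT, hdr)
    if magic != UIMAGE_MAGIC:
        raise ValueError("bad magic")
    if zlib.crc32(hdr[:4] + b"\0\0\0\0" + hdr[8:]) & 0xFFFFFFFF != hcrc:
        raise ValueError("header CRC mismatch")
    data = blob[offset + HEADER_LEN:offset + HEADER_LEN + size]
    if len(data) != size or zlib.crc32(data) & 0xFFFFFFFF != dcrc:
        raise ValueError("data CRC mismatch or truncated payload")
    arch = IH_ARCH.get(arch_code, "unknown(%d)" % arch_code)
    return {
        "offset": offset, "size": size, "load": load, "entry": ep, "arch": arch,
        "os": IH_OS.get(os_code, "unknown(%d)" % os_code),
        "type": IH_TYPE.get(type_code, "unknown(%d)" % type_code),
        "comp": IH_COMP.get(comp_code, "unknown(%d)" % comp_code),
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "emulator": EMU_TARGET.get(arch),
    }


def find_uimages(blob):
    """Scan a raw flash dump for every CRC-valid uImage; a bare magic match is not enough."""
    magic = struct.pack(">I", UIMAGE_MAGIC)
    found, pos = [], blob.find(magic)
    while pos != -1:
        try:
            found.append(parse_uimage(blob, pos))
        except ValueError:
            pass                                     # stray magic bytes in data; keep scanning
        pos = blob.find(magic, pos + 1)
    return found


# Constructed sample dump (not a real firmware): bootloader filler, a decoy magic with no
# valid header, then a MIPS Linux kernel image and a ramdisk image, as a router might lay out.
KERNEL_PAYLOAD = bytes(range(256)) * 8
RAMDISK_PAYLOAD = b"\x1f\x8b" + b"\x00" * 510
SAMPLE_DUMP = (
    b"\xff" * 4096
    + struct.pack(">I", UIMAGE_MAGIC) + b"\x00" * 60   # decoy: magic present, CRC wrong
    + build_uimage(KERNEL_PAYLOAD, 5, 5, 2, 3, 0x80001000, 0x80001000, "MIPS Linux-2.6.31")
    + build_uimage(RAMDISK_PAYLOAD, 5, 5, 3, 1, 0, 0, "rootfs")
)

if __name__ == "__main__":
    for img in find_uimages(SAMPLE_DUMP):
        print(img)
```

The load and entry addresses recovered here are the fixed physical addresses the abstract refers to; they are what you hand to the emulator (and what a bare QEMU machine model will not honour unless its memory map matches), and the arch code is what decides which cross-toolchain builds the replacement kernel and statically linked debugger.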
To avoid the overhead of QEMU's built-in GDB stub, the thesis cross-compiles and ports a lightweight gdbserver debug agent to the target and pairs it with GDB on the host; the two communicate over the GDB Remote Serial Protocol (RSP), so the target program inside the firmware is debugged in the GDB + gdbserver remote-debugging fashion. To relieve researchers of working through QEMU itself, the host and the target machine are joined by bridged networking and share files over an NFS mount, so the researcher controls the debugged application on the target directly from the host. This also removes the instability and awkwardness of the traditional serial-port or JTAG debug-interface links. The work therefore gives researchers without development-board hardware an effective way to emulate binary embedded-device firmware on QEMU and to trace and remotely debug its applications dynamically, and it provides a sound platform for reverse analysis. At the same time it improves the traditional firmware-analysis mechanism: a firmware-analysis model based on remote debugging over a dynamic emulator enhances scalability and moves the debugging process from the traditional "single-architecture debugging" model to a "system-level debugging" model.
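The GDB + gdbserver exchange described above runs over RSP, a text protocol of `$payload#checksum` packets acknowledged with `+` or `-`. The following is an added example in Python, written for this page rather than taken from the thesis or from gdbserver: it implements RSP framing, checksums and escaping as GDB specifies them, and a toy target that answers a handful of commands (stop reason, memory read, binary write, software breakpoint, continue, registers) so the two sides' messages can be seen end to end. The target's memory window, its single-register `g` layout and the sample addresses are constructed for illustration; a real target's register layout is architecture-specific.

```python
"""GDB Remote Serial Protocol (RSP) between a gdb-side client and a gdbserver-side target:
framing, checksums, escaping, acks and a few commands served by a toy target.
Added example; not the thesis's debug agent and not real gdbserver code."""

PACKET_MAX = 4096


def checksum(body: bytes) -> int:
    return sum(body) & 0xFF


def frame(payload: bytes) -> bytes:
    """$<escaped>#<2 hex>. '}', '$', '#', '*' become '}' + (byte ^ 0x20); the checksum
    is taken over the escaped bytes, which is how gdb and gdbserver compute it."""
    esc = bytearray()
    for b in payload:
        esc += b"}" + bytes([b ^ 0x20]) if b in b"}$#*" else bytes([b])
    return b"$" + bytes(esc) + b"#%02x" % checksum(esc)


def unframe(raw: bytes) -> bytes:
    """Check framing and checksum, then undo escaping; ValueError is what earns a '-' NAK."""
    if len(raw) < 4 or raw[:1] != b"$" or raw[-3:-2] != b"#":
        raise ValueError("malformed packet")
    body = raw[1:-3]
    if checksum(body) != int(raw[-2:], 16):
        raise ValueError("checksum mismatch")
    out, i = bytearray(), 0
    while i < len(body):
        if body[i] == 0x7D:                        # '}' escape prefix
            out.append(body[i + 1] ^ 0x20)
            i += 2
        else:
            out.append(body[i])
            i += 1
    return bytes(out)


class ToyTarget:
    """Plays the gdbserver side: one flat memory window, a program counter, breakpoints."""

    def __init__(self, base: int, image: bytes):
        self.base, self.mem, self.pc, self.bps = base, bytearray(image), base, set()

    def _window(self, spec: bytes):
        addr, n = (int(x, 16) for x in spec.split(b","))
        off = addr - self.base
        if off < 0 or off + n > len(self.mem):
            raise IndexError("address outside target memory")
        return off, n

    def handle(self, pkt: bytes) -> bytes:
        cmd, args = pkt[:1], pkt[1:]
        try:
            if cmd == b"?":                                    # why is the target stopped?
                return b"S05"                                  # SIGTRAP
            if cmd == b"q" and args.startswith(b"Supported"):
                return b"PacketSize=%x" % PACKET_MAX
            if cmd == b"g":                                    # register file; real layout is
                return self.pc.to_bytes(4, "little").hex().encode()   # per-arch, toy: one pc
            if cmd == b"m":                                    # m addr,len -> hex bytes
                off, n = self._window(args)
                return bytes(self.mem[off:off + n]).hex().encode()
            if cmd == b"X":                                    # X addr,len:<raw bytes>
                spec, data = args.split(b":", 1)
                off, n = self._window(spec)
                if len(data) != n:
                    return b"E22"                              # EINVAL-style: length mismatch
                self.mem[off:off + n] = data
                return b"OK"
            if cmd in (b"Z", b"z") and args[:2] == b"0,":      # software breakpoint insert/remove
                addr = int(args[2:].split(b",")[0], 16)
                (self.bps.add if cmd == b"Z" else self.bps.discard)(addr)
                return b"OK"
            if cmd == b"c":                                    # continue until a breakpoint hits
                while self.pc + 4 < self.base + len(self.mem):
                    self.pc += 4
                    if self.pc in self.bps:
                        return b"S05"
                return b"W00"                                  # ran off the end: exit status 0
        except (IndexError, ValueError):
            return b"E14"                                      # EFAULT-style: bad address
        return b""                                             # empty reply: unsupported command


class Link:
    """Stands in for the TCP socket and does the '+'/'-' acknowledgement gdb uses by default."""

    def __init__(self, target: ToyTarget):
        self.target, self.transcript = target, []

    def send(self, payload: bytes) -> bytes:
        raw = frame(payload)
        self.transcript.append(b"-> " + raw)
        try:
            request = unframe(raw)
        except ValueError:                                     # corrupted on the wire: NAK
            self.transcript.append(b"<- -")
            raise
        reply = frame(self.target.handle(request))
        self.transcript.append(b"<- +" + reply)                # ack, then the answer
        return unframe(reply)


def session() -> dict:
    """What gdb does after `target remote host:port`, against a constructed 64-byte code
    window at a MIPS-style kernel address (sample data, not a real firmware)."""
    base = 0x80001000
    link = Link(ToyTarget(base, bytes(range(64))))
    r = {"supported": link.send(b"qSupported:multiprocess+")}
    r["stop"] = link.send(b"?")
    r["mem"] = link.send(b"m%x,8" % (base + 8))
    r["write"] = link.send(b"X%x,4:" % (base + 8) + b"}$#*")   # bytes that must be escaped
    r["mem_after"] = link.send(b"m%x,8" % (base + 8))
    r["bp"] = link.send(b"Z0,%x,4" % (base + 16))
    r["cont"] = link.send(b"c")
    r["regs"] = link.send(b"g")
    r["bad"] = link.send(b"m%x,4" % (base - 16))
    r["wire"] = link.transcript
    return r


if __name__ == "__main__":
    for line in session()["wire"]:
        print(line)
```

Two points worth noticing when debugging a real target this way: the checksum is only an integrity check, not authentication, so anything on the bridged network between host and target can inject packets, which is one reason to keep that bridge on an isolated host-only segment; and an empty reply means "unsupported", so a debug agent ported to a new architecture can start with this small command set and let GDB degrade gracefully.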
Keywords/Search Tags: network device firmware, reverse analysis, QEMU, root file system, debugger