radareorg / radare2-r2pipe

Access radare2 via pipe from any programming language!

Feed r2pipe with u?int8_t* #94

Closed ghost closed 5 years ago

ghost commented 5 years ago

I'm holding a PE in a uint8_t* buffer, and I want to give it to r2 through r2pipe for basic analysis. I can't find a way to do it without creating a temporary file.

Does anyone have an idea?

radare commented 5 years ago

o malloc://sizeofbuffer
wx ...bytesofthisbuffer..
oba $$

there's a faster way to transfer data between host and target via r2pipe, but that depends on the backend and language you use, obv wx needs to be truncated into blocks because you can't feed megabytes of chars in a single line to r2

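The `o malloc://` / chunked `wx` / `oba $$` recipe above, as an added Python example (not code from the r2pipe project): it generates the command sequence so that no single `wx` line carries megabytes of hex, sends it through any r2pipe-style `cmd` callable, and reads the bytes back to check the copy. The `load_commands`, `feed_r2` and `verify` names and the 1 KiB chunk size are my own assumptions.

```python
"""Added example (not code from radare2-r2pipe): load an in-memory buffer into
an r2 session with `o malloc://`, chunked `wx` writes and `oba $$`."""
from typing import Callable, Iterator

CHUNK = 1024  # bytes per wx command: 2 KiB of hex per line, well under what r2 accepts


def load_commands(data: bytes, chunk: int = CHUNK) -> Iterator[str]:
    """Yield the r2 commands that copy `data` into a fresh in-memory file.

    `o malloc://N` opens an N-byte writable file backed by heap memory,
    each `wx <hex> @ <off>` writes one chunk at its offset (the `@` suffix
    restores the seek afterwards, so `$$` stays at 0), and `oba $$` runs
    the bin loader on it so `ie`, `ii`, `aaa` ... work as for a file on disk.
    """
    if not data:
        raise ValueError("refusing to load an empty buffer")
    if chunk <= 0:
        raise ValueError("chunk size must be positive")
    yield f"o malloc://{len(data)}"
    for off in range(0, len(data), chunk):
        yield f"wx {data[off:off + chunk].hex()} @ {off}"
    yield "oba $$"


def feed_r2(cmd: Callable[[str], str], data: bytes, chunk: int = CHUNK) -> int:
    """Send the load sequence through an r2pipe-style `cmd` callable, e.g.
    `r2 = r2pipe.open(...); feed_r2(r2.cmd, pe_bytes)`. Returns the number
    of commands issued."""
    count = 0
    for line in load_commands(data, chunk):
        cmd(line)
        count += 1
    return count


def verify(cmd: Callable[[str], str], data: bytes) -> bool:
    """Read the bytes back with `p8` and check the copy is intact; a mismatch
    usually means a chunk was too long for the command line and got cut."""
    got = cmd(f"p8 {len(data)} @ 0").strip()
    try:
        return bytes.fromhex(got) == data
    except ValueError:  # r2 printed an error message instead of hex
        return False
```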

ghost commented 5 years ago

I'm using C++ with the C binding (r_socket.h)

radare commented 5 years ago

then you can use the native r2pipe backend, get the RCore instance and do something like:

RIO *io = core->io;
RBuffer *buf = r_buf_new_with_bytes (...);
RIODesc *d = r_io_open_buffer (io, buf, R_PERM_R, 0);


ghost commented 5 years ago

I'll try that. Thanks. Anyways, it could be nice if we could do that only with r2pipe, without using libr directly.

radare commented 5 years ago

Any PoC is welcome


ghost commented 5 years ago

You mean a PoC with your suggestion?

radare commented 5 years ago

the suggestion was from you


ghost commented 5 years ago

Okay, so I have my core, my RBuffer and my RIODesc (using r_io_open_buffer), I bound the core to the R2Pipe using r_core_bind and then r2pipe_open_corebind, and if I try the ie cmd, nothing happens. I tried a px 42 too, nothing. I tried using directly r_core_cmd0(core, "px 42"), still nothing.

Maybe I'm missing a step between the moment I get the RIODesc and the moment I execute cmds ?

(Note: I've followed your step with core->io etc)

Here is my code:

#include <cstdlib>
#include <iostream>
#include <fstream>
#include <iterator>
#include <vector>

#include <libr/r_core.h>
#include <libr/r_socket.h>   // R2Pipe, r2pipe_open_corebind, r2pipe_cmd, r2pipe_close
#include <libr/r_types.h>
#include <libr/r_util/r_buf.h>
#include <libr/r_util/r_log.h>

int main(int argc, char *argv[]) {
  // argv[1] is the binary, argv[2] the r2 command to run on it (e.g. "ie")
  if (argc < 3) {
    std::cerr << "Usage: " << argv[0] << " <BINARY> <R2CMD>" << std::endl;
    return 1;
  }

  // Read the whole file into memory in binary mode (no newline translation)
  std::vector<uint8_t> buf;
  {
    std::ifstream pe(argv[1], std::ios::binary);
    if (!pe.is_open()) {
      std::cerr << "Unable to open " << argv[1] << std::endl;
      return 1;
    }
    std::cout << argv[1] << " opened" << std::endl;
    buf.assign(std::istreambuf_iterator<char>(pe), std::istreambuf_iterator<char>());
    if (buf.empty()) {
      std::cerr << "Unable to read " << argv[1] << std::endl;
      return 1;
    }
    std::cout << argv[1] << " read (" << buf.size() << " bytes)" << std::endl;
  }

  RCore *core = r_core_new();
  if (!core) {
    std::cerr << "Unable to init core" << std::endl;
    return 1;
  }
  std::cout << "r2 core init" << std::endl;

  RIO *io = core->io;
  // r_buf_new_with_bytes copies the data, so the RBuffer owns its own copy
  RBuffer *rbuf = r_buf_new_with_bytes(buf.data(), buf.size());
  if (!rbuf) {
    std::cerr << "Unable to init a RBuffer" << std::endl;
    r_core_free(core);
    return 1;
  }
  std::cout << "RBuffer init" << std::endl;

  // Expose the RBuffer to the core's IO layer as a read-only file descriptor
  RIODesc *desc = r_io_open_buffer(io, rbuf, R_PERM_R, 0);
  if (!desc) {
    r_buf_free(rbuf);
    r_core_free(core);
    std::cerr << "Unable to attach the buffer to the core" << std::endl;
    return 1;
  }
  std::cout << "RBuffer attached to core through RIODesc" << std::endl;

  // Bind the in-process core so r2pipe talks to it instead of spawning r2
  RCoreBind corebind;
  if (!r_core_bind(core, &corebind)) {
    r_buf_free(rbuf);
    r_core_free(core);
    std::cerr << "Unable to bind the core" << std::endl;
    return 1;
  }
  std::cout << "Corebind init" << std::endl;

  r_core_seek(core, 0, true);
  R2Pipe *pipe = r2pipe_open_corebind(&corebind);
  if (!pipe) {
    r_buf_free(rbuf);
    r_core_free(core);
    std::cerr << "Unable to open the r2pipe on the core" << std::endl;
    return 1;
  }
  char *msg = r2pipe_cmd(pipe, argv[2]);
  if (!msg) {
    r2pipe_close(pipe);
    r_buf_free(rbuf);
    r_core_free(core);
    std::cerr << "Unable to run " << argv[2] << std::endl;
    return 1;
  }
  std::cout << msg << std::endl;

  std::free(msg);          // r2pipe_cmd returns a heap-allocated string
  r2pipe_close(pipe);
  r_core_free(core);
  return 0;
}

When this will work, I'll try to add a method for r2pipe, something like r2pipe_open_with_bytes, or something else if someone has a better name ;)

radare commented 5 years ago

if you are sharing the same memory space you can r2pipe.open("rbuf://"); and that may work if you have allocated an rbuffer structure in there.


ghost commented 5 years ago

TOCTOU DETECTED

Sounds nice. Really nice. I'm going to try.

ghost commented 5 years ago

This doesn't work. Moreover, it segfaults if I simply do r2 rbuf://<pointer>, but does not if I do r2 -q0 rbuf://<pointer>

radare commented 5 years ago

because you have to use this from the native r2pipe api opening instead of spawning a new session


ghost commented 5 years ago

I don't get it. I don't spawn a new session, I'm using the same session

a1ext commented 5 years ago

he meant you have to execute your script from the r2 shell which is already open, like this #!pipe /path/to/script.py

ghost commented 5 years ago

@a1ext sorry but I don't use the r2 shell for now

ghost commented 5 years ago

my RCore shares the memory space with my program

radare commented 5 years ago

Then why are you referring to r2 rbuf://...

ghost commented 5 years ago

if you are sharing the same memory space you can r2pipe.open("rbuf://"); and that may work if you have allocated an rbuffer structure in there.

About that?

ghost commented 5 years ago

Using snowman. closing

radare commented 5 years ago

wat
