pwnlib.qemu — QEMU Utilities¶
Run foreign-architecture binaries
So you want to exploit ARM binaries on your Intel PC?
Pwntools has a good level of integration with QEMU user-mode emulation, in order to run, debug, and pwn foreign architecture binaries.
In general, everything magic happens “behind the scenes”, and pwntools attempts to make your life easier.
process, pwntools will attempt to blindly
execute the binary, in case your system is configured to use
If this fails, pwntools will attempt to manually launch the binary under
qemu user-mode emulation. Preference is given to statically-linked variants,
qemu-arm-static will be selected before
When debugging binaries with
gdb.debug(), pwntools automatically adds
the appropriate command-line flags to QEMU to start its GDB stub, and
automatically informs GDB of the correct architecture and sysroot.
You can override the default sysroot by setting the
environment variable. This affects where
qemu will look for files when
open() is called, e.g. when the linker is attempting to resolve
For Ubuntu 16.04 and newer, the setup is relatively straightforward for most architectures.
First, install the QEMU emulator itself. If your binary is statically-linked, this is sufficient.
$ sudo apt-get install qemu-user
If your binary is dynamically linked, you need to install libraries like libc.
Generally, this package is named
ARM comes in both soft-float and hard-float variants, e.g.
$ sudo apt-get install libc6-arm64-cross
If your binary relies on additional libraries, you can generally find them
apt-cache search. For example, if it’s a C++ binary it
$ apt-cache search 'libstdc++' | grep arm64
Any other libraries that you require you’ll have to find some other way.
Telling QEMU Where Libraries Are¶
The libraries are now installed on your system at e.g.
QEMU does not know where they are, and expects them to be at e.g.
If you try to run your library now, you’ll probably see an error about
/etc/qemu-binfmt directory if it does not exist, and create a symlink to
the appropriate path.
$ sudo mkdir /etc/qemu-binfmt $ sudo ln -s /usr/aarch64-linux-gnu /etc/qemu-binfmt/aarch64
Now QEMU should be able to run the libraries.
Returns the name which QEMU uses for the currently selected architecture.
>>> pwnlib.qemu.archname() 'i386' >>> pwnlib.qemu.archname(arch='powerpc') 'ppc'
Returns the linker prefix for the selected qemu-user binary
>>> pwnlib.qemu.ld_prefix(arch='arm') '/etc/qemu-binfmt/arm'
Returns the path to the QEMU-user binary for the currently selected architecture.
>>> pwnlib.qemu.user_path() 'qemu-i386-static' >>> pwnlib.qemu.user_path(arch='thumb') 'qemu-arm-static'