## Greenhouse QEMU
Modifications to their fork of QEMU 5
- hackproc
- when enabled redirect `/proc/*` to `/ghproc/*` and `/dev/*` to `/ghdev/*`
- applies to: openat,
- hackbind
- setsockopt is forced to return 0 for level=SOL_IPV6 and most values of optname
- `socket` syscall forces `AF_INET6` to `AF_INET`
- bind syscall..
- do nothing to IPv4 aside from printing out IP/port
- force IPv6 to bind on IPv4 0.0.0.0:port
- attempt up to 3 retries
- try a new port each time
- if port is 0 or negative, bind on 80
- increment the port and only actually retry when finding an unused port
- hacksysinfo
- set 1, 5, and 15 minute load averages to 0
- execve
- you can pass an executable using `-execve [path]` in order to have all execves pass through the given program
- pconly
- doesn't log events outside of the given executable
## Greenhouse Core
Description of the behavior of their rehosting framework.
- Log Trace
- All of the logs (syscall tracing, qemu logs, etc) are merged
- regex is used to parse out missing files and add them
- syscalls: open(at), access(at), stat, chdir
- Also used to find missing nvram values
- FirmAE Wrapper
- Nothing special here, just used to get args/nvram values like it says in the paper
- "BinTrunk" (Angr-based CFG reconstruction)
- Searches for an entrypoint
- "main" symbol -> "__libc_start_main" -> binary entrypoint
- Detects exits
- process returns
- anything with "no successor" according to angr
- Marks exits for pruning
- "Planter"
- Removes device files and replaces them with its own
- `/dev/random` and `/dev/urandom` are hardcoded strings
- Runs `file` to determine architecture
- Sets up all the greenhouse-specific files
- nvram replacement
- `/ghdev`, `/greenhouse`, etc
- Searches for binaries of interest to run based on user-input as to type of rehosting
- types of rehosting: HTTP, UPNP, DNS, DHCP
- then scans for a hardcoded list of binaries based on the given type
- checks if binary is networking-facing based on if it "links" against the "symbols" of `listen` or `bind` (according to angr)
- Plugins
-
Sign in with Wallet
Connect another wallet