CYB3RMX / Qu1cksc0pe

All-in-One malware analysis tool.
GNU General Public License v3.0

Windows Emulator goes wrong... #27

Closed brutebee closed 1 year ago

brutebee commented 1 year ago

When running code for Windows dynamic analysis, it seems the script is looking for the file to be present at '/Qu1cksc0pe-master/Systems/Windows/x86_windows' instead of elsewhere. I then placed the file in there and the emulator still goes wrong. What shall be done?

python qu1cksc0pe.py --file malware.exe --watch

Error:

[x]     'malware.exe' is not in the subpath of '/home/linux/Desktop/Qu1cksc0pe-master/Systems/Windows/x86_windows' OR one path is relative and the other is absolute.
Traceback (most recent call last):
  File "/home/linux/.local/lib/python3.9/site-packages/qiling/os/windows/windows.py", line 193, in hook_winapi
    api_func(ql, address, api_name)
  File "/home/linux/.local/lib/python3.9/site-packages/qiling/os/windows/fncc.py", line 26, in wrapper
    return ql.os.call(pc, func, params, onenter, onexit, passthru=passthru)
  File "/home/linux/.local/lib/python3.9/site-packages/qiling/os/os.py", line 187, in call
    targs, retval, retaddr = self.fcall.call(func, proto, args, onenter, onexit, passthru)
  File "/home/linux/.local/lib/python3.9/site-packages/qiling/os/fcall.py", line 159, in call
    retval = func(ql, pc, params)
  File "/home/linux/.local/lib/python3.9/site-packages/qiling/os/windows/dlls/kernel32/libloaderapi.py", line 110, in hook_GetModuleFileNameA
    return __GetModuleFileName(ql, address, params, wide=False)
  File "/home/linux/.local/lib/python3.9/site-packages/qiling/os/windows/dlls/kernel32/libloaderapi.py", line 88, in __GetModuleFileName
    vpath = ql.os.path.host_to_virtual_path(hpath)
  File "/home/linux/.local/lib/python3.9/site-packages/qiling/os/path.py", line 273, in host_to_virtual_path
    virtpath = self._cwd_anchor / resolved.relative_to(self._rootfs_path)
  File "/usr/lib/python3.9/pathlib.py", line 928, in relative_to
    raise ValueError("{!r} is not in the subpath of {!r}"
ValueError: 'malware.exe' is not in the subpath of '/home/linux/Desktop/M-Analysis/Qu1cksc0pe-master/Systems/Windows/x86_windows' OR one path is relative and the other is absolute.
[!] An error occurred while performing x86 emulation.

CYB3RMX commented 1 year ago

Hmm, did you enter the absolute path of the file instead of using its name? For example: /home/user/malware.exe. If your answer is yes, what environment did you use? Docker, venv or something?

By the way, Qiling-based dynamic analysis is unstable. It gave me lots of errors; I'll need to take care of it.

brutebee commented 1 year ago

Yeah, I tried both the absolute path and the filename. I even placed the file inside the Windows folder. The issue seems to be due to the kernel in ParrotOS? What do you think?

I manually installed from source;

CYB3RMX commented 1 year ago

I'll look into how I can fix this issue. By the way, if you want to help, feel free to make a pull request :)

brutebee commented 1 year ago

I'll definitely help on this one :) I am having a look at what the issue might be, ok?

CYB3RMX commented 1 year ago

Thank you very much for helping the Qu1cksc0pe project :)
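
The last frames of the traceback in this issue reduce to a single pathlib call. The following is an added example, not code from Qu1cksc0pe or Qiling: `relative_to_rootfs` repeats that call, and `preflight` is a hypothetical check that resolves the sample path before testing it against the rootfs. The directory layout and file contents are constructed in a temporary directory.

```python
import tempfile
from pathlib import Path

def relative_to_rootfs(hpath, rootfs):
    """The pathlib call from the last Qiling frame: strip the rootfs prefix from a host path."""
    return Path(hpath).relative_to(rootfs)

def preflight(sample, rootfs):
    """Hypothetical helper: resolve both paths, then report whether the sample lies under rootfs."""
    rootfs_r = Path(rootfs).resolve()
    sample_r = Path(sample).resolve()
    if not sample_r.is_file():
        return False, f"sample not found: {sample_r}"
    try:
        rel = sample_r.relative_to(rootfs_r)
    except ValueError:
        return False, f"{sample_r} is outside rootfs {rootfs_r}"
    return True, rel.as_posix()

def demo():
    """Constructed layout; the names imitate the issue, no real sample is involved."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        rootfs = Path(tmp) / "Systems" / "Windows" / "x86_windows"
        rootfs.mkdir(parents=True)
        inside = rootfs / "malware.exe"
        outside = Path(tmp) / "malware.exe"
        inside.write_bytes(b"MZ")    # placeholder bytes, not a real PE file
        outside.write_bytes(b"MZ")
        # Bare file name against an absolute rootfs: the case shown in the traceback.
        try:
            relative_to_rootfs("malware.exe", rootfs)
            results["bare_name"] = "ok"
        except ValueError as exc:
            results["bare_name"] = f"ValueError: {exc}"
        # Absolute path that exists but sits outside the rootfs tree.
        results["outside"] = preflight(outside, rootfs)
        # Absolute path inside the rootfs tree.
        results["inside"] = preflight(inside, rootfs)
    return results

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```
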