hzqst / unicorn_pe

Unicorn PE is a Unicorn-based instrumentation project designed to emulate code execution for Windows PE files.
MIT License

Can't relocate image, no relocation flag #23

Open UnlimitedChild opened 3 years ago

UnlimitedChild commented 3 years ago

Hi,

This situation must be handled internally by the emulator. If you edit the header manually, the emulation hangs.

unicorn_pe cpuid.exe -disasm
BlackBone: Allocate: Allocating at address 0x000002A6F2DC0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x000002A6F2DD0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x000002A6F2DE0000 (0x4000 bytes)
BlackBone: ManualMap: Mapping image 'cpuid.exe' with flags 0x1d001
BlackBone: ManualMap: Loading new image 'cpuid.exe'
BlackBone: ManualMap: Image base allocated at 0x000002a6f2df0000
BlackBone: ManualMap: Performing image copy
BlackBone: ManualMap: Relocating image 'cpuid.exe'
BlackBone: ManualMap: Can't relocate image, no relocation flag
BlackBone: Free: Free at address 0x000002A6F2DF0000
BlackBone: Free: Free at address 0x000002A6F2DC0000
BlackBone: Free: Free at address 0x000002A6F2DD0000
BlackBone: Free: Free at address 0x000002A6F2DE0000
failed to MapImage

cpuid_.zip

UnlimitedChild commented 3 years ago

On the last update nothing works at all...

unicorn_pe cpuid.exe -disasm
BlackBone: Allocate: Allocating at address 0x0000027C75920000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x0000027C75930000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x0000027C75940000 (0x4000 bytes)
BlackBone: ManualMap: Mapping image 'cpuid' with flags 0x5d001
BlackBone: ManualMap: Failed to load image 'cpuid'/0x0000000000000000. Status 0xC0000034
failed to MapImage
BlackBone: Free: Free at address 0x0000027C75920000
BlackBone: Free: Free at address 0x0000027C75940000
BlackBone: Free: Free at address 0x0000027C75930000

When entering a file name, you need to enter the name in full with the extension; then it works!

UnlimitedChild commented 3 years ago

Build 22.04.2021

unicorn_pe cpuid.exe -disasm
BlackBone: Allocate: Allocating at address 0x000001F8CEEA0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x000001F8CEEB0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x000001F8CEEC0000 (0x4000 bytes)
BlackBone: ManualMap: Mapping image 'cpuid.exe' with flags 0x5d001
BlackBone: ManualMap: Loading new image 'cpuid.exe'
BlackBone: ManualMap: Image base allocated at 0x000001f8ceed0000
BlackBone: ManualMap: Performing image copy
BlackBone: ManualMap: Relocating image 'cpuid.exe'
BlackBone: ManualMap: Image does not use relocations
BlackBone: ManualMap: Loading new dependency 'kernel32.dll'
BlackBone: ManualMap: Dependency path resolved to 'C:\Windows\system32\kernel32.dll'
BlackBone: ManualMap: Loading new image 'C:\Windows\system32\kernel32.dll'
BlackBone: ManualMap: Image base allocated at 0x000001f8d0900000
BlackBone: ManualMap: Performing image copy
BlackBone: ManualMap: Relocating image 'c:\windows\system32\kernel32.dll'
BlackBone: ManualMap: Loading new dependency 'kernelbase.dll'
BlackBone: ManualMap: Dependency path resolved to 'c:\windows\system32\kernelbase.dll'
BlackBone: ManualMap: Loading new image 'c:\windows\system32\kernelbase.dll'
BlackBone: ManualMap: Image base allocated at 0x000001f8d3b80000
BlackBone: ManualMap: Performing image copy
BlackBone: ManualMap: Relocating image 'c:\windows\system32\kernelbase.dll'
BlackBone: ManualMap: Loading new dependency 'ntdll.dll'
BlackBone: ManualMap: Dependency path resolved to 'c:\windows\system32\ntdll.dll'
BlackBone: ManualMap: Loading new image 'c:\windows\system32\ntdll.dll'
BlackBone: ManualMap: Image base allocated at 0x000001f8d42e0000
BlackBone: ManualMap: Performing image copy
BlackBone: ManualMap: Relocating image 'c:\windows\system32\ntdll.dll'
BlackBone: ManualMap: Performing security cookie initializtion for image 'ntdll.dll'
BlackBone: ManualMap: Performing security cookie initializtion for image 'kernelbase.dll'
BlackBone: ManualMap: Performing security cookie initializtion for image 'kernel32.dll'
BlackBone: ManualMap: Loading new dependency 'msvcrt.dll'
BlackBone: ManualMap: Dependency path resolved to 'C:\Windows\system32\MSVCRT.dll'
BlackBone: ManualMap: Loading new image 'C:\Windows\system32\MSVCRT.dll'
BlackBone: ManualMap: Image base allocated at 0x000001f8d3a50000
BlackBone: ManualMap: Performing image copy
BlackBone: ManualMap: Relocating image 'c:\windows\system32\msvcrt.dll'
BlackBone: ManualMap: Performing security cookie initializtion for image 'msvcrt.dll'
BlackBone: Free: Decommit at address 0x000001F8D44CF000 (0x1000 bytes)
BlackBone: Free: Decommit at address 0x000001F8D3DFE000 (0x25000 bytes)
BlackBone: Free: Decommit at address 0x000001F8D09B1000 (0x1000 bytes)
BlackBone: Free: Decommit at address 0x000001F8D3AED000 (0x1000 bytes)
1f8ceed1000 enter 0x80, 0
1f8ceed1004 sub rsp, 0x200
1f8ceed100b lea rax, [rbp - 0xf8]
1f8ceed1012 mov qword ptr [rbp - 0x78], rax
1f8ceed1016 mov rcx, qword ptr [rbp - 0x78]
1f8ceed101a call 0x1f8ceed17a0
1f8ceed17a0 mov r11, rbx
1f8ceed17a3 mov r10, rcx
1f8ceed17a6 xor rax, rax
1f8ceed17a9 cpuid
1f8ceed17ab mov dword ptr [r10], ebx
1f8ceed17ae mov dword ptr [r10 + 4], edx
1f8ceed17b2 mov dword ptr [r10 + 8], ecx
1f8ceed17b6 mov byte ptr [r10 + 0xc], 0
1f8ceed17bb mov rbx, r11
1f8ceed17be ret
1f8ceed101f mov rcx, qword ptr [rip + 0x10b1]
1f8ceed1026 call 0x1f8ceed17c0
1f8ceed17c0 enter 0x80, 0
1f8ceed17c4 sub rsp, 0x80
1f8ceed17cb mov qword ptr [rbp - 0x78], r14
1f8ceed17cf mov qword ptr [rbp - 0x80], r15
1f8ceed17d3 mov r14, rcx
1f8ceed17d6 mov rax, r14
1f8ceed17d9 sub rax, 1
1f8ceed17dd add rax, 1
1f8ceed17e1 cmp byte ptr [rax], 0
UC_MEM_READ_UNMAPPED from 1400020d4
UC_MEM_READ_UNMAPPED rip at cpuid.exe+17e1
BlackBone: ManualMap: Unmapping image 'cpuid.exe'
BlackBone: Free: Free at address 0x000001F8CEED0000
BlackBone: ManualMap: Unmapping image 'msvcrt.dll'
BlackBone: Free: Free at address 0x000001F8D3A50000
BlackBone: ManualMap: Unmapping image 'kernel32.dll'
BlackBone: Free: Free at address 0x000001F8D0900000
BlackBone: ManualMap: Unmapping image 'kernelbase.dll'
BlackBone: Free: Free at address 0x000001F8D3B80000
BlackBone: ManualMap: Unmapping image 'ntdll.dll'
BlackBone: Free: Free at address 0x000001F8D42E0000
uc_emu_start return: 0
entrypoint return: 1400020d4
last rip: 1f8ceed17e1 (cpuid.exe+17e1)
BlackBone: Free: Free at address 0x000001F8CEEA0000
BlackBone: Free: Free at address 0x000001F8CEEC0000
BlackBone: Free: Free at address 0x000001F8CEEB0000

This message - UC_MEM_READ_UNMAPPED - appears on any file.

hzqst commented 3 years ago

Looks like the cpuid.exe is mapped at the wrong address (1f8ceed0000 instead of 140000000)?
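
The two log states in this thread ("Can't relocate image, no relocation flag", then "Image does not use relocations" after the header was edited by hand) and the fault at 1400020d4 while the image sits at 1f8ceed0000 all come down to a few header fields. The following is an added example, not code from unicorn_pe or BlackBone: it parses the fields of a PE32+ header that decide whether an image may be rebased (FileHeader.Characteristics IMAGE_FILE_RELOCS_STRIPPED, DllCharacteristics DYNAMIC_BASE, the base-relocation data directory, ImageBase and SizeOfImage) and then checks whether a faulting address lies inside the image's preferred range, which is the signature of a non-relocatable image that was copied elsewhere. The three-way classification and the `diagnose` heuristic are this example's own reading, not BlackBone's documented logic; the sample headers are constructed inline, and the only values taken from the page are the two addresses from the log above.

```python
import struct

# PE/COFF constants.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # FileHeader.Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # OptionalHeader.DllCharacteristics
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5


def parse_pe64_header(data: bytes) -> dict:
    """Pull the PE32+ header fields that decide whether an image can be rebased."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    (_machine, _nsec, _ts, _symtab, _nsyms,
     _opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, fh)
    oh = fh + 20                                        # IMAGE_OPTIONAL_HEADER64
    if struct.unpack_from("<H", data, oh)[0] != 0x20B:
        raise ValueError("only PE32+ (magic 0x20b) handled here")
    image_base = struct.unpack_from("<Q", data, oh + 24)[0]
    size_of_image = struct.unpack_from("<I", data, oh + 56)[0]
    dll_chars = struct.unpack_from("<H", data, oh + 70)[0]
    num_dirs = struct.unpack_from("<I", data, oh + 108)[0]
    reloc_rva = reloc_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_BASERELOC:       # data directory starts at +112
        reloc_rva, reloc_size = struct.unpack_from(
            "<II", data, oh + 112 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    return {
        "image_base": image_base,
        "size_of_image": size_of_image,
        "relocs_stripped": bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED),
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "reloc_rva": reloc_rva,
        "reloc_size": reloc_size,
    }


def relocation_status(hdr: dict) -> str:
    """Classify the image the way a manual mapper must before picking a base
    (this example's own categories, not BlackBone's)."""
    if hdr["relocs_stripped"]:
        return "relocs_stripped"    # linker declared the image never moves
    if hdr["reloc_size"] == 0:
        return "no_reloc_table"     # flag clear (e.g. edited by hand) but nothing to apply
    return "relocatable"


def diagnose(hdr: dict, actual_base: int, fault_addr: int) -> dict:
    """Explain a memory fault for an image copied to actual_base.

    A non-relocatable image keeps absolute pointers into
    [ImageBase, ImageBase + SizeOfImage); a fault inside that window while the
    image actually lives elsewhere means it was mapped at the wrong base."""
    pref = hdr["image_base"]
    in_pref = pref <= fault_addr < pref + hdr["size_of_image"]
    wrong_base = actual_base != pref and relocation_status(hdr) != "relocatable"
    return {
        "status": relocation_status(hdr),
        "mapped_at_wrong_base": wrong_base,
        "fault_in_preferred_range": in_pref,
        "delta": actual_base - pref,
    }


def build_header(image_base, size_of_image, *, relocs_stripped, reloc_size):
    """Constructed minimal PE32+ header (headers only, no sections or code)."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    chars = 0x0022 | (IMAGE_FILE_RELOCS_STRIPPED if relocs_stripped else 0)
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, chars)
    opt = bytearray(240)                                              # 112 + 16 dirs * 8
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 16, 0x1000)                           # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, image_base)
    struct.pack_into("<I", opt, 56, size_of_image)
    struct.pack_into("<H", opt, 70,
                     0 if relocs_stripped else IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    struct.pack_into("<I", opt, 108, 16)                              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC,
                     0x3000 if reloc_size else 0, reloc_size)
    return dos + b"PE\0\0" + file_hdr + bytes(opt)


# Constructed samples: a fixed-base image like the one in the issue (relocations
# stripped, preferred base 0x140000000) and a normal ASLR-capable image.
FIXED_BASE_IMAGE = build_header(0x140000000, 0x4000, relocs_stripped=True, reloc_size=0)
RELOCATABLE_IMAGE = build_header(0x140000000, 0x4000, relocs_stripped=False, reloc_size=0x28)

# Addresses quoted from the log above: BlackBone put cpuid.exe at 0x1f8ceed0000
# and the emulator faulted reading 0x1400020d4.
LOG_ACTUAL_BASE = 0x1F8CEED0000
LOG_FAULT_ADDR = 0x1400020D4

if __name__ == "__main__":
    hdr = parse_pe64_header(FIXED_BASE_IMAGE)
    print(relocation_status(hdr), diagnose(hdr, LOG_ACTUAL_BASE, LOG_FAULT_ADDR))
```

Run stand-alone it reports `relocs_stripped` and `mapped_at_wrong_base=True` with the fault inside the preferred range, i.e. the situation hzqst describes. Clearing IMAGE_FILE_RELOCS_STRIPPED by hand only moves the image into the `no_reloc_table` bucket: the mapper no longer refuses it, but with no relocation table to apply every absolute pointer still targets 0x140000000, so the only safe course for such an image is to map it at its preferred base.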

UnlimitedChild commented 3 years ago

unicorn_pe XOR_20200817194428.exe_20200829_162834.vmp.exe -disasm
BlackBone: Allocate: Allocating at address 0x000001BC4DC90000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x000001BC4DCA0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x000001BC4DCC0000 (0x4000 bytes)
BlackBone: ManualMap: Mapping image 'XOR_20200817194428.exe_20200829_162834.vmp.exe' with flags 0x5d001
BlackBone: ManualMap: Loading new image 'XOR_20200817194428.exe_20200829_162834.vmp.exe'
BlackBone: ManualMap: Image base allocated at 0x000001bc4f540000
BlackBone: ManualMap: Performing image copy
BlackBone: ManualMap: Relocating image 'xor_20200817194428.exe_20200829_162834.vmp.exe'
BlackBone: ManualMap: Image does not use relocations
1bc4f541000 jmp 0x1bc4f57a103
1bc4f57a103 push 0x2babe72
1bc4f57a108 call 0x1bc4f5f3319
1bc4f5f3319 push r13
1bc4f5f331b jmp 0x1bc4f574608
1bc4f574608 pushfq
1bc4f574609 stc
1bc4f57460a cmp r8, 0x22040e88
1bc4f574611 push r8
1bc4f574613 push rbp
1bc4f574614 not r8b
1bc4f574617 push rdi
1bc4f574618 push rax
1bc4f574619 movsxd r8, r12d
1bc4f57461c shl r8w, 0xd
1bc4f574621 push r15
1bc4f574623 sub r8b, r9b
1bc4f574626 inc r8b
1bc4f574629 push r14
1bc4f57462b adc edi, esp
1bc4f57462d push rdx
1bc4f57462e push rsi
1bc4f57462f xor r8b, r15b
1bc4f574632 push r11
1bc4f574634 btc si, r10w
1bc4f574639 or esi, r11d
1bc4f57463c push r12
1bc4f57463e push r10
1bc4f574640 push rcx
1bc4f574641 mov r10b, r12b
1bc4f574644 push rbx
1bc4f574645 push r9
1bc4f574647 or r9, 0x41962761
1bc4f57464e test r12d, 0x391771bc
1bc4f574655 bsf r11, r11
1bc4f574659 movabs r8, 0
1bc4f574663 stc
1bc4f574664 push r8
1bc4f574666 mov dil, 0x20
1bc4f574669 shl r11b, 0xf7
1bc4f57466d sar r10, 0xa
1bc4f574671 mov rdi, qword ptr [rsp + 0x90]
1bc4f574679 shr r11w, cl
1bc4f57467d clc
1bc4f57467e not edi
1bc4f574680 movsx esi, r13w
1bc4f574684 add edi, 0x1f430407
1bc4f57468a movzx si, r14b
1bc4f57468f bswap edi
1bc4f574691 add edi, 0x6bfd5f9b
1bc4f574697 add rdi, r8
1bc4f57469a sar si, 0xee
1bc4f57469e mov r11, rsp
1bc4f5746a1 sub rsp, 0x140
1bc4f5746a8 and rsp, 0xfffffffffffffff0
1bc4f5746af cmp r15w, bx
1bc4f5746b3 mov r9, rdi
1bc4f5746b6 or si, r9w
1bc4f5746ba rol sil, cl
1bc4f5746bd btc r10, r9
1bc4f5746c1 movabs r8, 0
1bc4f5746cb sub r9, r8
1bc4f5746ce rcl sil, 0xf7
1bc4f5746d2 sal r10, 0xce
1bc4f5746d6 neg r10b
1bc4f5746d9 lea rsi, [rip - 7]
1bc4f5746e0 sbb r10b, 0xe2
1bc4f5746e4 mov r10d, dword ptr [rdi]
UC_MEM_READ_UNMAPPED from 42e7b7
UC_MEM_READ_UNMAPPED rip at xor_20200817194428.exe_20200829_162834.vmp.exe+346e4
BlackBone: ManualMap: Unmapping image 'xor_20200817194428.exe_20200829_162834.vmp.exe'
BlackBone: Free: Free at address 0x000001BC4F540000
uc_emu_start return: 0
entrypoint return: 0
last rip: 1bc4f5746e4 (xor_20200817194428.exe_20200829_162834.vmp.exe+346e4)
BlackBone: Free: Free at address 0x000001BC4DC90000
BlackBone: Free: Free at address 0x000001BC4DCC0000
BlackBone: Free: Free at address 0x000001BC4DCA0000

UnlimitedChild commented 3 years ago

unicorn_pe procexp.exe -disasm

1778d85ec3b je 0x1778d85ec45
1778d85ec45 cmp r8, r12
1778d85ec48 je 0x1778d85ed27
1778d85ec4e mov esi, dword ptr [rbp]
1778d85ec51 mov rbx, qword ptr [r14 + rsi*8 + 0x151948]
1778d85ec59 test rbx, rbx
1778d85ec5c je 0x1778d85ec6c
1778d85ec6c mov r14, qword ptr [r14 + rsi*8 + 0xfe5f8]
1778d85ec74 xor edx, edx
1778d85ec76 mov rcx, r14
1778d85ec79 mov r8d, 0x800
1778d85ec7f call qword ptr [rip + 0x2b933]
UC_MEM_FETCH_PROT from ntdll.dll+2a1b0
UC_MEM_FETCH_PROT rip at ntdll.dll+2a1b0
BlackBone: ManualMap: Unmapping image 'procexp.exe'
BlackBone: Free: Free at address 0x000001778D7B0000
BlackBone: ManualMap: Unmapping image 'psapi.dll'
BlackBone: Free: Free at address 0x0000017794520000
BlackBone: ManualMap: Unmapping image 'winhttp.dll'
BlackBone: Free: Free at address 0x0000017794430000
BlackBone: ManualMap: Unmapping image 'comdlg32.dll'
BlackBone: Free: Free at address 0x0000017794360000
BlackBone: ManualMap: Unmapping image 'uxtheme.dll'
BlackBone: Free: Free at address 0x0000017793AB0000
BlackBone: ManualMap: Unmapping image 'wtsapi32.dll'
BlackBone: Free: Free at address 0x00000177939A0000
BlackBone: ManualMap: Unmapping image 'aclui.dll'
BlackBone: Free: Free at address 0x00000177924D0000
BlackBone: ManualMap: Unmapping image 'xmllite.dll'
BlackBone: Free: Free at address 0x0000017793460000
BlackBone: ManualMap: Unmapping image 'oleaut32.dll'
BlackBone: Free: Free at address 0x00000177938D0000
BlackBone: ManualMap: Unmapping image 'ole32.dll'
BlackBone: Free: Free at address 0x00000177935C0000
BlackBone: ManualMap: Unmapping image 'shell32.dll'
BlackBone: Free: Free at address 0x0000017792D70000
BlackBone: ManualMap: Unmapping image 'cryptsp.dll'
BlackBone: Free: Free at address 0x00000177942E0000
BlackBone: ManualMap: Unmapping image 'windows.storage.dll'
BlackBone: Free: Free at address 0x0000017793B60000
BlackBone: ManualMap: Unmapping image 'kernel.appcore.dll'
BlackBone: Free: Free at address 0x0000017794C80000
BlackBone: ManualMap: Unmapping image 'powrprof.dll'
BlackBone: Free: Free at address 0x0000017794B80000
BlackBone: ManualMap: Unmapping image 'umpdc.dll'
BlackBone: Free: Free at address 0x0000017794BD0000
BlackBone: ManualMap: Unmapping image 'shcore.dll'
BlackBone: Free: Free at address 0x0000017794AD0000
BlackBone: ManualMap: Unmapping image 'profapi.dll'
BlackBone: Free: Free at address 0x0000017794A70000
BlackBone: ManualMap: Unmapping image 'ntdsapi.dll'
BlackBone: Free: Free at address 0x0000017792D20000
uc_emu_start return: 8
entrypoint return: 22
last rip: 1778d85ec7f (procexp.exe+aec7f)

UnlimitedChild commented 3 years ago

unicorn_pe Autoruns64.exe -disasm

28a35712b60 sub rsp, 0x98
28a35712b67 lea rcx, [rsp + 0x20]
28a35712b6c call qword ptr [rip + 0x158f6]
UC_MEM_FETCH_UNMAPPED from kernelbase.dll+c7f0
UC_MEM_FETCH_UNMAPPED rip at kernelbase.dll+c7f0
BlackBone: ManualMap: Unmapping image 'autoruns64.exe'

UnlimitedChild commented 3 years ago

unicorn_pe cpudata.exe -disasm
BlackBone: Allocate: Allocating at address 0x00000183791B0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000183791C0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000183791D0000 (0x4000 bytes)
BlackBone: ManualMap: Mapping image 'cpudata.exe' with flags 0x5d001
BlackBone: ManualMap: Loading new image 'cpudata.exe'
BlackBone: ManualMap: Image base allocated at 0x000001837aad0000
BlackBone: ManualMap: Performing image copy
BlackBone: ManualMap: Relocating image 'cpudata.exe'
BlackBone: ManualMap: Loading new dependency 'kernel32.dll'
BlackBone: ManualMap: Dependency path resolved to 'C:\Windows\system32\kernel32.dll'
BlackBone: ManualMap: Loading new image 'C:\Windows\system32\kernel32.dll'

BlackBone: Free: Free at address 0x00000183791D0000
LdrLoadDllByName failed to MapImage dxcore.dll, status C0000034
BlackBone: Allocate: Allocating at address 0x00000183791B0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000183791C0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000183791D0000 (0x4000 bytes)
BlackBone: ManualMap: Mapping image 'dxcore.dll' with flags 0x1d001
BlackBone: ManualMap: Failed to load image 'dxcore.dll'/0x0000000000000000. Status 0xC0000034
BlackBone: Free: Free at address 0x00000183791B0000
BlackBone: Free: Free at address 0x00000183791C0000
BlackBone: Free: Free at address 0x00000183791D0000
LdrLoadDllByName failed to MapImage dxcore.dll, status C0000034
BlackBone: Allocate: Allocating at address 0x00000183791B0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000183791C0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000183791D0000 (0x4000 bytes)
BlackBone: ManualMap: Mapping image 'dxcore.dll' with flags 0x1d001
BlackBone: ManualMap: Failed to load image 'dxcore.dll'/0x0000000000000000. Status 0xC0000034
BlackBone: Free: Free at address 0x00000183791B0000
BlackBone: Free: Free at address 0x00000183791C0000
BlackBone: Free: Free at address 0x00000183791D0000
LdrLoadDllByName failed to MapImage dxcore.dll, status C0000034
BlackBone: Allocate: Allocating at address 0x00000183791B0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000183791C0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000183791D0000 (0x4000 bytes)
BlackBone: ManualMap: Mapping image 'dxcore.dll' with flags 0x1d001
BlackBone: ManualMap: Failed to load image 'dxcore.dll'/0x0000000000000000. Status 0xC0000034
BlackBone: Free: Free at address 0x00000183791B0000
BlackBone: Free: Free at address 0x00000183791C0000
BlackBone: Free: Free at address 0x00000183791D0000
LdrLoadDllByName failed to MapImage dxcore.dll, status C0000034
BlackBone: Allocate: Allocating at address 0x00000183791B0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000183791C0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000183791D0000 (0x4000 bytes)
BlackBone: ManualMap: Mapping image 'dxcore.dll' with flags 0x1d001
BlackBone: ManualMap: Failed to load image 'dxcore.dll'/0x0000000000000000. Status 0xC0000034
BlackBone: Free: Free at address 0x00000183791B0000
BlackBone: Free: Free at address 0x00000183791C0000
BlackBone: Free: Free at address 0x00000183791D0000
LdrLoadDllByName failed to MapImage dxcore.dll, status C0000034
BlackBone: Allocate: Allocating at address 0x00000183791B0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000183791C0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000183791D0000 (0x4000 bytes)
BlackBone: ManualMap: Mapping image 'dxcore.dll' with flags 0x1d001
BlackBone: ManualMap: Failed to load image 'dxcore.dll'/0x0000000000000000. Status 0xC0000034
BlackBone: Free: Free at address 0x00000183791B0000
BlackBone: Free: Free at address 0x00000183791C0000
BlackBone: Free: Free at address 0x00000183791D0000
LdrLoadDllByName failed to MapImage dxcore.dll, status C0000034
BlackBone: Allocate: Allocating at address 0x00000183791B0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000183791C0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000183791D0000 (0x4000 bytes)
BlackBone: ManualMap: Mapping image 'dxcore.dll' with flags 0x1d001
BlackBone: ManualMap: Failed to load image 'dxcore.dll'/0x0000000000000000. Status 0xC0000034
BlackBone: Free: Free at address 0x00000183791B0000
BlackBone: Free: Free at address 0x00000183791C0000
BlackBone: Free: Free at address 0x00000183791D0000
LdrLoadDllByName failed to MapImage dxcore.dll, status C0000034
BlackBone: Allocate: Allocating at address 0x00000183791B0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000183791C0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000183791D0000 (0x4000 bytes)
BlackBone: ManualMap: Mapping image 'dxcore.dll' with flags 0x1d001
BlackBone: ManualMap: Failed to load image 'dxcore.dll'/0x0000000000000000. Status 0xC0000034
BlackBone: Free: Free at address 0x00000183791B0000
BlackBone: Free: Free at address 0x00000183791C0000
BlackBone: Free: Free at address 0x00000183791D0000
LdrLoadDllByName failed to MapImage dxcore.dll, status C0000034
BlackBone: Allocate: Allocating at address 0x00000183791B0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000183791C0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000183791D0000 (0x4000 bytes)
BlackBone: ManualMap: Mapping image 'ext-ms-win-gdi-desktop-l1-1-0.dll' with flags 0x1d001
BlackBone: ManualMap: Failed to load image 'ext-ms-win-gdi-desktop-l1-1-0.dll'/0x0000000000000000. Status 0xC0000034
BlackBone: Free: Free at address 0x00000183791B0000
BlackBone: Free: Free at address 0x00000183791C0000
BlackBone: Free: Free at address 0x00000183791D0000
LdrLoadDllByName failed to MapImage ext-ms-win-gdi-desktop-l1-1-0.dll, status C0000034
BlackBone: ManualMap: Performing security cookie initializtion for image 'user32.dll'
BlackBone: ManualMap: Loading new dependency 'msvcrt.dll'
BlackBone: ManualMap: Dependency path resolved to 'C:\Windows\system32\MSVCRT.dll'
BlackBone: ManualMap: Loading new image 'C:\Windows\system32\MSVCRT.dll'
BlackBone: ManualMap: Image base allocated at 0x000001837dde0000
BlackBone: ManualMap: Performing image copy
BlackBone: ManualMap: Relocating image 'c:\windows\system32\msvcrt.dll'
BlackBone: ManualMap: Performing security cookie initializtion for image 'msvcrt.dll'
BlackBone: Free: Decommit at address 0x000001837DF05000 (0x1000 bytes)
BlackBone: Free: Decommit at address 0x000001837E373000 (0x1000 bytes)
BlackBone: Free: Decommit at address 0x000001837DE7D000 (0x1000 bytes)
BlackBone: Free: Decommit at address 0x000001837AADB000 (0x1000 bytes)
1837aad1000 enter 0x80, 0
1837aad1004 sub rsp, 0x60
1837aad1008 xor rcx, rcx
1837aad100b call qword ptr [rip + 0x3057]
UC_MEM_FETCH_UNMAPPED from kernelbase.dll+e090
UC_MEM_FETCH_UNMAPPED rip at kernelbase.dll+e090
BlackBone: ManualMap: Unmapping image 'cpudata.exe'
BlackBone: Free: Free at address 0x000001837AAD0000
BlackBone: ManualMap: Unmapping image 'msvcrt.dll'
BlackBone: Free: Free at address 0x000001837DDE0000
BlackBone: ManualMap: Unmapping image 'user32.dll'
BlackBone: Free: Free at address 0x000001837E1E0000
BlackBone: ManualMap: Unmapping image 'gdi32.dll'
BlackBone: Free: Free at address 0x000001837DEE0000
uc_emu_start return: 8
entrypoint return: 0
last rip: 1837aad100b (cpudata.exe+100b)

UnlimitedChild commented 3 years ago

> looks like the cpuid.exe is mapped at wrong address (1f8ceed0000 instead of 140000000)?

Hi hzqst,

Looks like it, but I'm not sure, since the addresses don't always match.

OS: Windows 10, Version 1909 18363.418

brandonros commented 2 years ago

.\x64\Debug\unicorn_pe.exe
BlackBone: PDB: Failed to load msdia140.dll, error 0x0000007e
BlackBone: PDB: blackbone::PDBHelper::Init: (CoCreateDiaDataSource()) failed with HRESULT 0x8007007e
BlackBone: PatternData: LdrProtectMrdata not found
usage: unicorn_pe (filename) [-k] [-disasm]
.\x64\Debug\unicorn_pe.exe C:\Users\Brandon\Desktop\redacted.exe
BlackBone: PDB: Failed to load msdia140.dll, error 0x0000007e
BlackBone: PDB: blackbone::PDBHelper::Init: (CoCreateDiaDataSource()) failed with HRESULT 0x8007007e
BlackBone: PatternData: LdrProtectMrdata not found
BlackBone: Allocate: Allocating at address 0x00000272C9910000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000272C9920000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000272C9930000 (0x4000 bytes)
BlackBone: ManualMap: Mapping image 'C:\Users\Brandon\Desktop\redacted.exe' with flags 0x5d001
BlackBone: ManualMap: Loading new image 'C:\Users\Brandon\Desktop\redacted.exe'
BlackBone: ManualMap: Image base allocated at 0x00000272cbc40000
BlackBone: ManualMap: Performing image copy
BlackBone: ManualMap: Relocating image 'c:\users\brandon\desktop\redacted.exe'
BlackBone: ManualMap: Can't relocate image, no relocation flag
BlackBone: Free: Free at address 0x00000272CBC40000
failed to MapImage
BlackBone: Free: Free at address 0x00000272C9910000
BlackBone: Free: Free at address 0x00000272C9930000
BlackBone: Free: Free at address 0x00000272C9920000
.\x64\Debug\unicorn_pe.exe -k C:\Users\Brandon\Desktop\redacted.exe 
BlackBone: PDB: Failed to load msdia140.dll, error 0x0000007e
BlackBone: PDB: blackbone::PDBHelper::Init: (CoCreateDiaDataSource()) failed with HRESULT 0x8007007e
BlackBone: PatternData: LdrProtectMrdata not found
BlackBone: Allocate: Allocating at address 0x000002423C840000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x000002423C850000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x000002423C860000 (0x4000 bytes)
BlackBone: ManualMap: Mapping image '-k' with flags 0x5d001
BlackBone: ManualMap: Failed to load image '-k'/0x0000000000000000. Status 0xC0000034
failed to MapImage
BlackBone: Free: Free at address 0x000002423C840000
BlackBone: Free: Free at address 0x000002423C860000
BlackBone: Free: Free at address 0x000002423C850000

brandonros commented 2 years ago

Could it be that Windows Defender hates the bundled BlackBone .sys file from a virus protection perspective?