qilingframework / qiling

A True Instrumentable Binary Emulation Framework
https://qiling.io
GNU General Public License v2.0

Packed x86 PE file (compiled Debug) cannot execute to OEP #1132

Closed LakerMoon closed 1 year ago

LakerMoon commented 2 years ago

Packed x86 PE file (compiled Debug) cannot execute to the OEP; it stopped and exited when it called GetProcAddress() in the packer code.

Unicorn called ExitProcess() when it got the address of a function in "vcruntime140d.dll".

Info:
[=] Initiate stack address at 0xfffdd000
[=] Loading rootfs/x86_windows/bin/testPE32_2upx.exe to 0x400000
[=] PE entry point at 0x421300
[=] TEB addr is 0x6000
[=] PEB addr is 0x6044
[=] Loading rootfs/x86_windows\Windows\System32\ntdll.dll ...
[!] Warnings while loading rootfs/x86_windows\Windows\System32\ntdll.dll:
[!] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[!] - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[=] Done with loading rootfs/x86_windows\Windows\System32\ntdll.dll
[=] Loading rootfs/x86_windows\Windows\System32\kernel32.dll ...
[=] Done with loading rootfs/x86_windows\Windows\System32\kernel32.dll
[=] Loading rootfs/x86_windows\Windows\System32\ucrtbased.dll ...
[=] Done with loading rootfs/x86_windows\Windows\System32\ucrtbased.dll
[=] Loading rootfs/x86_windows\Windows\System32\vcruntime140d.dll ...
[=] Done with loading rootfs/x86_windows\Windows\System32\vcruntime140d.dll
[=] LoadLibraryA(lpLibFileName = "KERNEL32.DLL") = 0x6b800000
[=] GetProcAddress(hModule = 0x6b800000, lpProcName = "HeapAlloc") = 0x6b89be35
[=] GetProcAddress(hModule = 0x6b800000, lpProcName = "IsDebuggerPresent") = 0x6b8220d0
[=] GetProcAddress(hModule = 0x6b800000, lpProcName = "RaiseException") = 0x6b8205b0
[=] GetProcAddress(hModule = 0x6b800000, lpProcName = "MultiByteToWideChar") = 0x6b81df80
[=] GetProcAddress(hModule = 0x6b800000, lpProcName = "WideCharToMultiByte") = 0x6b81dff0
[=] GetProcAddress(hModule = 0x6b800000, lpProcName = "QueryPerformanceCounter") = 0x6b81df40
[=] GetProcAddress(hModule = 0x6b800000, lpProcName = "GetCurrentProcessId") = 0x6b822e90
[=] GetProcAddress(hModule = 0x6b800000, lpProcName = "GetSystemTimeAsFileTime") = 0x6b81f390
[=] GetProcAddress(hModule = 0x6b800000, lpProcName = "TerminateProcess") = 0x6b819910
[=] GetProcAddress(hModule = 0x6b800000, lpProcName = "GetCurrentProcess") = 0x6b822e80
[=] GetProcAddress(hModule = 0x6b800000, lpProcName = "GetProcAddress") = 0x6b81f550
[=] GetProcAddress(hModule = 0x6b800000, lpProcName = "FreeLibrary") = 0x6b820ae0
[=] GetProcAddress(hModule = 0x6b800000, lpProcName = "VirtualQuery") = 0x6b81f570
[=] GetProcAddress(hModule = 0x6b800000, lpProcName = "GetProcessHeap") = 0x6b81f380
[=] GetProcAddress(hModule = 0x6b800000, lpProcName = "HeapFree") = 0x6b81df60
[=] GetProcAddress(hModule = 0x6b800000, lpProcName = "GetCurrentThreadId") = 0x6b81df10
[=] GetProcAddress(hModule = 0x6b800000, lpProcName = "GetLastError") = 0x6b81e010
[=] GetProcAddress(hModule = 0x6b800000, lpProcName = "GetModuleHandleW") = 0x6b820e50
[=] GetProcAddress(hModule = 0x6b800000, lpProcName = "IsProcessorFeaturePresent") = 0x6b820b70
[=] GetProcAddress(hModule = 0x6b800000, lpProcName = "GetStartupInfoW") = 0x6b821550
[=] GetProcAddress(hModule = 0x6b800000, lpProcName = "SetUnhandledExceptionFilter") = 0x6b821720
[=] GetProcAddress(hModule = 0x6b800000, lpProcName = "UnhandledExceptionFilter") = 0x6b835c40
[=] GetProcAddress(hModule = 0x6b800000, lpProcName = "InitializeSListHead") = 0x6b89c1f4
[=] LoadLibraryA(lpLibFileName = "ucrtbased.dll") = 0x10000000
[=] GetProcAddress(hModule = 0x10000000, lpProcName = "strcat_s") = 0x100bd8f0
[=] GetProcAddress(hModule = 0x10000000, lpProcName = "__stdio_common_vsprintf_s") = 0x100b1e70
[=] GetProcAddress(hModule = 0x10000000, lpProcName = "__p__commode") = 0x1008ddd0
[=] GetProcAddress(hModule = 0x10000000, lpProcName = "_initialize_onexit_table") = 0x10074b10
[=] GetProcAddress(hModule = 0x10000000, lpProcName = "_register_onexit_function") = 0x10074b90
[=] GetProcAddress(hModule = 0x10000000, lpProcName = "_execute_onexit_table") = 0x10074ad0
[=] GetProcAddress(hModule = 0x10000000, lpProcName = "_crt_atexit") = 0x10074aa0
[=] GetProcAddress(hModule = 0x10000000, lpProcName = "_crt_at_quick_exit") = 0x10074a70
[=] GetProcAddress(hModule = 0x10000000, lpProcName = "_controlfp_s") = 0x100d6cf0
[=] GetProcAddress(hModule = 0x10000000, lpProcName = "terminate") = 0x1006c850
[=] GetProcAddress(hModule = 0x10000000, lpProcName = "_wmakepath_s") = 0x100fca70
[=] GetProcAddress(hModule = 0x10000000, lpProcName = "_wsplitpath_s") = 0x100ff6e0
[=] GetProcAddress(hModule = 0x10000000, lpProcName = "wcscpy_s") = 0x100c7a30
[=] GetProcAddress(hModule = 0x10000000, lpProcName = "strcpy_s") = 0x100be1a0
[=] GetProcAddress(hModule = 0x10000000, lpProcName = "_set_new_mode") = 0x100558b0
[=] GetProcAddress(hModule = 0x10000000, lpProcName = "_configthreadlocale") = 0x100628d0
[=] GetProcAddress(hModule = 0x10000000, lpProcName = "_register_thread_local_exe_atexit_callback") = 0x10074190
[=] GetProcAddress(hModule = 0x10000000, lpProcName = "_c_exit") = 0x10074140
[=] GetProcAddress(hModule = 0x10000000, lpProcName = "_cexit") = 0x10074170
[=] GetProcAddress(hModule = 0x10000000, lpProcName = "__p___argv") = 0x1006d930
[=] GetProcAddress(hModule = 0x10000000, lpProcName = "__p___argc") = 0x1006d920
[=] GetProcAddress(hModule = 0x10000000, lpProcName = "_set_fmode") = 0x1010df70
[=] GetProcAddress(hModule = 0x10000000, lpProcName = "_exit") = 0x100740f0
[=] GetProcAddress(hModule = 0x10000000, lpProcName = "exit") = 0x100741e0
[=] GetProcAddress(hModule = 0x10000000, lpProcName = "_initterm_e") = 0x100742b0
[=] GetProcAddress(hModule = 0x10000000, lpProcName = "_initterm") = 0x10074240
[=] GetProcAddress(hModule = 0x10000000, lpProcName = "_get_initial_narrow_environment") = 0x10019260
[=] GetProcAddress(hModule = 0x10000000, lpProcName = "_initialize_narrow_environment") = 0x100191d0
[=] GetProcAddress(hModule = 0x10000000, lpProcName = "_configure_narrow_argv") = 0x1006f060
[=] GetProcAddress(hModule = 0x10000000, lpProcName = "__setusermatherr") = 0x100ea840
[=] GetProcAddress(hModule = 0x10000000, lpProcName = "_set_app_type") = 0x10057890
[=] GetProcAddress(hModule = 0x10000000, lpProcName = "_seh_filter_exe") = 0x1006a840
[=] GetProcAddress(hModule = 0x10000000, lpProcName = "_CrtDbgReportW") = 0x10068760
[=] GetProcAddress(hModule = 0x10000000, lpProcName = "_CrtDbgReport") = 0x100686e0
[=] GetProcAddress(hModule = 0x10000000, lpProcName = "__stdio_common_vfprintf") = 0x100b1b30
[=] GetProcAddress(hModule = 0x10000000, lpProcName = "__acrt_iob_func") = 0x100b84f0
[=] GetProcAddress(hModule = 0x10000000, lpProcName = "_seh_filter_dll") = 0x1006a800
[=] LoadLibraryA(lpLibFileName = "VCRUNTIME140D.dll") = 0x101c7000
[=] GetProcAddress(hModule = 0x101c7000, lpProcName = "__vcrt_GetModuleFileNameW") = 0x101d3440
[=] GetProcAddress(hModule = 0x101c7000, lpProcName = "_except_handler4_common") = 0x0
[=] ExitProcess(uExitCode = 0)
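An added diagnostic script for this kind of failure; it is not code from the issue or from the Qiling project. It does two things the trace above makes useful: it walks Qiling's API trace and names every GetProcAddress that returned NULL together with the DLL the handle came from (a NULL result is what a UPX import stub turns into ExitProcess, which matches the trace ending in `_except_handler4_common = 0x0` followed by `ExitProcess`), and it stops emulation at the OEP by watching for the first instruction executed inside the image but outside the section that holds the PE entry point, then dumps the in-memory image. The two helpers are pure Python and run offline on the abbreviated trace embedded below; `run_with_qiling()` is the wiring and assumes Qiling 1.4.x's `ql.os.set_api(..., QL_INTERCEPT.EXIT)` handler signature `(ql, address, params, retval)`, `ql.hook_code`, `ql.mem.read`, and that the image is mapped at its preferred ImageBase, as the trace shows for 0x400000. The section bounds in the `__main__` demo and the sample trace are constructed from this issue's numbers.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Patterns for the two loader-API trace lines Qiling prints (format copied from
# the trace in this issue). Several entries may share one line, hence finditer.
LOADLIB_RE = re.compile(r'LoadLibraryA\(lpLibFileName = "([^"]*)"\) = (0x[0-9a-fA-F]+)')
GPA_RE = re.compile(
    r'GetProcAddress\(hModule = (0x[0-9a-fA-F]+), lpProcName = "([^"]*)"\) = (0x[0-9a-fA-F]+)')

# Constructed, abbreviated copy of the issue's trace: just enough to show the failure.
SAMPLE_LOG = [
    '[=] LoadLibraryA(lpLibFileName = "KERNEL32.DLL") = 0x6b800000',
    '[=] GetProcAddress(hModule = 0x6b800000, lpProcName = "HeapAlloc") = 0x6b89be35',
    '[=] LoadLibraryA(lpLibFileName = "VCRUNTIME140D.dll") = 0x101c7000',
    '[=] GetProcAddress(hModule = 0x101c7000, lpProcName = "__vcrt_GetModuleFileNameW") = 0x101d3440',
    '[=] GetProcAddress(hModule = 0x101c7000, lpProcName = "_except_handler4_common") = 0x0',
    '[=] ExitProcess(uExitCode = 0)',
]


@dataclass(frozen=True)
class Unresolved:
    module: str   # DLL name from LoadLibraryA, or the raw handle if never seen
    symbol: str


def find_unresolved_imports(log: Iterable[str]) -> List[Unresolved]:
    """Return every GetProcAddress in a Qiling API trace that returned NULL,
    mapping the hModule back to the LoadLibraryA call that produced it."""
    handles = {}
    found = []
    for line in log:
        for m in LOADLIB_RE.finditer(line):
            handles[int(m.group(2), 16)] = m.group(1)
        for m in GPA_RE.finditer(line):
            hmod, name, ret = int(m.group(1), 16), m.group(2), int(m.group(3), 16)
            if ret == 0:
                found.append(Unresolved(handles.get(hmod, f"{hmod:#x}"), name))
    return found


@dataclass
class OepDetector:
    """A UPX-style stub executes only inside the section holding the PE entry
    point and finishes with a jump into the decompressed code. The first
    instruction executed inside the image but outside that section is the OEP
    candidate; addresses in DLLs (outside the image) are ignored."""
    stub_lo: int
    stub_hi: int
    image_lo: int
    image_hi: int
    oep: Optional[int] = None

    def feed(self, address: int) -> bool:
        """Feed one executed address; returns True once the OEP has been seen."""
        if (self.oep is None and self.image_lo <= address < self.image_hi
                and not (self.stub_lo <= address < self.stub_hi)):
            self.oep = address
        return self.oep is not None


def run_with_qiling(exe_path: str, rootfs: str, dump_path: str = "unpacked.bin") -> Optional[int]:
    """Emulate exe_path under Qiling, warn on NULL GetProcAddress results, stop at
    the OEP and dump the image. Assumed Qiling 1.4.x API; pefile ships with Qiling."""
    import pefile
    from qiling import Qiling
    from qiling.const import QL_INTERCEPT, QL_VERBOSE

    pe = pefile.PE(exe_path, fast_load=True)
    base = pe.OPTIONAL_HEADER.ImageBase          # assumption: mapped at ImageBase
    ep_rva = pe.OPTIONAL_HEADER.AddressOfEntryPoint
    stub = next(s for s in pe.sections
                if s.VirtualAddress <= ep_rva < s.VirtualAddress + max(s.Misc_VirtualSize, s.SizeOfRawData))
    det = OepDetector(stub_lo=base + stub.VirtualAddress,
                      stub_hi=base + stub.VirtualAddress + max(stub.Misc_VirtualSize, stub.SizeOfRawData),
                      image_lo=base, image_hi=base + pe.OPTIONAL_HEADER.SizeOfImage)

    ql = Qiling([exe_path], rootfs, verbose=QL_VERBOSE.DEFAULT)

    def on_gpa_exit(ql, address, params, retval):
        # Runs after Qiling's GetProcAddress handler; report the missing export
        # before the stub turns the NULL into ExitProcess.
        if retval == 0:
            ql.log.warning(f"GetProcAddress({params['hModule']:#x}, {params['lpProcName']!r}) "
                           "returned NULL: export missing from the rootfs DLL")
        return retval

    def on_code(ql, address, size):
        if det.feed(address):
            ql.log.info(f"OEP candidate at {det.oep:#x}; stopping and dumping image")
            ql.emu_stop()

    ql.os.set_api("GetProcAddress", on_gpa_exit, QL_INTERCEPT.EXIT)
    ql.hook_code(on_code)       # per-instruction hook: slow, but fine for a packer stub
    ql.run()

    if det.oep is not None:
        with open(dump_path, "wb") as f:
            f.write(ql.mem.read(det.image_lo, det.image_hi - det.image_lo))
    return det.oep


if __name__ == "__main__":
    import sys
    print(find_unresolved_imports(SAMPLE_LOG))
    if len(sys.argv) == 3:      # python this.py <packed.exe> <rootfs/x86_windows>
        print(run_with_qiling(sys.argv[1], sys.argv[2]))
```

The dump written at the OEP is a raw copy of the mapped image, so sections are laid out at their virtual addresses and the import table still has to be rebuilt before it loads as a PE; the point here is to tell "stub bailed on a missing export" apart from "reached the OEP and died later", which is exactly the distinction the two runs in this thread turn on.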

elicn commented 2 years ago

Hi. Can you please elaborate what the expected behavior should be? Is it possible to share the executable here for us to test?

LakerMoon commented 2 years ago

It executed test.exe (release) successfully:

PS D:\Code\qiling-master\qiling-master\examples> python .\crackme_x86_windows_setcallback.py
[=] Initiate stack address at 0xfffdd000
[=] Loading rootfs/x86_windows/bin/Upxtest.exe to 0x400000
[=] PE entry point at 0x407e50
[=] TEB addr is 0x6000
[=] PEB addr is 0x6044
[=] Loading rootfs/x86_windows\Windows\System32\ntdll.dll ...
[!] Warnings while loading rootfs/x86_windows\Windows\System32\ntdll.dll:
[!] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[!] - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[=] Done with loading rootfs/x86_windows\Windows\System32\ntdll.dll
[=] Loading rootfs/x86_windows\Windows\System32\kernel32.dll ...
[=] Done with loading rootfs/x86_windows\Windows\System32\kernel32.dll
[=] Loading rootfs/x86_windows\Windows\System32\api-ms-win-crt-heap-l1-1-0.dll ...
[!] Warnings while loading rootfs/x86_windows\Windows\System32\api-ms-win-crt-heap-l1-1-0.dll:
[!] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[!] - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[=] Done with loading rootfs/x86_windows\Windows\System32\api-ms-win-crt-heap-l1-1-0.dll
[=] Loading rootfs/x86_windows\Windows\System32\api-ms-win-crt-locale-l1-1-0.dll ...
[!] Warnings while loading rootfs/x86_windows\Windows\System32\api-ms-win-crt-locale-l1-1-0.dll:
[!] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[!] - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[=] Done with loading rootfs/x86_windows\Windows\System32\api-ms-win-crt-locale-l1-1-0.dll
[=] Loading rootfs/x86_windows\Windows\System32\api-ms-win-crt-math-l1-1-0.dll ...
[!] Warnings while loading rootfs/x86_windows\Windows\System32\api-ms-win-crt-math-l1-1-0.dll:
[!] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[!] - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[=] Done with loading rootfs/x86_windows\Windows\System32\api-ms-win-crt-math-l1-1-0.dll
[=] Loading rootfs/x86_windows\Windows\System32\api-ms-win-crt-runtime-l1-1-0.dll ...
[!] Warnings while loading rootfs/x86_windows\Windows\System32\api-ms-win-crt-runtime-l1-1-0.dll:
[!] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[!] - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[=] Done with loading rootfs/x86_windows\Windows\System32\api-ms-win-crt-runtime-l1-1-0.dll
[=] Loading rootfs/x86_windows\Windows\System32\api-ms-win-crt-stdio-l1-1-0.dll ...
[!] Warnings while loading rootfs/x86_windows\Windows\System32\api-ms-win-crt-stdio-l1-1-0.dll:
[!] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[!] - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[=] Done with loading rootfs/x86_windows\Windows\System32\api-ms-win-crt-stdio-l1-1-0.dll
[=] Loading rootfs/x86_windows\Windows\System32\vcruntime140.dll ...
[=] Done with loading rootfs/x86_windows\Windows\System32\vcruntime140.dll
[=] LoadLibraryA(lpLibFileName = "KERNEL32.DLL") = 0x6b800000
[=] GetProcAddress(hModule = 0x6b800000, lpProcName = "LoadLibraryA") = 0x6b820bd0
[=] GetProcAddress(hModule = 0x6b800000, lpProcName = "GetProcAddress") = 0x6b81f550
[=] GetProcAddress(hModule = 0x6b800000, lpProcName = "IsDebuggerPresent") = 0x6b8220d0
[=] GetProcAddress(hModule = 0x6b800000, lpProcName = "InitializeSListHead") = 0x6b89c1f4
[=] GetProcAddress(hModule = 0x6b800000, lpProcName = "GetSystemTimeAsFileTime") = 0x6b81f390
[=] GetProcAddress(hModule = 0x6b800000, lpProcName = "GetCurrentThreadId") = 0x6b81df10
[=] GetProcAddress(hModule = 0x6b800000, lpProcName = "GetCurrentProcessId") = 0x6b822e90
[=] GetProcAddress(hModule = 0x6b800000, lpProcName = "QueryPerformanceCounter") = 0x6b81df40
[=] GetProcAddress(hModule = 0x6b800000, lpProcName = "IsProcessorFeaturePresent") = 0x6b820b70
[=] GetProcAddress(hModule = 0x6b800000, lpProcName = "TerminateProcess") = 0x6b819910
[=] GetProcAddress(hModule = 0x6b800000, lpProcName = "GetCurrentProcess") = 0x6b822e80
[=] GetProcAddress(hModule = 0x6b800000, lpProcName = "SetUnhandledExceptionFilter") = 0x6b821720
[=] GetProcAddress(hModule = 0x6b800000, lpProcName = "UnhandledExceptionFilter") = 0x6b835c40
[=] GetProcAddress(hModule = 0x6b800000, lpProcName = "GetModuleHandleW") = 0x6b820e50
[=] LoadLibraryA(lpLibFileName = "api-ms-win-crt-heap-l1-1-0.dll") = 0x10000000
[=] GetProcAddress(hModule = 0x10000000, lpProcName = "_set_new_mode") = 0x100015d5
[=] LoadLibraryA(lpLibFileName = "api-ms-win-crt-locale-l1-1-0.dll") = 0x10010000
[=] GetProcAddress(hModule = 0x10010000, lpProcName = "_configthreadlocale") = 0x100113f3
[=] LoadLibraryA(lpLibFileName = "api-ms-win-crt-math-l1-1-0.dll") = 0x10020000
[=] GetProcAddress(hModule = 0x10020000, lpProcName = "__setusermatherr") = 0x100223ca
[=] LoadLibraryA(lpLibFileName = "api-ms-win-crt-runtime-l1-1-0.dll") = 0x10030000
[=] GetProcAddress(hModule = 0x10030000, lpProcName = "_configure_narrow_argv") = 0x100318e8
[=] GetProcAddress(hModule = 0x10030000, lpProcName = "__p___argc") = 0x10031654
[=] GetProcAddress(hModule = 0x10030000, lpProcName = "_initialize_onexit_table") = 0x10031e13
[=] GetProcAddress(hModule = 0x10030000, lpProcName = "_exit") = 0x10031aaf
[=] GetProcAddress(hModule = 0x10030000, lpProcName = "_c_exit") = 0x1003188e
[=] GetProcAddress(hModule = 0x10030000, lpProcName = "_crt_atexit") = 0x100319d7
[=] GetProcAddress(hModule = 0x10030000, lpProcName = "_controlfp_s") = 0x10031986
[=] GetProcAddress(hModule = 0x10030000, lpProcName = "terminate") = 0x100325e2
[=] GetProcAddress(hModule = 0x10030000, lpProcName = "exit") = 0x100323c1
[=] GetProcAddress(hModule = 0x10030000, lpProcName = "_initterm_e") = 0x10031ea1
[=] GetProcAddress(hModule = 0x10030000, lpProcName = "_register_thread_local_exe_atexit_callback") = 0x10031ffa
[=] GetProcAddress(hModule = 0x10030000, lpProcName = "_cexit") = 0x100318a6
[=] GetProcAddress(hModule = 0x10030000, lpProcName = "__p___argv") = 0x10031673
[=] GetProcAddress(hModule = 0x10030000, lpProcName = "_set_app_type") = 0x100320e4
[=] GetProcAddress(hModule = 0x10030000, lpProcName = "_seh_filter_exe") = 0x1003208c
[=] GetProcAddress(hModule = 0x10030000, lpProcName = "_initterm") = 0x10031e82
[=] GetProcAddress(hModule = 0x10030000, lpProcName = "_get_initial_narrow_environment") = 0x10031b5e
[=] GetProcAddress(hModule = 0x10030000, lpProcName = "_register_onexit_function") = 0x10031fac
[=] GetProcAddress(hModule = 0x10030000, lpProcName = "_initialize_narrow_environment") = 0x10031dd2
[=] LoadLibraryA(lpLibFileName = "api-ms-win-crt-stdio-l1-1-0.dll") = 0x10040000
[=] GetProcAddress(hModule = 0x10040000, lpProcName = "__stdio_common_vfprintf") = 0x10041831
[=] GetProcAddress(hModule = 0x10040000, lpProcName = "__p__commode") = 0x100417e4
[=] GetProcAddress(hModule = 0x10040000, lpProcName = "_set_fmode") = 0x100423f7
[=] GetProcAddress(hModule = 0x10040000, lpProcName = "__acrt_iob_func") = 0x100417be
[=] LoadLibraryA(lpLibFileName = "VCRUNTIME140.dll") = 0x10050000
[=] GetProcAddress(hModule = 0x10050000, lpProcName = "memset") = 0x100538a0
[=] GetProcAddress(hModule = 0x10050000, lpProcName = "__current_exception_context") = 0x100562f0
[=] GetProcAddress(hModule = 0x10050000, lpProcName = "__current_exception") = 0x100562e0
[=] GetProcAddress(hModule = 0x10050000, lpProcName = "_except_handler4_common") = 0x10053ff0
[=] VirtualProtect(lpAddress = 0x400000, dwSize = 0x1000, flNewProtect = 0x4, lpflOldProtect = 0xffffcfdc) = 0x1
[=] VirtualProtect(lpAddress = 0x400000, dwSize = 0x1000, flNewProtect = 0, lpflOldProtect = 0xffffcfdc) = 0x1
[=] GetSystemTimeAsFileTime(lpSystemTimeAsFileTime = 0xffffcfe0)
[=] GetCurrentThreadId() = 0x0
[=] GetCurrentProcessId() = 0x7cc
[=] QueryPerformanceCounter(lpPerformanceCount = 0xffffcfd8) = 0x0
[=] IsProcessorFeaturePresent(ProcessorFeature = 0xa) = 0x1
[=] _initterm_e(pfbegin = 0x4020e0, pfend = 0x4020ec) = 0x0
[=] _initterm(pfbegin = 0x4020d4, pfend = 0x4020dc)
[=] _get_initial_narrow_environment() = 0x0
[=] __p___argv() = 0x5000b23
[=] __p___argc() = 0x5000b27
[=] Loading rootfs/x86_windows\Windows\System32\ucrtbased.dll ...
[=] Done with loading rootfs/x86_windows\Windows\System32\ucrtbased.dll
[=] LoadLibraryA(lpLibFileName = "ucrtbased.dll") = 0x10070000
[=] GetProcAddress(hModule = 0x10070000, lpProcName = "strcpy_s") = 0x1012e1a0
[=] __acrt_iob_func(idx = 0x1) = 0x0
funcA OK!
[=] __stdio_common_vfprintf(_Options = 0, _Stream = 0, _Format = "funcA OK!\n", _Locale = 0, _ArgList = 0xffffcfb8) = 0xa
[=] GetModuleHandleW(lpModuleName = 0) = 0x400000
[=] exit(status = 0)

How can I send my test file to you?

elicn commented 2 years ago

@LakerMoon, I am not sure whether there is still a problem here. If there is a problem, you can share a link to the program in subject and I'll try to debug this. If there is no problem, kindly close this issue.

LakerMoon commented 2 years ago

my program: [ testPE32upx.exe ] Link:https://cowtransfer.com/s/ee1ceef40dbf46

elicn commented 2 years ago

It looks like the packed binary does run, even though it fails afterwards - probably for another reason:
[image]
Please check out the dev branch and see if it works for you; it will take about a minute for the binary to unpack.

LakerMoon commented 2 years ago

I use the master branch; it fails before unpacking. Do you use the dev branch?

LakerMoon commented 2 years ago

I will use the dev branch to have a try.

LakerMoon commented 2 years ago

I used the dev branch and ran the packed binary. It doesn't work and calls ExitProcess before it runs to the OEP.
[image]
[image]

xwings commented 1 year ago

Close for now.

We have updated the codebase for Qiling and Unicorn since this issue was posted.

Feel free to try the latest version.