qilingframework / qiling

A True Instrumentable Binary Emulation Framework
https://qiling.io
GNU General Public License v2.0

(UC_ERR_WRITE_PROT) error when trying to emulate a linux x86_64 binary #495

Closed blackb0x101 closed 4 years ago

blackb0x101 commented 4 years ago

Hello,

First, thank you for this amazing project 😃 👍. I'm having an issue emulating a binary. Please find the details below.

Describe the bug

Trying to emulate an x86_64 binary yields a UC_ERR_WRITE_PROT error:

Traceback (most recent call last):
  File "solver.py", line 11, in <module>
    ql.run()
  File "/Users/nicolasrouviere/.pyenv/versions/3.8.3/lib/python3.8/site-packages/qiling/core.py", line 198, in run
    self.os.run()
  File "/Users/nicolasrouviere/.pyenv/versions/3.8.3/lib/python3.8/site-packages/qiling/os/linux/linux.py", line 123, in run
    self.ql.emu_start(self.ql.loader.elf_entry, self.exit_point, self.ql.timeout, self.ql.count)
  File "/Users/nicolasrouviere/.pyenv/versions/3.8.3/lib/python3.8/site-packages/qiling/core.py", line 257, in emu_start
    self.uc.emu_start(begin, end, timeout, count)
  File "/Users/nicolasrouviere/.pyenv/versions/3.8.3/lib/python3.8/site-packages/unicorn/unicorn.py", line 317, in emu_start
    raise UcError(status)
unicorn.unicorn.UcError: Write to write-protected memory (UC_ERR_WRITE_PROT)

Sample Code

from qiling import *
import os

binary = "headache"
root_fs = os.path.expanduser("~/Tools/qiling/examples/rootfs/x8664_linux")

ql = Qiling([binary], root_fs, output="debug")

ql.run()

Expected behavior

The binary runs successfully.

Additional context

File type

$ file headache
headache: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, stripped

If it's any help, the file is the challenge "headache" from the hackthebox platform: https://www.hackthebox.eu/home/challenges/Reversing. I can provide the binary if needed.

Environment

I tried on two platforms:

$ python -V
Python 3.8.3
...
$ which python
/Users/nicolasrouviere/.pyenv/shims/python
root@107586b35016:/mnt# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS"
root@107586b35016:/mnt# python3 -V
Python 3.6.9

I attached the output log to the ticket. Please feel free to come back to me for more information.

Attachment: headache.txt

Many thanks for your help

xwings commented 4 years ago

I guess this is part of the trick in that binary? Anyway, you can hook the final mprotect and reimplement the mprotect.

It should be easy to fix this issue.

I mean it might not be a "bug"; it might be some trick from the binary, considering this is a CTF binary.
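As an added illustration of the approach suggested in the reply above (example code written for this page, not part of the issue or of the Qiling project): a replacement `mprotect` syscall handler registered with `ql.set_syscall("mprotect", ...)` that actually applies the requested page protection through `ql.mem.protect`, so that a self-modifying binary which makes a read-only region writable before writing to it no longer trips UC_ERR_WRITE_PROT. The handler signature, `ql.set_syscall`, `ql.mem.is_mapped` and `ql.mem.protect` are assumed to follow the Qiling 1.x API, and the `Qiling(...)` constructor call copies the form used in the reporter's script. The `_FakeQL` class and its mapped range are constructed here only so the handler can be exercised offline without Qiling or the challenge binary installed.

```python
import os

PAGE_SIZE = 0x1000                            # x86_64 Linux page size
PROT_READ, PROT_WRITE, PROT_EXEC = 1, 2, 4    # same bit values as Unicorn's UC_PROT_*
EINVAL, ENOMEM = 22, 12                       # Linux errno values; syscalls return them negated


def page_align(addr, length):
    """Widen [addr, addr+length) to whole pages, as the kernel does for mprotect."""
    start = addr & ~(PAGE_SIZE - 1)
    end = (addr + length + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1)
    return start, end - start


def hook_mprotect(ql, addr, length, prot, *args, **kw):
    """Replacement mprotect(2) for ql.set_syscall("mprotect", hook_mprotect).

    Applies the requested protection to the emulated mapping, so a later write
    to a region the binary just made writable does not raise UC_ERR_WRITE_PROT.
    Returns the syscall result: 0 on success or -errno (assumed Qiling 1.x API).
    """
    if addr & (PAGE_SIZE - 1):
        return -EINVAL          # the kernel rejects unaligned start addresses
    if length == 0:
        return 0                # zero-length mprotect is a no-op
    start, size = page_align(addr, length)
    if not ql.mem.is_mapped(start, size):
        return -ENOMEM          # part of the range is not mapped
    perms = prot & (PROT_READ | PROT_WRITE | PROT_EXEC)
    ql.mem.protect(start, size, perms)
    return 0


class _FakeQL:
    """Constructed stand-in for a Qiling instance: models only the two ql.mem
    methods the handler calls, so the logic can be checked without Qiling."""

    class _Mem:
        def __init__(self, mapped):
            self.mapped = mapped            # list of (start, end) ranges, end exclusive
            self.protect_calls = []         # records (addr, size, perms) applied

        def is_mapped(self, addr, size):
            return any(s <= addr and addr + size <= e for s, e in self.mapped)

        def protect(self, addr, size, perms):
            self.protect_calls.append((addr, size, perms))

    def __init__(self, mapped):
        self.mem = self._Mem(mapped)


def demo_offline():
    """Drive the handler the way Qiling would, against a constructed mapping
    of three pages at 0x400000; returns the syscall results and applied perms."""
    ql = _FakeQL(mapped=[(0x400000, 0x403000)])
    results = {
        # typical self-modifying-code step: make part of .text RWX before patching it
        "text_rwx":  hook_mprotect(ql, 0x401000, 0x800, PROT_READ | PROT_WRITE | PROT_EXEC),
        "unaligned": hook_mprotect(ql, 0x401010, 0x100, PROT_READ),
        "unmapped":  hook_mprotect(ql, 0x500000, 0x1000, PROT_READ),
    }
    return results, ql.mem.protect_calls


def main():
    # Real wiring, following the script in the issue (assumes Qiling 1.x).
    from qiling import Qiling
    binary = "headache"
    root_fs = os.path.expanduser("~/Tools/qiling/examples/rootfs/x8664_linux")
    ql = Qiling([binary], root_fs, output="debug")
    ql.set_syscall("mprotect", hook_mprotect)   # replace the built-in handler
    ql.run()


if __name__ == "__main__":
    print(demo_offline())
    if os.path.exists("headache"):
        main()
```

The offline run shows the handler widening the 0x800-byte request to a full page and applying RWX, while rejecting an unaligned address with -EINVAL and an unmapped range with -ENOMEM, the same results the kernel would give. If the fault persists after registering the hook, the next thing to check is whether the faulting write lands inside a region the binary never mprotected at all, in which case the problem is the loader's initial permissions rather than mprotect handling.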

blackb0x101 commented 4 years ago

Hello @xwings and thanks for your answer.

Maybe it is, but the binary runs without problem outside of Qiling. A quick static analysis revealed that the main CTF code is not within the normal glibc main. Anyway, I'll try to hook mprotect and see where it leads me. Thanks for your help.