qilingframework / qiling

A True Instrumentable Binary Emulation Framework
https://qiling.io
GNU General Public License v2.0

Emulating virtualised Windows driver terminates in UC_ERR_FETCH_UNMAPPED #588

Closed CallumCVM closed 3 years ago

CallumCVM commented 3 years ago

When emulating a Windows driver that is virtualised with VMProtect, the emulation terminates eventually in

[!] Error: PC(0xdeadc0de) Unreachable

The full log (driver name omitted):

```
[+] Windows Registry PATH: D:\Programs\qiling-1.1.3\examples\scripts\examples\rootfs\x8664_windows\Windows\registry
[+] Initiate stack address at 0x7ffffffde000
[+] Loading D:\xxx.sys to 0x140000000
[+] PE entry point at 0x140017000
[+] Driver object addr is 0x6000000
[+] Registry path addr is 0x6000150
[+] EPROCESS is is 0x6000160
[+] KI_USER_SHARED_DATA is 0xfffff78000000000
[+] Setting up DriverEntry args
[+] Setting RCX (arg1) to 6000000 (PDRIVER_OBJECT)
[+] Setting RDX (arg2) to 6000150 (PUNICODE_STRING)
[+] Loading D:\Programs\qiling-1.1.3\examples\scripts\examples\rootfs\x8664_windows\Windows\System32\ntoskrnl.exe to 0x7ffff0000000
[+] Done with loading D:\Programs\qiling-1.1.3\examples\scripts\examples\rootfs\x8664_windows\Windows\System32\ntoskrnl.exe
[+] Loading D:\Programs\qiling-1.1.3\examples\scripts\examples\rootfs\x8664_windows\Windows\System32\ntdll.dll to 0x7ffff1046000
[+] Done with loading D:\Programs\qiling-1.1.3\examples\scripts\examples\rootfs\x8664_windows\Windows\System32\ntdll.dll
[+] Loading D:\Programs\qiling-1.1.3\examples\scripts\examples\rootfs\x8664_windows\Windows\System32\kernel32.dll to 0x7ffff123c000
[+] Done with loading D:\Programs\qiling-1.1.3\examples\scripts\examples\rootfs\x8664_windows\Windows\System32\kernel32.dll
[+] Loading D:\Programs\qiling-1.1.3\examples\scripts\examples\rootfs\x8664_windows\Windows\System32\fltmgr.sys to 0x7ffff12f9000
[+] Done with loading D:\Programs\qiling-1.1.3\examples\scripts\examples\rootfs\x8664_windows\Windows\System32\fltmgr.sys
[+] Done with loading D:\xxx.sys
[!] __chkstk is not implemented
0x7ffff064f440: MmGetSystemRoutineAddress(SystemRoutineName = "00120010-0000-0000-68b7-010000800000") = 0x0
[+] ERROR: unmapped memory access at 0xdeadc0de

[-] ah : 0x0
[-] al : 0x1
[-] ch : 0x0
[-] cl : 0x0
[-] dh : 0x1
[-] dl : 0x50
[-] bh : 0x0
[-] bl : 0x0
[-] ax : 0x1
[-] cx : 0x0
[-] dx : 0x150
[-] bx : 0x0
[-] sp : 0xd008
[-] bp : 0xd000
[-] si : 0x0
[-] di : 0x0
[-] ip : 0xc0de
[-] eax : 0xc0000001
[-] ecx : 0x3bb0000
[-] edx : 0x6000150
[-] ebx : 0x0
[-] esp : 0x1d008
[-] ebp : 0x1d000
[-] esi : 0x0
[-] edi : 0x0
[-] eip : 0xdeadc0de
[-] rax : 0xc0000001
[-] rbx : 0x0
[-] rcx : 0x8cf3416403bb0000
[-] rdx : 0x6000150
[-] rsi : 0x0
[-] rdi : 0x0
[-] rbp : 0x80000001d000
[-] rsp : 0x80000001d008
[-] r8 : 0x2b992ddfa232
[-] r9 : 0x0
[-] r10 : 0x0
[-] r11 : 0x80000001cfd8
[-] r12 : 0x0
[-] r13 : 0x0
[-] r14 : 0x0
[-] r15 : 0x0
[-] rip : 0xdeadc0de
[-] r8b : 0x32
[-] r9b : 0x0
[-] r10b : 0x0
[-] r11b : 0xd8
[-] r12b : 0x0
[-] r13b : 0x0
[-] r14b : 0x0
[-] r15b : 0x0
[-] r8w : 0xa232
[-] r9w : 0x0
[-] r10w : 0x0
[-] r11w : 0xcfd8
[-] r12w : 0x0
[-] r13w : 0x0
[-] r14w : 0x0
[-] r15w : 0x0
[-] r8d : 0x2ddfa232
[-] r9d : 0x0
[-] r10d : 0x0
[-] r11d : 0x1cfd8
[-] r12d : 0x0
[-] r13d : 0x0
[-] r14d : 0x0
[-] r15d : 0x0
[-] cr0 : 0x11
[-] cr1 : 0x0
[-] cr2 : 0x0
[-] cr3 : 0x0
[-] cr4 : 0x6f8
[-] cr5 : 0x0
[-] cr6 : 0x0
[-] cr7 : 0x0
[-] cr8 : 0x0
[-] cr9 : 0x0
[-] cr10 : 0x0
[-] cr11 : 0x0
[-] cr12 : 0x0
[-] cr13 : 0x0
[-] cr14 : 0x0
[-] cr15 : 0x0
[-] st0 : 0x0
[-] st1 : 0x0
[-] st2 : 0x0
[-] st3 : 0x0
[-] st4 : 0x0
[-] st5 : 0x0
[-] st6 : 0x0
[-] st7 : 0x0
[-] ef : 0x46
[-] cs : 0x0
[-] ss : 0x0
[-] ds : 0x0
[-] es : 0x0
[-] fs : 0x0
[-] gs : 0x0

[+] PC = 0xdeadc0de

[+] Start            End              Perm.  Path
[+] 06000000 - 07400000 - rwx [GS]
[+] 140000000 - 1402b7000 - rwx [PE] (D:\xxx.sys)
[+] 500000000 - 500001000 - rwx [heap]
[+] 500001000 - 500002000 - rwx [heap]
[+] 500002000 - 500003000 - rwx [heap]
[+] 500003000 - 500004000 - rwx [heap]
[+] 500004000 - 500005000 - rwx [heap]
[+] 500005000 - 500006000 - rwx [heap]
[+] 500006000 - 500007000 - rwx [heap]
[+] 500007000 - 500008000 - rwx [heap]
[+] 500008000 - 500009000 - rwx [heap]
[+] 500009000 - 50000a000 - rwx [heap]
[+] 50000a000 - 50000b000 - rwx [heap]
[+] 50000b000 - 50000c000 - rwx [heap]
[+] 50000c000 - 50000d000 - rwx [heap]
[+] 50000d000 - 50000e000 - rwx [heap]
[+] 50000e000 - 50000f000 - rwx [heap]
[+] 50000f000 - 500010000 - rwx [heap]
[+] 500010000 - 500011000 - rwx [heap]
[+] 500011000 - 500012000 - rwx [heap]
[+] 500012000 - 500013000 - rwx [heap]
[+] 500013000 - 500014000 - rwx [heap]
[+] 500014000 - 500015000 - rwx [heap]
[+] 500015000 - 500016000 - rwx [heap]
[+] 500016000 - 500017000 - rwx [heap]
[+] 500017000 - 500018000 - rwx [heap]
[+] 500018000 - 500019000 - rwx [heap]
[+] 500019000 - 50001a000 - rwx [heap]
[+] 50001a000 - 50001b000 - rwx [heap]
[+] 50001b000 - 50001c000 - rwx [heap]
[+] 50001c000 - 50001d000 - rwx [heap]
[+] 50001d000 - 50001e000 - rwx [heap]
[+] 50001e000 - 50001f000 - rwx [heap]
[+] 50001f000 - 500020000 - rwx [heap]
[+] 500020000 - 500021000 - rwx [heap]
[+] 500021000 - 500022000 - rwx [heap]
[+] 500022000 - 500023000 - rwx [heap]
[+] 500023000 - 500024000 - rwx [heap]
[+] 500024000 - 500025000 - rwx [heap]
[+] 500025000 - 500026000 - rwx [heap]
[+] 500026000 - 500027000 - rwx [heap]
[+] 500027000 - 500028000 - rwx [heap]
[+] 500028000 - 500029000 - rwx [heap]
[+] 500029000 - 50002a000 - rwx [heap]
[+] 50002a000 - 50002b000 - rwx [heap]
[+] 50002b000 - 50002c000 - rwx [heap]
[+] 50002c000 - 50002d000 - rwx [heap]
[+] 50002d000 - 50002e000 - rwx [heap]
[+] 50002e000 - 50002f000 - rwx [heap]
[+] 50002f000 - 500030000 - rwx [heap]
[+] 500030000 - 500031000 - rwx [heap]
[+] 500031000 - 500032000 - rwx [heap]
[+] 500032000 - 500033000 - rwx [heap]
[+] 500033000 - 500034000 - rwx [heap]
[+] 500034000 - 500035000 - rwx [heap]
[+] 500035000 - 500036000 - rwx [heap]
[+] 500036000 - 500037000 - rwx [heap]
[+] 500037000 - 500038000 - rwx [heap]
[+] 500038000 - 500039000 - rwx [heap]
[+] 500039000 - 50003a000 - rwx [heap]
[+] 50003a000 - 50003b000 - rwx [heap]
[+] 50003b000 - 50003c000 - rwx [heap]
[+] 50003c000 - 50003d000 - rwx [heap]
[+] 50003d000 - 50003e000 - rwx [heap]
[+] 50003e000 - 50003f000 - rwx [heap]
[+] 50003f000 - 500040000 - rwx [heap]
[+] 500040000 - 500041000 - rwx [heap]
[+] 500041000 - 500042000 - rwx [heap]
[+] 500042000 - 500043000 - rwx [heap]
[+] 500043000 - 500044000 - rwx [heap]
[+] 500044000 - 500045000 - rwx [heap]
[+] 500045000 - 500046000 - rwx [heap]
[+] 500046000 - 500047000 - rwx [heap]
[+] 500047000 - 500048000 - rwx [heap]
[+] 500048000 - 500049000 - rwx [heap]
[+] 500049000 - 50004a000 - rwx [heap]
[+] 50004a000 - 50004b000 - rwx [heap]
[+] 50004b000 - 50004c000 - rwx [heap]
[+] 50004c000 - 50004d000 - rwx [heap]
[+] 50004d000 - 50004e000 - rwx [heap]
[+] 50004e000 - 50004f000 - rwx [heap]
[+] 50004f000 - 500050000 - rwx [heap]
[+] 500050000 - 500051000 - rwx [heap]
[+] 500051000 - 500052000 - rwx [heap]
[+] 500052000 - 500053000 - rwx [heap]
[+] 500053000 - 500054000 - rwx [heap]
[+] 500054000 - 500055000 - rwx [heap]
[+] 500055000 - 500056000 - rwx [heap]
[+] 500056000 - 500057000 - rwx [heap]
[+] 500057000 - 500058000 - rwx [heap]
[+] 500058000 - 500059000 - rwx [heap]
[+] 500059000 - 50005a000 - rwx [heap]
[+] 50005a000 - 50005b000 - rwx [heap]
[+] 50005b000 - 50005c000 - rwx [heap]
[+] 50005c000 - 50005d000 - rwx [heap]
[+] 50005d000 - 50005e000 - rwx [heap]
[+] 50005e000 - 50005f000 - rwx [heap]
[+] 50005f000 - 500060000 - rwx [heap]
[+] 500060000 - 500061000 - rwx [heap]
[+] 500061000 - 500062000 - rwx [heap]
[+] 500062000 - 500063000 - rwx [heap]
[+] 500063000 - 500064000 - rwx [heap]
[+] 500064000 - 500065000 - rwx [heap]
[+] 500065000 - 500066000 - rwx [heap]
[+] 500066000 - 500067000 - rwx [heap]
[+] 500067000 - 500068000 - rwx [heap]
[+] 500068000 - 500069000 - rwx [heap]
[+] 500069000 - 50006a000 - rwx [heap]
[+] 50006a000 - 50006b000 - rwx [heap]
[+] 50006b000 - 50006c000 - rwx [heap]
[+] 50006c000 - 50006d000 - rwx [heap]
[+] 50006d000 - 50006e000 - rwx [heap]
[+] 50006e000 - 50006f000 - rwx [heap]
[+] 50006f000 - 500070000 - rwx [heap]
[+] 500070000 - 500071000 - rwx [heap]
[+] 500071000 - 500072000 - rwx [heap]
[+] 500072000 - 500073000 - rwx [heap]
[+] 500073000 - 500074000 - rwx [heap]
[+] 500074000 - 500075000 - rwx [heap]
[+] 500075000 - 500076000 - rwx [heap]
[+] 500076000 - 500077000 - rwx [heap]
[+] 500077000 - 500078000 - rwx [heap]
[+] 500078000 - 500079000 - rwx [heap]
[+] 500079000 - 50007a000 - rwx [heap]
[+] 50007a000 - 50007b000 - rwx [heap]
[+] 50007b000 - 50007c000 - rwx [heap]
[+] 50007c000 - 50007d000 - rwx [heap]
[+] 50007d000 - 50007e000 - rwx [heap]
[+] 50007e000 - 50007f000 - rwx [heap]
[+] 50007f000 - 500080000 - rwx [heap]
[+] 500080000 - 500081000 - rwx [heap]
[+] 500081000 - 500082000 - rwx [heap]
[+] 500082000 - 500083000 - rwx [heap]
[+] 7ffff0000000 - 7ffff1046000 - rwx ntoskrnl.exe (D:\Programs\qiling-1.1.3\examples\scripts\examples\rootfs\x8664_windows\Windows\System32\ntoskrnl.exe)
[+] 7ffff1046000 - 7ffff123c000 - rwx ntdll.dll (D:\Programs\qiling-1.1.3\examples\scripts\examples\rootfs\x8664_windows\Windows\System32\ntdll.dll)
[+] 7ffff123c000 - 7ffff12f9000 - rwx kernel32.dll (D:\Programs\qiling-1.1.3\examples\scripts\examples\rootfs\x8664_windows\Windows\System32\kernel32.dll)
[+] 7ffff12f9000 - 7ffff1368000 - rwx fltmgr.sys (D:\Programs\qiling-1.1.3\examples\scripts\examples\rootfs\x8664_windows\Windows\System32\fltmgr.sys)
[+] 7ffffffde000 - 80000001e000 - rwx [stack]
[!] Error: PC(0xdeadc0de) Unreachable
Traceback (most recent call last):
  File "D:\Programs\qiling-1.1.3\examples\emulator.py", line 27, in <module>
    my_sandbox(["D:\xxx.sys"], "D:\Programs\qiling-1.1.3\examples\scripts\examples\rootfs\x8664_windows\")
  File "D:\Programs\qiling-1.1.3\examples\emulator.py", line 20, in my_sandbox
    ql.run()
  File "C:\Users\xxx\AppData\Roaming\Python\Python39\site-packages\qiling\core.py", line 188, in run
    self.os.run()
  File "C:\Users\xxx\AppData\Roaming\Python\Python39\site-packages\qiling\os\windows\windows.py", line 142, in run
    self.ql.emu_start(self.ql.loader.entry_point, self.exit_point, self.ql.timeout, self.ql.count)
  File "C:\Users\xxx\AppData\Roaming\Python\Python39\site-packages\qiling\core.py", line 303, in emu_start
    self.uc.emu_start(begin, end, timeout, count)
  File "C:\Users\xxx\AppData\Roaming\Python\Python39\site-packages\unicorn\unicorn.py", line 318, in emu_start
    raise UcError(status)
unicorn.unicorn.UcError: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED)
```

aquynh commented 3 years ago

Are you using qiling 1.2? (only this version supports loading drivers)

CallumCVM commented 3 years ago

I wasn't, but I upgraded to 1.2 and it resulted in the same outcome.

learn-more commented 3 years ago

This means that the function has returned (which is normally what a driver entry does)

#397 aims to add functionality that makes this terminate the session 'correctly'
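
As an added example (not code from the qiling project or from anyone in this thread): the register dump in the report already carries the answer to the point made above, since RIP is 0xdeadc0de while RAX is 0xc0000001, which on x64 is DriverEntry's return value and decodes to STATUS_UNSUCCESSFUL. The script below does two things: a pure-Python check that separates a return onto the sentinel address from a genuine jump into unmapped memory and decodes the NTSTATUS, and a `run_driver()` helper that hooks the sentinel so the session ends cleanly with that status instead of a UcError. Assumptions: the sentinel value 0xdeadc0de is taken from the log in this issue; `run_driver()` assumes the Qiling 1.2 API (`Qiling()`, `ql.mem.map()`, `ql.mem.write()`, `ql.hook_address()`, `ql.reg.rax`, `ql.emu_stop()`, `ql.run()`) and that the page containing the sentinel is still unmapped when it is called; the NTSTATUS names come from ntstatus.h.

```python
"""Added example, not part of qiling or of this issue thread.

1. classify_exit(): given Qiling's '[-] reg : 0x..' register dump, tell a clean
   DriverEntry return (RIP == sentinel, RAX == NTSTATUS) from a wild fetch.
2. run_driver(): emulate a driver and stop at the sentinel instead of faulting.

Assumptions: sentinel 0xdeadc0de is the value seen in this issue's log; the
Qiling calls in run_driver() are the 1.2 API; NTSTATUS names are from ntstatus.h.
"""
import re

# PC reported in the issue's log once DriverEntry had returned (assumption: this
# is the return address Qiling pushed before calling DriverEntry).
DRIVER_ENTRY_RETURN_SENTINEL = 0xDEADC0DE

# A few well-known NTSTATUS values (Windows SDK ntstatus.h).
NTSTATUS_NAMES = {
    0x00000000: "STATUS_SUCCESS",
    0xC0000001: "STATUS_UNSUCCESSFUL",
    0xC000000D: "STATUS_INVALID_PARAMETER",
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC00000BB: "STATUS_NOT_SUPPORTED",
}


def ntstatus_name(value):
    """Symbolic name for a 32-bit NTSTATUS, or a severity-based fallback."""
    value &= 0xFFFFFFFF
    if value in NTSTATUS_NAMES:
        return NTSTATUS_NAMES[value]
    severity = {0: "SUCCESS", 1: "INFORMATIONAL", 2: "WARNING", 3: "ERROR"}[value >> 30]
    return f"NTSTATUS({severity}, 0x{value:08X})"


_REG_LINE = re.compile(r"\[-\]\s*(\w+)\s*:\s*(0x[0-9a-fA-F]+)")


def parse_register_dump(text):
    """Parse Qiling's '[-] reg : 0x..' dump (the format printed in the issue)."""
    return {name: int(val, 16) for name, val in _REG_LINE.findall(text)}


def classify_exit(regs, sentinel=DRIVER_ENTRY_RETURN_SENTINEL):
    """Decide what an 'unmapped memory fetch' exit actually was.

    Returns (kind, status, status_name): kind is 'driver_entry_returned' when the
    program counter sits on the sentinel (RAX then holds DriverEntry's NTSTATUS),
    otherwise 'unmapped_fetch' (a genuine jump into unmapped memory; status None).
    """
    pc = regs.get("rip", regs.get("eip"))
    if pc == sentinel:
        status = regs["rax"] & 0xFFFFFFFF
        return ("driver_entry_returned", status, ntstatus_name(status))
    return ("unmapped_fetch", None, None)


def run_driver(driver_path, rootfs):
    """Emulate a driver with Qiling 1.2 and stop cleanly when DriverEntry returns.

    Hypothetical helper: needs qiling installed, so it is imported lazily and the
    pure-Python functions above stay usable without it.
    """
    from qiling import Qiling  # assumption: Qiling 1.2 API

    ql = Qiling([driver_path], rootfs)
    result = {}

    # Back the sentinel with a NOP-filled page: Unicorn faults while translating
    # an unmapped address before any code hook runs, so the hook needs real bytes.
    page = DRIVER_ENTRY_RETURN_SENTINEL & ~0xFFF
    ql.mem.map(page, 0x1000, info="[driver-entry sentinel]")
    ql.mem.write(page, b"\x90" * 0x1000)

    def on_driver_entry_return(ql):
        # DriverEntry's 'ret' popped the sentinel into RIP; RAX is its NTSTATUS.
        status = ql.reg.rax & 0xFFFFFFFF
        result["status"] = status
        result["name"] = ntstatus_name(status)
        ql.emu_stop()  # end the session here instead of letting Unicorn fault

    ql.hook_address(on_driver_entry_return, DRIVER_ENTRY_RETURN_SENTINEL)
    ql.run()
    return result


# Constructed sample: the relevant registers from this issue's dump.
SAMPLE_DUMP = "[-] rax : 0xc0000001 [-] rbx : 0x0 [-] rcx : 0x8cf3416403bb0000 [-] rip : 0xdeadc0de"

if __name__ == "__main__":
    kind, status, name = classify_exit(parse_register_dump(SAMPLE_DUMP))
    print(kind, hex(status) if status is not None else None, name)
```

Run against the dump in this issue, `classify_exit()` reports `driver_entry_returned` with STATUS_UNSUCCESSFUL, which is the useful fact here: the driver's DriverEntry ran to completion and declined to load (the preceding `MmGetSystemRoutineAddress(...) = 0x0` is the likely reason), so the UcError is the framework's end-of-session artifact rather than a crash inside the virtualised code. A genuine wild jump shows up as `unmapped_fetch` with a PC that is not the sentinel. The hook in `run_driver()` only fires because the sentinel page is mapped first; hooking the bare unmapped address does nothing, since the fetch fault is raised before the hook would run.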

CallumCVM commented 3 years ago

> This means that the function has returned (which is normally what a driver entry does)
>
> #397 aims to add functionality that makes this terminate the session 'correctly'

Thanks for the info! I'll close this then, as it's not really a bug and is resolved by #397 anyway.