search

qilingframework / qiling

A True Instrumentable Binary Emulation Framework
https://qiling.io
GNU General Public License v2.0
5.15k stars 744 forks source link

unicorn.unicorn.UcError: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED) #653

Closed nikhilh-20 closed 3 years ago

nikhilh-20 commented 3 years ago

I have a one-liner PowerShell script (Write-Host 'Hello, World!') which I converted into a 32-bit exe. I was looking into the first example - use Qiling framework to emulate a Windows EXE on a Linux machine mentioned in the README - https://github.com/qilingframework/qiling#examples. I added the debug option and changed the exe name.

from qiling import *

# sandbox to emulate the EXE
def my_sandbox(path, rootfs):
    # setup Qiling engine
    ql = Qiling(path, rootfs, output = "debug")
    # now emulate the EXE
    ql.run()

if __name__ == "__main__":
    # execute Windows EXE under our rootfs
    my_sandbox(["hello_world.exe"], "examples/rootfs/x86_windows")

The hello_world.exe runs perfectly on x64 Win10:

.\hello_world.exe
Hello, World!

When I run it on Ubuntu 20.04, I get a unicorn.unicorn.UcError: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED) error. I would have tried to fix it myself but I'm not sure how to debug this error. I found this log interesting: ERROR: unmapped memory access at 0x0

[+] [registry.py:43]    [+] Windows Registry PATH: examples/rootfs/x86_windows/Windows/registry
[=] [pe.py:410] [+] Initiate stack address at 0xfffdd000 
[=] [pe.py:425] [+] Loading hello_world.exe to 0x400000
[=] [pe.py:426] [+] PE entry point at 0x405d3e
[=] [pe.py:147] TEB addr is 0x6000
[=] [pe.py:172] PEB addr is 0x6044
[=] [pe.py:57]  [+] Loading examples/rootfs/x86_windows/Windows/SysWOW64/ntdll.dll to 0x10000000
[=] [pe.py:114] Done with loading examples/rootfs/x86_windows/Windows/SysWOW64/ntdll.dll
[=] [pe.py:57]  [+] Loading examples/rootfs/x86_windows/Windows/SysWOW64/kernel32.dll to 0x1019a000
[=] [pe.py:114] Done with loading examples/rootfs/x86_windows/Windows/SysWOW64/kernel32.dll
[=] [pe.py:57]  [+] Loading examples/rootfs/x86_windows/Windows/SysWOW64/mscoree.dll to 0x1026f000
[=] [pe.py:114] Done with loading examples/rootfs/x86_windows/Windows/SysWOW64/mscoree.dll
[+] [pe.py:552] [+] Done with loading hello_world.exe
[+] [utils.py:362]  10283330: _CorExeMain()
[+] [utils.py:24]   [+] ERROR: unmapped memory access at 0x0
[x] [os.py:95]  

[x] [os.py:101] ah  :    0x0
[x] [os.py:101] al  :    0x0
[x] [os.py:101] ch  :    0x0
[x] [os.py:101] cl  :    0x0
[x] [os.py:101] dh  :    0x0
[x] [os.py:101] dl  :    0x0
[x] [os.py:101] bh  :    0x0
[x] [os.py:101] bl  :    0x0
[x] [os.py:101] ax  :    0x0
[x] [os.py:101] cx  :    0x0
[x] [os.py:101] dx  :    0x0
[x] [os.py:101] bx  :    0x0
[x] [os.py:101] sp  :    0xd004
[x] [os.py:101] bp  :    0xd000
[x] [os.py:101] si  :    0x0
[x] [os.py:101] di  :    0x0
[x] [os.py:101] ip  :    0x0
[x] [os.py:101] eax :    0x0
[x] [os.py:101] ecx :    0x0
[x] [os.py:101] edx :    0x0
[x] [os.py:101] ebx :    0x0
[x] [os.py:101] esp :    0xffffd004
[x] [os.py:101] ebp :    0xffffd000
[x] [os.py:101] esi :    0x0
[x] [os.py:101] edi :    0x0
[x] [os.py:101] eip :    0x0
[x] [os.py:101] cr0 :    0x11
[x] [os.py:101] cr1 :    0x0
[x] [os.py:101] cr2 :    0x0
[x] [os.py:101] cr3 :    0x0
[x] [os.py:101] cr4 :    0x0
[x] [os.py:101] cr5 :    0x0
[x] [os.py:101] cr6 :    0x0
[x] [os.py:101] cr7 :    0x0
[x] [os.py:101] cr8 :    0x0
[x] [os.py:101] cr9 :    0x0
[x] [os.py:101] cr10    :    0x0
[x] [os.py:101] cr11    :    0x0
[x] [os.py:101] cr12    :    0x0
[x] [os.py:101] cr13    :    0x0
[x] [os.py:101] cr14    :    0x0
[x] [os.py:101] cr15    :    0x0
[x] [os.py:101] st0 :    0x0
[x] [os.py:101] st1 :    0x0
[x] [os.py:101] st2 :    0x0
[x] [os.py:101] st3 :    0x0
[x] [os.py:101] st4 :    0x0
[x] [os.py:101] st5 :    0x0
[x] [os.py:101] st6 :    0x0
[x] [os.py:101] st7 :    0x0
[x] [os.py:101] ef  :    0x0
[x] [os.py:101] cs  :    0x1b
[x] [os.py:101] ss  :    0x28
[x] [os.py:101] ds  :    0x28
[x] [os.py:101] es  :    0x28
[x] [os.py:101] fs  :    0x73
[x] [os.py:101] gs  :    0x78
[x] [os.py:103] 

[x] [os.py:104] PC = 0x0
[=] [os.py:110] 

[=] [memory.py:133] [+] Start      End        Perm.  Path
[=] [memory.py:139] [+] 00006000 - 0000c000 - rwx    [FS/GS]
[=] [memory.py:139] [+] 00030000 - 00031000 - rwx    [GDT]
[=] [memory.py:139] [+] 00400000 - 0040a000 - rwx    [PE] (hello_world.exe)
[=] [memory.py:139] [+] 05000000 - 05001000 - rwx    [heap]
[=] [memory.py:139] [+] 05001000 - 05002000 - rwx    [heap]
[=] [memory.py:139] [+] 05002000 - 05003000 - rwx    [heap]
[=] [memory.py:139] [+] 05003000 - 05004000 - rwx    [heap]
[=] [memory.py:139] [+] 05004000 - 05005000 - rwx    [heap]
[=] [memory.py:139] [+] 05005000 - 05006000 - rwx    [heap]
[=] [memory.py:139] [+] 05006000 - 05007000 - rwx    [heap]
[=] [memory.py:139] [+] 05007000 - 05008000 - rwx    [heap]
[=] [memory.py:139] [+] 05008000 - 05009000 - rwx    [heap]
[=] [memory.py:139] [+] 05009000 - 0500a000 - rwx    [heap]
[=] [memory.py:139] [+] 0500a000 - 0500b000 - rwx    [heap]
[=] [memory.py:139] [+] 0500b000 - 0500c000 - rwx    [heap]
[=] [memory.py:139] [+] 0500c000 - 0500d000 - rwx    [heap]
[=] [memory.py:139] [+] 0500d000 - 0500e000 - rwx    [heap]
[=] [memory.py:139] [+] 0500e000 - 0500f000 - rwx    [heap]
[=] [memory.py:139] [+] 0500f000 - 05010000 - rwx    [heap]
[=] [memory.py:139] [+] 05010000 - 05011000 - rwx    [heap]
[=] [memory.py:139] [+] 05011000 - 05012000 - rwx    [heap]
[=] [memory.py:139] [+] 05012000 - 05013000 - rwx    [heap]
[=] [memory.py:139] [+] 05013000 - 05014000 - rwx    [heap]
[=] [memory.py:139] [+] 05014000 - 05015000 - rwx    [heap]
[=] [memory.py:139] [+] 05015000 - 05016000 - rwx    [heap]
[=] [memory.py:139] [+] 05016000 - 05017000 - rwx    [heap]
[=] [memory.py:139] [+] 05017000 - 05018000 - rwx    [heap]
[=] [memory.py:139] [+] 05018000 - 05019000 - rwx    [heap]
[=] [memory.py:139] [+] 05019000 - 0501a000 - rwx    [heap]
[=] [memory.py:139] [+] 0501a000 - 0501b000 - rwx    [heap]
[=] [memory.py:139] [+] 0501b000 - 0501c000 - rwx    [heap]
[=] [memory.py:139] [+] 0501c000 - 0501d000 - rwx    [heap]
[=] [memory.py:139] [+] 0501d000 - 0501e000 - rwx    [heap]
[=] [memory.py:139] [+] 0501e000 - 0501f000 - rwx    [heap]
[=] [memory.py:139] [+] 0501f000 - 05020000 - rwx    [heap]
[=] [memory.py:139] [+] 05020000 - 05021000 - rwx    [heap]
[=] [memory.py:139] [+] 05021000 - 05022000 - rwx    [heap]
[=] [memory.py:139] [+] 05022000 - 05023000 - rwx    [heap]
[=] [memory.py:139] [+] 05023000 - 05024000 - rwx    [heap]
[=] [memory.py:139] [+] 05024000 - 05025000 - rwx    [heap]
[=] [memory.py:139] [+] 05025000 - 05026000 - rwx    [heap]
[=] [memory.py:139] [+] 05026000 - 05027000 - rwx    [heap]
[=] [memory.py:139] [+] 05027000 - 05028000 - rwx    [heap]
[=] [memory.py:139] [+] 05028000 - 05029000 - rwx    [heap]
[=] [memory.py:139] [+] 06000000 - 0c000000 - rwx    [FS/GS]
[=] [memory.py:139] [+] 10000000 - 1019a000 - rwx    ntdll.dll (examples/rootfs/x86_windows/Windows/SysWOW64/ntdll.dll)
[=] [memory.py:139] [+] 1019a000 - 1026f000 - rwx    kernel32.dll (examples/rootfs/x86_windows/Windows/SysWOW64/kernel32.dll)
[=] [memory.py:139] [+] 1026f000 - 102c1000 - rwx    mscoree.dll (examples/rootfs/x86_windows/Windows/SysWOW64/mscoree.dll)
[=] [memory.py:139] [+] fffdd000 - ffffe000 - rwx    [stack]
[x] [os.py:120] Error: PC(0x0) Unreachable
Traceback (most recent call last):
  File "emu.py", line 12, in <module>
    my_sandbox(["hello_world.exe"], "examples/rootfs/x86_windows")
  File "emu.py", line 8, in my_sandbox
    ql.run()
  File "/home/kaido/.local/lib/python3.8/site-packages/qiling/core.py", line 765, in run
    self.os.run()
  File "/home/kaido/.local/lib/python3.8/site-packages/qiling/os/windows/windows.py", line 143, in run
    self.ql.emu_start(self.ql.loader.entry_point, self.exit_point, self.ql.timeout, self.ql.count)
  File "/home/kaido/.local/lib/python3.8/site-packages/qiling/core.py", line 994, in emu_start
    self.uc.emu_start(begin, end, timeout, count)
  File "/home/kaido/.local/lib/python3.8/site-packages/unicorn/unicorn.py", line 318, in emu_start
    raise UcError(status)
unicorn.unicorn.UcError: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED)

I'm using Python 3.8.5, Qiling 1.2.1, Unicorn 1.0.2. I also read in Qiling documentation for UC_ERR_FETCH_UNMAPPED error: Firmware might need interface br0 and a users testing enviroment might not have it. In this case, ql.patch will come in handy. Does this mean I need to create a br0 network interface on my Ubuntu machine? Why does Qiling need it?

learn-more commented 3 years ago

mscoree.dll is a runtime dll from the .NET framework. Having this example run would mean emulating the .NET framework.

nikhilh-20 commented 3 years ago

Hmmm, that makes sense. I'll close this issue as I don't see emulating .NET to be a goal anytime soon. Thanks!