qilingframework / qiling

A True Instrumentable Binary Emulation Framework
https://qiling.io
GNU General Public License v2.0

Invalid instruction (UC_ERR_INSN_INVALID) #816

Closed leepeter2019 closed 3 years ago

leepeter2019 commented 3 years ago

**Describe the bug**
As soon as the emulation begins, it stops with the error message Invalid instruction (UC_ERR_INSN_INVALID). When I checked the log, it says '[!] api `__stdio_common_vsprintf` is not implemented', '[!] api `__stdio_common_vsprintf_s` is not implemented'. I think the UC_ERR_INSN_INVALID error message is generated because of `__stdio_common_vsprintf`, `__stdio_common_vsprintf_s`. But I added the VS dynamic library 'msvcrt.dll' in the dll directory. I don't know why it cannot find the corresponding api in the dll.

**Sample Code**

```python
from qiling import Qiling

ql = Qiling(["test.exe", "model", "test", "log.txt"], "x8664_windows")
ql.run()
```

**Expected behavior**
It generates code coverage on the target software.

**Screenshots**

C:\Users\Steve\AppData\Local\Programs\Python\Python37\python.exe A:/Project/qiling-dev/test.py
[=] Initiate stack address at 0x7ffffffde000
[=] Loading helloworld.exe to 0x140000000
[=] PE entry point at 0x140004788
[=] TEB addr is 0x6000030
[=] PEB addr is 0x60000b8
[=] Loading examples/rootfs/x8664_windows\Windows\System32\ntdll.dll to 0x7ffff0000000
[!] Warnings while loading examples/rootfs/x8664_windows\Windows\System32\ntdll.dll:
[!]  - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[!]  - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[=] Done with loading examples/rootfs/x8664_windows\Windows\System32\ntdll.dll
[=] Loading examples/rootfs/x8664_windows\Windows\System32\kernel32.dll to 0x7ffff01f5000
[=] Done with loading examples/rootfs/x8664_windows\Windows\System32\kernel32.dll
[=] Loading examples/rootfs/x8664_windows\Windows\System32\user32.dll to 0x7ffff02b2000
[=] Done with loading examples/rootfs/x8664_windows\Windows\System32\user32.dll
[=] Loading examples/rootfs/x8664_windows\Windows\System32\shlwapi.dll to 0x7ffff0452000
[=] Done with loading examples/rootfs/x8664_windows\Windows\System32\shlwapi.dll
[=] Loading examples/rootfs/x8664_windows\Windows\System32\msvcp140.dll to 0x7ffff04a3000
[=] Done with loading examples/rootfs/x8664_windows\Windows\System32\msvcp140.dll
[=] Loading examples/rootfs/x8664_windows\Windows\System32\vcruntime140.dll to 0x7ffff053e000
[=] Done with loading examples/rootfs/x8664_windows\Windows\System32\vcruntime140.dll
[=] Loading examples/rootfs/x8664_windows\Windows\System32\api-ms-win-crt-stdio-l1-1-0.dll to 0x7ffff0559000
[!] Warnings while loading examples/rootfs/x8664_windows\Windows\System32\api-ms-win-crt-stdio-l1-1-0.dll:
[!]  - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[!]  - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[=] Done with loading examples/rootfs/x8664_windows\Windows\System32\api-ms-win-crt-stdio-l1-1-0.dll
[=] Loading examples/rootfs/x8664_windows\Windows\System32\api-ms-win-crt-heap-l1-1-0.dll to 0x7ffff055d000
[!] Warnings while loading examples/rootfs/x8664_windows\Windows\System32\api-ms-win-crt-heap-l1-1-0.dll:
[!]  - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[!]  - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[=] Done with loading examples/rootfs/x8664_windows\Windows\System32\api-ms-win-crt-heap-l1-1-0.dll
[=] Loading examples/rootfs/x8664_windows\Windows\System32\api-ms-win-crt-convert-l1-1-0.dll to 0x7ffff0560000
[!] Warnings while loading examples/rootfs/x8664_windows\Windows\System32\api-ms-win-crt-convert-l1-1-0.dll:
[!]  - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[!]  - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[=] Done with loading examples/rootfs/x8664_windows\Windows\System32\api-ms-win-crt-convert-l1-1-0.dll
[=] Loading examples/rootfs/x8664_windows\Windows\System32\api-ms-win-crt-filesystem-l1-1-0.dll to 0x7ffff0564000
[!] Warnings while loading examples/rootfs/x8664_windows\Windows\System32\api-ms-win-crt-filesystem-l1-1-0.dll:
[!]  - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[!]  - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[=] Done with loading examples/rootfs/x8664_windows\Windows\System32\api-ms-win-crt-filesystem-l1-1-0.dll
[=] Loading examples/rootfs/x8664_windows\Windows\System32\api-ms-win-crt-time-l1-1-0.dll to 0x7ffff0567000
[!] Warnings while loading examples/rootfs/x8664_windows\Windows\System32\api-ms-win-crt-time-l1-1-0.dll:
[!]  - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[!]  - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[=] Done with loading examples/rootfs/x8664_windows\Windows\System32\api-ms-win-crt-time-l1-1-0.dll
[=] Loading examples/rootfs/x8664_windows\Windows\System32\api-ms-win-crt-runtime-l1-1-0.dll to 0x7ffff056a000
[!] Warnings while loading examples/rootfs/x8664_windows\Windows\System32\api-ms-win-crt-runtime-l1-1-0.dll:
[!]  - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[!]  - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[=] Done with loading examples/rootfs/x8664_windows\Windows\System32\api-ms-win-crt-runtime-l1-1-0.dll
[=] Loading examples/rootfs/x8664_windows\Windows\System32\api-ms-win-crt-math-l1-1-0.dll to 0x7ffff056e000
[!] Warnings while loading examples/rootfs/x8664_windows\Windows\System32\api-ms-win-crt-math-l1-1-0.dll:
[!]  - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[!]  - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[=] Done with loading examples/rootfs/x8664_windows\Windows\System32\api-ms-win-crt-math-l1-1-0.dll
[=] Loading examples/rootfs/x8664_windows\Windows\System32\api-ms-win-crt-locale-l1-1-0.dll to 0x7ffff0573000
[!] Warnings while loading examples/rootfs/x8664_windows\Windows\System32\api-ms-win-crt-locale-l1-1-0.dll:
[!]  - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[!]  - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[=] Done with loading examples/rootfs/x8664_windows\Windows\System32\api-ms-win-crt-locale-l1-1-0.dll
[=] _initterm_e(pfbegin = 0x140006460, pfend = 0x140006478) = 0x0
[=] _initterm(pfbegin = 0x140006428, pfend = 0x140006458)
[=] __p___argv() = 0x5000016bc
[=] __p___argc() = 0x50000170c
[=] _get_initial_narrow_environment() = 0x0
[=] lstrcpyA(lpString1 = 0x14000adf0, lpString2 = "helloworld.exe") = 0x14000adf0
[=] _time64(destTime = 0) = 0x60bec9ba
[!] api __stdio_common_vsprintf is not implemented
[!] api __stdio_common_vsprintf_s is not implemented
[x]

[x] ah  :    0xaf
[x] al  :    0x60
[x] ch  :    0x0
[x] cl  :    0x1
[x] dh  :    0xad
[x] dl  :    0xa0
[x] bh  :    0xff
[x] bl  :    0xff
[x] ax  :    0xaf60
[x] cx  :    0x1
[x] dx  :    0xada0
[x] bx  :    0xffff
[x] sp  :    0xbee0
[x] bp  :    0x0
[x] si  :    0xbf3d
[x] di  :    0x0
[x] ip  :    0xab09
[x] eax :    0x4000af60
[x] ecx :    0x1
[x] edx :    0x4000ada0
[x] ebx :    0xffffffff
[x] esp :    0x1bee0
[x] ebp :    0x0
[x] esi :    0x1bf3d
[x] edi :    0x0
[x] eip :    0xf055ab09
[x] rax :    0x14000af60
[x] rbx :    0xffffffffffffffff
[x] rcx :    0x1
[x] rdx :    0x14000ada0
[x] rsi :    0x80000001bf3d
[x] rdi :    0x0
[x] rbp :    0x0
[x] rsp :    0x80000001bee0
[x] r8  :    0xffffffffffffffff
[x] r9  :    0x14000657c
[x] r10 :    0x2828350d
[x] r11 :    0x0
[x] r12 :    0x0
[x] r13 :    0x0
[x] r14 :    0x0
[x] r15 :    0x0
[x] rip :    0x7ffff055ab09
[x] cr0 :    0x11
[x] cr1 :    0x0
[x] cr2 :    0x0
[x] cr3 :    0x0
[x] cr4 :    0x0
[x] cr5 :    0x0
[x] cr6 :    0x0
[x] cr7 :    0x0
[x] cr8 :    0x0
[x] cr9 :    0x0
[x] cr10    :    0x0
[x] cr11    :    0x0
[x] cr12    :    0x0
[x] cr13    :    0x0
[x] cr14    :    0x0
[x] cr15    :    0x0
[x] st0 :    0x0
[x] st1 :    0x0
[x] st2 :    0x0
[x] st3 :    0x0
[x] st4 :    0x0
[x] st5 :    0x0
[x] st6 :    0x0
[x] st7 :    0x0
[x] ef  :    0x44
[x] cs  :    0x0
[x] ss  :    0x0
[x] ds  :    0x0
[x] es  :    0x0
[x] fs  :    0x0
[x] gs  :    0x0
[x] r8b :    0xff
[x] r9b :    0x7c
[x] r10b    :    0xd
[x] r11b    :    0x0
[x] r12b    :    0x0
[x] r13b    :    0x0
[x] r14b    :    0x0
[x] r15b    :    0x0
[x] r8w :    0xffff
[x] r9w :    0x657c
[x] r10w    :    0x350d
[x] r11w    :    0x0
[x] r12w    :    0x0
[x] r13w    :    0x0
[x] r14w    :    0x0
[x] r15w    :    0x0
[x] r8d :    0xffffffff
[x] r9d :    0x4000657c
[x] r10d    :    0x2828350d
[x] r11d    :    0x0
[x] r12d    :    0x0
[x] r13d    :    0x0
[x] r14d    :    0x0
[x] r15d    :    0x0
[x] fsbase  :    0x0
[x] gsbase  :    0x6000000
[x]

[x] PC = 0x7ffff055ab09
[x]  (examples/rootfs/x8664_windows\Windows\System32\api-ms-win-crt-stdio-l1-1-0.dll+0x1b09)
[=] Start      End        Perm    Label          Image
[=] 06000000 - 07400000   rwx     [GS]
[=] 140000000 - 14000e000   rwx     [PE]           helloworld.exe
[=] 500000000 - 500001000   rwx     [heap]
[=] 500001000 - 500002000   rwx     [heap]
[=] 7ffff0000000 - 7ffff01f5000   rwx     ntdll.dll      examples/rootfs/x8664_windows\Windows\System32\ntdll.dll
[=] 7ffff01f5000 - 7ffff02b2000   rwx     kernel32.dll   examples/rootfs/x8664_windows\Windows\System32\kernel32.dll
[=] 7ffff02b2000 - 7ffff0452000   rwx     user32.dll     examples/rootfs/x8664_windows\Windows\System32\user32.dll
[=] 7ffff0452000 - 7ffff04a3000   rwx     shlwapi.dll    examples/rootfs/x8664_windows\Windows\System32\shlwapi.dll
[=] 7ffff04a3000 - 7ffff053e000   rwx     msvcp140.dll   examples/rootfs/x8664_windows\Windows\System32\msvcp140.dll
[=] 7ffff053e000 - 7ffff0559000   rwx     vcruntime140.dll   examples/rootfs/x8664_windows\Windows\System32\vcruntime140.dll
[=] 7ffff0559000 - 7ffff055d000   rwx     api-ms-win-crt-stdio-l1-1-0.dll   examples/rootfs/x8664_windows\Windows\System32\api-ms-win-crt-stdio-l1-1-0.dll
[=] 7ffff055d000 - 7ffff0560000   rwx     api-ms-win-crt-heap-l1-1-0.dll   examples/rootfs/x8664_windows\Windows\System32\api-ms-win-crt-heap-l1-1-0.dll
[=] 7ffff0560000 - 7ffff0564000   rwx     api-ms-win-crt-convert-l1-1-0.dll   examples/rootfs/x8664_windows\Windows\System32\api-ms-win-crt-convert-l1-1-0.dll
[=] 7ffff0564000 - 7ffff0567000   rwx     api-ms-win-crt-filesystem-l1-1-0.dll   examples/rootfs/x8664_windows\Windows\System32\api-ms-win-crt-filesystem-l1-1-0.dll
[=] 7ffff0567000 - 7ffff056a000   rwx     api-ms-win-crt-time-l1-1-0.dll   examples/rootfs/x8664_windows\Windows\System32\api-ms-win-crt-time-l1-1-0.dll
[=] 7ffff056a000 - 7ffff056e000   rwx     api-ms-win-crt-runtime-l1-1-0.dll   examples/rootfs/x8664_windows\Windows\System32\api-ms-win-crt-runtime-l1-1-0.dll
[=] 7ffff056e000 - 7ffff0573000   rwx     api-ms-win-crt-math-l1-1-0.dll   examples/rootfs/x8664_windows\Windows\System32\api-ms-win-crt-math-l1-1-0.dll
[=] 7ffff0573000 - 7ffff0576000   rwx     api-ms-win-crt-locale-l1-1-0.dll   examples/rootfs/x8664_windows\Windows\System32\api-ms-win-crt-locale-l1-1-0.dll
[=] 7ffffffde000 - 80000001e000   rwx     [stack]
[x] ['0x62', '0x61', '0x73', '0x65', '0x2e', '0x5f', '0x5f', '0x73']
[=]

[=] 0x00007ffff055ab09 {api-ms-win-crt-stdio-l1-1-0.dll + 0x001b09}   62 61 73 65 2e 5f 5f 73 74 64 69 6f 5f 63 6f 6d 6d 6f 6e 5f 76 73 70 72 69 6e 74 66 5f 73 00 5f 5f 73 74 64 69 6f 5f 63 6f 6d 6d 6f 6e 5f 76 73 73 63 61 6e 66 00 75 63 72 74 62 61 73 65 2e 5f
Traceback (most recent call last):
  File "A:/Project/qiling-dev/test.py", line 13, in <module>
    my_sandbox(["helloworld.exe", "model", "testimages", "log.txt"], "examples/rootfs/x8664_windows")
  File "A:/Project/qiling-dev/test.py", line 8, in my_sandbox
    ql.run()
  File "A:\Project\qiling-dev\qiling\core.py", line 755, in run
    self.os.run()
  File "A:\Project\qiling-dev\qiling\os\windows\windows.py", line 188, in run
    self.ql.emu_start(self.ql.loader.entry_point, self.exit_point, self.ql.timeout, self.ql.count)
  File "A:\Project\qiling-dev\qiling\core.py", line 896, in emu_start
    self.uc.emu_start(begin, end, timeout, count)
  File "A:\Project\qiling-dev\unicorn\unicorn.py", line 341, in emu_start
    raise UcError(status)
unicorn.unicorn.UcError: Invalid instruction (UC_ERR_INSN_INVALID)

Process finished with exit code 1

xwings commented 3 years ago

UC_ERR_INSN_INVALID normally refers to Unicorn Engine not supporting the CPU instruction.

In this case, you can try to implement __stdio_common_vsprintf_s and check again. If the problem still exists, we need to wait for a new unicorn upgrade.

elicn commented 3 years ago

The bytes that were attempted to be executed appear to be a string: base.__stdio_common_vsprintf_s, so no wonder Unicorn fails to execute them. My guess is that since those two functions were not called, their arguments remained on the stack and Qiling messed up the instruction pointer by "returning" to one of those arguments that happened to be a pointer to the function name (maybe an import lookup..?).

I'll see if I can implement those two functions in the coming days. That shouldn't be too difficult. Would it be possible for you to attach the executable for testing purposes?
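The diagnosis above can be checked mechanically from what Qiling already prints on a crash: the register dump gives the faulting PC, the memory map says which image it falls in, and the byte dump at PC can be tested for being printable text rather than machine code. The following triage helper is an added example for this thread and is not part of Qiling or of the reporter's script; the memory-map excerpt and the hex bytes are copied from the log above, and the helper names (`parse_memory_map`, `locate_pc`, `looks_like_text`, `triage`) are the example's own.

```python
# Added triage helper (not Qiling code): map a faulting PC onto the memory map
# Qiling prints, and decide whether the bytes at PC are a string, which is the
# symptom of an unimplemented API leaving the return path pointing at data.
import re
import string
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the memory-map lines from the crash log in this issue.
MEMORY_MAP_LOG = r"""
[=] 140000000 - 14000e000   rwx     [PE]           helloworld.exe
[=] 500000000 - 500001000   rwx     [heap]
[=] 7ffff0559000 - 7ffff055d000   rwx     api-ms-win-crt-stdio-l1-1-0.dll   examples/rootfs/x8664_windows\Windows\System32\api-ms-win-crt-stdio-l1-1-0.dll
[=] 7ffffffde000 - 80000001e000   rwx     [stack]
"""

# The bytes Qiling dumped at PC in the log (first 31 of them).
PC_BYTES_HEX = "62 61 73 65 2e 5f 5f 73 74 64 69 6f 5f 63 6f 6d 6d 6f 6e 5f 76 73 70 72 69 6e 74 66 5f 73 00"

# "[=] <start> - <end>   <perm>   <label>   [<image path>]"
MAP_LINE = re.compile(
    r"^\[=\]\s+([0-9a-f]+)\s+-\s+([0-9a-f]+)\s+(\S+)\s+(\S+)(?:\s+(\S+))?$"
)


def parse_memory_map(log: str) -> List[Tuple[int, int, str, str]]:
    """Return (start, end, perm, label) for every map line found in the log."""
    regions = []
    for line in log.splitlines():
        m = MAP_LINE.match(line.strip())
        if m:
            regions.append((int(m[1], 16), int(m[2], 16), m[3], m[4]))
    return regions


def locate_pc(pc: int, regions: List[Tuple[int, int, str, str]]) -> Optional[Tuple[str, int]]:
    """Map PC to (region label, offset within the region); None if unmapped."""
    for start, end, _perm, label in regions:
        if start <= pc < end:
            return label, pc - start
    return None


def looks_like_text(data: bytes, min_run: int = 8) -> bool:
    """True if the bytes open with a run of printable ASCII long enough that
    they are almost certainly a string and not instructions."""
    printable = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    run = 0
    for b in data:
        if b not in printable:
            break
        run += 1
        if run >= min_run:
            return True
    return False


def c_string_at(data: bytes) -> str:
    """Decode the NUL-terminated ASCII string at the start of the buffer."""
    return data.split(b"\0", 1)[0].decode("ascii", errors="replace")


def triage(pc: int, log: str, pc_bytes_hex: str) -> Dict[str, object]:
    """Combine the three checks into one verdict for the crash."""
    regions = parse_memory_map(log)
    data = bytes.fromhex(pc_bytes_hex)
    where = locate_pc(pc, regions)
    is_text = looks_like_text(data)
    return {
        "module": where[0] if where else None,
        "offset": where[1] if where else None,
        "is_text": is_text,
        "string": c_string_at(data) if is_text else None,
    }


if __name__ == "__main__":
    # PC taken from the "[x] rip" / "PC =" lines of the log.
    print(triage(0x7FFFF055AB09, MEMORY_MAP_LOG, PC_BYTES_HEX))
```

Run against the values in this log, the verdict is that PC sits at offset 0x1b09 of api-ms-win-crt-stdio-l1-1-0.dll and that the bytes there spell `base.__stdio_common_vsprintf_s`, i.e. an export-name string inside the DLL rather than code. Seeing a printable run at PC right after an "api ... is not implemented" warning is the quickest way to tell an unimplemented-API stack mismatch apart from a genuine unsupported instruction in Unicorn.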

elicn commented 3 years ago

@leepeter2019 Can you pull the latest dev branch and test again?

xwings commented 3 years ago

No response. Issue closed.