
Invalid memory fetch (UC_ERR_FETCH_UNMAPPED) #850

Closed ghost closed 3 years ago

ghost commented 3 years ago

Hello! I am using the Qiling Framework for malware analysis by emulating portable executables. However, I have been getting an invalid memory fetch error when I pass in a Whiterose ransomware sample.

My python code

import sys

import pefile
from capstone import *
from qiling import *
from qiling.const import *

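def loader_pe(pe, base=0x10000):
    """Disassemble the mapped image from its entry point onward.

    Args:
        pe: a parsed ``pefile.PE`` instance.
        base: address capstone reports for the first decoded instruction.
            Defaults to ``0x10000`` (the value the script originally
            hard-coded); pass ``pe.OPTIONAL_HEADER.ImageBase +
            pe.OPTIONAL_HEADER.AddressOfEntryPoint`` if the listing should
            line up with the loader's "PE entry point at ..." log line.

    Returns:
        The capstone instruction iterator returned by ``Cs.disasm`` (lazy:
        nothing is decoded until it is iterated). The same object is also
        stored in the module-level ``rdbin`` for callers that relied on the
        original side effect.

    NOTE(review): this always decodes as 32-bit x86 (``CS_MODE_32``) even
    when ``check_arch`` reports a 64-bit sample; nothing in the script
    threads the bitness through to here.
    """
    entry_point = pe.OPTIONAL_HEADER.AddressOfEntryPoint
    # Slice the mapped image from the entry point to its end.
    code = pe.get_memory_mapped_image()[entry_point:]
    md = Cs(CS_ARCH_X86, CS_MODE_32)
    # detail=True is required to inspect operands/groups on each instruction.
    md.detail = True
    global rdbin
    rdbin = md.disasm(code, base)
    return rdbin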

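def check_arch(pe):
    """Return the bitness (32 or 64) of *pe* from its COFF machine field.

    Args:
        pe: a parsed ``pefile.PE`` instance; only ``FILE_HEADER.Machine``
            is read.

    Returns:
        32 for IMAGE_FILE_MACHINE_I386 (0x14c), 64 for
        IMAGE_FILE_MACHINE_AMD64 (0x8664).

    Raises:
        ValueError: for any other machine type. The original left ``bit``
            unassigned in that case and failed with an UnboundLocalError
            at the print below, which hid the real cause.
    """
    machine = pe.FILE_HEADER.Machine
    bits = {0x14c: 32, 0x8664: 64}.get(machine)
    if bits is None:
        raise ValueError("unsupported PE machine type 0x%x" % machine)
    print("[+] Sample is %s bit" % bits)
    return bits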

def GetProcAddress(ql, addr, params, retrav):
    """Hook body for the emulated GetProcAddress API: echo its parameters.

    ``my_sandbox`` registers this with ``QL_INTERCEPT.EXIT``. ``ql``,
    ``addr`` and ``retrav`` are part of the hook signature but are not
    used here; the hook prints ``params`` and returns ``None``.
    """
    print(params)

def my_sandbox(path, rootfs):
    """Emulate *path* under *rootfs* with debug logging and one API hook.

    Args:
        path: argv list for the target (the caller passes ``[exefile]``).
        rootfs: directory holding the Windows DLLs and registry the loader
            reads (``examples/rootfs/x86_windows`` in this script).

    Runs until emulation finishes or unicorn raises ``UcError``.

    NOTE(review): the trace in this issue shows ``_CorExeMain()`` entered
    from mscoree.dll immediately before the PC=0 fault, which looks like a
    managed (.NET) sample that needs the CLR; confirm that before treating
    it as a loader bug.
    """
    emu = Qiling(path, rootfs, verbose=QL_VERBOSE.DEBUG)
    # Print the parameters of every GetProcAddress call the sample makes.
    emu.set_api("GetProcAddress", GetProcAddress, QL_INTERCEPT.EXIT)
    emu.run()

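file = sys.argv[-1]  # kept for compatibility; unused below (argv is re-read)
if __name__ == "__main__":
    # Without an argument sys.argv[-1] is the script itself, which would
    # then be parsed as a PE; fail early with a usage line instead.
    if len(sys.argv) < 2:
        sys.exit("usage: %s <pe-file>" % sys.argv[0])
    exefile = sys.argv[-1]
    try:
        exe = pefile.PE(exefile)
    except OSError as e:
        print(e)
        sys.exit(1)
    except pefile.PEFormatError as e:
        # The original exited silently here, so a non-PE input was invisible.
        print("[-] %s is not a valid PE: %s" % (exefile, e))
        sys.exit(1)
    rdbin = loader_pe(exe)
    bits = check_arch(exe)
    # The rootfs below is the 32-bit Windows tree; the original computed the
    # bitness and then ignored it. Refuse a mismatch rather than emulate a
    # 64-bit image against 32-bit system DLLs.
    if bits != 32:
        sys.exit("[-] sample is %d-bit but this script only provides a 32-bit rootfs" % bits)
    my_sandbox([exefile], "examples/rootfs/x86_windows")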

I expected it to show the output of the emulation, but instead it raised a UC_ERR_FETCH_UNMAPPED error.

[+]     Profile: Default
[+]     Map GDT at 0x30000 with GDT_LIMIT=4096
[+]     Write to 0x30018 for new entry b'\x00\xf0\x00\x00\x00\xfeO\x00'
[+]     Write to 0x30028 for new entry b'\x00\xf0\x00\x00\x00\x96O\x00'
[+]     Write to 0x30070 for new entry b'\x00`\x00`\x00\xf6@\x00'
[+]     Write to 0x30078 for new entry b'\x00\x00\x00\x00\x00\xf6@\x06'
[+]     Windows Registry PATH: examples/rootfs/x86_windows\Windows\registry
[=]     Initiate stack address at 0xfffdd000 
[=]     Loading ..\Ransomware\9614b9bc6cb2d06d261f97ba25743a89df44906e750c52398b5dbdbcb66a9415 to 0x400000
[=]     PE entry point at 0x40813e
[=]     TEB addr is 0x6000
[=]     PEB addr is 0x6044
[=]     Loading examples/rootfs/x86_windows\Windows\System32\ntdll.dll to 0x10000000
[!]     Warnings while loading examples/rootfs/x86_windows\Windows\System32\ntdll.dll:
[!]      - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[!]      - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\ntdll.dll
[=]     Loading examples/rootfs/x86_windows\Windows\System32\kernel32.dll to 0x101a3000
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\kernel32.dll
[=]     Loading examples/rootfs/x86_windows\Windows\System32\mscoree.dll to 0x10288000
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\mscoree.dll
[+]     Done with loading ..\Ransomware\9614b9bc6cb2d06d261f97ba25743a89df44906e750c52398b5dbdbcb66a9415
[+]     0x10292bd0: _CorExeMain()
[+]     ERROR: unmapped memory access at 0x0
[x]

[x]     ah      :        0x0
[x]     al      :        0x0
[x]     ch      :        0x0
[x]     cl      :        0x0
[x]     dh      :        0x0
[x]     dl      :        0x0
[x]     bh      :        0x0
[x]     bl      :        0x0
[x]     ax      :        0x0
[x]     cx      :        0x0
[x]     dx      :        0x0
[x]     bx      :        0x0
[x]     sp      :        0xd004
[x]     bp      :        0xd000
[x]     si      :        0x0
[x]     di      :        0x0
[x]     ip      :        0x0
[x]     eax     :        0x0
[x]     ecx     :        0x0
[x]     edx     :        0x0
[x]     ebx     :        0x0
[x]     esp     :        0xffffd004
[x]     ebp     :        0xffffd000
[x]     esi     :        0x0
[x]     edi     :        0x0
[x]     eip     :        0x0
[x]     cr0     :        0x11
[x]     cr1     :        0x0
[x]     cr2     :        0x0
[x]     cr3     :        0x0
[x]     cr4     :        0x0
[x]     cr5     :        0x0
[x]     cr6     :        0x0
[x]     cr7     :        0x0
[x]     cr8     :        0x0
[x]     cr9     :        0x0
[x]     cr10    :        0x0
[x]     cr11    :        0x0
[x]     cr12    :        0x0
[x]     cr13    :        0x0
[x]     cr14    :        0x0
[x]     cr15    :        0x0
[x]     st0     :        0x0
[x]     st1     :        0x0
[x]     st2     :        0x0
[x]     st3     :        0x0
[x]     st4     :        0x0
[x]     st5     :        0x0
[x]     st6     :        0x0
[x]     st7     :        0x0
[x]     ef      :        0x0
[x]     cs      :        0x1b
[x]     ss      :        0x28
[x]     ds      :        0x28
[x]     es      :        0x28
[x]     fs      :        0x73
[x]     gs      :        0x78
[x]

[x]     PC = 0x0
[=]

[=]     Start      End        Perm    Label          Image
[=]     00006000 - 0000c000   rwx     [FS/GS]
[=]     00030000 - 00031000   rwx     [GDT]
[=]     00400000 - 0040e000   rwx     [PE]           ..\Ransomware\9614b9bc6cb2d06d261f97ba25743a89df44906e750c52398b5dbdbcb66a9415
[=]     05000000 - 05001000   rwx     [heap]
[=]     06000000 - 0c000000   rwx     [FS/GS]
[=]     10000000 - 101a3000   rwx     ntdll.dll      examples/rootfs/x86_windows\Windows\System32\ntdll.dll
[=]     101a3000 - 10288000   rwx     kernel32.dll   examples/rootfs/x86_windows\Windows\System32\kernel32.dll
[=]     10288000 - 102ed000   rwx     mscoree.dll    examples/rootfs/x86_windows\Windows\System32\mscoree.dll
[=]     fffdd000 - ffffe000   rwx     [stack]
[x]     Error: PC(0x0) Unreachable
Traceback (most recent call last):
  File "C:\Users\VMadmin\Desktop\qiling\malwareAna.py", line 45, in <module>
    my_sandbox([exefile], "examples/rootfs/x86_windows")
  File "C:\Users\VMadmin\Desktop\qiling\malwareAna.py", line 31, in my_sandbox
    ql.run()
  File "C:\Users\VMadmin\Desktop\qiling\qiling\core.py", line 755, in run
    self.os.run()
  File "C:\Users\VMadmin\Desktop\qiling\qiling\os\windows\windows.py", line 188, in run
    self.ql.emu_start(self.ql.loader.entry_point, self.exit_point, self.ql.timeout, self.ql.count)
  File "C:\Users\VMadmin\Desktop\qiling\qiling\core.py", line 896, in emu_start
    self.uc.emu_start(begin, end, timeout, count)
  File "C:\Users\VMadmin\AppData\Local\Programs\Python\Python39\lib\site-packages\unicorn\unicorn.py", line 341, in emu_start
    raise UcError(status)
unicorn.unicorn.UcError: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED)

Any help will be appreciated!

wtdcode commented 3 years ago

Seems related to #833