
fail when running driver ------> api WdfVersionBind is not implemented #879

Closed imbawenzi closed 3 years ago

imbawenzi commented 3 years ago

Qiling script:

from qiling import *

def my_sandbox(path, rootfs):
    """Run a binary under Qiling emulation.

    Args:
        path: argument list for the emulated program; the first element is the
            binary to load (called below with ``["test/KMDFDriver6.sys"]``).
        rootfs: directory used as the emulated filesystem root; the loader
            resolves the system images the target imports (ntdll, kernel32,
            ntoskrnl, wdfldr) from here.

    Returns:
        None. Emulation runs until the target finishes or an emulation error
        propagates out of ``run()``.
    """
    # The Qiling instance is not needed after the run, so build and run it
    # in a single expression.
    Qiling(path, rootfs).run()

if __name__ == "__main__":
    # Emulated target (as an argv list) and the rootfs holding the Windows
    # system images it imports.
    target = ["test/KMDFDriver6.sys"]
    rootfs = "rootfs/x8664_windows"
    my_sandbox(target, rootfs)

Driver code (built with VS2019, WindowsKernelModeDriver10.0):

#include<ntddk.h>

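/*
 * Unload callback registered by DriverEntry; logs that the driver is going away.
 *
 * @param driver  The driver object being unloaded. Not used here.
 */
VOID myDriverUnload(PDRIVER_OBJECT driver)
{
    /* Mark the parameter as intentionally unused so high-warning-level
     * builds stay clean (UNREFERENCED_PARAMETER(driver) is the WDK spelling). */
    (void)driver;

    DbgPrint("Driver Unload!\n");
}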

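/*
 * Driver entry point: installs the unload routine and logs a greeting.
 *
 * @param pDriverObject  Driver object handed to the driver on load.
 * @param pRegistryPath  Registry path argument. Not used here.
 * @return STATUS_SUCCESS; this minimal driver has no failure path.
 */
NTSTATUS DriverEntry(
    IN PDRIVER_OBJECT pDriverObject,
    IN PUNICODE_STRING pRegistryPath)
{
    /* Intentionally unused; keeps high-warning-level builds clean. */
    (void)pRegistryPath;

    /* Register the unload callback so the driver can be stopped cleanly. */
    pDriverObject->DriverUnload = myDriverUnload;

    DbgPrint("hello world!");

    return STATUS_SUCCESS;
}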

Output:

PS C:\Users\iu\Desktop\qiling> python3 .\test.py
[=]     Initiate stack address at 0x7ffffffde000
[=]     Loading test/KMDFDriver6.sys to 0x140000000
[=]     PE entry point at 0x140001080
[=]     Driver object addr is 0x6000000
[=]     Registry path addr is 0x6000150
[=]     EPROCESS is is 0x6000160
[=]     KI_USER_SHARED_DATA is 0xfffff78000000000
[=]     Loading rootfs/x8664_windows\Windows\System32\ntdll.dll ...
[!]     Warnings while loading rootfs/x8664_windows\Windows\System32\ntdll.dll:
[!]      - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[!]      - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[=]     Done with loading rootfs/x8664_windows\Windows\System32\ntdll.dll
[=]     Loading rootfs/x8664_windows\Windows\System32\kernel32.dll ...
[=]     Done with loading rootfs/x8664_windows\Windows\System32\kernel32.dll
[=]     Loading rootfs/x8664_windows\Windows\System32\ntoskrnl.exe ...
[=]     Done with loading rootfs/x8664_windows\Windows\System32\ntoskrnl.exe
[=]     Loading rootfs/x8664_windows\Windows\System32\wdfldr.sys ...
[=]     Done with loading rootfs/x8664_windows\Windows\System32\wdfldr.sys
[=]     RtlCopyUnicodeString(DestinationString = "", SourceString = "") (PASSTHRU)
[=]     memmove(dest = 0x140003080, src = 0x6000150, num = 0) = 0x140003080
[!]     api WdfVersionBind is not implemented
[x]

[x]     ah      :        0xcb
[x]     al      :        0x40
[x]     ch      :        0xcb
[x]     cl      :        0x50
[x]     dh      :        0x0
[x]     dl      :        0x1
[x]     bh      :        0x0
[x]     bl      :        0x0
[x]     ax      :        0xcb40
[x]     cx      :        0xcb50
[x]     dx      :        0x1
[x]     bx      :        0x0
[x]     sp      :        0xcb00
[x]     bp      :        0xcc08
[x]     si      :        0x32b0
[x]     di      :        0x0
[x]     ip      :        0xc45e
[x]     eax     :        0x1cb40
[x]     ecx     :        0x1cb50
[x]     edx     :        0x1
[x]     ebx     :        0x0
[x]     esp     :        0x1cb00
[x]     ebp     :        0x1cc08
[x]     esi     :        0x400032b0
[x]     edi     :        0x0
[x]     eip     :        0xc45e
[x]     rax     :        0x80000001cb40
[x]     rbx     :        0x0
[x]     rcx     :        0x80000001cb50
[x]     rdx     :        0x1
[x]     rsi     :        0x1400032b0
[x]     rdi     :        0x0
[x]     rbp     :        0x80000001cc08
[x]     rsp     :        0x80000001cb00
[x]     r8      :        0x80000001cb80
[x]     r9      :        0x0
[x]     r10     :        0x0
[x]     r11     :        0x20
[x]     r12     :        0x80000001ce48
[x]     r13     :        0x140003000
[x]     r14     :        0x0
[x]     r15     :        0x140003000
[x]     rip     :        0xc45e
[x]     cr0     :        0x11
[x]     cr1     :        0x0
[x]     cr2     :        0x0
[x]     cr3     :        0x0
[x]     cr4     :        0x6f8
[x]     cr5     :        0x0
[x]     cr6     :        0x0
[x]     cr7     :        0x0
[x]     cr8     :        0x0
[x]     cr9     :        0x0
[x]     cr10    :        0x0
[x]     cr11    :        0x0
[x]     cr12    :        0x0
[x]     cr13    :        0x0
[x]     cr14    :        0x0
[x]     cr15    :        0x0
[x]     st0     :        0x0
[x]     st1     :        0x0
[x]     st2     :        0x0
[x]     st3     :        0x0
[x]     st4     :        0x0
[x]     st5     :        0x0
[x]     st6     :        0x0
[x]     st7     :        0x0
[x]     ef      :        0x44
[x]     cs      :        0x0
[x]     ss      :        0x0
[x]     ds      :        0x0
[x]     es      :        0x0
[x]     fs      :        0x0
[x]     gs      :        0x0
[x]     r8b     :        0x80
[x]     r9b     :        0x0
[x]     r10b    :        0x0
[x]     r11b    :        0x20
[x]     r12b    :        0x48
[x]     r13b    :        0x0
[x]     r14b    :        0x0
[x]     r15b    :        0x0
[x]     r8w     :        0xcb80
[x]     r9w     :        0x0
[x]     r10w    :        0x0
[x]     r11w    :        0x20
[x]     r12w    :        0xce48
[x]     r13w    :        0x3000
[x]     r14w    :        0x0
[x]     r15w    :        0x3000
[x]     r8d     :        0x1cb80
[x]     r9d     :        0x0
[x]     r10d    :        0x0
[x]     r11d    :        0x20
[x]     r12d    :        0x1ce48
[x]     r13d    :        0x40003000
[x]     r14d    :        0x0
[x]     r15d    :        0x40003000
[x]     fsbase  :        0x0
[x]     gsbase  :        0x6000000
[x]

[x]     PC = 0xc45e
[=]

[=]     Start      End        Perm    Label          Image
[=]     06000000 - 07400000   rwx     [GS]
[=]     140000000 - 140007000   rwx     [PE]           test/KMDFDriver6.sys
[=]     140010000 - 141056000   rwx     ntoskrnl.exe   rootfs/x8664_windows\Windows\System32\ntoskrnl.exe
[=]     180000000 - 1801f5000   rwx     ntdll.dll      rootfs/x8664_windows\Windows\System32\ntdll.dll
[=]     180200000 - 1802bd000   rwx     kernel32.dll   rootfs/x8664_windows\Windows\System32\kernel32.dll
[=]     1c0000000 - 1c0013000   rwx     wdfldr.sys     rootfs/x8664_windows\Windows\System32\wdfldr.sys
[=]     500000000 - 500001000   rwx     [heap]
[=]     7ffffffde000 - 80000001e000   rwx     [stack]
[=]     fffff78000000000 - fffff78000001000   rwx     [mapped]
[x]     Error: PC(0xc45e) Unreachable
Traceback (most recent call last):
  File ".\test.py", line 12, in <module>
    my_sandbox(["test/KMDFDriver6.sys"], "rootfs/x8664_windows")
  File ".\test.py", line 8, in my_sandbox
    ql.run()
  File "C:\Users\iu\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.7_qbz5n2kfra8p0\LocalCache\local-packages\Python37\site-packages\qiling\core.py", line 755, in run
    self.os.run()
  File "C:\Users\iu\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.7_qbz5n2kfra8p0\LocalCache\local-packages\Python37\site-packages\qiling\os\windows\windows.py", line 188, in run
    self.ql.emu_start(self.ql.loader.entry_point, self.exit_point, self.ql.timeout, self.ql.count)
  File "C:\Users\iu\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.7_qbz5n2kfra8p0\LocalCache\local-packages\Python37\site-packages\qiling\core.py", line 896, in emu_start
    self.uc.emu_start(begin, end, timeout, count)
  File "C:\Users\iu\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.7_qbz5n2kfra8p0\LocalCache\local-packages\Python37\site-packages\unicorn\unicorn.py", line 341, in emu_start
    raise UcError(status)
unicorn.unicorn.UcError: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED)

Also, where can I get sample code for running a driver with Qiling? Thanks.

imbawenzi commented 3 years ago

It looks like Qiling does not support WDK drivers. I switched the WDK driver to a WDM driver and it works. Will Qiling support WDK drivers in the future?

xwings commented 3 years ago

I don't think we have much time to work on Windows right now, at least for the moment. For all the available OS/module support we still need to wait for more help from the community.

imbawenzi commented 3 years ago

Thanks for the reply.