zhkl0228 / unidbg

Allows you to emulate an Android native library, and an experimental iOS emulation
Apache License 2.0
3.91k stars, 971 forks

KVM backend optimisation: kernel-hook based, no kernel patch required, supports multiple KVM emulator instances #670

Closed zhaodice closed 2 months ago

zhaodice commented 2 months ago

Preface

I haven't written a one-click script yet, so this looks long, but the advantage is that the kernel no longer needs to be recompiled.

Steps

  1. https://github.com/WeiJiLab/kernel-hook-framework: build a kernel module that matches your own machine's environment, where xxxxx is the output of uname -r
    cd src
    make arm64 KDIR=/lib/modules/xxxxx/build
  2. insmod the kernel-hook-framework kernel driver
  3. The native folder contains a driver folder; its Makefile has to be given the Module.symvers file produced when kernel-hook-framework was built, for example:
    KBUILD_EXTRA_SYMBOLS += $(PWD)/kernel-hook-framework/src/Module.symvers
  4. Put the include folder from the kernel-hook-framework project's sample next to hcr.c, then run make to obtain hcr-driver.ko
  5. Then insmod hcr-driver.ko; once that succeeds, dmesg should print
    [13092.569744] hcr: Uninstalled Hook. kvm_arch_vcpu_ioctl=ffffffe9fb055888
    [13679.083453] hcr: Installed Hook. kvm_arch_vcpu_ioctl=ffffffe9fb055888

How it works

At this point the kernel function kvm_arch_vcpu_ioctl is hooked: whenever a VCPU creation is detected, HCR_DC is added automatically. The relevant implementation is in hcr.c:

/* Replacement for kvm_arch_vcpu_ioctl, installed through kernel-hook-framework;
 * the original function is reached via the framework's code-space trampoline. */
int hook_vcpu_ioctl(struct file *filp, unsigned int ioctl, unsigned long arg)
{
    kvm_arch_vcpu_ioctl_func origin_vcpu_ioctl = GET_CODESPACE_ADDERSS(vcpu_ioctl);

    if (ioctl == KVM_ARM_VCPU_INIT) {
        /* The vCPU is the fd's private data; let KVM initialise it first. */
        struct kvm_vcpu *vcpu = filp->private_data;
        int result = origin_vcpu_ioctl(filp, ioctl, arg);
        if (result == 0) {
            /* Rewrite HCR_EL2 for this guest: the default guest flags plus
             * HCR_DC (HCR_EL2.DC, default cacheable). */
            vcpu->arch.hcr_el2 = HCR_GUEST_FLAGS | HCR_DC;
        }
        printk(KERN_ALERT "hcr: in hooked kvm_arch_vcpu_ioctl, KVM_ARM_VCPU_INIT result = %d\n", result);
        return result;
    }

    /* Every other vCPU ioctl passes straight through to KVM. */
    return origin_vcpu_ioctl(filp, ioctl, arg);
}

Remaining issues

While running the code, dmesg prints

[36263.486438] kvm [268545]: Data abort outside memslots with no valid syndrome info
[36263.592902] kvm [268545]: Data abort outside memslots with no valid syndrome info
[36263.715833] kvm [268545]: Data abort outside memslots with no valid syndrome info
[36264.011910] kvm [268545]: Data abort outside memslots with no valid syndrome info

Some emulated executions fail

handle_exception cpsr=0x600003c0
KVM_RUN failed: reason=0, cpsr=0x3c0, pc=0x19cc7c78, err = Function not implemented(38)
[00:45:06 695]WARN:com.github.unidbg.AbstractEmulator:AbstractEmulator:448: emulate RX@0x19cc7c70[libc.so@_ZL15__pthread_startPv]0x67c70 exception sp=unidbg@0x1a04f000, msg=com.github.unidbg.arm.backend.kvm.KvmException: ret=-1, offset=2ms @ Runnable|MarshmallowThread tid=25237, fn=RX@0x19cc7c70[libc.so@_ZL15__pthread_startPv]0x67c70, arg=RW@0x19fce440
handle_exception cpsr=0x600003c0
KVM_RUN failed: reason=0, cpsr=0x3c0, pc=0x19cc7c78, err = Function not implemented(38)
[00:45:06 766]WARN:com.github.unidbg.AbstractEmulator:AbstractEmulator:448: emulate RX@0x19cc7c70[libc.so@_ZL15__pthread_startPv]0x67c70 exceptid.kvm.KvmException: ret=-1, offset=1ms @ Runnable|MarshmallowThread tid=25238, fn=RX@0x19cc7c70[libc.so@_ZL15__pthread_startPv]0x67c70, arg=RW@0
handle_exception cpsr=0x600003c0

Given my limited ability I don't know how to fix this remaining issue; if the author would like to dig further, we can keep discussing it, and I'd be very grateful.
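The five steps in the comment above as one script, added here as an example (it is not the PR's own build.sh): it assumes the framework clone at $KHF, the hcr driver sources (hcr.c and its Makefile) at $HCR_DIR, and the running kernel's headers under /lib/modules/$(uname -r)/build, and it confirms the hook by looking for the "Installed Hook" dmesg line that step 5 expects.

```shell
#!/bin/sh
# Assumes: framework clone at $KHF, hcr driver sources (hcr.c, Makefile) at
# $HCR_DIR, running-kernel headers at /lib/modules/$(uname -r)/build.
set -eu
KHF="${KHF:-$PWD/kernel-hook-framework}"
HCR_DIR="${HCR_DIR:-$PWD/backend/kvm/src/main/native/driver}"
KDIR="/lib/modules/$(uname -r)/build"

# Step 1: build the hook framework module against the running kernel.
build_framework() {
    make -C "$KHF/src" arm64 KDIR="$KDIR"
}

# Steps 3 and 4: hand kbuild the framework's Module.symvers (same effect as the
# KBUILD_EXTRA_SYMBOLS line in step 3), copy the sample include directory next
# to hcr.c, and build hcr-driver.ko.
build_driver() {
    cp -r "$KHF/sample/include" "$HCR_DIR/"
    make -C "$KDIR" M="$HCR_DIR" \
        KBUILD_EXTRA_SYMBOLS="$KHF/src/Module.symvers" modules
}

# The hook is live only if the most recent "hcr: ... Hook." line in dmesg is
# an "Installed Hook" line; an "Uninstalled Hook" after it means rmmod ran.
last_hook_event() {
    printf '%s\n' "$1" | grep 'hcr: .*Hook\.' | tail -n 1
}

hook_installed() {
    case "$(last_hook_event "$1")" in
        *"hcr: Installed Hook."*) return 0 ;;
        *) return 1 ;;
    esac
}

# Extracts the resolved kvm_arch_vcpu_ioctl address from that line (empty if none).
hook_address() {
    last_hook_event "$1" | sed -n 's/.*kvm_arch_vcpu_ioctl=\([0-9a-f]*\).*/\1/p'
}

# Sample input, copied from the dmesg output step 5 expects.
SAMPLE_DMESG='[13092.569744] hcr: Uninstalled Hook. kvm_arch_vcpu_ioctl=ffffffe9fb055888
[13679.083453] hcr: Installed Hook. kvm_arch_vcpu_ioctl=ffffffe9fb055888'

# Steps 2 and 5: load both modules, then confirm the hook through dmesg.
main() {
    build_framework
    sudo insmod "$KHF/src/hookFrame.ko"
    build_driver
    sudo insmod "$HCR_DIR/hcr-driver.ko"
    log=$(dmesg)
    if hook_installed "$log"; then
        echo "hcr hook active, kvm_arch_vcpu_ioctl=$(hook_address "$log")"
    else
        echo "no 'hcr: Installed Hook' line in dmesg; check insmod errors" >&2
        exit 1
    fi
}

if [ "${1:-}" = "build" ]; then main; fi   # run as "./hcr-build.sh build"
```

Running the script without the build argument only defines the functions, so the dmesg check can be reused on its own against saved kernel logs.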

zhkl0228 commented 2 months ago

Thanks for contributing so much high-quality code; I've been quite busy with work recently and can't find the time to follow up and discuss further with you.

zhaodice commented 2 months ago

> Thanks for contributing so much high-quality code; I've been quite busy with work recently and can't find the time to follow up and discuss further with you.

Thanks, I've found the cause... In assembly the sp register has to be based on STACK_BASE, but unidbg's implementation here seems to be based on MMAP_BASE (it allocates a memory region and uses the resulting address as sp).

unicorn/dynarmic turn a blind eye to this behaviour, but KVM is presumably backed by a real CPU, and it won't put up with it: "there's something wrong with this sp address". Problem file: BaseTask.java. Problem code:

    protected final UnidbgPointer allocateStack(Emulator<?> emulator) {
        // TODO: stackBlock is allocated from MMAP_BASE; it must be made to live under STACK_BASE.
        // KVM validates the sp register when it is used; if the check fails it crashes outright.

        if (stackBlock == null) {
            stackBlock = emulator.getMemory().malloc(THREAD_STACK_SIZE, true);
        }
        return stackBlock.getPointer().share(THREAD_STACK_SIZE, 0);
    }

zhaodice commented 2 months ago

I made a simple script, backend/kvm/src/main/native/driver/build.sh, which builds the driver in one step; naturally it has to be an arm64 Linux environment.

./build.sh
make ARCH=arm64 CROSS_COMPILE= EXTRA_CFLAGS="-D_ARCH_ARM64_ -I/home/lunzhi/qsign/qsign/kernel/kernel-hook-framework/src -I/home/lunzhi/qsign/qsign/kernel/kernel-hook-framework/src/arch/arm64 -fno-pic -fno-stack-protector" -C /lib/modules/6.6.20+rpt-rpi-v8/build M=/home/lunzhi/qsign/qsign/kernel/kernel-hook-framework/src modules
make[1]: Entering directory '/usr/src/linux-headers-6.6.20+rpt-rpi-v8'
  CC [M]  /home/lunzhi/qsign/qsign/kernel/kernel-hook-framework/src/framework/symbol_resolver_bak.o
  LD [M]  /home/lunzhi/qsign/qsign/kernel/kernel-hook-framework/src/hookFrame.o
  MODPOST /home/lunzhi/qsign/qsign/kernel/kernel-hook-framework/src/Module.symvers
  CC [M]  /home/lunzhi/qsign/qsign/kernel/kernel-hook-framework/src/hookFrame.mod.o
  LD [M]  /home/lunzhi/qsign/qsign/kernel/kernel-hook-framework/src/hookFrame.ko
make[1]: Leaving directory '/usr/src/linux-headers-6.6.20+rpt-rpi-v8'
mkdir -p "/home/lunzhi/qsign/qsign/kernel/build"
mkdir -p "/home/lunzhi/qsign/qsign/kernel/build"/kernel-hook
touch "/home/lunzhi/qsign/qsign/kernel/build/Makefile"
make -C /lib/modules/6.6.20+rpt-rpi-v8/build M=/home/lunzhi/qsign/qsign/kernel/build src=/home/lunzhi/qsign/qsign/kernel modules
make[1]: Entering directory '/usr/src/linux-headers-6.6.20+rpt-rpi-v8'
  CC [M]  /home/lunzhi/qsign/qsign/kernel/build/hcr.o
In file included from /usr/src/linux-headers-6.6.20+rpt-common-rpi/include/asm-generic/bug.h:22,
                 from /usr/src/linux-headers-6.6.20+rpt-common-rpi/arch/arm64/include/asm/bug.h:26,
                 from /usr/src/linux-headers-6.6.20+rpt-common-rpi/include/linux/bug.h:5,
                 from /usr/src/linux-headers-6.6.20+rpt-common-rpi/arch/arm64/include/asm/cpufeature.h:23,
                 from /usr/src/linux-headers-6.6.20+rpt-common-rpi/arch/arm64/include/asm/ptrace.h:11,
                 from /usr/src/linux-headers-6.6.20+rpt-common-rpi/arch/arm64/include/uapi/asm/kvm.h:37,
                 from /usr/src/linux-headers-6.6.20+rpt-common-rpi/include/uapi/linux/kvm.h:15,
                 from /home/lunzhi/qsign/qsign/kernel/hcr.c:3:
/home/lunzhi/qsign/qsign/kernel/hcr.c: In function ‘hcr_init’:
/usr/src/linux-headers-6.6.20+rpt-common-rpi/include/linux/kern_levels.h:5:25: warning: format ‘%lx’ expects argument of type ‘long unsigned int’, but argument 2 has type ‘kvm_arch_vcpu_ioctl_func’ {aka ‘int (*)(struct file *, unsigned int,  long unsigned int)’} [-Wformat=]
    5 | #define KERN_SOH        "\001"          /* ASCII Start Of Header */
      |                         ^~~~~~
/usr/src/linux-headers-6.6.20+rpt-common-rpi/include/linux/printk.h:427:25: note: in definition of macro ‘printk_index_wrap’
  427 |                 _p_func(_fmt, ##__VA_ARGS__);                           \
      |                         ^~~~
/home/lunzhi/qsign/qsign/kernel/hcr.c:66:5: note: in expansion of macro ‘printk’
   66 |     printk(KERN_INFO "hcr: Installed Hook. kvm_arch_vcpu_ioctl=%lx\n",vcpu_ioctl);
      |     ^~~~~~
/usr/src/linux-headers-6.6.20+rpt-common-rpi/include/linux/kern_levels.h:14:25: note: in expansion of macro ‘KERN_SOH’
   14 | #define KERN_INFO       KERN_SOH "6"    /* informational */
      |                         ^~~~~~~~
/home/lunzhi/qsign/qsign/kernel/hcr.c:66:12: note: in expansion of macro ‘KERN_INFO’
   66 |     printk(KERN_INFO "hcr: Installed Hook. kvm_arch_vcpu_ioctl=%lx\n",vcpu_ioctl);
      |            ^~~~~~~~~
/home/lunzhi/qsign/qsign/kernel/hcr.c: In function ‘hcr_exit’:
/usr/src/linux-headers-6.6.20+rpt-common-rpi/include/linux/kern_levels.h:5:25: warning: format ‘%lx’ expects argument of type ‘long unsigned int’, but argument 2 has type ‘kvm_arch_vcpu_ioctl_func’ {aka ‘int (*)(struct file *, unsigned int,  long unsigned int)’} [-Wformat=]
    5 | #define KERN_SOH        "\001"          /* ASCII Start Of Header */
      |                         ^~~~~~
/usr/src/linux-headers-6.6.20+rpt-common-rpi/include/linux/printk.h:427:25: note: in definition of macro ‘printk_index_wrap’
  427 |                 _p_func(_fmt, ##__VA_ARGS__);                           \
      |                         ^~~~
/home/lunzhi/qsign/qsign/kernel/hcr.c:74:5: note: in expansion of macro ‘printk’
   74 |     printk(KERN_INFO "hcr: Uninstalled Hook. kvm_arch_vcpu_ioctl=%lx\n",vcpu_ioctl);
      |     ^~~~~~
/usr/src/linux-headers-6.6.20+rpt-common-rpi/include/linux/kern_levels.h:14:25: note: in expansion of macro ‘KERN_SOH’
   14 | #define KERN_INFO       KERN_SOH "6"    /* informational */
      |                         ^~~~~~~~
/home/lunzhi/qsign/qsign/kernel/hcr.c:74:12: note: in expansion of macro ‘KERN_INFO’
   74 |     printk(KERN_INFO "hcr: Uninstalled Hook. kvm_arch_vcpu_ioctl=%lx\n",vcpu_ioctl);
      |            ^~~~~~~~~
/home/lunzhi/qsign/qsign/kernel/hcr.c: At top level:
/home/lunzhi/qsign/qsign/kernel/hcr.c:51:12: warning: ‘error_quit’ defined but not used [-Wunused-function]
   51 | static int error_quit(const char *msg){
      |            ^~~~~~~~~~
  LD [M]  /home/lunzhi/qsign/qsign/kernel/build/hcr-driver.o
  MODPOST /home/lunzhi/qsign/qsign/kernel/build/Module.symvers
  CC [M]  /home/lunzhi/qsign/qsign/kernel/build/hcr-driver.mod.o
  LD [M]  /home/lunzhi/qsign/qsign/kernel/build/hcr-driver.ko
make[1]: Leaving directory '/usr/src/linux-headers-6.6.20+rpt-rpi-v8'
Build finished, please insmod drivers in build folder ( *.ko ).
total 92
-rw-rw-rw-+ 1 lunzhi lunzhi  8752 Aug 31 16:52 hcr-driver.ko
-rw-rw-rw-+ 1 lunzhi lunzhi    44 Aug 31 16:52 hcr-driver.mod
-rw-rw-rw-+ 1 lunzhi lunzhi  1169 Aug 31 16:52 hcr-driver.mod.c
-rw-rw-rw-+ 1 lunzhi lunzhi  4104 Aug 31 16:52 hcr-driver.mod.o
-rw-rw-rw-+ 1 lunzhi lunzhi  5408 Aug 31 16:52 hcr-driver.o
-rw-rw-rw-+ 1 lunzhi lunzhi  5408 Aug 31 16:52 hcr.o
-rw-rw-rw-+ 1 lunzhi lunzhi 33920 Aug 31 16:52 hookFrame.ko
drwxrwxrwx+ 2 lunzhi lunzhi  4096 Aug 31 16:52 kernel-hook
-rw-rw-rw-+ 1 lunzhi lunzhi     0 Aug 31 16:52 Makefile
-rw-rw-rw-+ 1 lunzhi lunzhi    51 Aug 31 16:52 modules.order
-rw-rw-rw-+ 1 lunzhi lunzhi     0 Aug 31 16:52 Module.symvers

After building, a build folder is created next to the script, containing hookFrame.ko and hcr-driver.ko. Just insmod hookFrame.ko and then hcr-driver.ko, and the KVM engine can be used without patching the kernel.

zhkl0228 commented 2 months ago

After syncing your code, KQueue64Test and KQueueTest under ios fail to run.

zhaodice commented 2 months ago

> After syncing your code, KQueue64Test and KQueueTest under ios fail to run.

OK. The KQueue64Test problem is because in MachOLoader you, for no obvious reason, shifted my stack address; just remove that (since I don't know what you intended, that's your call). As for KQueueTest, I found that it throws the same error even after switching to the original branch, so that one isn't caused by me.

C:\Users\yiran\.jdks\jbrsdk-17.0.9\bin\java.exe -javaagent:D:\IntelliJidea\lib\idea_rt.jar=59325:D:\IntelliJidea\bin -Dfile.encoding=UTF-8 -classpath E:\Projects\ProtocolScience\unidbg\unidbg-ios\target\test-classes;E:\Projects\ProtocolScience\unidbg\unidbg-ios\target\classes;E:\Projects\ProtocolScience\unidbg\unidbg-api\target\classes;C:\Users\yiran\.m2\repository\com\github\zhkl0228\unicorn\1.0.14\unicorn-1.0.14.jar;C:\Users\yiran\.m2\repository\org\scijava\native-lib-loader\2.3.5\native-lib-loader-2.3.5.jar;C:\Users\yiran\.m2\repository\com\github\zhkl0228\capstone\3.1.8\capstone-3.1.8.jar;C:\Users\yiran\.m2\repository\net\java\dev\jna\jna\5.10.0\jna-5.10.0.jar;C:\Users\yiran\.m2\repository\com\github\zhkl0228\keystone\0.9.7\keystone-0.9.7.jar;C:\Users\yiran\.m2\repository\commons-codec\commons-codec\1.15\commons-codec-1.15.jar;C:\Users\yiran\.m2\repository\org\apache\commons\commons-collections4\4.4\commons-collections4-4.4.jar;C:\Users\yiran\.m2\repository\commons-io\commons-io\2.11.0\commons-io-2.11.0.jar;C:\Users\yiran\.m2\repository\commons-logging\commons-logging\1.2\commons-logging-1.2.jar;C:\Users\yiran\.m2\repository\com\alibaba\fastjson\1.2.83\fastjson-1.2.83.jar;C:\Users\yiran\.m2\repository\com\github\zhkl0228\demumble\1.0.4\demumble-1.0.4.jar;E:\Projects\ProtocolScience\unidbg\backend\dynarmic\target\classes;E:\Projects\ProtocolScience\unidbg\backend\hypervisor\target\classes;E:\Projects\ProtocolScience\unidbg\backend\kvm\target\classes;E:\Projects\ProtocolScience\unidbg\backend\unicorn2\target\classes;C:\Users\yiran\.m2\repository\io\kaitai\kaitai-struct-runtime\0.8\kaitai-struct-runtime-0.8.jar;C:\Users\yiran\.m2\repository\com\googlecode\plist\dd-plist\1.23\dd-plist-1.23.jar;C:\Users\yiran\.m2\repository\org\slf4j\slf4j-api\2.0.13\slf4j-api-2.0.13.jar;C:\Users\yiran\.m2\repository\junit\junit\4.13.2\junit-4.13.2.jar;C:\Users\yiran\.m2\repository\org\hamcrest\hamcrest-core\1.3\hamcrest-core-1.3.jar;C:\Users\yiran\.m2\repository\org\slf4j\slf4j-relo
ad4j\2.0.13\slf4j-reload4j-2.0.13.jar;C:\Users\yiran\.m2\repository\ch\qos\reload4j\reload4j\1.2.22\reload4j-1.2.22.jar com.github.unidbg.ios.KQueueTest
unidbg(7780,0x402b518c) malloc: *** error for object 0x40654494: incorrect checksum for freed object - object was probably modified after being freed.
*** set a breakpoint in malloc_error_break to debug
unidbg(7780,0x402b518c) malloc: *** error for object 0x406545a4: incorrect checksum for freed object - object was probably modified after being freed.
*** set a breakpoint in malloc_error_break to debug
unidbg(7780,0x402b518c) malloc: *** error for object 0x406545b4: incorrect checksum for freed object - object was probably modified after being freed.
*** set a breakpoint in malloc_error_break to debug
unidbg(7780,0x402b518c) malloc: *** error for object 0x406545d4: incorrect checksum for freed object - object was probably modified after being freed.
*** set a breakpoint in malloc_error_break to debug
unidbg(7780,0x402b518c) malloc: *** error for object 0x406545f4: incorrect checksum for freed object - object was probably modified after being freed.
*** set a breakpoint in malloc_error_break to debug
unidbg(7780,0x402b518c) malloc: *** error for object 0x40654614: incorrect checksum for freed object - object was probably modified after being freed.
*** set a breakpoint in malloc_error_break to debug
unidbg(7780,0x402b518c) malloc: *** error for object 0x40654634: incorrect checksum for freed object - object was probably modified after being freed.
*** set a breakpoint in malloc_error_break to debug
unidbg(7780,0x402b518c) malloc: *** error for object 0x40654654: incorrect checksum for freed object - object was probably modified after being freed.
*** set a breakpoint in malloc_error_break to debug
unidbg(7780,0x402b518c) malloc: *** error for object 0x40654674: incorrect checksum for freed object - object was probably modified after being freed.
*** set a breakpoint in malloc_error_break to debug
[19:17:07 350]  WARN [com.github.unidbg.arm.AbstractARMEmulator] (AbstractARMEmulator$1:67) - Read memory failed: address=0x13, size=1, value=0x0, PC=RX@0x40306134[libobjc.A.dylib]0x2134, LR=RX@0x40305cad[libobjc.A.dylib]0x1cad
MemoryRead8[dynarmic.cpp->MemoryRead8:79]: vaddr=0x13

Process finished with exit code 3

zhkl0228 commented 2 months ago

> > After syncing your code, KQueue64Test and KQueueTest under ios fail to run.
>
> OK. The KQueue64Test problem is because in MachOLoader you, for no obvious reason, shifted my stack address; just remove that (since I don't know what you intended, that's your call). As for KQueueTest, I found that it throws the same error even after switching to the original branch, so that one isn't caused by me.

Reverting to https://github.com/zhkl0228/unidbg/commit/505b92643ba85b5970e0495f37855e0690993f8e runs KQueueTest normally. Mine is an Apple M1 laptop using the dynarmic backend; on Windows, try switching to the unicorn2 backend.

zhaodice commented 2 months ago

> Reverting to 505b926 runs KQueueTest normally. Mine is an Apple M1 laptop using the dynarmic backend; on Windows, try switching to the unicorn2 backend.

KQueueTest still doesn't work; it didn't even break at private long mmap(Backend backend, Emulator<?> emulator) {. I'm on Windows, using dynarmic.

But when I switch to unicorn it runs normally.