How do I set a breakpoint targeting an emulated location when that location sits at a different offset in WinDbg?



I'm using the qiling framework to emulate a snake game. It runs fine in my x86_64 Windows environment but fails under emulation. My question is more about understanding my problem in WinDbg, but I'll provide the emulator log for context:

[=]     Initiate stack address at 0xfffdd000
[=]     Loading snake.exe to 0x400000
[=]     PE entry point at 0x4033ae
[=]     TEB addr is 0x6000
[=]     PEB addr is 0x6044
[=]     Loading ../examples/rootfs/x8664_windows\Windows\System32\ntdll.dll ...
[!]     Warnings while loading ../examples/rootfs/x8664_windows\Windows\System32\ntdll.dll:
[!]      - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[!]      - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[=]     Done with loading ../examples/rootfs/x8664_windows\Windows\System32\ntdll.dll
[=]     Loading ../examples/rootfs/x8664_windows\Windows\System32\kernel32.dll ...
[=]     Done with loading ../examples/rootfs/x8664_windows\Windows\System32\kernel32.dll
[=]     Loading ../examples/rootfs/x8664_windows\Windows\System32\mscoree.dll ...
[=]     Done with loading ../examples/rootfs/x8664_windows\Windows\System32\mscoree.dll
0x4033ae:       jmp     qword ptr [rip + 0x402000]
[!]     api _CorExeMain is not implemented

This seemed like a likely culprit, so I tried setting a breakpoint at 0x4033ae in WinDbg with the command bu 0x4033ae. I also tried bp.

0x102bdbd1:     push    rbx
0x102bdbd3:     sub     esp, 0x20
0x102bdbd7:     and     dword ptr [rsp + 0x30], 0
0x102bdbdd:     lea     ecx, [rsp + 0x30]
0x102bdbe1:     call    0x102b4548
0x102b4549:     push    rbx
0x102b454b:     sub     esp, 0x20
0x102b454e:     mov     eax, dword ptr [rip + 0x5b4dc]
[x]     CPU Context:
[x]     ah      : 0xff
... snip ...
[x]     gs      : 0x78
[x]     Hexdump:
[x]     8b 05 dc b4 05 00 48 8b
[x]     Disassembly:
[=]     102b454e [mscoree.dll          + 0x00154e]  8b 05 dc b4 05 00 48 8b d9 85 c0 75 05 e8 c4 fc ff ff 8b 05 ca b4 05 00 83 f8 02 75 0f 48 85 db 74 0a 48 8b 05 c9 b4 05 00 48 89 03 8b 05 b0 b4 05 00 48 83 c4 20 5b c3 cc cc cc cc cc cc cc cc
> mov                  eax, dword ptr [0x5b4dc]
> dec                  eax
> mov                  ebx, ecx
> test                 eax, eax
> jne                  0x102b4560
> call                 0x102b4224
> mov                  eax, dword ptr [0x5b4ca]
> cmp                  eax, 2
> jne                  0x102b457a
> dec                  eax
> test                 ebx, ebx
> je                   0x102b457a
> dec                  eax
> mov                  eax, dword ptr [0x5b4c9]
> dec                  eax
> mov                  dword ptr [ebx], eax
> mov                  eax, dword ptr [0x5b4b0]
> dec                  eax
> add                  esp, 0x20
> pop                  ebx
> ret
> int3
> int3
> int3
> int3
> int3
> int3
> int3
> int3
[x]     PC = 0x102b454e (../examples/rootfs/x8664_windows\Windows\System32\mscoree.dll + 0x154e)
[=]     Memory map:
[=]     Start      End        Perm    Label          Image
[=]     00006000 - 0000c000   rwx     [FS/GS]
[=]     00030000 - 00031000   rwx     [GDT]
[=]     00400000 - 00408000   rwx     [PE]           snake.exe
[=]     05000000 - 05001000   rwx     [heap]
[=]     06000000 - 0c000000   rwx     [FS/GS]
[=]     10000000 - 101f5000   rwx     ntdll.dll      ../examples/rootfs/x8664_windows\Windows\System32\ntdll.dll
[=]     101f5000 - 102b3000   rwx     kernel32.dll   ../examples/rootfs/x8664_windows\Windows\System32\kernel32.dll
[=]     102b3000 - 10318000   rwx     mscoree.dll    ../examples/rootfs/x8664_windows\Windows\System32\mscoree.dll
[=]     fffdd000 - ffffe000   rwx     [stack]
Traceback (most recent call last):
... snip ...
File "C:\Users\jonat\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\unicorn\unicorn.py", line 465, in emu_start
raise UcError(status)
unicorn.unicorn.UcError: Invalid memory mapping (UC_ERR_MAP)

In WinDbg I get:

CommandLine: C:UsersjonatDocumentsGitHubsynthesisobfusnake.exe
************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*
Symbol search path is: srv*
Executable search path is: 
ModLoad: 00e60000 00e68000   ConsoleGraphics.exe
ModLoad: 770f0000 77293000   ntdll.dll
ModLoad: 74810000 74862000   C:\WINDOWS\SysWOW64\MSCOREE.DLL
ModLoad: 74fb0000 750a0000   C:\WINDOWS\SysWOW64\KERNEL32.dll
ModLoad: 75fa0000 761b5000   C:\WINDOWS\SysWOW64\KERNELBASE.dll
(9b8.7854): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=3c560000 edx=00000000 esi=77102054 edi=7710261c
eip=771a1ba2 esp=00fff9cc ebp=00fff9f8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!LdrpDoDebuggerBreak+0x2b:
771a1ba2 cc              int     3

This seems to be a standard breakpoint triggered by ntdll, but by the time it fires we have already passed the address 0x4033ae where I tried to apply mine. I realise this may be because the process's addressing scheme appears to be mapped differently by my OS/WinDbg than by the execution context of the qiling emulation. How would I start debugging this, or at least find the relevant breakpoint in WinDbg?
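One way to carry an emulator address over to the live process is to express it as module+offset and rebase it on WinDbg's own module base. The following is an added example, not part of the original question or of qiling: it parses the qiling memory map and the WinDbg ModLoad lines (sample lines constructed from the logs above), and it assumes the first ModLoad is always the debuggee executable, which is how the [PE] image is matched even though WinDbg shows it under a different file name.

```python
import re
# Constructed sample input, shaped like the qiling memory map and the WinDbg ModLoad lines above
QILING_MAP = """\
[=]     00400000 - 00408000   rwx     [PE]           snake.exe
[=]     10000000 - 101f5000   rwx     ntdll.dll      ../examples/rootfs/x8664_windows/Windows/System32/ntdll.dll
[=]     102b3000 - 10318000   rwx     mscoree.dll    ../examples/rootfs/x8664_windows/Windows/System32/mscoree.dll
[=]     fffdd000 - ffffe000   rwx     [stack]
"""
WINDBG_MODLOAD = """\
ModLoad: 00e60000 00e68000   ConsoleGraphics.exe
ModLoad: 770f0000 77293000   ntdll.dll
ModLoad: 74810000 74862000   C:\\WINDOWS\\SysWOW64\\MSCOREE.DLL
"""
QL_RE = re.compile(r"\[=\]\s+([0-9a-f]+) - ([0-9a-f]+)\s+\S+\s+(\S+)(?:\s+(\S+))?$")
WD_RE = re.compile(r"ModLoad:\s+([0-9a-f`]+)\s+[0-9a-f`]+\s+(\S+)$")

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]

def parse_qiling_map(text):
    """[(image file name, start, end, is_main_image)]; rows with no image ([stack], [heap]) are skipped."""
    mods = []
    for line in text.splitlines():
        m = QL_RE.match(line.strip())
        if m and m.group(4) is not None:
            start, end, label, image = m.groups()
            mods.append((basename(image), int(start, 16), int(end, 16), label == "[PE]"))
    return mods

def parse_modload(text):
    """[(module file name, base)] in load order; assumption: the first ModLoad is the debuggee exe."""
    mods = []
    for line in text.splitlines():
        m = WD_RE.match(line.strip())
        if m:  # 64-bit WinDbg prints 00000000`77e30000, so drop the backtick before parsing
            mods.append((basename(m.group(2)), int(m.group(1).replace("`", ""), 16)))
    return mods

def rebase(addr, qiling_mods, windbg_mods):
    """Map an emulator address to (address in the live process, WinDbg bp expression), or None."""
    for name, start, end, is_main in qiling_mods:
        if not (start <= addr < end):
            continue
        offset = addr - start
        if is_main:  # the exe may carry another file name in WinDbg, so match it by position
            wd_name, wd_base = windbg_mods[0]
        else:
            hits = [(n, b) for n, b in windbg_mods if n.lower() == name.lower()]
            if not hits:
                return None
            wd_name, wd_base = hits[0]
        return wd_base + offset, "%s+%#x" % (wd_name.rsplit(".", 1)[0], offset)
    return None

QL_MODS, WD_MODS = parse_qiling_map(QILING_MAP), parse_modload(WINDBG_MODLOAD)
```

The returned expression (for example ConsoleGraphics+0x33ae) can be given to bu, so WinDbg resolves it against the module base when the module loads rather than at a fixed address.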

The query is not exactly related to windbg.

As I commented, the qiling framework has not implemented dotnet yet and needs someone to help implement it.

Since this query has a windbg tag and a debugging tag,
and I had been wanting to test the Qiling framework on a windows machine for some time,
I took this query as an opportunity to do so.

Qiling is built on the unicorn emulation framework;
I have dabbled with unicorn and found it very useful.

Installed qiling on an x64 windows 10 machine [pip3 install qiling]. The windows docs are very sparse, and an example indicated in the github repo, disasmx886_windows.py, is missing from the repo.

Had to hunt around for a working setup.

After installing qiling, it needs a virtual filesystem to operate on, with the relevant windows dlls and registry hives.
This is done with the dllscollector.bat provided in the repo.

Basically, collector.bat xcopies the relevant 32-bit and 64-bit dlls and reg saves the registry hives.

f:\>md QILING
f:\>cd QILING
f:\QILING>ls
f:\QILING>f:\wget\wget.exe -c https://raw.githubusercontent.com/qilingframework/qiling/master/examples/scripts/dllscollector.bat
2021-11-14 03:03:05 (1.28 MB/s) - 'dllscollector.bat' saved [10085/10085]
f:\QILING>ls
dllscollector.bat
f:\QILING>file dllscollector.bat
dllscollector.bat: DOS batch file, ASCII text, with very long lines
f:\QILING>dllscollector.bat
Does F:\QILING\examples\rootfs\x8664_windows\Windows\registry\NTUSER.DAT specify a file name
or directory name on the target
(F = file, D = directory)? f
C:\Users\Default\NTUSER.DAT -> F:\QILING\examples\rootfs\x8664_windows\Windows\registry\NTUSER.DAT
1 File(s) copied
The operation completed successfully.
snip all copy and save operations
f:\QILING>ls
dllscollector.bat  examples

Now that we have collected the dlls, let's copy two test binaries,
one an x64 console application,
the other a .net console binary, and
write a python script to emulate them with the QILING framework.

f:\QILING>ls
dllscollector.bat  examples
f:\QILING>md testqiling
f:\QILING>xcopy ..\tbins .\testqiling
..\tbins\mcall.exe
..\tbins\printxcode.exe
..\tbins\qiliwin.py
3 File(s) copied
f:\QILING>cd testqiling
f:\QILING\testqiling>file *
mcall.exe:      PE32+ executable (GUI) x86-64, for MS Windows
printxcode.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
qiliwin.py:     Python script, ASCII text executable, with CRLF line terminators
f:\QILING\testqiling>printxcode.exe |head -n 2
HResult is 80070057      xcode is E0434352      Value does not fall within the expected range.
HResult is 80004003      xcode is E0434352      Value cannot be null.
f:\QILING\testqiling>start /wait mcall.exe
f:\QILING\testqiling>echo %errorlevel%
1677

The script is shown below.
stop_on_exit_trap is added to avoid mcall.exe crashing on return from main() to the crt, because the PC (0x0 as rip) is not accessible.
All executed instructions are traced and printed.
verbose provides some additional logging.

f:\QILING\testqiling>cat qiliwin.py
import os
from qiling import Qiling
from qiling.const import QL_VERBOSE
from qiling.extensions import trace

os.system('')  # quirk: an empty os.system() call switches on ANSI colour output in the Windows console
rootfs = r"F:\QILING\examples\rootfs\x8664_windows"
bin2exec = [
    r"F:\QILING\testqiling\mcall.exe",
    r"F:\QILING\testqiling\printxcode.exe",
]
for binary in bin2exec:
    print("executing binary\n=====================\n%s\n=====================\n" % binary)
    # stop_on_exit_trap: a return from the entry point lands on a trap instead of rip = 0
    ql = Qiling([binary], rootfs, verbose=QL_VERBOSE.DEBUG, stop_on_exit_trap=True)
    trace.enable_full_trace(ql)  # print every executed instruction
    ql.run()

Executing the script, we get

qiling.exception.QlErrorFileNotFound: Cannot find dll in F:\QILING\examples\rootfs\x8664_windows\Windows\System32\mscoree.dll

Copied mscoree.dll from system32 to rootfs/system32 and checked; it crashes again with the unmapped error noted in the query.

Let's open the .net binary in x64 windbg and check.

F:\QILING\testqiling>cdb -c "sxe ld:mscoree;g;q" printxcode.exe | awk /Reading/,/quit/
0:000> cdb: Reading initial command 'sxe ld:mscoree;g;q'
ModLoad: 00000000`77e30000 00000000`77e39000   C:\WINDOWS\System32\wow64cpu.dll
ModLoad: 00000000`73f90000 00000000`73fe2000   C:\WINDOWS\SysWOW64\MSCOREE.DLL
quit:

So this binary needs the syswow mscoree.

f:\QILING\testqiling>copy c:\Windows\SysWOW64\mscoree.dll F:\QILING\examples\rootfs\x8664_windows\Windows\System32\.
Overwrite F:\QILING\examples\rootfs\x8664_windows\Windows\System32\.\mscoree.dll? (Yes/No/All): y
1 file(s) copied.

Now the execution doesn't crash.

F:\QILING\testqiling>python qiliwin.py
executing binary
=====================
F:\QILING\testqiling\mcall.exe
=====================
[+]     Profile: Default
[+]     Windows Registry PATH: F:\QILING\examples\rootfs\x8664_windows\Windows\registry
[=]     Initiate stack address at 0x7ffffffde000
[=]     Loading F:\QILING\testqiling\mcall.exe to 0x140000000
[=]     PE entry point at 0x140001030
[=]     TEB addr is 0x6000030
[=]     PEB addr is 0x60000b8
[=]     Loading F:\QILING\examples\rootfs\x8664_windows\Windows\System32\ntdll.dll ...
[!]     Warnings while loading F:\QILING\examples\rootfs\x8664_windows\Windows\System32\ntdll.dll:
[!]      - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[!]      - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[+]     DLL preferred base address: 0x180000000
[=]     Done with loading F:\QILING\examples\rootfs\x8664_windows\Windows\System32\ntdll.dll
[=]     Loading F:\QILING\examples\rootfs\x8664_windows\Windows\System32\kernel32.dll ...
[+]     DLL preferred base address: 0x180000000
[+]     DLL preferred base address is taken, loading to: 0x1801f0000
[=]     Done with loading F:\QILING\examples\rootfs\x8664_windows\Windows\System32\kernel32.dll
[+]     Done with loading F:\QILING\testqiling\mcall.exe
[+]     Setting up exit trap at 0x0x140004000
[+]     140001030 | 4883ec48                 sub        rsp, 0x48                                                | rsp = 0x0
[+]     140001034 | 41b803000000             mov        r8d, 0x3                                                 |
[+]     14000103a | ba02000000               mov        edx, 0x2                                                 |
[+]     14000103f | b901000000               mov        ecx, 0x1                                                 |
[+]     140001044 | e8b7ffffff               call       0x140001000                                              | rsp = 0x0, rip = 0x0
[+]     140001000 | 4489442418               mov        dword ptr [0x18], r8d                                    | rsp = 0x0, r8d = 0x0
[+]     140001005 | 89542410                 mov        dword ptr [0x10], edx                                    | rsp = 0x0, edx = 0x2
[+]     140001009 | 894c2408                 mov        dword ptr [0x8], ecx                                     | rsp = 0x0, ecx = 0x1
[+]     14000100d | 8b442410                 mov        eax, dword ptr [0x10]                                    | rsp = 0x0
[+]     140001011 | 8b4c2408                 mov        ecx, dword ptr [0x8]                                     | rsp = 0x0
[+]     140001015 | 03c8                     add        ecx, eax                                                 | ecx = 0x1, eax = 0x2
[+]     140001017 | 8bc1                     mov        eax, ecx                                                 | ecx = 0x3
[+]     140001019 | 03442418                 add        eax, dword ptr [0x18]                                    | eax = 0x3, rsp = 0x0
[+]     14000101d | c3                       ret                                                                 | rsp = 0x0
[+]     140001049 | 89442428                 mov        dword ptr [0x28], eax                                    | rsp = 0x0, eax = 0x6
[+]     14000104d | 41b806000000             mov        r8d, 0x6                                                 |
[+]     140001053 | ba07000000               mov        edx, 0x7                                                 |
[+]     140001058 | b908000000               mov        ecx, 0x8                                                 |
[+]     14000105d | e89effffff               call       0x140001000                                              | rsp = 0x0, rip = 0x0
snipoff
[+]     140004000 | 90                       nop                                                                 |
[=]     Process returned from entrypoint (exit_trap)!
[+]     Syscalls called:
[+]     Registries accessed:
[+]     Strings:
executing binary
=====================
F:\QILING\testqiling\printxcode.exe
=====================
[+]     Profile: Default
[+]     Map GDT at 0x30000 with GDT_LIMIT=4096
[+]     Write to 0x30018 for new entry b'\x00\xf0\x00\x00\x00\xfeO\x00'
[+]     Write to 0x30028 for new entry b'\x00\xf0\x00\x00\x00\x96O\x00'
[+]     Write to 0x30070 for new entry b'\x00`\x00`\x00\xf6@\x00'
[+]     Write to 0x30078 for new entry b'\x00\x00\x00\x00\x00\xf6@\x06'
[+]     Windows Registry PATH: F:\QILING\examples\rootfs\x8664_windows\Windows\registry
[=]     Initiate stack address at 0xfffdd000
[=]     Loading F:\QILING\testqiling\printxcode.exe to 0x400000
[=]     PE entry point at 0x402eda
[=]     TEB addr is 0x6000
[=]     PEB addr is 0x6044
[=]     Loading F:\QILING\examples\rootfs\x8664_windows\Windows\System32\ntdll.dll ...
[!]     Warnings while loading F:\QILING\examples\rootfs\x8664_windows\Windows\System32\ntdll.dll:
[!]      - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[!]      - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[+]     DLL preferred base address: 0x180000000
[+]     DLL preferred base address exceeds memory upper bound, loading to: 0x10000000
[=]     Done with loading F:\QILING\examples\rootfs\x8664_windows\Windows\System32\ntdll.dll
[=]     Loading F:\QILING\examples\rootfs\x8664_windows\Windows\System32\kernel32.dll ...
[+]     DLL preferred base address: 0x180000000
[+]     DLL preferred base address exceeds memory upper bound, loading to: 0x101f0000
[=]     Done with loading F:\QILING\examples\rootfs\x8664_windows\Windows\System32\kernel32.dll
[=]     Loading F:\QILING\examples\rootfs\x8664_windows\Windows\System32\mscoree.dll ...
[+]     DLL preferred base address: 0x10000000
[+]     DLL preferred base address is taken, loading to: 0x102b0000
[=]     Done with loading F:\QILING\examples\rootfs\x8664_windows\Windows\System32\mscoree.dll
[+]     Done with loading F:\QILING\testqiling\printxcode.exe
[+]     Setting up exit trap at 0x0xc000000
[+]     00402eda | ff2500204000             jmp        dword ptr [0x402000]                                     |
[!]     api _CorExeMain is not implemented
[+]     102c4330 | 8bff                     mov        edi, edi                                                 | edi = 0x0
[+]     102c4332 | 56                       push       esi                                                      | esp = 0x0, esi = 0xffffd000
snipoff
[+]     0c000000 | 90                       nop                                                                 |
[=]     Process returned from entrypoint (exit_trap)!
[+]     Syscalls called:
[+]     Registries accessed:
[+]     Strings:
