Describe the bug I had a Qiling script and a C++-compiled exe that I emulated; it worked fine a few months back, but when I ran it today it failed. I tried to fix the error, but apparently I don't have enough knowledge of the Qiling framework. I think the issue is somewhat related to #1594
Sample Code
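import os
import struct
import sys
from typing import Optional

from qiling import *
from qiling.const import QL_VERBOSE
from qiling.os.windows.fncc import *

# IMAGE_FILE_HEADER.Machine values, used only to compare the target PE with the
# rootfs DLLs it will be linked against at emulation time.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def _pe_machine(path: str) -> Optional[int]:
    """Return the IMAGE_FILE_HEADER.Machine value of a PE file, or None.

    Only the DOS header's e_lfanew (offset 0x3C) and the "PE\\0\\0" signature
    plus the 2-byte Machine field are read; nothing else in the file is parsed
    or trusted.

    Args:
        path: file to inspect.

    Returns:
        The Machine value (0x014C for i386, 0x8664 for AMD64, ...), or None when
        the file cannot be read or does not carry MZ/PE signatures.
    """
    try:
        with open(path, "rb") as fh:
            dos = fh.read(0x40)
            if len(dos) < 0x40 or dos[:2] != b"MZ":
                return None
            (e_lfanew,) = struct.unpack_from("<I", dos, 0x3C)
            fh.seek(e_lfanew)
            nt = fh.read(6)
    except OSError:
        return None
    if len(nt) < 6 or nt[:4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", nt, 4)[0]


def _warn_on_bitness_mismatch(path: str, rootfs: str) -> None:
    """Warn when the target PE and the rootfs ntdll.dll differ in Machine type.

    Qiling maps <rootfs>/Windows/System32/*.dll into the emulated process, so a
    32-bit PE paired with 64-bit DLLs (or vice versa) ends up executing library
    code of the wrong bitness. The check is advisory: it prints to stderr and
    never raises, so an unusual rootfs layout still reaches Qiling's own loader.
    """
    ntdll = os.path.join(rootfs, "Windows", "System32", "ntdll.dll")
    exe_machine = _pe_machine(path)
    dll_machine = _pe_machine(ntdll)
    if exe_machine is None or dll_machine is None:
        return  # nothing to compare; let Qiling report its own loader error
    if exe_machine != dll_machine:
        print(
            f"[!] Machine mismatch: {path} is 0x{exe_machine:04x} but {ntdll} is "
            f"0x{dll_machine:04x}; use a rootfs with the same bitness as the binary.",
            file=sys.stderr,
        )


def my_FlsGetValue2(ql, address, params):
    """Stub for kernelbase!FlsGetValue2 that always returns 0 (NULL).

    Registered through ql.os.set_api so the CRT's fibre-local-storage lookup
    does not run the real DLL code. NOTE(review): the stub only fires if Qiling
    dispatches the call under the name "FlsGetValue2"; the crash log shows
    GetProcAddress returning an address inside ntdll's mapping, so the export
    may be a forwarder resolved under another name -- confirm which name the
    hook must be registered against.
    """
    return 0


def emulate_pe(path: str, rootfs: str, json_out: str, timeout: int = 0, count: int = 0, debug=QL_VERBOSE.DEFAULT):
    """Emulate a Windows PE under Qiling with the FlsGetValue2 stub installed.

    Args:
        path: PE file to emulate.
        rootfs: Qiling rootfs whose Windows/System32 DLLs will be mapped.
        json_out: accepted for interface compatibility; this function does not
            write anything to it.
        timeout: microseconds to emulate before stopping (0 = unlimited).
        count: instructions to emulate before stopping (0 = unlimited).
        debug: Qiling verbosity level.

    Raises:
        FileNotFoundError: if `path` or `rootfs` does not exist, so the failure
            is reported before Qiling's loader produces a less specific error.
        Whatever Qiling/Unicorn raise when emulation faults (e.g. UcError).
    """
    if not os.path.isfile(path):
        raise FileNotFoundError(f"binary not found: {path}")
    if not os.path.isdir(rootfs):
        raise FileNotFoundError(f"rootfs not found: {rootfs}")
    _warn_on_bitness_mismatch(path, rootfs)

    qil = Qiling([path], rootfs, verbose=debug)
    qil.os.set_api("FlsGetValue2", my_FlsGetValue2)
    qil.run(timeout=timeout, count=count)
    print("[=] Emulation completed")


if __name__ == "__main__":
    qiling_rootfs = r"F:\Studies\University\FYP\Qiling\examples\rootfs\x8664_windows"
    bin_file = r"F:\Studies\University\FYP\Qiling\examples\rootfs\x8664_windows\bin\WinAPI\winapi_demo.exe"
    json_out = r"F:\Studies\University\FYP\TestCode\winapi_demo.exe.json"

    print(f">> ROOTFS : {qiling_rootfs}")
    print(f">> Binary : {bin_file}")
    if json_out:
        print(f">> Output File : {json_out}")

    emulate_pe(bin_file, qiling_rootfs, json_out)
# Execution Logs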
>> ROOTFS : F:\Studies\University\FYP\Qiling\examples\rootfs\x8664_windows >> Binary : F:\Studies\University\FYP\Qiling\examples\rootfs\x8664_windows\bin\WinAPI\winapi_demo.exe >> Output File : F:\Studies\University\FYP\TestCode\winapi_demo.exe.json [=] Initiate stack address at 0xfffdd000 [=] Loading F:\Studies\University\FYP\Qiling\examples\rootfs\x8664_windows\bin\WinAPI\winapi_demo.exe to 0x400000 [=] PE entry point at 0x407f41 [=] TEB is at 0x6000 [=] PEB is at 0x61b0 [=] LDR is at 0x6630 [=] Loading ntdll.dll ... [=] Done loading ntdll.dll [=] Loading kernelbase.dll ... [=] Done loading kernelbase.dll [=] Loading kernel32.dll ... [=] Done loading kernel32.dll [=] Loading mscoree.dll ... [=] Calling mscoree.dll DllMain at 0x10749780 [x] Error encountered while running mscoree.dll DllMain, bailing [=] Done loading mscoree.dll [=] Loading ucrtbase.dll ... [=] Done loading ucrtbase.dll [=] Loading advapi32.dll ... [=] Loading msvcrt.dll ... [=] Done loading msvcrt.dll [!] Failed to resolve api-ms-win-eventing-controller-l1-1-0.dll [!] Failed to resolve api-ms-win-eventing-consumer-l1-1-0.dll [!] Failed to resolve api-ms-win-eventing-consumer-l1-1-1.dll [=] Loading sechost.dll ... [=] Done loading sechost.dll [!] Failed to resolve api-ms-win-service-core-l1-1-0.dll [!] Failed to resolve api-ms-win-service-core-l1-1-1.dll [!] Failed to resolve api-ms-win-service-core-l1-1-2.dll [!] Failed to resolve api-ms-win-service-management-l1-1-0.dll [!] Failed to resolve api-ms-win-service-management-l2-1-0.dll [!] Failed to resolve api-ms-win-service-private-l1-1-4.dll [!] Failed to resolve api-ms-win-service-private-l1-1-2.dll [!] Failed to resolve api-ms-win-service-private-l1-1-3.dll [!] Failed to resolve api-ms-win-service-private-l1-1-0.dll [!] Failed to resolve api-ms-win-service-winsvc-l1-1-0.dll [=] Loading rpcrt4.dll ... [=] Done loading rpcrt4.dll [!] Failed to resolve api-ms-win-security-audit-l1-1-1.dll [!] 
Failed to resolve api-ms-win-security-audit-l1-1-0.dll [=] Done loading advapi32.dll [=] GetSystemTimeAsFileTime(lpSystemTimeAsFileTime = 0xffffcfe0) [=] GetCurrentThreadId() = 0x0 [=] GetCurrentProcessId() = 0x7cc [=] QueryPerformanceCounter(lpPerformanceCount = 0xffffcfd8) = 0x0 [=] IsProcessorFeaturePresent(ProcessorFeature = 0xa) = 0x1 [=] InitializeCriticalSectionEx(lpCriticalSection = 0x42e404, dwSpinCount = 0xfa0, Flags = 0) = 0x1 [=] FlsAlloc(lpCallback = 0x40ac39) = 0x0 [=] FlsSetValue(dwFlsIndex = 0, lpFlsData = 0x42e3d8) = 0x1 [=] VirtualProtect(lpAddress = 0x42f000, dwSize = 0x80, flNewProtect = 0x2, lpflOldProtect = 0xffffcf90) = 0x1 [=] InitializeCriticalSectionEx(lpCriticalSection = 0x42e430, dwSpinCount = 0xfa0, Flags = 0) = 0x1 [=] InitializeCriticalSectionEx(lpCriticalSection = 0x42e448, dwSpinCount = 0xfa0, Flags = 0) = 0x1 [=] InitializeCriticalSectionEx(lpCriticalSection = 0x42e460, dwSpinCount = 0xfa0, Flags = 0) = 0x1 [=] InitializeCriticalSectionEx(lpCriticalSection = 0x42e478, dwSpinCount = 0xfa0, Flags = 0) = 0x1 [=] InitializeCriticalSectionEx(lpCriticalSection = 0x42e490, dwSpinCount = 0xfa0, Flags = 0) = 0x1 [=] InitializeCriticalSectionEx(lpCriticalSection = 0x42e4a8, dwSpinCount = 0xfa0, Flags = 0) = 0x1 [=] InitializeCriticalSectionEx(lpCriticalSection = 0x42e4c0, dwSpinCount = 0xfa0, Flags = 0) = 0x1 [=] InitializeCriticalSectionEx(lpCriticalSection = 0x42e4d8, dwSpinCount = 0xfa0, Flags = 0) = 0x1 [=] InitializeCriticalSectionEx(lpCriticalSection = 0x42e4f0, dwSpinCount = 0xfa0, Flags = 0) = 0x1 [=] InitializeCriticalSectionEx(lpCriticalSection = 0x42e508, dwSpinCount = 0xfa0, Flags = 0) = 0x1 [=] InitializeCriticalSectionEx(lpCriticalSection = 0x42e520, dwSpinCount = 0xfa0, Flags = 0) = 0x1 [=] InitializeCriticalSectionEx(lpCriticalSection = 0x42e538, dwSpinCount = 0xfa0, Flags = 0) = 0x1 [=] InitializeCriticalSectionEx(lpCriticalSection = 0x42e550, dwSpinCount = 0xfa0, Flags = 0) = 0x1 [=] 
InitializeCriticalSectionEx(lpCriticalSection = 0x42e568, dwSpinCount = 0xfa0, Flags = 0) = 0x1 [=] InitializeCriticalSectionEx(lpCriticalSection = 0x42e580, dwSpinCount = 0xfa0, Flags = 0) = 0x1 [=] GetProcessHeap() = 0x5000000 [=] LoadLibraryExW(lpLibFileName = "api-ms-win-core-fibers-l1-1-2", hFile = 0, dwFlags = 0x800) = 0x0 [=] GetLastError() = 0x0 [=] LoadLibraryExW(lpLibFileName = "kernelbase", hFile = 0, dwFlags = 0x800) = 0x10270000 [=] GetProcAddress(hModule = 0x10270000, lpProcName = "FlsGetValue2") = 0x100d7e20 [=] EnterCriticalSection(lpCriticalSection = 0x42e580) = 0x0 [=] VirtualProtect(lpAddress = 0x42f000, dwSize = 0x80, flNewProtect = 0x4, lpflOldProtect = 0xffffcf78) = 0x1 [=] VirtualProtect(lpAddress = 0x42f000, dwSize = 0x80, flNewProtect = 0x2, lpflOldProtect = 0xffffcf78) = 0x1 [=] LeaveCriticalSection(lpCriticalSection = 0x42e580) = 0x0 [=] FlsAlloc(lpCallback = 0x413399) = 0x1 [x] CPU Context: [x] ah : 0x7e [x] al : 0x1f [x] ch : 0x0 [x] cl : 0xe [x] dh : 0xff [x] dl : 0xff [x] bh : 0x36 [x] bl : 0xa0 [x] ax : 0x7e1f [x] cx : 0xe [x] dx : 0xffff [x] bx : 0x36a0 [x] sp : 0xcf6c [x] bp : 0xcf90 [x] si : 0x5fd0 [x] di : 0x5f98 [x] ip : 0x7e22 [x] eax : 0x100d7e1f [x] ecx : 0xe [x] edx : 0xffffffff [x] ebx : 0x4136a0 [x] esp : 0xffffcf6c [x] ebp : 0xffffcf90 [x] esi : 0x425fd0 [x] edi : 0x425f98 [x] eip : 0x100d7e22 [x] cr0 : 0x11 [x] cr1 : 0x0 [x] cr2 : 0x0 [x] cr3 : 0x0 [x] cr4 : 0x50200 [x] dr0 : 0x0 [x] dr1 : 0x0 [x] dr2 : 0x0 [x] dr3 : 0x0 [x] dr4 : 0x0 [x] dr5 : 0x0 [x] dr6 : 0xffff0ff0 [x] dr7 : 0x400 [x] st0 : 0x0 [x] st1 : 0x0 [x] st2 : 0x0 [x] st3 : 0x0 [x] st4 : 0x0 [x] st5 : 0x0 [x] st6 : 0x0 [x] st7 : 0x0 [x] eflags : 0x13 [x] cs : 0x1b [x] ss : 0x28 [x] ds : 0x28 [x] es : 0x28 [x] fs : 0x73 [x] gs : 0x7b [x] xmm0 : 0x0 [x] xmm1 : 0x0 [x] xmm2 : 0x0 [x] xmm3 : 0x0 [x] xmm4 : 0x0 [x] xmm5 : 0x0 [x] xmm6 : 0x0 [x] xmm7 : 0x0 [x] ymm0 : 0x0 [x] ymm1 : 0x0 [x] ymm2 : 0x0 [x] ymm3 : 0x0 [x] ymm4 : 0x0 [x] ymm5 : 0x0 [x] ymm6 : 0x0 [x] 
ymm7 : 0x0 [x] Hexdump: [x] 8b 14 25 c8 17 00 00 8d [x] Disassembly: [=] 100d7e22 [ntdll.dll + 0x0d7e22] 8b1425c8170000 mov edx, dword ptr [0x17c8] [=] 100d7e29 [ntdll.dll + 0x0d7e29] 8d41ff lea eax, [ecx - 1] [=] 100d7e2c [ntdll.dll + 0x0d7e2c] 3dee0f0000 cmp eax, 0xfee [=] 100d7e31 [ntdll.dll + 0x0d7e31] 772f ja 0x100d7e62 [=] 100d7e33 [ntdll.dll + 0x0d7e33] 48 dec eax [=] 100d7e34 [ntdll.dll + 0x0d7e34] 85d2 test edx, edx [=] 100d7e36 [ntdll.dll + 0x0d7e36] 742a je 0x100d7e62 [=] 100d7e38 [ntdll.dll + 0x0d7e38] 44 inc esp [=] 100d7e39 [ntdll.dll + 0x0d7e39] 8d4110 lea eax, [ecx + 0x10] [=] 100d7e3c [ntdll.dll + 0x0d7e3c] 41 inc ecx [=] 100d7e3d [ntdll.dll + 0x0d7e3d] b901000000 mov ecx, 1 [=] 100d7e42 [ntdll.dll + 0x0d7e42] 41 inc ecx [=] 100d7e43 [ntdll.dll + 0x0d7e43] 0fbdc8 bsr ecx, eax [=] 100d7e46 [ntdll.dll + 0x0d7e46] 33c0 xor eax, eax [=] 100d7e48 [ntdll.dll + 0x0d7e48] 41 inc ecx [=] 100d7e49 [ntdll.dll + 0x0d7e49] d3e1 shl ecx, cl [=] 100d7e4b [ntdll.dll + 0x0d7e4b] 83c1fc add ecx, -4 [=] 100d7e4e [ntdll.dll + 0x0d7e4e] 45 inc ebp [=] 100d7e4f [ntdll.dll + 0x0d7e4f] 33c8 xor ecx, eax [=] 100d7e51 [ntdll.dll + 0x0d7e51] 48 dec eax [=] 100d7e52 [ntdll.dll + 0x0d7e52] 8b4cca10 mov ecx, dword ptr [edx + ecx*8 + 0x10] [=] 100d7e56 [ntdll.dll + 0x0d7e56] 48 dec eax [=] 100d7e57 [ntdll.dll + 0x0d7e57] 85c9 test ecx, ecx [=] 100d7e59 [ntdll.dll + 0x0d7e59] 7405 je 0x100d7e60 [=] 100d7e5b [ntdll.dll + 0x0d7e5b] 4a dec edx [=] 100d7e5c [ntdll.dll + 0x0d7e5c] 8b44c908 mov eax, dword ptr [ecx + ecx*8 + 8] [=] 100d7e60 [ntdll.dll + 0x0d7e60] c3 ret [=] 100d7e61 [ntdll.dll + 0x0d7e61] cc int3 [x] PC = 0x100d7e22 (F:\Studies\University\FYP\Qiling\examples\rootfs\x8664_windows\Windows\System32\ntdll.dll + 0xd7e22) [x] Memory map: [x] Start End Perm Label Image [x] 0000006000 - 000000c000 rwx [FS] [x] 0000030000 - 0000031000 rwx [GDT] [x] 0000400000 - 0000432000 rwx winapi_demo.exe 
F:\Studies\University\FYP\Qiling\examples\rootfs\x8664_windows\bin\WinAPI\winapi_demo.exe [x] 0005000000 - 0005001000 rwx [heap] [x] 0006000000 - 0007400000 rwx [GS] [x] 0010000000 - 0010268000 rwx ntdll.dll F:\Studies\University\FYP\Qiling\examples\rootfs\x8664_windows\Windows\System32\ntdll.dll [x] 0010270000 - 0010668000 rwx kernelbase.dll F:\Studies\University\FYP\Qiling\examples\rootfs\x8664_windows\Windows\System32\kernelbase.dll [x] 0010670000 - 0010739000 rwx kernel32.dll F:\Studies\University\FYP\Qiling\examples\rootfs\x8664_windows\Windows\System32\kernel32.dll [x] 0010740000 - 00107ad000 rwx mscoree.dll F:\Studies\University\FYP\Qiling\examples\rootfs\x8664_windows\Windows\System32\mscoree.dll [x] 00107b0000 - 00108fb000 rwx ucrtbase.dll F:\Studies\University\FYP\Qiling\examples\rootfs\x8664_windows\Windows\System32\ucrtbase.dll [x] 0010900000 - 00109b4000 rwx advapi32.dll F:\Studies\University\FYP\Qiling\examples\rootfs\x8664_windows\Windows\System32\ADVAPI32.dll [x] 00109c0000 - 0010a69000 rwx msvcrt.dll F:\Studies\University\FYP\Qiling\examples\rootfs\x8664_windows\Windows\System32\msvcrt.dll [x] 0010a70000 - 0010b16000 rwx sechost.dll F:\Studies\University\FYP\Qiling\examples\rootfs\x8664_windows\Windows\System32\SECHOST.dll [x] 0010b20000 - 0010c38000 rwx rpcrt4.dll F:\Studies\University\FYP\Qiling\examples\rootfs\x8664_windows\Windows\System32\RPCRT4.dll [x] 007ffe0000 - 007ffe1000 rwx [kuser shared data] [x] 00fffdd000 - 00ffffe000 rwx [stack] >> Emulation finished. 
Logs saved to emulation_log.txt Traceback (most recent call last): File "f:\Studies\University\FYP\TestCode\qil_test.py", line 52, in <module> emulate_pe(bin_file, qiling_rootfs, json_out) File "f:\Studies\University\FYP\TestCode\qil_test.py", line 24, in emulate_pe qil.run(timeout=timeout, count=count) File "C:\Users\farha\AppData\Roaming\Python\Python310\site-packages\qiling\core.py", line 588, in run self.os.run() File "C:\Users\farha\AppData\Roaming\Python\Python310\site-packages\qiling\os\windows\windows.py", line 212, in run self.ql.emu_start(entry_point, exit_point, self.ql.timeout, self.ql.count) File "C:\Users\farha\AppData\Roaming\Python\Python310\site-packages\qiling\core.py", line 768, in emu_start self.uc.emu_start(begin, end, timeout, count) File "C:\Users\farha\AppData\Local\Programs\Python\Python310\lib\site-packages\unicorn\unicorn_py3\unicorn.py", line 766, in emu_start raise UcError(status) unicorn.unicorn_py3.unicorn.UcError: Invalid memory read (UC_ERR_READ_UNMAPPED)Expected behavior The exe should have been emulated correctly, I also tested few other binaries they also failed.
Additional context Below is the .cpp code that was being emulated. The compilation command for this is cl.exe main.cpp advapi32.lib /EHsc /std:c++17 /Fe:winapi_demo.exe. Note which Developer Command Prompt (x86 or x64) cl.exe was run from, since that decides the bitness of the PE: the crash log above shows a 32-bit register context (eax/esp, cs = 0x1b) and a 32-bit decoding of the faulting code, while the DLLs were loaded from the x8664_windows rootfs, so a bitness mismatch between the binary and the rootfs is worth ruling out first.
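#include <windows.h>
#include <cstring>
#include <iostream>
// cl.exe main.cpp advapi32.lib /EHsc /std:c++17 /Fe:winapi_demo.exe
//
// Demo exercising a handful of Win32 file and registry APIs so the binary can
// be run under an emulator. Files are created relative to the current working
// directory and keys under HKEY_CURRENT_USER, so run it from a scratch
// directory with an unprivileged account; everything it creates is removed
// again before the function returns.

//-----------------------------------------------------
// HELPERS
//-----------------------------------------------------

// Writes the NUL-terminated text `data` to `h` and closes the handle.
// Returns false when the handle is invalid or the write was short. The handle
// is always closed when it was valid, so callers never have to.
static bool write_and_close(HANDLE h, const char* data) {
    if (h == INVALID_HANDLE_VALUE) {
        return false;
    }
    const DWORD len = static_cast<DWORD>(std::strlen(data));
    DWORD written = 0;  // initialised: WriteFile may fail before setting it
    const BOOL ok = WriteFile(h, data, len, &written, nullptr);
    CloseHandle(h);
    return ok != FALSE && written == len;
}

//-----------------------------------------------------
// FILE OPERATIONS
//-----------------------------------------------------

// Creates three small files (two via CreateFileA, one via CreateFileW), writes
// a line into each, then deletes all three. A "created" message is printed
// only when the write actually succeeded.
void file_ops() {
    std::cout << "\n[+] Running file_ops...\n";

    const char* fileA = "testA.txt";
    const char* fileA2 = "testA2.txt";
    const wchar_t* fileW = L"testW.txt";

    // Create file using CreateFileA
    if (write_and_close(CreateFileA(fileA, GENERIC_WRITE, 0, nullptr, CREATE_ALWAYS,
                                    FILE_ATTRIBUTE_NORMAL, nullptr),
                        "Hello from CreateFileA!\n")) {
        std::cout << "[+] File created (ANSI): " << fileA << "\n";
    }

    // Second CreateFileA file; reports its own name (the original printed fileA here).
    if (write_and_close(CreateFileA(fileA2, GENERIC_WRITE, 0, nullptr, CREATE_ALWAYS,
                                    FILE_ATTRIBUTE_NORMAL, nullptr),
                        "Hello from CreateFileA!\n")) {
        std::cout << "[+] File created (ANSI): " << fileA2 << "\n";
    }

    // Create file using CreateFileW
    if (write_and_close(CreateFileW(fileW, GENERIC_WRITE, 0, nullptr, CREATE_ALWAYS,
                                    FILE_ATTRIBUTE_NORMAL, nullptr),
                        "Hello from CreateFileW!\n")) {
        std::wcout << L"[+] File created (Unicode): " << fileW << L"\n";
    }

    // Clean up every file this function may have created. testA2.txt was
    // previously left behind. Deletion is best-effort: a file that was never
    // created simply makes DeleteFile fail, which is fine here.
    DeleteFileA(fileA);
    DeleteFileA(fileA2);
    DeleteFileW(fileW);
    std::cout << "[*] Files cleaned.\n";
}

//-----------------------------------------------------
// REGISTRY OPERATIONS
//-----------------------------------------------------

// Creates one key via RegCreateKeyExW and one via RegCreateKeyExA under
// HKEY_CURRENT_USER, then deletes both so no test artefacts persist in the
// user's hive. The original called the W variant twice and never used
// regPathA; the second call is now the ANSI one the unused path implied.
void reg_ops() {
    std::cout << "\n[+] Running reg_ops...\n";

    HKEY hKey = nullptr;
    const wchar_t* regPathW = L"Software\\TestKeyW";
    const char* regPathA = "Software\\TestKeyA";

    // Create registry key (Unicode)
    if (RegCreateKeyExW(HKEY_CURRENT_USER, regPathW, 0, nullptr, 0, KEY_WRITE, nullptr,
                        &hKey, nullptr) == ERROR_SUCCESS) {
        std::wcout << L"[+] Registry key created (W): " << regPathW << L"\n";
        RegCloseKey(hKey);
    }

    // Create registry key (ANSI)
    if (RegCreateKeyExA(HKEY_CURRENT_USER, regPathA, 0, nullptr, 0, KEY_WRITE, nullptr,
                        &hKey, nullptr) == ERROR_SUCCESS) {
        std::cout << "[+] Registry key created (A): " << regPathA << "\n";
        RegCloseKey(hKey);
    }

    // Clean up, mirroring file_ops: best-effort removal of both keys.
    RegDeleteKeyW(HKEY_CURRENT_USER, regPathW);
    RegDeleteKeyA(HKEY_CURRENT_USER, regPathA);
    std::cout << "[*] Registry keys cleaned.\n";
}

//-----------------------------------------------------
// MAIN
//-----------------------------------------------------

// Runs the file and registry demos in order; always returns 0 because each
// demo reports its own failures and leaves nothing behind.
int main() {
    std::cout << "=== Windows API Demo ===\n";
    file_ops();
    reg_ops();
    std::cout << "\n[+] All operations completed successfully.\n";
    return 0;
}
// The compiled exe drive link is https://drive.google.com/file/d/1OaovRjIW0FdQnoDeV-Vu7SyS5keEuYzs/view?usp=sharing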
