Error in emulation due to missing apis in qiling
I'm trying to emulate a driver which calls RtlDuplicateUnicodeString and it gets me an unsupported API error with the following stack trace:
[=] Initiate stack address at 0x7ffffffde000
[=] Loading C:\Program Files\Riot Vanguard\vgk.sys to 0x140000000
[=] PE entry point at 0x14001478c
[=] DriverObject is at 0x6000000
[=] RegistryPath is at 0x6000150
[=] Loading ntdll.dll ...
[=] Done loading ntdll.dll
[=] Loading kernel32.dll ...
[=] Loading kernelbase.dll ...
[=] Done loading kernelbase.dll
[=] Done loading kernel32.dll
[=] Loading ucrtbase.dll ...
[=] Calling ucrtbase.dll DllMain at 0x180665e30
[=] GetSystemTimeAsFileTime(lpSystemTimeAsFileTime = 0x80000001cfb8)
[x] Error encountered while running ucrtbase.dll DllMain, bailing
[=] Done loading ucrtbase.dll
[x] Could not find DLL file: W:\Reversing Tools\qiling\qiling-dev\examples\rootfs\x8664_windows\Windows\System32\cng.sys
[=] Loading ntoskrnl.exe ...
[x] Could not find DLL file: W:\Reversing Tools\qiling\qiling-dev\examples\rootfs\x8664_windows\Windows\System32\ext-ms-win-ntos-tm-l1-1-0.dll
[=] Loading pshed.dll ...
[=] Loading hal.dll ...
[=] Done loading hal.dll
[=] Done loading pshed.dll
[=] Loading bootvid.dll ...
[=] Done loading bootvid.dll
[=] Loading kdcom.dll ...
[=] Done loading kdcom.dll
[x] Could not find DLL file: W:\Reversing Tools\qiling\qiling-dev\examples\rootfs\x8664_windows\Windows\System32\ext-ms-win-fs-clfs-l1-1-0.dll
[=] Loading ci.dll ...
[x] Could not find DLL file: W:\Reversing Tools\qiling\qiling-dev\examples\rootfs\x8664_windows\Windows\System32\msrpc.sys
[=] Done loading ci.dll
[x] Could not find DLL file: W:\Reversing Tools\qiling\qiling-dev\examples\rootfs\x8664_windows\Windows\System32\msrpc.sys
[x] Could not find DLL file: W:\Reversing Tools\qiling\qiling-dev\examples\rootfs\x8664_windows\Windows\System32\cng.sys
[=] Calling ntoskrnl.exe DllMain at 0x141274010
[x] Error encountered while running ntoskrnl.exe DllMain, bailing
[=] Done loading ntoskrnl.exe
[!] api RtlDuplicateUnicodeString (ntoskrnl) is not implemented
[!] api RtlValidateUnicodeString (ntoskrnl) is not implemented
[=] ExAllocatePoolWithTag(PoolType = 0x1, NumberOfBytes = 0x2, Tag = 0x67727453) = 0x500000008
[=] ExSystemTimeToLocalTime(SystemTime = 0x80000001cbf0, LocalTime = 0x80000001cbf8) (PASSTHRU)
[!] api PsGetThreadServerSilo (ntoskrnl) is not implemented
[x] CPU Context:
[x] ah : 0x0
[x] al : 0x0
[x] ch : 0x0
[x] cl : 0x0
[x] dh : 0xcb
[x] dl : 0xf8
[x] bh : 0xcb
[x] bl : 0xf8
[x] ax : 0x0
[x] cx : 0x0
[x] dx : 0xcbf8
[x] bx : 0xcbf8
[x] sp : 0xcb08
[x] bp : 0xcc68
[x] si : 0x0
[x] di : 0xcbf0
[x] ip : 0x54b4
[x] eax : 0x0
[x] ecx : 0x0
[x] edx : 0x1cbf8
[x] ebx : 0x1cbf8
[x] esp : 0x1cb08
[x] ebp : 0x1cc68
[x] esi : 0x6000000
[x] edi : 0x1cbf0
[x] eip : 0x40ac54b4
[x] rax : 0x0
[x] rbx : 0x80000001cbf8
[x] rcx : 0x0
[x] rdx : 0x80000001cbf8
[x] rsi : 0x6000000
[x] rdi : 0x80000001cbf0
[x] rbp : 0x80000001cc68
[x] rsp : 0x80000001cb08
[x] r8 : 0x80000001cf88
[x] r9 : 0xfffe
[x] r10 : 0x0
[x] r11 : 0x0
[x] r12 : 0x0
[x] r13 : 0x0
[x] r14 : 0x80000001cea8
[x] r15 : 0x0
[x] rip : 0x140ac54b4
[x] cr0 : 0x11
[x] cr1 : 0x0
[x] cr2 : 0x0
[x] cr3 : 0x0
[x] cr4 : 0x6f8
[x] cr8 : 0x0
[x] st0 : 0x0
[x] st1 : 0x0
[x] st2 : 0x0
[x] st3 : 0x0
[x] st4 : 0x0
[x] st5 : 0x0
[x] st6 : 0x0
[x] st7 : 0x0
[x] eflags : 0x12
[x] cs : 0x33
[x] ss : 0x28
[x] ds : 0x0
[x] es : 0x0
[x] fs : 0x0
[x] gs : 0x0
[x] r8b : 0x88
[x] r9b : 0xfe
[x] r10b : 0x0
[x] r11b : 0x0
[x] r12b : 0x0
[x] r13b : 0x0
[x] r14b : 0xa8
[x] r15b : 0x0
[x] r8w : 0xcf88
[x] r9w : 0xfffe
[x] r10w : 0x0
[x] r11w : 0x0
[x] r12w : 0x0
[x] r13w : 0x0
[x] r14w : 0xcea8
[x] r15w : 0x0
[x] r8d : 0x1cf88
[x] r9d : 0xfffe
[x] r10d : 0x0
[x] r11d : 0x0
[x] r12d : 0x0
[x] r13d : 0x0
[x] r14d : 0x1cea8
[x] r15d : 0x0
[x] fsbase : 0x6000
[x] gsbase : 0x6000000
[x] xmm0 : 0x6b00670076
[x] xmm1 : 0x0
[x] xmm2 : 0x0
[x] xmm3 : 0x0
[x] xmm4 : 0x0
[x] xmm5 : 0x0
[x] xmm6 : 0x0
[x] xmm7 : 0x0
[x] xmm8 : 0x0
[x] xmm9 : 0x0
[x] xmm10 : 0x0
[x] xmm11 : 0x0
[x] xmm12 : 0x0
[x] xmm13 : 0x0
[x] xmm14 : 0x0
[x] xmm15 : 0x0
[x] xmm16 : 0x0
[x] xmm17 : 0x0
[x] xmm18 : 0x0
[x] xmm19 : 0x0
[x] xmm20 : 0x0
[x] xmm21 : 0x0
[x] xmm22 : 0x0
[x] xmm23 : 0x0
[x] xmm24 : 0x0
[x] xmm25 : 0x0
[x] xmm26 : 0x0
[x] xmm27 : 0x0
[x] xmm28 : 0x0
[x] xmm29 : 0x0
[x] xmm30 : 0x0
[x] xmm31 : 0x0
[x] ymm0 : 0x6b00670076
[x] ymm1 : 0x0
[x] ymm2 : 0x0
[x] ymm3 : 0x0
[x] ymm4 : 0x0
[x] ymm5 : 0x0
[x] ymm6 : 0x0
[x] ymm7 : 0x0
[x] ymm8 : 0x0
[x] ymm9 : 0x0
[x] ymm10 : 0x0
[x] ymm11 : 0x0
[x] ymm12 : 0x0
[x] ymm13 : 0x0
[x] ymm14 : 0x0
[x] ymm15 : 0x0
[x] ymm16 : 0x0
[x] ymm17 : 0x0
[x] ymm18 : 0x0
[x] ymm19 : 0x0
[x] ymm20 : 0x0
[x] ymm21 : 0x0
[x] ymm22 : 0x0
[x] ymm23 : 0x0
[x] ymm24 : 0x0
[x] ymm25 : 0x0
[x] ymm26 : 0x0
[x] ymm27 : 0x0
[x] ymm28 : 0x0
[x] ymm29 : 0x0
[x] ymm30 : 0x0
[x] ymm31 : 0x0
[x] zmm0 : 0x0
[x] zmm1 : 0x0
[x] zmm2 : 0x0
[x] zmm3 : 0x0
[x] zmm4 : 0x0
[x] zmm5 : 0x0
[x] zmm6 : 0x0
[x] zmm7 : 0x0
[x] zmm8 : 0x0
[x] zmm9 : 0x0
[x] zmm10 : 0x0
[x] zmm11 : 0x0
[x] zmm12 : 0x0
[x] zmm13 : 0x0
[x] zmm14 : 0x0
[x] zmm15 : 0x0
[x] zmm16 : 0x0
[x] zmm17 : 0x0
[x] zmm18 : 0x0
[x] zmm19 : 0x0
[x] zmm20 : 0x0
[x] zmm21 : 0x0
[x] zmm22 : 0x0
[x] zmm23 : 0x0
[x] zmm24 : 0x0
[x] zmm25 : 0x0
[x] zmm26 : 0x0
[x] zmm27 : 0x0
[x] zmm28 : 0x0
[x] zmm29 : 0x0
[x] zmm30 : 0x0
[x] zmm31 : 0x0
[x] Hexdump:
[x] 48 8b 81 58 06 00 00 48
[x] Disassembly:
[=] 0000000140ac54b4 [ntoskrnl.exe + 0x2954b4] 48 8b 81 58 06 00 00 mov rax, qword ptr [rcx + 0x658]
[=] 0000000140ac54bb [ntoskrnl.exe + 0x2954bb] 48 83 f8 fd cmp rax, -3
[=] 0000000140ac54bf [ntoskrnl.exe + 0x2954bf] 75 14 jne 0x140ac54d5
[=] 0000000140ac54c1 [ntoskrnl.exe + 0x2954c1] 48 8b 81 20 02 00 00 mov rax, qword ptr [rcx + 0x220]
[=] 0000000140ac54c8 [ntoskrnl.exe + 0x2954c8] 48 8b 80 70 08 00 00 mov rax, qword ptr [rax + 0x870]
[=] 0000000140ac54cf [ntoskrnl.exe + 0x2954cf] 48 83 c4 28 add rsp, 0x28
[=] 0000000140ac54d3 [ntoskrnl.exe + 0x2954d3] c3 ret
[=] 0000000140ac54d4 [ntoskrnl.exe + 0x2954d4] cc int3
[=] 0000000140ac54d5 [ntoskrnl.exe + 0x2954d5] 48 8b c8 mov rcx, rax
[=] 0000000140ac54d8 [ntoskrnl.exe + 0x2954d8] e8 93 f5 0b 00 call 0x140b84a70
[=] 0000000140ac54dd [ntoskrnl.exe + 0x2954dd] 48 83 c4 28 add rsp, 0x28
[=] 0000000140ac54e1 [ntoskrnl.exe + 0x2954e1] c3 ret
[=] 0000000140ac54e2 [ntoskrnl.exe + 0x2954e2] cc int3
[=] 0000000140ac54e3 [ntoskrnl.exe + 0x2954e3] cc int3
[=] 0000000140ac54e4 [ntoskrnl.exe + 0x2954e4] cc int3
[=] 0000000140ac54e5 [ntoskrnl.exe + 0x2954e5] cc int3
[=] 0000000140ac54e6 [ntoskrnl.exe + 0x2954e6] cc int3
[=] 0000000140ac54e7 [ntoskrnl.exe + 0x2954e7] cc int3
[=] 0000000140ac54e8 [ntoskrnl.exe + 0x2954e8] cc int3
[=] 0000000140ac54e9 [ntoskrnl.exe + 0x2954e9] cc int3
[=] 0000000140ac54ea [ntoskrnl.exe + 0x2954ea] cc int3
[=] 0000000140ac54eb [ntoskrnl.exe + 0x2954eb] cc int3
[=] 0000000140ac54ec [ntoskrnl.exe + 0x2954ec] cc int3
[=] 0000000140ac54ed [ntoskrnl.exe + 0x2954ed] cc int3
[=] 0000000140ac54ee [ntoskrnl.exe + 0x2954ee] cc int3
[=] 0000000140ac54ef [ntoskrnl.exe + 0x2954ef] cc int3
[x] PC = 0x0000000140ac54b4 (W:\Reversing Tools\qiling\qiling-dev\examples\rootfs\x8664_windows\Windows\System32\ntoskrnl.exe + 0x2954b4)
[x] Memory map:
[x] Start End Perm Label Image
[x] 000000000000006000 - 00000000000000c000 rwx [FS]
[x] 000000000000030000 - 000000000000031000 rwx [GDT]
[x] 000000000006000000 - 000000000007400000 rwx [GS]
[x] 000000000140000000 - 000000000140825000 rwx [vgk.sys] C:\Program Files\Riot Vanguard\vgk.sys
[x] 000000000140830000 - 000000000141878000 rwx ntoskrnl.exe W:\Reversing Tools\qiling\qiling-dev\examples\rootfs\x8664_windows\Windows\System32\ntoskrnl.exe
[x] 000000000180000000 - 000000000180209000 rwx ntdll.dll W:\Reversing Tools\qiling\qiling-dev\examples\rootfs\x8664_windows\Windows\System32\ntdll.dll
[x] 000000000180210000 - 0000000001802cd000 rwx kernel32.dll W:\Reversing Tools\qiling\qiling-dev\examples\rootfs\x8664_windows\Windows\System32\kernel32.dll
[x] 0000000001802d0000 - 000000000180649000 rwx kernelbase.dll W:\Reversing Tools\qiling\qiling-dev\examples\rootfs\x8664_windows\Windows\System32\KERNELBASE.dll
[x] 000000000180650000 - 000000000180761000 rwx ucrtbase.dll W:\Reversing Tools\qiling\qiling-dev\examples\rootfs\x8664_windows\Windows\System32\ucrtbase.dll
[x] 0000000001c0000000 - 0000000001c001a000 rwx pshed.dll W:\Reversing Tools\qiling\qiling-dev\examples\rootfs\x8664_windows\Windows\System32\PSHED.dll
[x] 0000000001c0020000 - 0000000001c0026000 rwx hal.dll W:\Reversing Tools\qiling\qiling-dev\examples\rootfs\x8664_windows\Windows\System32\HAL.dll
[x] 0000000001c0030000 - 0000000001c003b000 rwx bootvid.dll W:\Reversing Tools\qiling\qiling-dev\examples\rootfs\x8664_windows\Windows\System32\BOOTVID.dll
[x] 0000000001c0040000 - 0000000001c004e000 rwx kdcom.dll W:\Reversing Tools\qiling\qiling-dev\examples\rootfs\x8664_windows\Windows\System32\kdcom.dll
[x] 0000000001c0050000 - 0000000001c0134000 rwx ci.dll W:\Reversing Tools\qiling\qiling-dev\examples\rootfs\x8664_windows\Windows\System32\CI.dll
[x] 000000000500000000 - 000000000500001000 rwx [heap]
[x] 0000007ffffffde000 - 00000080000001e000 rwx [stack]
[x] 00fffff78000000000 - 00fffff78000001000 rwx [mapped]
Traceback (most recent call last):
File "W:\Reversing Tools\qiling\qiling-dev\qltool", line 253, in <module>
ql.run(timeout=options.timeout)
File "W:\Reversing Tools\qiling\qiling-dev\qiling\core.py", line 573, in run
self.os.run()
File "W:\Reversing Tools\qiling\qiling-dev\qiling\os\windows\windows.py", line 224, in run
self.ql.emu_start(entry_point, exit_point, self.ql.timeout, self.ql.count)
File "W:\Reversing Tools\qiling\qiling-dev\qiling\core.py", line 706, in emu_start
self.uc.emu_start(begin, end, timeout, count)
File "W:\Reversing Tools\qiling\qiling-dev\venv\lib\site-packages\unicorn-2.0.0rc7-py3.10-win-amd64.egg\unicorn\unicorn.py", line 525, in emu_start
raise UcError(status)
unicorn.unicorn.UcError: Invalid memory read (UC_ERR_READ_UNMAPPED)
I run the driver with the following command:
python qltool run -f vgk.sys --rootfs examples\rootfs\x8664_windows\ --json
Other than that, it calls two other APIs which are unimplemented:
- PsGetThreadServerSilo
- RtlValidateUnicodeString
Hi there,
The crash is most likely happening due to the missing APIs; I don't think they are related to qltool.
Could you please rename the issue to reflect that?
sure, done
@elicn I have a branch of qemu on my local PC where I implemented some of the missing API calls; I guess I have also implemented those mentioned here. Mind if I create a PR?
Yes, please do.
Take a look at qiling/os/windows/dlls/ntoskrnl.py to see what the code is expected to look like, and make sure you base your work on the dev branch.
Just to confirm: with my changes the error doesn't get fixed in the emulation. I had the file with me (vgk.sys in this case); however, I don't know which version @user-dead is trying to emulate, but in my case 1.11.4.8.2 fails even with the correct API calls.
Here are the code changes from my side:

ntoskrnl.py

from qiling import Qiling
from qiling.os.windows.api import *
from qiling.os.windows.const import STATUS_SUCCESS
from qiling.os.windows.fncc import *

# NTSTATUS RtlDuplicateUnicodeString(
#     ULONG            add_nul,      // RTL_DUPLICATE_UNICODE_STRING_* flags
#     PCUNICODE_STRING source,
#     PUNICODE_STRING  destination
# );
@winsdkapi(cc=STDCALL, params={
    'add_nul'     : ULONG,
    'source'      : PCUNICODE_STRING,
    'destination' : PUNICODE_STRING
})
def hook_RtlDuplicateUnicodeString(ql: Qiling, address: int, params):
    # Stub: reports success but leaves *destination untouched, so the
    # caller still sees an uninitialized UNICODE_STRING.
    return STATUS_SUCCESS

# PESILO PsGetThreadServerSilo(
#     [In] PETHREAD Thread
# );
@winsdkapi(cc=STDCALL, params={
    'Thread' : PETHREAD
})
def hook_PsGetThreadServerSilo(ql: Qiling, address: int, params):
    thread = params['Thread']

    # PESILO is a pointer: NULL for a NULL thread, otherwise a non-NULL
    # placeholder (no ESILO object is modelled, so it must not be dereferenced).
    if thread == 0:
        return 0

    return 1

api.py

PETHREAD = POINTER
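A hook that returns STATUS_SUCCESS without writing the destination leaves the caller with an uninitialized UNICODE_STRING, which is one reason an emulation can keep faulting after the "not implemented" messages go away. The following is an added example (not Qiling's code and not the snippet posted above) of a RtlDuplicateUnicodeString hook that actually copies the source string into a fresh emulated-heap buffer and fills in the destination structure. The core logic is kept emulator-independent so it runs and is testable without Qiling; the FlatMemory and BumpHeap classes are constructed stand-ins for ql.mem and ql.os.heap, and the decorator wrapper at the bottom assumes Qiling's winsdkapi/STDCALL/ULONG/POINTER names from qiling.os.windows.fncc and qiling.os.windows.api, as the ntoskrnl.py hooks use them. The NTSTATUS values are spelled out locally so the module imports cleanly outside Qiling.

```python
import struct

# Well-known NTSTATUS values (defined locally so the example runs without Qiling).
STATUS_SUCCESS = 0x00000000
STATUS_INVALID_PARAMETER = 0xC000000D
STATUS_NO_MEMORY = 0xC0000017

# Flags accepted by RtlDuplicateUnicodeString (ntddk.h).
RTL_DUPLICATE_UNICODE_STRING_NULL_TERMINATE = 0x1
RTL_DUPLICATE_UNICODE_STRING_ALLOCATE_NULL_STRING = 0x2
_VALID_FLAGS = 0x3

# x64 UNICODE_STRING: USHORT Length, USHORT MaximumLength, 4 bytes padding, PWSTR Buffer.
UNICODE_STRING_FMT = '<HH4xQ'
UNICODE_STRING_SIZE = struct.calcsize(UNICODE_STRING_FMT)  # 16


def duplicate_unicode_string(mem, heap, flags, source, destination):
    """Emulator-independent core: copy *source into a new heap buffer and fill *destination.
    `mem` must offer read(addr, n) and write(addr, data); `heap` must offer alloc(n)
    returning an address, or 0 on failure."""
    if source == 0 or destination == 0 or flags & ~_VALID_FLAGS:
        return STATUS_INVALID_PARAMETER

    length, _max_length, buffer = struct.unpack(
        UNICODE_STRING_FMT, bytes(mem.read(source, UNICODE_STRING_SIZE)))

    add_nul = bool(flags & RTL_DUPLICATE_UNICODE_STRING_NULL_TERMINATE)
    alloc_empty = bool(flags & RTL_DUPLICATE_UNICODE_STRING_ALLOCATE_NULL_STRING)

    if length == 0 and not alloc_empty:
        # Empty source, no allocation requested: destination is an empty string with a NULL buffer.
        mem.write(destination, struct.pack(UNICODE_STRING_FMT, 0, 0, 0))
        return STATUS_SUCCESS

    data = bytes(mem.read(buffer, length)) if length else b''
    if add_nul or (length == 0 and alloc_empty):
        data += b'\x00\x00'  # UTF-16 terminator

    new_buffer = heap.alloc(len(data))
    if not new_buffer:
        return STATUS_NO_MEMORY
    mem.write(new_buffer, data)
    # MaximumLength counts the terminator (if any); Length does not.
    mem.write(destination, struct.pack(UNICODE_STRING_FMT, length, len(data), new_buffer))
    return STATUS_SUCCESS


class FlatMemory:
    """Constructed stand-in for ql.mem: one flat, fully mapped bytearray."""
    def __init__(self, size):
        self.buf = bytearray(size)

    def read(self, addr, n):
        return self.buf[addr:addr + n]

    def write(self, addr, data):
        self.buf[addr:addr + len(data)] = data


class BumpHeap:
    """Constructed stand-in for ql.os.heap: bump allocator, 16-byte aligned, 0 when exhausted."""
    def __init__(self, base, limit):
        self.next, self.limit = base, limit

    def alloc(self, n):
        addr = self.next
        self.next += (max(n, 1) + 15) & ~15
        return addr if self.next <= self.limit else 0


def demo(text='vgk', flags=RTL_DUPLICATE_UNICODE_STRING_NULL_TERMINATE):
    """Place UTF-16 `text` at 0x100 with a source UNICODE_STRING at 0x200, duplicate it
    into a destination at 0x300, and return (status, Length, MaximumLength, Buffer, bytes)."""
    mem = FlatMemory(0x1000)
    heap = BumpHeap(0x800, 0x1000)
    raw = text.encode('utf-16-le')
    mem.write(0x100, raw)
    mem.write(0x200, struct.pack(UNICODE_STRING_FMT, len(raw), len(raw), 0x100))
    status = duplicate_unicode_string(mem, heap, flags, 0x200, 0x300)
    length, max_length, buffer = struct.unpack(
        UNICODE_STRING_FMT, bytes(mem.read(0x300, UNICODE_STRING_SIZE)))
    copy = bytes(mem.read(buffer, max_length)) if buffer else b''
    return status, length, max_length, buffer, copy


# Qiling wrapper in the shape ntoskrnl.py expects (assumed names; only defined when Qiling is importable).
try:
    from qiling import Qiling
    from qiling.os.windows.api import *
    from qiling.os.windows.fncc import *
except ImportError:
    Qiling = None

if Qiling is not None:
    @winsdkapi(cc=STDCALL, params={
        'Flags': ULONG,
        'StringIn': POINTER,    # PCUNICODE_STRING
        'StringOut': POINTER    # PUNICODE_STRING
    })
    def hook_RtlDuplicateUnicodeString(ql: Qiling, address: int, params):
        return duplicate_unicode_string(ql.mem, ql.os.heap, params['Flags'],
                                        params['StringIn'], params['StringOut'])


if __name__ == '__main__':
    print(demo())
```

Running demo() duplicates "vgk" with the NULL_TERMINATE flag and returns Length 6, MaximumLength 8 and a buffer at the first heap address, with the copied bytes decoding back to "vgk"; demo('', 0) shows the empty-source path, where the destination gets a NULL buffer and no allocation happens.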
By the way! I just noticed this is not just an issue with vgk.sys; in fact, any Windows driver being emulated with Qiling has the same error so far, from what I have tried.
Closing for now and expecting a PR. Discussion should move to the PR.