ld-linux-x86-64.so.2 Invalid memory read (UC_ERR_READ_UNMAPPED)
*Describe the bug A clear and concise description of what the bug is.
Sample Code
from capstone import *
from qiling import *
def my_puts(ql):
    """Python replacement for libc ``puts``: print the string the guest passed.

    The first call argument is fetched through ``ql.os.function_arg`` (an older
    Qiling accessor; newer releases expose ``ql.os.resolve_fcall_params``) and
    dereferenced as a C string with ``ql.mem.string``.
    """
    str_ptr = ql.os.function_arg[0]
    text = ql.mem.string(str_ptr)
    print("puts(%s)" % text)
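def hook_code(ql, address, size, disassembler=None):
    """Code hook: trace every instruction the emulator is about to execute.

    Prints the instruction's address and length, then reads its bytes from
    guest memory and prints the Capstone disassembly of that range.

    Args:
        ql: the Qiling instance invoking the hook.
        address: guest address of the instruction.
        size: instruction length in bytes.
        disassembler: Capstone ``Cs`` engine to use.  Optional so that the
            plain ``ql.hook_code(hook_code)`` registration keeps working; when
            omitted, the module-level ``md`` created under ``__main__`` is
            used.  Passing it explicitly via
            ``ql.hook_code(hook_code, user_data=md)`` (Qiling hands
            ``user_data`` to the hook as the fourth positional argument)
            removes the dependency on that global.
    """
    print('>>> Tracing instruction at 0x%x, instruction size = 0x%x' %(address, size))
    # Only touch the module-level engine when no engine was injected.
    dis = md if disassembler is None else disassembler
    buf = ql.mem.read(address, size)
    for insn in dis.disasm(buf, address):
        print(":: 0x%x:\t%s\t%s" % (insn.address, insn.mnemonic, insn.op_str))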
if __name__ == "__main__":
    # Created at module level on purpose: hook_code() reaches it through the
    # global name `md`.
    md = Cs(CS_ARCH_X86, CS_MODE_64)

    rootfs = "rootfs/x8664_linux"
    target = "rootfs/x8664_linux/bin/x8664_hello"

    ql = Qiling([target], rootfs)
    # Replace libc puts() with the Python implementation above, trace every
    # instruction, then start the guest.
    ql.set_api('puts', my_puts)
    ql.hook_code(hook_code)
    ql.run()
Expected behavior
:: 0x7ffff7df23a2: jne 0x7ffff7df3770
Tracing instruction at 0x7ffff7df3770, instruction size = 0x4 :: 0x7ffff7df3770: bsf rdx, rdx Tracing instruction at 0x7ffff7df3774, instruction size = 0x4 :: 0x7ffff7df3774: movzx ecx, byte ptr [rsi + rdx] Tracing instruction at 0x7ffff7df3778, instruction size = 0x4 :: 0x7ffff7df3778: movzx eax, byte ptr [rdi + rdx] Tracing instruction at 0x7ffff7df377c, instruction size = 0x2 :: 0x7ffff7df377c: sub eax, ecx Tracing instruction at 0x7ffff7df377e, instruction size = 0x1 :: 0x7ffff7df377e: ret Tracing instruction at 0x7ffff7de6754, instruction size = 0x2 :: 0x7ffff7de6754: test eax, eax Tracing instruction at 0x7ffff7de6756, instruction size = 0x2 :: 0x7ffff7de6756: jne 0x7ffff7de6740 Tracing instruction at 0x7ffff7de6740, instruction size = 0x4 :: 0x7ffff7de6740: mov rbx, qword ptr [rbx + 8] Tracing instruction at 0x7ffff7de6744, instruction size = 0x3 :: 0x7ffff7de6744: test rbx, rbx Tracing instruction at 0x7ffff7de6747, instruction size = 0x2 :: 0x7ffff7de6747: je 0x7ffff7de6730 Tracing instruction at 0x7ffff7de6730, instruction size = 0x2 :: 0x7ffff7de6730: xor edx, edx Tracing instruction at 0x7ffff7de6732, instruction size = 0x4 :: 0x7ffff7de6732: add rsp, 8 Tracing instruction at 0x7ffff7de6736, instruction size = 0x2 :: 0x7ffff7de6736: mov eax, edx Tracing instruction at 0x7ffff7de6738, instruction size = 0x1 :: 0x7ffff7de6738: pop rbx Tracing instruction at 0x7ffff7de6739, instruction size = 0x1 :: 0x7ffff7de6739: pop rbp Tracing instruction at 0x7ffff7de673a, instruction size = 0x1 :: 0x7ffff7de673a: ret Tracing instruction at 0x7ffff7de6a20, instruction size = 0x2 :: 0x7ffff7de6a20: test eax, eax Tracing instruction at 0x7ffff7de6a22, instruction size = 0x2 :: 0x7ffff7de6a22: je 0x7ffff7de6a08 Tracing instruction at 0x7ffff7de6a08, instruction size = 0x4 :: 0x7ffff7de6a08: mov r15, qword ptr [r15 + 0x18] Tracing instruction at 0x7ffff7de6a0c, instruction size = 0x3 :: 0x7ffff7de6a0c: test r15, r15 Tracing instruction at 0x7ffff7de6a0f, instruction size 
= 0x6 :: 0x7ffff7de6a0f: je 0x7ffff7de6cd0 Tracing instruction at 0x7ffff7de6a15, instruction size = 0x3 :: 0x7ffff7de6a15: mov rsi, r15 Tracing instruction at 0x7ffff7de6a18, instruction size = 0x3 :: 0x7ffff7de6a18: mov rdi, rbx Tracing instruction at 0x7ffff7de6a1b, instruction size = 0x5 :: 0x7ffff7de6a1b: call 0x7ffff7de6700 Tracing instruction at 0x7ffff7de6700, instruction size = 0x1 :: 0x7ffff7de6700: push rbp Tracing instruction at 0x7ffff7de6701, instruction size = 0x1 :: 0x7ffff7de6701: push rbx Tracing instruction at 0x7ffff7de6702, instruction size = 0x3 :: 0x7ffff7de6702: mov rbx, rsi Tracing instruction at 0x7ffff7de6705, instruction size = 0x3 :: 0x7ffff7de6705: mov rbp, rdi Tracing instruction at 0x7ffff7de6708, instruction size = 0x4 :: 0x7ffff7de6708: sub rsp, 8 Tracing instruction at 0x7ffff7de670c, instruction size = 0x4 :: 0x7ffff7de670c: mov rsi, qword ptr [rsi + 8] Tracing instruction at 0x7ffff7de6710, instruction size = 0x5 :: 0x7ffff7de6710: call 0x7ffff7df2360 Tracing instruction at 0x7ffff7df2360, instruction size = 0x2 :: 0x7ffff7df2360: mov ecx, esi Tracing instruction at 0x7ffff7df2362, instruction size = 0x2 :: 0x7ffff7df2362: mov eax, edi Tracing instruction at 0x7ffff7df2364, instruction size = 0x4 :: 0x7ffff7df2364: and rcx, 0x3f Tracing instruction at 0x7ffff7df2368, instruction size = 0x4 :: 0x7ffff7df2368: and rax, 0x3f Tracing instruction at 0x7ffff7df236c, instruction size = 0x3 :: 0x7ffff7df236c: cmp ecx, 0x30 Tracing instruction at 0x7ffff7df236f, instruction size = 0x2 :: 0x7ffff7df236f: ja 0x7ffff7df23b0 Tracing instruction at 0x7ffff7df2371, instruction size = 0x3 :: 0x7ffff7df2371: cmp eax, 0x30 Tracing instruction at 0x7ffff7df2374, instruction size = 0x2 :: 0x7ffff7df2374: ja 0x7ffff7df23b0 Tracing instruction at 0x7ffff7df2376, instruction size = 0x4 :: 0x7ffff7df2376: movlpd xmm1, qword ptr [rdi] Tracing instruction at 0x7ffff7df237a, instruction size = 0x4 :: 0x7ffff7df237a: movlpd xmm2, qword ptr [rsi] Tracing 
instruction at 0x7ffff7df237e, instruction size = 0x5 :: 0x7ffff7df237e: movhpd xmm1, qword ptr [rdi + 8] Tracing instruction at 0x7ffff7df2383, instruction size = 0x5 :: 0x7ffff7df2383: movhpd xmm2, qword ptr [rsi + 8] Tracing instruction at 0x7ffff7df2388, instruction size = 0x4 :: 0x7ffff7df2388: pxor xmm0, xmm0 Tracing instruction at 0x7ffff7df238c, instruction size = 0x4 :: 0x7ffff7df238c: pcmpeqb xmm0, xmm1 Tracing instruction at 0x7ffff7df2390, instruction size = 0x4 :: 0x7ffff7df2390: pcmpeqb xmm1, xmm2 Tracing instruction at 0x7ffff7df2394, instruction size = 0x4 :: 0x7ffff7df2394: psubb xmm1, xmm0 Tracing instruction at 0x7ffff7df2398, instruction size = 0x4 :: 0x7ffff7df2398: pmovmskb edx, xmm1 Tracing instruction at 0x7ffff7df239c, instruction size = 0x6 :: 0x7ffff7df239c: sub edx, 0xffff Tracing instruction at 0x7ffff7df23a2, instruction size = 0x6 :: 0x7ffff7df23a2: jne 0x7ffff7df3770 Tracing instruction at 0x7ffff7df3770, instruction size = 0x4 :: 0x7ffff7df3770: bsf rdx, rdx Tracing instruction at 0x7ffff7df3774, instruction size = 0x4 :: 0x7ffff7df3774: movzx ecx, byte ptr [rsi + rdx] Tracing instruction at 0x7ffff7df3778, instruction size = 0x4 :: 0x7ffff7df3778: movzx eax, byte ptr [rdi + rdx] Tracing instruction at 0x7ffff7df377c, instruction size = 0x2 :: 0x7ffff7df377c: sub eax, ecx Tracing instruction at 0x7ffff7df377e, instruction size = 0x1 :: 0x7ffff7df377e: ret Tracing instruction at 0x7ffff7de6715, instruction size = 0x2 :: 0x7ffff7de6715: test eax, eax Tracing instruction at 0x7ffff7de6717, instruction size = 0x5 :: 0x7ffff7de6717: mov edx, 1 Tracing instruction at 0x7ffff7de671c, instruction size = 0x2 :: 0x7ffff7de671c: je 0x7ffff7de6732 Tracing instruction at 0x7ffff7de671e, instruction size = 0x4 :: 0x7ffff7de671e: mov rbx, qword ptr [rbx + 0x38] Tracing instruction at 0x7ffff7de6722, instruction size = 0x3 :: 0x7ffff7de6722: test rbx, rbx Tracing instruction at 0x7ffff7de6725, instruction size = 0x2 :: 0x7ffff7de6725: jne 
0x7ffff7de6749 Tracing instruction at 0x7ffff7de6749, instruction size = 0x3 :: 0x7ffff7de6749: mov rsi, qword ptr [rbx] Tracing instruction at 0x7ffff7de674c, instruction size = 0x3 :: 0x7ffff7de674c: mov rdi, rbp Tracing instruction at 0x7ffff7de674f, instruction size = 0x5 :: 0x7ffff7de674f: call 0x7ffff7df2360 Tracing instruction at 0x7ffff7df2360, instruction size = 0x2 :: 0x7ffff7df2360: mov ecx, esi Tracing instruction at 0x7ffff7df2362, instruction size = 0x2 :: 0x7ffff7df2362: mov eax, edi Tracing instruction at 0x7ffff7df2364, instruction size = 0x4 :: 0x7ffff7df2364: and rcx, 0x3f Tracing instruction at 0x7ffff7df2368, instruction size = 0x4 :: 0x7ffff7df2368: and rax, 0x3f Tracing instruction at 0x7ffff7df236c, instruction size = 0x3 :: 0x7ffff7df236c: cmp ecx, 0x30 Tracing instruction at 0x7ffff7df236f, instruction size = 0x2 :: 0x7ffff7df236f: ja 0x7ffff7df23b0 Tracing instruction at 0x7ffff7df2371, instruction size = 0x3 :: 0x7ffff7df2371: cmp eax, 0x30 Tracing instruction at 0x7ffff7df2374, instruction size = 0x2 :: 0x7ffff7df2374: ja 0x7ffff7df23b0 Tracing instruction at 0x7ffff7df2376, instruction size = 0x4 :: 0x7ffff7df2376: movlpd xmm1, qword ptr [rdi] Tracing instruction at 0x7ffff7df237a, instruction size = 0x4 :: 0x7ffff7df237a: movlpd xmm2, qword ptr [rsi] Tracing instruction at 0x7ffff7df237e, instruction size = 0x5 :: 0x7ffff7df237e: movhpd xmm1, qword ptr [rdi + 8] Tracing instruction at 0x7ffff7df2383, instruction size = 0x5 :: 0x7ffff7df2383: movhpd xmm2, qword ptr [rsi + 8] Tracing instruction at 0x7ffff7df2388, instruction size = 0x4 :: 0x7ffff7df2388: pxor xmm0, xmm0 Tracing instruction at 0x7ffff7df238c, instruction size = 0x4 :: 0x7ffff7df238c: pcmpeqb xmm0, xmm1 Tracing instruction at 0x7ffff7df2390, instruction size = 0x4 :: 0x7ffff7df2390: pcmpeqb xmm1, xmm2 Tracing instruction at 0x7ffff7df2394, instruction size = 0x4 :: 0x7ffff7df2394: psubb xmm1, xmm0 Tracing instruction at 0x7ffff7df2398, instruction size = 0x4 :: 
0x7ffff7df2398: pmovmskb edx, xmm1 Tracing instruction at 0x7ffff7df239c, instruction size = 0x6 :: 0x7ffff7df239c: sub edx, 0xffff Tracing instruction at 0x7ffff7df23a2, instruction size = 0x6 :: 0x7ffff7df23a2: jne 0x7ffff7df3770 Tracing instruction at 0x7ffff7df3770, instruction size = 0x4 :: 0x7ffff7df3770: bsf rdx, rdx Tracing instruction at 0x7ffff7df3774, instruction size = 0x4 :: 0x7ffff7df3774: movzx ecx, byte ptr [rsi + rdx] Tracing instruction at 0x7ffff7df3778, instruction size = 0x4 :: 0x7ffff7df3778: movzx eax, byte ptr [rdi + rdx] Tracing instruction at 0x7ffff7df377c, instruction size = 0x2 :: 0x7ffff7df377c: sub eax, ecx Tracing instruction at 0x7ffff7df377e, instruction size = 0x1 :: 0x7ffff7df377e: ret Tracing instruction at 0x7ffff7de6754, instruction size = 0x2 :: 0x7ffff7de6754: test eax, eax Tracing instruction at 0x7ffff7de6756, instruction size = 0x2 :: 0x7ffff7de6756: jne 0x7ffff7de6740 Tracing instruction at 0x7ffff7de6758, instruction size = 0x4 :: 0x7ffff7de6758: add rsp, 8 Tracing instruction at 0x7ffff7de675c, instruction size = 0x5 :: 0x7ffff7de675c: mov edx, 1 Tracing instruction at 0x7ffff7de6761, instruction size = 0x2 :: 0x7ffff7de6761: mov eax, edx Tracing instruction at 0x7ffff7de6763, instruction size = 0x1 :: 0x7ffff7de6763: pop rbx Tracing instruction at 0x7ffff7de6764, instruction size = 0x1 :: 0x7ffff7de6764: pop rbp Tracing instruction at 0x7ffff7de6765, instruction size = 0x1 :: 0x7ffff7de6765: ret Tracing instruction at 0x7ffff7de6a20, instruction size = 0x2 :: 0x7ffff7de6a20: test eax, eax Tracing instruction at 0x7ffff7de6a22, instruction size = 0x2 :: 0x7ffff7de6a22: je 0x7ffff7de6a08 Tracing instruction at 0x7ffff7de6a24, instruction size = 0x4 :: 0x7ffff7de6a24: mov ecx, dword ptr [rsp + 0x4c] Tracing instruction at 0x7ffff7de6a28, instruction size = 0x2 :: 0x7ffff7de6a28: test ecx, ecx Tracing instruction at 0x7ffff7de6a2a, instruction size = 0x6 :: 0x7ffff7de6a2a: jne 0x7ffff7de6daf Tracing instruction at 
0x7ffff7de6a30, instruction size = 0x5 :: 0x7ffff7de6a30: mov rax, qword ptr [rsp + 0x38] Tracing instruction at 0x7ffff7de6a35, instruction size = 0x5 :: 0x7ffff7de6a35: mov qword ptr [rsp + 0x20], r15 Tracing instruction at 0x7ffff7de6a3a, instruction size = 0x4 :: 0x7ffff7de6a3a: mov r15d, dword ptr [rsp] Tracing instruction at 0x7ffff7de6a3e, instruction size = 0x5 :: 0x7ffff7de6a3e: mov qword ptr [rsp + 0x10], r13 Tracing instruction at 0x7ffff7de6a43, instruction size = 0x3 :: 0x7ffff7de6a43: mov ebx, dword ptr [rax + 8] Tracing instruction at 0x7ffff7de6a46, instruction size = 0x3 :: 0x7ffff7de6a46: add rbx, rax Tracing instruction at 0x7ffff7de6a49, instruction size = 0x8 :: 0x7ffff7de6a49: lea rax, [rsp + 0x80] Tracing instruction at 0x7ffff7de6a51, instruction size = 0x5 :: 0x7ffff7de6a51: mov qword ptr [rsp + 0x30], rax Tracing instruction at 0x7ffff7de6a56, instruction size = 0xa :: 0x7ffff7de6a56: nop word ptr cs:[rax + rax] Tracing instruction at 0x7ffff7de6a60, instruction size = 0x4 :: 0x7ffff7de6a60: movzx eax, word ptr [rbx + 4] Tracing instruction at 0x7ffff7de6a64, instruction size = 0x4 :: 0x7ffff7de6a64: mov r12d, dword ptr [rbx + 8] Tracing instruction at 0x7ffff7de6a68, instruction size = 0x5 :: 0x7ffff7de6a68: add r12, qword ptr [rsp + 0x18] Tracing instruction at 0x7ffff7de6a6d, instruction size = 0x3 :: 0x7ffff7de6a6d: mov r13d, dword ptr [rbx] Tracing instruction at 0x7ffff7de6a70, instruction size = 0x5 :: 0x7ffff7de6a70: mov word ptr [rsp + 0x42], ax Tracing instruction at 0x7ffff7de6a75, instruction size = 0x5 :: 0x7ffff7de6a75: mov rax, qword ptr [rsp + 0x20] Tracing instruction at 0x7ffff7de6a7a, instruction size = 0x4 :: 0x7ffff7de6a7a: mov qword ptr [rsp], r12 Tracing instruction at 0x7ffff7de6a7e, instruction size = 0x4 :: 0x7ffff7de6a7e: mov rbp, qword ptr [rax + 0x28] Tracing instruction at 0x7ffff7de6a82, instruction size = 0x5 :: 0x7ffff7de6a82: mov rax, qword ptr [rsp + 0x10] Tracing instruction at 0x7ffff7de6a87, 
instruction size = 0x4 :: 0x7ffff7de6a87: mov r12, qword ptr [rax + 8] Tracing instruction at 0x7ffff7de6a8b, instruction size = 0x5 :: 0x7ffff7de6a8b: cmp byte ptr [r12], 0 Tracing instruction at 0x7ffff7de6a90, instruction size = 0x2 :: 0x7ffff7de6a90: jne 0x7ffff7de6aaa Tracing instruction at 0x7ffff7de6a92, instruction size = 0x7 :: 0x7ffff7de6a92: mov rax, qword ptr [rip + 0x215ca7] Tracing instruction at 0x7ffff7de6a99, instruction size = 0x3 :: 0x7ffff7de6a99: mov r12, qword ptr [rax] Tracing instruction at 0x7ffff7de6a9c, instruction size = 0x7 :: 0x7ffff7de6a9c: lea rax, [rip + 0xef4c] Tracing instruction at 0x7ffff7de6aa3, instruction size = 0x3 :: 0x7ffff7de6aa3: test r12, r12 Tracing instruction at 0x7ffff7de6aa6, instruction size = 0x4 :: 0x7ffff7de6aa6: cmove r12, rax Tracing instruction at 0x7ffff7de6aaa, instruction size = 0x4 :: 0x7ffff7de6aaa: mov rax, qword ptr [rbp + 0x68] Tracing instruction at 0x7ffff7de6aae, instruction size = 0x4 :: 0x7ffff7de6aae: mov rax, qword ptr [rax + 8] [x] CPU Context: [x] ah : 0x0 [x] al : 0x0 [x] ch : 0x0 [x] cl : 0x0 [x] dh : 0x0 [x] dl : 0x1 [x] bh : 0x44 [x] bl : 0x0 [x] ax : 0x0 [x] cx : 0x0 [x] dx : 0x1 [x] bx : 0x4400 [x] sp : 0xda00 [x] bp : 0xe930 [x] si : 0xedc0 [x] di : 0x4361 [x] ip : 0x6aae [x] eax : 0x0 [x] ecx : 0x0 [x] edx : 0x1 [x] ebx : 0x55554400 [x] esp : 0xda00 [x] ebp : 0xf7ffe930 [x] esi : 0xf7ffedc0 [x] edi : 0x55554361 [x] eip : 0xf7de6aae [x] rax : 0x0 [x] rbx : 0x555555554400 [x] rcx : 0x0 [x] rdx : 0x1 [x] rsi : 0x7ffff7ffedc0 [x] rdi : 0x555555554361 [x] rbp : 0x7ffff7ffe930 [x] rsp : 0x80000000da00 [x] r8 : 0x0 [x] r9 : 0x0 [x] r10 : 0x32 [x] r11 : 0x3ec860 [x] r12 : 0x80000000dfd8 [x] r13 : 0x9691a75 [x] r14 : 0x7ffff7df5840 [x] r15 : 0x0 [x] rip : 0x7ffff7de6aae [x] cr0 : 0x11 [x] cr1 : 0x0 [x] cr2 : 0x0 [x] cr3 : 0x0 [x] cr4 : 0x0 [x] cr8 : 0x0 [x] st0 : 0x0 [x] st1 : 0x0 [x] st2 : 0x0 [x] st3 : 0x0 [x] st4 : 0x0 [x] st5 : 0x0 [x] st6 : 0x0 [x] st7 : 0x0 [x] ef : 0x4 [x] cs : 0x1b 
[x] ss : 0x28 [x] ds : 0x28 [x] es : 0x28 [x] fs : 0x0 [x] gs : 0x0 [x] r8b : 0x0 [x] r9b : 0x0 [x] r10b : 0x32 [x] r11b : 0x60 [x] r12b : 0xd8 [x] r13b : 0x75 [x] r14b : 0x40 [x] r15b : 0x0 [x] r8w : 0x0 [x] r9w : 0x0 [x] r10w : 0x32 [x] r11w : 0xc860 [x] r12w : 0xdfd8 [x] r13w : 0x1a75 [x] r14w : 0x5840 [x] r15w : 0x0 [x] r8d : 0x0 [x] r9d : 0x0 [x] r10d : 0x32 [x] r11d : 0x3ec860 [x] r12d : 0xdfd8 [x] r13d : 0x9691a75 [x] r14d : 0xf7df5840 [x] r15d : 0x0 [x] fsbase : 0x0 [x] gsbase : 0x6000000 [x] Hexdump: [x] 48 8b 40 08 48 89 44 24 [x] Disassembly: [=] 00007ffff7de6aae [ld-linux-x86-64.so.2 + 0x011aae] 48 8b 40 08 48 89 44 24 08 48 8d 05 a2 5c 21 00 f6 00 10 0f 85 b9 01 00 00 48 8b 85 68 01 00 00 48 85 c0 0f 84 61 01 00 00 48 8b 50 08 48 85 d2 0f 84 c7 05 00 00 48 03 55 00 66 83 3a 01 75 35mov rax, qword ptr [rax + 8] mov qword ptr [rsp + 8], rax lea rax, [rip + 0x215ca2] test byte ptr [rax], 0x10 jne 0x7ffff7de6c80 mov rax, qword ptr [rbp + 0x168] test rax, rax je 0x7ffff7de6c38 mov rdx, qword ptr [rax + 8] test rdx, rdx je 0x7ffff7de70ab add rdx, qword ptr [rbp] cmp word ptr [rdx], 1 jne 0x7ffff7de6b23 [x] PC = 0x00007ffff7de6aae
[=] Memory map:
[=] Start End Perm Label Image
[=] 00030000 - 00031000 rwx [GDT]
[=] 06000000 - 07400000 rwx [GS]
[=] 555555554000 - 555555555000 r-x rootfs/x8664_linux/bin/x8664_hello rootfs/x8664_linux/bin/x8664_hello
[=] 555555754000 - 555555756000 rw- rootfs/x8664_linux/bin/x8664_hello rootfs/x8664_linux/bin/x8664_hello
[=] 555555756000 - 555555758000 rwx [hook_mem]
[=] 7fffb7dd6000 - 7fffb81c7000 rwx [syscall_mmap]
[=] 7fffb7dd6000 - 7fffb81c7000 rwx [mmap] D:\code\python\my_qiling\qiling\rootfs\x8664_linux\lib\libc.so.6
[=] 7fffb81bd000 - 7fffb81c3000 rwx [mmap] D:\code\python\my_qiling\qiling\rootfs\x8664_linux\lib\libc.so.6
[=] 7ffff7dd5000 - 7ffff7fff000 rwx D:\code\python\my_qiling\qiling\rootfs\x8664_linux\lib64\ld-linux-x86-64.so.2
[=] 7ffffffde000 - 80000000e000 rwx [stack]
[=] ffffffffff600000 - ffffffffff601000 rwx [vsyscall]
Traceback (most recent call last):
File "D:\code\python\my_qiling\venv\lib\site-packages\qiling\os\linux\linux.py", line 133, in run
self.ql.emu_start(self.ql.loader.entry_point, entry_address, self.ql.timeout)
File "D:\code\python\my_qiling\venv\lib\site-packages\qiling\core.py", line 867, in emu_start
self.uc.emu_start(begin, end, timeout, count)
File "D:\code\python\my_qiling\venv\lib\site-packages\unicorn\unicorn.py", line 428, in emu_start
raise UcError(status)
unicorn.unicorn.UcError: Invalid memory read (UC_ERR_READ_UNMAPPED)
python-BaseException
Process finished with exit code 1
That must be an old example, since it uses a method that was replaced about 9 months ago (ql.os.function_arg).
Try updating your Qiling copy and re-running the following code instead [I took the liberty to make a few changes]:
from capstone import Cs, CS_ARCH_X86, CS_MODE_64
from qiling import Qiling
from qiling.const import QL_VERBOSE
from qiling.os.const import STRING
def my_puts(ql: Qiling):
    """Python replacement for libc ``puts``.

    Lets Qiling resolve the call's arguments from the calling convention
    (a single C string named ``s``) and logs it at INFO level.
    """
    # Describe the argument list; Qiling reads the pointer and the C string behind it.
    resolved = ql.os.resolve_fcall_params({'s': STRING})
    ql.log.info(f'puts("{resolved["s"]}")')
def hook_code(ql: Qiling, address: int, size: int, md: Cs):
    """Code hook: disassemble the instruction at ``address`` and log it at DEBUG level.

    ``md`` is the Capstone engine handed in through
    ``ql.hook_code(..., user_data=md)``, so the hook has no module-level dependency.
    """
    code = ql.mem.read(address, size)
    lines = (
        f'{insn.address:016x} : {insn.mnemonic:16s} {insn.op_str}'
        for insn in md.disasm(code, address)
    )
    for line in lines:
        ql.log.debug(line)
if __name__ == "__main__":
    md = Cs(CS_ARCH_X86, CS_MODE_64)

    rootfs = r'rootfs/x8664_linux'
    target = r'rootfs/x8664_linux/bin/x8664_hello'

    # DEBUG verbosity makes the per-instruction ql.log.debug() lines visible.
    ql = Qiling([target], rootfs, verbose=QL_VERBOSE.DEBUG)
    # Python-side replacement for libc puts().
    ql.set_api('puts', my_puts)
    # The disassembler travels as user_data, so the hook needs no global.
    ql.hook_code(hook_code, user_data=md)
    ql.run()
Log file: error.log
My English is not very good. Can I write in Chinese? My system is Windows 10, and the rootfs is the official Git repository.
Hey @wtdcode, would you be able to help..? I think he didn't understand my message above.
Hey @wtdcode, would you be able to help..? I think he didn't understand my message above.
His log is so long that I didn't even notice your reply... I would tell him to switch to the dev branch.
@chinaDL
你的Qiling版本太旧了,用dev分支的试试。
@wtdcode, I've consolidated all the messages into one file. Should be cleaner now.
我使用的是1.4.0的qiling.好的.我切换到开发分支试试
我使用了1.4.0dev 也是出现这个问题.并且发现另外一个问题.就是 \qiling\os\posix\const_mapping.py 的40行 需要改成 if mapping_from.get(n) is None or mapping_to.get(n) is None: 才可以继续,最后也是遇到同样的问题.
你rootfs是最新的吗
我使用了1.4.0dev 也是出现这个问题.并且发现另外一个问题.就是 \qiling\os\posix\const_mapping.py 的40行 需要改成 if mapping_from.get(n) is None or mapping_to.get(n) is None: 才可以继续,最后也是遇到同样的问题.
是的 rootfs是从 https://github.com/qilingframework/rootfs 拉取的最新的
麻烦你重新走一遍clone安装流程再试试然后把log发上来
是的 rootfs是从 https://github.com/qilingframework/rootfs 拉取的最新的
log.log 这个就是用1.4.0dev出现的所有记录.我排查是 [+] 00007ffff7de6aae : mov rax, qword ptr [rax + 8] 这里的 rax = 0 导致的报错
@elicn Could we add some lines to detect qiling version and users' platform when we call emu_error?
@chinaDL 能分别确认一下你qiling的commit hash和rootfs的commit hash吗
That must be an old example, since it uses a method that was replaced about 9 months ago (
ql.os.function_arg). Try updating your Qiling copy and re-running the the following code instead [I took the liberty to make a few changes]:from capstone import Cs, CS_ARCH_X86, CS_MODE_64 from qiling import Qiling from qiling.const import QL_VERBOSE from qiling.os.const import STRING def my_puts(ql: Qiling): # have Qiling parse the function parameters for us, given an args list params = ql.os.resolve_fcall_params({'s': STRING}) s = params["s"] ql.log.info(f'puts("{s}")') def hook_code(ql: Qiling, address: int, size: int, md: Cs): buf = ql.mem.read(address, size) for insn in md.disasm(buf, address): ql.log.debug(f'{insn.address:016x} : {insn.mnemonic:16s} {insn.op_str}') if __name__ == "__main__": md = Cs(CS_ARCH_X86, CS_MODE_64) ql = Qiling([r'rootfs/x8664_linux/bin/x8664_hello'], r'rootfs/x8664_linux', verbose=QL_VERBOSE.DEBUG) ql.set_api('puts', my_puts) # set a code hook and pass md as an auxiliary object to the hook ql.hook_code(hook_code, user_data=md) ql.run()
I have tested this code under dev and I did not find any problems.
qiling hash是 a6c8d712 rootfs hash是 9f5c6cbb
@elicn Could we add some lines to detect qiling version and users' platform when we call
emu_error?
Yes, that would be a very good idea. Let me figure out which info we need to show and how to do it.
我实在不知道如何跑通这个demo了................
我实在不知道如何跑通这个demo了................
你这个Demo是从哪里来的?
我再看了一下,代码在Linux是可以跑通的,Windows下无法正常运行因为缺少一些常量
是的 在win下无法跑通官方的linux模拟demo. linux是正常的.我用wsl也是正常的.
@wtdcode 这些demo代码都是qiling github里面的原始代码
@wtdcode 这些demo代码都是qiling github里面的原始代码
https://github.com/qilingframework/qiling/blob/dev/examples/hello_x8664_linux_customapi.py 最新的代码应该没这样写了?
@wtdcode 我用了您提供的这个地址的代码. 还是 unicorn.unicorn.UcError: Invalid memory read (UC_ERR_READ_UNMAPPED) 错误.
我也遇到了同样的问题,官方的代码,跑不了
不好意思我前段时间有点忙没有看。
@chinaDL @yxylwt 你们可以贴一下复现的具体代码+你们的qiling版本吗
import sys
# Make the parent directory importable (the example lives one level below
# the package).  The entry is relative, so which modules it resolves to
# depends on the working directory the script is launched from.
sys.path += [".."]
from qiling import Qiling
from qiling.os.const import STRING
from qiling.const import QL_VERBOSE
def my_puts(ql: Qiling):
    """Replacement for libc ``puts``: print the guest's string argument."""
    # Let Qiling decode the single C-string argument per the calling convention.
    args = ql.os.resolve_fcall_params({'s': STRING})
    text = args["s"]
    print(f'puts("{text}")')
if __name__ == "__main__":
    rootfs = "rootfs/x8664_linux"
    binary = "rootfs/x8664_linux/bin/x8664_hello"

    # DEBUG verbosity prints a detailed emulation trace.
    ql = Qiling([binary], rootfs, verbose=QL_VERBOSE.DEBUG)
    # Route the guest's puts() calls to the Python implementation above.
    ql.set_api('puts', my_puts)
    ql.run()
qiling版本是 1.4.2.dev0
unicorn版本是 2.0.0rc5.post1
rootfs 是目前最新的
Close for now.
We have updated the Qiling and Unicorn codebases since this issue was posted.
Feel free to try the latest version.