How can I set a breakpoint to target this emulated location when it's at a different offset in WinDbg?
I'm emulating a snake game with the qiling framework. It runs fine in my x86_64 Windows environment but fails in the emulated one. It works correctly when run natively, but I can't set a breakpoint in WinDbg at the place where the emulation fails. My question is more about understanding my problem in WinDbg, but I'll provide the emulator log for context:
[=] Initiate stack address at 0xfffdd000
[=] Loading snake.exe to 0x400000
[=] PE entry point at 0x4033ae
[=] TEB addr is 0x6000
[=] PEB addr is 0x6044
[=] Loading ../examples/rootfs/x8664_windows\Windows\System32\ntdll.dll ...
[!] Warnings while loading ../examples/rootfs/x8664_windows\Windows\System32\ntdll.dll:
[!] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[!] - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[=] Done with loading ../examples/rootfs/x8664_windows\Windows\System32\ntdll.dll
[=] Loading ../examples/rootfs/x8664_windows\Windows\System32\kernel32.dll ...
[=] Done with loading ../examples/rootfs/x8664_windows\Windows\System32\kernel32.dll
[=] Loading ../examples/rootfs/x8664_windows\Windows\System32\mscoree.dll ...
[=] Done with loading ../examples/rootfs/x8664_windows\Windows\System32\mscoree.dll
0x4033ae: jmp qword ptr [rip + 0x402000]
[!] api _CorExeMain is not implemented
This seems to be the culprit, so I tried to set a breakpoint at 0x4033ae in WinDbg with the command bu 0x4033ae. I also tried bp.
0x102bdbd1: push rbx
0x102bdbd3: sub esp, 0x20
0x102bdbd7: and dword ptr [rsp + 0x30], 0
0x102bdbdd: lea ecx, [rsp + 0x30]
0x102bdbe1: call 0x102b4548
0x102b4549: push rbx
0x102b454b: sub esp, 0x20
0x102b454e: mov eax, dword ptr [rip + 0x5b4dc]
[x] CPU Context:
[x] ah : 0xff
... snip ...
[x] gs : 0x78
[x] Hexdump:
[x] 8b 05 dc b4 05 00 48 8b
[x] Disassembly:
[=] 102b454e [mscoree.dll + 0x00154e] 8b 05 dc b4 05 00 48 8b d9 85 c0 75 05 e8 c4 fc ff ff 8b 05 ca b4 05 00 83 f8 02 75 0f 48 85 db 74 0a 48 8b 05 c9 b4 05 00 48 89 03 8b 05 b0 b4 05 00 48 83 c4 20 5b c3 cc cc cc cc cc cc cc cc
> mov eax, dword ptr [0x5b4dc]
> dec eax
> mov ebx, ecx
> test eax, eax
> jne 0x102b4560
> call 0x102b4224
> mov eax, dword ptr [0x5b4ca]
> cmp eax, 2
> jne 0x102b457a
> dec eax
> test ebx, ebx
> je 0x102b457a
> dec eax
> mov eax, dword ptr [0x5b4c9]
> dec eax
> mov dword ptr [ebx], eax
> mov eax, dword ptr [0x5b4b0]
> dec eax
> add esp, 0x20
> pop ebx
> ret
> int3
> int3
> int3
> int3
> int3
> int3
> int3
> int3
[x] PC = 0x102b454e (../examples/rootfs/x8664_windows\Windows\System32\mscoree.dll + 0x154e)
[=] Memory map:
[=] Start End Perm Label Image
[=] 00006000 - 0000c000 rwx [FS/GS]
[=] 00030000 - 00031000 rwx [GDT]
[=] 00400000 - 00408000 rwx [PE] snake.exe
[=] 05000000 - 05001000 rwx [heap]
[=] 06000000 - 0c000000 rwx [FS/GS]
[=] 10000000 - 101f5000 rwx ntdll.dll ../examples/rootfs/x8664_windows\Windows\System32\ntdll.dll
[=] 101f5000 - 102b3000 rwx kernel32.dll ../examples/rootfs/x8664_windows\Windows\System32\kernel32.dll
[=] 102b3000 - 10318000 rwx mscoree.dll ../examples/rootfs/x8664_windows\Windows\System32\mscoree.dll
[=] fffdd000 - ffffe000 rwx [stack]
Traceback (most recent call last):
... snip ...
File "C:\Users\jonat\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\unicorn\unicorn.py", line 465, in emu_start
raise UcError(status)
unicorn.unicorn.UcError: Invalid memory mapping (UC_ERR_MAP)
In WinDbg I get:
CommandLine: C:\Users\jonat\Documents\GitHub\synthesis\obfu\snake.exe
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*
Symbol search path is: srv*
Executable search path is:
ModLoad: 00e60000 00e68000 ConsoleGraphics.exe
ModLoad: 770f0000 77293000 ntdll.dll
ModLoad: 74810000 74862000 C:\WINDOWS\SysWOW64\MSCOREE.DLL
ModLoad: 74fb0000 750a0000 C:\WINDOWS\SysWOW64\KERNEL32.dll
ModLoad: 75fa0000 761b5000 C:\WINDOWS\SysWOW64\KERNELBASE.dll
(9b8.7854): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=3c560000 edx=00000000 esi=77102054 edi=7710261c
eip=771a1ba2 esp=00fff9cc ebp=00fff9f8 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll!LdrpDoDebuggerBreak+0x2b:
771a1ba2 cc int 3
This seems to be the standard breakpoint triggered by ntdll, but by the time it triggers we have already passed the address 0x4033ae that I was trying to apply it to. I realize this may be because the execution contexts in my OS / WinDbg and in the qiling emulation appear to map the process's address space differently. How can I start debugging this, or at least find the relevant breakpoint in WinDbg?
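The two logs quoted above answer the "different offset" part of the question: Qiling maps snake.exe at its preferred base 0x400000, while WinDbg's ModLoad line shows the same executable relocated to 0x00e60000 by ASLR, so an absolute address from the emulator means nothing in the live process. What survives relocation is the pair (module, RVA): 0x4033ae is snake.exe + 0x33ae in Qiling, and the same RVA on top of the WinDbg load address gives the live entry point. The script below is an added example, not code from the question or the answer. It parses both log formats shown on this page (Qiling's memory map and WinDbg's ModLoad lines, copied here as constructed input), converts an emulator address to (module, RVA), rebases it onto the WinDbg mapping and emits a module-relative `bu module+offset` breakpoint, which is standard WinDbg syntax and keeps working across relocations. It assumes that the first ModLoad of a user-mode session is the main executable, and it flags modules whose mapped sizes differ between the two sessions, because that usually means two different image files (here the 64-bit System32 DLLs Qiling loaded versus the SysWOW64 ones WinDbg loaded), in which case the RVA is not comparable. Note also that the initial `ntdll!LdrpDoDebuggerBreak` stop fires during loader initialisation, before the executable's entry point has run, so a deferred breakpoint set at that stop is still in time.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the memory map Qiling printed in the question's crash dump.
QILING_MEMORY_MAP = r"""
[=] Memory map:
[=] Start End Perm Label Image
[=] 00006000 - 0000c000 rwx [FS/GS]
[=] 00030000 - 00031000 rwx [GDT]
[=] 00400000 - 00408000 rwx [PE] snake.exe
[=] 05000000 - 05001000 rwx [heap]
[=] 06000000 - 0c000000 rwx [FS/GS]
[=] 10000000 - 101f5000 rwx ntdll.dll ../examples/rootfs/x8664_windows\Windows\System32\ntdll.dll
[=] 101f5000 - 102b3000 rwx kernel32.dll ../examples/rootfs/x8664_windows\Windows\System32\kernel32.dll
[=] 102b3000 - 10318000 rwx mscoree.dll ../examples/rootfs/x8664_windows\Windows\System32\mscoree.dll
[=] fffdd000 - ffffe000 rwx [stack]
"""

# Constructed sample input: the ModLoad lines WinDbg printed for the same program.
WINDBG_MODLOAD = r"""
ModLoad: 00e60000 00e68000 ConsoleGraphics.exe
ModLoad: 770f0000 77293000 ntdll.dll
ModLoad: 74810000 74862000 C:\WINDOWS\SysWOW64\MSCOREE.DLL
ModLoad: 74fb0000 750a0000 C:\WINDOWS\SysWOW64\KERNEL32.dll
ModLoad: 75fa0000 761b5000 C:\WINDOWS\SysWOW64\KERNELBASE.dll
"""

_QILING_LINE = re.compile(
    r"^\[=\]\s+([0-9a-f]+)\s+-\s+([0-9a-f]+)\s+\S+\s+(\S+)(?:\s+(\S+))?\s*$", re.M)
# WinDbg prints 64-bit addresses with a backtick separator (00000000`77e30000); strip it.
_WINDBG_LINE = re.compile(r"^ModLoad:\s+([0-9a-f`]+)\s+([0-9a-f`]+)\s+(.+?)\s*$", re.M)


@dataclass(frozen=True)
class Module:
    key: str    # canonical name used to pair modules across the two environments
    stem: str   # file name without extension, the form WinDbg uses in module+offset expressions
    base: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.base


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1]


def _stem(path: str) -> str:
    return _basename(path).rsplit(".", 1)[0]


def parse_qiling_map(text: str) -> List[Module]:
    modules: List[Module] = []
    for m in _QILING_LINE.finditer(text):
        base, end, label, image = int(m[1], 16), int(m[2], 16), m[3], m[4]
        if label == "[PE]":                      # the emulated executable itself
            modules.append(Module("<exe>", _stem(image), base, end))
        elif not label.startswith("["):          # a DLL; [heap]/[stack]/[GDT]/[FS/GS] are not images
            modules.append(Module(_basename(label).lower(), _stem(label), base, end))
    return modules


def parse_windbg_modloads(text: str) -> List[Module]:
    modules: List[Module] = []
    for m in _WINDBG_LINE.finditer(text):
        base, end = (int(g.replace("`", ""), 16) for g in (m[1], m[2]))
        image = m[3]
        # Assumption: the first ModLoad of a user-mode session is the main executable.
        key = "<exe>" if not modules else _basename(image).lower()
        modules.append(Module(key, _stem(image), base, end))
    return modules


def locate(modules: List[Module], address: int) -> Optional[Tuple[Module, int]]:
    """Return (module, RVA) for an address, or None if it lies outside every image."""
    for mod in modules:
        if mod.base <= address < mod.end:
            return mod, address - mod.base
    return None


@dataclass(frozen=True)
class Translation:
    module: str      # WinDbg module name
    rva: int
    address: int     # the same RVA rebased onto the WinDbg load address
    same_size: bool  # False when the mappings differ in size: probably two different image files

    def breakpoint(self) -> str:
        # Module-relative form survives ASLR relocation, unlike a hard-coded virtual address.
        return f"bu {self.module}+0x{self.rva:x}"


def translate(address: int, src: List[Module], dst: List[Module]) -> Optional[Translation]:
    hit = locate(src, address)
    if hit is None:
        return None
    src_mod, rva = hit
    dst_mod = next((m for m in dst if m.key == src_mod.key), None)
    if dst_mod is None:
        return None
    return Translation(dst_mod.stem, rva, dst_mod.base + rva, src_mod.size == dst_mod.size)


if __name__ == "__main__":
    ql = parse_qiling_map(QILING_MEMORY_MAP)
    wd = parse_windbg_modloads(WINDBG_MODLOAD)
    for va in (0x4033ae, 0x102b454e, 0x5000000):   # entry point, crash PC, a heap address
        t = translate(va, ql, wd)
        if t is None:
            print(f"{va:#x}: not inside an image present in both sessions")
        else:
            note = "" if t.same_size else "  (image sizes differ: not the same file, RVA unreliable)"
            print(f"{va:#x} -> {t.address:#x}  {t.breakpoint()}{note}")
```

For the entry point specifically, WinDbg also exposes it directly as the pseudo-register `$exentry`, so `bu @$exentry` needs no arithmetic at all; the module-relative form above is what you need for any other address, such as the crashing PC inside mscoree.dll. The size check is the caveat that matters on this page: the emulator's mscoree.dll mapping is 0x65000 bytes and WinDbg's SysWOW64 copy is 0x52000, so the two sessions were not running the same DLL and the RVA 0x154e cannot be carried across until the rootfs holds the same file.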
The query is not strictly related to windbg.
As I commented, Qiling Framework has not yet implemented dotnet and needs someone to contribute an implementation.
Since this query also has a windbg tag and a debugging tag, and I had been meaning to test the Qiling framework on a windows machine for a while, I took this query as an opportunity.
Qiling is built on top of the unicorn emulation framework; I have dabbled with unicorn and found it quite useful.
Installed Qiling on an x64 windows10 machine [pip3 install Qiling].
The windows documentation is very scarce, and one example pointed to in the github repo, disasm_x886_windows.py, is missing from the repo; had to poke around to get a working setup.
After installing Qiling, it needs a virtual filesystem with the relevant windows dlls and registry hives to operate on.
This is done with the dllscollector.bat provided in the repo.
Basically the collector .bat xcopies the relevant 32-bit and 64-bit dlls and reg saves the registry hives.
f:\>md QILING
f:\>cd QILING
f:\QILING>ls
f:\QILING>f:\wget\wget.exe -c https://raw.githubusercontent.com/qilingframework/qiling/master/examples/scripts/dllscollector.bat
2021-11-14 03:03:05 (1.28 MB/s) - 'dllscollector.bat' saved [10085/10085]
f:\QILING>ls
dllscollector.bat
f:\QILING>file dllscollector.bat
dllscollector.bat: DOS batch file, ASCII text, with very long lines
f:\QILING>dllscollector.bat
Does F:\QILING\examples\rootfs\x8664_windows\Windows\registry\NTUSER.DAT specify a file name
or directory name on the target
(F = file, D = directory)? f
C:\Users\Default\NTUSER.DAT -> F:\QILING\examples\rootfs\x8664_windows\Windows\registry\NTUSER.DAT
1 File(s) copied
The operation completed successfully.
snip all copy and save operations
f:\QILING>ls
dllscollector.bat examples
Now that we have collected the dlls, let's copy two test binaries, one an x64 console application and the other a .net console binary, and write a python script to emulate them with the QILING framework.
f:\QILING>ls
dllscollector.bat examples
f:\QILING>md testqiling
f:\QILING>xcopy ..\tbins .\testqiling\
..\tbins\mcall.exe
..\tbins\printxcode.exe
..\tbins\qiliwin.py
3 File(s) copied
f:\QILING>cd testqiling
f:\QILING\testqiling>file *
mcall.exe: PE32+ executable (GUI) x86-64, for MS Windows
printxcode.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
qiliwin.py: Python script, ASCII text executable, with CRLF line terminators
f:\QILING\testqiling>printxcode.exe |head -n 2
HResult is 80070057 xcode is E0434352 Value does not fall within the expected range.
HResult is 80004003 xcode is E0434352 Value cannot be null.
f:\QILING\testqiling>start /wait mcall.exe
f:\QILING\testqiling>echo %errorlevel%
1677
The script is as follows.
stop_on_exit_trap is added to avoid mcall.exe crashing on an unreachable PC (0x0 as rip) when it returns from main() to the crt.
trace traces and prints all executed instructions.
verbose provides some extra logging.
f:\QILING\testqiling>cat qiliwin.py
import os
from qiling import Qiling
from qiling.const import QL_VERBOSE
from qiling.extensions import trace

os.system('')  # Windows console quirk: an empty os.system call enables ANSI colour output

# Virtual filesystem populated by dllscollector.bat
rootfs = r"F:\QILING\examples\rootfs\x8664_windows"

# Binaries to emulate: a native x64 GUI app and a .net console app
bin2exec = [
    r"F:\QILING\testqiling\mcall.exe",
    r"F:\QILING\testqiling\printxcode.exe",
]

for binary in bin2exec:
    print("executing binary\n=====================\n%s\n=====================\n" % binary)
    # stop_on_exit_trap: stop cleanly when main() returns to the crt instead of faulting at rip = 0
    ql = Qiling([binary], rootfs, verbose=QL_VERBOSE.DEBUG, stop_on_exit_trap=True)
    trace.enable_full_trace(ql)  # print every executed instruction with register changes
    ql.run()
Executing the script we get:
qiling.exception.QlErrorFileNotFound: Cannot find dll in F:\QILING\examples\rootfs\x8664_windows\Windows\System32\mscoree.dll
Copied mscoree.dll from system32 to rootfs/system32 and checked; it crashes again with the unmapped-memory error pointed out in the query.
Let's open the .net binary in x64 windbg and check.
F:\QILING\testqiling>cdb -c "sxe ld:mscoree;g;q" printxcode.exe | awk /Reading/,/quit/
0:000> cdb: Reading initial command 'sxe ld:mscoree;g;q'
ModLoad: 00000000`77e30000 00000000`77e39000 C:\WINDOWS\System32\wow64cpu.dll
ModLoad: 00000000`73f90000 00000000`73fe2000 C:\WINDOWS\SysWOW64\MSCOREE.DLL
quit:
So this binary needs the mscoree from syswow.
f:\QILING\testqiling>copy c:\Windows\SysWOW64\mscoree.dll F:\QILING\examples\rootfs\x8664_windows\Windows\System32\.
Overwrite F:\QILING\examples\rootfs\x8664_windows\Windows\System32\.\mscoree.dll? (Yes/No/All): y
1 file(s) copied.
Now execution doesn't crash.
F:\QILING\testqiling>python qiliwin.py
executing binary
=====================
F:\QILING\testqiling\mcall.exe
=====================
[+] Profile: Default
[+] Windows Registry PATH: F:\QILING\examples\rootfs\x8664_windows\Windows\registry
[=] Initiate stack address at 0x7ffffffde000
[=] Loading F:\QILING\testqiling\mcall.exe to 0x140000000
[=] PE entry point at 0x140001030
[=] TEB addr is 0x6000030
[=] PEB addr is 0x60000b8
[=] Loading F:\QILING\examples\rootfs\x8664_windows\Windows\System32\ntdll.dll ...
[!] Warnings while loading F:\QILING\examples\rootfs\x8664_windows\Windows\System32\ntdll.dll:
[!] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[!] - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[+] DLL preferred base address: 0x180000000
[=] Done with loading F:\QILING\examples\rootfs\x8664_windows\Windows\System32\ntdll.dll
[=] Loading F:\QILING\examples\rootfs\x8664_windows\Windows\System32\kernel32.dll ...
[+] DLL preferred base address: 0x180000000
[+] DLL preferred base address is taken, loading to: 0x1801f0000
[=] Done with loading F:\QILING\examples\rootfs\x8664_windows\Windows\System32\kernel32.dll
[+] Done with loading F:\QILING\testqiling\mcall.exe
[+] Setting up exit trap at 0x0x140004000
[+] 140001030 | 4883ec48 sub rsp, 0x48 | rsp = 0x0
[+] 140001034 | 41b803000000 mov r8d, 0x3 |
[+] 14000103a | ba02000000 mov edx, 0x2 |
[+] 14000103f | b901000000 mov ecx, 0x1 |
[+] 140001044 | e8b7ffffff call 0x140001000 | rsp = 0x0, rip = 0x0
[+] 140001000 | 4489442418 mov dword ptr [0x18], r8d | rsp = 0x0, r8d = 0x0
[+] 140001005 | 89542410 mov dword ptr [0x10], edx | rsp = 0x0, edx = 0x2
[+] 140001009 | 894c2408 mov dword ptr [0x8], ecx | rsp = 0x0, ecx = 0x1
[+] 14000100d | 8b442410 mov eax, dword ptr [0x10] | rsp = 0x0
[+] 140001011 | 8b4c2408 mov ecx, dword ptr [0x8] | rsp = 0x0
[+] 140001015 | 03c8 add ecx, eax | ecx = 0x1, eax = 0x2
[+] 140001017 | 8bc1 mov eax, ecx | ecx = 0x3
[+] 140001019 | 03442418 add eax, dword ptr [0x18] | eax = 0x3, rsp = 0x0
[+] 14000101d | c3 ret | rsp = 0x0
[+] 140001049 | 89442428 mov dword ptr [0x28], eax | rsp = 0x0, eax = 0x6
[+] 14000104d | 41b806000000 mov r8d, 0x6 |
[+] 140001053 | ba07000000 mov edx, 0x7 |
[+] 140001058 | b908000000 mov ecx, 0x8 |
[+] 14000105d | e89effffff call 0x140001000 | rsp = 0x0, rip = 0x0
snipoff
[+] 140004000 | 90 nop |
[=] Process returned from entrypoint (exit_trap)!
[+] Syscalls called:
[+] Registries accessed:
[+] Strings:
executing binary
=====================
F:\QILING\testqiling\printxcode.exe
=====================
[+] Profile: Default
[+] Map GDT at 0x30000 with GDT_LIMIT=4096
[+] Write to 0x30018 for new entry b'\x00\xf0\x00\x00\x00\xfeO\x00'
[+] Write to 0x30028 for new entry b'\x00\xf0\x00\x00\x00\x96O\x00'
[+] Write to 0x30070 for new entry b'\x00`\x00`\x00\xf6@\x00'
[+] Write to 0x30078 for new entry b'\x00\x00\x00\x00\x00\xf6@\x06'
[+] Windows Registry PATH: F:\QILING\examples\rootfs\x8664_windows\Windows\registry
[=] Initiate stack address at 0xfffdd000
[=] Loading F:\QILING\testqiling\printxcode.exe to 0x400000
[=] PE entry point at 0x402eda
[=] TEB addr is 0x6000
[=] PEB addr is 0x6044
[=] Loading F:\QILING\examples\rootfs\x8664_windows\Windows\System32\ntdll.dll ...
[!] Warnings while loading F:\QILING\examples\rootfs\x8664_windows\Windows\System32\ntdll.dll:
[!] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[!] - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[+] DLL preferred base address: 0x180000000
[+] DLL preferred base address exceeds memory upper bound, loading to: 0x10000000
[=] Done with loading F:\QILING\examples\rootfs\x8664_windows\Windows\System32\ntdll.dll
[=] Loading F:\QILING\examples\rootfs\x8664_windows\Windows\System32\kernel32.dll ...
[+] DLL preferred base address: 0x180000000
[+] DLL preferred base address exceeds memory upper bound, loading to: 0x101f0000
[=] Done with loading F:\QILING\examples\rootfs\x8664_windows\Windows\System32\kernel32.dll
[=] Loading F:\QILING\examples\rootfs\x8664_windows\Windows\System32\mscoree.dll ...
[+] DLL preferred base address: 0x10000000
[+] DLL preferred base address is taken, loading to: 0x102b0000
[=] Done with loading F:\QILING\examples\rootfs\x8664_windows\Windows\System32\mscoree.dll
[+] Done with loading F:\QILING\testqiling\printxcode.exe
[+] Setting up exit trap at 0x0xc000000
[+] 00402eda | ff2500204000 jmp dword ptr [0x402000] |
[!] api _CorExeMain is not implemented
[+] 102c4330 | 8bff mov edi, edi | edi = 0x0
[+] 102c4332 | 56 push esi | esp = 0x0, esi = 0xffffd000
snipoff
[+] 0c000000 | 90 nop |
[=] Process returned from entrypoint (exit_trap)!
[+] Syscalls called:
[+] Registries accessed:
[+] Strings: