Qiling failed to emulate libc function call
Describe the bug
For strlen in libc, Qiling failed to emulate it.
Emulated Code
size_t strlen(const char *s)
{
  return off_56561FBC(s);   // this line is 0x56555870
}
; Attributes: thunk
; size_t strlen(const char *s)
_strlen proc near
s= dword ptr  4
jmp     ds:off_56561FBC ; PIC mode    // this line is 0x56555870
_strlen endp
[=] Executing: 0x5655c1b2
[=] Executing: 0x5655c1b8
[=] Executing: 0x5655c1bb
[=] Executing: 0x5655c1be
[=] Executing: 0x56555870 // jmp ds:off_56561FBC
[=] Executing: 0x876
[=] Executing: 0x878
[=] Executing: 0x87a
[=] Executing: 0x87c
Any more info?
So the .so I am analyzing just calls __strlen__, which he wrote himself and which only contains jmp ds:off_56561FBC. So how does Qiling implement libc hooking (how does Qiling recognize that ds:off_56561FBC is libc.so:strlen)?
Is my problem caused by rebasing the program in IDA Pro and using the Qiling IDA Pro plugin to run my binary?
This is due to the function hook implementation in Qiling, which is there in order to implement set_api with proper interception. The memory at 0x876 is supposed to be mapped for function hooks. Does the program crash in your case?
Will you be able to try the latest version of Qiling and see if you still face the same issue? There has been lots of rework since 2021. Feel free to open a new issue if you have any similar problem.
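A small trace-triage helper for the kind of log quoted in the report, added here as an example (it is not code from the thread or from the Qiling project): it parses the `[=] Executing:` lines and reports each point where execution leaves the analysed module's address range. The names `parse_trace`, `find_exits`, `IMAGE_BASE` and `IMAGE_SIZE` are hypothetical, and the image range is an assumption constructed to cover the 0x5655.... addresses that appear in the report.

```python
import re

# Format of the trace lines quoted in the report: "[=] Executing: 0x5655c1b2"
TRACE_RE = re.compile(r"\[=\] Executing: (0x[0-9a-fA-F]+)")

def parse_trace(text):
    """Return executed addresses in order; works on one-per-line or run-together logs."""
    return [int(addr, 16) for addr in TRACE_RE.findall(text)]

def find_exits(addresses, base, size):
    """Return (last_inside, first_outside) pairs where execution leaves [base, base+size)."""
    exits = []
    prev = None
    for addr in addresses:
        inside = base <= addr < base + size
        prev_inside = prev is not None and base <= prev < base + size
        if prev_inside and not inside:
            exits.append((prev, addr))
        prev = addr
    return exits

# Trace lines copied from the report, including the reporter's annotation.
TRACE = """\
[=] Executing: 0x5655c1b2
[=] Executing: 0x5655c1b8
[=] Executing: 0x5655c1bb
[=] Executing: 0x5655c1be
[=] Executing: 0x56555870 // jmp ds:off_56561FBC
[=] Executing: 0x876
[=] Executing: 0x878
[=] Executing: 0x87a
[=] Executing: 0x87c
"""

# ASSUMPTION: constructed image range, chosen only so that it covers the code
# addresses and the off_56561FBC slot seen in the report. In a real session,
# take the module's range from the emulator's memory map instead.
IMAGE_BASE = 0x56555000
IMAGE_SIZE = 0xD000

def report(text=TRACE, base=IMAGE_BASE, size=IMAGE_SIZE):
    """Format every exit from the image range as 'source -> destination'."""
    return [f"{src:#x} -> {dst:#x}" for src, dst in find_exits(parse_trace(text), base, size)]

if __name__ == "__main__":
    for line in report():
        print("left image range:", line)
```

On the trace above, the only exit is the thunk's indirect jump, which tells you which slot's contents to inspect in the emulator's memory map.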