qiling
Will Qiling support running an ELF that is compressed by UPX?
I just used UPX to compress an ELF which calls system(ls -alh) after running. I can run it on Linux normally, but when I run it with Qiling it exits and does not call system(ls -alh).
Can you share the emulation properties (i.e. how you run Qiling) and the log?
Please make sure to initialize Qiling with verbose=QL_VERBOSE.DEBUG.
@elicn C code:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* sleep() */

int main(void) {
    puts("hello!");
    sleep(2);
    system("/bin/ls -lah");
    sleep(1);
    return 0;
}
upx ./upx_test
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2020
UPX 3.96 Markus Oberhumer, Laszlo Molnar & John Reiser Jan 23rd 2020
File size Ratio Format Name
-------------------- ------ ----------- -----------
849944 -> 313640 36.90% linux/amd64 upx_test
Packed 1 file.
Run on Ubuntu 18.04: ./upx_test
hello!
total 13M
drwxrwxr-x 7 xxx xxx 4.0K Mar 19 18:47 .
drwxrwxr-x 11 xxx xxx 4.0K Mar 19 04:42 ..
-rwxrwxr-x 1 xxx xxx 307K Mar 19 18:46 upx_test
-rw-rw-r-- 1 xxx xxx 133 Mar 19 18:46 upx_test.c
Python code:
#!/usr/bin/env python3
# coding:utf-8
from qiling import Qiling
from qiling.const import QL_VERBOSE, QL_INTERCEPT

if __name__ == "__main__":
    elf = "./upx_test"
    rootfs = "../examples/rootfs/x8664_linux"
    ql = Qiling([elf], rootfs,
                verbose=QL_VERBOSE.DEBUG,
                multithread=True,
                )
    ql.run()
Qiling debug log:
[+] Profile: Default
[+] Map GDT at 0x30000 with GDT_LIMIT=4096
[+] Write to 0x30018 for new entry b'\x00\xf0\x00\x00\x00\xfeO\x00'
[+] Write to 0x30028 for new entry b'\x00\xf0\x00\x00\x00\x96O\x00'
[+] Mapped 0x400000-0x447000
[+] Mapped 0x447000-0x6be000
[+] mem_start : 0x400000
[+] mem_end : 0x6be000
[+] mmap_address is : 0x7fffb7dd6000
[+] [Thread 2000] Saved context: fs=0x0 tls=0x0
[+] [Thread 2000] Set fsbase to 0x0 for [Thread 2000]
[+] [Thread 2000] Restored context: fs=0x0 tls=0x0
[+] [Thread 2000] Scheduled from 0x445cd8.
[+] [Thread 2000] syscall hooked 0x445efe: ql_syscall_open()
[+] [Thread 2000] open(/proc/self/exe, 0o0) = -2
[+] [Thread 2000] **File not found /home/zeref/qiling/mytest/../examples/rootfs/x8664_linux/proc/self/exe**
[+] [Thread 2000] 0x0000000000445efe: open(filename = 0x445fbc, flags = 0x0, mode = 0x0) = -0x2 (ENOENT)
[+] [Thread 2000] syscall hooked 0x445eee: ql_syscall_write()
[+] [Thread 2000] write() CONTENT: b'/proc/self/exe'
/proc/self/exe[+] [Thread 2000] 0x0000000000445eee: write(fd = 0x2, buf = 0x445fbc, count = 0xe) = 0xe
[+] [Thread 2000] syscall hooked 0x445ef6: ql_syscall_exit()
[+] [Thread 2000] 0x0000000000445ef6: exit(code = 0x7f) = ?
[+] [Thread 2000] Suspended at 0x445ef8
[+] [Thread 2000] Saved context: fs=0x0 tls=0x0
[+] [Thread 2000] Call sched_cb: <function ql_syscall_exit.<locals>._sched_cb_exit at 0x7f0000280ae8>
[+] [Thread 2000] [Thread 2000] Terminated
If I change the rootfs to "/", then I get these logs:
[+] Profile: Default
[+] Map GDT at 0x30000 with GDT_LIMIT=4096
[+] Write to 0x30018 for new entry b'\x00\xf0\x00\x00\x00\xfeO\x00'
[+] Write to 0x30028 for new entry b'\x00\xf0\x00\x00\x00\x96O\x00'
[+] Mapped 0x400000-0x447000
[+] Mapped 0x447000-0x6be000
[+] mem_start : 0x400000
[+] mem_end : 0x6be000
[+] mmap_address is : 0x7fffb7dd6000
[+] [Thread 2000] Saved context: fs=0x0 tls=0x0
[+] [Thread 2000] Set fsbase to 0x0 for [Thread 2000]
[+] [Thread 2000] Restored context: fs=0x0 tls=0x0
[+] [Thread 2000] Scheduled from 0x445cd8.
[+] [Thread 2000] syscall hooked 0x445efe: ql_syscall_open()
[+] [Thread 2000] **open(/proc/self/exe, 0o0) = 3**
[+] [Thread 2000] **File found: /usr/bin/python3.6**
[+] [Thread 2000] 0x0000000000445efe: open(filename = 0x445fbc, flags = 0x0, mode = 0x0) = 0x3
[+] [Thread 2000] syscall hooked 0x445f51: ql_syscall_mmap()
[+] [Thread 2000] mmap - mapping needed for 0x7fffb7dd6000
[+] [Thread 2000] mmap - addr range 0x7fffb7dd6000 - 0x7fffb7e1cfff:
[+] [Thread 2000] 0x0000000000445f51: mmap(addr = 0x0, length = 0x467de, prot = 0x3, flags = 0x22, fd = 0xffffffff, pgoffset = 0x0) = 0x7fffb7dd6000
[+] [Thread 2000] syscall hooked 0x445f6c: ql_syscall_mmap()
[+] [Thread 2000] mmap - MAP_FIXED, mapping not needed
[+] [Thread 2000] mem write : 0x46635
[+] [Thread 2000] mem mmap : /usr/bin/python3.6
[+] [Thread 2000] 0x0000000000445f6c: mmap(addr = 0x7fffb7dd6000, length = 0x46635, prot = 0x3, flags = 0x12, fd = 0x3, pgoffset = 0x0) = 0x7fffb7dd6000
[+] [Thread 2000] Suspended at 0x445cfc
[+] [Thread 2000] Saved context: fs=0x0 tls=0x0
[+] [Thread 2000] Call sched_cb: <function QlLinuxThread._default_sched_cb at 0x7f1f8dbdaa60>
[+] [Thread 2000] Set fsbase to 0x0 for [Thread 2000]
[+] [Thread 2000] Restored context: fs=0x0 tls=0x0
[+] [Thread 2000] Scheduled from 0x445cfc.
[+] [Thread 2000] syscall hooked 0x445fb1: ql_syscall_mprotect()
[+] [Thread 2000] 0x0000000000445fb1: mprotect(start = 0x7fffb7e1b000, mlen = 0x17de, prot = 0x5) = 0x0
[+] [Thread 2000] syscall hooked 0x7fffb7e1c06f: ql_syscall_readlink()
[+] [Thread 2000] readlink(/proc/self/exe, 0x80000000cfc8, 0xfff) = 34
[+] [Thread 2000] 0x00007fffb7e1c06f: readlink(path_name = 0x445fbc, path_buff = 0x80000000cfc8, path_buffsize = 0xfff) = 0x22
[+] [Thread 2000] syscall hooked 0x7fffb7e1c129: ql_syscall_exit()
[+] [Thread 2000] 0x00007fffb7e1c129: exit(code = 0x7f) = ?
[+] [Thread 2000] Suspended at 0x7fffb7e1c12b
[+] [Thread 2000] Saved context: fs=0x0 tls=0x0
[+] [Thread 2000] Call sched_cb: <function ql_syscall_exit.<locals>._sched_cb_exit at 0x7f1f8dbe5b70>
[+] [Thread 2000] [Thread 2000] Terminated
You can see that it still cannot run normally. I think UPX will open /proc/self/exe, but Qiling opens itself (python), so is this a bug?
@elicn By the way, if I add a fake /proc/self/exe (copy the target ELF to rootfs/proc/self/exe) to the rootfs, it can run for a short time, but still can't call ls -alh in the end. Logs: logs.txt
It seems that the rootfs doesn't have some libc, so I added some libc to the rootfs and ran again, but it still has an error. Look at the tail of the logs:
[x] [Thread 46250] CPU Context:
[x] [Thread 46250] ah : 0xde
[x] [Thread 46250] al : 0x20
[x] [Thread 46250] ch : 0x0
[x] [Thread 46250] cl : 0x0
[x] [Thread 46250] dh : 0x0
[x] [Thread 46250] dl : 0x0
[x] [Thread 46250] bh : 0x0
[x] [Thread 46250] bl : 0x0
[x] [Thread 46250] ax : 0xde20
[x] [Thread 46250] cx : 0x0
[x] [Thread 46250] dx : 0x0
[x] [Thread 46250] bx : 0x0
[x] [Thread 46250] sp : 0xde14
[x] [Thread 46250] bp : 0x0
[x] [Thread 46250] si : 0x0
[x] [Thread 46250] di : 0x0
[x] [Thread 46250] ip : 0x5c75
[x] [Thread 46250] eax : 0xde20
[x] [Thread 46250] ecx : 0x0
[x] [Thread 46250] edx : 0x0
[x] [Thread 46250] ebx : 0x0
[x] [Thread 46250] esp : 0xde14
[x] [Thread 46250] ebp : 0x0
[x] [Thread 46250] esi : 0x0
[x] [Thread 46250] edi : 0x0
[x] [Thread 46250] eip : 0xf7dd5c75
[x] [Thread 46250] rax : 0xde20
[x] [Thread 46250] rbx : 0x0
[x] [Thread 46250] rcx : 0x0
[x] [Thread 46250] rdx : 0x0
[x] [Thread 46250] rsi : 0x0
[x] [Thread 46250] rdi : 0x0
[x] [Thread 46250] rbp : 0x0
[x] [Thread 46250] rsp : 0xde14
[x] [Thread 46250] r8 : 0x0
[x] [Thread 46250] r9 : 0x0
[x] [Thread 46250] r10 : 0x0
[x] [Thread 46250] r11 : 0x0
[x] [Thread 46250] r12 : 0x0
[x] [Thread 46250] r13 : 0x0
[x] [Thread 46250] r14 : 0x0
[x] [Thread 46250] r15 : 0x0
[x] [Thread 46250] rip : 0x7ffff7dd5c75
[x] [Thread 46250] cr0 : 0x11
[x] [Thread 46250] cr1 : 0x0
[x] [Thread 46250] cr2 : 0x0
[x] [Thread 46250] cr3 : 0x0
[x] [Thread 46250] cr4 : 0x0
[x] [Thread 46250] cr8 : 0x0
[x] [Thread 46250] st0 : 0x0
[x] [Thread 46250] st1 : 0x0
[x] [Thread 46250] st2 : 0x0
[x] [Thread 46250] st3 : 0x0
[x] [Thread 46250] st4 : 0x0
[x] [Thread 46250] st5 : 0x0
[x] [Thread 46250] st6 : 0x0
[x] [Thread 46250] st7 : 0x0
[x] [Thread 46250] ef : 0x14
[x] [Thread 46250] cs : 0x1b
[x] [Thread 46250] ss : 0x28
[x] [Thread 46250] ds : 0x28
[x] [Thread 46250] es : 0x28
[x] [Thread 46250] fs : 0x0
[x] [Thread 46250] gs : 0x0
[x] [Thread 46250] r8b : 0x0
[x] [Thread 46250] r9b : 0x0
[x] [Thread 46250] r10b : 0x0
[x] [Thread 46250] r11b : 0x0
[x] [Thread 46250] r12b : 0x0
[x] [Thread 46250] r13b : 0x0
[x] [Thread 46250] r14b : 0x0
[x] [Thread 46250] r15b : 0x0
[x] [Thread 46250] r8w : 0x0
[x] [Thread 46250] r9w : 0x0
[x] [Thread 46250] r10w : 0x0
[x] [Thread 46250] r11w : 0x0
[x] [Thread 46250] r12w : 0x0
[x] [Thread 46250] r13w : 0x0
[x] [Thread 46250] r14w : 0x0
[x] [Thread 46250] r15w : 0x0
[x] [Thread 46250] r8d : 0x0
[x] [Thread 46250] r9d : 0x0
[x] [Thread 46250] r10d : 0x0
[x] [Thread 46250] r11d : 0x0
[x] [Thread 46250] r12d : 0x0
[x] [Thread 46250] r13d : 0x0
[x] [Thread 46250] r14d : 0x0
[x] [Thread 46250] r15d : 0x0
[x] [Thread 46250] fsbase : 0x0
[x] [Thread 46250] gsbase : 0x0
[x] [Thread 46250] Hexdump:
[x] [Thread 46250] 50e8850b000083c4
[x] [Thread 46250] Disassembly:
Traceback (most recent call last):
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/os/linux/thread.py", line 248, in _run
self.ql.emu_start(start_address, self.exit_point, count=30000)
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/core.py", line 880, in emu_start
self.uc.emu_start(begin, end, timeout, count)
File "/home/zeref/.local/lib/python3.6/site-packages/unicorn/unicorn.py", line 523, in emu_start
raise UcError(status)
unicorn.unicorn.UcError: Invalid memory write (UC_ERR_WRITE_UNMAPPED)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/os/os.py", line 247, in emu_error
self.ql.arch.utils.disassembler(self.ql, pc, 64)
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/arch/utils.py", line 39, in disassembler
log_data = f'{address:0{ql.archbit // 4}x} [{name:20s} + {offset:#08x}] {tmp.hex(" "):30s}'
TypeError: hex() takes no arguments (1 given)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "src/gevent/greenlet.py", line 906, in gevent._gevent_cgreenlet.Greenlet.run
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/os/linux/thread.py", line 250, in _run
self.ql.os.emu_error()
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/os/os.py", line 252, in emu_error
self.ql.log.error(f'PC = {pc:#0{self.ql.pointersize * 2 + 2}x}{pc_info}\n')
UnboundLocalError: local variable 'pc_info' referenced before assignment
2022-03-20T02:57:53Z <QlLinuxX8664Thread at 0x7fc826385648: _run> failed with UnboundLocalError
[x] [Thread 46250] Syscall ERROR: ql_syscall_execve DEBUG: local variable 'pc_info' referenced before assignment
Traceback (most recent call last):
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/os/linux/thread.py", line 248, in _run
self.ql.emu_start(start_address, self.exit_point, count=30000)
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/core.py", line 880, in emu_start
self.uc.emu_start(begin, end, timeout, count)
File "/home/zeref/.local/lib/python3.6/site-packages/unicorn/unicorn.py", line 523, in emu_start
raise UcError(status)
unicorn.unicorn.UcError: Invalid memory write (UC_ERR_WRITE_UNMAPPED)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/os/os.py", line 247, in emu_error
self.ql.arch.utils.disassembler(self.ql, pc, 64)
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/arch/utils.py", line 39, in disassembler
log_data = f'{address:0{ql.archbit // 4}x} [{name:20s} + {offset:#08x}] {tmp.hex(" "):30s}'
TypeError: hex() takes no arguments (1 given)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/os/posix/posix.py", line 222, in load_syscall
retval = syscall_hook(self.ql, *params)
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/os/posix/syscall/unistd.py", line 440, in ql_syscall_execve
ql.run()
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/core.py", line 730, in run
self.os.run()
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/os/linux/linux.py", line 133, in run
thread_management.run()
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/os/linux/thread.py", line 592, in run
previous_thread = self._prepare_lib_patch()
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/os/linux/thread.py", line 573, in _prepare_lib_patch
gevent.joinall([self.main_thread], raise_error=True)
File "src/gevent/greenlet.py", line 1057, in gevent._gevent_cgreenlet.joinall
File "src/gevent/greenlet.py", line 1073, in gevent._gevent_cgreenlet.joinall
File "src/gevent/greenlet.py", line 371, in gevent._gevent_cgreenlet.Greenlet._raise_exception
File "/home/zeref/.local/lib/python3.6/site-packages/gevent/_compat.py", line 65, in reraise
raise value.with_traceback(tb)
File "src/gevent/greenlet.py", line 906, in gevent._gevent_cgreenlet.Greenlet.run
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/os/linux/thread.py", line 250, in _run
self.ql.os.emu_error()
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/os/os.py", line 252, in emu_error
self.ql.log.error(f'PC = {pc:#0{self.ql.pointersize * 2 + 2}x}{pc_info}\n')
UnboundLocalError: local variable 'pc_info' referenced before assignment
[+] [Thread 46250] [Thread Manager] Stop the world.
Traceback (most recent call last):
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/os/linux/thread.py", line 248, in _run
self.ql.emu_start(start_address, self.exit_point, count=30000)
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/core.py", line 880, in emu_start
self.uc.emu_start(begin, end, timeout, count)
File "/home/zeref/.local/lib/python3.6/site-packages/unicorn/unicorn.py", line 523, in emu_start
raise UcError(status)
unicorn.unicorn.UcError: Invalid memory write (UC_ERR_WRITE_UNMAPPED)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/os/os.py", line 247, in emu_error
self.ql.arch.utils.disassembler(self.ql, pc, 64)
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/arch/utils.py", line 39, in disassembler
log_data = f'{address:0{ql.archbit // 4}x} [{name:20s} + {offset:#08x}] {tmp.hex(" "):30s}'
TypeError: hex() takes no arguments (1 given)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "src/gevent/greenlet.py", line 906, in gevent._gevent_cgreenlet.Greenlet.run
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/os/linux/thread.py", line 248, in _run
self.ql.emu_start(start_address, self.exit_point, count=30000)
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/core.py", line 883, in emu_start
raise self._internal_exception
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/utils.py", line 159, in wrapper
return func(*args, **kw)
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/core_hooks.py", line 71, in _hook_insn_cb
ret = hook.call(ql, *args[:-1])
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/core_hooks_types.py", line 25, in call
return self.callback(ql, *args)
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/os/linux/linux.py", line 104, in hook_syscall
return self.load_syscall()
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/os/posix/posix.py", line 240, in load_syscall
raise e
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/os/posix/posix.py", line 222, in load_syscall
retval = syscall_hook(self.ql, *params)
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/os/posix/syscall/unistd.py", line 440, in ql_syscall_execve
ql.run()
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/core.py", line 730, in run
self.os.run()
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/os/linux/linux.py", line 133, in run
thread_management.run()
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/os/linux/thread.py", line 592, in run
previous_thread = self._prepare_lib_patch()
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/os/linux/thread.py", line 573, in _prepare_lib_patch
gevent.joinall([self.main_thread], raise_error=True)
File "src/gevent/greenlet.py", line 1057, in gevent._gevent_cgreenlet.joinall
File "src/gevent/greenlet.py", line 1073, in gevent._gevent_cgreenlet.joinall
File "src/gevent/greenlet.py", line 371, in gevent._gevent_cgreenlet.Greenlet._raise_exception
File "/home/zeref/.local/lib/python3.6/site-packages/gevent/_compat.py", line 65, in reraise
raise value.with_traceback(tb)
File "src/gevent/greenlet.py", line 906, in gevent._gevent_cgreenlet.Greenlet.run
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/os/linux/thread.py", line 250, in _run
self.ql.os.emu_error()
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/os/os.py", line 252, in emu_error
self.ql.log.error(f'PC = {pc:#0{self.ql.pointersize * 2 + 2}x}{pc_info}\n')
UnboundLocalError: local variable 'pc_info' referenced before assignment
2022-03-20T02:57:53Z <QlLinuxX8664Thread at 0x7fc826385748: _run> failed with UnboundLocalError
Traceback (most recent call last):
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/os/linux/thread.py", line 248, in _run
self.ql.emu_start(start_address, self.exit_point, count=30000)
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/core.py", line 880, in emu_start
self.uc.emu_start(begin, end, timeout, count)
File "/home/zeref/.local/lib/python3.6/site-packages/unicorn/unicorn.py", line 523, in emu_start
raise UcError(status)
unicorn.unicorn.UcError: Invalid memory write (UC_ERR_WRITE_UNMAPPED)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/os/os.py", line 247, in emu_error
self.ql.arch.utils.disassembler(self.ql, pc, 64)
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/arch/utils.py", line 39, in disassembler
log_data = f'{address:0{ql.archbit // 4}x} [{name:20s} + {offset:#08x}] {tmp.hex(" "):30s}'
TypeError: hex() takes no arguments (1 given)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "test.py", line 16, in <module>
ql.run()
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/core.py", line 730, in run
self.os.run()
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/os/linux/linux.py", line 133, in run
thread_management.run()
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/os/linux/thread.py", line 603, in run
gevent.joinall([self.main_thread], raise_error=True)
File "src/gevent/greenlet.py", line 1057, in gevent._gevent_cgreenlet.joinall
File "src/gevent/greenlet.py", line 1073, in gevent._gevent_cgreenlet.joinall
File "src/gevent/greenlet.py", line 371, in gevent._gevent_cgreenlet.Greenlet._raise_exception
File "/home/zeref/.local/lib/python3.6/site-packages/gevent/_compat.py", line 65, in reraise
raise value.with_traceback(tb)
File "src/gevent/greenlet.py", line 906, in gevent._gevent_cgreenlet.Greenlet.run
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/os/linux/thread.py", line 248, in _run
self.ql.emu_start(start_address, self.exit_point, count=30000)
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/core.py", line 883, in emu_start
raise self._internal_exception
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/utils.py", line 159, in wrapper
return func(*args, **kw)
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/core_hooks.py", line 71, in _hook_insn_cb
ret = hook.call(ql, *args[:-1])
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/core_hooks_types.py", line 25, in call
return self.callback(ql, *args)
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/os/linux/linux.py", line 104, in hook_syscall
return self.load_syscall()
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/os/posix/posix.py", line 240, in load_syscall
raise e
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/os/posix/posix.py", line 222, in load_syscall
retval = syscall_hook(self.ql, *params)
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/os/posix/syscall/unistd.py", line 440, in ql_syscall_execve
ql.run()
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/core.py", line 730, in run
self.os.run()
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/os/linux/linux.py", line 133, in run
thread_management.run()
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/os/linux/thread.py", line 592, in run
previous_thread = self._prepare_lib_patch()
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/os/linux/thread.py", line 573, in _prepare_lib_patch
gevent.joinall([self.main_thread], raise_error=True)
File "src/gevent/greenlet.py", line 1057, in gevent._gevent_cgreenlet.joinall
File "src/gevent/greenlet.py", line 1073, in gevent._gevent_cgreenlet.joinall
File "src/gevent/greenlet.py", line 371, in gevent._gevent_cgreenlet.Greenlet._raise_exception
File "/home/zeref/.local/lib/python3.6/site-packages/gevent/_compat.py", line 65, in reraise
raise value.with_traceback(tb)
File "src/gevent/greenlet.py", line 906, in gevent._gevent_cgreenlet.Greenlet.run
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/os/linux/thread.py", line 250, in _run
self.ql.os.emu_error()
File "/home/zeref/.local/lib/python3.6/site-packages/qiling/os/os.py", line 252, in emu_error
self.ql.log.error(f'PC = {pc:#0{self.ql.pointersize * 2 + 2}x}{pc_info}\n')
UnboundLocalError: local variable 'pc_info' referenced before assignment
[+] [Thread 2000] 0x0000000000448952: wait4(pid = 0xb4a9, wstatus = 0x80000000db98, options = 0x0, rusage = 0x0) = 0xb4a9
[+] [Thread 2000] syscall hooked 0x45ac7b: ql_syscall_rt_sigaction()
[+] [Thread 2000] 0x000000000045ac7b: rt_sigaction(signum = 0x2, act = 0x80000000da30, oldact = 0x0) = 0x0
[+] [Thread 2000] syscall hooked 0x45ac7b: ql_syscall_rt_sigaction()
[+] [Thread 2000] 0x000000000045ac7b: rt_sigaction(signum = 0x3, act = 0x80000000da30, oldact = 0x0) = 0x0
[+] [Thread 2000] syscall hooked 0x45addb: ql_syscall_rt_sigprocmask()
[+] [Thread 2000] 0x000000000045addb: rt_sigprocmask(how = 0x2, nset = 0x80000000dbe0, oset = 0x0, sigsetsize = 0x8) = 0x0
[+] [Thread 2000] syscall hooked 0x448a8f: ql_syscall_nanosleep()
[+] [Thread 2000] 0x0000000000448a8f: nanosleep(req = 0x80000000dce0, rem = 0x80000000dce0) = 0x0
[+] [Thread 2000] Suspended at 0x448a91
[+] [Thread 2000] Saved context: fs=0x6c0880 tls=0x6c0880
[+] [Thread 2000] Call sched_cb: <function __sleep_common.<locals>._sched_sleep at 0x7fc8255f3c80>
[+] [Thread 2000] Set fsbase to 0x6c0880 for [Thread 2000]
[+] [Thread 2000] Restored context: fs=0x6c0880 tls=0x6c0880
[+] [Thread 2000] Scheduled from 0x448a91.
[+] [Thread 2000] syscall hooked 0x448b74: ql_syscall_exit_group()
[+] [Thread 2000] 0x0000000000448b74: exit_group(code = 0x0) = ?
[+] [Thread 2000] Suspended at 0x448b76
[+] [Thread 2000] Saved context: fs=0x6c0880 tls=0x6c0880
[+] [Thread 2000] Call sched_cb: <function ql_syscall_exit_group.<locals>._sched_cb_exit at 0x7fc8255f3c80>
[+] [Thread 2000] [Thread 2000] Terminated
It seems to have some bug.
The whole log file: logs.txt
Thanks for the details.
The emulated filesystem does not include the /proc/self directory automatically; for now you'll have to generate it yourself, like you did. The final run fails mostly because you are using Python 3.6 instead of 3.8: if you are using the dev branch, then you have to use 3.8.
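The two workarounds discussed above (a copy of the target at rootfs/proc/self/exe, or a filesystem mapping) in one script. This is an added example, not code from the Qiling project or from anyone in this thread; the function names, the constructed fake-ELF bytes used by demo(), and the list of guest paths it checks are assumptions made for illustration. add_fs_mapper is Qiling's own API for mapping a guest path to a host file; mapping just /proc/self/exe, rather than the whole of /proc, keeps the stub from reopening the Python interpreter, which is what the rootfs="/" log shows.

```python
#!/usr/bin/env python3
# Added example for this thread; not code from the Qiling project or the
# thread's authors. Function names, the fake ELF bytes and the list of
# guest paths checked are assumptions made for illustration.
import os
import shutil
import tempfile

UPX_MAGIC = b"UPX!"              # marker UPX leaves in its header/trailer
SELF_EXE = b"/proc/self/exe"     # path the UPX stub opens to re-read itself


def upx_markers(data: bytes) -> dict:
    """Cheap triage of a binary: does it carry the UPX marker, and does the
    stub reference /proc/self/exe? If both hold, the emulated filesystem
    must resolve that path, or the stub exits early (exit code 0x7f above)."""
    return {
        "upx_magic": UPX_MAGIC in data,
        "reads_self_exe": SELF_EXE in data,
    }


def prepare_proc_self(rootfs: str, target: str) -> str:
    """Workaround used in the thread: make <rootfs>/proc/self/exe a copy of
    the target ELF. Qiling resolves guest paths under rootfs, so the stub's
    open("/proc/self/exe") then finds the packed binary instead of ENOENT."""
    proc_self = os.path.join(rootfs, "proc", "self")
    os.makedirs(proc_self, exist_ok=True)
    dest = os.path.join(proc_self, "exe")
    shutil.copyfile(target, dest)
    os.chmod(dest, 0o755)
    return dest


def missing_guest_files(rootfs: str, guest_paths) -> list:
    """Report guest paths absent from the rootfs. system("/bin/ls ...") needs
    /bin/sh, /bin/ls and their libc inside the rootfs, not on the host."""
    return [p for p in guest_paths
            if not os.path.exists(os.path.join(rootfs, p.lstrip("/")))]


def run_packed(target: str, rootfs: str) -> None:
    """Emulate the packed ELF. Instead of copying it into rootfs/proc/self,
    map only the single guest path /proc/self/exe to the target on the host.
    Mapping all of /proc would resolve /proc/self/exe to the Python
    interpreter running Qiling, the same symptom as rootfs="/"."""
    from qiling import Qiling
    from qiling.const import QL_VERBOSE

    ql = Qiling([target], rootfs, verbose=QL_VERBOSE.DEBUG, multithread=True)
    ql.add_fs_mapper("/proc/self/exe", os.path.abspath(target))
    ql.run()


def demo() -> dict:
    """Offline self-check with a constructed stand-in for a packed ELF
    (a few bytes carrying the two markers, not real UPX output)."""
    fake_elf = b"\x7fELF" + b"\x00" * 12 + SELF_EXE + b"\x00" + UPX_MAGIC
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "upx_test")
        with open(target, "wb") as f:
            f.write(fake_elf)
        rootfs = os.path.join(tmp, "rootfs")
        os.makedirs(os.path.join(rootfs, "bin"))
        dest = prepare_proc_self(rootfs, target)
        with open(dest, "rb") as f:
            copied = f.read()
        return {
            "markers": upx_markers(fake_elf),
            "copy_matches": copied == fake_elf,
            "guest_path": os.path.relpath(dest, rootfs),
            "missing": missing_guest_files(rootfs, ["/bin/sh", "/bin/ls"]),
        }


if __name__ == "__main__":
    print(demo())
    # To emulate a real packed binary against a populated rootfs:
    # run_packed("./upx_test", "../examples/rootfs/x8664_linux")
```

Run missing_guest_files against your rootfs before emulating: the thread's last log dies inside the child that execve()s the shell for system(), which is exactly the case where /bin/sh or its libc is missing from the rootfs.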
@elicn I use the Qiling Docker image; its Python is 3.8.12, but it still has the same error.
Hi guys,
I also met this issue and I'm trying to find the solution, but I have not found it yet!
My context is:
- Python 3.6
- Stable Qiling
My Python script:
from qiling import Qiling
from qiling.const import QL_VERBOSE
from qiling.extensions import trace
import os

cwd = os.getcwd()
# print(cwd)
os.chdir(cwd)

if __name__ == '__main__':
    argv = r"/home/h4niz/Downloads/firmware-analysis-toolkit/Zyxel/_V530ABSB5C0.bin.extracted/squashfs-root/bin/zhttpd -h".split(" ")
    rootfs = r"/home/h4niz/Downloads/firmware-analysis-toolkit/Zyxel/_V530ABSB5C0.bin.extracted/squashfs-root"
    libs = {"LD_LIBRARY_PATH": "/lib:/lib/private:/usr/lib"}
    ql = Qiling(argv, rootfs, verbose=QL_VERBOSE.DEBUG, archtype='MIPS', profile='zyxel.ql', multithread=True, env=libs)
    # trace.enable_full_trace(ql)
    ql.add_fs_mapper('/proc', '/proc')
    ql.run()
I attach the output log in this file: emu_debug_log.txt
Are there any ideas?
@H4niz, part of the code uses features that were introduced in Python 3.8. As mentioned above, Python 3.6 is not supported and the code may break if you do use it.
Please re-try with Python 3.8 (or higher) and let us know what you encounter then.
Hi @elicn, I get this exception when running Qiling with Python 3.8:
Traceback (most recent call last):
File "src/gevent/greenlet.py", line 906, in gevent._gevent_cgreenlet.Greenlet.run
File "/home/h4niz/.local/lib/python3.8/site-packages/qiling/os/linux/thread.py", line 248, in _run
self.ql.emu_start(start_address, self.exit_point, count=30000)
File "/home/h4niz/.local/lib/python3.8/site-packages/qiling/core.py", line 883, in emu_start
raise self._internal_exception
File "/home/h4niz/.local/lib/python3.8/site-packages/qiling/utils.py", line 159, in wrapper
return func(*args, **kw)
File "/home/h4niz/.local/lib/python3.8/site-packages/qiling/core_hooks.py", line 59, in _hook_intr_cb
raise QlErrorCoreHook("_hook_intr_cb : not handled")
qiling.exception.QlErrorCoreHook: _hook_intr_cb : not handled
2022-04-27T03:07:17Z <QlLinuxMIPS32Thread at 0x7fdb2aef76a0: _run> failed with QlErrorCoreHook
Traceback (most recent call last):
File "emu.py", line 19, in <module>
ql.run()
File "/home/h4niz/.local/lib/python3.8/site-packages/qiling/core.py", line 730, in run
self.os.run()
File "/home/h4niz/.local/lib/python3.8/site-packages/qiling/os/linux/linux.py", line 133, in run
thread_management.run()
File "/home/h4niz/.local/lib/python3.8/site-packages/qiling/os/linux/thread.py", line 592, in run
previous_thread = self._prepare_lib_patch()
File "/home/h4niz/.local/lib/python3.8/site-packages/qiling/os/linux/thread.py", line 573, in _prepare_lib_patch
gevent.joinall([self.main_thread], raise_error=True)
File "src/gevent/greenlet.py", line 1057, in gevent._gevent_cgreenlet.joinall
File "src/gevent/greenlet.py", line 1073, in gevent._gevent_cgreenlet.joinall
File "src/gevent/greenlet.py", line 371, in gevent._gevent_cgreenlet.Greenlet._raise_exception
File "/home/h4niz/.local/lib/python3.8/site-packages/gevent/_compat.py", line 65, in reraise
raise value.with_traceback(tb)
File "src/gevent/greenlet.py", line 906, in gevent._gevent_cgreenlet.Greenlet.run
File "/home/h4niz/.local/lib/python3.8/site-packages/qiling/os/linux/thread.py", line 248, in _run
self.ql.emu_start(start_address, self.exit_point, count=30000)
File "/home/h4niz/.local/lib/python3.8/site-packages/qiling/core.py", line 883, in emu_start
raise self._internal_exception
File "/home/h4niz/.local/lib/python3.8/site-packages/qiling/utils.py", line 159, in wrapper
return func(*args, **kw)
File "/home/h4niz/.local/lib/python3.8/site-packages/qiling/core_hooks.py", line 59, in _hook_intr_cb
raise QlErrorCoreHook("_hook_intr_cb : not handled")
qiling.exception.QlErrorCoreHook: _hook_intr_cb : not handled
Is there a guide to fix this issue?
Closing for now.
We have updated the codebase of Qiling and Unicorn since this issue was posted.
Feel free to try the latest version.
Hey @H4niz, it's been a while, but a few fixes were introduced to the codebase recently that should make this possible now. If this is still relevant, you should give it a shot.