qiling
While emulating httpd, loading shared libraries fails with "Operation not permitted"
Describe the bug: While emulating httpd, loading shared libraries fails with the error "libpcre.so.0 Operation not permitted"
─# ls usr/lib/libpcre.so* -all
lrwxrwxrwx 1 root root 16 Oct 30 02:27 usr/lib/libpcre.so.0 -> libpcre.so.0.0.1
-rwxr-xr-x 1 root root 109240 Oct 30 02:27 usr/lib/libpcre.so.0.0.1
Sample Code
from qiling import *
from qiling.const import QL_VERBOSE

def custom_geteuid32(ql, *args, **kwargs):
    return 0  # return a custom effective user ID

def my_sandbox(path, rootfs):
    # setup Qiling engine
    ql = Qiling(path, rootfs, verbose=QL_VERBOSE.OFF, console=True, multithread=False)  # QL_VERBOSE.OFF QL_VERBOSE.DEBUG
    ql.os.set_syscall("geteuid32", custom_geteuid32)
    ql.run()

if __name__ == "__main__":
    my_sandbox(["./rootfs/usr/sbin/lighttpd"], "./rootfs/")
Expected behavior: lighttpd runs
Screenshots
# python qiling_v_http.py
./rootfs/usr/sbin/lighttpd: error while loading shared libraries: libpcre.so.0: cannot open shared object file: Operation not permitted
[x] CPU Context:
[x] r0 : 0xeee4
[x] r1 : 0x7ff3c840
[x] r2 : 0x7ff3c424
[x] r3 : 0x3d4a0
[x] r4 : 0x47d4750
[x] r5 : 0x47d4bbc
[x] r6 : 0x7ff3cfe4
[x] r7 : 0xf8
[x] r8 : 0x7ff3c858
[x] r9 : 0x1
[x] r10 : 0x47de000
[x] r11 : 0x0
[x] r12 : 0x4c180
[x] sp : 0x7ff3c414
[x] lr : 0x4c124
[x] pc : 0x0
[x] cpsr : 0x600001d3
[x] c1_c0_2 : 0x0
[x] c13_c0_3 : 0x0
[x] fpexc : 0x40000000
[x] d0 : 0x0
[x] d1 : 0x0
[x] d2 : 0x0
[x] d3 : 0x0
[x] d4 : 0x0
[x] d5 : 0x0
[x] d6 : 0x0
[x] d7 : 0x0
[x] d8 : 0x0
[x] d9 : 0x0
[x] d10 : 0x0
[x] d11 : 0x0
[x] d12 : 0x0
[x] d13 : 0x0
[x] d14 : 0x0
[x] d15 : 0x0
[x] d16 : 0x0
[x] d17 : 0x0
[x] d18 : 0x0
[x] d19 : 0x0
[x] d20 : 0x0
[x] d21 : 0x0
[x] d22 : 0x0
[x] d23 : 0x0
[x] d24 : 0x0
[x] d25 : 0x0
[x] d26 : 0x0
[x] d27 : 0x0
[x] d28 : 0x0
[x] d29 : 0x0
[x] d30 : 0x0
[x] d31 : 0x0
[x] fpscr : 0x0
[x] q0 : 0x0
[x] q1 : 0x0
[x] q2 : 0x0
[x] q3 : 0x0
[x] q4 : 0x0
[x] q5 : 0x0
[x] q6 : 0x0
[x] q7 : 0x0
[x] q8 : 0x0
[x] q9 : 0x0
[x] q10 : 0x0
[x] q11 : 0x0
[x] q12 : 0x0
[x] q13 : 0x0
[x] q14 : 0x0
[x] q15 : 0x0
[x] s0 : 0x0
[x] s1 : 0x0
[x] s2 : 0x0
[x] s3 : 0x0
[x] s4 : 0x0
[x] s5 : 0x0
[x] s6 : 0x0
[x] s7 : 0x0
[x] s8 : 0x0
[x] s9 : 0x0
[x] s10 : 0x0
[x] s11 : 0x0
[x] s12 : 0x0
[x] s13 : 0x0
[x] s14 : 0x0
[x] s15 : 0x0
[x] s16 : 0x0
[x] s17 : 0x0
[x] s18 : 0x0
[x] s19 : 0x0
[x] s20 : 0x0
[x] s21 : 0x0
[x] s22 : 0x0
[x] s23 : 0x0
[x] s24 : 0x0
[x] s25 : 0x0
[x] s26 : 0x0
[x] s27 : 0x0
[x] s28 : 0x0
[x] s29 : 0x0
[x] s30 : 0x0
[x] s31 : 0x0
[x] PC = 0x00000000 (unreachable)
[x] Memory map:
[x] Start End Perm Label Image
[x] 0000008000 - 0000044000 r-x lighttpd /root/test/docker/draytek/Vigor2960_v1.5.1.4/rootfs/usr/sbin/lighttpd
[x] 000004c000 - 0000052000 rw- lighttpd /root/test/docker/draytek/Vigor2960_v1.5.1.4/rootfs/usr/sbin/lighttpd
[x] 0000052000 - 0000054000 rwx [hook_mem]
[x] 00047ba000 - 00047d6000 r-x ld-linux.so.3 /root/test/docker/draytek/Vigor2960_v1.5.1.4/rootfs/lib/ld-2.7.so
[x] 00047dd000 - 00047df000 rw- ld-linux.so.3 /root/test/docker/draytek/Vigor2960_v1.5.1.4/rootfs/lib/ld-2.7.so
[x] 007ff0d000 - 007ff3d000 rwx [stack]
[x] 0090000000 - 0090001000 rw- [mmap anonymous]
[x] 00ffff0000 - 00ffff1000 rwx [arm_traps]
Traceback (most recent call last):
File "qiling_v_http.py", line 15, in <module>
my_sandbox(["./rootfs/usr/sbin/lighttpd"], "./rootfs/")
File "qiling_v_http.py", line 12, in my_sandbox
ql.run()
File "/root/.local/lib/python3.8/site-packages/qiling/core.py", line 597, in run
self.os.run()
File "/root/.local/lib/python3.8/site-packages/qiling/os/linux/linux.py", line 184, in run
self.ql.emu_start(self.ql.loader.elf_entry, self.exit_point, self.ql.timeout, self.ql.count)
File "/root/.local/lib/python3.8/site-packages/qiling/core.py", line 771, in emu_start
self.uc.emu_start(begin, end, timeout, count)
File "/usr/local/lib/python3.8/site-packages/unicorn/unicorn.py", line 547, in emu_start
raise UcError(status)
unicorn.unicorn.UcError: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED)
Thanks!
Hi there, Can you please edit your question and write it in English? From what I've noticed there are two things you should be aware of:
- The entire context of the program is zeroed (too many registers show 0, that might indicate something)
- A syscall hook cannot use *args and **kwargs. Please specify the correct amount of int arguments
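The signature rule from the reply above, as an added example that is not part of the issue thread or of Qiling's own code: a pre-flight check that rejects a hook declaring *args or **kwargs before it is handed to ql.os.set_syscall. The names check_syscall_hook, set_syscall_checked, fixed_geteuid32 and the SYSCALL_NARGS table are hypothetical; the argument counts are those of the Linux syscalls (geteuid32 takes none).

```python
from inspect import Parameter, signature

# Constructed table: integer arguments each Linux syscall takes.
SYSCALL_NARGS = {"geteuid32": 0, "write": 3}
NAMED = (Parameter.POSITIONAL_ONLY, Parameter.POSITIONAL_OR_KEYWORD)


def check_syscall_hook(name, hook):
    """Hypothetical helper: list signature problems for a hook of syscall `name`."""
    params = list(signature(hook).parameters.values())
    problems = []
    if not params or params[0].kind not in NAMED:
        problems.append("first parameter must be a named parameter for the Qiling instance")
    for p in params[1:]:
        if p.kind is Parameter.VAR_POSITIONAL:
            problems.append(f"*{p.name} is not allowed")
        elif p.kind is Parameter.VAR_KEYWORD:
            problems.append(f"**{p.name} is not allowed")
        elif p.kind is Parameter.KEYWORD_ONLY:
            problems.append(f"keyword-only parameter {p.name} is not allowed")
    named = [p for p in params[1:] if p.kind in NAMED]
    expected = SYSCALL_NARGS[name]
    if len(named) != expected:
        problems.append(f"{name} takes {expected} argument(s) after ql, hook declares {len(named)}")
    return problems


def set_syscall_checked(ql, name, hook):
    """Hypothetical wrapper: validate the signature, then call ql.os.set_syscall."""
    problems = check_syscall_hook(name, hook)
    if problems:
        raise TypeError(f"bad hook for {name}: " + "; ".join(problems))
    ql.os.set_syscall(name, hook)


# Hook as posted in the issue: flagged because of *args and **kwargs.
def custom_geteuid32(ql, *args, **kwargs):
    return 0


# Same hook with an explicit signature: geteuid32 takes no arguments.
def fixed_geteuid32(ql):
    return 0


if __name__ == "__main__":
    print(check_syscall_hook("geteuid32", custom_geteuid32))
    print(check_syscall_hook("geteuid32", fixed_geteuid32))
```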