
MacOS program emulation failed

Open fuzzdis opened this issue 4 years ago • 2 comments

Describe the bug

(py37) location>python ql.py
[+] PageZero Size: 100000000
[+] ProcEntry: 0x1000
[+] Dyld entry point: 0x500001000
[+] Binary Entry Point: 0x100000CD0
thread_selfid() = 123
mprotect(0x500092000, 0x5000, 0x1) = 0
getentropy(0x5000ca650, 0x80)
getentropy(0x5000ca650, 0x80)
csrctl(0x0, 0x7ffd099ff4ac, 0x4)
[!] 0x500056490: syscall ql_syscall_fsgetpath number = 0x20001ab(33554859) not implemented
[!] 0x500056490: syscall ql_syscall_fsgetpath number = 0x20001ab(33554859) not implemented
csrctl(0x0, 0x7ffd099ff4cc, 0x4)
[!] 0x500056130: syscall ql_syscall_mac_syscall number = 0x200017d(33554813) not implemented
csrctl(0x0, 0x7ffd099ff4cc, 0x4)
shared_region_check_np(0x7ffd099ff338, 0x500097e48, 0x7ffd099ff387) =  0x16
open(\private\var\db\dyld\dyld_shared_cache_x86_64, 0x8000, 0o0) = -2
stat64(/private/var/db/dyld/dyld_shared_cache_x86_64, 0x7ffd099fb2f8) = -1
close(4294967294) = -1
csrctl(0x0, 0x7ffd099ff48c, 0x4)
csrctl(0x0, 0x7ffd099ff48c, 0x4)
[!] Syscall ERROR: ql_syscall_stat64_macos DEBUG: 'os.stat_result' object has no attribute 'st_blocks'
Traceback (most recent call last):
  File "ql.py", line 13, in <module>
    my_sandbox(["macho"], ".")
  File "ql.py", line 9, in my_sandbox
    ql.run()
  File "D:\Anaconda3\envs\py37\lib\site-packages\qiling\core.py", line 193, in run
    self.os.run()
  File "D:\Anaconda3\envs\py37\lib\site-packages\qiling\os\macos\macos.py", line 62, in run
    self.ql.emu_start(self.ql.loader.entry_point, self.exit_point, self.ql.timeout, self.ql.count)
  File "D:\Anaconda3\envs\py37\lib\site-packages\qiling\core.py", line 255, in emu_start
    raise self.internal_exception
  File "D:\Anaconda3\envs\py37\lib\site-packages\qiling\utils.py", line 19, in wrapper
    return func(*args, **kw)
  File "D:\Anaconda3\envs\py37\lib\site-packages\qiling\core_hooks.py", line 135, in _hook_insn_cb
    ret = h.call(ql, *args[ : -1])
  File "D:\Anaconda3\envs\py37\lib\site-packages\qiling\core_hooks.py", line 36, in call
    return self.callback(ql, *args)
  File "D:\Anaconda3\envs\py37\lib\site-packages\qiling\os\macos\macos.py", line 44, in hook_syscall
    return self.load_syscall()
  File "D:\Anaconda3\envs\py37\lib\site-packages\qiling\os\posix\posix.py", line 178, in load_syscall
    raise e
  File "D:\Anaconda3\envs\py37\lib\site-packages\qiling\os\posix\posix.py", line 169, in load_syscall
    self.syscall_map(self.ql, self.get_func_arg()[0], self.get_func_arg()[1], self.get_func_arg()[2], self.get_func_arg()[3], self.get_func_arg()[4],
self.get_func_arg()[5])
  File "D:\Anaconda3\envs\py37\lib\site-packages\qiling\os\macos\syscall.py", line 419, in ql_syscall_stat64_macos
    stat64_buf += ql.pack64(stat64_info.st_blocks)          # st_blocks         64 byte
AttributeError: 'os.stat_result' object has no attribute 'st_blocks'

with ql.debugger = True:

(py37) location>python ql.py
[+] PageZero Size: 100000000
[+] ProcEntry: 0x1000
[+] Dyld entry point: 0x500001000
[+] Binary Entry Point: 0x100000CD0
gdb> Listening on 127.0.0.1:9999
Traceback (most recent call last):
  File "ql.py", line 13, in <module>
    my_sandbox(["macho"], ".")
  File "ql.py", line 9, in my_sandbox
    ql.run()
  File "D:\Anaconda3\envs\py37\lib\site-packages\qiling\core.py", line 187, in run
    self.debugger = self.debugger_setup()
  File "D:\Anaconda3\envs\py37\lib\site-packages\qiling\core_utils.py", line 142, in debugger_setup
    return debugsession(self, *debug_opts)
  File "D:\Anaconda3\envs\py37\lib\site-packages\qiling\debugger\gdb\gdb.py", line 69, in __init__
    self.gdb.initialize(self.ql, exit_point=exit_point, mappings=[(hex(load_address))])
  File "D:\Anaconda3\envs\py37\lib\site-packages\qiling\debugger\gdb\utils.py", line 27, in initialize
    self.current_address = self.entry_point = self.ql.os.entry_point
AttributeError: 'QlOsMacos' object has no attribute 'entry_point'

Sample Code

from qiling import Qiling

def my_sandbox(path, rootfs):
    # path: argv list for the Mach-O binary; rootfs: directory used as the emulated filesystem root
    ql = Qiling(path, rootfs)
    #ql.debugger = True   # enabling this produced the second traceback above
    ql.run()

if __name__ == "__main__":
    my_sandbox(["macho"], ".")

Expected behavior A clear and concise description of what you expected to happen.

Screenshots If applicable, add screenshots to help explain your problem.

Additional context git version 7f27ec3 / Version 1.1.3

fuzzdis avatar Oct 22 '20 04:10 fuzzdis

btw I put dyld_shared_cache_x86_64 under the working dir ./private/var/db/dyld/, still no luck; the path is hard-coded in /usr/lib/dyld, and when it is not found it will throw as above

fuzzdis avatar Oct 22 '20 04:10 fuzzdis

Hi,

I think there are 3 issues over here.

  1. Base OS is Windows and we might have some fstat issues
  2. There are missing syscalls

The last one is, macOS emulation is currently far from complete compared to Windows and Linux emulation. We need community help to make it complete.

xwings avatar Oct 25 '20 13:10 xwings
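The "Base OS is Windows" fstat point above matches the first traceback in the report: the stat64 handler reads st_blocks from a host os.stat_result, and Windows' os.stat() does not provide that field. The following is an added example, not qiling's own code, of a host-portable packer with a per-field fallback; the field layout is a simplified assumption for illustration, not Darwin's real struct stat64.

```python
import os
import struct
from types import SimpleNamespace

# Assumed, simplified little-endian stat64 layout: (field, struct code, fallback).
# The fallback is used only when the host's os.stat_result lacks the field,
# so the handler never raises AttributeError on a Windows host.
STAT64_LAYOUT = (
    ("st_dev",     "<i", lambda st: 0),
    ("st_mode",    "<H", lambda st: 0),
    ("st_nlink",   "<H", lambda st: 1),
    ("st_ino",     "<Q", lambda st: 0),
    ("st_uid",     "<I", lambda st: 0),
    ("st_gid",     "<I", lambda st: 0),
    ("st_rdev",    "<i", lambda st: 0),
    ("st_size",    "<q", lambda st: 0),
    # Windows has no st_blocks / st_blksize: derive plausible values from st_size.
    ("st_blocks",  "<q", lambda st: (getattr(st, "st_size", 0) + 511) // 512),
    ("st_blksize", "<i", lambda st: 4096),
)

def stat_field(st, name, fallback):
    """Return st.<name>, or the derived fallback when the host lacks the field."""
    value = getattr(st, name, None)
    return fallback(st) if value is None else value

def pack_stat64(st):
    """Pack a host stat result into the assumed guest layout."""
    return b"".join(struct.pack(fmt, stat_field(st, name, fb)) for name, fmt, fb in STAT64_LAYOUT)

def unpack_stat64(buf):
    """Inverse of pack_stat64, to inspect what the guest would see."""
    out, off = {}, 0
    for name, fmt, _ in STAT64_LAYOUT:
        size = struct.calcsize(fmt)
        out[name] = struct.unpack(fmt, buf[off:off + size])[0]
        off += size
    return out

def pack_host_path(path):
    """Stat a real path on whatever host this runs on and pack it."""
    return pack_stat64(os.stat(path))

# Constructed sample: what os.stat() yields on a Windows host (no st_blocks/st_blksize).
WINDOWS_LIKE = SimpleNamespace(st_dev=3, st_mode=0o100644, st_nlink=1, st_ino=7,
                               st_uid=0, st_gid=0, st_size=1025)
# Constructed sample: a Linux/macOS host result that carries the extra fields.
POSIX_LIKE = SimpleNamespace(st_dev=3, st_mode=0o100644, st_nlink=1, st_ino=7, st_uid=0,
                             st_gid=0, st_rdev=0, st_size=1025, st_blocks=8, st_blksize=4096)

if __name__ == "__main__":
    print(unpack_stat64(pack_stat64(WINDOWS_LIKE)))
```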

No response since 22 Oct 2020, closing for now.

xwings avatar Oct 06 '22 02:10 xwings