
Live process snapshots

Open kr1tzy opened this issue 3 years ago • 8 comments

I'm attempting to load a Qiling snapshot from a live process on a simple 'hello' binary and keep getting the qiling.exception.QlErrorCoreHook: _hook_intr_cb : catched == False error. The save/restore works when dumping only the memory and registers through Qiling itself, but restoring from a modified unicorn dumper script poses problems (similar to #593). I modified the restore function in Qiling to accept a live process context in the same fashion the default snapshot is saved/restored. Screenshots of the live process restore function, the emulation script, output, and binary information are attached. Please excuse the code quality; this is POC code.

[screenshot: qiling/os/memory.py restore functionality]

[screenshot: 'hello' binary emulation script]

[screenshot: emulation output for 'hello']

[screenshot: 'hello' binary / compilation info]

Additional context: Running on an ARM aarch64 Raspberry Pi. Tested on dev and master.

kr1tzy avatar May 26 '21 11:05 kr1tzy

Hi, thanks for your interest. Could you post your scripts as text and post the exact steps to reproduce?

wtdcode avatar May 27 '21 11:05 wtdcode

GitHub didn't like the file types I was uploading, so I threw everything needed on Google Drive. The readme has steps for reproducing. @wtdcode

https://drive.google.com/drive/folders/10BICusaZ9JObxpYev7cO_KtRA5KL0cxr?usp=sharing

kr1tzy avatar May 28 '21 07:05 kr1tzy

ACK. Would have a look this weekend.


(Reply sent by e-mail on Friday, May 28, 2021, re: [qilingframework/qiling] Live process snapshots (#806).)

wtdcode avatar May 28 '21 07:05 wtdcode

Hi, I have no access to this sharing.

wtdcode avatar May 31 '21 01:05 wtdcode

@wtdcode just changed the permissions. Sorry about that

kr1tzy avatar May 31 '21 04:05 kr1tzy

Hello, note that you dumped the memory and registers at the time of hitting the breakpoint at main, when ld.so had finished its various setup, and restored them before ql.loader.run. I suggest you try restoring your live snapshot between ql.loader.run and ql.os.run.

wtdcode avatar Jun 04 '21 01:06 wtdcode
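One way to act on that suggestion, added here as an illustration (my code, not Qiling's and not the reporter's script): parse a dump in the layout I remember afl-unicorn's unicorn_dumper scripts writing (an `_index.json` with `regs` and `segments`, each segment's bytes in a zlib-compressed file; those layout details are assumptions), then, once the Qiling object has run its loader, map only the pages the loader has not already mapped, write the live bytes over everything, and load the registers. The Qiling calls `ql.mem.is_mapped`, `ql.mem.map`, `ql.mem.write` and `ql.arch.regs.write` are assumed from memory; the `RecordingEmulator` stand-in lets the flow run without Qiling installed, and the dump it loads is constructed, not taken from a real process.

```python
"""Restore a live-process dump into a Qiling-like emulator after the loader
has run. Illustration written for this thread, not Qiling project code.
Assumed dump layout (afl-unicorn's unicorn_dumper_*.py, from memory):
<dir>/_index.json holds {"regs": {name: int}, "segments": [{"start", "end",
"name", "permissions": {"r","w","x"}, "content_file"}]}; files are zlib data."""
import json
import os
import tempfile
import zlib
from collections import namedtuple
from types import SimpleNamespace

PAGE = 0x1000
PROT_R, PROT_W, PROT_X = 1, 2, 4  # unicorn UC_PROT_* bit values
Segment = namedtuple("Segment", "start end name perms data")
LiveSnapshot = namedtuple("LiveSnapshot", "regs segments")


def load_dump(dump_dir):
    """Parse _index.json and inflate every segment that has a content file."""
    with open(os.path.join(dump_dir, "_index.json")) as fh:
        index = json.load(fh)
    segs = []
    for s in index["segments"]:
        if not s.get("content_file"):
            continue  # regions the dumper could not read (e.g. [vvar]) carry no content
        with open(os.path.join(dump_dir, s["content_file"]), "rb") as fh:
            data = zlib.decompress(fh.read())
        size = s["end"] - s["start"]
        if len(data) != size:
            raise ValueError(f"{s['name']}: {len(data)} bytes for a {size}-byte segment")
        p = s["permissions"]
        perms = (PROT_R if p["r"] else 0) | (PROT_W if p["w"] else 0) | (PROT_X if p["x"] else 0)
        segs.append(Segment(s["start"], s["end"], s["name"], perms, data))
    return LiveSnapshot({k: int(v) for k, v in index["regs"].items()}, segs)


def apply_snapshot(ql, snap, page=PAGE):
    """Map and write each segment, then load registers, through the Qiling-style
    calls ql.mem.is_mapped / ql.mem.map / ql.mem.write / ql.arch.regs.write
    (assumed API; older releases spell the last one ql.reg.write). Pages the
    loader already mapped (stack, ld.so, vdso) are kept and only overwritten,
    so ql.mem.map never collides. Returns (pages_mapped, pages_reused)."""
    mapped = reused = 0
    for seg in snap.segments:
        addr, hi = seg.start & ~(page - 1), (seg.end + page - 1) & ~(page - 1)
        while addr < hi:
            if ql.mem.is_mapped(addr, page):
                reused, addr = reused + 1, addr + page
                continue
            run = addr  # extend over the contiguous unmapped pages, map them at once
            while run < hi and not ql.mem.is_mapped(run, page):
                run += page
            ql.mem.map(addr, run - addr, perms=seg.perms, info=seg.name)
            mapped, addr = mapped + (run - addr) // page, run
        ql.mem.write(seg.start, seg.data)
    for name, value in snap.regs.items():
        ql.arch.regs.write(name, value)
    return mapped, reused


class RecordingEmulator:
    """Offline stand-in for a Qiling instance; `premapped` pages play the role
    of regions the loader had already set up."""
    def __init__(self, premapped=()):
        self.pages, self.maps, self.writes, self.reg_file = set(premapped), [], [], {}
        self.mem = SimpleNamespace(is_mapped=self._is_mapped, map=self._map,
                                   write=lambda a, d: self.writes.append((a, d)))
        self.arch = SimpleNamespace(regs=SimpleNamespace(write=self.reg_file.__setitem__))

    def _is_mapped(self, addr, size):
        return all(a in self.pages for a in range(addr, addr + size, PAGE))

    def _map(self, addr, size, perms=7, info=None):
        if any(a in self.pages for a in range(addr, addr + size, PAGE)):
            raise RuntimeError("map collision")  # what unicorn reports as UC_ERR_MAP
        self.pages.update(range(addr, addr + size, PAGE))
        self.maps.append((addr, size, perms, info))


def make_demo_dump(dump_dir):
    """Write a constructed dump (not from a real process): a code page holding
    an AArch64 `ret`, a two-page stack, and a content-less [vvar] entry."""
    code = b"\xc0\x03\x5f\xd6" + b"\x00" * (PAGE - 4)
    segs = [(0x400000, "hello", {"r": True, "w": False, "x": True}, code),
            (0x7ff000, "[stack]", {"r": True, "w": True, "x": False}, b"\x00" * (2 * PAGE))]
    index = {"regs": {"pc": 0x400000, "sp": 0x800ff0, "x0": 0},
             "segments": [{"start": 0xfffff000, "end": 0x100000000, "name": "[vvar]",
                           "permissions": {"r": True, "w": False, "x": False}}]}
    for start, name, perms, data in segs:
        fname = f"{start:016x}.bin"
        with open(os.path.join(dump_dir, fname), "wb") as fh:
            fh.write(zlib.compress(data))
        index["segments"].append({"start": start, "end": start + len(data), "name": name,
                                  "permissions": perms, "content_file": fname})
    with open(os.path.join(dump_dir, "_index.json"), "w") as fh:
        json.dump(index, fh)


def demo():
    """Whole flow against the stand-in, with the stack's first page pre-mapped
    as the loader would have done; returns (snapshot, emulator, mapped, reused)."""
    dump_dir = tempfile.mkdtemp()
    make_demo_dump(dump_dir)
    snap = load_dump(dump_dir)
    ql = RecordingEmulator(premapped=[0x7ff000])
    return (snap, ql) + apply_snapshot(ql, snap)
```

With Qiling installed the stand-in drops out: construct `Qiling([...], rootfs)`, call `apply_snapshot(ql, load_dump(dump_dir))`, then `ql.run()`, which is what hands over to `ql.os.run()`; first check where your release invokes `ql.loader.run()`, since that ordering is what the suggestion above hinges on. Overwriting the loader's own stack and ld.so pages with the live bytes is what keeps the dumped state and the emulator's view of the address space from diverging. What it cannot do is rebuild the kernel-side state that Qiling's OS layer keeps in its own structures (file descriptors, brk and mmap bookkeeping), which is the limit kr1tzy describes later in the thread.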

Hello @kr1tzy, have you ever solved this issue? I encountered a similar one when loading a snapshot generated by unicorn_dumper_gdb.py (https://github.com/Battelle/afl-unicorn/blob/master/unicorn_mode/helper_scripts/unicorn_dumper_gdb.py)

D0nYu avatar Jul 23 '21 09:07 D0nYu

@D0nYu I don't believe this is feasible unless a mapping of OS & kernel specific structures to Qiling internal memory structures exists. I ended up setting this down after coming to that conclusion. It would be an incredible feature but there's a lot of overhead required to bring it alive.

kr1tzy avatar Oct 22 '21 18:10 kr1tzy

Close for now.

We updated the codebase for Qiling and Unicorn since this issue was posted.

Feel free to try the latest version.

xwings avatar Oct 06 '22 03:10 xwings