I am using the qiling framework to emulate a snake game that runs fine in my x86-64 Windows environment, but it fails in the emulated environment. It runs, but I cannot set a breakpoint in WinDbg at the place where it faults. My question is more about understanding my problem in WinDbg, but I will give the emulator log for context:
[=] Initiate stack address at 0xfffdd000
[=] Loading snake.exe to 0x400000
[=] PE entry point at 0x4033ae
[=] TEB addr is 0x6000
[=] PEB addr is 0x6044
[=] Loading ../examples/rootfs/x8664_windows\Windows\System32\ntdll.dll ...
[!] Warnings while loading ../examples/rootfs/x8664_windows\Windows\System32\ntdll.dll:
[!] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[!] - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[=] Done with loading ../examples/rootfs/x8664_windows\Windows\System32\ntdll.dll
[=] Loading ../examples/rootfs/x8664_windows\Windows\System32\kernel32.dll ...
[=] Done with loading ../examples/rootfs/x8664_windows\Windows\System32\kernel32.dll
[=] Loading ../examples/rootfs/x8664_windows\Windows\System32\mscoree.dll ...
[=] Done with loading ../examples/rootfs/x8664_windows\Windows\System32\mscoree.dll
0x4033ae: jmp qword ptr [rip + 0x402000]
[!] api _CorExeMain is not implemented
This seems to be the culprit, so I tried to set a breakpoint at 0x4033ae in WinDbg with the command `bu 0x4033ae`. I also tried `bp`.
0x102bdbd1: push rbx
0x102bdbd3: sub esp, 0x20
0x102bdbd7: and dword ptr [rsp + 0x30], 0
0x102bdbdd: lea ecx, [rsp + 0x30]
0x102bdbe1: call 0x102b4548
0x102b4549: push rbx
0x102b454b: sub esp, 0x20
0x102b454e: mov eax, dword ptr [rip + 0x5b4dc]
[x] CPU Context:
[x] ah : 0xff
... snip ...
[x] gs : 0x78
[x] Hexdump:
[x] 8b 05 dc b4 05 00 48 8b
[x] Disassembly:
[=] 102b454e [mscoree.dll + 0x00154e] 8b 05 dc b4 05 00 48 8b d9 85 c0 75 05 e8 c4 fc ff ff 8b 05 ca b4 05 00 83 f8 02 75 0f 48 85 db 74 0a 48 8b 05 c9 b4 05 00 48 89 03 8b 05 b0 b4 05 00 48 83 c4 20 5b c3 cc cc cc cc cc cc cc cc
> mov eax, dword ptr [0x5b4dc]
> dec eax
> mov ebx, ecx
> test eax, eax
> jne 0x102b4560
> call 0x102b4224
> mov eax, dword ptr [0x5b4ca]
> cmp eax, 2
> jne 0x102b457a
> dec eax
> test ebx, ebx
> je 0x102b457a
> dec eax
> mov eax, dword ptr [0x5b4c9]
> dec eax
> mov dword ptr [ebx], eax
> mov eax, dword ptr [0x5b4b0]
> dec eax
> add esp, 0x20
> pop ebx
> ret
> int3
> int3
> int3
> int3
> int3
> int3
> int3
> int3
[x] PC = 0x102b454e (../examples/rootfs/x8664_windows\Windows\System32\mscoree.dll + 0x154e)
[=] Memory map:
[=] Start End Perm Label Image
[=] 00006000 - 0000c000 rwx [FS/GS]
[=] 00030000 - 00031000 rwx [GDT]
[=] 00400000 - 00408000 rwx [PE] snake.exe
[=] 05000000 - 05001000 rwx [heap]
[=] 06000000 - 0c000000 rwx [FS/GS]
[=] 10000000 - 101f5000 rwx ntdll.dll ../examples/rootfs/x8664_windows\Windows\System32\ntdll.dll
[=] 101f5000 - 102b3000 rwx kernel32.dll ../examples/rootfs/x8664_windows\Windows\System32\kernel32.dll
[=] 102b3000 - 10318000 rwx mscoree.dll ../examples/rootfs/x8664_windows\Windows\System32\mscoree.dll
[=] fffdd000 - ffffe000 rwx [stack]
Traceback (most recent call last):
... snip ...
File "C:\Users\jonat\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\unicorn\unicorn.py", line 465, in emu_start
raise UcError(status)
unicorn.unicorn.UcError: Invalid memory mapping (UC_ERR_MAP)
In WinDbg I get:
CommandLine: C:\Users\jonat\Documents\GitHub\synthesis\obfu\snake.exe
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*
Symbol search path is: srv*
Executable search path is:
ModLoad: 00e60000 00e68000 ConsoleGraphics.exe
ModLoad: 770f0000 77293000 ntdll.dll
ModLoad: 74810000 74862000 C:\WINDOWS\SysWOW64\MSCOREE.DLL
ModLoad: 74fb0000 750a0000 C:\WINDOWS\SysWOW64\KERNEL32.dll
ModLoad: 75fa0000 761b5000 C:\WINDOWS\SysWOW64\KERNELBASE.dll
(9b8.7854): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=3c560000 edx=00000000 esi=77102054 edi=7710261c
eip=771a1ba2 esp=00fff9cc ebp=00fff9f8 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll!LdrpDoDebuggerBreak+0x2b:
771a1ba2 cc int 3
This seems to be a standard breakpoint triggered by ntdll, but by the time it is triggered we have already passed the address 0x4033ae where I was trying to apply it. I realized that this is probably because the address space of the process seems to be mapped differently by the execution context within my OS / WinDbg and by the qiling emulation. How can I begin debugging this problem, or at least find the relevant breakpoint in WinDbg?
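As an added example (not part of the question or its answer), the following Python script translates an address seen in the Qiling trace into a WinDbg breakpoint expression. It parses the Qiling memory map and the WinDbg ModLoad lines quoted above (embedded below as sample text copied from those two logs), pairs the Qiling `[PE]` image with the first ModLoad entry (the main executable; that ConsoleGraphics.exe and snake.exe are the same image is an assumption, suggested by the identical 0x8000 size), pairs DLLs by file name, and emits a `bp module+rva` command that survives ASLR. Caveat worth keeping in mind: a DLL address only maps over cleanly when the emulator and the debugger loaded the same file. Here the rootfs mscoree.dll came from System32 while the WinDbg session loaded the SysWOW64 copy, so an RVA taken inside that DLL in Qiling will not point at the same instruction in WinDbg; the main-image mapping is the reliable one.

```python
import re

# Sample input, constructed by copying the Qiling memory map and the
# WinDbg ModLoad lines quoted in the question.
QILING_MAP = r"""
[=] 00006000 - 0000c000 rwx [FS/GS]
[=] 00400000 - 00408000 rwx [PE] snake.exe
[=] 05000000 - 05001000 rwx [heap]
[=] 10000000 - 101f5000 rwx ntdll.dll ../examples/rootfs/x8664_windows\Windows\System32\ntdll.dll
[=] 101f5000 - 102b3000 rwx kernel32.dll ../examples/rootfs/x8664_windows\Windows\System32\kernel32.dll
[=] 102b3000 - 10318000 rwx mscoree.dll ../examples/rootfs/x8664_windows\Windows\System32\mscoree.dll
[=] fffdd000 - ffffe000 rwx [stack]
"""

WINDBG_LOG = r"""
ModLoad: 00e60000 00e68000 ConsoleGraphics.exe
ModLoad: 770f0000 77293000 ntdll.dll
ModLoad: 74810000 74862000 C:\WINDOWS\SysWOW64\MSCOREE.DLL
ModLoad: 74fb0000 750a0000 C:\WINDOWS\SysWOW64\KERNEL32.dll
ModLoad: 75fa0000 761b5000 C:\WINDOWS\SysWOW64\KERNELBASE.dll
"""

_QL_RE = re.compile(r"^\[=\]\s+([0-9a-f]+)\s+-\s+([0-9a-f]+)\s+\S+\s+(.*)$", re.I)
_WD_RE = re.compile(r"^ModLoad:\s+([0-9a-f`]+)\s+([0-9a-f`]+)\s+(.*)$", re.I)


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def parse_qiling_map(text):
    """Return [(start, end, name, is_main_image)] for image-backed regions only."""
    mods = []
    for line in text.splitlines():
        m = _QL_RE.match(line.strip())
        if not m:
            continue
        start, end, label = int(m.group(1), 16), int(m.group(2), 16), m.group(3).strip()
        if label.startswith("[PE]"):
            mods.append((start, end, label.split(None, 1)[1].strip(), True))
        elif not label.startswith("["):  # [heap], [stack], [GDT], [FS/GS] carry no image
            mods.append((start, end, label.split()[0], False))
    return mods


def parse_windbg_modload(text):
    """Return [(start, end, basename)]; the first ModLoad line is the executable."""
    mods = []
    for line in text.splitlines():
        m = _WD_RE.match(line.strip())
        if m:
            start = int(m.group(1).replace("`", ""), 16)  # 64-bit cdb prints 00000000`77e30000
            end = int(m.group(2).replace("`", ""), 16)
            mods.append((start, end, _basename(m.group(3).strip())))
    return mods


def to_windbg_bp(addr, qiling_text, windbg_text):
    """Map a Qiling-trace address to (module, rva, windbg_addr, bp_command)."""
    qmods = parse_qiling_map(qiling_text)
    wmods = parse_windbg_modload(windbg_text)
    for start, end, name, is_main in qmods:
        if not (start <= addr < end):
            continue
        rva = addr - start
        if is_main:
            wstart, wend, wname = wmods[0]  # assumption: first ModLoad is the exe
        else:
            match = [w for w in wmods if w[2].lower() == name.lower()]
            if not match:
                raise LookupError(f"{name} is not loaded in the WinDbg session")
            wstart, wend, wname = match[0]
        if rva >= wend - wstart:
            raise ValueError(f"rva {rva:#x} lies outside {wname}; different image?")
        modname = wname.rsplit(".", 1)[0]
        return modname, rva, wstart + rva, f"bp {modname}+{rva:#x}"
    raise LookupError(f"{addr:#x} is not inside any image in the Qiling map")


if __name__ == "__main__":
    for a in (0x4033AE, 0x102B454E):
        print(to_windbg_bp(a, QILING_MAP, WINDBG_LOG))
```

For the entry point in the question this yields `bp ConsoleGraphics+0x33ae`, which WinDbg resolves against the live base (0xe633ae in the session above) no matter where ASLR put the image, and which can be set at the initial `LdrpDoDebuggerBreak` stop, before the entry point has executed.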
Reply from a uj5u.com user:
This query is not exactly related to windbg.
As I commented, Qiling Framework has not implemented dotnet yet; someone needs to contribute an implementation.
Since this query also has a windbg tag and a debugging tag,
and I have been wanting to test the Qiling framework on a Windows machine for a while,
I took this query as an opportunity to do so.
Qiling is an emulation framework being built on unicorn.
I have dabbled with unicorn and found it quite useful.
Installed Qiling [pip3 install Qiling] on an x64 windows10 machine. Windows examples are scarce, and one example indicated in the github repo, disasm_x886_windows.py, is missing from the repo.
Had to search around for a working setup.
After installing Qiling, it needs a virtual file system to operate on, holding the relevant Windows dlls and registry hives;
this is done using the dllscollector.bat provided in the repo.
Basically dllscollector.bat xcopies the relevant 32-bit and 64-bit dlls and uses reg save to save the registry hives.
f:\>md QILING
f:\>cd QILING
f:\QILING>ls
f:\QILING>f:\wget\wget.exe -c https://raw.githubusercontent.com/qilingframework/qiling/master/examples/scripts/dllscollector.bat
2021-11-14 03:03:05 (1.28 MB/s) - 'dllscollector.bat' saved [10085/10085]
f:\QILING>ls
dllscollector.bat
f:\QILING>file dllscollector.bat
dllscollector.bat: DOS batch file, ASCII text, with very long lines
f:\QILING>dllscollector.bat
Does F:\QILING\examples\rootfs\x8664_windows\Windows\registry\NTUSER.DAT specify a file name
or directory name on the target
(F = file, D = directory)? f
C:\Users\Default\NTUSER.DAT -> F:\QILING\examples\rootfs\x8664_windows\Windows\registry\NTUSER.DAT
1 File(s) copied
The operation completed successfully.
snip all copy and save operations
f:\QILING>ls
dllscollector.bat examples
Now that we have collected the dlls, let's copy two test binaries,
one an x64 console application,
the other a .net console binary, and then
write a python script to emulate them with the QILING framework.
f:\QILING>ls
dllscollector.bat examples
f:\QILING>md testqiling
f:\QILING>xcopy ..\tbins .\testqiling\
..\tbins\mcall.exe
..\tbins\printxcode.exe
..\tbins\qiliwin.py
3 File(s) copied
f:\QILING>cd testqiling
f:\QILING\testqiling>file *
mcall.exe: PE32 executable (GUI) x86-64, for MS Windows
printxcode.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
qiliwin.py: Python script, ASCII text executable, with CRLF line terminators
f:\QILING\testqiling>printxcode.exe |head -n 2
HResult is 80070057 xcode is E0434352 Value does not fall within the expected range.
HResult is 80004003 xcode is E0434352 Value cannot be null.
f:\QILING\testqiling>start /wait mcall.exe
f:\QILING\testqiling>echo %errorlevel%
1677
The script is as follows.
stop_on_exit_trap is added to avoid a crash of mcall.exe when it returns to the crt from main() due to an unreachable PC (0x0 as rip).
trace traces and prints all executed instructions.
verbose provides some additional logs.
f:\QILING\testqiling>cat qiliwin.py
import os
from qiling import Qiling
from qiling.const import QL_VERBOSE
from qiling.extensions import trace

os.system('')  # cmd.exe quirk exploited to enable ANSI colours in the trace output
rootfs = r"F:\QILING\examples\rootfs\x8664_windows"
bin2exec = [
    r"F:\QILING\testqiling\mcall.exe",
    r"F:\QILING\testqiling\printxcode.exe"
]
for binary in bin2exec:
    print("executing binary\n=====================\n%s\n=====================\n" % binary)
    # stop_on_exit_trap: stop cleanly when the entry point returns instead of faulting on rip = 0
    ql = Qiling([binary], rootfs, verbose=QL_VERBOSE.DEBUG, stop_on_exit_trap=True)
    trace.enable_full_trace(ql)  # print every executed instruction with register values
    ql.run()
Executing the script we get
qiling.exception.QlErrorFileNotFound: Cannot find dll in F:\QILING\examples\rootfs\x8664_windows\Windows\System32\mscoree.dll
Copying the mscoree.dll from System32 to rootfs/System32 and checking, it crashes again with the unmapped error as pointed out in the query.
Let's open the .net binary in an x64 windbg and check.
F:\QILING\testqiling>cdb -c "sxe ld:mscoree;g;q" printxcode.exe | awk /Reading/,/quit/
0:000> cdb: Reading initial command 'sxe ld:mscoree;g;q'
ModLoad: 00000000`77e30000 00000000`77e39000 C:\WINDOWS\System32\wow64cpu.dll
ModLoad: 00000000`73f90000 00000000`73fe2000 C:\WINDOWS\SysWOW64\MSCOREE.DLL
quit:
So this binary needs the mscoree from SysWOW64.
f:\QILING\testqiling>copy c:\Windows\SysWOW64\mscoree.dll F:\QILING\examples\rootfs\x8664_windows\Windows\System32\.
Overwrite F:\QILING\examples\rootfs\x8664_windows\Windows\System32\.\mscoree.dll? (Yes/No/All): y
1 file(s) copied.
Execution now doesn't crash.
F:\QILING\testqiling>python qiliwin.py
executing binary
=====================
F:\QILING\testqiling\mcall.exe
=====================
[ ] Profile: Default
[ ] Windows Registry PATH: F:\QILING\examples\rootfs\x8664_windows\Windows\registry
[=] Initiate stack address at 0x7ffffffde000
[=] Loading F:\QILING\testqiling\mcall.exe to 0x140000000
[=] PE entry point at 0x140001030
[=] TEB addr is 0x6000030
[=] PEB addr is 0x60000b8
[=] Loading F:\QILING\examples\rootfs\x8664_windows\Windows\System32\ntdll.dll ...
[!] Warnings while loading F:\QILING\examples\rootfs\x8664_windows\Windows\System32\ntdll.dll:
[!] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[!] - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[ ] DLL preferred base address: 0x180000000
[=] Done with loading F:\QILING\examples\rootfs\x8664_windows\Windows\System32\ntdll.dll
[=] Loading F:\QILING\examples\rootfs\x8664_windows\Windows\System32\kernel32.dll ...
[ ] DLL preferred base address: 0x180000000
[ ] DLL preferred base address is taken, loading to: 0x1801f0000
[=] Done with loading F:\QILING\examples\rootfs\x8664_windows\Windows\System32\kernel32.dll
[ ] Done with loading F:\QILING\testqiling\mcall.exe
[ ] Setting up exit trap at 0x0x140004000
[ ] 140001030 | 4883ec48 sub rsp, 0x48 | rsp = 0x0
[ ] 140001034 | 41b803000000 mov r8d, 0x3 |
[ ] 14000103a | ba02000000 mov edx, 0x2 |
[ ] 14000103f | b901000000 mov ecx, 0x1 |
[ ] 140001044 | e8b7ffffff call 0x140001000 | rsp = 0x0, rip = 0x0
[ ] 140001000 | 4489442418 mov dword ptr [0x18], r8d | rsp = 0x0, r8d = 0x0
[ ] 140001005 | 89542410 mov dword ptr [0x10], edx | rsp = 0x0, edx = 0x2
[ ] 140001009 | 894c2408 mov dword ptr [0x8], ecx | rsp = 0x0, ecx = 0x1
[ ] 14000100d | 8b442410 mov eax, dword ptr [0x10] | rsp = 0x0
[ ] 140001011 | 8b4c2408 mov ecx, dword ptr [0x8] | rsp = 0x0
[ ] 140001015 | 03c8 add ecx, eax | ecx = 0x1, eax = 0x2
[ ] 140001017 | 8bc1 mov eax, ecx | ecx = 0x3
[ ] 140001019 | 03442418 add eax, dword ptr [0x18] | eax = 0x3, rsp = 0x0
[ ] 14000101d | c3 ret | rsp = 0x0
[ ] 140001049 | 89442428 mov dword ptr [0x28], eax | rsp = 0x0, eax = 0x6
[ ] 14000104d | 41b806000000 mov r8d, 0x6 |
[ ] 140001053 | ba07000000 mov edx, 0x7 |
[ ] 140001058 | b908000000 mov ecx, 0x8 |
[ ] 14000105d | e89effffff call 0x140001000 | rsp = 0x0, rip = 0x0
snipoff
[ ] 140004000 | 90 nop |
[=] Process returned from entrypoint (exit_trap)!
[ ] Syscalls called:
[ ] Registries accessed:
[ ] Strings:
executing binary
=====================
F:\QILING\testqiling\printxcode.exe
=====================
[ ] Profile: Default
[ ] Map GDT at 0x30000 with GDT_LIMIT=4096
[ ] Write to 0x30018 for new entry b'\x00\xf0\x00\x00\x00\xfeO\x00'
[ ] Write to 0x30028 for new entry b'\x00\xf0\x00\x00\x00\x96O\x00'
[ ] Write to 0x30070 for new entry b'\x00`\x00`\x00\xf6@\x00'
[ ] Write to 0x30078 for new entry b'\x00\x00\x00\x00\x00\xf6@\x06'
[ ] Windows Registry PATH: F:\QILING\examples\rootfs\x8664_windows\Windows\registry
[=] Initiate stack address at 0xfffdd000
[=] Loading F:\QILING\testqiling\printxcode.exe to 0x400000
[=] PE entry point at 0x402eda
[=] TEB addr is 0x6000
[=] PEB addr is 0x6044
[=] Loading F:\QILING\examples\rootfs\x8664_windows\Windows\System32\ntdll.dll ...
[!] Warnings while loading F:\QILING\examples\rootfs\x8664_windows\Windows\System32\ntdll.dll:
[!] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[!] - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[ ] DLL preferred base address: 0x180000000
[ ] DLL preferred base address exceeds memory upper bound, loading to: 0x10000000
[=] Done with loading F:\QILING\examples\rootfs\x8664_windows\Windows\System32\ntdll.dll
[=] Loading F:\QILING\examples\rootfs\x8664_windows\Windows\System32\kernel32.dll ...
[ ] DLL preferred base address: 0x180000000
[ ] DLL preferred base address exceeds memory upper bound, loading to: 0x101f0000
[=] Done with loading F:\QILING\examples\rootfs\x8664_windows\Windows\System32\kernel32.dll
[=] Loading F:\QILING\examples\rootfs\x8664_windows\Windows\System32\mscoree.dll ...
[ ] DLL preferred base address: 0x10000000
[ ] DLL preferred base address is taken, loading to: 0x102b0000
[=] Done with loading F:\QILING\examples\rootfs\x8664_windows\Windows\System32\mscoree.dll
[ ] Done with loading F:\QILING\testqiling\printxcode.exe
[ ] Setting up exit trap at 0x0xc000000
[ ] 00402eda | ff2500204000 jmp dword ptr [0x402000] |
[!] api _CorExeMain is not implemented
[ ] 102c4330 | 8bff mov edi, edi | edi = 0x0
[ ] 102c4332 | 56 push esi | esp = 0x0, esi = 0xffffd000
snipoff
[ ] 0c000000 | 90 nop |
[=] Process returned from entrypoint (exit_trap)!
[ ] Syscalls called:
[ ] Registries accessed:
[ ] Strings:
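Added example, not code from the question, the answer or the Qiling project: the answer learned from cdb's `sxe ld:mscoree` stop that this PE32 .NET binary pulls in the SysWOW64 mscoree.dll, and the crash disappeared once the DLL in the rootfs matched the executable's bitness. The same check can be made statically from the PE headers before the emulator is run. The script below reads Machine, the optional-header magic and data directory 14 (the CLR runtime header, which is what makes `file` report "Mono/.Net assembly" and what the `jmp [0x402000]` stub at the entry point hands off to), and verifies that a DLL dropped into the rootfs carries the same Machine as the executable. It assumes a 64-bit Windows host, where the 32-bit copy lives in SysWOW64. The two PE images it inspects are constructed in memory by the script (headers only, not loadable files); for real files pass the bytes read from disk. One caveat: an "Any CPU" assembly is also PE32/I386 in its headers but is started as a 64-bit process by the real loader, so cdb's observation of which mscoree.dll actually loaded remains the ground truth; this check reports what the native PE headers say, which is also what Qiling's loader goes by.

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # data directory slot of the CLR runtime header


def pe_info(data):
    """Parse the DOS, COFF and optional headers; report machine, bitness, entry RVA and .NET flag."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsec, _ts, _sym, _nsym, _opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        bits, nrva_off, dir_off = 32, 92, 96
    elif magic == PE32PLUS_MAGIC:
        bits, nrva_off, dir_off = 64, 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    nrva = struct.unpack_from("<I", data, opt + nrva_off)[0]
    is_dotnet = False
    if nrva > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        rva, size = struct.unpack_from("<II", data, opt + dir_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
        is_dotnet = rva != 0 and size != 0  # a populated CLR header marks a managed image
    return {"machine": machine, "bits": bits, "entry_point": entry, "is_dotnet": is_dotnet}


def mscoree_for(exe_bytes):
    """Path of the mscoree.dll a 64-bit host serves to this image (assumed host layout), or None."""
    info = pe_info(exe_bytes)
    if not info["is_dotnet"]:
        return None
    sysdir = "System32" if info["bits"] == 64 else "SysWOW64"
    return "C:\\Windows\\" + sysdir + "\\mscoree.dll"


def dll_matches_exe(exe_bytes, dll_bytes):
    """A DLL copied into the rootfs must have the same Machine as the executable that loads it."""
    return pe_info(exe_bytes)["machine"] == pe_info(dll_bytes)["machine"]


def build_minimal_pe(machine, magic, clr_header=False, entry=0x1000):
    """Construct a headers-only PE image as sample input (not a loadable file)."""
    opt_size = 0xE0 if magic == PE32_MAGIC else 0xF0
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, 16, entry)  # AddressOfEntryPoint
    nrva_off = 92 if magic == PE32_MAGIC else 108
    struct.pack_into("<I", opt, nrva_off, 16)  # NumberOfRvaAndSizes
    if clr_header:
        dir_off = nrva_off + 4 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        struct.pack_into("<II", opt, dir_off, 0x2008, 0x48)  # RVA/size of IMAGE_COR20_HEADER
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    exe = build_minimal_pe(IMAGE_FILE_MACHINE_I386, PE32_MAGIC, clr_header=True, entry=0x2EDA)
    dll = build_minimal_pe(IMAGE_FILE_MACHINE_AMD64, PE32PLUS_MAGIC)
    print(pe_info(exe), mscoree_for(exe), dll_matches_exe(exe, dll))
```

Run against the real files, `pe_info(open("printxcode.exe", "rb").read())` reports a 32-bit managed image and `dll_matches_exe` flags a System32 (AMD64) mscoree.dll as the wrong one for it, which is exactly the mismatch the answer resolved by copying the SysWOW64 build into the rootfs.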
Tags: debugging x86-64 windbg qiling