
Stack seems to be corrupted when running on Windows #1316

Closed
wtdcode opened this issue Aug 12, 2020 · 3 comments

Comments

@wtdcode
Member

wtdcode commented Aug 12, 2020

When I run Qiling tests on Windows (native, not WSL), Unicorn crashes and causes the whole Python process to die silently. To locate the exception, I attached WinDbg to the Python process; below is the stack trace.

```
0:000> kv
 # Child-SP          RetAddr               : Args to Child                                                           : Call Site
00 00000042`215eb400 00007ff9`dee33033     : 00000194`6bf86fb0 00007ff9`f5ebe2d9 00000042`215f0000 00000042`00000000 : _ctypes!DllCanUnloadNow+0x7c38
01 00000042`215eb440 00007ff9`f5f4124f     : 00007ff9`dee3f000 00007ff9`dee20000 000012d8`00023000 00000042`215ebc10 : _ctypes!DllCanUnloadNow+0x8bb3
02 00000042`215eb470 00007ff9`f5ebd9b2     : 00007ff9`dee3ff78 00000042`215ec420 00007ff9`dee3f8a0 00007ff9`dee30025 : ntdll!_chkstk+0x19f
03 00000042`215eb4a0 00007ff9`84c7f87a     : 00000000`00000000 000001d6`49b3bee8 00000000`00000004 00000000`00000004 : ntdll!RtlUnwindEx+0x522
04 00000042`215ebbb0 00007ff9`84955670     : 00000000`00000000 0000395c`1d8654ed 000001d6`4762fdf0 00000000`00000000 : unicorn!uc_version+0x3757aa
05 00000042`215ec0f0 00007ff9`849561de     : 000001d6`49b8a030 00007ff9`ae0ba97d ffffffff`00000000 000001d6`49b82360 : unicorn!uc_version+0x4b5a0
06 00000042`215ec120 000001d6`4c1069b0     : 00000000`00000000 00000000`00000000 00000042`215ec270 00007ff9`849f7bba : unicorn!uc_version+0x4c10e
07 00000042`215ec150 00000000`00000000     : 00000000`00000000 00000042`215ec270 00007ff9`849f7bba 000001d6`4c8f28a3 : 0x000001d6`4c1069b0
start             end                 module name
00000000`59c30000 00000000`59cc6000   pythoncom37   (deferred)
00000000`5a770000 00000000`5a779000   _win32sysloader   (deferred)
00000000`5a780000 00000000`5a7a7000   pywintypes37   (deferred)
00000000`5a7b0000 00000000`5a7d6000   win32api   (deferred)
00000000`61440000 00000000`6145a000   libgcc_s_seh_1   (deferred)
00000000`64940000 00000000`64955000   libwinpthread_1   (deferred)
00007ff6`97320000 00007ff6`9733b000   python     (deferred)
00007ff9`5dca0000 00007ff9`5e171000   capstone   (deferred)
00007ff9`809d0000 00007ff9`80f01000   keystone   (deferred)
00007ff9`84900000 00007ff9`84d63000   unicorn  C (export symbols)       C:\Program Files\Python37\lib\site-packages\unicorn\lib\unicorn.dll
00007ff9`ae0a0000 00007ff9`ae467000   python37   (deferred)
00007ff9`c73c0000 00007ff9`c73f2000   pyexpat    (deferred)
00007ff9`cd300000 00007ff9`cd30c000   secur32    (deferred)
00007ff9`ced20000 00007ff9`cef86000   libcrypto_1_1_x64   (deferred)
00007ff9`dcb00000 00007ff9`dcda6000   iertutil   (deferred)
00007ff9`dcdb0000 00007ff9`dcf86000   urlmon     (deferred)
00007ff9`dee20000 00007ff9`dee43000   _ctypes    (export symbols)       C:\Program Files\Python37\DLLs\_ctypes.pyd
00007ff9`dee50000 00007ff9`dee91000   _lzma      (deferred)
00007ff9`df070000 00007ff9`df085000   _socket    (deferred)
00007ff9`df180000 00007ff9`df198000   _bz2       (deferred)
00007ff9`e37b0000 00007ff9`e37b9000   select     (deferred)
00007ff9`ea0b0000 00007ff9`ea0bd000   _hashlib   (deferred)
00007ff9`ea0c0000 00007ff9`ea0d6000   VCRUNTIME140   (deferred)
00007ff9`eb670000 00007ff9`eb67a000   VERSION    (deferred)
00007ff9`ebf20000 00007ff9`ebf2f000   python3    (deferred)
00007ff9`f0d30000 00007ff9`f0dc9000   uxtheme    (deferred)
00007ff9`f20d0000 00007ff9`f2103000   rsaenh     (deferred)
00007ff9`f2790000 00007ff9`f279c000   CRYPTBASE   (deferred)
00007ff9`f2c40000 00007ff9`f2c6f000   SSPICLI    (deferred)
00007ff9`f2d50000 00007ff9`f2d60000   UMPDC      (deferred)
00007ff9`f2d60000 00007ff9`f2d83000   profapi    (deferred)
00007ff9`f2db0000 00007ff9`f2dc1000   kernel_appcore   (deferred)
00007ff9`f2dd0000 00007ff9`f2e1a000   powrprof   (deferred)
00007ff9`f2e20000 00007ff9`f2e41000   win32u     (deferred)
00007ff9`f2e50000 00007ff9`f2e67000   CRYPTSP    (deferred)
00007ff9`f2ed0000 00007ff9`f2f1a000   cfgmgr32   (deferred)
00007ff9`f2f20000 00007ff9`f31c4000   KERNELBASE   (deferred)
00007ff9`f31d0000 00007ff9`f326e000   msvcp_win   (deferred)
00007ff9`f3270000 00007ff9`f336a000   ucrtbase   (deferred)
00007ff9`f3370000 00007ff9`f33f0000   bcryptPrimitives   (deferred)
00007ff9`f34a0000 00007ff9`f3c22000   windows_storage   (deferred)
00007ff9`f3c30000 00007ff9`f3dc6000   gdi32full   (deferred)
00007ff9`f3dd0000 00007ff9`f3df6000   bcrypt     (deferred)
00007ff9`f3f50000 00007ff9`f4636000   SHELL32    (deferred)
00007ff9`f4640000 00007ff9`f46de000   msvcrt     (deferred)
00007ff9`f46e0000 00007ff9`f4837000   ole32      (deferred)
00007ff9`f49a0000 00007ff9`f49f2000   SHLWAPI    (deferred)
00007ff9`f4a80000 00007ff9`f4aa6000   GDI32      (deferred)
00007ff9`f4ab0000 00007ff9`f4b1f000   WS2_32     (deferred)
00007ff9`f4b80000 00007ff9`f4d14000   USER32     (deferred)
00007ff9`f4d20000 00007ff9`f4db7000   sechost    (deferred)
00007ff9`f52d0000 00007ff9`f5395000   OLEAUT32   (deferred)
00007ff9`f53b0000 00007ff9`f5462000   KERNEL32   (deferred)
00007ff9`f5610000 00007ff9`f5730000   RPCRT4     (deferred)
00007ff9`f5730000 00007ff9`f575e000   IMM32      (deferred)
00007ff9`f5760000 00007ff9`f5809000   shcore     (deferred)
00007ff9`f5810000 00007ff9`f58b3000   ADVAPI32   (deferred)
00007ff9`f5b20000 00007ff9`f5e55000   combase    (deferred)
00007ff9`f5ea0000 00007ff9`f6090000   ntdll      (export symbols)       C:\Windows\SYSTEM32\ntdll.dll
```
@wtdcode
Member Author

wtdcode commented Sep 14, 2020

A minimal piece of reproduction code:

```cpp
#define _CRT_SECURE_NO_WARNINGS
#include <cstdio>
#include "unicorn.h"

// 16-bit real-mode program placed at cs:ip:
// addr:
//      INT 21h;      ; fires the UC_HOOK_INTR callback
//      jmp addr;     ; short jump back (-4), so the INT repeats forever
const char* cmd = "\xcd\x21\xeb\xfc";
int count = 1;

// UC_HOOK_INTR callback: invoked once per executed INT instruction.
void cb(uc_engine *uc, uint32_t intno, void *user_data) {
	printf("Callback count: %d\n", count);
	count += 1;
}

int main() {
	uc_engine* uc;
	uc_err err;
	printf("Start\n");
	err = uc_open(UC_ARCH_X86, UC_MODE_16, &uc);
	if (err != UC_ERR_OK) {
		printf("Failed to open uc\n");
		return -1;
	}
	// 4 KiB page covering the linear address cs * 16 + ip (0x75a0 + 0x100).
	err = uc_mem_map(uc, 0x7000, 4 * 1024, UC_PROT_ALL);
	if (err != UC_ERR_OK) {
		printf("Failed to allocate memory with %d\n", err);
		return -1;
	}
	int ip = 0x100;
	int cs = 0x75a;
	int address_to_load = cs * 16 + ip;   // real-mode linear address
	err = uc_mem_write(uc, address_to_load, cmd, 4);
	if (err != UC_ERR_OK) {
		printf("Failed to write memory with %d\n", err);
		return -1;
	}
	err = uc_reg_write(uc, UC_X86_REG_IP, &ip);
	if (err != UC_ERR_OK) {
		printf("Failed to write register with %d\n", err);
		return -1;
	}
	err = uc_reg_write(uc, UC_X86_REG_CS, &cs);
	if (err != UC_ERR_OK) {
		printf("Failed to write register with %d\n", err);
		return -1;
	}
	uc_hook hook;
	// Hook every interrupt (begin = 0, end = -1 covers the whole address space).
	err = uc_hook_add(uc, &hook, UC_HOOK_INTR, (void*)cb, nullptr, 0, -1);
	if (err != UC_ERR_OK) {
		printf("Hook failed with %d\n", err);
		return -1;
	}
	printf("Before emulation.\n");
	// The jmp never lets execution reach address_to_load + 4, so this only
	// returns when Unicorn stops for another reason.
	err = uc_emu_start(uc, address_to_load, address_to_load + 4, 0, 0);
	if (err != UC_ERR_OK) {
		printf("Emulation error %d\n", err);
		return -1;
	}
	printf("After emulation.\n");
	uc_close(uc);
	return 0;
}
```

Update:

This code works with C++ exceptions disabled, but it seems that we can't disable C++ exceptions for ctypes.

@wtdcode wtdcode changed the title from "Unicorn crashes in uc_version" to "Stack seems to be corrupted when running on Windows" Sep 14, 2020
aquynh added a commit that referenced this issue Sep 15, 2020
@wtdcode
Member Author

wtdcode commented Sep 15, 2020

Corresponding Python script:

```python
from unicorn import *
from unicorn.x86_const import *

def test16():
    count = 0

    # UC_HOOK_INTR callback; `mu` is the enclosing Uc instance created below.
    def cb(a, b, c):
        nonlocal count
        count += 1
        print(f"Count: {count}")
        if count >= 100:
            mu.emu_stop()   # the INT/jmp loop never ends on its own

    try:
        mu = Uc(UC_ARCH_X86, UC_MODE_16)
        mu.mem_map(0x7000, 4 * 1024, UC_PROT_ALL)
        cs = 0x75a
        ip = 0x100
        mu.reg_write(UC_X86_REG_IP, ip)
        mu.reg_write(UC_X86_REG_CS, cs)
        address_to_load = cs * 16 + ip      # real-mode linear address
        # INT 21h ; jmp -4 (back to the INT)
        mu.mem_write(address_to_load, b"\xcd\x21\xeb\xfc")
        mu.hook_add(UC_HOOK_INTR, cb)
        mu.emu_start(address_to_load, address_to_load + 4)
    except UcError as e:
        print("ERROR: %s" % e)

if __name__ == '__main__':
    test16()
```
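The hook callback in the script above bounds the INT 21h loop by counting calls and stopping the emulator, and the WinDbg trace in the first comment shows ntdll!RtlUnwindEx running below _ctypes frames, i.e. an exception unwinding across the C/Python boundary. The following is an added example, not code from the Unicorn or Qiling projects: it shows the same two defensive habits for any Python function handed to native code through ctypes (keep exceptions on the Python side, and enforce a call budget) using libc's `qsort` as the native caller so it runs without Unicorn installed. `CallbackGuard`, `sort_with_budget`, the budget values and the sample input are my own constructions.

```python
import ctypes
import ctypes.util

# Locate the C runtime. find_library("c") resolves libc on Linux/macOS and
# msvcrt on Windows; CDLL(None) is the Linux fallback through the main program.
_libc_name = ctypes.util.find_library("c")
libc = ctypes.CDLL(_libc_name) if _libc_name else ctypes.CDLL(None)

# int compar(const int *a, const int *b): the qsort comparator prototype.
CMPFUNC = ctypes.CFUNCTYPE(ctypes.c_int,
                           ctypes.POINTER(ctypes.c_int),
                           ctypes.POINTER(ctypes.c_int))
libc.qsort.restype = None
libc.qsort.argtypes = [ctypes.c_void_p, ctypes.c_size_t, ctypes.c_size_t, CMPFUNC]


class CallbackGuard:
    """Wraps a Python function used as an FFI callback (hypothetical helper).

    An exception escaping a ctypes callback cannot propagate through the C
    frames that invoked it, so the guard records the first one, returns a
    neutral value so the native caller finishes normally, and lets the caller
    inspect the error after the native call returns. The call budget bounds
    callbacks that the native side would otherwise invoke without end (the
    INT 21h / jmp loop in the repro above).
    """

    def __init__(self, max_calls):
        self.max_calls = max_calls
        self.calls = 0
        self.error = None

    def wrap(self, fn, fallback):
        def guarded(*args):
            self.calls += 1
            if self.error is not None:
                return fallback          # already failed: stay inert
            try:
                if self.calls > self.max_calls:
                    raise RuntimeError(
                        f"callback budget of {self.max_calls} calls exhausted")
                return fn(*args)
            except Exception as exc:     # never let this cross into C
                self.error = exc
                return fallback
        return guarded


def compare_ints(a, b):
    """Three-way comparison of the pointed-to ints, as qsort expects."""
    return (a[0] > b[0]) - (a[0] < b[0])


def sort_with_budget(values, max_calls):
    """Sort `values` with libc qsort; return (result, calls made, recorded error)."""
    guard = CallbackGuard(max_calls)
    arr = (ctypes.c_int * len(values))(*values)
    cb = CMPFUNC(guard.wrap(compare_ints, 0))   # keep a reference while qsort runs
    libc.qsort(arr, len(values), ctypes.sizeof(ctypes.c_int), cb)
    return list(arr), guard.calls, guard.error


if __name__ == "__main__":
    sample = [5, 3, 1, 4, 2]                     # constructed input
    print(sort_with_budget(sample, 1000))        # sorted, a few comparisons, None
    print(sort_with_budget(sample, 1))           # budget hit: error recorded, no crash
```

With the budget exhausted the comparator answers "equal" for every remaining call, so `qsort` still returns cleanly and the multiset of elements is preserved; the recorded `RuntimeError` is what the caller checks afterwards, which is the role `count >= 100` plus `emu_stop()` plays in the Unicorn script.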

@wtdcode
Member Author

wtdcode commented Sep 22, 2020

Fixed in #1331

@wtdcode wtdcode closed this as completed Sep 22, 2020