Windows Emulator goes wrong...

Question

Windows Emulator goes wrong...

Closed this issue a year ago · 5 comments

When running code for Windows Dynamic analysis, seems the script is looking for the file to be present at '/Qu1cksc0pe-master/Systems/Windows/x86_windows' instead elsewhere. I then place the file in there and emulator still goes wrong. What shall be done?

python qu1cksc0pe.py --file malware.exe --watch

Error:

[x] 	'malware.exe' is not in the subpath of '/home/linux/Desktop/Qu1cksc0pe-master/Systems/Windows/x86_windows' OR one path is relative and the other is absolute.
Traceback (most recent call last):
  File "/home/linux/.local/lib/python3.9/site-packages/qiling/os/windows/windows.py", line 193, in hook_winapi
    api_func(ql, address, api_name)
  File "/home/linux/.local/lib/python3.9/site-packages/qiling/os/windows/fncc.py", line 26, in wrapper
    return ql.os.call(pc, func, params, onenter, onexit, passthru=passthru)
  File "/home/linux/.local/lib/python3.9/site-packages/qiling/os/os.py", line 187, in call
    targs, retval, retaddr = self.fcall.call(func, proto, args, onenter, onexit, passthru)
  File "/home/linux/.local/lib/python3.9/site-packages/qiling/os/fcall.py", line 159, in call
    retval = func(ql, pc, params)
  File "/home/linux/.local/lib/python3.9/site-packages/qiling/os/windows/dlls/kernel32/libloaderapi.py", line 110, in hook_GetModuleFileNameA
    return __GetModuleFileName(ql, address, params, wide=False)
  File "/home/linux/.local/lib/python3.9/site-packages/qiling/os/windows/dlls/kernel32/libloaderapi.py", line 88, in __GetModuleFileName
    vpath = ql.os.path.host_to_virtual_path(hpath)
  File "/home/linux/.local/lib/python3.9/site-packages/qiling/os/path.py", line 273, in host_to_virtual_path
    virtpath = self._cwd_anchor / resolved.relative_to(self._rootfs_path)
  File "/usr/lib/python3.9/pathlib.py", line 928, in relative_to
    raise ValueError("{!r} is not in the subpath of {!r}"
ValueError: 'malware.exe' is not in the subpath of '/home/linux/Desktop/M-Analysis/Qu1cksc0pe-master/Systems/Windows/x86_windows' OR one path is relative and the other is absolute.
[!] An error occurred while performing x86 emulation.

Answer 1 · 2023-06-15T19:51:41.000Z

Hmm did you entered absolute path of the file instead of using its name?
For example: /home/user/malware.exe
If your answer is yes what environment did you used? Docker, Venv or something?

By the way Qiling based dynamic analysis is unstable. It gave me lots of errors I'll need to take care of it

Answer 2 · 2023-06-16T01:38:28.000Z

Yeah, Both absolute path and filename tried, I even place the file inside Windows Folde, the issue seems to be due to kernel in ParrotOS? what do you think?

I manually installed from source;

Answer 3 · 2023-06-16T09:23:01.000Z

I'll look for how can i fix this issue. By the way If you want to help feel free to make a pull request :)

Answer 4 · 2023-06-16T14:31:06.000Z

I'll definitely help on this one :) I am having a look at what the issue might be, ok?

Answer 5 · 2023-06-16T15:17:04.000Z

Thank you very much for helping Qu1cksc0pe project :)