Can't relocate image, no relocation flag #23

Open
UnlimitedChild opened this issue Mar 1, 2021 · 10 comments

Comments

@UnlimitedChild

Hi,

This situation must be handled internally by the emulator. If you edit the header manually, the emulation hangs.

unicorn_pe cpuid.exe -disasm
BlackBone: Allocate: Allocating at address 0x000002A6F2DC0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x000002A6F2DD0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x000002A6F2DE0000 (0x4000 bytes)
BlackBone: ManualMap: Mapping image 'cpuid.exe' with flags 0x1d001
BlackBone: ManualMap: Loading new image 'cpuid.exe'
BlackBone: ManualMap: Image base allocated at 0x000002a6f2df0000
BlackBone: ManualMap: Performing image copy
BlackBone: ManualMap: Relocating image 'cpuid.exe'
BlackBone: ManualMap: Can't relocate image, no relocation flag
BlackBone: Free: Free at address 0x000002A6F2DF0000
BlackBone: Free: Free at address 0x000002A6F2DC0000
BlackBone: Free: Free at address 0x000002A6F2DD0000
BlackBone: Free: Free at address 0x000002A6F2DE0000
failed to MapImage

cpuid_.zip

@UnlimitedChild
Author

UnlimitedChild commented Apr 22, 2021

On the last update nothing works at all...

unicorn_pe cpuid.exe -disasm
BlackBone: Allocate: Allocating at address 0x0000027C75920000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x0000027C75930000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x0000027C75940000 (0x4000 bytes)
BlackBone: ManualMap: Mapping image 'cpuid' with flags 0x5d001
BlackBone: ManualMap: Failed to load image 'cpuid'/0x0000000000000000. Status 0xC0000034
failed to MapImage
BlackBone: Free: Free at address 0x0000027C75920000
BlackBone: Free: Free at address 0x0000027C75940000
BlackBone: Free: Free at address 0x0000027C75930000

When entering a file name, you need to enter the name in full with the extension, then it works!

@UnlimitedChild
Author

Build 22.04.2021

unicorn_pe cpuid.exe -disasm
BlackBone: Allocate: Allocating at address 0x000001F8CEEA0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x000001F8CEEB0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x000001F8CEEC0000 (0x4000 bytes)
BlackBone: ManualMap: Mapping image 'cpuid.exe' with flags 0x5d001
BlackBone: ManualMap: Loading new image 'cpuid.exe'
BlackBone: ManualMap: Image base allocated at 0x000001f8ceed0000
BlackBone: ManualMap: Performing image copy
BlackBone: ManualMap: Relocating image 'cpuid.exe'
BlackBone: ManualMap: Image does not use relocations
BlackBone: ManualMap: Loading new dependency 'kernel32.dll'
BlackBone: ManualMap: Dependency path resolved to 'C:\Windows\system32\kernel32.dll'
BlackBone: ManualMap: Loading new image 'C:\Windows\system32\kernel32.dll'
BlackBone: ManualMap: Image base allocated at 0x000001f8d0900000
BlackBone: ManualMap: Performing image copy
BlackBone: ManualMap: Relocating image 'c:\windows\system32\kernel32.dll'
BlackBone: ManualMap: Loading new dependency 'kernelbase.dll'
BlackBone: ManualMap: Dependency path resolved to 'c:\windows\system32\kernelbase.dll'
BlackBone: ManualMap: Loading new image 'c:\windows\system32\kernelbase.dll'
BlackBone: ManualMap: Image base allocated at 0x000001f8d3b80000
BlackBone: ManualMap: Performing image copy
BlackBone: ManualMap: Relocating image 'c:\windows\system32\kernelbase.dll'
BlackBone: ManualMap: Loading new dependency 'ntdll.dll'
BlackBone: ManualMap: Dependency path resolved to 'c:\windows\system32\ntdll.dll'
BlackBone: ManualMap: Loading new image 'c:\windows\system32\ntdll.dll'
BlackBone: ManualMap: Image base allocated at 0x000001f8d42e0000
BlackBone: ManualMap: Performing image copy
BlackBone: ManualMap: Relocating image 'c:\windows\system32\ntdll.dll'
BlackBone: ManualMap: Performing security cookie initializtion for image 'ntdll.dll'
BlackBone: ManualMap: Performing security cookie initializtion for image 'kernelbase.dll'
BlackBone: ManualMap: Performing security cookie initializtion for image 'kernel32.dll'
BlackBone: ManualMap: Loading new dependency 'msvcrt.dll'
BlackBone: ManualMap: Dependency path resolved to 'C:\Windows\system32\MSVCRT.dll'
BlackBone: ManualMap: Loading new image 'C:\Windows\system32\MSVCRT.dll'
BlackBone: ManualMap: Image base allocated at 0x000001f8d3a50000
BlackBone: ManualMap: Performing image copy
BlackBone: ManualMap: Relocating image 'c:\windows\system32\msvcrt.dll'
BlackBone: ManualMap: Performing security cookie initializtion for image 'msvcrt.dll'
BlackBone: Free: Decommit at address 0x000001F8D44CF000 (0x1000 bytes)
BlackBone: Free: Decommit at address 0x000001F8D3DFE000 (0x25000 bytes)
BlackBone: Free: Decommit at address 0x000001F8D09B1000 (0x1000 bytes)
BlackBone: Free: Decommit at address 0x000001F8D3AED000 (0x1000 bytes)
1f8ceed1000 enter 0x80, 0
1f8ceed1004 sub rsp, 0x200
1f8ceed100b lea rax, [rbp - 0xf8]
1f8ceed1012 mov qword ptr [rbp - 0x78], rax
1f8ceed1016 mov rcx, qword ptr [rbp - 0x78]
1f8ceed101a call 0x1f8ceed17a0
1f8ceed17a0 mov r11, rbx
1f8ceed17a3 mov r10, rcx
1f8ceed17a6 xor rax, rax
1f8ceed17a9 cpuid
1f8ceed17ab mov dword ptr [r10], ebx
1f8ceed17ae mov dword ptr [r10 + 4], edx
1f8ceed17b2 mov dword ptr [r10 + 8], ecx
1f8ceed17b6 mov byte ptr [r10 + 0xc], 0
1f8ceed17bb mov rbx, r11
1f8ceed17be ret
1f8ceed101f mov rcx, qword ptr [rip + 0x10b1]
1f8ceed1026 call 0x1f8ceed17c0
1f8ceed17c0 enter 0x80, 0
1f8ceed17c4 sub rsp, 0x80
1f8ceed17cb mov qword ptr [rbp - 0x78], r14
1f8ceed17cf mov qword ptr [rbp - 0x80], r15
1f8ceed17d3 mov r14, rcx
1f8ceed17d6 mov rax, r14
1f8ceed17d9 sub rax, 1
1f8ceed17dd add rax, 1
1f8ceed17e1 cmp byte ptr [rax], 0
UC_MEM_READ_UNMAPPED from 1400020d4
UC_MEM_READ_UNMAPPED rip at cpuid.exe+17e1

BlackBone: ManualMap: Unmapping image 'cpuid.exe'
BlackBone: Free: Free at address 0x000001F8CEED0000
BlackBone: ManualMap: Unmapping image 'msvcrt.dll'
BlackBone: Free: Free at address 0x000001F8D3A50000
BlackBone: ManualMap: Unmapping image 'kernel32.dll'
BlackBone: Free: Free at address 0x000001F8D0900000
BlackBone: ManualMap: Unmapping image 'kernelbase.dll'
BlackBone: Free: Free at address 0x000001F8D3B80000
BlackBone: ManualMap: Unmapping image 'ntdll.dll'
BlackBone: Free: Free at address 0x000001F8D42E0000
uc_emu_start return: 0
entrypoint return: 1400020d4
last rip: 1f8ceed17e1 (cpuid.exe+17e1)
BlackBone: Free: Free at address 0x000001F8CEEA0000
BlackBone: Free: Free at address 0x000001F8CEEC0000
BlackBone: Free: Free at address 0x000001F8CEEB0000

This message - UC_MEM_READ_UNMAPPED - appears on any file.

@hzqst
Owner

hzqst commented Apr 23, 2021

looks like the cpuid.exe is mapped at wrong address (1f8ceed0000 instead of 140000000)?
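
Added example, not code from unicorn_pe or BlackBone: a small PE32+ checker in Python showing what "Can't relocate image, no relocation flag" in the first log and `UC_MEM_READ_UNMAPPED from 1400020d4` in the later one have in common. The mapper allocated the image at 0x1f8ceed0000 rather than at its preferred ImageBase; moving an image needs its base relocation directory, and an image linked without one (IMAGE_FILE_RELOCS_STRIPPED set, empty IMAGE_DIRECTORY_ENTRY_BASERELOC) cannot be fixed up, so every absolute pointer baked into it keeps pointing at the old base. The code parses the header fields that decide this, applies IMAGE_REL_BASED_DIR64 fixups when relocation data exists and refuses otherwise. Assumptions: the toy image is constructed inline (it is not cpuid.exe); 0x140000000 as the preferred base and 0x1f8ceed0000 as the allocated base are taken from the log above; reading 0x1400020d4 as preferred base + 0x20d4 is my interpretation of that log, not something the thread confirms.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # IMAGE_FILE_HEADER.Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # OptionalHeader.DllCharacteristics
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5
IMAGE_REL_BASED_ABSOLUTE = 0
IMAGE_REL_BASED_DIR64 = 10
MASK64 = (1 << 64) - 1


def parse_headers(image):
    """Header fields that decide whether a PE32+ image can be moved off ImageBase.
    `image` is a memory image (RVA == offset), i.e. what a mapper holds after the copy."""
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if bytes(image[e_lfanew:e_lfanew + 4]) != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER is 20 bytes; Characteristics is its last WORD
    characteristics = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)[6]
    opt = e_lfanew + 24                                   # IMAGE_OPTIONAL_HEADER64
    if struct.unpack_from("<H", image, opt)[0] != 0x20B:
        raise ValueError("only PE32+ is handled here")
    (image_base,) = struct.unpack_from("<Q", image, opt + 24)
    (dll_characteristics,) = struct.unpack_from("<H", image, opt + 70)
    (ndirs,) = struct.unpack_from("<I", image, opt + 108)
    reloc_rva = reloc_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_BASERELOC:
        reloc_rva, reloc_size = struct.unpack_from(
            "<II", image, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    return {"image_base": image_base,
            "relocs_stripped": bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED),
            "dynamic_base": bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
            "reloc_rva": reloc_rva, "reloc_size": reloc_size}


def can_rebase(image):
    """A mapper can only move the image if it ships a non-empty .reloc directory."""
    return parse_headers(image)["reloc_size"] > 0


def rebase(image, new_base):
    """Apply IMAGE_REL_BASED_DIR64 fixups so absolute pointers follow the new base.
    Raises when loaded away from ImageBase without relocation data (the mapper's failure case)."""
    h = parse_headers(image)
    delta = new_base - h["image_base"]
    out = bytearray(image)
    if delta == 0:
        return out                                        # at preferred base: nothing to fix
    if h["reloc_size"] == 0:
        raise RuntimeError("no relocation data; cannot rebase by 0x%x" % (delta & MASK64))
    pos, end = h["reloc_rva"], h["reloc_rva"] + h["reloc_size"]
    while pos + 8 <= end:                                 # IMAGE_BASE_RELOCATION blocks
        page_rva, block_size = struct.unpack_from("<II", out, pos)
        if block_size < 8:
            raise ValueError("malformed relocation block")
        for off in range(pos + 8, pos + block_size, 2):   # WORD entries: type:4 | offset:12
            entry = struct.unpack_from("<H", out, off)[0]
            typ, page_off = entry >> 12, entry & 0xFFF
            if typ == IMAGE_REL_BASED_ABSOLUTE:
                continue                                  # alignment padding entry
            if typ != IMAGE_REL_BASED_DIR64:
                raise ValueError("unsupported relocation type %d" % typ)
            where = page_rva + page_off
            val = struct.unpack_from("<Q", out, where)[0]
            struct.pack_into("<Q", out, where, (val + delta) & MASK64)
        pos += block_size
    return out


def read_qword(image, rva):
    return struct.unpack_from("<Q", image, rva)[0]


def is_mapped(image, base, address):
    """Does `address` fall inside the image when it is mapped at `base`?"""
    return base <= address < base + len(image)


def build_image(image_base, with_relocs):
    """Constructed toy PE32+ memory image (sample data, not a real binary). The qword at
    RVA 0x1010 is an absolute pointer to ImageBase+0x20D4, like one a `mov rcx, [rip+disp]` loads."""
    img = bytearray(0x3000)
    e_lfanew, opt = 0x80, 0x80 + 24
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    characteristics = 0x0022                              # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    if not with_relocs:
        characteristics |= IMAGE_FILE_RELOCS_STRIPPED
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x8664, 0, 0, 0, 0, 240, characteristics)
    struct.pack_into("<H", img, opt, 0x20B)
    struct.pack_into("<Q", img, opt + 24, image_base)
    struct.pack_into("<I", img, opt + 56, len(img))       # SizeOfImage
    struct.pack_into("<H", img, opt + 70, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE if with_relocs else 0)
    struct.pack_into("<I", img, opt + 108, 16)            # NumberOfRvaAndSizes
    struct.pack_into("<Q", img, 0x1010, image_base + 0x20D4)
    if with_relocs:                                       # one .reloc block covering page 0x1000
        struct.pack_into("<IIHH", img, 0x1800, 0x1000, 12, (IMAGE_REL_BASED_DIR64 << 12) | 0x10, 0)
        struct.pack_into("<II", img, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC, 0x1800, 12)
    return bytes(img)
```

For the stripped image `rebase` raises and the pointer 0x1400020d4 lies outside the range allocated at 0x1f8ceed0000, which is the situation the emulator reports as an unmapped read; for the image with a .reloc directory the same pointer becomes 0x1f8ceed20d4 after the fixup. Clearing IMAGE_FILE_RELOCS_STRIPPED by hand does not change this: without relocation entries there is nothing to apply, so a mapper can only place such an image at its ImageBase or fail, as the first log does.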

@UnlimitedChild
Author

unicorn_pe XOR_20200817194428.exe_20200829_162834.vmp.exe -disasm
BlackBone: Allocate: Allocating at address 0x000001BC4DC90000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x000001BC4DCA0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x000001BC4DCC0000 (0x4000 bytes)
BlackBone: ManualMap: Mapping image 'XOR_20200817194428.exe_20200829_162834.vmp.exe' with flags 0x5d001
BlackBone: ManualMap: Loading new image 'XOR_20200817194428.exe_20200829_162834.vmp.exe'
BlackBone: ManualMap: Image base allocated at 0x000001bc4f540000
BlackBone: ManualMap: Performing image copy
BlackBone: ManualMap: Relocating image 'xor_20200817194428.exe_20200829_162834.vmp.exe'
BlackBone: ManualMap: Image does not use relocations
1bc4f541000 jmp 0x1bc4f57a103
1bc4f57a103 push 0x2babe72
1bc4f57a108 call 0x1bc4f5f3319
1bc4f5f3319 push r13
1bc4f5f331b jmp 0x1bc4f574608
1bc4f574608 pushfq
1bc4f574609 stc
1bc4f57460a cmp r8, 0x22040e88
1bc4f574611 push r8
1bc4f574613 push rbp
1bc4f574614 not r8b
1bc4f574617 push rdi
1bc4f574618 push rax
1bc4f574619 movsxd r8, r12d
1bc4f57461c shl r8w, 0xd
1bc4f574621 push r15
1bc4f574623 sub r8b, r9b
1bc4f574626 inc r8b
1bc4f574629 push r14
1bc4f57462b adc edi, esp
1bc4f57462d push rdx
1bc4f57462e push rsi
1bc4f57462f xor r8b, r15b
1bc4f574632 push r11
1bc4f574634 btc si, r10w
1bc4f574639 or esi, r11d
1bc4f57463c push r12
1bc4f57463e push r10
1bc4f574640 push rcx
1bc4f574641 mov r10b, r12b
1bc4f574644 push rbx
1bc4f574645 push r9
1bc4f574647 or r9, 0x41962761
1bc4f57464e test r12d, 0x391771bc
1bc4f574655 bsf r11, r11
1bc4f574659 movabs r8, 0
1bc4f574663 stc
1bc4f574664 push r8
1bc4f574666 mov dil, 0x20
1bc4f574669 shl r11b, 0xf7
1bc4f57466d sar r10, 0xa
1bc4f574671 mov rdi, qword ptr [rsp + 0x90]
1bc4f574679 shr r11w, cl
1bc4f57467d clc
1bc4f57467e not edi
1bc4f574680 movsx esi, r13w
1bc4f574684 add edi, 0x1f430407
1bc4f57468a movzx si, r14b
1bc4f57468f bswap edi
1bc4f574691 add edi, 0x6bfd5f9b
1bc4f574697 add rdi, r8
1bc4f57469a sar si, 0xee
1bc4f57469e mov r11, rsp
1bc4f5746a1 sub rsp, 0x140
1bc4f5746a8 and rsp, 0xfffffffffffffff0
1bc4f5746af cmp r15w, bx
1bc4f5746b3 mov r9, rdi
1bc4f5746b6 or si, r9w
1bc4f5746ba rol sil, cl
1bc4f5746bd btc r10, r9
1bc4f5746c1 movabs r8, 0
1bc4f5746cb sub r9, r8
1bc4f5746ce rcl sil, 0xf7
1bc4f5746d2 sal r10, 0xce
1bc4f5746d6 neg r10b
1bc4f5746d9 lea rsi, [rip - 7]
1bc4f5746e0 sbb r10b, 0xe2
1bc4f5746e4 mov r10d, dword ptr [rdi]
UC_MEM_READ_UNMAPPED from 42e7b7
UC_MEM_READ_UNMAPPED rip at xor_20200817194428.exe_20200829_162834.vmp.exe+346e4

BlackBone: ManualMap: Unmapping image 'xor_20200817194428.exe_20200829_162834.vmp.exe'
BlackBone: Free: Free at address 0x000001BC4F540000
uc_emu_start return: 0
entrypoint return: 0
last rip: 1bc4f5746e4 (xor_20200817194428.exe_20200829_162834.vmp.exe+346e4)
BlackBone: Free: Free at address 0x000001BC4DC90000
BlackBone: Free: Free at address 0x000001BC4DCC0000
BlackBone: Free: Free at address 0x000001BC4DCA0000

@UnlimitedChild
Author

unicorn_pe procexp.exe -disasm

1778d85ec3b je 0x1778d85ec45
1778d85ec45 cmp r8, r12
1778d85ec48 je 0x1778d85ed27
1778d85ec4e mov esi, dword ptr [rbp]
1778d85ec51 mov rbx, qword ptr [r14 + rsi*8 + 0x151948]
1778d85ec59 test rbx, rbx
1778d85ec5c je 0x1778d85ec6c
1778d85ec6c mov r14, qword ptr [r14 + rsi*8 + 0xfe5f8]
1778d85ec74 xor edx, edx
1778d85ec76 mov rcx, r14
1778d85ec79 mov r8d, 0x800
1778d85ec7f call qword ptr [rip + 0x2b933]
UC_MEM_FETCH_PROT from ntdll.dll+2a1b0
UC_MEM_FETCH_PROT rip at ntdll.dll+2a1b0
BlackBone: ManualMap: Unmapping image 'procexp.exe'

BlackBone: Free: Free at address 0x000001778D7B0000
BlackBone: ManualMap: Unmapping image 'psapi.dll'
BlackBone: Free: Free at address 0x0000017794520000
BlackBone: ManualMap: Unmapping image 'winhttp.dll'
BlackBone: Free: Free at address 0x0000017794430000
BlackBone: ManualMap: Unmapping image 'comdlg32.dll'
BlackBone: Free: Free at address 0x0000017794360000
BlackBone: ManualMap: Unmapping image 'uxtheme.dll'
BlackBone: Free: Free at address 0x0000017793AB0000
BlackBone: ManualMap: Unmapping image 'wtsapi32.dll'
BlackBone: Free: Free at address 0x00000177939A0000
BlackBone: ManualMap: Unmapping image 'aclui.dll'
BlackBone: Free: Free at address 0x00000177924D0000
BlackBone: ManualMap: Unmapping image 'xmllite.dll'
BlackBone: Free: Free at address 0x0000017793460000
BlackBone: ManualMap: Unmapping image 'oleaut32.dll'
BlackBone: Free: Free at address 0x00000177938D0000
BlackBone: ManualMap: Unmapping image 'ole32.dll'
BlackBone: Free: Free at address 0x00000177935C0000
BlackBone: ManualMap: Unmapping image 'shell32.dll'
BlackBone: Free: Free at address 0x0000017792D70000
BlackBone: ManualMap: Unmapping image 'cryptsp.dll'
BlackBone: Free: Free at address 0x00000177942E0000
BlackBone: ManualMap: Unmapping image 'windows.storage.dll'
BlackBone: Free: Free at address 0x0000017793B60000
BlackBone: ManualMap: Unmapping image 'kernel.appcore.dll'
BlackBone: Free: Free at address 0x0000017794C80000
BlackBone: ManualMap: Unmapping image 'powrprof.dll'
BlackBone: Free: Free at address 0x0000017794B80000
BlackBone: ManualMap: Unmapping image 'umpdc.dll'
BlackBone: Free: Free at address 0x0000017794BD0000
BlackBone: ManualMap: Unmapping image 'shcore.dll'
BlackBone: Free: Free at address 0x0000017794AD0000
BlackBone: ManualMap: Unmapping image 'profapi.dll'
BlackBone: Free: Free at address 0x0000017794A70000
BlackBone: ManualMap: Unmapping image 'ntdsapi.dll'
BlackBone: Free: Free at address 0x0000017792D20000
uc_emu_start return: 8
entrypoint return: 22
last rip: 1778d85ec7f (procexp.exe+aec7f)

@UnlimitedChild
Author

unicorn_pe Autoruns64.exe -disasm

28a35712b60 sub rsp, 0x98
28a35712b67 lea rcx, [rsp + 0x20]
28a35712b6c call qword ptr [rip + 0x158f6]
UC_MEM_FETCH_UNMAPPED from kernelbase.dll+c7f0
UC_MEM_FETCH_UNMAPPED rip at kernelbase.dll+c7f0
BlackBone: ManualMap: Unmapping image 'autoruns64.exe'

@UnlimitedChild
Author

unicorn_pe cpudata.exe -disasm
BlackBone: Allocate: Allocating at address 0x00000183791B0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000183791C0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000183791D0000 (0x4000 bytes)
BlackBone: ManualMap: Mapping image 'cpudata.exe' with flags 0x5d001
BlackBone: ManualMap: Loading new image 'cpudata.exe'
BlackBone: ManualMap: Image base allocated at 0x000001837aad0000
BlackBone: ManualMap: Performing image copy
BlackBone: ManualMap: Relocating image 'cpudata.exe'
BlackBone: ManualMap: Loading new dependency 'kernel32.dll'
BlackBone: ManualMap: Dependency path resolved to 'C:\Windows\system32\kernel32.dll'
BlackBone: ManualMap: Loading new image 'C:\Windows\system32\kernel32.dll'

BlackBone: Free: Free at address 0x00000183791D0000
LdrLoadDllByName failed to MapImage dxcore.dll, status C0000034
BlackBone: Allocate: Allocating at address 0x00000183791B0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000183791C0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000183791D0000 (0x4000 bytes)
BlackBone: ManualMap: Mapping image 'dxcore.dll' with flags 0x1d001
BlackBone: ManualMap: Failed to load image 'dxcore.dll'/0x0000000000000000. Status 0xC0000034
BlackBone: Free: Free at address 0x00000183791B0000
BlackBone: Free: Free at address 0x00000183791C0000
BlackBone: Free: Free at address 0x00000183791D0000
LdrLoadDllByName failed to MapImage dxcore.dll, status C0000034
BlackBone: Allocate: Allocating at address 0x00000183791B0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000183791C0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000183791D0000 (0x4000 bytes)
BlackBone: ManualMap: Mapping image 'dxcore.dll' with flags 0x1d001
BlackBone: ManualMap: Failed to load image 'dxcore.dll'/0x0000000000000000. Status 0xC0000034
BlackBone: Free: Free at address 0x00000183791B0000
BlackBone: Free: Free at address 0x00000183791C0000
BlackBone: Free: Free at address 0x00000183791D0000
LdrLoadDllByName failed to MapImage dxcore.dll, status C0000034
BlackBone: Allocate: Allocating at address 0x00000183791B0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000183791C0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000183791D0000 (0x4000 bytes)
BlackBone: ManualMap: Mapping image 'dxcore.dll' with flags 0x1d001
BlackBone: ManualMap: Failed to load image 'dxcore.dll'/0x0000000000000000. Status 0xC0000034
BlackBone: Free: Free at address 0x00000183791B0000
BlackBone: Free: Free at address 0x00000183791C0000
BlackBone: Free: Free at address 0x00000183791D0000
LdrLoadDllByName failed to MapImage dxcore.dll, status C0000034
BlackBone: Allocate: Allocating at address 0x00000183791B0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000183791C0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000183791D0000 (0x4000 bytes)
BlackBone: ManualMap: Mapping image 'dxcore.dll' with flags 0x1d001
BlackBone: ManualMap: Failed to load image 'dxcore.dll'/0x0000000000000000. Status 0xC0000034
BlackBone: Free: Free at address 0x00000183791B0000
BlackBone: Free: Free at address 0x00000183791C0000
BlackBone: Free: Free at address 0x00000183791D0000
LdrLoadDllByName failed to MapImage dxcore.dll, status C0000034
BlackBone: Allocate: Allocating at address 0x00000183791B0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000183791C0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000183791D0000 (0x4000 bytes)
BlackBone: ManualMap: Mapping image 'dxcore.dll' with flags 0x1d001
BlackBone: ManualMap: Failed to load image 'dxcore.dll'/0x0000000000000000. Status 0xC0000034
BlackBone: Free: Free at address 0x00000183791B0000
BlackBone: Free: Free at address 0x00000183791C0000
BlackBone: Free: Free at address 0x00000183791D0000
LdrLoadDllByName failed to MapImage dxcore.dll, status C0000034
BlackBone: Allocate: Allocating at address 0x00000183791B0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000183791C0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000183791D0000 (0x4000 bytes)
BlackBone: ManualMap: Mapping image 'dxcore.dll' with flags 0x1d001
BlackBone: ManualMap: Failed to load image 'dxcore.dll'/0x0000000000000000. Status 0xC0000034
BlackBone: Free: Free at address 0x00000183791B0000
BlackBone: Free: Free at address 0x00000183791C0000
BlackBone: Free: Free at address 0x00000183791D0000
LdrLoadDllByName failed to MapImage dxcore.dll, status C0000034
BlackBone: Allocate: Allocating at address 0x00000183791B0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000183791C0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000183791D0000 (0x4000 bytes)
BlackBone: ManualMap: Mapping image 'dxcore.dll' with flags 0x1d001
BlackBone: ManualMap: Failed to load image 'dxcore.dll'/0x0000000000000000. Status 0xC0000034
BlackBone: Free: Free at address 0x00000183791B0000
BlackBone: Free: Free at address 0x00000183791C0000
BlackBone: Free: Free at address 0x00000183791D0000
LdrLoadDllByName failed to MapImage dxcore.dll, status C0000034
BlackBone: Allocate: Allocating at address 0x00000183791B0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000183791C0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000183791D0000 (0x4000 bytes)
BlackBone: ManualMap: Mapping image 'ext-ms-win-gdi-desktop-l1-1-0.dll' with flags 0x1d001
BlackBone: ManualMap: Failed to load image 'ext-ms-win-gdi-desktop-l1-1-0.dll'/0x0000000000000000. Status 0xC0000034
BlackBone: Free: Free at address 0x00000183791B0000
BlackBone: Free: Free at address 0x00000183791C0000
BlackBone: Free: Free at address 0x00000183791D0000
LdrLoadDllByName failed to MapImage ext-ms-win-gdi-desktop-l1-1-0.dll, status C0000034
BlackBone: ManualMap: Performing security cookie initializtion for image 'user32.dll'
BlackBone: ManualMap: Loading new dependency 'msvcrt.dll'
BlackBone: ManualMap: Dependency path resolved to 'C:\Windows\system32\MSVCRT.dll'
BlackBone: ManualMap: Loading new image 'C:\Windows\system32\MSVCRT.dll'
BlackBone: ManualMap: Image base allocated at 0x000001837dde0000
BlackBone: ManualMap: Performing image copy
BlackBone: ManualMap: Relocating image 'c:\windows\system32\msvcrt.dll'
BlackBone: ManualMap: Performing security cookie initializtion for image 'msvcrt.dll'
BlackBone: Free: Decommit at address 0x000001837DF05000 (0x1000 bytes)
BlackBone: Free: Decommit at address 0x000001837E373000 (0x1000 bytes)
BlackBone: Free: Decommit at address 0x000001837DE7D000 (0x1000 bytes)
BlackBone: Free: Decommit at address 0x000001837AADB000 (0x1000 bytes)
1837aad1000 enter 0x80, 0
1837aad1004 sub rsp, 0x60
1837aad1008 xor rcx, rcx
1837aad100b call qword ptr [rip + 0x3057]
UC_MEM_FETCH_UNMAPPED from kernelbase.dll+e090
UC_MEM_FETCH_UNMAPPED rip at kernelbase.dll+e090

BlackBone: ManualMap: Unmapping image 'cpudata.exe'
BlackBone: Free: Free at address 0x000001837AAD0000
BlackBone: ManualMap: Unmapping image 'msvcrt.dll'
BlackBone: Free: Free at address 0x000001837DDE0000
BlackBone: ManualMap: Unmapping image 'user32.dll'
BlackBone: Free: Free at address 0x000001837E1E0000
BlackBone: ManualMap: Unmapping image 'gdi32.dll'
BlackBone: Free: Free at address 0x000001837DEE0000
uc_emu_start return: 8
entrypoint return: 0
last rip: 1837aad100b (cpudata.exe+100b)

@UnlimitedChild
Author

UnlimitedChild commented Apr 23, 2021

looks like the cpuid.exe is mapped at wrong address (1f8ceed0000 instead of 140000000)?
Hi hzqst,

looks like, but I'm not sure, since the addresses don't always match.

OS: Windows 10, Version 1909 18363.418

@brandonros
Contributor

.\x64\Debug\unicorn_pe.exe 
BlackBone: PDB: Failed to load msdia140.dll, error 0x0000007e
BlackBone: PDB: blackbone::PDBHelper::Init: (CoCreateDiaDataSource()) failed with HRESULT 0x8007007e
BlackBone: PatternData: LdrProtectMrdata not found
usage: unicorn_pe (filename) [-k] [-disasm]
.\x64\Debug\unicorn_pe.exe C:\Users\Brandon\Desktop\redacted.exe
BlackBone: PDB: Failed to load msdia140.dll, error 0x0000007e
BlackBone: PDB: blackbone::PDBHelper::Init: (CoCreateDiaDataSource()) failed with HRESULT 0x8007007e
BlackBone: PatternData: LdrProtectMrdata not found
BlackBone: Allocate: Allocating at address 0x00000272C9910000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000272C9920000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000272C9930000 (0x4000 bytes)
BlackBone: ManualMap: Mapping image 'C:\Users\Brandon\Desktop\redacted.exe' with flags 0x5d001
BlackBone: ManualMap: Loading new image 'C:\Users\Brandon\Desktop\redacted.exe'
BlackBone: ManualMap: Image base allocated at 0x00000272cbc40000
BlackBone: ManualMap: Performing image copy
BlackBone: ManualMap: Relocating image 'c:\users\brandon\desktop\redacted.exe'
BlackBone: ManualMap: Can't relocate image, no relocation flag
BlackBone: Free: Free at address 0x00000272CBC40000
failed to MapImage
BlackBone: Free: Free at address 0x00000272C9910000
BlackBone: Free: Free at address 0x00000272C9930000
BlackBone: Free: Free at address 0x00000272C9920000
.\x64\Debug\unicorn_pe.exe -k C:\Users\Brandon\Desktop\redacted.exe 
BlackBone: PDB: Failed to load msdia140.dll, error 0x0000007e
BlackBone: PDB: blackbone::PDBHelper::Init: (CoCreateDiaDataSource()) failed with HRESULT 0x8007007e
BlackBone: PatternData: LdrProtectMrdata not found
BlackBone: Allocate: Allocating at address 0x000002423C840000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x000002423C850000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x000002423C860000 (0x4000 bytes)
BlackBone: ManualMap: Mapping image '-k' with flags 0x5d001
BlackBone: ManualMap: Failed to load image '-k'/0x0000000000000000. Status 0xC0000034
failed to MapImage
BlackBone: Free: Free at address 0x000002423C840000
BlackBone: Free: Free at address 0x000002423C860000
BlackBone: Free: Free at address 0x000002423C850000

@brandonros
Contributor

Could it be that Windows Defender hates the bundled BlackBone .sys file from a virus protection perspective?
