shellcode execution LDR error

[WBGlIl]

hexdump.hexdump(ql.mem.read(0x50000012C,0x100))
Python 3.9.5 (tags/v3.9.5:0a7dcbd, May  3 2021, 17:27:52) [MSC v.1928 64 bit (AMD64)]
Type 'copyright', 'credits' or 'license' for more information
IPython 7.24.1 -- An enhanced Interactive Python. Type '?' for help.
PyDev console: using IPython 7.24.1
00000000: 68 02 00 00 05 00 00 00  98 08 00 06 00 00 00 00  h...............
00000010: 00 00 00 80 01 00 00 00  00 00 00 00 00 00 00 00  ................
00000020: 00 00 00 00 00 00 00 00  3A 00 3C 00 00 00 00 00  ........:.<.....
00000030: F4 01 00 00 05 00 00 00  12 00 14 00 00 00 00 00  ................
00000040: 30 02 00 00 05 00 00 00  00 00 00 00 00 00 00 00  0...............
00000050: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000060: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000070: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000080: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000090: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000000A0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000000B0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000000C0: 00 00 00 00 00 00 00 00  43 00 3A 00 5C 00 57 00  ........C.:.\.W.
000000D0: 69 00 6E 00 64 00 6F 00  77 00 73 00 5C 00 53 00  i.n.d.o.w.s.\.S.
000000E0: 79 00 73 00 74 00 65 00  6D 00 33 00 32 00 5C 00  y.s.t.e.m.3.2.\.
000000F0: 6E 00 74 00 64 00 6C 00  6C 00 2E 00 64 00 6C 00  n.t.d.l.l...d.l.
print(ql.unpack64(ql.mem.read(0x50000012C, 8)))
21474837096
hexdump.hexdump(ql.mem.read(21474837096,0x100))
00000000: B0 03 00 00 05 00 00 00  2C 01 00 00 05 00 00 00  ........,.......
00000010: 00 00 20 80 01 00 00 00  00 00 00 00 00 00 00 00  .. .............
00000020: 00 00 00 00 00 00 00 00  40 00 42 00 00 00 00 00  ........@.B.....
00000030: 30 03 00 00 05 00 00 00  18 00 1A 00 00 00 00 00  0...............
00000040: 72 03 00 00 05 00 00 00  00 00 00 00 00 00 00 00  r...............
00000050: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000060: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000070: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000080: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000090: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000000A0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000000B0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000000C0: 00 00 00 00 00 00 00 00  43 00 3A 00 5C 00 57 00  ........C.:.\.W.
000000D0: 69 00 6E 00 64 00 6F 00  77 00 73 00 5C 00 53 00  i.n.d.o.w.s.\.S.
000000E0: 79 00 73 00 74 00 65 00  6D 00 33 00 32 00 5C 00  y.s.t.e.m.3.2.\.
000000F0: 6B 00 65 00 72 00 6E 00  65 00 6C 00 33 00 32 00  k.e.r.n.e.l.3.2.

LDR sequence error InLoadOrderLinks= ntdll, kernel32, ... InMemoryOrderLinks= ntdll,kernel32, ... InInitializationOrderLinks= ntdll, kernel32, ... (no process entry)

The correct order should be InLoadOrderLinks= process, ntdll, kernel32, ... InMemoryOrderLinks= process, ntdll,kernel32, ... InInitializationOrderLinks= ntdll, kernel32, ... (no process entry)

Forgive my bad english

[xwings]

Hi,

what is the issue ?

[WBGlIl]

@xwings There is a problem with the order of the linked list Some shellcodes cannot be run

[WBGlIl]

The first one should be the process itself instead of ntdll

[xwings]

can u please provide the full code so we can test?

[WBGlIl]

@xwings

from qiling import Qiling

file = open("w32-exec-calc-shellcode-esp-func.bin","rb")
X8664_WIN = file.read()
rootfs_x86 = "examples\\rootfs\\x86_windows"
ql = Qiling(code=X8664_WIN, archtype="x86", ostype="windows", rootfs=rootfs_x86)
ql.run()

test shellcode link https://github.com/peterferrie/win-exec-calc-shellcode/blob/master/build/bin/w32-exec-calc-shellcode-esp-func.bin

[xwings]

Close for now.

We updated the codebase for Qiling and Unicorn since this issue being posted.

Feel free to try the latest version.