elicn
commented
11 months ago Thanks for spotting this! I submitted a fix to a draft PR; please try it and let us know whether it fixes the prolem.
Closed FernandoDoming closed 11 months ago
elicn
commented
11 months ago Thanks for spotting this! I submitted a fix to a draft PR; please try it and let us know whether it fixes the prolem.
According to MS documentation the lpData parameter in RegQueryValue / RegQueryValueEx can be null.
In Qiling's implementation the lpData parameter is used without checking its value. See: https://github.com/qilingframework/qiling/blob/9a78d186c97d6ff42d7df31155dda2cd9e1a7fe3/qiling/os/windows/dlls/advapi32.py#L85
If the parameter is NULL an address with value 0 will be received in this line: https://github.com/qilingframework/qiling/blob/9a78d186c97d6ff42d7df31155dda2cd9e1a7fe3/qiling/os/windows/registry.py#L277-L278
causing the emulation to crash with an unmapped memory write error.