qilingframework / qiling

A True Instrumentable Binary Emulation Framework
https://qiling.io
GNU General Public License v2.0

DLL not automatically loaded. #1438

Closed fishfacegit closed 7 months ago

fishfacegit commented 7 months ago

Describe the bug user32.dll tries to call dword ptr [0x69eadabc] which is WIN32U.DLL::NtUserGetThreadState. WIN32U.DLL is not automatically loaded.

Expected behavior WIN32U.DLL should be loaded on demand. Alternatively show me a way to manually load this dll and add it to docs.

Screenshots

[=]     69e35319 [user32.dll           + 0x035319]  ff 15 bc da ea 69    call                 dword ptr [0x69eadabc]
[x]     CPU Context:
[x]     ah  : 0x0
[x]     al  : 0x0
[x]     ch  : 0x60
[x]     cl  : 0x0
[x]     dh  : 0x5a
[x]     dl  : 0x8
[x]     bh  : 0x5a
[x]     bl  : 0x8
[x]     ax  : 0x0
[x]     cx  : 0x6000
[x]     dx  : 0x5a08
[x]     bx  : 0x5a08
[x]     sp  : 0xbf40
[x]     bp  : 0xc198
[x]     si  : 0x8040
[x]     di  : 0x0
[x]     ip  : 0x1d2c
[x]     eax : 0x0
[x]     ecx : 0x6000
[x]     edx : 0x415a08
[x]     ebx : 0x415a08
[x]     esp : 0xffffbf40
[x]     ebp : 0xffffc198
[x]     esi : 0x8040
[x]     edi : 0x0
[x]     eip : 0xb1d2c
[x]     cr0 : 0x11
[x]     cr1 : 0x0
[x]     cr2 : 0x0
[x]     cr3 : 0x0
[x]     cr4 : 0x0
[x]     cr8 : 0x0
[x]     dr0 : 0x0
[x]     dr1 : 0x0
[x]     dr2 : 0x0
[x]     dr3 : 0x0
[x]     dr4 : 0x0
[x]     dr5 : 0x0
[x]     dr6 : 0xffff0ff0
[x]     dr7 : 0x400
[x]     st0 : 0x0
[x]     st1 : 0x0
[x]     st2 : 0x0
[x]     st3 : 0x0
[x]     st4 : 0x0
[x]     st5 : 0x0
[x]     st6 : 0x0
[x]     st7 : 0x0
[x]     eflags  : 0x46
[x]     cs  : 0x1b
[x]     ss  : 0x28
[x]     ds  : 0x28
[x]     es  : 0x28
[x]     fs  : 0x73
[x]     gs  : 0x7b
[x]     PC = 0x000b1d2c (unreachable)

[x]     Memory map:
[x]     Start        End          Perm    Label                                                                  Image
[x]     0000006000 - 000000c000   rwx     [FS]                                                                   
[x]     0000030000 - 0000031000   rwx     [GDT]                                                                  
[x]     0000400000 - 000080c000   rwx     27540e7ca4117cc858d253fa2575c5d060b20495410d27da135c91a28e0f22a8.exe   
[x]     0005000000 - 0005001000   rwx     [heap]                                                                 
[x]     0005001000 - 0005002000   rwx     [heap]                                                                 
[x]     0005002000 - 0005003000   rwx     [heap]                                                                 
[x]     0005003000 - 0005004000   rwx     [heap]                                                                 
[x]     0005004000 - 000501d000   rwx     [heap]                                                                 
[x]     0006000000 - 0007400000   rwx     [GS]                                                                   
[x]     0010000000 - 001006f000   rwx     mscoree.dll                                                            [.../rootfs/x86_windows/Windows/System32/mscoree.dll]
[x]     0011810000 - 0011930000   rwx     ucrtbase.dll                                                           .../rootfs/x86_windows/Windows/System32/ucrtbase.dll]
[x]     004b280000 - 004b423000   rwx     ntdll.dll                                                              [.../rootfs/x86_windows/Windows/System32/ntdll.dll]
[x]     004c300000 - 004c37b000   rwx     advapi32.dll                                                           [.../rootfs/x86_windows/Windows/System32/advapi32.dll]
[x]     004d500000 - 004d524000   rwx     gdi32.dll                                                              [.../rootfs/x86_windows/Windows/System32/gdi32.dll]
[x]     0069e00000 - 0069fa0000   rwx     user32.dll                                                             [.../rootfs/x86_windows/Windows/System32/USER32.DLL]
[x]     006b800000 - 006b8e5000   rwx     kernel32.dll                                                           [.../rootfs/x86_windows/Windows/System32/kernel32.dll]
[x]     006d930000 - 006d981000   rwx     winspool.drv                                                           [.../rootfs/x86_windows/Windows/System32/WINSPOOL.DRV]
[x]     007ffe0000 - 007ffe1000   rwx     [kuser shared data]                                                    
[x]     00fffdd000 - 00ffffe000   rwx     [stack]                                                                
[=]     emulation stopped.
elicn commented 7 months ago

You can load a DLL using:

ql.loader.load_dll('my_lib.dll')

The loading process will attempt to call DllMain and execute it on a best-effort basis. When DllMain does not complete successfully the emulation resumes anyway. Also, make sure the DLL resides somewhere under the rootfs directory.
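An added example, written here and not code from the qiling project or from either commenter, that applies this advice to the report above. It does two things: it parses the "Memory map" block qiling prints on a fault so the faulting PC (0xb1d2c in the report) and the call slot (0x69eadabc) can be attributed to a mapped image or flagged as unmapped, and it shows a run script that pre-loads the missing DLLs with ql.loader.load_dll() before ql.run() and hooks unmapped-memory accesses so the next unresolved dependency is reported with the same attribution. Qiling(), ql.loader.load_dll, ql.hook_mem_unmapped and ql.run are the public qiling API; ql.mem.get_mapinfo() and ql.arch.regs.arch_pc are assumed to be the 1.4-era names, and ROOTFS, SAMPLE and the sample memory map are constructed placeholders.

```python
"""Added example (not from the qiling project or the issue author).

Part 1: parse_memory_map / region_for / explain_pc work on the "Memory map"
        dump qiling prints when emulation stops and attribute an address to
        an image, so an "unreachable" PC can be tied to a never-loaded DLL.
Part 2: run_with_preloaded_dlls loads extra DLLs with ql.loader.load_dll()
        before ql.run(), as suggested above, and reports unmapped accesses.
"""
import re
from typing import List, NamedTuple, Optional


class Region(NamedTuple):
    start: int
    end: int
    perm: str
    label: str


# Constructed sample: a trimmed copy of the map format from the report above.
SAMPLE_MAP = """\
[x]     Start        End          Perm    Label          Image
[x]     0000006000 - 000000c000   rwx     [FS]
[x]     0000400000 - 000080c000   rwx     sample.exe
[x]     0069e00000 - 0069fa0000   rwx     user32.dll     [.../rootfs/x86_windows/Windows/System32/USER32.DLL]
[x]     006b800000 - 006b8e5000   rwx     kernel32.dll   [.../rootfs/x86_windows/Windows/System32/kernel32.dll]
"""

# One map row: "[x]  <start> - <end>  <perm>  <label>  [<image path>]"; the
# header row does not match because "Start" is not hex.
_ROW = re.compile(r"^\[x\]\s+([0-9a-fA-F]+)\s+-\s+([0-9a-fA-F]+)\s+(\S+)\s+(\S+)")


def parse_memory_map(text: str) -> List[Region]:
    """Turn the [x]-prefixed map dump into Region records."""
    regions = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            start, end, perm, label = m.groups()
            regions.append(Region(int(start, 16), int(end, 16), perm, label))
    return regions


def region_for(address: int, regions: List[Region]) -> Optional[Region]:
    """Return the region containing address, or None if it is unmapped."""
    for r in regions:
        if r.start <= address < r.end:
            return r
    return None


def explain_pc(pc: int, call_slot: int, regions: List[Region]) -> str:
    """Describe a faulting PC reached through an indirect call slot.

    A slot inside a mapped DLL whose target lands outside every mapped
    region is the signature of an import the loader never resolved.
    """
    slot_region = region_for(call_slot, regions)
    pc_region = region_for(pc, regions)
    if pc_region is not None:
        return f"pc {pc:#x} is inside {pc_region.label}"
    owner = slot_region.label if slot_region else "an unmapped address"
    return (f"pc {pc:#x} is unmapped; the call slot {call_slot:#x} belongs to "
            f"{owner}, so the DLL it imports from was not loaded")


def run_with_preloaded_dlls(sample: str, rootfs: str, dlls: List[str]) -> None:
    """Emulate `sample` after loading `dlls` by hand (each must live under rootfs)."""
    # Imported lazily so the parsing helpers above work without qiling installed.
    from qiling import Qiling

    ql = Qiling([sample], rootfs)
    for name in dlls:
        # DllMain runs on a best-effort basis; emulation continues if it fails.
        ql.loader.load_dll(name)

    def on_unmapped(ql, access, address, size, value):
        # Assumed 1.4-era API: get_mapinfo() yields (start, end, perm, label, image).
        live = [Region(s, e, p, l) for s, e, p, l, _ in ql.mem.get_mapinfo()]
        pc = ql.arch.regs.arch_pc
        ql.log.error(f"unmapped access at {address:#x}: {explain_pc(address, pc, live)}")
        return False  # let the fault stop emulation as before

    ql.hook_mem_unmapped(on_unmapped)
    ql.run()


if __name__ == "__main__":
    regions = parse_memory_map(SAMPLE_MAP)
    print(explain_pc(0xb1d2c, 0x69eadabc, regions))
    # Placeholders: point these at a real rootfs and PE to reproduce the fix.
    # run_with_preloaded_dlls("SAMPLE.exe", "ROOTFS/x86_windows", ["win32u.dll"])
```

Run the parsing part against the map copied from a qiling crash dump to confirm which image owns the call slot before deciding which DLL to pass to load_dll(); the hook keeps reporting in the same form once emulation resumes, so each further missing dependency shows up by name rather than as a bare "unreachable" PC.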