qilingframework / qiling

A True Instrumentable Binary Emulation Framework
https://qiling.io
GNU General Public License v2.0

Windows API Implementation: (Find/Load)Resource #163

Closed xwings closed 4 years ago

xwings commented 4 years ago

From: @0ssigeno

Still having an error with sample DHL_FORMAT. Another sample that I'm testing is emotet_1.zip, but I'm having problems with a real implementation of (Find/Load)Resource. Help is welcome.

learn-more commented 4 years ago

Most of the kernel32 resource functions are wrappers for the ntdll Ldr*Resource* functions, and those mostly operate on mapped files (that should be available when running in qiling).

If the imports from kernel32->ntdll were fixed, then the native functions would probably work most of the time.

What would be the preferred way?:

xwings commented 4 years ago

We are thinking of some way to fix the kernel DLL issue. I guess this will be another issue.
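As an added illustration of learn-more's point that the resource functions operate on the mapped file, the sketch below shows the lookup a (Find/Load)Resource emulation has to perform over the mapped `.rsrc` section: walk the type, name and language directories to a data entry, bounds-checking every offset because the samples are untrusted. It is example code, not Qiling's or the Windows implementation; all function names and the sample section are constructed for this example, and only integer IDs (not string names) are handled.

```python
import struct

SUBDIR = 0x80000000  # high bit of an entry's offset field: target is a subdirectory

def _lookup(rsrc, dir_off, wanted_id):
    """Return the offset field of the entry with integer id wanted_id, else None."""
    named, ids = struct.unpack_from("<HH", rsrc, dir_off + 12)
    for i in range(named + ids):
        ident, target = struct.unpack_from("<II", rsrc, dir_off + 16 + 8 * i)
        if ident == wanted_id:  # named entries carry the high bit, so never match
            return target
    return None

def find_resource(rsrc, type_id, name_id, lang_id):
    """Walk type -> name -> language; return (data_rva, size) or None."""
    off = 0
    try:
        for depth, wanted in enumerate((type_id, name_id, lang_id)):
            target = _lookup(rsrc, off, wanted)
            if target is None:
                return None
            # The first two levels must be directories, the third a leaf.
            if bool(target & SUBDIR) != (depth < 2):
                return None
            off = target & 0x7FFFFFFF
        data_rva, size = struct.unpack_from("<II", rsrc, off)
        return data_rva, size
    except struct.error:  # an offset pointed outside the section
        return None

def load_resource(rsrc, rsrc_rva, data_rva, size):
    """Return the resource bytes, or None if the data entry leaves the section."""
    start = data_rva - rsrc_rva
    if start < 0 or start + size > len(rsrc):
        return None
    return bytes(rsrc[start:start + size])

def build_sample(rsrc_rva=0x3000, payload=b"constructed-config"):
    """Constructed .rsrc section: RT_RCDATA (10) / id 101 / language 0x409."""
    hdr = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1)         # directory, one ID entry
    blob = hdr + struct.pack("<II", 10, SUBDIR | 0x18)     # 0x00: type level
    blob += hdr + struct.pack("<II", 101, SUBDIR | 0x30)   # 0x18: name level
    blob += hdr + struct.pack("<II", 0x409, 0x48)          # 0x30: language level
    blob += struct.pack("<IIII", rsrc_rva + 0x58, len(payload), 0, 0)  # 0x48: leaf
    return blob + payload                                  # 0x58: raw data
```

A truncated or malformed section makes `find_resource` return `None` instead of raising, which is the behaviour an emulated API hook needs when it maps failure to a NULL handle.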