Closed frozenkp closed 3 years ago
Hello, thanks for your interest. I'm afraid we never test our emulation against dotnet executables. Maybe the ABI is different from our current implementation.
Hi, thanks for your quick response. That’s too bad. Can you give me any advice to debug it? I’m not sure how to figure out the problem. :(
Pass verbose=QL_VERBOSE.DISASM and retrieve the debug log. You may find where PC goes to zero.
That's nice. I will try it later.
Try using the enhanced tracing; it would be easier to track.
from qiling import Qiling
from qiling.const import QL_VERBOSE
from qiling.extensions import trace

# TARGET: path of the PE to emulate; WINDOWS_ROOTFS: the x86_windows rootfs directory
ql = Qiling([TARGET], WINDOWS_ROOTFS, verbose=QL_VERBOSE.DEBUG)
trace.enable_full_trace(ql)  # log every executed instruction
ql.run()
If you want to save execution time, you can have it log a specified number of instructions before the crash (e.g. 32). In that case, replace the enable_full_trace line with:
trace.enable_history_trace(ql, 32)
Hi, thanks for your advice. It gives me more information about the executed instructions. However, after trying it, I still don't know what the problem is :( It shows the instructions as I expect, and they actually look fine. I think the problem may be in unicorn or mscoree.dll. I'm still trying to figure out how qiling works and looking for a possible solution.
Compared to my mscoree.dll, it looks fine, but it still doesn't make sense for an instruction that doesn't access memory to fail on an invalid memory access. I suspect that might be the stack pointer, but I can't tell from this partial screenshot. Could you please attach the full registers dump and the memory map that comes afterwards?
Here is the full log:
[+] Profile: Default
[+] Map GDT at 0x30000 with GDT_LIMIT=4096
[+] Write to 0x30018 for new entry b'\x00\xf0\x00\x00\x00\xfeO\x00'
[+] Write to 0x30028 for new entry b'\x00\xf0\x00\x00\x00\x96O\x00'
[+] Write to 0x30070 for new entry b'\x00`\x00`\x00\xf6@\x00'
[+] Write to 0x30078 for new entry b'\x00\x00\x00\x00\x00\xf6@\x06'
[+] Windows Registry PATH: /home/frozenkp/data/qiling/examples/rootfs/x86_windows/Windows/registry
[=] Initiate stack address at 0xfffdd000
[=] Loading Ransom.Thanos.exe to 0x400000
[=] PE entry point at 0x431f62
[=] TEB addr is 0x6000
[=] PEB addr is 0x6044
[=] Loading /home/frozenkp/data/qiling/examples/rootfs/x86_windows/Windows/System32/ntdll.dll to 0x10000000
[!] Warnings while loading /home/frozenkp/data/qiling/examples/rootfs/x86_windows/Windows/System32/ntdll.dll:
[!] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[!] - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[=] Done with loading /home/frozenkp/data/qiling/examples/rootfs/x86_windows/Windows/System32/ntdll.dll
[=] Loading /home/frozenkp/data/qiling/examples/rootfs/x86_windows/Windows/System32/kernel32.dll to 0x101a3000
[=] Done with loading /home/frozenkp/data/qiling/examples/rootfs/x86_windows/Windows/System32/kernel32.dll
[=] Loading /home/frozenkp/data/qiling/examples/rootfs/x86_windows/Windows/System32/mscoree.dll to 0x10288000
[=] Done with loading /home/frozenkp/data/qiling/examples/rootfs/x86_windows/Windows/System32/mscoree.dll
[+] Done with loading Ransom.Thanos.exe
[+] 00431f62 | ff2500204000 jmp dword ptr [0x402000] |
[+] 0x1029c330: _CorExeMain()
[+] 1029c330 | 8bff mov edi, edi | edi = 0x0
[+] ERROR: unmapped memory access at 0x0
[x]
[x] ah : 0x0
[x] al : 0x0
[x] ch : 0x0
[x] cl : 0x0
[x] dh : 0x0
[x] dl : 0x0
[x] bh : 0x0
[x] bl : 0x0
[x] ax : 0x0
[x] cx : 0x0
[x] dx : 0x0
[x] bx : 0x0
[x] sp : 0xd004
[x] bp : 0xd000
[x] si : 0x0
[x] di : 0x0
[x] ip : 0x0
[x] eax : 0x0
[x] ecx : 0x0
[x] edx : 0x0
[x] ebx : 0x0
[x] esp : 0xffffd004
[x] ebp : 0xffffd000
[x] esi : 0x0
[x] edi : 0x0
[x] eip : 0x0
[x] cr0 : 0x11
[x] cr1 : 0x0
[x] cr2 : 0x0
[x] cr3 : 0x0
[x] cr4 : 0x0
[x] cr5 : 0x0
[x] cr6 : 0x0
[x] cr7 : 0x0
[x] cr8 : 0x0
[x] cr9 : 0x0
[x] cr10 : 0x0
[x] cr11 : 0x0
[x] cr12 : 0x0
[x] cr13 : 0x0
[x] cr14 : 0x0
[x] cr15 : 0x0
[x] st0 : 0x0
[x] st1 : 0x0
[x] st2 : 0x0
[x] st3 : 0x0
[x] st4 : 0x0
[x] st5 : 0x0
[x] st6 : 0x0
[x] st7 : 0x0
[x] ef : 0x0
[x] cs : 0x1b
[x] ss : 0x28
[x] ds : 0x28
[x] es : 0x28
[x] fs : 0x73
[x] gs : 0x78
[x]
[x] PC = 0x0
[=]
[=] Start End Perm Label Image
[=] 00006000 - 0000c000 rwx [FS/GS]
[=] 00030000 - 00031000 rwx [GDT]
[=] 00400000 - 00436000 rwx [PE] Ransom.Thanos.exe
[=] 05000000 - 05001000 rwx [heap]
[=] 06000000 - 0c000000 rwx [FS/GS]
[=] 10000000 - 101a3000 rwx ntdll.dll /home/frozenkp/data/qiling/examples/rootfs/x86_windows/Windows/System32/ntdll.dll
[=] 101a3000 - 10288000 rwx kernel32.dll /home/frozenkp/data/qiling/examples/rootfs/x86_windows/Windows/System32/kernel32.dll
[=] 10288000 - 102da000 rwx mscoree.dll /home/frozenkp/data/qiling/examples/rootfs/x86_windows/Windows/System32/mscoree.dll
[=] fffdd000 - ffffe000 rwx [stack]
[x] Error: PC(0x0) Unreachable
Traceback (most recent call last):
File "run.py", line 28, in <module>
ql.run()
File "/home/frozenkp/.local/lib/python3.6/site-packages/qiling/core.py", line 755, in run
self.os.run()
File "/home/frozenkp/.local/lib/python3.6/site-packages/qiling/os/windows/windows.py", line 188, in run
self.ql.emu_start(self.ql.loader.entry_point, self.exit_point, self.ql.timeout, self.ql.count)
File "/home/frozenkp/.local/lib/python3.6/site-packages/qiling/core.py", line 896, in emu_start
self.uc.emu_start(begin, end, timeout, count)
File "/home/frozenkp/.local/lib/python3.6/site-packages/unicorn/unicorn.py", line 341, in emu_start
raise UcError(status)
unicorn.unicorn.UcError: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED)
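When a run ends in PC(0x0) Unreachable, the first question is which API stub the emulator entered last and whether the fault happened on that stub's very first instruction. The following helper is an added example (not part of the thread and not qiling's own code): it parses lines in the format of the DEBUG log above (API-entry, disassembly, register-dump and PC lines) and flags the pattern seen here, where PC drops to zero immediately after an API entry. The SAMPLE_LOG is a constructed excerpt, not the full log.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed excerpt in the format of the Qiling DEBUG log (not the full log).
SAMPLE_LOG = """\
[+] 00431f62 | ff2500204000 jmp dword ptr [0x402000] |
[+] 0x1029c330: _CorExeMain()
[+] 1029c330 | 8bff mov edi, edi | edi = 0x0
[+] ERROR: unmapped memory access at 0x0
[x] esp : 0xffffd004
[x] ebp : 0xffffd000
[x] esi : 0x0
[x] edi : 0x0
[x] eip : 0x0
[x] PC = 0x0
[x] Error: PC(0x0) Unreachable
"""

API_RE = re.compile(r"^\[\+\] 0x([0-9a-fA-F]+): (\w+)\(")                      # "[+] 0x...: name()"
INSN_RE = re.compile(r"^\[\+\] ([0-9a-fA-F]{8}) \| [0-9a-fA-F]+ ([^|]+?) \|")  # disassembly lines
REG_RE = re.compile(r"^\[x\] (\w+) : 0x([0-9a-fA-F]+)")                       # register dump lines
PC_RE = re.compile(r"^\[x\] PC = 0x([0-9a-fA-F]+)")
GPRS = ("eax", "ecx", "edx", "ebx", "esi", "edi", "eip")


def triage(log: str) -> Dict[str, object]:
    """Summarise a crashed run: last API stub entered, last instruction executed,
    final PC, zeroed registers, and a verdict on whether an API hook is suspect."""
    last_api: Optional[Tuple[int, str]] = None
    last_insn: Optional[Tuple[int, str]] = None
    regs: Dict[str, int] = {}
    pc: Optional[int] = None
    for line in log.splitlines():
        if m := API_RE.match(line):
            last_api = (int(m.group(1), 16), m.group(2))
        elif m := INSN_RE.match(line):
            last_insn = (int(m.group(1), 16), m.group(2).strip())
        elif m := REG_RE.match(line):
            regs[m.group(1)] = int(m.group(2), 16)
        elif m := PC_RE.match(line):
            pc = int(m.group(1), 16)
    zeroed = sorted(r for r in GPRS if regs.get(r) == 0)
    verdict = "ok"
    # PC == 0 while the last executed instruction is the first one of the last API
    # entered means the hook returned control to nowhere, not the emulated code itself.
    if pc == 0 and last_api and last_insn and last_insn[0] == last_api[0]:
        verdict = "PC reached 0 right after entering %s at %#x; inspect its hook" % last_api[::-1]
    return {"last_api": last_api, "last_insn": last_insn, "pc": pc,
            "zeroed": zeroed, "verdict": verdict}
```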
I ran it using Windbg. Here are the registers and memory mapping when reaching mov edi, edi. The values of the registers look different. I'm not familiar with dotnet binaries. I'm not sure whether these values matter at the beginning of this function. Anyway, you are right. It should not fail with an invalid memory access on an instruction that doesn't access memory. That's weird.
I searched through the code and found that _CorExeMain has a hook, but it is unimplemented (see: qiling/qiling/os/windows/dlls/mscoree.py). That explains why all registers (including eip) appear to be zeroed out upon entering the function.
Try commenting out the hook along with the decorator above it and give it another run.
That's it!! It works now. I really appreciate your help very much.
Describe the bug
When I ran an x86 Windows dotnet malware sample with qiling, it showed "Error: PC(0x0) Unreachable". I printed out the instructions using hook_code. It seems to crash in mscoree.dll -> _CorExeMain().

Sample Code

Expected behavior
I expect to see the full trace of the malware.

Screenshots

Additional context
Here are the first few lines of _CorExeMain(). It seems to crash at mov edi, edi or push esi. I've checked that the value of edi is 0 and the value of esp is 0xffffd004 when reaching mov edi, edi.