qilingframework / qiling

A True Instrumentable Binary Emulation Framework
https://qiling.io
GNU General Public License v2.0

I couldn't analyze even one software properly #836

Closed maskelihileci closed 2 years ago

maskelihileci commented 3 years ago

I've experimented with multiple pieces of software; each of them had separate errors. After I solved everything else, I still couldn't solve the errors I'm getting right now.

  1. Api-ms-win-crt problems

No program using these APIs could see the entry point. I did everything: I changed the files many times (there are multiple versions), and I could not solve the problem.

[INFO] ['C:\\pin-3.15-98253-gb56e429b1-msvc-windows\\pin\\TestVirtu.vmp_dump.exe'] (qilingida:ql_set_rootfs) [INFO] Rootfs: C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows (qilingida:ql_start) [INFO] Custom user script: C:\Python38\qiling-master\examples\extensions\idaplugin\custom_script.py (qilingida:ql_start) [INFO] Custom env: {} (qilingida:ql_start) [+] Profile: Default [+] Map GDT at 0x30000 with GDT_LIMIT=4096 [+] Write to 0x30018 for new entry b'\x00\xf0\x00\x00\x00\xfeO\x00' [+] Write to 0x30028 for new entry b'\x00\xf0\x00\x00\x00\x96O\x00' [+] Write to 0x30070 for new entry b'\x00\x00`\x00\xf6@\x00' [+] Write to 0x30078 for new entry b'\x00\x00\x00\x00\x00\xf6@\x06' [+] Windows Registry PATH: C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\registry [=] Initiate stack address at 0xfffdd000 [=] Loading C:\pin-3.15-98253-gb56e429b1-msvc-windows\pin\TestVirtu.vmp_dump.exe to 0x11b0000 [=] PE entry point at 0x11b1318 [=] TEB addr is 0x6000 [=] PEB addr is 0x6044 [=] Loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\ntdll.dll to 0x10000000 [!] Warnings while loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\ntdll.dll: [!] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8. [!] - AddressOfEntryPoint lies outside the sections' boundaries. 
AddressOfEntryPoint: 0x0 [=] Done with loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\ntdll.dll [=] Loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\kernel32.dll to 0x10182000 [=] Done with loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\kernel32.dll [=] Loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\vcruntime140.dll to 0x10257000 [=] Done with loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\vcruntime140.dll [=] Loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\api-ms-win-crt-stdio-l1-1-0.dll to 0x1026b000 [!] Warnings while loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\api-ms-win-crt-stdio-l1-1-0.dll: [!] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8. [!] - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0 [=] Done with loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\api-ms-win-crt-stdio-l1-1-0.dll [=] Loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\api-ms-win-crt-runtime-l1-1-0.dll to 0x1026f000 [!] Warnings while loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\api-ms-win-crt-runtime-l1-1-0.dll: [!] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8. [!] - AddressOfEntryPoint lies outside the sections' boundaries. 
AddressOfEntryPoint: 0x0 [=] Done with loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\api-ms-win-crt-runtime-l1-1-0.dll [=] Loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\api-ms-win-crt-heap-l1-1-0.dll to 0x10273000 [!] Warnings while loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\api-ms-win-crt-heap-l1-1-0.dll: [!] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8. [!] - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0 [=] Done with loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\api-ms-win-crt-heap-l1-1-0.dll [=] Loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\api-ms-win-crt-math-l1-1-0.dll to 0x10276000 [!] Warnings while loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\api-ms-win-crt-math-l1-1-0.dll: [!] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8. [!] - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0 [=] Done with loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\api-ms-win-crt-math-l1-1-0.dll [=] Loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\api-ms-win-crt-locale-l1-1-0.dll to 0x1027b000 [!] Warnings while loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\api-ms-win-crt-locale-l1-1-0.dll: [!] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8. [!] - AddressOfEntryPoint lies outside the sections' boundaries. 
AddressOfEntryPoint: 0x0 [=] Done with loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\api-ms-win-crt-locale-l1-1-0.dll [+] Done with loading C:\pin-3.15-98253-gb56e429b1-msvc-windows\pin\TestVirtu.vmp_dump.exe [INFO] Qiling is initialized successfully. (qilingida:ql_start) [INFO] C:\Python38\qiling-master\examples\extensions\idaplugin (qilingida:get_user_scripts_obj) [INFO] custom_script.py (qilingida:get_user_scripts_obj) [INFO] custom_script (qilingida:get_user_scripts_obj) [INFO] Custom user script is loaded successfully. (qilingida:ql_get_user_script) [=] Context before starting emulation: [=] ah : 0000000000000000 al : 0000000000000000 ch : 0000000000000000 [=] cl : 0000000000000000 dh : 0000000000000000 dl : 0000000000000000 [=] bh : 0000000000000000 bl : 0000000000000000 ax : 0000000000000000 [=] cx : 0000000000000000 dx : 0000000000000000 bx : 0000000000000000 [=] sp : 000000000000d000 bp : 000000000000d000 si : 0000000000000000 [=] di : 0000000000000000 ip : 0000000000000000 eax : 0000000000000000 [=] ecx : 0000000000000000 edx : 0000000000000000 ebx : 0000000000000000 [=] esp : 00000000ffffd000 ebp : 00000000ffffd000 esi : 0000000000000000 [=] edi : 0000000000000000 eip : 0000000000000000 cr0 : 0000000000000011 [=] cr1 : 0000000000000000 cr2 : 0000000000000000 cr3 : 0000000000000000 [=] cr4 : 0000000000000000 cr5 : 0000000000000000 cr6 : 0000000000000000 [=] cr7 : 0000000000000000 cr8 : 0000000000000000 cr9 : 0000000000000000 [=] cr10: 0000000000000000 cr11: 0000000000000000 cr12: 0000000000000000 [=] cr13: 0000000000000000 cr14: 0000000000000000 cr15: 0000000000000000 [=] st0 : 0000000000000000 st1 : 0000000000000000 st2 : 0000000000000000 [=] st3 : 0000000000000000 st4 : 0000000000000000 st5 : 0000000000000000 [=] st6 : 0000000000000000 st7 : 0000000000000000 ef : 0000000000000000 [=] cs : 000000000000001b ss : 0000000000000028 ds : 0000000000000028 [=] es : 0000000000000028 fs : 0000000000000073 gs : 
0000000000000078 [=] custom_continue hook. [=] ah : 0000000000000000 al : 0000000000000000 ch : 0000000000000000 [=] cl : 0000000000000000 dh : 0000000000000000 dl : 0000000000000000 [=] bh : 0000000000000000 bl : 0000000000000000 ax : 0000000000000000 [=] cx : 0000000000000000 dx : 0000000000000000 bx : 0000000000000000 [=] sp : 000000000000d000 bp : 000000000000d000 si : 0000000000000000 [=] di : 0000000000000000 ip : 0000000000000000 eax : 0000000000000000 [=] ecx : 0000000000000000 edx : 0000000000000000 ebx : 0000000000000000 [=] esp : 00000000ffffd000 ebp : 00000000ffffd000 esi : 0000000000000000 [=] edi : 0000000000000000 eip : 0000000000000000 cr0 : 0000000000000011 [=] cr1 : 0000000000000000 cr2 : 0000000000000000 cr3 : 0000000000000000 [=] cr4 : 0000000000000000 cr5 : 0000000000000000 cr6 : 0000000000000000 [=] cr7 : 0000000000000000 cr8 : 0000000000000000 cr9 : 0000000000000000 [=] cr10: 0000000000000000 cr11: 0000000000000000 cr12: 0000000000000000 [=] cr13: 0000000000000000 cr14: 0000000000000000 cr15: 0000000000000000 [=] st0 : 0000000000000000 st1 : 0000000000000000 st2 : 0000000000000000 [=] st3 : 0000000000000000 st4 : 0000000000000000 st5 : 0000000000000000 [=] st6 : 0000000000000000 st7 : 0000000000000000 ef : 0000000000000000 [=] cs : 000000000000001b ss : 0000000000000028 ds : 0000000000000028 [=] es : 0000000000000028 fs : 0000000000000073 gs : 0000000000000078 [+] 0x1019bf40: GetSystemTimeAsFileTime(lpSystemTimeAsFileTime = 0xffffcfe0) [+] 0x10195fb0: GetCurrentThreadId() = 0x0 [+] 0x10196820: GetCurrentProcessId() = 0x7cc [+] 0x10197fa0: QueryPerformanceCounter(lpPerformanceCount = 0xffffcfd8) = 0x0 [+] 0x1019ef90: IsProcessorFeaturePresent(ProcessorFeature = 0xa) = 0x1 [+] 0x10270b3e: _get_initial_narrow_environment() = 0x0 [+] 0x10270653: p_argv() = 0x5000a28 [+] pargc [+] 0x10270634: _pargc() = 0x5000a75 [+] 0x102745ed: malloc(size = 0x1) = 0x5000a79 [+] 0x1026c78e: acrt_iob_func(idx = 0x1) = 0x0 Hello World [+] 0x1026c801: 
stdio_common_vfprintf(_Options = 0x24, _Stream = 0, _Format = "Hello World \n", _Locale = 0, _ArgList = 0xffffcf9c) = 0xd [!] api system is not implemented [+] ERROR: unmapped memory access at 0x1 [x]

[x] ah : 0x0 [x] al : 0x1 [x] ch : 0xcf [x] cl : 0x9c [x] dh : 0xe0 [x] dl : 0x0 [x] bh : 0x0 [x] bl : 0x1 [x] ax : 0x1 [x] cx : 0xcf9c [x] dx : 0xe000 [x] bx : 0x1 [x] sp : 0xcfb0 [x] bp : 0xcffc [x] si : 0xa2c [x] di : 0x0 [x] ip : 0x160d [x] eax : 0x1 [x] ecx : 0xffffcf9c [x] edx : 0xffffe000 [x] ebx : 0x1 [x] esp : 0xffffcfb0 [x] ebp : 0xffffcffc [x] esi : 0x5000a2c [x] edi : 0x0 [x] eip : 0x1027160d [x] cr0 : 0x11 [x] cr1 : 0x0 [x] cr2 : 0x0 [x] cr3 : 0x0 [x] cr4 : 0x0 [x] cr5 : 0x0 [x] cr6 : 0x0 [x] cr7 : 0x0 [x] cr8 : 0x0 [x] cr9 : 0x0 [x] cr10 : 0x0 [x] cr11 : 0x0 [x] cr12 : 0x0 [x] cr13 : 0x0 [x] cr14 : 0x0 [x] cr15 : 0x0 [x] st0 : 0x0 [x] st1 : 0x0 [x] st2 : 0x0 [x] st3 : 0x0 [x] st4 : 0x0 [x] st5 : 0x0 [x] st6 : 0x0 [x] st7 : 0x0 [x] ef : 0x86 [x] cs : 0x1b [x] ss : 0x28 [x] ds : 0x28 [x] es : 0x28 [x] fs : 0x73 [x] gs : 0x78 [x]

[x] PC = 0x1027160d [x] (C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\api-ms-win-crt-runtime-l1-1-0.dll+0x260d) [=] Start End Perm Label Image [=] 00006000 - 0000c000 rwx [FS/GS]
[=] 00030000 - 00031000 rwx [GDT]
[=] 011b0000 - 0123f000 rwx [PE] C:\pin-3.15-98253-gb56e429b1-msvc-windows\pin\TestVirtu.vmp_dump.exe [=] 05000000 - 05001000 rwx [heap]
[=] 06000000 - 0c000000 rwx [FS/GS]
[=] 10000000 - 10182000 rwx ntdll.dll C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\ntdll.dll [=] 10182000 - 10257000 rwx kernel32.dll C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\kernel32.dll [=] 10257000 - 1026b000 rwx vcruntime140.dll C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\vcruntime140.dll [=] 1026b000 - 1026f000 rwx api-ms-win-crt-stdio-l1-1-0.dll C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\api-ms-win-crt-stdio-l1-1-0.dll [=] 1026f000 - 10273000 rwx api-ms-win-crt-runtime-l1-1-0.dll C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\api-ms-win-crt-runtime-l1-1-0.dll [=] 10273000 - 10276000 rwx api-ms-win-crt-heap-l1-1-0.dll C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\api-ms-win-crt-heap-l1-1-0.dll [=] 10276000 - 1027b000 rwx api-ms-win-crt-math-l1-1-0.dll C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\api-ms-win-crt-math-l1-1-0.dll [=] 1027b000 - 1027e000 rwx api-ms-win-crt-locale-l1-1-0.dll C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\api-ms-win-crt-locale-l1-1-0.dll [=] fffdd000 - ffffe000 rwx [stack]
[x] ['0x0', '0x0', '0x0', '0x0', '0x0', '0x0', '0x0', '0x0'] [=]

[=] 0x1027160d {api-ms-win-crt-runtime-l1-1-0.dll + 0x00260d} 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 add byte ptr [eax], al

add byte ptr [eax], al add byte ptr [eax], al add byte ptr [eax], al add byte ptr [eax], al add byte ptr [eax], al add byte ptr [eax], al add byte ptr [eax], al add byte ptr [eax], al add byte ptr [eax], al add byte ptr [eax], al add byte ptr [eax], al add byte ptr [eax], al add byte ptr [eax], al add byte ptr [eax], al add byte ptr [eax], al add byte ptr [eax], al add byte ptr [eax], al add byte ptr [eax], al add byte ptr [eax], al add byte ptr [eax], al add byte ptr [eax], al add byte ptr [eax], al add byte ptr [eax], al add byte ptr [eax], al add byte ptr [eax], al add byte ptr [eax], al add byte ptr [eax], al add byte ptr [eax], al add byte ptr [eax], al add byte ptr [eax], al add byte ptr [eax], al Traceback (most recent call last): File "G:/IDA Pro 7.5/plugins/qilingida.py", line 818, in activate self.action_handler.ql_handle_menu_action(self.action_type) File "G:/IDA Pro 7.5/plugins/qilingida.py", line 2117, in ql_handle_menu_action [x.handler() for x in self.menuitems if x.action == action] File "G:/IDA Pro 7.5/plugins/qilingida.py", line 2117, in [x.handler() for x in self.menuitems if x.action == action] File "G:/IDA Pro 7.5/plugins/qilingida.py", line 1097, in ql_continue self.qlemu.run() File "G:/IDA Pro 7.5/plugins/qilingida.py", line 934, in run self.ql.run(begin, end) File "C:\Users\You\AppData\Roaming\Python\Python38\site-packages\qiling\core.py", line 755, in run self.os.run() File "C:\Users\You\AppData\Roaming\Python\Python38\site-packages\qiling\os\windows\windows.py", line 188, in run self.ql.emu_start(self.ql.loader.entry_point, self.exit_point, self.ql.timeout, self.ql.count) File "C:\Users\You\AppData\Roaming\Python\Python38\site-packages\qiling\core.py", line 896, in emu_start self.uc.emu_start(begin, end, timeout, count) File "C:\Python38\lib\site-packages\unicorn\unicorn.py", line 341, in emu_start raise UcError(status) unicorn.unicorn.UcError: Invalid memory read (UC_ERR_READ_UNMAPPED)`

  2. We all know that the kernel32 API uses kernelbase.
    The software I'm analyzing now is packaged with VMProtect; maybe that's why the software doesn't work properly. But if the kernel32 API is called, the kernelbase API needs to be loaded as well.

INFO] ['C:\Users\You\Desktop\release\All.vmp.exe'] (qilingida:ql_set_rootfs) [INFO] Rootfs: C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows (qilingida:ql_start) [INFO] Custom user script: C:\Python38\qiling-master\examples\extensions\idaplugin\custom_script.py (qilingida:ql_start) [INFO] Custom env: {} (qilingida:ql_start) [+] Profile: Default [+] Map GDT at 0x30000 with GDT_LIMIT=4096 [+] Write to 0x30018 for new entry b'\x00\xf0\x00\x00\x00\xfeO\x00' [+] Write to 0x30028 for new entry b'\x00\xf0\x00\x00\x00\x96O\x00' [+] Write to 0x30070 for new entry b'\x00\x00\x00\xf6@\x00' [+] Write to 0x30078 for new entry b'\x00\x00\x00\x00\x00\xf6@\x06' [+] Windows Registry PATH: C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\registry [=] Initiate stack address at 0xfffdd000 [=] Loading C:\Users\You\Desktop\release\All.vmp.exe to 0x400000 [=] PE entry point at 0x406b78 [=] TEB addr is 0x6000 [=] PEB addr is 0x6044 [=] Loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\ntdll.dll to 0x10000000 [!] Warnings while loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\ntdll.dll: [!] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8. [!] - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0 [=] Done with loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\ntdll.dll [=] Loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\kernel32.dll to 0x10182000 [=] Done with loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\kernel32.dll [+] Done with loading C:\Users\You\Desktop\release\All.exe [INFO] Qiling is initialized successfully. 
(qilingida:ql_start) [INFO] C:\Python38\qiling-master\examples\extensions\idaplugin (qilingida:get_user_scripts_obj) [INFO] custom_script.py (qilingida:get_user_scripts_obj) [INFO] custom_script (qilingida:get_user_scripts_obj) [INFO] Custom user script is loaded successfully. (qilingida:ql_get_user_script) [=] Context before starting emulation: [=] ah : 0000000000000000 al : 0000000000000000 ch : 0000000000000000 [=] cl : 0000000000000000 dh : 0000000000000000 dl : 0000000000000000 [=] bh : 0000000000000000 bl : 0000000000000000 ax : 0000000000000000 [=] cx : 0000000000000000 dx : 0000000000000000 bx : 0000000000000000 [=] sp : 000000000000d000 bp : 000000000000d000 si : 0000000000000000 [=] di : 0000000000000000 ip : 0000000000000000 eax : 0000000000000000 [=] ecx : 0000000000000000 edx : 0000000000000000 ebx : 0000000000000000 [=] esp : 00000000ffffd000 ebp : 00000000ffffd000 esi : 0000000000000000 [=] edi : 0000000000000000 eip : 0000000000000000 cr0 : 0000000000000011 [=] cr1 : 0000000000000000 cr2 : 0000000000000000 cr3 : 0000000000000000 [=] cr4 : 0000000000000000 cr5 : 0000000000000000 cr6 : 0000000000000000 [=] cr7 : 0000000000000000 cr8 : 0000000000000000 cr9 : 0000000000000000 [=] cr10: 0000000000000000 cr11: 0000000000000000 cr12: 0000000000000000 [=] cr13: 0000000000000000 cr14: 0000000000000000 cr15: 0000000000000000 [=] st0 : 0000000000000000 st1 : 0000000000000000 st2 : 0000000000000000 [=] st3 : 0000000000000000 st4 : 0000000000000000 st5 : 0000000000000000 [=] st6 : 0000000000000000 st7 : 0000000000000000 ef : 0000000000000000 [=] cs : 000000000000001b ss : 0000000000000028 ds : 0000000000000028 [=] es : 0000000000000028 fs : 0000000000000073 gs : 0000000000000078 [=] custom_continue hook. 
[=] ah : 0000000000000000 al : 0000000000000000 ch : 0000000000000000 [=] cl : 0000000000000000 dh : 0000000000000000 dl : 0000000000000000 [=] bh : 0000000000000000 bl : 0000000000000000 ax : 0000000000000000 [=] cx : 0000000000000000 dx : 0000000000000000 bx : 0000000000000000 [=] sp : 000000000000d000 bp : 000000000000d000 si : 0000000000000000 [=] di : 0000000000000000 ip : 0000000000000000 eax : 0000000000000000 [=] ecx : 0000000000000000 edx : 0000000000000000 ebx : 0000000000000000 [=] esp : 00000000ffffd000 ebp : 00000000ffffd000 esi : 0000000000000000 [=] edi : 0000000000000000 eip : 0000000000000000 cr0 : 0000000000000011 [=] cr1 : 0000000000000000 cr2 : 0000000000000000 cr3 : 0000000000000000 [=] cr4 : 0000000000000000 cr5 : 0000000000000000 cr6 : 0000000000000000 [=] cr7 : 0000000000000000 cr8 : 0000000000000000 cr9 : 0000000000000000 [=] cr10: 0000000000000000 cr11: 0000000000000000 cr12: 0000000000000000 [=] cr13: 0000000000000000 cr14: 0000000000000000 cr15: 0000000000000000 [=] st0 : 0000000000000000 st1 : 0000000000000000 st2 : 0000000000000000 [=] st3 : 0000000000000000 st4 : 0000000000000000 st5 : 0000000000000000 [=] st6 : 0000000000000000 st7 : 0000000000000000 ef : 0000000000000000 [=] cs : 000000000000001b ss : 0000000000000028 ds : 0000000000000028 [=] es : 0000000000000028 fs : 0000000000000073 gs : 0000000000000078 [+] 0x1019bf40: GetSystemTimeAsFileTime(lpSystemTimeAsFileTime = 0xffffcfe0) [+] 0x10195fb0: GetCurrentThreadId() = 0x0 [+] 0x10196820: GetCurrentProcessId() = 0x7cc [+] 0x10197fa0: QueryPerformanceCounter(lpPerformanceCount = 0xffffcfd8) = 0x0 [+] 0x1019ef90: IsProcessorFeaturePresent(ProcessorFeature = 0xa) = 0x1 [=] Loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\api-ms-win-core-synch-l1-2-0.dll to 0x10257000 [!] Warnings while loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\api-ms-win-core-synch-l1-2-0.dll: [!] 
- SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8. [!] - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0 [=] Done with loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\api-ms-win-core-synch-l1-2-0.dll [+] 0x1019c2b0: LoadLibraryExW(lpLibFileName = "api-ms-win-core-synch-l1-2-0", hFile = 0, dwFlags = 0x800) = 0x10257000 [+] 0x1019c200: GetProcAddress(hModule = 0x10257000, lpProcName = "InitializeCriticalSectionEx") = 0x0 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x4354b8, dwSpinCount = 0xfa0) = 0x1 [=] Loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\api-ms-win-core-fibers-l1-1-1.dll to 0x1025a000 [!] Warnings while loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\api-ms-win-core-fibers-l1-1-1.dll: [!] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8. [!] - AddressOfEntryPoint lies outside the sections' boundaries. 
AddressOfEntryPoint: 0x0 [=] Done with loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\api-ms-win-core-fibers-l1-1-1.dll [+] 0x1019c2b0: LoadLibraryExW(lpLibFileName = "api-ms-win-core-fibers-l1-1-1", hFile = 0, dwFlags = 0x800) = 0x1025a000 [+] 0x1019c200: GetProcAddress(hModule = 0x1025a000, lpProcName = "FlsAlloc") = 0x0 [+] 0x1019f4b0: TlsAlloc() = 0x0 [+] 0x1019c200: GetProcAddress(hModule = 0x1025a000, lpProcName = "FlsSetValue") = 0x0 [+] 0x101970a0: TlsSetValue(dwTlsIndex = 0, lpTlsValue = 0x43548c) = 0x1 [+] 0x1019c2b0: LoadLibraryExW(lpLibFileName = "api-ms-win-core-synch-l1-2-0", hFile = 0, dwFlags = 0x800) = 0x10257000 [+] 0x1019c200: GetProcAddress(hModule = 0x10257000, lpProcName = "InitializeCriticalSectionEx") = 0x0 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x435540, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x435558, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x435570, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x435588, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x4355a0, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x4355b8, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x4355d0, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x4355e8, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x435600, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x435618, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x435630, dwSpinCount = 
0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x435648, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x435660, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x435678, dwSpinCount = 0xfa0) = 0x1 [+] 0x1019bf90: GetProcessHeap() = 0x5000000 [+] 0x1019c2b0: LoadLibraryExW(lpLibFileName = "api-ms-win-core-fibers-l1-1-1", hFile = 0, dwFlags = 0x800) = 0x1025a000 [+] 0x1019c200: GetProcAddress(hModule = 0x1025a000, lpProcName = "FlsAlloc") = 0x0 [+] 0x1019f4b0: TlsAlloc() = 0x1 [+] 0x10197f70: GetLastError() = 0x0 [+] 0x1019c200: GetProcAddress(hModule = 0x1025a000, lpProcName = "FlsGetValue") = 0x0 [+] 0x10195f90: TlsGetValue(dwTlsIndex = 0x1) = 0x0 [+] 0x1019c200: GetProcAddress(hModule = 0x1025a000, lpProcName = "FlsSetValue") = 0x0 [+] 0x101970a0: TlsSetValue(dwTlsIndex = 0x1, lpTlsValue = 0xffffffff) = 0x1 [+] 0x1021b0fe: HeapAlloc(hHeap = 0x5000000, dwFlags = 0x8, dwBytes = 0x364) = 0x50005f0 [+] 0x101970a0: TlsSetValue(dwTlsIndex = 0x1, lpTlsValue = 0x50005f0) = 0x1 [+] 0x1021802e: EnterCriticalSection(lpCriticalSection = 0x4355b8) = 0x0 [+] 0x1021bc6b: LeaveCriticalSection(lpCriticalSection = 0x4355b8) = 0x0 [+] 0x1021802e: EnterCriticalSection(lpCriticalSection = 0x4355a0) = 0x0 [+] 0x1021bc6b: LeaveCriticalSection(lpCriticalSection = 0x4355a0) = 0x0 [+] 0x101971c0: SetLastError(dwErrCode = 0) = 0x0 [+] 0x1021802e: EnterCriticalSection(lpCriticalSection = 0x4355e8) = 0x0 [+] 0x1021802e: EnterCriticalSection(lpCriticalSection = 0x4355e8) = 0x0 [+] 0x1021b0fe: HeapAlloc(hHeap = 0x5000000, dwFlags = 0x8, dwBytes = 0xe00) = 0x5000954 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5000954, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x500098c, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: 
InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x50009c4, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x50009fc, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5000a34, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5000a6c, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5000aa4, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5000adc, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5000b14, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5000b4c, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5000b84, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5000bbc, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5000bf4, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5000c2c, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5000c64, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5000c9c, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5000cd4, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5000d0c, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5000d44, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5000d7c, dwSpinCount = 0xfa0) = 0x1 
[+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5000db4, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5000dec, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5000e24, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5000e5c, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5000e94, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5000ecc, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5000f04, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5000f3c, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5000f74, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5000fac, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5000fe4, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x500101c, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5001054, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x500108c, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x50010c4, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x50010fc, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5001134, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x500116c, 
dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x50011a4, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x50011dc, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5001214, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x500124c, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5001284, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x50012bc, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x50012f4, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x500132c, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5001364, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x500139c, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x50013d4, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x500140c, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5001444, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x500147c, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x50014b4, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x50014ec, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5001524, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: 
InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x500155c, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5001594, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x50015cc, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5001604, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x500163c, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5001674, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x50016ac, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x50016e4, dwSpinCount = 0xfa0) = 0x1 [+] 0x101ab760: InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x500171c, dwSpinCount = 0xfa0) = 0x1 [+] 0x1021bc6b: LeaveCriticalSection(lpCriticalSection = 0x4355e8) = 0x0 [+] Writing Windows object StartupInfo [+] Writing to 4294954776 with value b'A\x00\x00\x00' [+] Writing to 4294954780 with value b'\x00\x00\x00\x00' [+] Writing to 4294954784 with value b'0\xc9\xc3\x00' [+] Writing to 4294954788 with value b'\x00\x00\x00\x00' [+] Writing to 4294954792 with value b'\x00\x00\x00\x00' [+] Writing to 4294954796 with value b'\x00\x00\x00\x00' [+] Writing to 4294954800 with value b'd\x00\x00\x00' [+] Writing to 4294954804 with value b'd\x00\x00\x00' [+] Writing to 4294954808 with value b'\x84\x00\x00\x00' [+] Writing to 4294954812 with value b'\x80\x00\x00\x00' [+] Writing to 4294954816 with value b'\xff\x00\x00\x00' [+] Writing to 4294954820 with value b'@\x00\x00\x00' [+] Writing to 4294954824 with value b'\x01\x00' [+] Writing to 4294954826 with value b'\x00\x00' [+] Writing to 4294954828 with value b'\x00\x00\x00\x00' [+] Writing to 4294954832 with value b'\xf6\xff\xff\xff' [+] Writing to 
4294954836 with value b'\xf5\xff\xff\xff' [+] Writing to 4294954840 with value b'\xf4\xff\xff\xff' [+] 0x1019fb30: GetStartupInfoW(lpStartupInfo = 0xffffcf18) = 0x0 [+] 0x1019fa70: GetStdHandle(nStdHandle = 0xfffffff6) = 0xfffffff6 [+] 0x101abb10: GetFileType(hFile = 0xfffffff6) = 0x2 [+] 0x1019fa70: GetStdHandle(nStdHandle = 0xfffffff5) = 0xfffffff5 [+] 0x101abb10: GetFileType(hFile = 0xfffffff5) = 0x2 [+] 0x1019fa70: GetStdHandle(nStdHandle = 0xfffffff4) = 0xfffffff4 [+] 0x101abb10: GetFileType(hFile = 0xfffffff4) = 0x2 [+] 0x1021bc6b: LeaveCriticalSection(lpCriticalSection = 0x4355e8) = 0x0 [+] 0x1019ff50: GetCommandLineA() = 0x5001754 [+] 0x1019ff90: GetCommandLineW() = 0x5001785 [+] 0x10195f90: TlsGetValue(dwTlsIndex = 0x1) = 0x50005f0 [+] 0x1021802e: EnterCriticalSection(lpCriticalSection = 0x4355b8) = 0x0 [+] 0x1021bc6b: LeaveCriticalSection(lpCriticalSection = 0x4355b8) = 0x0 [+] 0x1019d730: GetACP() = 0x1b5 [+] 0x1021b0fe: HeapAlloc(hHeap = 0x5000000, dwFlags = 0, dwBytes = 0x220) = 0x50017e5 [+] 0x1019fb80: IsValidCodePage(CodePage = 0x1b5) = 0x1 [+] 0x1019f620: GetCPInfo(CodePage = 0x1b5, lpCPInfo = 0xffffcf38) = 0x1 [+] 0x1019f620: GetCPInfo(CodePage = 0x1b5, lpCPInfo = 0xffffc800) = 0x1 [+] 0x101971a0: MultiByteToWideChar(CodePage = 0x1b5, dwFlags = 0x1, lpMultiByteStr = " \x01\x02\x03\x04\x05\x06\x07\x08\t\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f<\x07", cbMultiByte = 0x100, lpWideCharStr = 0, cchWideChar = 0) = 0x106 [+] 0x101971a0: MultiByteToWideChar(CodePage = 0x1b5, dwFlags = 0x1, lpMultiByteStr = " \x01\x02\x03\x04\x05\x06\x07\x08\t\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^`abcdefghijklmnopqrstuvwxyz{|}~\x7f<\x07", cbMultiByte = 0x100, lpWideCharStr = 0xffffc598, cchWideChar = 0x106) = 0x106 [+] 
0x1019c2d0: GetStringTypeW(dwInfoType = 0x1, lpSrcStr = 0xffffc598, cchSrc = 0x106, lpCharType = 0xffffc814) = 0x1 [+] 0x101971a0: MultiByteToWideChar(CodePage = 0x1b5, dwFlags = 0x1, lpMultiByteStr = " \x01\x02\x03\x04\x05\x06\x07\x08\t\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^abcdefghijklmnopqrstuvwxyz{|}~\x7f<\x07", cbMultiByte = 0x100, lpWideCharStr = 0, cchWideChar = 0) = 0x106 [+] 0x101971a0: MultiByteToWideChar(CodePage = 0x1b5, dwFlags = 0x1, lpMultiByteStr = " \x01\x02\x03\x04\x05\x06\x07\x08\t\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_abcdefghijklmnopqrstuvwxyz{|}~\x7f<\x07", cbMultiByte = 0x100, lpWideCharStr = 0xffffc548, cchWideChar = 0x106) = 0x106 [=] Loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\api-ms-win-core-localization-l1-2-1.dll to 0x1025d000 [!] Warnings while loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\api-ms-win-core-localization-l1-2-1.dll: [!] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8. [!] - AddressOfEntryPoint lies outside the sections' boundaries. 
AddressOfEntryPoint: 0x0 [=] Done with loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86windows\Windows\System32\api-ms-win-core-localization-l1-2-1.dll [+] 0x1019c2b0: LoadLibraryExW(lpLibFileName = "api-ms-win-core-localization-l1-2-1", hFile = 0, dwFlags = 0x800) = 0x1025d000 [+] 0x1019c200: GetProcAddress(hModule = 0x1025d000, lpProcName = "LCMapStringEx") = 0x0 [+] 0x1019c200: GetProcAddress(hModule = 0x1025d000, lpProcName = "LocaleNameToLCID") = 0x0 [+] 0x1019f2c0: LCMapStringW(Locale = 0, dwMapFlags = 0x100, lpSrcStr = " \x01\x02\x03\x04\x05\x06\x07\x08\t\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^abcdefghijklmnopqrstuvwxyz{|}~\x7f<\x07", cchSrc = 0x106, lpDestStr = 0, cchDest = 0) = 0x106 [+] 0x1019f2c0: LCMapStringW(Locale = 0, dwMapFlags = 0x100, lpSrcStr = " \x01\x02\x03\x04\x05\x06\x07\x08\t\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_abcdefghijklmnopqrstuvwxyz{|}~\x7f<\x07", cchSrc = 0x106, lpDestStr = 0xffffc328, cchDest = 0x106) = 0x106 [+] 0x10197f80: WideCharToMultiByte(CodePage = 0x1b5, dwFlags = 0, lpWideCharStr = " \x01\x02\x03\x04\x05\x06\x07\x08\t\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f<\x07", cchWideChar = 0x106, lpMultiByteStr = 0xffffcd14, cbMultiByte = 0x100, lpDefaultChar = 0, lpUsedDefaultChar = 0) = 0x106 [+] 0x101971a0: MultiByteToWideChar(CodePage = 0x1b5, dwFlags = 0x1, lpMultiByteStr = "<\x07", cbMultiByte = 0x2, lpWideCharStr = 0, cchWideChar = 0) = 0x6 [+] 0x101971a0: MultiByteToWideChar(CodePage = 0x1b5, dwFlags = 0x1, lpMultiByteStr = "<\x07", cbMultiByte = 0x2, lpWideCharStr = 0xffffc768, cchWideChar = 0x6) = 0x6 [+] 0x1019f2c0: LCMapStringW(Locale = 0, 
dwMapFlags = 0x200, lpSrcStr = "<\x07", cchSrc = 0x6, lpDestStr = 0, cchDest = 0) = 0x6 [+] 0x1019f2c0: LCMapStringW(Locale = 0, dwMapFlags = 0x200, lpSrcStr = "<\x07", cchSrc = 0x6, lpDestStr = 0xffffc748, cchDest = 0x6) = 0x6 [+] 0x10197f80: WideCharToMultiByte(CodePage = 0x1b5, dwFlags = 0, lpWideCharStr = "<\x07", cchWideChar = 0x6, lpMultiByteStr = 0xffffcc14, cbMultiByte = 0x100, lpDefaultChar = 0, lpUsedDefaultChar = 0) = 0x6 [+] 0x1021802e: EnterCriticalSection(lpCriticalSection = 0x4355b8) = 0x0 [+] 0x1021bc6b: LeaveCriticalSection(lpCriticalSection = 0x4355b8) = 0x0 [+] 0x1021802e: EnterCriticalSection(lpCriticalSection = 0x435570) = 0x0 [+] 0x1021b0fe: HeapAlloc(hHeap = 0x5000000, dwFlags = 0, dwBytes = 0x80) = 0x5001b45 [+] 0x1021bc6b: LeaveCriticalSection(lpCriticalSection = 0x435570) = 0x0 [+] 0x1019eea0: GetModuleFileNameW(hModule = 0, lpFilename = 0xffffcd5c, nSize = 0x105) = 0x60 [+] 0x1019c2b0: LoadLibraryExW(lpLibFileName = "kernel32", hFile = 0, dwFlags = 0x800) = 0x10182000 [+] 0x1019c200: GetProcAddress(hModule = 0x10182000, lpProcName = "AreFileApisANSI") = 0x101a4a90 [!] api AreFileApisANSI is not implemented [+] ERROR: unmapped memory access at 0x6b8809c4 [x]

[x] ah : 0x4a [x] al : 0x90 [x] ch : 0x4a [x] cl : 0x90 [x] dh : 0x0 [x] dl : 0x0 [x] bh : 0x0 [x] bl : 0x1 [x] ax : 0x4a90 [x] cx : 0x4a90 [x] dx : 0x0 [x] bx : 0x1 [x] sp : 0xcd1c [x] bp : 0xcd38 [x] si : 0x4a90 [x] di : 0x0 [x] ip : 0x4a90 [x] eax : 0x101a4a90 [x] ecx : 0x101a4a90 [x] edx : 0x0 [x] ebx : 0x1 [x] esp : 0xffffcd1c [x] ebp : 0xffffcd38 [x] esi : 0x101a4a90 [x] edi : 0x0 [x] eip : 0x101a4a90 [x] cr0 : 0x11 [x] cr1 : 0x0 [x] cr2 : 0x0 [x] cr3 : 0x0 [x] cr4 : 0x0 [x] cr5 : 0x0 [x] cr6 : 0x0 [x] cr7 : 0x0 [x] cr8 : 0x0 [x] cr9 : 0x0 [x] cr10 : 0x0 [x] cr11 : 0x0 [x] cr12 : 0x0 [x] cr13 : 0x0 [x] cr14 : 0x0 [x] cr15 : 0x0 [x] st0 : 0x0 [x] st1 : 0x0 [x] st2 : 0x0 [x] st3 : 0x0 [x] st4 : 0x0 [x] st5 : 0x0 [x] st6 : 0x0 [x] st7 : 0x0 [x] ef : 0x4 [x] cs : 0x1b [x] ss : 0x28 [x] ds : 0x28 [x] es : 0x28 [x] fs : 0x73 [x] gs : 0x78 [x]

```
[x] PC = 0x101a4a90
[x] (C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\kernel32.dll+0x22a90)
[=] Start      End        Perm  Label                                      Image
[=] 00006000 - 0000c000   rwx   [FS/GS]
[=] 00030000 - 00031000   rwx   [GDT]
[=] 00400000 - 004c9000   rwx   [PE]                                       C:\Users\You\Desktop\release\All.exe
[=] 05000000 - 05001000   rwx   [heap]
[=] 05001000 - 05002000   rwx   [heap]
[=] 06000000 - 0c000000   rwx   [FS/GS]
[=] 10000000 - 10182000   rwx   ntdll.dll                                  C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\ntdll.dll
[=] 10182000 - 10257000   rwx   kernel32.dll                               C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\kernel32.dll
[=] 10257000 - 1025a000   rwx   api-ms-win-core-synch-l1-2-0.dll           C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\api-ms-win-core-synch-l1-2-0.dll
[=] 1025a000 - 1025d000   rwx   api-ms-win-core-fibers-l1-1-1.dll          C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\api-ms-win-core-fibers-l1-1-1.dll
[=] 1025d000 - 10260000   rwx   api-ms-win-core-localization-l1-2-1.dll    C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\api-ms-win-core-localization-l1-2-1.dll
[=] fffdd000 - ffffe000   rwx   [stack]
[x] ['0xff', '0x25', '0xc4', '0x9', '0x88', '0x6b', '0xcc', '0xcc']
[=] 0x101a4a90 {kernel32.dll + 0x022a90} ff 25 c4 09 88 6b cc cc cc cc cc cc cc cc cc cc 8b ff 55 8b ec 5d ff 25 54 16 88 6b cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b ff 55 8b ec 5d ff 25 c4 16 88 6b cc cc cc cc
    jmp dword ptr [0x6b8809c4]
    int3 int3 int3 int3 int3 int3 int3 int3 int3 int3
    mov edi, edi
    push ebp
    mov ebp, esp
    pop ebp
    jmp dword ptr [0x6b881654]
    int3 int3 int3 int3 int3 int3 int3 int3 int3 int3 int3 int3 int3 int3 int3 int3 int3 int3 int3 int3
    mov edi, edi
    push ebp
    mov ebp, esp
    pop ebp
    jmp dword ptr [0x6b8816c4]
    int3 int3 int3 int3

Traceback (most recent call last):
  File "G:/IDA Pro 7.5/plugins/qilingida.py", line 818, in activate
    self.action_handler.ql_handle_menu_action(self.action_type)
  File "G:/IDA Pro 7.5/plugins/qilingida.py", line 2117, in ql_handle_menu_action
    [x.handler() for x in self.menuitems if x.action == action]
  File "G:/IDA Pro 7.5/plugins/qilingida.py", line 2117, in <listcomp>
    [x.handler() for x in self.menuitems if x.action == action]
  File "G:/IDA Pro 7.5/plugins/qilingida.py", line 1097, in ql_continue
    self.qlemu.run()
  File "G:/IDA Pro 7.5/plugins/qilingida.py", line 934, in run
    self.ql.run(begin, end)
  File "C:\Users\You\AppData\Roaming\Python\Python38\site-packages\qiling\core.py", line 755, in run
    self.os.run()
  File "C:\Users\You\AppData\Roaming\Python\Python38\site-packages\qiling\os\windows\windows.py", line 188, in run
    self.ql.emu_start(self.ql.loader.entry_point, self.exit_point, self.ql.timeout, self.ql.count)
  File "C:\Users\You\AppData\Roaming\Python\Python38\site-packages\qiling\core.py", line 896, in emu_start
    self.uc.emu_start(begin, end, timeout, count)
  File "C:\Python38\lib\site-packages\unicorn\unicorn.py", line 341, in emu_start
    raise UcError(status)
unicorn.unicorn.UcError: Invalid memory read (UC_ERR_READ_UNMAPPED)
```


  2. This time I spoiled myself and thought I'd analyze a driver. I don't understand exactly what caused the error this time. All I'm guessing is that "mov rdi, [r14+800h]" has no memory in the r14+800 partition; I still deserve a proper analysis.

    [INFO] ['C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\Testvmp.sys'] (qilingida:ql_set_rootfs) [INFO] Rootfs: C:\Python38\qiling-master\examples\scripts\examples\rootfs\x8664_windows (qilingida:ql_start) [INFO] Custom user script: C:\Python38\qiling-master\examples\extensions\idaplugin\custom_script.py (qilingida:ql_start) [INFO] Custom env: {} (qilingida:ql_start) [+] Profile: Default [+] Windows Registry PATH: C:\Python38\qiling-master\examples\scripts\examples\rootfs\x8664_windows\Windows\registry [=] Initiate stack address at 0x7ffffffde000 [=] Loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\Testvmp.sys to 0x10000 [=] PE entry point at 0x6a548 [=] Driver object addr is 0x6000000 [=] Registry path addr is 0x6000150 [=] EPROCESS is is 0x6000160 [=] KI_USER_SHARED_DATA is 0xfffff78000000000 [+] Setting up DriverEntry args [+] Setting RCX (arg1) to 6000000 (PDRIVER_OBJECT) [+] Setting RDX (arg2) to 6000150 (PUNICODE_STRING) [=] Loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x8664_windows\Windows\System32\ntdll.dll to 0x7ffff0000000 [!] Warnings while loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x8664_windows\Windows\System32\ntdll.dll: [!] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8. [!] - AddressOfEntryPoint lies outside the sections' boundaries. 
AddressOfEntryPoint: 0x0 [=] Done with loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x8664_windows\Windows\System32\ntdll.dll [=] Loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x8664_windows\Windows\System32\kernel32.dll to 0x7ffff01d1000 [=] Done with loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x8664_windows\Windows\System32\kernel32.dll [=] Loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x8664_windows\Windows\System32\ntoskrnl.exe to 0x7ffff027c000 [=] Done with loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x8664_windows\Windows\System32\ntoskrnl.exe [=] Loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x8664_windows\Windows\System32\fltmgr.sys to 0x7ffff0a9c000 [=] Done with loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x8664_windows\Windows\System32\fltmgr.sys [+] Done with loading C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\Testvmp.sys [INFO] Qiling is initialized successfully. (qilingida:ql_start) [INFO] C:\Python38\qiling-master\examples\extensions\idaplugin (qilingida:get_user_scripts_obj) [INFO] custom_script.py (qilingida:get_user_scripts_obj) [INFO] custom_script (qilingida:get_user_scripts_obj) [INFO] Custom user script is loaded successfully. 
(qilingida:ql_get_user_script) [=] Context before starting emulation: [=] ah : 0000000000000000 al : 0000000000000000 ch : 0000000000000000 [=] cl : 0000000000000000 dh : 0000000000000001 dl : 0000000000000050 [=] bh : 0000000000000000 bl : 0000000000000000 ax : 0000000000000000 [=] cx : 0000000000000000 dx : 0000000000000150 bx : 0000000000000000 [=] sp : 000000000000d000 bp : 000000000000d000 si : 0000000000000000 [=] di : 0000000000000000 ip : 0000000000000000 eax : 0000000000000000 [=] ecx : 0000000006000000 edx : 0000000006000150 ebx : 0000000000000000 [=] esp : 000000000001d000 ebp : 000000000001d000 esi : 0000000000000000 [=] edi : 0000000000000000 eip : 0000000000000000 rax : 0000000000000000 [=] rbx : 0000000000000000 rcx : 0000000006000000 rdx : 0000000006000150 [=] rsi : 0000000000000000 rdi : 0000000000000000 rbp : 000080000001d000 [=] rsp : 000080000001d000 r8 : 0000000000000000 r9 : 0000000000000000 [=] r10 : 0000000000000000 r11 : 0000000000000000 r12 : 0000000000000000 [=] r13 : 0000000000000000 r14 : 0000000000000000 r15 : 0000000000000000 [=] rip : 0000000000000000 cr0 : 0000000000000011 cr1 : 0000000000000000 [=] cr2 : 0000000000000000 cr3 : 0000000000000000 cr4 : 00000000000006f8 [=] cr5 : 0000000000000000 cr6 : 0000000000000000 cr7 : 0000000000000000 [=] cr8 : 0000000000000000 cr9 : 0000000000000000 cr10: 0000000000000000 [=] cr11: 0000000000000000 cr12: 0000000000000000 cr13: 0000000000000000 [=] cr14: 0000000000000000 cr15: 0000000000000000 st0 : 0000000000000000 [=] st1 : 0000000000000000 st2 : 0000000000000000 st3 : 0000000000000000 [=] st4 : 0000000000000000 st5 : 0000000000000000 st6 : 0000000000000000 [=] st7 : 0000000000000000 ef : 0000000000000000 cs : 0000000000000000 [=] ss : 0000000000000000 ds : 0000000000000000 es : 0000000000000000 [=] fs : 0000000000000000 gs : 0000000000000000 r8b : 0000000000000000 [=] r9b : 0000000000000000 r10b: 0000000000000000 r11b: 0000000000000000 [=] r12b: 0000000000000000 r13b: 0000000000000000 r14b: 
0000000000000000 [=] r15b: 0000000000000000 r8w : 0000000000000000 r9w : 0000000000000000 [=] r10w: 0000000000000000 r11w: 0000000000000000 r12w: 0000000000000000 [=] r13w: 0000000000000000 r14w: 0000000000000000 r15w: 0000000000000000 [=] r8d : 0000000000000000 r9d : 0000000000000000 r10d: 0000000000000000 [=] r11d: 0000000000000000 r12d: 0000000000000000 r13d: 0000000000000000 [=] r14d: 0000000000000000 r15d: 0000000000000000 fsbase: 0000000000000000 [=] gsbase: 0000000006000000 [=] custom_continue hook. [=] ah : 0000000000000000 al : 0000000000000000 ch : 0000000000000000 [=] cl : 0000000000000000 dh : 0000000000000001 dl : 0000000000000050 [=] bh : 0000000000000000 bl : 0000000000000000 ax : 0000000000000000 [=] cx : 0000000000000000 dx : 0000000000000150 bx : 0000000000000000 [=] sp : 000000000000d000 bp : 000000000000d000 si : 0000000000000000 [=] di : 0000000000000000 ip : 0000000000000000 eax : 0000000000000000 [=] ecx : 0000000006000000 edx : 0000000006000150 ebx : 0000000000000000 [=] esp : 000000000001d000 ebp : 000000000001d000 esi : 0000000000000000 [=] edi : 0000000000000000 eip : 0000000000000000 rax : 0000000000000000 [=] rbx : 0000000000000000 rcx : 0000000006000000 rdx : 0000000006000150 [=] rsi : 0000000000000000 rdi : 0000000000000000 rbp : 000080000001d000 [=] rsp : 000080000001d000 r8 : 0000000000000000 r9 : 0000000000000000 [=] r10 : 0000000000000000 r11 : 0000000000000000 r12 : 0000000000000000 [=] r13 : 0000000000000000 r14 : 0000000000000000 r15 : 0000000000000000 [=] rip : 0000000000000000 cr0 : 0000000000000011 cr1 : 0000000000000000 [=] cr2 : 0000000000000000 cr3 : 0000000000000000 cr4 : 00000000000006f8 [=] cr5 : 0000000000000000 cr6 : 0000000000000000 cr7 : 0000000000000000 [=] cr8 : 0000000000000000 cr9 : 0000000000000000 cr10: 0000000000000000 [=] cr11: 0000000000000000 cr12: 0000000000000000 cr13: 0000000000000000 [=] cr14: 0000000000000000 cr15: 0000000000000000 st0 : 0000000000000000 [=] st1 : 0000000000000000 st2 : 
0000000000000000 st3 : 0000000000000000 [=] st4 : 0000000000000000 st5 : 0000000000000000 st6 : 0000000000000000 [=] st7 : 0000000000000000 ef : 0000000000000000 cs : 0000000000000000 [=] ss : 0000000000000000 ds : 0000000000000000 es : 0000000000000000 [=] fs : 0000000000000000 gs : 0000000000000000 r8b : 0000000000000000 [=] r9b : 0000000000000000 r10b: 0000000000000000 r11b: 0000000000000000 [=] r12b: 0000000000000000 r13b: 0000000000000000 r14b: 0000000000000000 [=] r15b: 0000000000000000 r8w : 0000000000000000 r9w : 0000000000000000 [=] r10w: 0000000000000000 r11w: 0000000000000000 r12w: 0000000000000000 [=] r13w: 0000000000000000 r14w: 0000000000000000 r15w: 0000000000000000 [=] r8d : 0000000000000000 r9d : 0000000000000000 r10d: 0000000000000000 [=] r11d: 0000000000000000 r12d: 0000000000000000 r13d: 0000000000000000 [=] r14d: 0000000000000000 r15d: 0000000000000000 fsbase: 0000000000000000 [=] gsbase: 0000000006000000 [!] api RtlWriteRegistryValue is not implemented [+] ERROR: unmapped memory access at 0x800 [x]

[x] ah : 0xcf [x] al : 0x0 [x] ch : 0x0 [x] cl : 0x0 [x] dh : 0xce [x] dl : 0xc0 [x] bh : 0x0 [x] bl : 0x0 [x] ax : 0xcf00 [x] cx : 0x0 [x] dx : 0xcec0 [x] bx : 0x0 [x] sp : 0xce48 [x] bp : 0xcea1 [x] si : 0xcf38 [x] di : 0x0 [x] ip : 0x6856 [x] eax : 0x1cf00 [x] ecx : 0x0 [x] edx : 0x5cec0 [x] ebx : 0x0 [x] esp : 0x1ce48 [x] ebp : 0x1cea1 [x] esi : 0x1cf38 [x] edi : 0x0 [x] eip : 0xf0706856 [x] rax : 0x80000001cf00 [x] rbx : 0x0 [x] rcx : 0x0 [x] rdx : 0x5cec0 [x] rsi : 0x80000001cf38 [x] rdi : 0x0 [x] rbp : 0x80000001cea1 [x] rsp : 0x80000001ce48 [x] r8 : 0x46701 [x] r9 : 0x80000001cf38 [x] r10 : 0x0 [x] r11 : 0x80000001d000 [x] r12 : 0x1 [x] r13 : 0x0 [x] r14 : 0x0 [x] r15 : 0x5cec0 [x] rip : 0x7ffff0706856 [x] cr0 : 0x11 [x] cr1 : 0x0 [x] cr2 : 0x0 [x] cr3 : 0x0 [x] cr4 : 0x6f8 [x] cr5 : 0x0 [x] cr6 : 0x0 [x] cr7 : 0x0 [x] cr8 : 0x0 [x] cr9 : 0x0 [x] cr10 : 0x0 [x] cr11 : 0x0 [x] cr12 : 0x0 [x] cr13 : 0x0 [x] cr14 : 0x0 [x] cr15 : 0x0 [x] st0 : 0x0 [x] st1 : 0x0 [x] st2 : 0x0 [x] st3 : 0x0 [x] st4 : 0x0 [x] st5 : 0x0 [x] st6 : 0x0 [x] st7 : 0x0 [x] ef : 0x97 [x] cs : 0x0 [x] ss : 0x0 [x] ds : 0x0 [x] es : 0x0 [x] fs : 0x0 [x] gs : 0x0 [x] r8b : 0x1 [x] r9b : 0x38 [x] r10b : 0x0 [x] r11b : 0x0 [x] r12b : 0x1 [x] r13b : 0x0 [x] r14b : 0x0 [x] r15b : 0xc0 [x] r8w : 0x6701 [x] r9w : 0xcf38 [x] r10w : 0x0 [x] r11w : 0xd000 [x] r12w : 0x1 [x] r13w : 0x0 [x] r14w : 0x0 [x] r15w : 0xcec0 [x] r8d : 0x46701 [x] r9d : 0x1cf38 [x] r10d : 0x0 [x] r11d : 0x1d000 [x] r12d : 0x1 [x] r13d : 0x0 [x] r14d : 0x0 [x] r15d : 0x5cec0 [x] fsbase : 0x0 [x] gsbase : 0x6000000 [x]

```
[x] PC = 0x7ffff0706856
[x] (C:\Python38\qiling-master\examples\scripts\examples\rootfs\x8664_windows\Windows\System32\ntoskrnl.exe+0x48a856)
[=] Start          End            Perm  Label          Image
[=] 00010000     - 001aa000       rwx   [PE]           C:\Python38\qiling-master\examples\scripts\examples\rootfs\x86_windows\Windows\System32\Testvmp.sys
[=] 06000000     - 07400000       rwx   [GS]
[=] 500000000    - 500001000      rwx   [heap]
[=] 7ffff0000000 - 7ffff01d1000   rwx   ntdll.dll      C:\Python38\qiling-master\examples\scripts\examples\rootfs\x8664_windows\Windows\System32\ntdll.dll
[=] 7ffff01d1000 - 7ffff027c000   rwx   kernel32.dll   C:\Python38\qiling-master\examples\scripts\examples\rootfs\x8664_windows\Windows\System32\kernel32.dll
[=] 7ffff027c000 - 7ffff0a9c000   rwx   ntoskrnl.exe   C:\Python38\qiling-master\examples\scripts\examples\rootfs\x8664_windows\Windows\System32\ntoskrnl.exe
[=] 7ffff0a9c000 - 7ffff0afe000   rwx   fltmgr.sys     C:\Python38\qiling-master\examples\scripts\examples\rootfs\x8664_windows\Windows\System32\fltmgr.sys
[=] 7ffffffde000 - 80000001e000   rwx   [stack]
[x] ['0x49', '0x8b', '0xbe', '0x0', '0x8', '0x0', '0x0', '0x48']
[=] 0x00007ffff0706856 {ntoskrnl.exe + 0x48a856} 49 8b be 00 08 00 00 48 8b cf ff 47 14 e8 78 52 cc ff 45 33 ed 48 8b c8 48 85 c0 0f 84 48 01 00 00 41 8b 46 24 89 01 48 89 4d ef 48 85 c9 0f 84 74 31 12 00 c7 45 e7 00 00 0c 02 85 db 74 3b 83
    mov rdi, qword ptr [r14 + 0x800]
    mov rcx, rdi
    inc dword ptr [rdi + 0x14]
    call 0x7ffff03cbae0
    xor r13d, r13d
    mov rcx, rax
    test rax, rax
    je 0x7ffff07069bf
    mov eax, dword ptr [r14 + 0x24]
    mov dword ptr [rcx], eax
    mov qword ptr [rbp - 0x11], rcx
    test rcx, rcx
    je 0x7ffff08299fe
    mov dword ptr [rbp - 0x19], 0x20c0000
    test ebx, ebx
    je 0x7ffff07068d0

Traceback (most recent call last):
  File "G:/IDA Pro 7.5/plugins/qilingida.py", line 818, in activate
    self.action_handler.ql_handle_menu_action(self.action_type)
  File "G:/IDA Pro 7.5/plugins/qilingida.py", line 2117, in ql_handle_menu_action
    [x.handler() for x in self.menuitems if x.action == action]
  File "G:/IDA Pro 7.5/plugins/qilingida.py", line 2117, in <listcomp>
    [x.handler() for x in self.menuitems if x.action == action]
  File "G:/IDA Pro 7.5/plugins/qilingida.py", line 1097, in ql_continue
    self.qlemu.run()
  File "G:/IDA Pro 7.5/plugins/qilingida.py", line 934, in run
    self.ql.run(begin, end)
  File "C:\Users\You\AppData\Roaming\Python\Python38\site-packages\qiling\core.py", line 755, in run
    self.os.run()
  File "C:\Users\You\AppData\Roaming\Python\Python38\site-packages\qiling\os\windows\windows.py", line 188, in run
    self.ql.emu_start(self.ql.loader.entry_point, self.exit_point, self.ql.timeout, self.ql.count)
  File "C:\Users\You\AppData\Roaming\Python\Python38\site-packages\qiling\core.py", line 896, in emu_start
    self.uc.emu_start(begin, end, timeout, count)
  File "C:\Python38\lib\site-packages\unicorn\unicorn.py", line 341, in emu_start
    raise UcError(status)
unicorn.unicorn.UcError: Invalid memory read (UC_ERR_READ_UNMAPPED)
```


Windows version: Windows 10 1607 x64
IDA PRO 7.5 200728
Python 3.8

It has been my dream for this plugin to work properly

elicn commented 3 years ago

All three cases share the same root cause: the executables try to call a function that has no available hook. The error message says "[!] api ... is not implemented":
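A small triage helper for exactly this failure pattern, added here as an example and not code from the thread or from Qiling itself: it walks a Qiling log, pairs each "api X is not implemented" line with the unmapped-access error and faulting module that follow it, and emits a skeleton for the hook the user then has to register. The sample log is constructed from the lines in this issue (rootfs paths shortened to a placeholder), and the hook skeleton assumes the Qiling 1.x Windows hook convention (`@winsdkapi`, a `(ql, address, params)` hook, `ql.set_api`), which should be checked against the installed version.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Qiling log lines that matter when a run dies right after an unhooked API call.
RE_MISSING = re.compile(r"^\[!\] api (\w+) is not implemented$")
RE_UNMAPPED = re.compile(r"^\[\+\] ERROR: unmapped memory access at (0x[0-9a-fA-F]+)$")
RE_PC = re.compile(r"^\[x\] PC = (0x[0-9a-fA-F]+)$")
RE_MODULE = re.compile(r"^\[x\] \((.+?)\+(0x[0-9a-fA-F]+)\)$")


@dataclass
class MissingApi:
    """One unhooked API and the crash that followed it (if any)."""
    api: str
    fault_addr: Optional[int] = None
    pc: Optional[int] = None
    module: Optional[str] = None
    module_off: Optional[int] = None

    def hint(self) -> str:
        # Heuristic only. A tiny fault address is a field read off a register
        # that is still 0 (the driver case: r14 + 0x800 with r14 == 0); anything
        # else is a pointer the unhooked DLL code followed into memory Qiling
        # never mapped (the kernel32 case: jmp dword ptr [0x6b8809c4]).
        if self.fault_addr is None:
            return "no crash recorded after the missing hook"
        if self.fault_addr < 0x10000:
            return "near-NULL read: a struct field off an uninitialised register"
        return "read through an unmapped pointer inside the unhooked module code"


def triage(log: str) -> List[MissingApi]:
    """Pair every 'api X is not implemented' line with the error, PC and
    module lines that follow it in the log."""
    events: List[MissingApi] = []
    cur: Optional[MissingApi] = None
    for raw in log.splitlines():
        line = raw.strip()
        if (m := RE_MISSING.match(line)):
            cur = MissingApi(api=m.group(1))
            events.append(cur)
        elif cur is None:
            continue
        elif (m := RE_UNMAPPED.match(line)):
            cur.fault_addr = int(m.group(1), 16)
        elif (m := RE_PC.match(line)):
            cur.pc = int(m.group(1), 16)
        elif (m := RE_MODULE.match(line)):
            path, off = m.groups()
            cur.module = path.replace("\\", "/").rsplit("/", 1)[-1]
            cur.module_off = int(off, 16)
    return events


def hook_stub(api: str) -> str:
    """Skeleton for the hook a user adds for `api`. Assumption: Qiling 1.x
    Windows convention (@winsdkapi, (ql, address, params), ql.set_api);
    verify against the installed version's docs."""
    return (
        "from qiling.os.windows.fncc import *\n\n"
        "@winsdkapi(cc=STDCALL, params={})\n"
        f"def hook_{api}(ql, address, params):\n"
        f"    # TODO: declare {api}'s parameters above and return a sane value\n"
        "    return 0\n\n"
        f"ql.set_api('{api}', hook_{api})\n"
    )


# Constructed sample: the relevant lines from the two runs in this issue,
# with the long rootfs paths replaced by a placeholder.
SAMPLE_LOG = r"""
[+] 0x1019c200: GetProcAddress(hModule = 0x10182000, lpProcName = "AreFileApisANSI") = 0x101a4a90
[!] api AreFileApisANSI is not implemented
[+] ERROR: unmapped memory access at 0x6b8809c4
[x] PC = 0x101a4a90
[x] (C:\rootfs\x86_windows\Windows\System32\kernel32.dll+0x22a90)
[!] api RtlWriteRegistryValue is not implemented
[+] ERROR: unmapped memory access at 0x800
[x] PC = 0x7ffff0706856
[x] (C:\rootfs\x8664_windows\Windows\System32\ntoskrnl.exe+0x48a856)
"""

if __name__ == "__main__":
    for ev in triage(SAMPLE_LOG):
        print(f"{ev.api}: fault {ev.fault_addr:#x} in {ev.module}+{ev.module_off:#x} ({ev.hint()})")
        print(hook_stub(ev.api))
```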

xwings commented 3 years ago

https://docs.qiling.io/en/latest/faq/

xwings commented 2 years ago

Will you be able to try the latest version of Qiling and see if you still face the same issue? There has been a lot of rework since 2021. Feel free to open a new issue if you have any similar problem.