qilingframework / qiling

A True Instrumentable Binary Emulation Framework
https://qiling.io
GNU General Public License v2.0

Invalid memory write, read and fetch #851

Closed QWERTYz12 closed 1 year ago

QWERTYz12 commented 3 years ago

Hello, I'm trying to emulate malware files on a Windows OS to get their calls to the Windows API "GetProcAddress", but I am getting invalid memory write, read and fetch errors for different malware files. Here is my code:

import sys
import pefile
from qiling import *
from qiling.const import *
from capstone import *
from qiling.extensions import trace

def loader_pe(pe):
    """Disassemble the sample from its entry point onwards.

    The result is stored in the module-level name ``rdbin`` and also returned.

    Args:
        pe: parsed PE object exposing OPTIONAL_HEADER.AddressOfEntryPoint and
            get_memory_mapped_image().

    Returns:
        The value returned by capstone's ``disasm`` for the bytes that follow
        the entry point.
    """
    global rdbin
    ep_offset = pe.OPTIONAL_HEADER.AddressOfEntryPoint
    code = pe.get_memory_mapped_image()[ep_offset:]
    # NOTE(review): the mode is fixed to 32-bit x86 here, independent of the
    # machine type that check_arch() reports.
    disassembler = Cs(CS_ARCH_X86, CS_MODE_32)
    disassembler.detail = True
    # NOTE(review): 0x10000 is the address given to the first decoded
    # instruction; it is a constant, not the sample's image base plus entry
    # point, so printed addresses will not match the emulator log - confirm
    # that this is intended.
    rdbin = disassembler.disasm(code, 0x10000)
    return rdbin

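def check_arch(pe):
    """Print and return the bitness of a parsed PE file.

    Args:
        pe: parsed PE object exposing FILE_HEADER.Machine.

    Returns:
        32 for machine type 0x14c, 64 for machine type 0x8664.

    Raises:
        ValueError: for any other machine type. Without this branch the
            function failed on the print below with an unbound local, which
            hid the actual reason the sample was rejected.
    """
    machine = pe.FILE_HEADER.Machine
    if machine == 0x14c:  # IMAGE_FILE_MACHINE_I386
        bit = 32
    elif machine == 0x8664:  # IMAGE_FILE_MACHINE_AMD64
        bit = 64
    else:
        raise ValueError("[-] Unsupported PE machine type: %#x" % machine)
    print("[+] Sample is %s bit" % bit)
    return bit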

def GetProcAddress(ql, addr, params, retval):
    """Exit hook for GetProcAddress: print the parameters of each call.

    my_sandbox() registers this function with QL_INTERCEPT.EXIT, and it is
    called with four positional arguments. Only ``params`` is used; ``ql``,
    ``addr`` and ``retval`` are accepted and ignored.

    Returns:
        None. NOTE(review): presumably the emulated call's own return value is
        kept when the hook returns None - confirm against the Qiling version
        in use.
    """
    print(params)
    return None

def stop(ql):
    """Announce that the address was reached and halt the emulation.

    NOTE(review): nothing in this listing registers this function as a hook,
    so as written it is never called.

    Args:
        ql: emulator instance; its emu_stop() method is invoked.
    """
    message = "[+] Address found"
    print(message)
    ql.emu_stop()

def my_sandbox(path, rootfs):
    """Emulate a sample under Qiling and print its GetProcAddress calls.

    Args:
        path: argument list for the emulated program; the caller passes
            ``[exefile]``.
        rootfs: directory handed to Qiling as the emulated root filesystem.
    """
    emulator = Qiling(path, rootfs, verbose=QL_VERBOSE.DISASM)
    # Run the GetProcAddress hook defined in this file when the emulated API
    # call exits.
    emulator.set_api("GetProcAddress", GetProcAddress, QL_INTERCEPT.EXIT)
    # Restrict log output to lines matching this name; this also hides the
    # log lines that precede a crash.
    emulator.filter = "GetProcAddress"
    # NOTE(review): run() is called without a timeout, so a sample that loops
    # never returns control to this script.
    emulator.run()

### Main Program ###
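file = sys.argv[-1]
if __name__ == "__main__":
    # The sample path is the last command-line argument. With no argument,
    # sys.argv[-1] is this script itself, so reject that case explicitly.
    if len(sys.argv) < 2:
        sys.exit("usage: <script> <path-to-PE-sample>")
    exefile = sys.argv[-1]
    try:
        exe = pefile.PE(exefile)
    except (OSError, pefile.PEFormatError) as e:
        # Report unreadable and malformed samples alike, and exit non-zero so
        # that a rejected sample cannot be mistaken for a completed run.
        print(e)
        sys.exit(1)
    rdbin = loader_pe(exe)
    # NOTE(review): the bitness returned by check_arch() is not used; the
    # rootfs below is the 32-bit x86 one whatever the sample's machine type.
    check_arch(exe)
    my_sandbox([exefile], "examples/rootfs/x86_windows")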

and this is the error for my first file (md5: 8EF2555264822D604A8AAF16D8FCEC7D):

[+] Sample is 32 bit
[+]     Profile: Default
[+]     Map GDT at 0x30000 with GDT_LIMIT=4096
[+]     Write to 0x30018 for new entry b'\x00\xf0\x00\x00\x00\xfeO\x00'
[+]     Write to 0x30028 for new entry b'\x00\xf0\x00\x00\x00\x96O\x00'
[+]     Write to 0x30070 for new entry b'\x00`\x00`\x00\xf6@\x00'
[+]     Write to 0x30078 for new entry b'\x00\x00\x00\x00\x00\xf6@\x06'
[+]     Windows Registry PATH: examples/rootfs/x86_windows\Windows\registry
[=]     Initiate stack address at 0xfffdd000
[=]     Loading .\justificante_8726.exe to 0x400000
[=]     PE entry point at 0x401314
[=]     TEB addr is 0x6000
[=]     PEB addr is 0x6044
[=]     Loading examples/rootfs/x86_windows\Windows\System32\ntdll.dll to 0x10000000
[!]     Warnings while loading examples/rootfs/x86_windows\Windows\System32\ntdll.dll:
[!]      - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[!]      - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\ntdll.dll
[=]     Loading examples/rootfs/x86_windows\Windows\System32\kernel32.dll to 0x10175000
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\kernel32.dll
[=]     Loading examples/rootfs/x86_windows\Windows\System32\msvbvm60.dll to 0x10280000
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\msvbvm60.dll
[+]     Done with loading .\justificante_8726.exe
Traceback (most recent call last):
  File ".\github_qiling.py", line 56, in <module>
    my_sandbox([exefile], "examples/rootfs/x86_windows")
  File ".\github_qiling.py", line 41, in my_sandbox
    ql.run()
  File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\core.py", line 755, in run
    self.os.run()
  File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\os\windows\windows.py", line 188, in run
    self.ql.emu_start(self.ql.loader.entry_point, self.exit_point, self.ql.timeout, self.ql.count)
  File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\core.py", line 896, in emu_start
    self.uc.emu_start(begin, end, timeout, count)
  File "C:\Users\user\Desktop\xxx\lib\site-packages\unicorn\unicorn.py", line 341, in emu_start
    raise UcError(status)
unicorn.unicorn.UcError: Invalid memory write (UC_ERR_WRITE_UNMAPPED)

Besides this malware file, I have also tried other files, including Emotet (md5: B2EA9495D718E0F672D4B274D6DF7C07). That one did return the GetProcAddress API calls, but then fails with an invalid memory fetch error:

[+] Sample is 32 bit
[+]     Profile: Default
[+]     Map GDT at 0x30000 with GDT_LIMIT=4096
[+]     Write to 0x30018 for new entry b'\x00\xf0\x00\x00\x00\xfeO\x00'
[+]     Write to 0x30028 for new entry b'\x00\xf0\x00\x00\x00\x96O\x00'
[+]     Write to 0x30070 for new entry b'\x00`\x00`\x00\xf6@\x00'
[+]     Write to 0x30078 for new entry b'\x00\x00\x00\x00\x00\xf6@\x06'
[+]     Windows Registry PATH: examples/rootfs/x86_windows\Windows\registry
[=]     Initiate stack address at 0xfffdd000
[=]     Loading .\emotet.exe to 0x400000
[=]     PE entry point at 0x41fef1
[=]     TEB addr is 0x6000
[=]     PEB addr is 0x6044
[=]     Loading examples/rootfs/x86_windows\Windows\System32\ntdll.dll to 0x10000000
[!]     Warnings while loading examples/rootfs/x86_windows\Windows\System32\ntdll.dll:
[!]      - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[!]      - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\ntdll.dll
[=]     Loading examples/rootfs/x86_windows\Windows\System32\kernel32.dll to 0x10175000
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\kernel32.dll
[=]     Loading examples/rootfs/x86_windows\Windows\System32\user32.dll to 0x10280000
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\user32.dll
[=]     Loading examples/rootfs/x86_windows\Windows\System32\gdi32.dll to 0x10374000
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\gdi32.dll
[=]     Loading examples/rootfs/x86_windows\Windows\System32\comdlg32.dll to 0x103f6000
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\comdlg32.dll
[=]     Loading examples/rootfs/x86_windows\Windows\System32\winspool.drv to 0x10471000
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\winspool.drv
[=]     Loading examples/rootfs/x86_windows\Windows\System32\advapi32.dll to 0x104c2000
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\advapi32.dll
[=]     Loading examples/rootfs/x86_windows\Windows\System32\comctl32.dll to 0x10562000
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\comctl32.dll
[=]     Loading examples/rootfs/x86_windows\Windows\System32\shlwapi.dll to 0x105e6000
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\shlwapi.dll
[=]     Loading examples/rootfs/x86_windows\Windows\System32\oledlg.dll to 0x1063d000
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\oledlg.dll
[=]     Loading examples/rootfs/x86_windows\Windows\System32\ole32.dll to 0x10659000
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\ole32.dll
[=]     Loading examples/rootfs/x86_windows\Windows\System32\oleaut32.dll to 0x107b5000
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\oleaut32.dll
[+]     Done with loading .\emotet.exe
{'hModule': 269963264, 'lpProcName': 'FlsAlloc'}
{'hModule': 269963264, 'lpProcName': 'FlsGetValue'}
{'hModule': 269963264, 'lpProcName': 'FlsSetValue'}
{'hModule': 269963264, 'lpProcName': 'FlsFree'}
{'hModule': 269963264, 'lpProcName': 'EncodePointer'}
{'hModule': 269963264, 'lpProcName': 'EncodePointer'}
{'hModule': 269963264, 'lpProcName': 'EncodePointer'}
{'hModule': 269963264, 'lpProcName': 'EncodePointer'}
{'hModule': 269963264, 'lpProcName': 'EncodePointer'}
{'hModule': 269963264, 'lpProcName': 'EncodePointer'}
{'hModule': 269963264, 'lpProcName': 'EncodePointer'}
{'hModule': 269963264, 'lpProcName': 'DecodePointer'}
{'hModule': 269963264, 'lpProcName': 'DecodePointer'}
{'hModule': 269963264, 'lpProcName': 'EncodePointer'}
{'hModule': 269963264, 'lpProcName': 'DecodePointer'}
{'hModule': 269963264, 'lpProcName': 'IsProcessorFeaturePresent'}
Traceback (most recent call last):
  File ".\github_qiling.py", line 56, in <module>
    my_sandbox([exefile], "examples/rootfs/x86_windows")
  File ".\github_qiling.py", line 41, in my_sandbox
    ql.run()
  File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\core.py", line 755, in run
    self.os.run()
  File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\os\windows\windows.py", line 188, in run
    self.ql.emu_start(self.ql.loader.entry_point, self.exit_point, self.ql.timeout, self.ql.count)
  File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\core.py", line 896, in emu_start
    self.uc.emu_start(begin, end, timeout, count)
  File "C:\Users\user\Desktop\xxx\lib\site-packages\unicorn\unicorn.py", line 341, in emu_start
    raise UcError(status)
unicorn.unicorn.UcError: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED)

Lastly, I used the same code on another file (md5: 7720E0702EB7EA49045407A910484FD0), but I get the error Invalid memory read (UC_ERR_READ_UNMAPPED):

[+] Sample is 32 bit
[+]     Profile: Default
[+]     Map GDT at 0x30000 with GDT_LIMIT=4096
[+]     Write to 0x30018 for new entry b'\x00\xf0\x00\x00\x00\xfeO\x00'
[+]     Write to 0x30028 for new entry b'\x00\xf0\x00\x00\x00\x96O\x00'
[+]     Write to 0x30070 for new entry b'\x00`\x00`\x00\xf6@\x00'
[+]     Write to 0x30078 for new entry b'\x00\x00\x00\x00\x00\xf6@\x06'
[+]     Windows Registry PATH: examples/rootfs/x86_windows\Windows\registry
[=]     Initiate stack address at 0xfffdd000
[=]     Loading .\11m296.exe to 0x400000
[=]     PE entry point at 0x4014e0
[=]     TEB addr is 0x6000
[=]     PEB addr is 0x6044
[=]     Loading examples/rootfs/x86_windows\Windows\System32\ntdll.dll to 0x10000000
[!]     Warnings while loading examples/rootfs/x86_windows\Windows\System32\ntdll.dll:
[!]      - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[!]      - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\ntdll.dll
[=]     Loading examples/rootfs/x86_windows\Windows\System32\kernel32.dll to 0x10175000
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\kernel32.dll
[=]     Loading examples/rootfs/x86_windows\Windows\System32\advapi32.dll to 0x10280000
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\advapi32.dll
[=]     Loading examples/rootfs/x86_windows\Windows\System32\msvcrt.dll to 0x10320000
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\msvcrt.dll
[=]     Loading examples/rootfs/x86_windows\Windows\System32\shell32.dll to 0x103cc000
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\shell32.dll
[=]     Loading examples/rootfs/x86_windows\Windows\System32\user32.dll to 0x11016000
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\user32.dll
[+]     Done with loading .\11m296.exe
Traceback (most recent call last):
  File ".\github_qiling.py", line 56, in <module>
    my_sandbox([exefile], "examples/rootfs/x86_windows")
  File ".\github_qiling.py", line 41, in my_sandbox
    ql.run()
  File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\core.py", line 755, in run
    self.os.run()
  File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\os\windows\windows.py", line 188, in run
    self.ql.emu_start(self.ql.loader.entry_point, self.exit_point, self.ql.timeout, self.ql.count)
  File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\core.py", line 896, in emu_start
    self.uc.emu_start(begin, end, timeout, count)
  File "C:\Users\user\Desktop\xxx\lib\site-packages\unicorn\unicorn.py", line 341, in emu_start
    raise UcError(status)
unicorn.unicorn.UcError: Invalid memory read (UC_ERR_READ_UNMAPPED)

Thanks for any help!

elicn commented 3 years ago

Unfortunately, there is not enough data to understand what went wrong. Try to disable the log filter, set verbosity to default and then post the output (or attach, if too long).

A few things to consider:

Lastly, when you quote a large piece of code on GitHub, specify the language right after the opening backticks to enable syntax highlighting, for example:

```python
python code goes here
```
QWERTYz12 commented 3 years ago

Hi, thanks for the feedback! I tried removing the retval argument from GetProcAddress, but that does not work and gives me the error "GetProcAddress() takes 3 positional arguments but 4 were given". I have also tried removing set_api, but the same error shows up. I disabled the log filter and set verbosity to default, but the output error is still the same:

Netwire RAT sample (before removing set_api)

[+] Sample is 32 bit
[=]     Initiate stack address at 0xfffdd000
[=]     Loading .\justificante_8726.exe to 0x400000
[=]     PE entry point at 0x401314
[=]     TEB addr is 0x6000
[=]     PEB addr is 0x6044
[=]     Loading examples/rootfs/x86_windows\Windows\System32\ntdll.dll to 0x10000000
[!]     Warnings while loading examples/rootfs/x86_windows\Windows\System32\ntdll.dll:
[!]      - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[!]      - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\ntdll.dll
[=]     Loading examples/rootfs/x86_windows\Windows\System32\kernel32.dll to 0x10175000
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\kernel32.dll
[=]     Loading examples/rootfs/x86_windows\Windows\System32\msvbvm60.dll to 0x10280000
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\msvbvm60.dll
Traceback (most recent call last):
  File ".\github_qiling.py", line 56, in <module>
    my_sandbox([exefile], "examples/rootfs/x86_windows")
  File ".\github_qiling.py", line 41, in my_sandbox
    ql.run()
  File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\core.py", line 755, in run
    self.os.run()
  File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\os\windows\windows.py", line 188, in run
    self.ql.emu_start(self.ql.loader.entry_point, self.exit_point, self.ql.timeout, self.ql.count)
  File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\core.py", line 896, in emu_start
    self.uc.emu_start(begin, end, timeout, count)
  File "C:\Users\user\Desktop\xxx\lib\site-packages\unicorn\unicorn.py", line 341, in emu_start
    raise UcError(status)
unicorn.unicorn.UcError: Invalid memory write (UC_ERR_WRITE_UNMAPPED)

Emotet sample: (before removing set_api)

[+] Sample is 32 bit
[=]     Initiate stack address at 0xfffdd000
[=]     Loading .\emotet.exe to 0x400000
[=]     PE entry point at 0x41fef1
[=]     TEB addr is 0x6000
[=]     PEB addr is 0x6044
[=]     Loading examples/rootfs/x86_windows\Windows\System32\ntdll.dll to 0x10000000
[!]     Warnings while loading examples/rootfs/x86_windows\Windows\System32\ntdll.dll:
[!]      - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[!]      - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\ntdll.dll
[=]     Loading examples/rootfs/x86_windows\Windows\System32\kernel32.dll to 0x10175000
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\kernel32.dll
[=]     Loading examples/rootfs/x86_windows\Windows\System32\user32.dll to 0x10280000
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\user32.dll
[=]     Loading examples/rootfs/x86_windows\Windows\System32\gdi32.dll to 0x10374000
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\gdi32.dll
[=]     Loading examples/rootfs/x86_windows\Windows\System32\comdlg32.dll to 0x103f6000
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\comdlg32.dll
[=]     Loading examples/rootfs/x86_windows\Windows\System32\winspool.drv to 0x10471000
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\winspool.drv
[=]     Loading examples/rootfs/x86_windows\Windows\System32\advapi32.dll to 0x104c2000
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\advapi32.dll
[=]     Loading examples/rootfs/x86_windows\Windows\System32\comctl32.dll to 0x10562000
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\comctl32.dll
[=]     Loading examples/rootfs/x86_windows\Windows\System32\shlwapi.dll to 0x105e6000
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\shlwapi.dll
[=]     Loading examples/rootfs/x86_windows\Windows\System32\oledlg.dll to 0x1063d000
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\oledlg.dll
[=]     Loading examples/rootfs/x86_windows\Windows\System32\ole32.dll to 0x10659000
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\ole32.dll
[=]     Loading examples/rootfs/x86_windows\Windows\System32\oleaut32.dll to 0x107b5000
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\oleaut32.dll
{'hModule': 269963264, 'lpProcName': 'FlsAlloc'}
[=]     GetProcAddress(hModule = 0x10175000, lpProcName = "FlsAlloc") = 0x10189efb
{'hModule': 269963264, 'lpProcName': 'FlsGetValue'}
[=]     GetProcAddress(hModule = 0x10175000, lpProcName = "FlsGetValue") = 0x10186252
{'hModule': 269963264, 'lpProcName': 'FlsSetValue'}
[=]     GetProcAddress(hModule = 0x10175000, lpProcName = "FlsSetValue") = 0x101891d8
{'hModule': 269963264, 'lpProcName': 'FlsFree'}
[=]     GetProcAddress(hModule = 0x10175000, lpProcName = "FlsFree") = 0x1018856f
{'hModule': 269963264, 'lpProcName': 'EncodePointer'}
[=]     GetProcAddress(hModule = 0x10175000, lpProcName = "EncodePointer") = 0x1023eaee
{'hModule': 269963264, 'lpProcName': 'EncodePointer'}
[=]     GetProcAddress(hModule = 0x10175000, lpProcName = "EncodePointer") = 0x1023eaee
{'hModule': 269963264, 'lpProcName': 'EncodePointer'}
[=]     GetProcAddress(hModule = 0x10175000, lpProcName = "EncodePointer") = 0x1023eaee
{'hModule': 269963264, 'lpProcName': 'EncodePointer'}
[=]     GetProcAddress(hModule = 0x10175000, lpProcName = "EncodePointer") = 0x1023eaee
{'hModule': 269963264, 'lpProcName': 'EncodePointer'}
[=]     GetProcAddress(hModule = 0x10175000, lpProcName = "EncodePointer") = 0x1023eaee
{'hModule': 269963264, 'lpProcName': 'EncodePointer'}
[=]     GetProcAddress(hModule = 0x10175000, lpProcName = "EncodePointer") = 0x1023eaee
{'hModule': 269963264, 'lpProcName': 'EncodePointer'}
[=]     GetProcAddress(hModule = 0x10175000, lpProcName = "EncodePointer") = 0x1023eaee
{'hModule': 269963264, 'lpProcName': 'DecodePointer'}
[=]     GetProcAddress(hModule = 0x10175000, lpProcName = "DecodePointer") = 0x1023ea18
{'hModule': 269963264, 'lpProcName': 'DecodePointer'}
[=]     GetProcAddress(hModule = 0x10175000, lpProcName = "DecodePointer") = 0x1023ea18
{'hModule': 269963264, 'lpProcName': 'EncodePointer'}
[=]     GetProcAddress(hModule = 0x10175000, lpProcName = "EncodePointer") = 0x1023eaee
{'hModule': 269963264, 'lpProcName': 'DecodePointer'}
[=]     GetProcAddress(hModule = 0x10175000, lpProcName = "DecodePointer") = 0x1023ea18
{'hModule': 269963264, 'lpProcName': 'IsProcessorFeaturePresent'}
[=]     GetProcAddress(hModule = 0x10175000, lpProcName = "IsProcessorFeaturePresent") = 0x1018a205
Traceback (most recent call last):
  File ".\github_qiling.py", line 56, in <module>
    my_sandbox([exefile], "examples/rootfs/x86_windows")
  File ".\github_qiling.py", line 41, in my_sandbox
    ql.run()
  File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\core.py", line 755, in run
    self.os.run()
  File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\os\windows\windows.py", line 188, in run
    self.ql.emu_start(self.ql.loader.entry_point, self.exit_point, self.ql.timeout, self.ql.count)
  File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\core.py", line 896, in emu_start
    self.uc.emu_start(begin, end, timeout, count)
  File "C:\Users\user\Desktop\xxx\lib\site-packages\unicorn\unicorn.py", line 341, in emu_start
    raise UcError(status)
unicorn.unicorn.UcError: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED)

And sorry for the bad syntax code earlier. Here is my python code:

import sys
import pefile
from qiling import *
from qiling.const import *
from capstone import *

def loader_pe(pe):
    """Disassemble the sample from its entry point onwards.

    The result is stored in the module-level name ``rdbin`` and also returned.

    Args:
        pe: parsed PE object exposing OPTIONAL_HEADER.AddressOfEntryPoint and
            get_memory_mapped_image().

    Returns:
        The value returned by capstone's ``disasm`` for the bytes that follow
        the entry point.
    """
    global rdbin
    ep_offset = pe.OPTIONAL_HEADER.AddressOfEntryPoint
    code = pe.get_memory_mapped_image()[ep_offset:]
    # NOTE(review): the mode is fixed to 32-bit x86 here, independent of the
    # machine type that check_arch() reports.
    disassembler = Cs(CS_ARCH_X86, CS_MODE_32)
    disassembler.detail = True
    # NOTE(review): 0x10000 is the address given to the first decoded
    # instruction; it is a constant, not the sample's image base plus entry
    # point, so printed addresses will not match the emulator log - confirm
    # that this is intended.
    rdbin = disassembler.disasm(code, 0x10000)
    return rdbin

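def check_arch(pe):
    """Print and return the bitness of a parsed PE file.

    Args:
        pe: parsed PE object exposing FILE_HEADER.Machine.

    Returns:
        32 for machine type 0x14c, 64 for machine type 0x8664.

    Raises:
        ValueError: for any other machine type. Without this branch the
            function failed on the print below with an unbound local, which
            hid the actual reason the sample was rejected.
    """
    machine = pe.FILE_HEADER.Machine
    if machine == 0x14c:  # IMAGE_FILE_MACHINE_I386
        bit = 32
    elif machine == 0x8664:  # IMAGE_FILE_MACHINE_AMD64
        bit = 64
    else:
        raise ValueError("[-] Unsupported PE machine type: %#x" % machine)
    print("[+] Sample is %s bit" % bit)
    return bit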

def GetProcAddress(ql, addr, params, retval):
    """Exit hook for GetProcAddress: print the parameters of each call.

    my_sandbox() registers this function with QL_INTERCEPT.EXIT, and it is
    called with four positional arguments. Only ``params`` is used; ``ql``,
    ``addr`` and ``retval`` are accepted and ignored.

    Returns:
        None. NOTE(review): presumably the emulated call's own return value is
        kept when the hook returns None - confirm against the Qiling version
        in use.
    """
    print(params)
    return None

def my_sandbox(path, rootfs):
    """Emulate a sample under Qiling and print its GetProcAddress calls.

    Args:
        path: argument list for the emulated program; the caller passes
            ``[exefile]``.
        rootfs: directory handed to Qiling as the emulated root filesystem.
    """
    emulator = Qiling(path, rootfs, verbose=QL_VERBOSE.DEFAULT)
    # Run the GetProcAddress hook defined in this file when the emulated API
    # call exits.
    emulator.set_api("GetProcAddress", GetProcAddress, QL_INTERCEPT.EXIT)
    # Restrict log output to lines matching this name; this also hides the
    # log lines that precede a crash.
    emulator.filter = "GetProcAddress"
    # NOTE(review): run() is called without a timeout, so a sample that loops
    # never returns control to this script.
    emulator.run()

### Main Program ###
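file = sys.argv[-1]
if __name__ == "__main__":
    # The sample path is the last command-line argument. With no argument,
    # sys.argv[-1] is this script itself, so reject that case explicitly.
    if len(sys.argv) < 2:
        sys.exit("usage: <script> <path-to-PE-sample>")
    exefile = sys.argv[-1]
    try:
        exe = pefile.PE(exefile)
    except (OSError, pefile.PEFormatError) as e:
        # Report unreadable and malformed samples alike, and exit non-zero so
        # that a rejected sample cannot be mistaken for a completed run.
        print(e)
        sys.exit(1)
    rdbin = loader_pe(exe)
    # NOTE(review): the bitness returned by check_arch() is not used; the
    # rootfs below is the 32-bit x86 one whatever the sample's machine type.
    check_arch(exe)
    my_sandbox([exefile], "examples/rootfs/x86_windows")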

When I removed set_api, I was able to see more debug output, but the same error shows up. Netwire RAT sample:

[+] Sample is 32 bit
[=]     Initiate stack address at 0xfffdd000
[=]     Loading .\justificante_8726.exe to 0x400000
[=]     PE entry point at 0x401314
[=]     TEB addr is 0x6000
[=]     PEB addr is 0x6044
[=]     Loading examples/rootfs/x86_windows\Windows\System32\ntdll.dll to 0x10000000
[!]     Warnings while loading examples/rootfs/x86_windows\Windows\System32\ntdll.dll:
[!]      - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[!]      - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\ntdll.dll
[=]     Loading examples/rootfs/x86_windows\Windows\System32\kernel32.dll to 0x10175000
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\kernel32.dll
[=]     Loading examples/rootfs/x86_windows\Windows\System32\msvbvm60.dll to 0x10280000
[=]     Done with loading examples/rootfs/x86_windows\Windows\System32\msvbvm60.dll
[!]     api ThunRTMain is not implemented
[x]

[x]     ah      :        0x0
[x]     al      :        0x0
[x]     ch      :        0x0
[x]     cl      :        0x0
[x]     dh      :        0x0
[x]     dl      :        0x0
[x]     bh      :        0x0
[x]     bl      :        0x0
[x]     ax      :        0x0
[x]     cx      :        0x0
[x]     dx      :        0x0
[x]     bx      :        0x0
[x]     sp      :        0xcf84
[x]     bp      :        0xcff4
[x]     si      :        0x1428
[x]     di      :        0x0
[x]     ip      :        0x35cf
[x]     eax     :        0x0
[x]     ecx     :        0x0
[x]     edx     :        0x0
[x]     ebx     :        0x0
[x]     esp     :        0xffffcf84
[x]     ebp     :        0xffffcff4
[x]     esi     :        0x401428
[x]     edi     :        0x0
[x]     eip     :        0x102835cf
[x]     cr0     :        0x11
[x]     cr1     :        0x0
[x]     cr2     :        0x0
[x]     cr3     :        0x0
[x]     cr4     :        0x0
[x]     cr5     :        0x0
[x]     cr6     :        0x0
[x]     cr7     :        0x0
[x]     cr8     :        0x0
[x]     cr9     :        0x0
[x]     cr10    :        0x0
[x]     cr11    :        0x0
[x]     cr12    :        0x0
[x]     cr13    :        0x0
[x]     cr14    :        0x0
[x]     cr15    :        0x0
[x]     st0     :        0x0
[x]     st1     :        0x0
[x]     st2     :        0x0
[x]     st3     :        0x0
[x]     st4     :        0x0
[x]     st5     :        0x0
[x]     st6     :        0x0
[x]     st7     :        0x0
[x]     ef      :        0x84
[x]     cs      :        0x1b
[x]     ss      :        0x28
[x]     ds      :        0x28
[x]     es      :        0x28
[x]     fs      :        0x73
[x]     gs      :        0x78
[x]

[x]     PC = 0x102835cf
[x]      (examples/rootfs/x86_windows\Windows\System32\msvbvm60.dll+0x35cf)
[=]     Start      End        Perm    Label          Image
[=]     00006000 - 0000c000   rwx     [FS/GS]
[=]     00030000 - 00031000   rwx     [GDT]
[=]     00400000 - 004b0000   rwx     [PE]           .\justificante_8726.exe
[=]     05000000 - 05001000   rwx     [heap]
[=]     06000000 - 0c000000   rwx     [FS/GS]
[=]     10000000 - 10175000   rwx     ntdll.dll      examples/rootfs/x86_windows\Windows\System32\ntdll.dll
[=]     10175000 - 10280000   rwx     kernel32.dll   examples/rootfs/x86_windows\Windows\System32\kernel32.dll
[=]     10280000 - 103d3000   rwx     msvbvm60.dll   examples/rootfs/x86_windows\Windows\System32\msvbvm60.dll
[=]     fffdd000 - ffffe000   rwx     [stack]
[x]     ['0x89', '0x35', '0x70', '0xe8', '0xa4', '0x72', '0x83', '0x65']
[=]

[=]     0x102835cf {msvbvm60.dll         + 0x0035cf}   89 35 70 e8 a4 72 83 65 fc 00 8d 45 a0 50 ff 15 a0 10 94 72 0f b7 45 d0 a3 6c e8 a4 72 ff 35 d8 e7 a4 72 56 be 70 e4
a4 72 8b ce 90 e8 5c 00 00 00 89 45 e4 85 c0 0f 8c 0f c4 01 00 6a 00 6a 00 mov dword ptr [0x72a4e870], esi
> and dword ptr [ebp - 4], 0
> lea eax, [ebp - 0x60]
> push eax
> call dword ptr [0x729410a0]
> movzx eax, word ptr [ebp - 0x30]
> mov dword ptr [0x72a4e86c], eax
> push dword ptr [0x72a4e7d8]
> push esi
> mov esi, 0x72a4e470
> mov ecx, esi
> nop
> call 0x1028365c
> mov dword ptr [ebp - 0x1c], eax
> test eax, eax
> jl 0x1029fa1a
> push 0
> push 0
Traceback (most recent call last):
  File ".\github_qiling.py", line 56, in <module>
    my_sandbox([exefile], "examples/rootfs/x86_windows")
  File ".\github_qiling.py", line 41, in my_sandbox
    ql.run()
  File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\core.py", line 755, in run
    self.os.run()
  File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\os\windows\windows.py", line 188, in run
    self.ql.emu_start(self.ql.loader.entry_point, self.exit_point, self.ql.timeout, self.ql.count)
  File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\core.py", line 896, in emu_start
    self.uc.emu_start(begin, end, timeout, count)
  File "C:\Users\user\Desktop\xxx\lib\site-packages\unicorn\unicorn.py", line 341, in emu_start
    raise UcError(status)
unicorn.unicorn.UcError: Invalid memory write (UC_ERR_WRITE_UNMAPPED)

Emotet sample:

[=]     InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x447078, dwSpinCount = 0xfa0) = 0x1
[=]     InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x447090, dwSpinCount = 0xfa0) = 0x1
[=]     InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x4470a8, dwSpinCount = 0xfa0) = 0x1
[=]     InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x4470c0, dwSpinCount = 0xfa0) = 0x1
[=]     InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x4470d8, dwSpinCount = 0xfa0) = 0x1
[=]     InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x4470f0, dwSpinCount = 0xfa0) = 0x1
[=]     InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x447108, dwSpinCount = 0xfa0) = 0x1
[=]     InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x447120, dwSpinCount = 0xfa0) = 0x1
[=]     InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x447138, dwSpinCount = 0xfa0) = 0x1
[=]     InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x447150, dwSpinCount = 0xfa0) = 0x1
[=]     InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x447168, dwSpinCount = 0xfa0) = 0x1
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     GetModuleHandleW(lpModuleName = "KERNEL32.DLL") = 0x10175000
[=]     GetProcAddress(hModule = 0x10175000, lpProcName = "DecodePointer") = 0x1023ea18
[=]     DecodePointer(Ptr = 0x10189efb) = 0x10189efb
[=]     FlsAlloc(lpCallback = 0x424a51) = 0x0
[=]     HeapAlloc(hHeap = 0x5000b8c, dwFlags = 0x8, dwBytes = 0x214) = 0x5001b8c
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x0
[=]     GetModuleHandleW(lpModuleName = "KERNEL32.DLL") = 0x10175000
[=]     GetProcAddress(hModule = 0x10175000, lpProcName = "DecodePointer") = 0x1023ea18
[=]     DecodePointer(Ptr = 0x101891d8) = 0x101891d8
[=]     FlsSetValue(dwFlsIndex = 0, lpFlsData = 0x5001b8c) = 0x1
[=]     GetModuleHandleW(lpModuleName = "KERNEL32.DLL") = 0x10175000
[=]     GetProcAddress(hModule = 0x10175000, lpProcName = "EncodePointer") = 0x1023eaee
[=]     GetProcAddress(hModule = 0x10175000, lpProcName = "DecodePointer") = 0x1023ea18
[=]     EnterCriticalSection(lpCriticalSection = 0x447108) = 0x0
[=]     InterlockedIncrement(Target = 0x4427d0) = 0x0
[=]     LeaveCriticalSection(lpCriticalSection = 0x447108) = 0x0
[=]     EnterCriticalSection(lpCriticalSection = 0x4470f0) = 0x0
[=]     InterlockedIncrement(Target = 0x442d00) = 0x1
[=]     InterlockedIncrement(Target = 0x44327c) = 0x0
[=]     LeaveCriticalSection(lpCriticalSection = 0x4470f0) = 0x0
[=]     GetCurrentThreadId() = 0x0
[=]     GetStartupInfoA(lpStartupInfo = 0xffffcf18) = 0x0
[=]     HeapAlloc(hHeap = 0x5000b8c, dwFlags = 0x8, dwBytes = 0x800) = 0x5001da0
[=]     GetStdHandle(nStdHandle = 0xfffffff6) = 0xfffffff6
[=]     GetFileType(hFile = 0xfffffff6) = 0x2
[=]     InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5001dac, dwSpinCount = 0xfa0) = 0x1
[=]     GetStdHandle(nStdHandle = 0xfffffff5) = 0xfffffff5
[=]     GetFileType(hFile = 0xfffffff5) = 0x2
[=]     InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5001dec, dwSpinCount = 0xfa0) = 0x1
[=]     GetStdHandle(nStdHandle = 0xfffffff4) = 0xfffffff4
[=]     GetFileType(hFile = 0xfffffff4) = 0x2
[=]     InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5001e2c, dwSpinCount = 0xfa0) = 0x1
[=]     SetHandleCount(uNumber = 0x20) = 0x20
[=]     GetCommandLineA() = 0x50025a0
[=]     GetEnvironmentStringsW() = 0x50025c4
[=]     WideCharToMultiByte(CodePage = 0, dwFlags = 0, lpWideCharStr = "", cchWideChar = 0x1, lpMultiByteStr = 0, cbMultiByte = 0, lpDefaultChar = 0, lpUsedDefaultChar = 0) = 0x2
[=]     HeapAlloc(hHeap = 0x5000b8c, dwFlags = 0, dwBytes = 0x2) = 0x50025c6
[=]     WideCharToMultiByte(CodePage = 0, dwFlags = 0, lpWideCharStr = "", cchWideChar = 0x1, lpMultiByteStr = 0x50025c6, cbMultiByte = 0x2, lpDefaultChar = 0, lpUsedDefaultChar = 0) = 0x2
[=]     FreeEnvironmentStringsW(penv = 0x50025c4) = 0x1
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     EnterCriticalSection(lpCriticalSection = 0x447108) = 0x0
[=]     LeaveCriticalSection(lpCriticalSection = 0x447108) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetACP() = 0x1b5
[=]     HeapAlloc(hHeap = 0x5000b8c, dwFlags = 0, dwBytes = 0x220) = 0x50025c8
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     IsValidCodePage(CodePage = 0x1b5) = 0x1
[=]     GetCPInfo(CodePage = 0x1b5, lpCPInfo = 0xffffcef8) = 0x1
[=]     GetCPInfo(CodePage = 0x1b5, lpCPInfo = 0xffffc9c4) = 0x1
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetStringTypeW(dwInfoType = 0x1, lpSrcStr = 0x437d2c, cchSrc = 0x1, lpCharType = 0xffffc954) = 0x1
[=]     MultiByteToWideChar(CodePage = 0x1b5, dwFlags = 0x1, lpMultiByteStr = " \x01\x02\x03\x04\x05\x06\x07\x08\t\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7fP\x10$BB\'\x05)D%\x05 \x02", cbMultiByte = 0x100, lpWideCharStr = 0, cchWideChar = 0) = 0x11c
[=]     MultiByteToWideChar(CodePage = 0x1b5, dwFlags = 0x1, lpMultiByteStr = " \x01\x02\x03\x04\x05\x06\x07\x08\t\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7fP\x10$BB\'\x05)D%\x05 \x02", cbMultiByte = 0x100, lpWideCharStr = 0xffffc708, cchWideChar = 0x11c) = 0x11c
[=]     GetStringTypeW(dwInfoType = 0x1, lpSrcStr = 0xffffc708, cchSrc = 0x11c, lpCharType = 0xffffc9d8) = 0x1
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     LCMapStringW(Locale = 0, dwMapFlags = 0x100, lpSrcStr = "", cchSrc = 0x1, lpDestStr = 0, cchDest = 0) = 0x2
[=]     MultiByteToWideChar(CodePage = 0x1b5, dwFlags = 0x1, lpMultiByteStr = " \x01\x02\x03\x04\x05\x06\x07\x08\t\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7fP\x10$BB\'\x05)D%\x05 \x02", cbMultiByte = 0x100, lpWideCharStr = 0, cchWideChar = 0) = 0x11c
[=]     MultiByteToWideChar(CodePage = 0x1b5, dwFlags = 0x1, lpMultiByteStr = " \x01\x02\x03\x04\x05\x06\x07\x08\t\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7fP\x10$BB\'\x05)D%\x05 \x02", cbMultiByte = 0x100, lpWideCharStr = 0xffffc6d8, cchWideChar = 0x11c) = 0x11c
[=]     LCMapStringW(Locale = 0, dwMapFlags = 0x100, lpSrcStr = " \x01\x02\x03\x04\x05\x06\x07\x08\t\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7fP\x10$BB\'\x05)D%\x05 \x02", cchSrc = 0x11c, lpDestStr = 0, cchDest = 0) = 0x11c
[=]     LCMapStringW(Locale = 0, dwMapFlags = 0x100, lpSrcStr = " \x01\x02\x03\x04\x05\x06\x07\x08\t\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7fP\x10$BB\'\x05)D%\x05 \x02", cchSrc = 0x11c, lpDestStr = 0xffffc498, cchDest = 0x11c) = 0x11c
[=]     WideCharToMultiByte(CodePage = 0x1b5, dwFlags = 0, lpWideCharStr = " \x01\x02\x03\x04\x05\x06\x07\x08\t\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7fP\x10$BB\'\x05)D%\x05 \x02", cchWideChar = 0x11c, lpMultiByteStr = 0xffffccd8, cbMultiByte = 0x100, lpDefaultChar = 0, lpUsedDefaultChar = 0) = 0x11c
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     MultiByteToWideChar(CodePage = 0x1b5, dwFlags = 0x1, lpMultiByteStr = "P\x10$BB'\x05)D%\x05 \x02", cbMultiByte = 0x2, lpWideCharStr = 0, cchWideChar = 0) = 0x1c
[=]     MultiByteToWideChar(CodePage = 0x1b5, dwFlags = 0x1, lpMultiByteStr = "P\x10$BB'\x05)D%\x05 \x02", cbMultiByte = 0x2, lpWideCharStr = 0xffffc8f8, cchWideChar = 0x1c) = 0x1c
[=]     LCMapStringW(Locale = 0, dwMapFlags = 0x200, lpSrcStr = "P\x10$BB'\x05)D%\x05 \x02", cchSrc = 0x1c, lpDestStr = 0, cchDest = 0) = 0x1c
[=]     LCMapStringW(Locale = 0, dwMapFlags = 0x200, lpSrcStr = "P\x10$BB'\x05)D%\x05 \x02", cchSrc = 0x1c, lpDestStr = 0xffffc8b8, cchDest = 0x1c) = 0x1c
[=]     WideCharToMultiByte(CodePage = 0x1b5, dwFlags = 0, lpWideCharStr = "P\x10$BB'\x05)D%\x05 \x02", cchWideChar = 0x1c, lpMultiByteStr = 0xffffcbd8, cbMultiByte = 0x100, lpDefaultChar = 0, lpUsedDefaultChar = 0) = 0x1c
[=]     InterlockedDecrement(Target = 0x4427d0) = 0xffffffff
[=]     InterlockedIncrement(Target = 0x50025c8) = 0x0
[=]     EnterCriticalSection(lpCriticalSection = 0x447108) = 0x0
[=]     InterlockedDecrement(Target = 0x4427d0) = 0xfffffffe
[=]     InterlockedIncrement(Target = 0x50025c8) = 0x0
[=]     LeaveCriticalSection(lpCriticalSection = 0x447108) = 0x0
[=]     GetModuleFileNameA(hModule = 0, lpFilename = 0x4474a8, nSize = 0x104) = 0x23
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     HeapAlloc(hHeap = 0x5000b8c, dwFlags = 0, dwBytes = 0x2b) = 0x50027e8
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     HeapAlloc(hHeap = 0x5000b8c, dwFlags = 0x8, dwBytes = 0x4) = 0x5002813
[=]     HeapFree(hHeap = 0x5000b8c, dwFlags = 0, lpMem = 0x50025c6) = 0x1
[=]     GetModuleHandleA(lpModuleName = "KERNEL32") = 0x10175000
[=]     GetProcAddress(hModule = 0x10175000, lpProcName = "IsProcessorFeaturePresent") = 0x1018a205
[=]     IsProcessorFeaturePresent(ProcessorFeature = 0) = 0x1
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x42b679) = 0x42b679
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x42ad60) = 0x42ad60
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x42ad14) = 0x42ad14
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x42ad4d) = 0x42ad4d
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x42acb6) = 0x42acb6
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x42b679) = 0x42b679
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x42b5f1) = 0x42b5f1
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x42acd2) = 0x42acd2
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x42ac34) = 0x42ac34
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x42abc1) = 0x42abc1
[=]     HeapAlloc(hHeap = 0x5000b8c, dwFlags = 0x8, dwBytes = 0x80) = 0x5002817
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x5002817) = 0x5002817
[=]     HeapAlloc(hHeap = 0x5000b8c, dwFlags = 0x8, dwBytes = 0x800) = 0x5002897
[=]     SetUnhandledExceptionFilter(lpTopLevelExceptionFilter = 0x427a9a) = 0x0
[=]     EnterCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     DecodePointer(Ptr = 0x5002817) = 0x5002817
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     DecodePointer(Ptr = 0x5002817) = 0x5002817
[=]     HeapSize(hHeap = 0x5000b8c, dwFlags = 0, lpMem = 0x5002817) = 0x80
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x42838d) = 0x42838d
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x500281b) = 0x500281b
[=]     LeaveCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=]     EnterCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     DecodePointer(Ptr = 0x5002817) = 0x5002817
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     DecodePointer(Ptr = 0x500281b) = 0x500281b
[=]     HeapSize(hHeap = 0x5000b8c, dwFlags = 0, lpMem = 0x5002817) = 0x80
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x43317f) = 0x43317f
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x500281f) = 0x500281f
[=]     LeaveCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=]     EnterCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     DecodePointer(Ptr = 0x5002817) = 0x5002817
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     DecodePointer(Ptr = 0x500281f) = 0x500281f
[=]     HeapSize(hHeap = 0x5000b8c, dwFlags = 0, lpMem = 0x5002817) = 0x80
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x433189) = 0x433189
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x5002823) = 0x5002823
[=]     LeaveCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=]     EnterCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     DecodePointer(Ptr = 0x5002817) = 0x5002817
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     DecodePointer(Ptr = 0x5002823) = 0x5002823
[=]     HeapSize(hHeap = 0x5000b8c, dwFlags = 0, lpMem = 0x5002817) = 0x80
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x4331e5) = 0x4331e5
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x5002827) = 0x5002827
[=]     LeaveCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=]     InitializeCriticalSection(lpCriticalSection = 0x447714) = 0x1
[=]     EnterCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     DecodePointer(Ptr = 0x5002817) = 0x5002817
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     DecodePointer(Ptr = 0x5002827) = 0x5002827
[=]     HeapSize(hHeap = 0x5000b8c, dwFlags = 0, lpMem = 0x5002817) = 0x80
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x4331ef) = 0x4331ef
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x500282b) = 0x500282b
[=]     LeaveCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=]     TlsAlloc() = 0x1
[=]     InitializeCriticalSection(lpCriticalSection = 0x446974) = 0x1
[=]     EnterCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=]     GlobalAlloc(uFlags = 0x2, dwBytes = 0x100) = 0x5003097
[=]     GlobalLock(hMem = 0x5003097) = 0x5003097
[=]     LeaveCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=]     EnterCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=]     TlsGetValue(dwTlsIndex = 0x1) = 0x0
[=]     LeaveCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=]     LocalAlloc(uFlags = 0x40, uBytes = 0x104) = 0x5003197
[=]     EnterCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=]     TlsGetValue(dwTlsIndex = 0x1) = 0x0
[=]     LocalAlloc(uFlags = 0x40, uBytes = 0x10) = 0x500329b
[=]     LocalAlloc(uFlags = 0, uBytes = 0x8) = 0x50032ab
[=]     TlsSetValue(dwTlsIndex = 0x1, lpTlsValue = 0x500329b) = 0x1
[=]     LeaveCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=]     InitializeCriticalSection(lpCriticalSection = 0x446b30) = 0x1
[=]     EnterCriticalSection(lpCriticalSection = 0x446b30) = 0x0
[=]     InitializeCriticalSection(lpCriticalSection = 0x446b18) = 0x1
[=]     LeaveCriticalSection(lpCriticalSection = 0x446b30) = 0x0
[=]     EnterCriticalSection(lpCriticalSection = 0x446b18) = 0x0
[=]     LocalAlloc(uFlags = 0x40, uBytes = 0x8c) = 0x50032b3
[=]     HeapAlloc(hHeap = 0x5000b8c, dwFlags = 0, dwBytes = 0x1011) = 0x500333f
[=]     HeapAlloc(hHeap = 0x5000b8c, dwFlags = 0, dwBytes = 0xc) = 0x5004350
[=]     LocalAlloc(uFlags = 0x40, uBytes = 0x188) = 0x500435c
[=]     HeapAlloc(hHeap = 0x5000b8c, dwFlags = 0, dwBytes = 0x1d) = 0x50044e4
[=]     LocalAlloc(uFlags = 0x40, uBytes = 0x64) = 0x5004501
[=]     HeapAlloc(hHeap = 0x5000b8c, dwFlags = 0, dwBytes = 0x1d) = 0x5004565
[=]     LocalAlloc(uFlags = 0x40, uBytes = 0x14) = 0x5004582
[=]     HeapAlloc(hHeap = 0x5000b8c, dwFlags = 0, dwBytes = 0x1c) = 0x5004596
[=]     LeaveCriticalSection(lpCriticalSection = 0x446b18) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     EnterCriticalSection(lpCriticalSection = 0x447108) = 0x0
[=]     LeaveCriticalSection(lpCriticalSection = 0x447108) = 0x0
[=]     GetLastError() = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     SetLastError(dwErrCode = 0) = 0x0
[=]     GetACP() = 0x1b5
[=]     EnterCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     DecodePointer(Ptr = 0x5002817) = 0x5002817
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     DecodePointer(Ptr = 0x500282b) = 0x500282b
[=]     HeapSize(hHeap = 0x5000b8c, dwFlags = 0, lpMem = 0x5002817) = 0x80
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x431a5a) = 0x431a5a
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x500282f) = 0x500282f
[=]     LeaveCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=]     EnterCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=]     TlsGetValue(dwTlsIndex = 0x1) = 0x500329b
[=]     LeaveCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=]     EnterCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=]     TlsGetValue(dwTlsIndex = 0x1) = 0x500329b
[=]     LeaveCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=]     GetCursorPos(lpPoint = 0x50031e3) = 0x0
[=]     EnterCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=]     TlsGetValue(dwTlsIndex = 0x1) = 0x500329b
[=]     LeaveCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=]     EnterCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=]     LeaveCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=]     EnterCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=]     TlsGetValue(dwTlsIndex = 0x1) = 0x500329b
[=]     LeaveCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=]     LocalAlloc(uFlags = 0x40, uBytes = 0x54) = 0x50045b2
[=]     EnterCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=]     TlsGetValue(dwTlsIndex = 0x1) = 0x500329b
[=]     LocalReAlloc(hMem = 0x50032ab, uBytes = 0xc, uFlags = 0x2) = 0x5004606
[=]     TlsSetValue(dwTlsIndex = 0x1, lpTlsValue = 0x500329b) = 0x1
[=]     LeaveCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=]     GetCurrentThread() = 0x0
[=]     GetCurrentThreadId() = 0x0
[=]     EnterCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     DecodePointer(Ptr = 0x5002817) = 0x5002817
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     DecodePointer(Ptr = 0x500282f) = 0x500282f
[=]     HeapSize(hHeap = 0x5000b8c, dwFlags = 0, lpMem = 0x5002817) = 0x80
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x433140) = 0x433140
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x5002833) = 0x5002833
[=]     LeaveCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=]     EnterCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     DecodePointer(Ptr = 0x5002817) = 0x5002817
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     DecodePointer(Ptr = 0x5002833) = 0x5002833
[=]     HeapSize(hHeap = 0x5000b8c, dwFlags = 0, lpMem = 0x5002817) = 0x80
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x43314a) = 0x43314a
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x5002837) = 0x5002837
[=]     LeaveCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=]     EnterCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     DecodePointer(Ptr = 0x5002817) = 0x5002817
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     DecodePointer(Ptr = 0x5002837) = 0x5002837
[=]     HeapSize(hHeap = 0x5000b8c, dwFlags = 0, lpMem = 0x5002817) = 0x80
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x433154) = 0x433154
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x500283b) = 0x500283b
[=]     LeaveCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=]     EnterCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     DecodePointer(Ptr = 0x5002817) = 0x5002817
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     DecodePointer(Ptr = 0x500283b) = 0x500283b
[=]     HeapSize(hHeap = 0x5000b8c, dwFlags = 0, lpMem = 0x5002817) = 0x80
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x43315e) = 0x43315e
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x500283f) = 0x500283f
[=]     LeaveCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=]     EnterCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     DecodePointer(Ptr = 0x5002817) = 0x5002817
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     DecodePointer(Ptr = 0x500283f) = 0x500283f
[=]     HeapSize(hHeap = 0x5000b8c, dwFlags = 0, lpMem = 0x5002817) = 0x80
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x433169) = 0x433169
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x5002843) = 0x5002843
[=]     LeaveCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=]     EnterCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     DecodePointer(Ptr = 0x5002817) = 0x5002817
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     DecodePointer(Ptr = 0x5002843) = 0x5002843
[=]     HeapSize(hHeap = 0x5000b8c, dwFlags = 0, lpMem = 0x5002817) = 0x80
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x433174) = 0x433174
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x5002847) = 0x5002847
[=]     LeaveCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=]     EnterCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     DecodePointer(Ptr = 0x5002817) = 0x5002817
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     DecodePointer(Ptr = 0x5002847) = 0x5002847
[=]     HeapSize(hHeap = 0x5000b8c, dwFlags = 0, lpMem = 0x5002817) = 0x80
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x433193) = 0x433193
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x500284b) = 0x500284b
[=]     LeaveCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=]     RegisterWindowMessageA(lpString = "commctrl_DragListMsg") = 0xd10c
[=]     EnterCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=]     TlsGetValue(dwTlsIndex = 0x1) = 0x500329b
[=]     LeaveCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=]     LocalAlloc(uFlags = 0x40, uBytes = 0x104) = 0x5004612
[=]     EnterCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=]     TlsGetValue(dwTlsIndex = 0x1) = 0x500329b
[=]     LeaveCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=]     EnterCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     DecodePointer(Ptr = 0x5002817) = 0x5002817
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     DecodePointer(Ptr = 0x500284b) = 0x500284b
[=]     HeapSize(hHeap = 0x5000b8c, dwFlags = 0, lpMem = 0x5002817) = 0x80
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x43319d) = 0x43319d
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x500284f) = 0x500284f
[=]     LeaveCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=]     EnterCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=]     TlsGetValue(dwTlsIndex = 0x1) = 0x500329b
[=]     LeaveCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=]     EnterCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     DecodePointer(Ptr = 0x5002817) = 0x5002817
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     DecodePointer(Ptr = 0x500284f) = 0x500284f
[=]     HeapSize(hHeap = 0x5000b8c, dwFlags = 0, lpMem = 0x5002817) = 0x80
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x4331a7) = 0x4331a7
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x5002853) = 0x5002853
[=]     LeaveCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=]     EnterCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=]     TlsGetValue(dwTlsIndex = 0x1) = 0x500329b
[=]     LeaveCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=]     EnterCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     DecodePointer(Ptr = 0x5002817) = 0x5002817
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     DecodePointer(Ptr = 0x5002853) = 0x5002853
[=]     HeapSize(hHeap = 0x5000b8c, dwFlags = 0, lpMem = 0x5002817) = 0x80
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x4331b1) = 0x4331b1
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x5002857) = 0x5002857
[=]     LeaveCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=]     EnterCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=]     TlsGetValue(dwTlsIndex = 0x1) = 0x500329b
[=]     LeaveCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=]     EnterCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     DecodePointer(Ptr = 0x5002817) = 0x5002817
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     DecodePointer(Ptr = 0x5002857) = 0x5002857
[=]     HeapSize(hHeap = 0x5000b8c, dwFlags = 0, lpMem = 0x5002817) = 0x80
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x4331bb) = 0x4331bb
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x500285b) = 0x500285b
[=]     LeaveCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=]     EnterCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     DecodePointer(Ptr = 0x5002817) = 0x5002817
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     DecodePointer(Ptr = 0x500285b) = 0x500285b
[=]     HeapSize(hHeap = 0x5000b8c, dwFlags = 0, lpMem = 0x5002817) = 0x80
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x4331c5) = 0x4331c5
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x500285f) = 0x500285f
[=]     LeaveCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=]     EnterCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     DecodePointer(Ptr = 0x5002817) = 0x5002817
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     DecodePointer(Ptr = 0x500285f) = 0x500285f
[=]     HeapSize(hHeap = 0x5000b8c, dwFlags = 0, lpMem = 0x5002817) = 0x80
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x4331d0) = 0x4331d0
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=]     FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=]     EncodePointer(Ptr = 0x5002863) = 0x5002863
[=]     LeaveCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=]     GetSystemMetrics(nIndex = 0xb) = 0x20
[=]     GetSystemMetrics(nIndex = 0xc) = 0x20
[=]     GetSystemMetrics(nIndex = 0x2) = 0x4
[=]     GetSystemMetrics(nIndex = 0x3) = 0x12c
[=]     GetDC(hWnd = 0) = 0xd10c
[=]     GetDeviceCaps() = 0x1
[=]     GetDeviceCaps() = 0x1
[=]     ReleaseDC(hWnd = 0, hDC = 0xd10c) = 0x1
[x]

[x]     ah      :        0x0
[x]     al      :        0x1
[x]     ch      :        0x6b
[x]     cl      :        0x90
[x]     dh      :        0x46
[x]     dl      :        0x12
[x]     bh      :        0xd1
[x]     bl      :        0xc
[x]     ax      :        0x1
[x]     cx      :        0x6b90
[x]     dx      :        0x4612
[x]     bx      :        0xd10c
[x]     sp      :        0xcf44
[x]     bp      :        0xcf6c
[x]     si      :        0x5a
[x]     di      :        0xd10c
[x]     ip      :        0x58
[x]     eax     :        0x1
[x]     ecx     :        0x446b90
[x]     edx     :        0x5004612
[x]     ebx     :        0xd10c
[x]     esp     :        0xffffcf44
[x]     ebp     :        0xffffcf6c
[x]     esi     :        0x5a
[x]     edi     :        0xd10c
[x]     eip     :        0x58
[x]     cr0     :        0x11
[x]     cr1     :        0x0
[x]     cr2     :        0x0
[x]     cr3     :        0x0
[x]     cr4     :        0x0
[x]     cr5     :        0x0
[x]     cr6     :        0x0
[x]     cr7     :        0x0
[x]     cr8     :        0x0
[x]     cr9     :        0x0
[x]     cr10    :        0x0
[x]     cr11    :        0x0
[x]     cr12    :        0x0
[x]     cr13    :        0x0
[x]     cr14    :        0x0
[x]     cr15    :        0x0
[x]     st0     :        0x0
[x]     st1     :        0x0
[x]     st2     :        0x0
[x]     st3     :        0x0
[x]     st4     :        0x0
[x]     st5     :        0x0
[x]     st6     :        0x0
[x]     st7     :        0x0
[x]     ef      :        0x6
[x]     cs      :        0x1b
[x]     ss      :        0x28
[x]     ds      :        0x28
[x]     es      :        0x28
[x]     fs      :        0x73
[x]     gs      :        0x78
[x]

[x]     PC = 0x58
[=]

[=]     Start      End        Perm    Label          Image
[=]     00006000 - 0000c000   rwx     [FS/GS]
[=]     00030000 - 00031000   rwx     [GDT]
[=]     00400000 - 0045a000   rwx     [PE]           .\emotet.exe
[=]     05000000 - 05001000   rwx     [heap]
[=]     05001000 - 05002000   rwx     [heap]
[=]     05002000 - 05003000   rwx     [heap]
[=]     05003000 - 05004000   rwx     [heap]
[=]     05004000 - 05006000   rwx     [heap]
[=]     06000000 - 0c000000   rwx     [FS/GS]
[=]     10000000 - 10175000   rwx     ntdll.dll      examples/rootfs/x86_windows\Windows\System32\ntdll.dll
[=]     10175000 - 10280000   rwx     kernel32.dll   examples/rootfs/x86_windows\Windows\System32\kernel32.dll
[=]     10280000 - 10374000   rwx     user32.dll     examples/rootfs/x86_windows\Windows\System32\user32.dll
[=]     10374000 - 103f6000   rwx     gdi32.dll      examples/rootfs/x86_windows\Windows\System32\gdi32.dll
[=]     103f6000 - 10471000   rwx     comdlg32.dll   examples/rootfs/x86_windows\Windows\System32\comdlg32.dll
[=]     10471000 - 104c2000   rwx     winspool.drv   examples/rootfs/x86_windows\Windows\System32\winspool.drv
[=]     104c2000 - 10562000   rwx     advapi32.dll   examples/rootfs/x86_windows\Windows\System32\advapi32.dll
[=]     10562000 - 105e6000   rwx     comctl32.dll   examples/rootfs/x86_windows\Windows\System32\comctl32.dll
[=]     105e6000 - 1063d000   rwx     shlwapi.dll    examples/rootfs/x86_windows\Windows\System32\shlwapi.dll
[=]     1063d000 - 10659000   rwx     oledlg.dll     examples/rootfs/x86_windows\Windows\System32\oledlg.dll
[=]     10659000 - 107b5000   rwx     ole32.dll      examples/rootfs/x86_windows\Windows\System32\ole32.dll
[=]     107b5000 - 10844000   rwx     oleaut32.dll   examples/rootfs/x86_windows\Windows\System32\oleaut32.dll
[=]     fffdd000 - ffffe000   rwx     [stack]
[x]     Error: PC(0x58) Unreachable
Traceback (most recent call last):
  File ".\github_qiling.py", line 56, in <module>
    my_sandbox([exefile], "examples/rootfs/x86_windows")
  File ".\github_qiling.py", line 41, in my_sandbox
    ql.run()
  File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\core.py", line 755, in run
    self.os.run()
  File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\os\windows\windows.py", line 188, in run
    self.ql.emu_start(self.ql.loader.entry_point, self.exit_point, self.ql.timeout, self.ql.count)
  File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\core.py", line 896, in emu_start
    self.uc.emu_start(begin, end, timeout, count)
  File "C:\Users\user\Desktop\xxx\lib\site-packages\unicorn\unicorn.py", line 341, in emu_start
    raise UcError(status)
unicorn.unicorn.UcError: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED)
elicn commented 3 years ago

I said "emit" retval, not "omit" - but that's fine. It is emitted by the log anyway. I suspect your copy of msvbvm60.dll is corrupted or not a 32-bit DLL. Can you post its md5sum?

QWERTYz12 commented 3 years ago

Hi, thanks for the reply! The md5 hash of msvbvm60.dll is 5343a19c618bc515ceb1695586c6c137

elicn commented 3 years ago

I have a strong reason to believe this one is related to #852. Please pull the latest changes from the dev branch and let us know if the problem still persists.

xwings commented 1 year ago

Issue should be solved with #852, I will close this issue for now.