Closed frozenkp closed 3 years ago
Hmm.. I think this is related to the risk of overlapping the heap. Let's try to push the heap base address a little bit further and give it another try. Edit qiling/profiles/windows.ql and look for the [OS32] section. Under that section change the value of heap_address from its default 0x5000000 to 0x70000000 (note the additional 0). No other change needed, just save the file and re-run.
Hi, aren't libraries loaded one by one at dll_address = 0x10000000? I think that we should load msvbvm60.dll into its base address 0x66000000.

Edit qiling/profiles/windows.ql and look for the [OS32] section. Under that section change the value of heap_address from its default 0x5000000 to 0x70000000 (note the additional 0). No other change needed, just save the file and re-run.

This makes space for it, but the dll is still mapped at the same address. Is there any way to map it to a specific address?
Yes, you are right. I read the code that refers to PE loading and didn't notice DLL files are handled differently. As opposed to regular PE files, the DLLs' ImageBase property is not taken into account and they are loaded to the same address every time. Let me see if I can apply a quick patch.
The fix has been merged to the dev branch. Pull the latest changes and let me know if it works.
@elicn It works perfectly now. Thanks a lot. I really appreciate that.
Describe the bug
We found that msvbvm60.dll uses several hard-coded addresses in its instructions. These addresses are based on the base address recorded in the dll header, and the base address should be 0x66000000. I read the code in loader/pe.py. The load_dll function maps each dll one by one from 0x10000000. Here are the logs. Please look at the instructions and machine code at 0x102b2c96, 0x102b2c9b, and 0x102b2cbc.

Sample Code
nope

Expected behavior
The msvbvm60.dll should be mapped to 0x66000000, instead of 0x10288000.

Screenshots
Here is the disasm of sym.MSVBVM60.DLL_ThunRTMain using radare2. DLL header:
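As an added illustration of the loader behaviour this issue describes (example code written for this page, not Qiling's loader/pe.py), the Python below builds two stub PE32 headers in memory (constructed data, not real DLLs), reads their ImageBase and SizeOfImage fields from the optional header, and compares a toy loader that places every DLL back-to-back from dll_address = 0x10000000 with one that honours ImageBase when the preferred range is free. The absolute_ref_resolves check shows why an absolute address baked into msvbvm60.dll's code only points inside the image when the DLL sits at its preferred base. The DllLoader class, demo function and the sample value HARDCODED_VA are this example's own assumptions, not names from the project.

```python
import struct

# PE/COFF layout constants (per the PE format specification)
DOS_E_LFANEW_OFFSET = 0x3C
PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_SIZE = 20
PE32_MAGIC = 0x10B
OPT_IMAGEBASE_OFFSET = 28     # ImageBase within the PE32 optional header
OPT_SIZEOFIMAGE_OFFSET = 56   # SizeOfImage within the PE32 optional header
PAGE = 0x1000


def build_stub_pe32(image_base, size_of_image):
    """Build a minimal PE32 header (constructed test data, not a real DLL)
    carrying just the fields this example reads."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, DOS_E_LFANEW_OFFSET, e_lfanew)
    # COFF header: Machine=i386, 1 section, SizeOfOptionalHeader=96,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 96, 0x2102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, OPT_IMAGEBASE_OFFSET, image_base)
    struct.pack_into("<I", opt, OPT_SIZEOFIMAGE_OFFSET, size_of_image)
    return bytes(dos) + PE_SIGNATURE + coff + bytes(opt)


def read_image_base(data):
    """Return (ImageBase, SizeOfImage) from a PE32 image's optional header."""
    e_lfanew = struct.unpack_from("<I", data, DOS_E_LFANEW_OFFSET)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + COFF_HEADER_SIZE
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 (32-bit) images are handled here")
    image_base = struct.unpack_from("<I", data, opt + OPT_IMAGEBASE_OFFSET)[0]
    size = struct.unpack_from("<I", data, opt + OPT_SIZEOFIMAGE_OFFSET)[0]
    return image_base, size


class DllLoader:
    """Toy loader (hypothetical; not Qiling's code). With honor_image_base=False
    every DLL is placed back-to-back starting at dll_address, which is the
    behaviour the issue reports. With True the preferred ImageBase is used
    whenever that range is still free."""

    def __init__(self, dll_address=0x10000000, honor_image_base=True):
        self.next_free = dll_address
        self.honor_image_base = honor_image_base
        self.mapped = {}  # name -> (base, size)

    def _overlaps(self, base, size):
        return any(base < b + s and b < base + size for b, s in self.mapped.values())

    def _round(self, size):
        return (size + PAGE - 1) & ~(PAGE - 1)

    def load(self, name, data):
        image_base, size = read_image_base(data)
        size = self._round(size)
        if self.honor_image_base and not self._overlaps(image_base, size):
            base = image_base
        else:
            # sequential placement; skip over anything already mapped
            base = self.next_free
            while self._overlaps(base, size):
                base += PAGE
            self.next_free = base + size
        self.mapped[name] = (base, size)
        return base

    def absolute_ref_resolves(self, name, hardcoded_va):
        """True if an absolute address the linker computed from ImageBase still
        falls inside the image as mapped. Without relocation processing, a DLL
        mapped elsewhere leaves such pointers dangling."""
        base, size = self.mapped[name]
        return base <= hardcoded_va < base + size


# Constructed sample images: a small helper DLL and an msvbvm60-like DLL
# whose preferred base is 0x66000000 (as the issue states).
HELPER_DLL = build_stub_pe32(0x10000000, 0x20000)
MSVBVM60_DLL = build_stub_pe32(0x66000000, 0x150000)
HARDCODED_VA = 0x660A1234  # hypothetical absolute pointer inside msvbvm60


def demo(honor_image_base):
    ldr = DllLoader(honor_image_base=honor_image_base)
    ldr.load("helper.dll", HELPER_DLL)
    base = ldr.load("msvbvm60.dll", MSVBVM60_DLL)
    return base, ldr.absolute_ref_resolves("msvbvm60.dll", HARDCODED_VA)


if __name__ == "__main__":
    for mode in (False, True):
        base, ok = demo(mode)
        print(f"honor ImageBase={mode}: msvbvm60.dll at {base:#x}, "
              f"hard-coded {HARDCODED_VA:#x} resolves: {ok}")
```

With sequential placement the msvbvm60-like image lands right after the helper DLL and its hard-coded pointer falls outside the mapped range, which is the failure the issue's disassembly at 0x102b2c96 and following shows; honouring ImageBase keeps the pointer valid. A loader that cannot grant the preferred base must instead walk the .reloc section and patch every absolute reference, which this toy deliberately omits.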