Using ql.restore to resume execution apparently leads to incomplete memory map

*Describe the bug

Complex malware that takes a long time for Qiling to emulate, so I periodically take snaphosts with ql.save, and when I meet an unhandled API, I implement it and would like to resume execution where it stopped with ql.restore.

However the stack appears mostly empty, and the memory map is missing most of the allocated heaps.

Sample Code

from qiling import *
from qiling.const import *
import traceback
import signal
import sys
from qiling.os.windows.fncc import *
from qiling.os.windows.utils import *
from qiling.os.windows.api import *

from qiling.const import QL_ARCH
from qiling.exception import *
from qiling.os.const import *
from qiling.os.windows.const import *
from qiling.os.windows.handle import *
from qiling.os.windows import structs
#file sens.dll                                                                                    14:43:54
# sens.dll: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

"""
BOOL SetProcessDEPPolicy(
  DWORD dwFlags
);
"""
@winsdkapi(cc=STDCALL)
def SetProcessDEPPolicy(ql, address, params):
    ret = 0
    print("SetProcessDEPPolicy")
    return 0

# NTSYSAPI NTSTATUS NTAPI NtSetInformatonProcess(
#   _In_      HANDLE           ProcessHandle,
#   _In_      PROCESSINFOCLASS ProcessInformationClass,
#   _In_      PVOID            ProcessInformation
#   _In_      ULONG            ProcessInformationLength
# );
@winsdkapi(cc=STDCALL, params={
    'ProcessHandle'            : HANDLE,
    'ProcessInformationClass'  : PROCESSINFOCLASS,
    'ProcessInformation'       : PVOID,
    'ProcessInformationLength' : ULONG
})
def hook_ZwSetInformationProcess(ql: Qiling, address: int, params):
    _SetInformationProcess(ql, address, params)

@winsdkapi(cc=STDCALL, params={
    'ProcessHandle'            : HANDLE,
    'ProcessInformationClass'  : PROCESSINFOCLASS,
    'ProcessInformation'       : PVOID,
    'ProcessInformationLength' : ULONG
})
def hook_NtSetInformationProcess(ql: Qiling, address: int, params):
    _SetInformationProcess(ql, address, params)

def _SetInformationProcess(ql: Qiling, address: int, params):
    return 0

ql = Qiling(["sens.dll"], "/Users/vladimir/Tools/qiling/examples/rootfs/x86_windows", libcache=True, verbose=QL_VERBOSE.DEBUG)

DLL_MAIN   = 0x00482A0E     # Adress of DLLMain function

ql.set_api("SetProcessDEPPolicy", SetProcessDEPPolicy)
ql.set_api("ZwSetInformationProcess", hook_ZwSetInformationProcess)

def sigint_handler(signum, frame):
    print('Stopping Execution for Debug')

    if not "IPython" in sys.modules:
        import IPython
        IPython.embed()

def main():
    try:
        # hinstDLL
        ql.reg.rcx = 0x00400000   # Address where Qiling loads the DLL
        # fdwReason
        ql.reg.rdx = 0x1           # DLL_PROCESS_DETACH
        # lpvReserved
        ql.reg.r8 = 0x0
        ql.run(begin=DLL_MAIN, end=DLL_MAIN+4)
    except:
        ql.save(reg=True, mem=True, cpu_context=True, os_context=True, loader=True, snapshot="snapshot.bin")
        ql.emu_stop()
        traceback.print_exc()

        if not "IPython" in sys.modules:
            import IPython
            IPython.embed()

def iprompt():
    import IPython
    IPython.embed()

def show_stack():

    for i in range(0,8*32, 4):
        print(hex(ql.stack_read(i)))

def restore_continue():
    try:

        ql.restore("snapshot.bin")
        ql.reg.eip = 0x406469
        ql.verbose = QL_VERBOSE.DISASM
        ql.run(begin=ql.reg.eip, end=DLL_MAIN)
    except:
        traceback.print_exc()

        iprompt()

if __name__ == "__main__":

    signal.signal(signal.SIGINT, sigint_handler)

    if len(sys.argv) > 0:

        if sys.argv[1] == "restore":

            restore_continue()
        else:
            main()
    else:
        main()

    iprompt()

Expected behavior I expected ql.restore to provide a healthy state where execution could safely resume.

Additional context

Crash while emulating because of ZwSetInformationProcess:

pypy3 qunpack.py                                      0:28:56
[+] Profile: Default
[+] Map GDT at 0x30000 with GDT_LIMIT=4096
[+] Write to 0x30018 for new entry b'\x00\xf0\x00\x00\x00\xfeO\x00'
[+] Write to 0x30028 for new entry b'\x00\xf0\x00\x00\x00\x96O\x00'
[+] Write to 0x30070 for new entry b'\x00`\x00`\x00\xf6@\x00'
[+] Write to 0x30078 for new entry b'\x00\x00\x00\x00\x00\xf6@\x06'
[+] Windows Registry PATH: /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/registry
[=] Initiate stack address at 0xfffdd000
[=] Loading sens.dll to 0x400000
[=] PE entry point at 0x482a0e
[+] Setting up DllMain args
[+] Writing 0x00400000 (IMAGE_BASE) to [ESP+4](0xFFFFD004)
[+] Writing 0x01 (DLL_PROCESS_ATTACH) to [ESP+8](0xFFFFD008)
[=] TEB addr is 0x6000
[=] PEB addr is 0x6044
[=] Loading /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/ntdll.dll ...
[=] Loaded /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/ntdll.dll from cache
[=] Done with loading /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/ntdll.dll
[=] Loading /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/kernel32.dll ...
[=] Loaded /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/kernel32.dll from cache
[=] Done with loading /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/kernel32.dll
[=] Loading /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/user32.dll ...
[=] Loaded /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/user32.dll from cache
[=] Done with loading /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/user32.dll
[=] Loading /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/advapi32.dll ...
[=] Loaded /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/advapi32.dll from cache
[=] Done with loading /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/advapi32.dll
[=] Loading /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/oleaut32.dll ...
[=] Loaded /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/oleaut32.dll from cache
[=] Done with loading /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/oleaut32.dll
[+] Done with loading sens.dll
[+] 0x6b820bd0: LoadLibraryA(lpLibFileName = "kernel32.dll") = 0x6b800000
[+] 0x6b820900: GetModuleFileNameW(hModule = 0x400000, lpFilename = 0xffffcbd4, nSize = 0x104) = 0x42
[+] 0x6b823140: CreateFileW(lpFileName = "C:\\Users\\Qiling\\Desktop\\sens.dll", dwDesiredAccess = 0x80000000, dwShareMode = 0x3, lpSecurityAttributes = 0, dwCreationDisposition = 0x3, dwFlagsAndAttributes = 0x80, hTemplateFile = 0) = -0x1
[+] 0x6b8204c0: VirtualProtect(lpAddress = 0x401000, dwSize = 0xa474, flNewProtect = 0x40, lpflOldProtect = 0xffffcfd4) = 0x1
[+] 0x6b8204c0: VirtualProtect(lpAddress = 0x410000, dwSize = 0x4f, flNewProtect = 0x4, lpflOldProtect = 0xffffcfd4) = 0x1
[+] 0x6b820460: LocalAlloc(uFlags = 0, uBytes = 0xf4d8) = 0x50005dc
[+] 0x6b81f530: LocalFree(hMem = 0x50005dc) = 0x0
[+] 0x6b820460: LocalAlloc(uFlags = 0, uBytes = 0xf4d8) = 0x500fab4
[+] 0x6b81f530: LocalFree(hMem = 0x500fab4) = 0x0
[+] 0x6b820460: LocalAlloc(uFlags = 0, uBytes = 0xf4d8) = 0x501ef8c
[+] 0x6b81f530: LocalFree(hMem = 0x501ef8c) = 0x0
[+] 0x6b820460: LocalAlloc(uFlags = 0, uBytes = 0xf4d8) = 0x502e464
[+] 0x6b81f530: LocalFree(hMem = 0x502e464) = 0x0
[+] 0x6b820460: LocalAlloc(uFlags = 0, uBytes = 0xf4d8) = 0x503d93c
[+] 0x6b81f530: LocalFree(hMem = 0x503d93c) = 0x0
[+] 0x6b820460: LocalAlloc(uFlags = 0, uBytes = 0x68) = 0x50005dc
[+] 0x6b820bd0: LoadLibraryA(lpLibFileName = "kernel32.dll") = 0x6b800000
[+] 0x6b820bd0: LoadLibraryA(lpLibFileName = "NTDLL") = 0x4b280000
[+] 0x6b820bd0: LoadLibraryA(lpLibFileName = "NTDLL") = 0x4b280000
[+] 0x6b820bd0: LoadLibraryA(lpLibFileName = "NTDLL") = 0x4b280000
[+] 0x6b820bd0: LoadLibraryA(lpLibFileName = "NTDLL") = 0x4b280000
[+] 0x6b820bd0: LoadLibraryA(lpLibFileName = "NTDLL") = 0x4b280000
[+] 0x6b820bd0: LoadLibraryA(lpLibFileName = "NTDLL") = 0x4b280000
[+] 0x6b820bd0: LoadLibraryA(lpLibFileName = "NTDLL") = 0x4b280000
[+] 0x6b820bd0: LoadLibraryA(lpLibFileName = "user32.dll") = 0x69e00000
[+] 0x6b820bd0: LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x4c300000
[+] 0x6b820bd0: LoadLibraryA(lpLibFileName = "oleaut32.dll") = 0x10000000
[+] 0x6b8204c0: VirtualProtect(lpAddress = 0x401000, dwSize = 0xa474, flNewProtect = 0x20, lpflOldProtect = 0xffffcfd4) = 0x1
[+] 0x6b8204c0: VirtualProtect(lpAddress = 0x410000, dwSize = 0x4f, flNewProtect = 0x2, lpflOldProtect = 0xffffcfd4) = 0x1
[+] 0x6b821140: TlsAlloc() = 0x0
[+] 0x6b820460: LocalAlloc(uFlags = 0x40, uBytes = 0x8) = 0x500fab4
[+] 0x6b81dfb0: TlsSetValue(dwTlsIndex = 0, lpTlsValue = 0x500fab4) = 0x1
[+] 0x6b81df20: TlsGetValue(dwTlsIndex = 0) = 0x500fab4
[+] 0x69e8e500: GetKeyboardType(nTypeFlag = 0) = 0x7
[+] 0x69e8e500: GetKeyboardType(nTypeFlag = 0x1) = 0x0
[+] 0x6b821ee0: GetCommandLineA() = 0x501ef8c
[+] Writing Windows object StartupInfo
[+] Writing to 4294954776 with value b'A\x00\x00\x00'
[+] Writing to 4294954780 with value b'\x00\x00\x00\x00'
[+] Writing to 4294954784 with value b'0\xc9\xc3\x00'
[+] Writing to 4294954788 with value b'\x00\x00\x00\x00'
[+] Writing to 4294954792 with value b'\x00\x00\x00\x00'
[+] Writing to 4294954796 with value b'\x00\x00\x00\x00'
[+] Writing to 4294954800 with value b'd\x00\x00\x00'
[+] Writing to 4294954804 with value b'd\x00\x00\x00'
[+] Writing to 4294954808 with value b'\x84\x00\x00\x00'
[+] Writing to 4294954812 with value b'\x80\x00\x00\x00'
[+] Writing to 4294954816 with value b'\xff\x00\x00\x00'
[+] Writing to 4294954820 with value b'@\x00\x00\x00'
[+] Writing to 4294954824 with value b'\x01\x00'
[+] Writing to 4294954826 with value b'\x00\x00'
[+] Writing to 4294954828 with value b'\x00\x00\x00\x00'
[+] Writing to 4294954832 with value b'\xf6\xff\xff\xff'
[+] Writing to 4294954836 with value b'\xf5\xff\xff\xff'
[+] Writing to 4294954840 with value b'\xf4\xff\xff\xff'
[+] 0x6b820c80: GetStartupInfoA(lpStartupInfo = 0xffffcf18) = 0x0
[+] 0x6b821970: GetVersion() = 0x40004
[+] 0x6b821970: GetVersion() = 0x40004
[+] 0x6b8189d0: GetThreadLocale() = 0xc00
[+] 0x6b818410: GetLocaleInfoA(Locale = 0xc00, LCType = 0x1004, lpLCData = 0xffffcf51, cchData = 0x7) = 0x0
[+] 0x6b81df10: GetCurrentThreadId() = 0x0
[+] 0x6b81df40: QueryPerformanceCounter(lpPerformanceCount = 0xffffcf44) = 0x0
[+] 0x6b8223a0: GetTickCount() = 0x30d40
[+] 0x6b820a60: GetModuleHandleA(lpModuleName = "Kernel32.dll") = 0x6b800000
[+] 0x6b81f550: GetProcAddress(hModule = 0x6b800000, lpProcName = "SetProcessDEPPolicy") = 0x6b818920
SetProcessDEPPolicy
[+] 0x6b818920: SetProcessDEPPolicy() = 0x0
[+] 0x6b820a60: GetModuleHandleA(lpModuleName = "ntdll.dll") = 0x4b280000
[+] 0x6b81f550: GetProcAddress(hModule = 0x4b280000, lpProcName = "NtSetInformationProcess") = 0x4b2f2b70
[+] 0x6b822e80: GetCurrentProcess() = 0x7cc
[+] 0x4b2f2b70: ZwSetInformationProcess(ProcessHandle = 0x7cc, ProcessInformationClass = 0x22, ProcessInformation = 0xffffcf30, ProcessInformationLength = 0x4)
[+] ERROR: unmapped memory access at 0x5
[x] CPU Context:
[x] ah  : 0x0
[x] al  : 0x0
[x] ch  : 0x0
[x] cl  : 0xcf
[x] dh  : 0xd0
[x] dl  : 0x28
[x] bh  : 0x0
[x] bl  : 0xc
[x] ax  : 0x0
[x] cx  : 0xcf
[x] dx  : 0xd028
[x] bx  : 0xc
[x] sp  : 0xcf4c
[x] bp  : 0xcf60
[x] si  : 0xd630
[x] di  : 0x11bd
[x] ip  : 0x5
[x] eax : 0x0
[x] ecx : 0xcf
[x] edx : 0x40d028
[x] ebx : 0xc
[x] esp : 0xffffcf4c
[x] ebp : 0xffffcf60
[x] esi : 0x40d630
[x] edi : 0x4011bd
[x] eip : 0x5
[x] cr0 : 0x11
[x] cr1 : 0x0
[x] cr2 : 0x0
[x] cr3 : 0x0
[x] cr4 : 0x0
[x] cr5 : 0x0
[x] cr6 : 0x0
[x] cr7 : 0x0
[x] cr8 : 0x0
[x] cr9 : 0x0
[x] cr10    : 0x0
[x] cr11    : 0x0
[x] cr12    : 0x0
[x] cr13    : 0x0
[x] cr14    : 0x0
[x] cr15    : 0x0
[x] st0 : 0x0
[x] st1 : 0x0
[x] st2 : 0x0
[x] st3 : 0x0
[x] st4 : 0x0
[x] st5 : 0x0
[x] st6 : 0x0
[x] st7 : 0x0
[x] ef  : 0x86
[x] cs  : 0x1b
[x] ss  : 0x28
[x] ds  : 0x28
[x] es  : 0x28
[x] fs  : 0x73
[x] gs  : 0x78
[x] PC = 0x00000005 (unreachable)

[=] Memory map:
[=] Start      End        Perm    Label          Image
[=] 00006000 - 0000c000   rwx     [FS/GS]
[=] 00030000 - 00031000   rwx     [GDT]
[=] 00400000 - 00488000   rwx     [PE]           sens.dll
[=] 05000000 - 05001000   rwx     [heap]
[=] 05001000 - 05011000   rwx     [heap]
[=] 05011000 - 05021000   rwx     [heap]
[=] 05021000 - 05031000   rwx     [heap]
[=] 05031000 - 05041000   rwx     [heap]
[=] 05041000 - 05051000   rwx     [heap]
[=] 06000000 - 0c000000   rwx     [FS/GS]
[=] 10000000 - 10096000   rwx     oleaut32.dll   /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/oleaut32.dll
[=] 4b280000 - 4b423000   rwx     ntdll.dll      /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/ntdll.dll
[=] 4c300000 - 4c37a000   rwx     advapi32.dll   /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/advapi32.dll
[=] 69e00000 - 69f96000   rwx     user32.dll     /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/user32.dll
[=] 6b800000 - 6b8e5000   rwx     kernel32.dll   /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/kernel32.dll
[=] fffdd000 - ffffe000   rwx     [stack]
Traceback (most recent call last):
  File "qunpack.py", line 88, in <module>
    ql.run(begin=DLL_MAIN, end=DLL_MAIN+4)
  File "/usr/local/Cellar/pypy3/7.3.5_1/libexec/site-packages/qiling/core.py", line 728, in run
    self.os.run()
  File "/usr/local/Cellar/pypy3/7.3.5_1/libexec/site-packages/qiling/os/windows/windows.py", line 179, in run
    self.ql.emu_start(self.ql.loader.entry_point, self.exit_point, self.ql.timeout, self.ql.count)
  File "/usr/local/Cellar/pypy3/7.3.5_1/libexec/site-packages/qiling/core.py", line 875, in emu_start
    self.uc.emu_start(begin, end, timeout, count)
  File "/usr/local/Cellar/pypy3/7.3.5_1/libexec/site-packages/unicorn/unicorn.py", line 341, in emu_start
    raise UcError(status)
unicorn.unicorn.UcError: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED)

Attempt to resume execution:

 python3 qunpack.py restore                                                                                             12:23:08
[+] Profile: Default
[+] Map GDT at 0x30000 with GDT_LIMIT=4096
[+] Write to 0x30018 for new entry b'\x00\xf0\x00\x00\x00\xfeO\x00'
[+] Write to 0x30028 for new entry b'\x00\xf0\x00\x00\x00\x96O\x00'
[+] Write to 0x30070 for new entry b'\x00`\x00`\x00\xf6@\x00'
[+] Write to 0x30078 for new entry b'\x00\x00\x00\x00\x00\xf6@\x06'
[+] Windows Registry PATH: /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/registry
[=] Initiate stack address at 0xfffdd000
[=] Loading sens.dll to 0x400000
[=] PE entry point at 0x482a0e
[+] Setting up DllMain args
[+] Writing 0x00400000 (IMAGE_BASE) to [ESP+4](0xFFFFD004)
[+] Writing 0x01 (DLL_PROCESS_ATTACH) to [ESP+8](0xFFFFD008)
[=] TEB addr is 0x6000
[=] PEB addr is 0x6044
[=] Loading /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/ntdll.dll ...
[=] Loaded /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/ntdll.dll from cache
[=] Done with loading /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/ntdll.dll
[=] Loading /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/kernel32.dll ...
[=] Loaded /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/kernel32.dll from cache
[=] Done with loading /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/kernel32.dll
[=] Loading /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/user32.dll ...
[=] Loaded /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/user32.dll from cache
[=] Done with loading /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/user32.dll
[=] Loading /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/advapi32.dll ...
[=] Loaded /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/advapi32.dll from cache
[=] Done with loading /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/advapi32.dll
[=] Loading /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/oleaut32.dll ...
[=] Loaded /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/oleaut32.dll from cache
[=] Done with loading /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/oleaut32.dll
[+] Done with loading sens.dll
[=] 00406469 [[PE]                 + 0x006469]  00 00                         add                  byte ptr [eax], al
[+] ERROR: unmapped memory access at 0x0
[x] CPU Context:
[x] ah  : 0x0
[x] al  : 0x0
[x] ch  : 0x0
[x] cl  : 0x0
[x] dh  : 0x0
[x] dl  : 0x0
[x] bh  : 0x0
[x] bl  : 0x0
[x] ax  : 0x0
[x] cx  : 0x0
[x] dx  : 0x0
[x] bx  : 0x0
[x] sp  : 0xd000
[x] bp  : 0xd000
[x] si  : 0x0
[x] di  : 0x0
[x] ip  : 0x6469
[x] eax : 0x0
[x] ecx : 0x0
[x] edx : 0x0
[x] ebx : 0x0
[x] esp : 0xffffd000
[x] ebp : 0xffffd000
[x] esi : 0x0
[x] edi : 0x0
[x] eip : 0x406469
[x] cr0 : 0x11
[x] cr1 : 0x0
[x] cr2 : 0x0
[x] cr3 : 0x0
[x] cr4 : 0x0
[x] cr5 : 0x0
[x] cr6 : 0x0
[x] cr7 : 0x0
[x] cr8 : 0x0
[x] cr9 : 0x0
[x] cr10    : 0x0
[x] cr11    : 0x0
[x] cr12    : 0x0
[x] cr13    : 0x0
[x] cr14    : 0x0
[x] cr15    : 0x0
[x] st0 : 0x0
[x] st1 : 0x0
[x] st2 : 0x0
[x] st3 : 0x0
[x] st4 : 0x0
[x] st5 : 0x0
[x] st6 : 0x0
[x] st7 : 0x0
[x] ef  : 0x0
[x] cs  : 0x1b
[x] ss  : 0x28
[x] ds  : 0x28
[x] es  : 0x28
[x] fs  : 0x73
[x] gs  : 0x78
[x] Hexdump:
[x] 00 00 00 00 00 00 00 00
[x] Disassembly:
[=] 00406469 [[PE]                 + 0x006469]  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
[x] PC = 0x00406469 (sens.dll + 0x6469)

[=] Memory map:
[=] Start      End        Perm    Label          Image
[=] 00006000 - 0000c000   rwx     [FS/GS]
[=] 00030000 - 00031000   rwx     [GDT]
[=] 00400000 - 00488000   rwx     [PE]           sens.dll
[=] 05000000 - 05001000   rwx     [heap]
[=] 06000000 - 0c000000   rwx     [FS/GS]
[=] 10000000 - 10096000   rwx     oleaut32.dll   /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/oleaut32.dll
[=] 4b280000 - 4b423000   rwx     ntdll.dll      /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/ntdll.dll
[=] 4c300000 - 4c37a000   rwx     advapi32.dll   /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/advapi32.dll
[=] 69e00000 - 69f96000   rwx     user32.dll     /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/user32.dll
[=] 6b800000 - 6b8e5000   rwx     kernel32.dll   /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/kernel32.dll
[=] fffdd000 - ffffe000   rwx     [stack]
Traceback (most recent call last):
  File "qunpack.py", line 107, in restore_continue
    ql.run(begin=ql.reg.eip, end=DLL_MAIN)
  File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/qiling/core.py", line 728, in run
    self.os.run()
  File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/qiling/os/windows/windows.py", line 179, in run
    self.ql.emu_start(self.ql.loader.entry_point, self.exit_point, self.ql.timeout, self.ql.count)
  File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/qiling/core.py", line 875, in emu_start
    self.uc.emu_start(begin, end, timeout, count)
  File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/unicorn/unicorn.py", line 341, in emu_start
    raise UcError(status)
unicorn.unicorn.UcError: Invalid memory read (UC_ERR_READ_UNMAPPED)

right after the crash, pre-restore:

In [21]: ql.mem.show_mapinfo()
[=] Start      End        Perm    Label          Image
[=] 00006000 - 0000c000   rwx     [FS/GS]
[=] 00030000 - 00031000   rwx     [GDT]
[=] 00400000 - 00488000   rwx     [PE]           sens.dll
[=] 05000000 - 05001000   rwx     [heap]
[=] 05001000 - 05011000   rwx     [heap]
[=] 05011000 - 05021000   rwx     [heap]
[=] 05021000 - 05031000   rwx     [heap]
[=] 05031000 - 05041000   rwx     [heap]
[=] 05041000 - 05051000   rwx     [heap]
[=] 06000000 - 0c000000   rwx     [FS/GS]
[=] 10000000 - 10096000   rwx     oleaut32.dll   /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/oleaut32.dll
[=] 4b280000 - 4b423000   rwx     ntdll.dll      /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/ntdll.dll
[=] 4c300000 - 4c37a000   rwx     advapi32.dll   /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/advapi32.dll
[=] 69e00000 - 69f96000   rwx     user32.dll     /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/user32.dll
[=] 6b800000 - 6b8e5000   rwx     kernel32.dll   /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/kernel32.dll
[=] fffdd000 - ffffe000   rwx     [stack]

In [22]:

with ql.restore

In [7]: ql.mem.show_mapinfo()
[=] Start      End        Perm    Label          Image
[=] 00006000 - 0000c000   rwx     [FS/GS]
[=] 00030000 - 00031000   rwx     [GDT]
[=] 00400000 - 00488000   rwx     [PE]           sens.dll
[=] 05000000 - 05001000   rwx     [heap]
[=] 06000000 - 0c000000   rwx     [FS/GS]
[=] 10000000 - 10096000   rwx     oleaut32.dll   /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/oleaut32.dll
[=] 4b280000 - 4b423000   rwx     ntdll.dll      /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/ntdll.dll
[=] 4c300000 - 4c37a000   rwx     advapi32.dll   /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/advapi32.dll
[=] 69e00000 - 69f96000   rwx     user32.dll     /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/user32.dll
[=] 6b800000 - 6b8e5000   rwx     kernel32.dll   /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/kernel32.dll
[=] fffdd000 - ffffe000   rwx     [stack]

In [8]:

and the good stack:

In [20]: for i in range(0,8*32, 4):
    ...:     print(hex(ql.stack_read(i)))
    ...:
    ...:
0xffffced0
0x46
0x46
0x46
0x43bed3
0x46
0xda90e815
0x46
0x46
0x40120a
0xffffce6c
...

and the bad stack (with restore):

In [9]: hex(ql.reg.eip)
Out[9]: '0x406469'

In [10]: for i in range(0,8*32, 4):
    ...:
    ...:     print(hex(ql.stack_read(i)))
    ...:
0x0
0x400000
0x1
0x0
0x0
0x0
....

As suggested on the Telegram group chat, I added emu_error before saving the snapshot and after restoring:

before saving, at the moment of a crash:

sens.dll:UNKNOWN @ 0x428d1d
:: 0x428d1d:    push    dword ptr [esp + 0x44]
sens.dll:UNKNOWN @ 0x428d21
:: 0x428d21:    ret 0x4c
[!] api ExpandEnvironmentStringsA is not implemented
[+] ERROR: unmapped memory access at 0xa6aa8
[x] CPU Context:
[x] ah  : 0x54
[x] al  : 0xd0
[x] ch  : 0x0
[x] cl  : 0x30
[x] dh  : 0x0
[x] dl  : 0x8
[x] bh  : 0xcf
[x] bl  : 0xbc
[x] ax  : 0x54d0
[x] cx  : 0x30
[x] dx  : 0x8
[x] bx  : 0xcfbc
[x] sp  : 0xce28
[x] bp  : 0xcf3c
[x] si  : 0xd65c
[x] di  : 0xcfec
[x] ip  : 0x6aa8
[x] eax : 0x4054d0
[x] ecx : 0x30
[x] edx : 0x8
[x] ebx : 0xffffcfbc
[x] esp : 0xffffce28
[x] ebp : 0xffffcf3c
[x] esi : 0x40d65c
[x] edi : 0xffffcfec
[x] eip : 0xa6aa8
[x] cr0 : 0x11
[x] cr1 : 0x0
[x] cr2 : 0x0
[x] cr3 : 0x0
[x] cr4 : 0x0
[x] cr5 : 0x0
[x] cr6 : 0x0
[x] cr7 : 0x0
[x] cr8 : 0x0
[x] cr9 : 0x0
[x] cr10    : 0x0
[x] cr11    : 0x0
[x] cr12    : 0x0
[x] cr13    : 0x0
[x] cr14    : 0x0
[x] cr15    : 0x0
[x] st0 : 0x0
[x] st1 : 0x0
[x] st2 : 0x0
[x] st3 : 0x0
[x] st4 : 0x0
[x] st5 : 0x0
[x] st6 : 0x0
[x] st7 : 0x0
[x] ef  : 0x2
[x] cs  : 0x1b
[x] ss  : 0x28
[x] ds  : 0x28
[x] es  : 0x28
[x] fs  : 0x73
[x] gs  : 0x78
[x] PC = 0x000a6aa8 (unreachable)

[=] Memory map:
[=] Start      End        Perm    Label          Image
[=] 00006000 - 0000c000   rwx     [FS/GS]
[=] 00030000 - 00031000   rwx     [GDT]
[=] 00400000 - 00488000   rwx     [PE]           sens.dll
[=] 05000000 - 05001000   rwx     [heap]
[=] 05001000 - 05011000   rwx     [heap]
[=] 05011000 - 05021000   rwx     [heap]
[=] 05021000 - 05031000   rwx     [heap]
[=] 05031000 - 05041000   rwx     [heap]
[=] 05041000 - 05051000   rwx     [heap]
[=] 05051000 - 05151000   rwx     [heap]
[=] 06000000 - 0c000000   rwx     [FS/GS]
[=] 10000000 - 10096000   rwx     oleaut32.dll   /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/oleaut32.dll
[=] 4b280000 - 4b423000   rwx     ntdll.dll      /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/ntdll.dll
[=] 4c300000 - 4c37a000   rwx     advapi32.dll   /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/advapi32.dll
[=] 69e00000 - 69f96000   rwx     user32.dll     /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/user32.dll
[=] 6b800000 - 6b8e5000   rwx     kernel32.dll   /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/kernel32.dll
[=] fffdd000 - ffffe000   rwx     [stack]
[x] CPU Context:
[x] ah  : 0x54
[x] al  : 0xd0
[x] ch  : 0x0
[x] cl  : 0x30
[x] dh  : 0x0
[x] dl  : 0x8
[x] bh  : 0xcf
[x] bl  : 0xbc
[x] ax  : 0x54d0
[x] cx  : 0x30
[x] dx  : 0x8
[x] bx  : 0xcfbc
[x] sp  : 0xce28
[x] bp  : 0xcf3c
[x] si  : 0xd65c
[x] di  : 0xcfec
[x] ip  : 0x6aa8
[x] eax : 0x4054d0
[x] ecx : 0x30
[x] edx : 0x8
[x] ebx : 0xffffcfbc
[x] esp : 0xffffce28
[x] ebp : 0xffffcf3c
[x] esi : 0x40d65c
[x] edi : 0xffffcfec
[x] eip : 0xa6aa8
[x] cr0 : 0x11
[x] cr1 : 0x0
[x] cr2 : 0x0
[x] cr3 : 0x0
[x] cr4 : 0x0
[x] cr5 : 0x0
[x] cr6 : 0x0
[x] cr7 : 0x0
[x] cr8 : 0x0
[x] cr9 : 0x0
[x] cr10    : 0x0
[x] cr11    : 0x0
[x] cr12    : 0x0
[x] cr13    : 0x0
[x] cr14    : 0x0
[x] cr15    : 0x0
[x] st0 : 0x0
[x] st1 : 0x0
[x] st2 : 0x0
[x] st3 : 0x0
[x] st4 : 0x0
[x] st5 : 0x0
[x] st6 : 0x0
[x] st7 : 0x0
[x] ef  : 0x2
[x] cs  : 0x1b
[x] ss  : 0x28
[x] ds  : 0x28
[x] es  : 0x28
[x] fs  : 0x73
[x] gs  : 0x78
[x] PC = 0x000a6aa8 (unreachable)

[=] Memory map:
[=] Start      End        Perm    Label          Image
[=] 00006000 - 0000c000   rwx     [FS/GS]
[=] 00030000 - 00031000   rwx     [GDT]
[=] 00400000 - 00488000   rwx     [PE]           sens.dll
[=] 05000000 - 05001000   rwx     [heap]
[=] 05001000 - 05011000   rwx     [heap]
[=] 05011000 - 05021000   rwx     [heap]
[=] 05021000 - 05031000   rwx     [heap]
[=] 05031000 - 05041000   rwx     [heap]
[=] 05041000 - 05051000   rwx     [heap]
[=] 05051000 - 05151000   rwx     [heap]
[=] 06000000 - 0c000000   rwx     [FS/GS]
[=] 10000000 - 10096000   rwx     oleaut32.dll   /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/oleaut32.dll
[=] 4b280000 - 4b423000   rwx     ntdll.dll      /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/ntdll.dll
[=] 4c300000 - 4c37a000   rwx     advapi32.dll   /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/advapi32.dll
[=] 69e00000 - 69f96000   rwx     user32.dll     /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/user32.dll
[=] 6b800000 - 6b8e5000   rwx     kernel32.dll   /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/kernel32.dll
[=] fffdd000 - ffffe000   rwx     [stack]
Traceback (most recent call last):
  File "qunpack.py", line 161, in main
    ql.run(begin=DLL_MAIN, end=DLL_MAIN+4)
  File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/qiling/core.py", line 728, in run
    self.os.run()
  File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/qiling/os/windows/windows.py", line 179, in run
    self.ql.emu_start(self.ql.loader.entry_point, self.exit_point, self.ql.timeout, self.ql.count)
  File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/qiling/core.py", line 875, in emu_start
    self.uc.emu_start(begin, end, timeout, count)
  File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/unicorn/unicorn.py", line 341, in emu_start
    raise UcError(status)
unicorn.unicorn.UcError: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED)
Python 3.8.7 (v3.8.7:6503f05dd5, Dec 21 2020, 12:45:15)
Type 'copyright', 'credits' or 'license' for more information
IPython 7.22.0 -- An enhanced Interactive Python. Type '?' for help.

In [1]:

after restoring

 python3 qunpack.py restore                                                                                             
[+] Profile: Default
[+] Map GDT at 0x30000 with GDT_LIMIT=4096
[+] Write to 0x30018 for new entry b'\x00\xf0\x00\x00\x00\xfeO\x00'
[+] Write to 0x30028 for new entry b'\x00\xf0\x00\x00\x00\x96O\x00'
[+] Write to 0x30070 for new entry b'\x00`\x00`\x00\xf6@\x00'
[+] Write to 0x30078 for new entry b'\x00\x00\x00\x00\x00\xf6@\x06'
[+] Windows Registry PATH: /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/registry
[=] Initiate stack address at 0xfffdd000
[=] Loading sens.dll to 0x400000
[=] PE entry point at 0x482a0e
[+] Setting up DllMain args
[+] Writing 0x00400000 (IMAGE_BASE) to [ESP+4](0xFFFFD004)
[+] Writing 0x01 (DLL_PROCESS_ATTACH) to [ESP+8](0xFFFFD008)
[=] TEB addr is 0x6000
[=] PEB addr is 0x6044
[=] Loading /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/ntdll.dll ...
[=] Loaded /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/ntdll.dll from cache
[=] Done with loading /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/ntdll.dll
[=] Loading /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/kernel32.dll ...
[=] Loaded /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/kernel32.dll from cache
[=] Done with loading /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/kernel32.dll
[=] Loading /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/user32.dll ...
[=] Loaded /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/user32.dll from cache
[=] Done with loading /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/user32.dll
[=] Loading /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/advapi32.dll ...
[=] Loaded /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/advapi32.dll from cache
[=] Done with loading /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/advapi32.dll
[=] Loading /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/oleaut32.dll ...
[=] Loaded /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/oleaut32.dll from cache
[=] Done with loading /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/oleaut32.dll
[+] Done with loading sens.dll
[x] CPU Context:
[x] ah  : 0x0
[x] al  : 0x0
[x] ch  : 0x0
[x] cl  : 0x0
[x] dh  : 0x0
[x] dl  : 0x0
[x] bh  : 0x0
[x] bl  : 0x0
[x] ax  : 0x0
[x] cx  : 0x0
[x] dx  : 0x0
[x] bx  : 0x0
[x] sp  : 0xd000
[x] bp  : 0xd000
[x] si  : 0x0
[x] di  : 0x0
[x] ip  : 0x0
[x] eax : 0x0
[x] ecx : 0x0
[x] edx : 0x0
[x] ebx : 0x0
[x] esp : 0xffffd000
[x] ebp : 0xffffd000
[x] esi : 0x0
[x] edi : 0x0
[x] eip : 0x0
[x] cr0 : 0x11
[x] cr1 : 0x0
[x] cr2 : 0x0
[x] cr3 : 0x0
[x] cr4 : 0x0
[x] cr5 : 0x0
[x] cr6 : 0x0
[x] cr7 : 0x0
[x] cr8 : 0x0
[x] cr9 : 0x0
[x] cr10    : 0x0
[x] cr11    : 0x0
[x] cr12    : 0x0
[x] cr13    : 0x0
[x] cr14    : 0x0
[x] cr15    : 0x0
[x] st0 : 0x0
[x] st1 : 0x0
[x] st2 : 0x0
[x] st3 : 0x0
[x] st4 : 0x0
[x] st5 : 0x0
[x] st6 : 0x0
[x] st7 : 0x0
[x] ef  : 0x0
[x] cs  : 0x1b
[x] ss  : 0x28
[x] ds  : 0x28
[x] es  : 0x28
[x] fs  : 0x73
[x] gs  : 0x78
[x] PC = 0x00000000 (unreachable)

[=] Memory map:
[=] Start      End        Perm    Label          Image
[=] 00006000 - 0000c000   rwx     [FS/GS]
[=] 00030000 - 00031000   rwx     [GDT]
[=] 00400000 - 00488000   rwx     [PE]           sens.dll
[=] 05000000 - 05001000   rwx     [heap]
[=] 06000000 - 0c000000   rwx     [FS/GS]
[=] 10000000 - 10096000   rwx     oleaut32.dll   /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/oleaut32.dll
[=] 4b280000 - 4b423000   rwx     ntdll.dll      /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/ntdll.dll
[=] 4c300000 - 4c37a000   rwx     advapi32.dll   /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/advapi32.dll
[=] 69e00000 - 69f96000   rwx     user32.dll     /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/user32.dll
[=] 6b800000 - 6b8e5000   rwx     kernel32.dll   /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/kernel32.dll
[=] fffdd000 - ffffe000   rwx     [stack]
[=] 00428d21 [[PE]                 + 0x028d21]  00 00                         add                  byte ptr [eax], al
[+] ERROR: unmapped memory access at 0x0
[x] CPU Context:
[x] ah  : 0x0
[x] al  : 0x0
[x] ch  : 0x0
[x] cl  : 0x0
[x] dh  : 0x0
[x] dl  : 0x0
[x] bh  : 0x0
[x] bl  : 0x0
[x] ax  : 0x0
[x] cx  : 0x0
[x] dx  : 0x0
[x] bx  : 0x0
[x] sp  : 0xd000
[x] bp  : 0xd000
[x] si  : 0x0
[x] di  : 0x0
[x] ip  : 0x8d21
[x] eax : 0x0
[x] ecx : 0x0
[x] edx : 0x0
[x] ebx : 0x0
[x] esp : 0xffffd000
[x] ebp : 0xffffd000
[x] esi : 0x0
[x] edi : 0x0
[x] eip : 0x428d21
[x] cr0 : 0x11
[x] cr1 : 0x0
[x] cr2 : 0x0
[x] cr3 : 0x0
[x] cr4 : 0x0
[x] cr5 : 0x0
[x] cr6 : 0x0
[x] cr7 : 0x0
[x] cr8 : 0x0
[x] cr9 : 0x0
[x] cr10    : 0x0
[x] cr11    : 0x0
[x] cr12    : 0x0
[x] cr13    : 0x0
[x] cr14    : 0x0
[x] cr15    : 0x0
[x] st0 : 0x0
[x] st1 : 0x0
[x] st2 : 0x0
[x] st3 : 0x0
[x] st4 : 0x0
[x] st5 : 0x0
[x] st6 : 0x0
[x] st7 : 0x0
[x] ef  : 0x0
[x] cs  : 0x1b
[x] ss  : 0x28
[x] ds  : 0x28
[x] es  : 0x28
[x] fs  : 0x73
[x] gs  : 0x78
[x] Hexdump:
[x] 00 00 00 00 00 00 00 00
[x] Disassembly:
[=] 00428d21 [[PE]                 + 0x028d21]  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
> add                  byte ptr [eax], al
[x] PC = 0x00428d21 (sens.dll + 0x28d21)

[=] Memory map:
[=] Start      End        Perm    Label          Image
[=] 00006000 - 0000c000   rwx     [FS/GS]
[=] 00030000 - 00031000   rwx     [GDT]
[=] 00400000 - 00488000   rwx     [PE]           sens.dll
[=] 05000000 - 05001000   rwx     [heap]
[=] 06000000 - 0c000000   rwx     [FS/GS]
[=] 10000000 - 10096000   rwx     oleaut32.dll   /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/oleaut32.dll
[=] 4b280000 - 4b423000   rwx     ntdll.dll      /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/ntdll.dll
[=] 4c300000 - 4c37a000   rwx     advapi32.dll   /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/advapi32.dll
[=] 69e00000 - 69f96000   rwx     user32.dll     /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/user32.dll
[=] 6b800000 - 6b8e5000   rwx     kernel32.dll   /Users/vladimir/Tools/qiling/examples/rootfs/x86_windows/Windows/System32/kernel32.dll
[=] fffdd000 - ffffe000   rwx     [stack]
Traceback (most recent call last):
  File "qunpack.py", line 214, in restore_continue
    ql.run(begin=ql.reg.eip, end=DLL_MAIN)
  File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/qiling/core.py", line 728, in run
    self.os.run()
  File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/qiling/os/windows/windows.py", line 179, in run
    self.ql.emu_start(self.ql.loader.entry_point, self.exit_point, self.ql.timeout, self.ql.count)
  File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/qiling/core.py", line 875, in emu_start
    self.uc.emu_start(begin, end, timeout, count)
  File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/unicorn/unicorn.py", line 341, in emu_start
    raise UcError(status)
unicorn.unicorn.UcError: Invalid memory read (UC_ERR_READ_UNMAPPED)

qilingframework / qiling

Using ql.restore to resume execution apparently leads to incomplete memory map #938