qiling
Issue with ql.set_api ??
Describe the bug
Trying to run shellcode and does not appear to be getting to the part where it runs the shellcode at all when calling via a custom Python script.
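Sample Code

```python
import os

from qiling import Qiling
from qiling.const import QL_VERBOSE
from qiling.os.windows.fncc import *  # winsdkapi, STDCALL

# User-defined replacement for LdrLoadDll: prints a marker and returns 0.
@winsdkapi(cc=STDCALL)
def hook_LdrLoadDll(ql, addr, params):
    print("[*] Import: library")
    return 0

# Fragment from a method of the calling class (hence `self`).
with open(self.sample, 'rb') as f:
    content = f.read()

ql = Qiling(code=content, archtype=self.arch, ostype="windows", rootfs=os.path.join(self.rootfs, self.arch + '_windows'), verbose=QL_VERBOSE.DISASM if self.verbose else QL_VERBOSE.DEBUG)
ql.set_api("LdrLoadDll", hook_LdrLoadDll)
ql.run()
```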
When ql.set_api is called
[+] Profile: default
[+] Mapping GDT at 0x30000 with limit 0x1000
[+] Loading Windows registry hive from /redacted/qiling/examples/rootfs/x86_windows/Windows/registry
[=] Initiate stack address at 0xfffdd000
[=] TEB is at 0x6000
[=] PEB is at 0x61b0
[=] LDR is at 0x6630
[=] Loading ntdll.dll ...
[+] Warnings while loading ntdll.dll:
[+] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[+] - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[+] DLL preferred base address: 0x4b280000
[+] Init imports for ntdll.dll
[=] Done loading ntdll.dll
[=] Loading kernel32.dll ...
[+] DLL preferred base address: 0x6b800000
[+] Init imports for kernel32.dll
[+] Requesting imports from api-ms-win-core-rtlsupport-l1-2-0.dll
[+] Redirecting api-ms-win-core-rtlsupport-l1-2-0.dll to ntdll.dll
[+] Requesting imports from ntdll.dll
[+] Requesting imports from kernelbase.dll
[=] Loading kernelbase.dll ...
[+] DLL preferred base address: 0x10000000
[+] Init imports for kernelbase.dll
[+] Requesting imports from ntdll.dll
[+] Requesting imports from api-ms-win-eventing-provider-l1-1-0.dll
[+] Redirecting api-ms-win-eventing-provider-l1-1-0.dll to kernelbase.dll
[+] Ignoring kernelbase.dll entry point
[=] Done loading kernelbase.dll
[+] Requesting imports from api-ms-win-core-processthreads-l1-1-2.dll
[+] Redirecting api-ms-win-core-processthreads-l1-1-2.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-processthreads-l1-1-3.dll
[+] Redirecting api-ms-win-core-processthreads-l1-1-3.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-registry-l1-1-0.dll
[+] Redirecting api-ms-win-core-registry-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-heap-l1-2-0.dll
[+] Redirecting api-ms-win-core-heap-l1-2-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-heap-l2-1-0.dll
[+] Redirecting api-ms-win-core-heap-l2-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-memory-l1-1-2.dll
[+] Redirecting api-ms-win-core-memory-l1-1-2.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-enclave-l1-1-0.dll
[+] Redirecting api-ms-win-core-enclave-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-handle-l1-1-0.dll
[+] Redirecting api-ms-win-core-handle-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-synch-l1-2-0.dll
[+] Redirecting api-ms-win-core-synch-l1-2-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-synch-l1-2-1.dll
[+] Redirecting api-ms-win-core-synch-l1-2-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-file-l1-2-1.dll
[+] Redirecting api-ms-win-core-file-l1-2-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-file-l1-2-2.dll
[+] Redirecting api-ms-win-core-file-l1-2-2.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-delayload-l1-1-1.dll
[+] Redirecting api-ms-win-core-delayload-l1-1-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-io-l1-1-1.dll
[+] Redirecting api-ms-win-core-io-l1-1-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-job-l1-1-0.dll
[+] Redirecting api-ms-win-core-job-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-threadpool-legacy-l1-1-0.dll
[+] Redirecting api-ms-win-core-threadpool-legacy-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-threadpool-private-l1-1-0.dll
[+] Redirecting api-ms-win-core-threadpool-private-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-libraryloader-l1-2-2.dll
[+] Redirecting api-ms-win-core-libraryloader-l1-2-2.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-libraryloader-l1-2-0.dll
[+] Redirecting api-ms-win-core-libraryloader-l1-2-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-libraryloader-l2-1-0.dll
[+] Redirecting api-ms-win-core-libraryloader-l2-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-namedpipe-l1-2-2.dll
[+] Redirecting api-ms-win-core-namedpipe-l1-2-2.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-namedpipe-l1-2-0.dll
[+] Redirecting api-ms-win-core-namedpipe-l1-2-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-datetime-l1-1-1.dll
[+] Redirecting api-ms-win-core-datetime-l1-1-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-datetime-l1-1-2.dll
[+] Redirecting api-ms-win-core-datetime-l1-1-2.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-sysinfo-l1-2-1.dll
[+] Redirecting api-ms-win-core-sysinfo-l1-2-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-sysinfo-l1-2-3.dll
[+] Redirecting api-ms-win-core-sysinfo-l1-2-3.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-timezone-l1-1-0.dll
[+] Redirecting api-ms-win-core-timezone-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-localization-l1-2-1.dll
[+] Redirecting api-ms-win-core-localization-l1-2-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-localization-private-l1-1-0.dll
[+] Redirecting api-ms-win-core-localization-private-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-processsnapshot-l1-1-0.dll
[+] Redirecting api-ms-win-core-processsnapshot-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-processenvironment-l1-2-0.dll
[+] Redirecting api-ms-win-core-processenvironment-l1-2-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-string-l1-1-0.dll
[+] Redirecting api-ms-win-core-string-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-debug-l1-1-1.dll
[+] Redirecting api-ms-win-core-debug-l1-1-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-errorhandling-l1-1-1.dll
[+] Redirecting api-ms-win-core-errorhandling-l1-1-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-errorhandling-l1-1-3.dll
[+] Redirecting api-ms-win-core-errorhandling-l1-1-3.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-fibers-l1-1-1.dll
[+] Redirecting api-ms-win-core-fibers-l1-1-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-util-l1-1-0.dll
[+] Redirecting api-ms-win-core-util-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-profile-l1-1-0.dll
[+] Redirecting api-ms-win-core-profile-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-security-base-l1-2-0.dll
[+] Redirecting api-ms-win-security-base-l1-2-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-comm-l1-1-0.dll
[+] Redirecting api-ms-win-core-comm-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-wow64-l1-1-1.dll
[+] Redirecting api-ms-win-core-wow64-l1-1-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-wow64-l1-1-0.dll
[+] Redirecting api-ms-win-core-wow64-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-realtime-l1-1-0.dll
[+] Redirecting api-ms-win-core-realtime-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-systemtopology-l1-1-1.dll
[+] Redirecting api-ms-win-core-systemtopology-l1-1-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-systemtopology-l1-1-0.dll
[+] Redirecting api-ms-win-core-systemtopology-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-processtopology-l1-2-0.dll
[+] Redirecting api-ms-win-core-processtopology-l1-2-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-namespace-l1-1-0.dll
[+] Redirecting api-ms-win-core-namespace-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-file-l2-1-2.dll
[+] Redirecting api-ms-win-core-file-l2-1-2.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-file-l2-1-1.dll
[+] Redirecting api-ms-win-core-file-l2-1-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-xstate-l2-1-0.dll
[+] Redirecting api-ms-win-core-xstate-l2-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-localization-l2-1-0.dll
[+] Redirecting api-ms-win-core-localization-l2-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-normalization-l1-1-0.dll
[+] Redirecting api-ms-win-core-normalization-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-fibers-l2-1-1.dll
[+] Redirecting api-ms-win-core-fibers-l2-1-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-sidebyside-l1-1-0.dll
[+] Redirecting api-ms-win-core-sidebyside-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-appcompat-l1-1-1.dll
[+] Redirecting api-ms-win-core-appcompat-l1-1-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-windowserrorreporting-l1-1-0.dll
[+] Redirecting api-ms-win-core-windowserrorreporting-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-windowserrorreporting-l1-1-1.dll
[+] Redirecting api-ms-win-core-windowserrorreporting-l1-1-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-console-l1-1-0.dll
[+] Redirecting api-ms-win-core-console-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-console-l2-1-0.dll
[+] Redirecting api-ms-win-core-console-l2-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-console-l3-1-0.dll
[+] Redirecting api-ms-win-core-console-l3-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-psapi-l1-1-0.dll
[+] Redirecting api-ms-win-core-psapi-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-psapi-ansi-l1-1-0.dll
[+] Redirecting api-ms-win-core-psapi-ansi-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-security-appcontainer-l1-1-0.dll
[+] Redirecting api-ms-win-security-appcontainer-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-eventing-provider-l1-1-0.dll
[+] Redirecting api-ms-win-eventing-provider-l1-1-0.dll to kernelbase.dll
[+] Ignoring kernel32.dll entry point
[=] Done loading kernel32.dll
[=] Loading user32.dll ...
[+] DLL preferred base address: 0x6ba80000
[+] Init imports for user32.dll
[+] Requesting imports from win32u.dll
[=] Loading win32u.dll ...
[+] Warnings while loading win32u.dll:
[+] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[+] - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[+] DLL preferred base address: 0x10000000
[+] DLL preferred base address is taken, loading to: 0x101d0000
[+] Init imports for win32u.dll
[+] Requesting imports from ntdll.dll
[=] Done loading win32u.dll
[+] Requesting imports from ntdll.dll
[+] Requesting imports from api-ms-win-core-localization-l1-2-1.dll
[+] Redirecting api-ms-win-core-localization-l1-2-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-registry-l1-1-0.dll
[+] Redirecting api-ms-win-core-registry-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-heap-l2-1-0.dll
[+] Redirecting api-ms-win-core-heap-l2-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-libraryloader-l1-2-0.dll
[+] Redirecting api-ms-win-core-libraryloader-l1-2-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-synch-l1-2-0.dll
[+] Redirecting api-ms-win-core-synch-l1-2-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-string-l1-1-0.dll
[+] Redirecting api-ms-win-core-string-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-sysinfo-l1-2-1.dll
[+] Redirecting api-ms-win-core-sysinfo-l1-2-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-processthreads-l1-1-2.dll
[+] Redirecting api-ms-win-core-processthreads-l1-1-2.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-security-base-l1-2-0.dll
[+] Redirecting api-ms-win-security-base-l1-2-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-errorhandling-l1-1-1.dll
[+] Redirecting api-ms-win-core-errorhandling-l1-1-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-string-l2-1-0.dll
[+] Redirecting api-ms-win-core-string-l2-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-processenvironment-l1-2-0.dll
[+] Redirecting api-ms-win-core-processenvironment-l1-2-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-file-l1-2-1.dll
[+] Redirecting api-ms-win-core-file-l1-2-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-handle-l1-1-0.dll
[+] Redirecting api-ms-win-core-handle-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-memory-l1-1-2.dll
[+] Redirecting api-ms-win-core-memory-l1-1-2.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-profile-l1-1-0.dll
[+] Redirecting api-ms-win-core-profile-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-heap-l1-2-0.dll
[+] Redirecting api-ms-win-core-heap-l1-2-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-eventing-provider-l1-1-0.dll
[+] Redirecting api-ms-win-eventing-provider-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-privateprofile-l1-1-1.dll
[!] Failed to resolve api-ms-win-core-privateprofile-l1-1-1.dll
[+] Requesting imports from api-ms-win-core-atoms-l1-1-0.dll
[!] Failed to resolve api-ms-win-core-atoms-l1-1-0.dll
[+] Requesting imports from api-ms-win-core-heap-obsolete-l1-1-0.dll
[!] Failed to resolve api-ms-win-core-heap-obsolete-l1-1-0.dll
[+] Requesting imports from api-ms-win-core-string-obsolete-l1-1-0.dll
[+] Redirecting api-ms-win-core-string-obsolete-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-localization-obsolete-l1-3-0.dll
[+] Redirecting api-ms-win-core-localization-obsolete-l1-3-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-stringansi-l1-1-0.dll
[+] Redirecting api-ms-win-core-stringansi-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-windowserrorreporting-l1-1-0.dll
[+] Redirecting api-ms-win-core-windowserrorreporting-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-sidebyside-l1-1-0.dll
[+] Redirecting api-ms-win-core-sidebyside-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-kernel32-private-l1-1-1.dll
[!] Failed to resolve api-ms-win-core-kernel32-private-l1-1-1.dll
[+] Requesting imports from kernelbase.dll
[+] Requesting imports from api-ms-win-core-kernel32-legacy-l1-1-1.dll
[+] Redirecting api-ms-win-core-kernel32-legacy-l1-1-1.dll to kernelbase.dll
[+] Error in loading function FindResourceExA (api-ms-win-core-kernel32-legacy-l1-1-1.dll), probably misdirected
[+] Requesting imports from api-ms-win-core-appinit-l1-1-0.dll
[+] Redirecting api-ms-win-core-appinit-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from gdi32.dll
[=] Loading gdi32.dll ...
[+] DLL preferred base address: 0x4d500000
[+] Init imports for gdi32.dll
[+] Requesting imports from api-ms-win-core-heap-l2-1-0.dll
[+] Redirecting api-ms-win-core-heap-l2-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-libraryloader-l1-2-0.dll
[+] Redirecting api-ms-win-core-libraryloader-l1-2-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-profile-l1-1-0.dll
[+] Redirecting api-ms-win-core-profile-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-processthreads-l1-1-2.dll
[+] Redirecting api-ms-win-core-processthreads-l1-1-2.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-sysinfo-l1-2-1.dll
[+] Redirecting api-ms-win-core-sysinfo-l1-2-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-errorhandling-l1-1-1.dll
[+] Redirecting api-ms-win-core-errorhandling-l1-1-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-gdi-internal-uap-l1-1-0.dll
[!] Failed to resolve api-ms-win-gdi-internal-uap-l1-1-0.dll
[+] Requesting imports from ntdll.dll
[+] Requesting imports from api-ms-win-core-delayload-l1-1-1.dll
[+] Redirecting api-ms-win-core-delayload-l1-1-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-apiquery-l1-1-0.dll
[+] Redirecting api-ms-win-core-apiquery-l1-1-0.dll to ntdll.dll
[+] Ignoring gdi32.dll entry point (blacklisted)
[=] Done loading gdi32.dll
[+] Requesting imports from api-ms-win-core-delayload-l1-1-1.dll
[+] Redirecting api-ms-win-core-delayload-l1-1-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-apiquery-l1-1-0.dll
[+] Redirecting api-ms-win-core-apiquery-l1-1-0.dll to ntdll.dll
[=] Calling user32.dll DllMain at 0x6baab3d0
[!] api UserClientDllInitialize (user32) is not implemented
[+] 0x100f2790: GetSystemTimeAsFileTime(lpSystemTimeAsFileTime = 0xffffdfbc)
[x] Error encountered while running user32.dll DllMain, bailing
[=] Done loading user32.dll
When setting the verbose mode to disasm it never gets to the shellcode - the assembly dump is from user32 and kernelbase.
When ql.set_api is commented out
[+] Profile: default
[+] Mapping GDT at 0x30000 with limit 0x1000
[+] Loading Windows registry hive from /redacted/qiling/examples/rootfs/x86_windows/Windows/registry
[=] Initiate stack address at 0xfffdd000
[=] TEB is at 0x6000
[=] PEB is at 0x61b0
[=] LDR is at 0x6630
[=] Loading ntdll.dll ...
[+] Warnings while loading ntdll.dll:
[+] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[+] - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[+] DLL preferred base address: 0x4b280000
[+] Init imports for ntdll.dll
[=] Done loading ntdll.dll
[=] Loading kernel32.dll ...
[+] DLL preferred base address: 0x6b800000
[+] Init imports for kernel32.dll
[+] Requesting imports from api-ms-win-core-rtlsupport-l1-2-0.dll
[+] Redirecting api-ms-win-core-rtlsupport-l1-2-0.dll to ntdll.dll
[+] Requesting imports from ntdll.dll
[+] Requesting imports from kernelbase.dll
[=] Loading kernelbase.dll ...
[+] DLL preferred base address: 0x10000000
[+] Init imports for kernelbase.dll
[+] Requesting imports from ntdll.dll
[+] Requesting imports from api-ms-win-eventing-provider-l1-1-0.dll
[+] Redirecting api-ms-win-eventing-provider-l1-1-0.dll to kernelbase.dll
[+] Ignoring kernelbase.dll entry point
[=] Done loading kernelbase.dll
[+] Requesting imports from api-ms-win-core-processthreads-l1-1-2.dll
[+] Redirecting api-ms-win-core-processthreads-l1-1-2.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-processthreads-l1-1-3.dll
[+] Redirecting api-ms-win-core-processthreads-l1-1-3.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-registry-l1-1-0.dll
[+] Redirecting api-ms-win-core-registry-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-heap-l1-2-0.dll
[+] Redirecting api-ms-win-core-heap-l1-2-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-heap-l2-1-0.dll
[+] Redirecting api-ms-win-core-heap-l2-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-memory-l1-1-2.dll
[+] Redirecting api-ms-win-core-memory-l1-1-2.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-enclave-l1-1-0.dll
[+] Redirecting api-ms-win-core-enclave-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-handle-l1-1-0.dll
[+] Redirecting api-ms-win-core-handle-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-synch-l1-2-0.dll
[+] Redirecting api-ms-win-core-synch-l1-2-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-synch-l1-2-1.dll
[+] Redirecting api-ms-win-core-synch-l1-2-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-file-l1-2-1.dll
[+] Redirecting api-ms-win-core-file-l1-2-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-file-l1-2-2.dll
[+] Redirecting api-ms-win-core-file-l1-2-2.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-delayload-l1-1-1.dll
[+] Redirecting api-ms-win-core-delayload-l1-1-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-io-l1-1-1.dll
[+] Redirecting api-ms-win-core-io-l1-1-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-job-l1-1-0.dll
[+] Redirecting api-ms-win-core-job-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-threadpool-legacy-l1-1-0.dll
[+] Redirecting api-ms-win-core-threadpool-legacy-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-threadpool-private-l1-1-0.dll
[+] Redirecting api-ms-win-core-threadpool-private-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-libraryloader-l1-2-2.dll
[+] Redirecting api-ms-win-core-libraryloader-l1-2-2.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-libraryloader-l1-2-0.dll
[+] Redirecting api-ms-win-core-libraryloader-l1-2-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-libraryloader-l2-1-0.dll
[+] Redirecting api-ms-win-core-libraryloader-l2-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-namedpipe-l1-2-2.dll
[+] Redirecting api-ms-win-core-namedpipe-l1-2-2.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-namedpipe-l1-2-0.dll
[+] Redirecting api-ms-win-core-namedpipe-l1-2-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-datetime-l1-1-1.dll
[+] Redirecting api-ms-win-core-datetime-l1-1-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-datetime-l1-1-2.dll
[+] Redirecting api-ms-win-core-datetime-l1-1-2.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-sysinfo-l1-2-1.dll
[+] Redirecting api-ms-win-core-sysinfo-l1-2-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-sysinfo-l1-2-3.dll
[+] Redirecting api-ms-win-core-sysinfo-l1-2-3.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-timezone-l1-1-0.dll
[+] Redirecting api-ms-win-core-timezone-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-localization-l1-2-1.dll
[+] Redirecting api-ms-win-core-localization-l1-2-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-localization-private-l1-1-0.dll
[+] Redirecting api-ms-win-core-localization-private-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-processsnapshot-l1-1-0.dll
[+] Redirecting api-ms-win-core-processsnapshot-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-processenvironment-l1-2-0.dll
[+] Redirecting api-ms-win-core-processenvironment-l1-2-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-string-l1-1-0.dll
[+] Redirecting api-ms-win-core-string-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-debug-l1-1-1.dll
[+] Redirecting api-ms-win-core-debug-l1-1-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-errorhandling-l1-1-1.dll
[+] Redirecting api-ms-win-core-errorhandling-l1-1-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-errorhandling-l1-1-3.dll
[+] Redirecting api-ms-win-core-errorhandling-l1-1-3.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-fibers-l1-1-1.dll
[+] Redirecting api-ms-win-core-fibers-l1-1-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-util-l1-1-0.dll
[+] Redirecting api-ms-win-core-util-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-profile-l1-1-0.dll
[+] Redirecting api-ms-win-core-profile-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-security-base-l1-2-0.dll
[+] Redirecting api-ms-win-security-base-l1-2-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-comm-l1-1-0.dll
[+] Redirecting api-ms-win-core-comm-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-wow64-l1-1-1.dll
[+] Redirecting api-ms-win-core-wow64-l1-1-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-wow64-l1-1-0.dll
[+] Redirecting api-ms-win-core-wow64-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-realtime-l1-1-0.dll
[+] Redirecting api-ms-win-core-realtime-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-systemtopology-l1-1-1.dll
[+] Redirecting api-ms-win-core-systemtopology-l1-1-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-systemtopology-l1-1-0.dll
[+] Redirecting api-ms-win-core-systemtopology-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-processtopology-l1-2-0.dll
[+] Redirecting api-ms-win-core-processtopology-l1-2-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-namespace-l1-1-0.dll
[+] Redirecting api-ms-win-core-namespace-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-file-l2-1-2.dll
[+] Redirecting api-ms-win-core-file-l2-1-2.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-file-l2-1-1.dll
[+] Redirecting api-ms-win-core-file-l2-1-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-xstate-l2-1-0.dll
[+] Redirecting api-ms-win-core-xstate-l2-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-localization-l2-1-0.dll
[+] Redirecting api-ms-win-core-localization-l2-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-normalization-l1-1-0.dll
[+] Redirecting api-ms-win-core-normalization-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-fibers-l2-1-1.dll
[+] Redirecting api-ms-win-core-fibers-l2-1-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-sidebyside-l1-1-0.dll
[+] Redirecting api-ms-win-core-sidebyside-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-appcompat-l1-1-1.dll
[+] Redirecting api-ms-win-core-appcompat-l1-1-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-windowserrorreporting-l1-1-0.dll
[+] Redirecting api-ms-win-core-windowserrorreporting-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-windowserrorreporting-l1-1-1.dll
[+] Redirecting api-ms-win-core-windowserrorreporting-l1-1-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-console-l1-1-0.dll
[+] Redirecting api-ms-win-core-console-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-console-l2-1-0.dll
[+] Redirecting api-ms-win-core-console-l2-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-console-l3-1-0.dll
[+] Redirecting api-ms-win-core-console-l3-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-psapi-l1-1-0.dll
[+] Redirecting api-ms-win-core-psapi-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-psapi-ansi-l1-1-0.dll
[+] Redirecting api-ms-win-core-psapi-ansi-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-security-appcontainer-l1-1-0.dll
[+] Redirecting api-ms-win-security-appcontainer-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-eventing-provider-l1-1-0.dll
[+] Redirecting api-ms-win-eventing-provider-l1-1-0.dll to kernelbase.dll
[+] Ignoring kernel32.dll entry point
[=] Done loading kernel32.dll
[=] Loading user32.dll ...
[+] DLL preferred base address: 0x6ba80000
[+] Init imports for user32.dll
[+] Requesting imports from win32u.dll
[=] Loading win32u.dll ...
[+] Warnings while loading win32u.dll:
[+] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[+] - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[+] DLL preferred base address: 0x10000000
[+] DLL preferred base address is taken, loading to: 0x101d0000
[+] Init imports for win32u.dll
[+] Requesting imports from ntdll.dll
[=] Done loading win32u.dll
[+] Requesting imports from ntdll.dll
[+] Requesting imports from api-ms-win-core-localization-l1-2-1.dll
[+] Redirecting api-ms-win-core-localization-l1-2-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-registry-l1-1-0.dll
[+] Redirecting api-ms-win-core-registry-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-heap-l2-1-0.dll
[+] Redirecting api-ms-win-core-heap-l2-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-libraryloader-l1-2-0.dll
[+] Redirecting api-ms-win-core-libraryloader-l1-2-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-synch-l1-2-0.dll
[+] Redirecting api-ms-win-core-synch-l1-2-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-string-l1-1-0.dll
[+] Redirecting api-ms-win-core-string-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-sysinfo-l1-2-1.dll
[+] Redirecting api-ms-win-core-sysinfo-l1-2-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-processthreads-l1-1-2.dll
[+] Redirecting api-ms-win-core-processthreads-l1-1-2.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-security-base-l1-2-0.dll
[+] Redirecting api-ms-win-security-base-l1-2-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-errorhandling-l1-1-1.dll
[+] Redirecting api-ms-win-core-errorhandling-l1-1-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-string-l2-1-0.dll
[+] Redirecting api-ms-win-core-string-l2-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-processenvironment-l1-2-0.dll
[+] Redirecting api-ms-win-core-processenvironment-l1-2-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-file-l1-2-1.dll
[+] Redirecting api-ms-win-core-file-l1-2-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-handle-l1-1-0.dll
[+] Redirecting api-ms-win-core-handle-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-memory-l1-1-2.dll
[+] Redirecting api-ms-win-core-memory-l1-1-2.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-profile-l1-1-0.dll
[+] Redirecting api-ms-win-core-profile-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-heap-l1-2-0.dll
[+] Redirecting api-ms-win-core-heap-l1-2-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-eventing-provider-l1-1-0.dll
[+] Redirecting api-ms-win-eventing-provider-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-privateprofile-l1-1-1.dll
[!] Failed to resolve api-ms-win-core-privateprofile-l1-1-1.dll
[+] Requesting imports from api-ms-win-core-atoms-l1-1-0.dll
[!] Failed to resolve api-ms-win-core-atoms-l1-1-0.dll
[+] Requesting imports from api-ms-win-core-heap-obsolete-l1-1-0.dll
[!] Failed to resolve api-ms-win-core-heap-obsolete-l1-1-0.dll
[+] Requesting imports from api-ms-win-core-string-obsolete-l1-1-0.dll
[+] Redirecting api-ms-win-core-string-obsolete-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-localization-obsolete-l1-3-0.dll
[+] Redirecting api-ms-win-core-localization-obsolete-l1-3-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-stringansi-l1-1-0.dll
[+] Redirecting api-ms-win-core-stringansi-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-windowserrorreporting-l1-1-0.dll
[+] Redirecting api-ms-win-core-windowserrorreporting-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-sidebyside-l1-1-0.dll
[+] Redirecting api-ms-win-core-sidebyside-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-kernel32-private-l1-1-1.dll
[!] Failed to resolve api-ms-win-core-kernel32-private-l1-1-1.dll
[+] Requesting imports from kernelbase.dll
[+] Requesting imports from api-ms-win-core-kernel32-legacy-l1-1-1.dll
[+] Redirecting api-ms-win-core-kernel32-legacy-l1-1-1.dll to kernelbase.dll
[+] Error in loading function FindResourceExA (api-ms-win-core-kernel32-legacy-l1-1-1.dll), probably misdirected
[+] Requesting imports from api-ms-win-core-appinit-l1-1-0.dll
[+] Redirecting api-ms-win-core-appinit-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from gdi32.dll
[=] Loading gdi32.dll ...
[+] DLL preferred base address: 0x4d500000
[+] Init imports for gdi32.dll
[+] Requesting imports from api-ms-win-core-heap-l2-1-0.dll
[+] Redirecting api-ms-win-core-heap-l2-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-libraryloader-l1-2-0.dll
[+] Redirecting api-ms-win-core-libraryloader-l1-2-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-profile-l1-1-0.dll
[+] Redirecting api-ms-win-core-profile-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-processthreads-l1-1-2.dll
[+] Redirecting api-ms-win-core-processthreads-l1-1-2.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-sysinfo-l1-2-1.dll
[+] Redirecting api-ms-win-core-sysinfo-l1-2-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-errorhandling-l1-1-1.dll
[+] Redirecting api-ms-win-core-errorhandling-l1-1-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-gdi-internal-uap-l1-1-0.dll
[!] Failed to resolve api-ms-win-gdi-internal-uap-l1-1-0.dll
[+] Requesting imports from ntdll.dll
[+] Requesting imports from api-ms-win-core-delayload-l1-1-1.dll
[+] Redirecting api-ms-win-core-delayload-l1-1-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-apiquery-l1-1-0.dll
[+] Redirecting api-ms-win-core-apiquery-l1-1-0.dll to ntdll.dll
[+] Ignoring gdi32.dll entry point (blacklisted)
[=] Done loading gdi32.dll
[+] Requesting imports from api-ms-win-core-delayload-l1-1-1.dll
[+] Redirecting api-ms-win-core-delayload-l1-1-1.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-apiquery-l1-1-0.dll
[+] Redirecting api-ms-win-core-apiquery-l1-1-0.dll to ntdll.dll
[=] Calling user32.dll DllMain at 0x6baab3d0
[!] api UserClientDllInitialize (user32) is not implemented
[+] 0x100f2790: GetSystemTimeAsFileTime(lpSystemTimeAsFileTime = 0xffffdfbc)
[x] Error encountered while running user32.dll DllMain, bailing
[=] Done loading user32.dll
[!] api LdrLoadDll (ntdll) is not implemented
When verbose mode is set to disasm, it does get to the shellcode like expected - just like it does when using qltool. Best I can tell the additional work performed when set_api is used is triggering the error.
Additional context
Called using qltool
qltool code --arch x86 --filename ../rundll32_00840000.bin --rootfs examples/rootfs/x86_windows --os windows --format bin
Load BIN from FILE
[=] Initiate stack address at 0xfffdd000
[=] TEB is at 0x6000
[=] PEB is at 0x61b0
[=] LDR is at 0x6630
[=] Loading ntdll.dll ...
[=] Done loading ntdll.dll
[=] Loading kernel32.dll ...
[=] Loading kernelbase.dll ...
[=] Done loading kernelbase.dll
[=] Done loading kernel32.dll
[=] Loading user32.dll ...
[=] Loading win32u.dll ...
[=] Done loading win32u.dll
[!] Failed to resolve api-ms-win-core-privateprofile-l1-1-1.dll
[!] Failed to resolve api-ms-win-core-atoms-l1-1-0.dll
[!] Failed to resolve api-ms-win-core-heap-obsolete-l1-1-0.dll
[!] Failed to resolve api-ms-win-core-kernel32-private-l1-1-1.dll
[=] Loading gdi32.dll ...
[!] Failed to resolve api-ms-win-gdi-internal-uap-l1-1-0.dll
[=] Done loading gdi32.dll
[=] Calling user32.dll DllMain at 0x6baab3d0
[!] api UserClientDllInitialize (user32) is not implemented
[=] GetSystemTimeAsFileTime(lpSystemTimeAsFileTime = 0xffffdfbc)
[x] Error encountered while running user32.dll DllMain, bailing
[=] Done loading user32.dll
[!] api LdrLoadDll (ntdll) is not implemented
[=] memset(dest = 0xffffde50, c = 0, count = 0x50) = 0xffffde50
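One way to compare the two runs above mechanically, as an added example that is not part of the original issue or of Qiling: it separates loader-phase messages from calls logged after the last DLL finishes loading. The line patterns are taken from the output on this page; the function name `triage` and the two sample strings (abridged from the tails of the logs above) are assumptions of this example.

```python
import re

# Line shapes taken from the Qiling output shown in this issue.
UNIMPL = re.compile(r"^\[!\] api (\w+) \((\w+)\) is not implemented")
UNRESOLVED = re.compile(r"^\[!\] Failed to resolve (\S+)")
BAILED = re.compile(r"^\[x\] Error encountered while running (\S+) DllMain")
LOADING = re.compile(r"^\[=\] Loading (\S+) \.\.\.")
DONE = re.compile(r"^\[=\] Done loading (\S+)")
CALL = re.compile(r"^\[[=+]\] (?:0x[0-9a-f]+: )?(\w+)\(.*\)")

def triage(log: str) -> dict:
    """Split a Qiling Windows log into loader messages and post-loader calls."""
    out = {"unimplemented": [], "unresolved": [], "dllmain_failed": [],
           "post_loader_calls": []}
    depth = 0  # > 0 while a DLL (or one of its dependencies) is being loaded
    for line in log.splitlines():
        line = line.strip()
        if LOADING.match(line):
            depth += 1
        elif DONE.match(line):
            depth = max(depth - 1, 0)
        elif m := UNIMPL.match(line):
            out["unimplemented"].append(f"{m[2]}!{m[1]}")
        elif m := UNRESOLVED.match(line):
            out["unresolved"].append(m[1])
        elif m := BAILED.match(line):
            out["dllmain_failed"].append(m[1])
        elif (m := CALL.match(line)) and depth == 0:
            out["post_loader_calls"].append(m[1])  # call made after loading ended
    return out

# Sample input: abridged from the tails of the two logs in this issue.
SCRIPT_RUN = """[=] Loading user32.dll ...
[!] Failed to resolve api-ms-win-gdi-internal-uap-l1-1-0.dll
[=] Calling user32.dll DllMain at 0x6baab3d0
[!] api UserClientDllInitialize (user32) is not implemented
[+] 0x100f2790: GetSystemTimeAsFileTime(lpSystemTimeAsFileTime = 0xffffdfbc)
[x] Error encountered while running user32.dll DllMain, bailing
[=] Done loading user32.dll
[!] api LdrLoadDll (ntdll) is not implemented
"""
QLTOOL_RUN = (SCRIPT_RUN.replace("[+] 0x100f2790: ", "[=] ")
              + "[=] memset(dest = 0xffffde50, c = 0, count = 0x50) = 0xffffde50\n")

if __name__ == "__main__":
    for name, log in (("script", SCRIPT_RUN), ("qltool", QLTOOL_RUN)):
        print(name, triage(log))
```

Both samples report the same unimplemented APIs and the same DllMain failure, so those lines alone do not distinguish the runs; the difference is whether any call is logged after the loader finishes.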
Hi there.
There are a few missing parts in your script that could help us determine the source of the issue. Please replace any references like self.arch etc. with the actual values that you use, and note that ql.set_api no longer exists; it is ql.os.set_api now.
Please re-try with the corrected script, and let us know if something has changed. If possible, please attach the corrected script and the shellcode you are trying to run.
Close for now