Fix bug: DLL address still uses ImageBase address in spite of changing lib_base.
Checklist
Which kind of PR do you create?
- [x] This PR only contains minor fixes.
- [ ] This PR contains major feature update.
- [ ] This PR introduces a new function/api for Qiling Framework.
Coding convention?
- [x] The new code conforms to Qiling Framework naming convention.
- [ ] The imports are arranged properly.
- [ ] Essential comments are added.
- [ ] The reference of the new code is pointed out.
Extra tests?
- [x] No extra tests are needed for this PR.
- [ ] I have added enough tests for this PR.
- [ ] Tests will be added after some discussion and review.
Changelog?
- [ ] This PR doesn't need to update Changelog.
- [x] Changelog will be updated after some proper review.
- [ ] Changelog has been updated in my PR.
Target branch?
- [x] The target branch is dev branch.
One last thing
- [x] I have read the contribution guide
There are some tests with fixed-base DLL addresses. Will you be able to update the tests?
I understood. I will add the test to test_pe.py. Please be patient.
I updated test_pe.py to check the fix of lib address relocation. And I also added 2 fixes as below:
- Implement PE loader to load all of the DLLs recursively when PE loaded.
- Implement PE loader to be able to load API DLL (like api-ms-xxxx.dll).
I added a sample PE file for the test. So should I send a pull request to https://github.com/qilingframework/rootfs/tree/master?
Yes. If there is a new exe, you need to update rootfs.
OK, I sent the pull request of rootfs. And fixed some code to pass the test.
OK, I updated examples/scripts/dllscollector.bat to copy only needed DLLs.
Redoing the test and seeing how long it will take.
I see, but the result was unexpected for me because the test took only 1638s on my laptop PC. I think the reasons why the test is so long are below:
- All DLLs are loaded at first even if some DLLs may not be used.
- DLL reload_image() may take quite a long time
Since I think these fixes are needed because emulation fails when the DLL's address is not resolved, I have another solution to solve the problem.
- Make a resolve_dll_address function that resolves the address when the emulator encounters an unmapped address.
- Register the function to hook_address.
If you are OK, I'll try to update.
Is 1638s one test or all tests?
The test is being done from github CI, so i guess we need to make that as benchmark.
I guess your idea is fine. We need to fix the CI result. Else it's gonna be bad if we need to spend 4 hours for each test, since currently it's only 10 min for all tests.
It took 1638s to finish all the tests. OK, I'll try to fix it. Please be patient.
Sure. Will be waiting :)
I'm sorry for the late response. I updated these files to load DLLs dynamically. But the problem still remained because the reason why it takes so long is relocating some DLLs such as shell32.dll (see the log below). So I added libcache=True in all_tests of test_pe.py.

```
>>> timeit.timeit("import pefile;pefile.PE('qiling/examples/rootfs/x86_windows/Windows/System32/shell32.dll').relocate_image(0x7fff00000)", number=1)
205.60229980000076
```

I checked that the time dramatically reduced on my PC when libcache is enabled.
- previous version: 1638s
- new version (libcache off): 1000s
- new version (libcache on): 80s
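Added example (not code from the qiling project or this PR): a small Python model of the two ideas discussed above, mapping a DLL only when emulation first touches an unmapped address inside its slot at lib_base (rather than its ImageBase), and caching relocated images so the slow relocation step runs once. FakeDll, LazyLoader and LIBCACHE are constructed stand-ins, not Qiling or pefile APIs.

```python
from dataclasses import dataclass

LIBCACHE = {}  # (dll name, base) -> relocated exports; stands in for libcache=True


@dataclass
class FakeDll:
    """Constructed stand-in for a pefile.PE image (not a real DLL)."""
    name: str
    image_base: int   # preferred base from the PE header
    size: int
    exports: dict     # export name -> RVA


class LazyLoader:
    def __init__(self, lib_base: int, libcache: bool = True):
        self.lib_base = lib_base
        self.libcache = libcache
        self.next_base = lib_base
        self.pending = {}     # name -> (FakeDll, reserved base), not yet mapped
        self.mapped = {}      # name -> (base, relocated exports)
        self.relocations = 0  # counts expensive relocate_image()-style work

    def reserve(self, dll: FakeDll) -> int:
        """Give the DLL a page-aligned slot at lib_base, ignoring its ImageBase."""
        base = self.next_base
        self.next_base += (dll.size + 0xFFF) & ~0xFFF
        self.pending[dll.name] = (dll, base)
        return base

    def _relocate(self, dll: FakeDll, base: int) -> dict:
        key = (dll.name, base)
        if self.libcache and key in LIBCACHE:
            return LIBCACHE[key]
        self.relocations += 1  # the slow step the thread measured for shell32.dll
        exports = {n: base + rva for n, rva in dll.exports.items()}
        if self.libcache:
            LIBCACHE[key] = exports
        return exports

    def on_unmapped(self, addr: int) -> bool:
        """hook_mem_unmapped-style callback: map the DLL owning addr, if any."""
        for name, (dll, base) in list(self.pending.items()):
            if base <= addr < base + dll.size:
                self.mapped[name] = (base, self._relocate(dll, base))
                del self.pending[name]
                return True
        return False  # genuinely unmapped: let the emulator report the fault

    def resolve(self, name: str, symbol: str) -> int:
        base, exports = self.mapped[name]
        return exports[symbol]
```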
I resolved the conflict and re-uploaded.
Would you mind if I ask you to run the workflow? Or should I do something to proceed with the workflow?
There is still a conflict with wsock32.
Sorry for being so late. I removed the conflict. So could you please run the workflow?
Hi @nacayoshi00,
Based on the recent changes made to dev branch, could you please test to see whether this PR is still relevant?
Since the author has not responded since Aug 2021, the PR will be closed for now.