qiling
Invalid memory write, read and fetch
Hello, I'm trying to emulate malware files on a Windows OS to capture their calls to the Windows API "GetProcAddress", but I am running into invalid memory write, read and fetch errors with different malware files. Here is my code:
import sys
import pefile
from qiling import *
from qiling.const import *
from capstone import *
from qiling.extensions import trace
def loader_pe(pe):
    """Disassemble the mapped image from the entry point onward.

    The bytes of ``pe.get_memory_mapped_image()`` starting at the
    ``AddressOfEntryPoint`` offset are handed to a 32-bit x86 Capstone
    disassembler. The result is stored in the module-level ``rdbin`` and
    is also returned.
    """
    global rdbin
    entry_rva = pe.OPTIONAL_HEADER.AddressOfEntryPoint
    image_from_entry = pe.get_memory_mapped_image()[entry_rva:]
    # NOTE(review): the mode is fixed to 32-bit regardless of the sample's
    # machine type - confirm that 64-bit samples are never passed in.
    disassembler = Cs(CS_ARCH_X86, CS_MODE_32)
    disassembler.detail = True
    # 0x10000 is the address Capstone assigns to the first decoded
    # instruction; it is unrelated to the address the emulator loads the
    # sample at, so the two address spaces will not line up.
    rdbin = disassembler.disasm(image_from_entry, 0x10000)
    return rdbin
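def check_arch(pe):
    """Report and return the bitness of a parsed PE file.

    Args:
        pe: object exposing ``FILE_HEADER.Machine`` (a ``pefile.PE`` in
            this script).

    Returns:
        32 for machine type 0x14c, 64 for machine type 0x8664.

    Raises:
        ValueError: if the machine type is anything else, so an
            unexpected sample is rejected with a clear message rather
            than failing on an unassigned local.
    """
    # 0x14c is IMAGE_FILE_MACHINE_I386, 0x8664 is IMAGE_FILE_MACHINE_AMD64.
    bits_by_machine = {0x14c: 32, 0x8664: 64}
    machine = pe.FILE_HEADER.Machine
    try:
        bit = bits_by_machine[machine]
    except KeyError:
        raise ValueError("unsupported PE machine type: %#x" % machine) from None
    print("[+] Sample is %s bit" % bit)
    return bit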
def GetProcAddress(ql, addr, params, retval):
    """Hook callback: print the arguments of an intercepted GetProcAddress call.

    ``params`` is printed exactly as received. ``ql``, ``addr`` and
    ``retval`` are accepted but not used. Returns None.
    """
    print(params)
def stop(ql):
    """Announce that the address was reached, then halt emulation.

    Calls ``ql.emu_stop()`` on the object passed in. Nothing in this
    script registers the function as a hook.
    """
    message = "[+] Address found"
    print(message)
    ql.emu_stop()
def my_sandbox(path, rootfs):
    """Emulate *path* under Qiling with a hook on GetProcAddress.

    Args:
        path: argv list for the emulated program (the caller passes a
            one-element list holding the sample path).
        rootfs: directory passed to Qiling as the emulated root filesystem.

    Any exception raised by ``run()`` propagates to the caller, including
    the ``unicorn.UcError`` raised on an unmapped memory access.
    """
    emulator = Qiling(path, rootfs, verbose=QL_VERBOSE.DISASM)
    # Call the module-level GetProcAddress callback when the emulated API exits.
    emulator.set_api("GetProcAddress", GetProcAddress, QL_INTERCEPT.EXIT)
    # NOTE(review): this looks like a log filter that hides every record
    # not matching the pattern; drop it when a crash needs the full trace.
    emulator.filter = "GetProcAddress"
    emulator.run()
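### Main Program ###
file = sys.argv[-1]
if __name__ == "__main__":
    # With no argument, sys.argv[-1] is this script itself, so require one.
    if len(sys.argv) < 2:
        print("usage: %s <sample.exe>" % sys.argv[0], file=sys.stderr)
        sys.exit(2)
    exefile = sys.argv[-1]
    try:
        exe = pefile.PE(exefile)
    except OSError as e:
        # Report the failure and exit non-zero so wrappers can detect it.
        print(e, file=sys.stderr)
        sys.exit(1)
    except pefile.PEFormatError as e:
        # Report why parsing failed; exiting silently hides a bad sample path.
        print("[-] Not a valid PE file: %s" % e, file=sys.stderr)
        sys.exit(1)
    rdbin = loader_pe(exe)
    # NOTE(review): the result of check_arch is not used; the disassembler
    # mode and the rootfs below are fixed to 32-bit x86 regardless.
    check_arch(exe)
    my_sandbox([exefile], "examples/rootfs/x86_windows")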
and this is the error for my first file (md5: 8EF2555264822D604A8AAF16D8FCEC7D):
[+] Sample is 32 bit
[+] Profile: Default
[+] Map GDT at 0x30000 with GDT_LIMIT=4096
[+] Write to 0x30018 for new entry b'\x00\xf0\x00\x00\x00\xfeO\x00'
[+] Write to 0x30028 for new entry b'\x00\xf0\x00\x00\x00\x96O\x00'
[+] Write to 0x30070 for new entry b'\x00`\x00`\x00\xf6@\x00'
[+] Write to 0x30078 for new entry b'\x00\x00\x00\x00\x00\xf6@\x06'
[+] Windows Registry PATH: examples/rootfs/x86_windows\Windows\registry
[=] Initiate stack address at 0xfffdd000
[=] Loading .\justificante_8726.exe to 0x400000
[=] PE entry point at 0x401314
[=] TEB addr is 0x6000
[=] PEB addr is 0x6044
[=] Loading examples/rootfs/x86_windows\Windows\System32\ntdll.dll to 0x10000000
[!] Warnings while loading examples/rootfs/x86_windows\Windows\System32\ntdll.dll:
[!] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[!] - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[=] Done with loading examples/rootfs/x86_windows\Windows\System32\ntdll.dll
[=] Loading examples/rootfs/x86_windows\Windows\System32\kernel32.dll to 0x10175000
[=] Done with loading examples/rootfs/x86_windows\Windows\System32\kernel32.dll
[=] Loading examples/rootfs/x86_windows\Windows\System32\msvbvm60.dll to 0x10280000
[=] Done with loading examples/rootfs/x86_windows\Windows\System32\msvbvm60.dll
[+] Done with loading .\justificante_8726.exe
Traceback (most recent call last):
File ".\github_qiling.py", line 56, in <module>
my_sandbox([exefile], "examples/rootfs/x86_windows")
File ".\github_qiling.py", line 41, in my_sandbox
ql.run()
File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\core.py", line 755, in run
self.os.run()
File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\os\windows\windows.py", line 188, in run
self.ql.emu_start(self.ql.loader.entry_point, self.exit_point, self.ql.timeout, self.ql.count)
File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\core.py", line 896, in emu_start
self.uc.emu_start(begin, end, timeout, count)
File "C:\Users\user\Desktop\xxx\lib\site-packages\unicorn\unicorn.py", line 341, in emu_start
raise UcError(status)
unicorn.unicorn.UcError: Invalid memory write (UC_ERR_WRITE_UNMAPPED)
Besides this malware file, I have also tried other files, including emotet (md5: B2EA9495D718E0F672D4B274D6DF7C07), which did print the GetProcAddress API calls but then failed with an invalid memory fetch error:
[+] Sample is 32 bit
[+] Profile: Default
[+] Map GDT at 0x30000 with GDT_LIMIT=4096
[+] Write to 0x30018 for new entry b'\x00\xf0\x00\x00\x00\xfeO\x00'
[+] Write to 0x30028 for new entry b'\x00\xf0\x00\x00\x00\x96O\x00'
[+] Write to 0x30070 for new entry b'\x00`\x00`\x00\xf6@\x00'
[+] Write to 0x30078 for new entry b'\x00\x00\x00\x00\x00\xf6@\x06'
[+] Windows Registry PATH: examples/rootfs/x86_windows\Windows\registry
[=] Initiate stack address at 0xfffdd000
[=] Loading .\emotet.exe to 0x400000
[=] PE entry point at 0x41fef1
[=] TEB addr is 0x6000
[=] PEB addr is 0x6044
[=] Loading examples/rootfs/x86_windows\Windows\System32\ntdll.dll to 0x10000000
[!] Warnings while loading examples/rootfs/x86_windows\Windows\System32\ntdll.dll:
[!] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[!] - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[=] Done with loading examples/rootfs/x86_windows\Windows\System32\ntdll.dll
[=] Loading examples/rootfs/x86_windows\Windows\System32\kernel32.dll to 0x10175000
[=] Done with loading examples/rootfs/x86_windows\Windows\System32\kernel32.dll
[=] Loading examples/rootfs/x86_windows\Windows\System32\user32.dll to 0x10280000
[=] Done with loading examples/rootfs/x86_windows\Windows\System32\user32.dll
[=] Loading examples/rootfs/x86_windows\Windows\System32\gdi32.dll to 0x10374000
[=] Done with loading examples/rootfs/x86_windows\Windows\System32\gdi32.dll
[=] Loading examples/rootfs/x86_windows\Windows\System32\comdlg32.dll to 0x103f6000
[=] Done with loading examples/rootfs/x86_windows\Windows\System32\comdlg32.dll
[=] Loading examples/rootfs/x86_windows\Windows\System32\winspool.drv to 0x10471000
[=] Done with loading examples/rootfs/x86_windows\Windows\System32\winspool.drv
[=] Loading examples/rootfs/x86_windows\Windows\System32\advapi32.dll to 0x104c2000
[=] Done with loading examples/rootfs/x86_windows\Windows\System32\advapi32.dll
[=] Loading examples/rootfs/x86_windows\Windows\System32\comctl32.dll to 0x10562000
[=] Done with loading examples/rootfs/x86_windows\Windows\System32\comctl32.dll
[=] Loading examples/rootfs/x86_windows\Windows\System32\shlwapi.dll to 0x105e6000
[=] Done with loading examples/rootfs/x86_windows\Windows\System32\shlwapi.dll
[=] Loading examples/rootfs/x86_windows\Windows\System32\oledlg.dll to 0x1063d000
[=] Done with loading examples/rootfs/x86_windows\Windows\System32\oledlg.dll
[=] Loading examples/rootfs/x86_windows\Windows\System32\ole32.dll to 0x10659000
[=] Done with loading examples/rootfs/x86_windows\Windows\System32\ole32.dll
[=] Loading examples/rootfs/x86_windows\Windows\System32\oleaut32.dll to 0x107b5000
[=] Done with loading examples/rootfs/x86_windows\Windows\System32\oleaut32.dll
[+] Done with loading .\emotet.exe
{'hModule': 269963264, 'lpProcName': 'FlsAlloc'}
{'hModule': 269963264, 'lpProcName': 'FlsGetValue'}
{'hModule': 269963264, 'lpProcName': 'FlsSetValue'}
{'hModule': 269963264, 'lpProcName': 'FlsFree'}
{'hModule': 269963264, 'lpProcName': 'EncodePointer'}
{'hModule': 269963264, 'lpProcName': 'EncodePointer'}
{'hModule': 269963264, 'lpProcName': 'EncodePointer'}
{'hModule': 269963264, 'lpProcName': 'EncodePointer'}
{'hModule': 269963264, 'lpProcName': 'EncodePointer'}
{'hModule': 269963264, 'lpProcName': 'EncodePointer'}
{'hModule': 269963264, 'lpProcName': 'EncodePointer'}
{'hModule': 269963264, 'lpProcName': 'DecodePointer'}
{'hModule': 269963264, 'lpProcName': 'DecodePointer'}
{'hModule': 269963264, 'lpProcName': 'EncodePointer'}
{'hModule': 269963264, 'lpProcName': 'DecodePointer'}
{'hModule': 269963264, 'lpProcName': 'IsProcessorFeaturePresent'}
Traceback (most recent call last):
File ".\github_qiling.py", line 56, in <module>
my_sandbox([exefile], "examples/rootfs/x86_windows")
File ".\github_qiling.py", line 41, in my_sandbox
ql.run()
File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\core.py", line 755, in run
self.os.run()
File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\os\windows\windows.py", line 188, in run
self.ql.emu_start(self.ql.loader.entry_point, self.exit_point, self.ql.timeout, self.ql.count)
File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\core.py", line 896, in emu_start
self.uc.emu_start(begin, end, timeout, count)
File "C:\Users\user\Desktop\xxx\lib\site-packages\unicorn\unicorn.py", line 341, in emu_start
raise UcError(status)
unicorn.unicorn.UcError: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED)
Lastly, I used the same code on another file (md5: 7720E0702EB7EA49045407A910484FD0), but I am faced with the error Invalid memory read (UC_ERR_READ_UNMAPPED):
[+] Sample is 32 bit
[+] Profile: Default
[+] Map GDT at 0x30000 with GDT_LIMIT=4096
[+] Write to 0x30018 for new entry b'\x00\xf0\x00\x00\x00\xfeO\x00'
[+] Write to 0x30028 for new entry b'\x00\xf0\x00\x00\x00\x96O\x00'
[+] Write to 0x30070 for new entry b'\x00`\x00`\x00\xf6@\x00'
[+] Write to 0x30078 for new entry b'\x00\x00\x00\x00\x00\xf6@\x06'
[+] Windows Registry PATH: examples/rootfs/x86_windows\Windows\registry
[=] Initiate stack address at 0xfffdd000
[=] Loading .\11m296.exe to 0x400000
[=] PE entry point at 0x4014e0
[=] TEB addr is 0x6000
[=] PEB addr is 0x6044
[=] Loading examples/rootfs/x86_windows\Windows\System32\ntdll.dll to 0x10000000
[!] Warnings while loading examples/rootfs/x86_windows\Windows\System32\ntdll.dll:
[!] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[!] - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[=] Done with loading examples/rootfs/x86_windows\Windows\System32\ntdll.dll
[=] Loading examples/rootfs/x86_windows\Windows\System32\kernel32.dll to 0x10175000
[=] Done with loading examples/rootfs/x86_windows\Windows\System32\kernel32.dll
[=] Loading examples/rootfs/x86_windows\Windows\System32\advapi32.dll to 0x10280000
[=] Done with loading examples/rootfs/x86_windows\Windows\System32\advapi32.dll
[=] Loading examples/rootfs/x86_windows\Windows\System32\msvcrt.dll to 0x10320000
[=] Done with loading examples/rootfs/x86_windows\Windows\System32\msvcrt.dll
[=] Loading examples/rootfs/x86_windows\Windows\System32\shell32.dll to 0x103cc000
[=] Done with loading examples/rootfs/x86_windows\Windows\System32\shell32.dll
[=] Loading examples/rootfs/x86_windows\Windows\System32\user32.dll to 0x11016000
[=] Done with loading examples/rootfs/x86_windows\Windows\System32\user32.dll
[+] Done with loading .\11m296.exe
Traceback (most recent call last):
File ".\github_qiling.py", line 56, in <module>
my_sandbox([exefile], "examples/rootfs/x86_windows")
File ".\github_qiling.py", line 41, in my_sandbox
ql.run()
File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\core.py", line 755, in run
self.os.run()
File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\os\windows\windows.py", line 188, in run
self.ql.emu_start(self.ql.loader.entry_point, self.exit_point, self.ql.timeout, self.ql.count)
File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\core.py", line 896, in emu_start
self.uc.emu_start(begin, end, timeout, count)
File "C:\Users\user\Desktop\xxx\lib\site-packages\unicorn\unicorn.py", line 341, in emu_start
raise UcError(status)
unicorn.unicorn.UcError: Invalid memory read (UC_ERR_READ_UNMAPPED)
Thanks for any help!
Unfortunately, there is not enough data to understand what went wrong. Try to disable the log filter, set verbosity to default and then post the output (or attach, if too long).
A few things to consider:
- Did you try to emit GetProcAddress's argument retval? Does it make any sense?
- What happens if you don't set_api, does it work?
Lastly, when you quote a large piece of code in GitHub, specify the language right after the opening backticks to enable syntax highlighting, for example:
```python python code goes here ```
Hi thanks for the feedback! I tried to remove GetProcAddress's argument retval but it does not work and gives me the error "GetProcAddress() takes 3 positional arguments but 4 were given" . I have also tried to remove set_api but the same error shows up. I disabled the log filter and set verbosity to default but the output error is still the same:
Netwire RAT sample (before removing set_api)
[+] Sample is 32 bit
[=] Initiate stack address at 0xfffdd000
[=] Loading .\justificante_8726.exe to 0x400000
[=] PE entry point at 0x401314
[=] TEB addr is 0x6000
[=] PEB addr is 0x6044
[=] Loading examples/rootfs/x86_windows\Windows\System32\ntdll.dll to 0x10000000
[!] Warnings while loading examples/rootfs/x86_windows\Windows\System32\ntdll.dll:
[!] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[!] - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[=] Done with loading examples/rootfs/x86_windows\Windows\System32\ntdll.dll
[=] Loading examples/rootfs/x86_windows\Windows\System32\kernel32.dll to 0x10175000
[=] Done with loading examples/rootfs/x86_windows\Windows\System32\kernel32.dll
[=] Loading examples/rootfs/x86_windows\Windows\System32\msvbvm60.dll to 0x10280000
[=] Done with loading examples/rootfs/x86_windows\Windows\System32\msvbvm60.dll
Traceback (most recent call last):
File ".\github_qiling.py", line 56, in <module>
my_sandbox([exefile], "examples/rootfs/x86_windows")
File ".\github_qiling.py", line 41, in my_sandbox
ql.run()
File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\core.py", line 755, in run
self.os.run()
File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\os\windows\windows.py", line 188, in run
self.ql.emu_start(self.ql.loader.entry_point, self.exit_point, self.ql.timeout, self.ql.count)
File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\core.py", line 896, in emu_start
self.uc.emu_start(begin, end, timeout, count)
File "C:\Users\user\Desktop\xxx\lib\site-packages\unicorn\unicorn.py", line 341, in emu_start
raise UcError(status)
unicorn.unicorn.UcError: Invalid memory write (UC_ERR_WRITE_UNMAPPED)
Emotet sample: (before removing set_api)
[+] Sample is 32 bit
[=] Initiate stack address at 0xfffdd000
[=] Loading .\emotet.exe to 0x400000
[=] PE entry point at 0x41fef1
[=] TEB addr is 0x6000
[=] PEB addr is 0x6044
[=] Loading examples/rootfs/x86_windows\Windows\System32\ntdll.dll to 0x10000000
[!] Warnings while loading examples/rootfs/x86_windows\Windows\System32\ntdll.dll:
[!] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[!] - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[=] Done with loading examples/rootfs/x86_windows\Windows\System32\ntdll.dll
[=] Loading examples/rootfs/x86_windows\Windows\System32\kernel32.dll to 0x10175000
[=] Done with loading examples/rootfs/x86_windows\Windows\System32\kernel32.dll
[=] Loading examples/rootfs/x86_windows\Windows\System32\user32.dll to 0x10280000
[=] Done with loading examples/rootfs/x86_windows\Windows\System32\user32.dll
[=] Loading examples/rootfs/x86_windows\Windows\System32\gdi32.dll to 0x10374000
[=] Done with loading examples/rootfs/x86_windows\Windows\System32\gdi32.dll
[=] Loading examples/rootfs/x86_windows\Windows\System32\comdlg32.dll to 0x103f6000
[=] Done with loading examples/rootfs/x86_windows\Windows\System32\comdlg32.dll
[=] Loading examples/rootfs/x86_windows\Windows\System32\winspool.drv to 0x10471000
[=] Done with loading examples/rootfs/x86_windows\Windows\System32\winspool.drv
[=] Loading examples/rootfs/x86_windows\Windows\System32\advapi32.dll to 0x104c2000
[=] Done with loading examples/rootfs/x86_windows\Windows\System32\advapi32.dll
[=] Loading examples/rootfs/x86_windows\Windows\System32\comctl32.dll to 0x10562000
[=] Done with loading examples/rootfs/x86_windows\Windows\System32\comctl32.dll
[=] Loading examples/rootfs/x86_windows\Windows\System32\shlwapi.dll to 0x105e6000
[=] Done with loading examples/rootfs/x86_windows\Windows\System32\shlwapi.dll
[=] Loading examples/rootfs/x86_windows\Windows\System32\oledlg.dll to 0x1063d000
[=] Done with loading examples/rootfs/x86_windows\Windows\System32\oledlg.dll
[=] Loading examples/rootfs/x86_windows\Windows\System32\ole32.dll to 0x10659000
[=] Done with loading examples/rootfs/x86_windows\Windows\System32\ole32.dll
[=] Loading examples/rootfs/x86_windows\Windows\System32\oleaut32.dll to 0x107b5000
[=] Done with loading examples/rootfs/x86_windows\Windows\System32\oleaut32.dll
{'hModule': 269963264, 'lpProcName': 'FlsAlloc'}
[=] GetProcAddress(hModule = 0x10175000, lpProcName = "FlsAlloc") = 0x10189efb
{'hModule': 269963264, 'lpProcName': 'FlsGetValue'}
[=] GetProcAddress(hModule = 0x10175000, lpProcName = "FlsGetValue") = 0x10186252
{'hModule': 269963264, 'lpProcName': 'FlsSetValue'}
[=] GetProcAddress(hModule = 0x10175000, lpProcName = "FlsSetValue") = 0x101891d8
{'hModule': 269963264, 'lpProcName': 'FlsFree'}
[=] GetProcAddress(hModule = 0x10175000, lpProcName = "FlsFree") = 0x1018856f
{'hModule': 269963264, 'lpProcName': 'EncodePointer'}
[=] GetProcAddress(hModule = 0x10175000, lpProcName = "EncodePointer") = 0x1023eaee
{'hModule': 269963264, 'lpProcName': 'EncodePointer'}
[=] GetProcAddress(hModule = 0x10175000, lpProcName = "EncodePointer") = 0x1023eaee
{'hModule': 269963264, 'lpProcName': 'EncodePointer'}
[=] GetProcAddress(hModule = 0x10175000, lpProcName = "EncodePointer") = 0x1023eaee
{'hModule': 269963264, 'lpProcName': 'EncodePointer'}
[=] GetProcAddress(hModule = 0x10175000, lpProcName = "EncodePointer") = 0x1023eaee
{'hModule': 269963264, 'lpProcName': 'EncodePointer'}
[=] GetProcAddress(hModule = 0x10175000, lpProcName = "EncodePointer") = 0x1023eaee
{'hModule': 269963264, 'lpProcName': 'EncodePointer'}
[=] GetProcAddress(hModule = 0x10175000, lpProcName = "EncodePointer") = 0x1023eaee
{'hModule': 269963264, 'lpProcName': 'EncodePointer'}
[=] GetProcAddress(hModule = 0x10175000, lpProcName = "EncodePointer") = 0x1023eaee
{'hModule': 269963264, 'lpProcName': 'DecodePointer'}
[=] GetProcAddress(hModule = 0x10175000, lpProcName = "DecodePointer") = 0x1023ea18
{'hModule': 269963264, 'lpProcName': 'DecodePointer'}
[=] GetProcAddress(hModule = 0x10175000, lpProcName = "DecodePointer") = 0x1023ea18
{'hModule': 269963264, 'lpProcName': 'EncodePointer'}
[=] GetProcAddress(hModule = 0x10175000, lpProcName = "EncodePointer") = 0x1023eaee
{'hModule': 269963264, 'lpProcName': 'DecodePointer'}
[=] GetProcAddress(hModule = 0x10175000, lpProcName = "DecodePointer") = 0x1023ea18
{'hModule': 269963264, 'lpProcName': 'IsProcessorFeaturePresent'}
[=] GetProcAddress(hModule = 0x10175000, lpProcName = "IsProcessorFeaturePresent") = 0x1018a205
Traceback (most recent call last):
File ".\github_qiling.py", line 56, in <module>
my_sandbox([exefile], "examples/rootfs/x86_windows")
File ".\github_qiling.py", line 41, in my_sandbox
ql.run()
File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\core.py", line 755, in run
self.os.run()
File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\os\windows\windows.py", line 188, in run
self.ql.emu_start(self.ql.loader.entry_point, self.exit_point, self.ql.timeout, self.ql.count)
File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\core.py", line 896, in emu_start
self.uc.emu_start(begin, end, timeout, count)
File "C:\Users\user\Desktop\xxx\lib\site-packages\unicorn\unicorn.py", line 341, in emu_start
raise UcError(status)
unicorn.unicorn.UcError: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED)
And sorry for the bad syntax code earlier. Here is my python code:
import sys
import pefile
from qiling import *
from qiling.const import *
from capstone import *
def loader_pe(pe):
    """Disassemble the mapped image from the entry point onward.

    The bytes of ``pe.get_memory_mapped_image()`` starting at the
    ``AddressOfEntryPoint`` offset are handed to a 32-bit x86 Capstone
    disassembler. The result is stored in the module-level ``rdbin`` and
    is also returned.
    """
    global rdbin
    entry_rva = pe.OPTIONAL_HEADER.AddressOfEntryPoint
    image_from_entry = pe.get_memory_mapped_image()[entry_rva:]
    # NOTE(review): the mode is fixed to 32-bit regardless of the sample's
    # machine type - confirm that 64-bit samples are never passed in.
    disassembler = Cs(CS_ARCH_X86, CS_MODE_32)
    disassembler.detail = True
    # 0x10000 is the address Capstone assigns to the first decoded
    # instruction; it is unrelated to the address the emulator loads the
    # sample at, so the two address spaces will not line up.
    rdbin = disassembler.disasm(image_from_entry, 0x10000)
    return rdbin
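def check_arch(pe):
    """Report and return the bitness of a parsed PE file.

    Args:
        pe: object exposing ``FILE_HEADER.Machine`` (a ``pefile.PE`` in
            this script).

    Returns:
        32 for machine type 0x14c, 64 for machine type 0x8664.

    Raises:
        ValueError: if the machine type is anything else, so an
            unexpected sample is rejected with a clear message rather
            than failing on an unassigned local.
    """
    # 0x14c is IMAGE_FILE_MACHINE_I386, 0x8664 is IMAGE_FILE_MACHINE_AMD64.
    bits_by_machine = {0x14c: 32, 0x8664: 64}
    machine = pe.FILE_HEADER.Machine
    try:
        bit = bits_by_machine[machine]
    except KeyError:
        raise ValueError("unsupported PE machine type: %#x" % machine) from None
    print("[+] Sample is %s bit" % bit)
    return bit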
def GetProcAddress(ql, addr, params, retval):
    """Hook callback: print the arguments of an intercepted GetProcAddress call.

    ``params`` is printed exactly as received. ``ql``, ``addr`` and
    ``retval`` are accepted but not used. Returns None.
    """
    print(params)
def my_sandbox(path, rootfs):
    """Emulate *path* under Qiling with a hook on GetProcAddress.

    Args:
        path: argv list for the emulated program (the caller passes a
            one-element list holding the sample path).
        rootfs: directory passed to Qiling as the emulated root filesystem.

    Any exception raised by ``run()`` propagates to the caller, including
    the ``unicorn.UcError`` raised on an unmapped memory access.
    """
    emulator = Qiling(path, rootfs, verbose=QL_VERBOSE.DEFAULT)
    # Call the module-level GetProcAddress callback when the emulated API exits.
    emulator.set_api("GetProcAddress", GetProcAddress, QL_INTERCEPT.EXIT)
    # NOTE(review): this looks like a log filter that hides every record
    # not matching the pattern; it is still set here, so the log stays
    # restricted - drop it when a crash needs the full trace.
    emulator.filter = "GetProcAddress"
    emulator.run()
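### Main Program ###
file = sys.argv[-1]
if __name__ == "__main__":
    # With no argument, sys.argv[-1] is this script itself, so require one.
    if len(sys.argv) < 2:
        print("usage: %s <sample.exe>" % sys.argv[0], file=sys.stderr)
        sys.exit(2)
    exefile = sys.argv[-1]
    try:
        exe = pefile.PE(exefile)
    except OSError as e:
        # Report the failure and exit non-zero so wrappers can detect it.
        print(e, file=sys.stderr)
        sys.exit(1)
    except pefile.PEFormatError as e:
        # Report why parsing failed; exiting silently hides a bad sample path.
        print("[-] Not a valid PE file: %s" % e, file=sys.stderr)
        sys.exit(1)
    rdbin = loader_pe(exe)
    # NOTE(review): the result of check_arch is not used; the disassembler
    # mode and the rootfs below are fixed to 32-bit x86 regardless.
    check_arch(exe)
    my_sandbox([exefile], "examples/rootfs/x86_windows")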
When I removed set_api, I was able to see more debug output, but the same error shows up. Netwire RAT sample:
[+] Sample is 32 bit
[=] Initiate stack address at 0xfffdd000
[=] Loading .\justificante_8726.exe to 0x400000
[=] PE entry point at 0x401314
[=] TEB addr is 0x6000
[=] PEB addr is 0x6044
[=] Loading examples/rootfs/x86_windows\Windows\System32\ntdll.dll to 0x10000000
[!] Warnings while loading examples/rootfs/x86_windows\Windows\System32\ntdll.dll:
[!] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[!] - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[=] Done with loading examples/rootfs/x86_windows\Windows\System32\ntdll.dll
[=] Loading examples/rootfs/x86_windows\Windows\System32\kernel32.dll to 0x10175000
[=] Done with loading examples/rootfs/x86_windows\Windows\System32\kernel32.dll
[=] Loading examples/rootfs/x86_windows\Windows\System32\msvbvm60.dll to 0x10280000
[=] Done with loading examples/rootfs/x86_windows\Windows\System32\msvbvm60.dll
[!] api ThunRTMain is not implemented
[x]
[x] ah : 0x0
[x] al : 0x0
[x] ch : 0x0
[x] cl : 0x0
[x] dh : 0x0
[x] dl : 0x0
[x] bh : 0x0
[x] bl : 0x0
[x] ax : 0x0
[x] cx : 0x0
[x] dx : 0x0
[x] bx : 0x0
[x] sp : 0xcf84
[x] bp : 0xcff4
[x] si : 0x1428
[x] di : 0x0
[x] ip : 0x35cf
[x] eax : 0x0
[x] ecx : 0x0
[x] edx : 0x0
[x] ebx : 0x0
[x] esp : 0xffffcf84
[x] ebp : 0xffffcff4
[x] esi : 0x401428
[x] edi : 0x0
[x] eip : 0x102835cf
[x] cr0 : 0x11
[x] cr1 : 0x0
[x] cr2 : 0x0
[x] cr3 : 0x0
[x] cr4 : 0x0
[x] cr5 : 0x0
[x] cr6 : 0x0
[x] cr7 : 0x0
[x] cr8 : 0x0
[x] cr9 : 0x0
[x] cr10 : 0x0
[x] cr11 : 0x0
[x] cr12 : 0x0
[x] cr13 : 0x0
[x] cr14 : 0x0
[x] cr15 : 0x0
[x] st0 : 0x0
[x] st1 : 0x0
[x] st2 : 0x0
[x] st3 : 0x0
[x] st4 : 0x0
[x] st5 : 0x0
[x] st6 : 0x0
[x] st7 : 0x0
[x] ef : 0x84
[x] cs : 0x1b
[x] ss : 0x28
[x] ds : 0x28
[x] es : 0x28
[x] fs : 0x73
[x] gs : 0x78
[x]
[x] PC = 0x102835cf
[x] (examples/rootfs/x86_windows\Windows\System32\msvbvm60.dll+0x35cf)
[=] Start End Perm Label Image
[=] 00006000 - 0000c000 rwx [FS/GS]
[=] 00030000 - 00031000 rwx [GDT]
[=] 00400000 - 004b0000 rwx [PE] .\justificante_8726.exe
[=] 05000000 - 05001000 rwx [heap]
[=] 06000000 - 0c000000 rwx [FS/GS]
[=] 10000000 - 10175000 rwx ntdll.dll examples/rootfs/x86_windows\Windows\System32\ntdll.dll
[=] 10175000 - 10280000 rwx kernel32.dll examples/rootfs/x86_windows\Windows\System32\kernel32.dll
[=] 10280000 - 103d3000 rwx msvbvm60.dll examples/rootfs/x86_windows\Windows\System32\msvbvm60.dll
[=] fffdd000 - ffffe000 rwx [stack]
[x] ['0x89', '0x35', '0x70', '0xe8', '0xa4', '0x72', '0x83', '0x65']
[=]
[=] 0x102835cf {msvbvm60.dll + 0x0035cf} 89 35 70 e8 a4 72 83 65 fc 00 8d 45 a0 50 ff 15 a0 10 94 72 0f b7 45 d0 a3 6c e8 a4 72 ff 35 d8 e7 a4 72 56 be 70 e4
a4 72 8b ce 90 e8 5c 00 00 00 89 45 e4 85 c0 0f 8c 0f c4 01 00 6a 00 6a 00 mov dword ptr [0x72a4e870], esi
> and dword ptr [ebp - 4], 0
> lea eax, [ebp - 0x60]
> push eax
> call dword ptr [0x729410a0]
> movzx eax, word ptr [ebp - 0x30]
> mov dword ptr [0x72a4e86c], eax
> push dword ptr [0x72a4e7d8]
> push esi
> mov esi, 0x72a4e470
> mov ecx, esi
> nop
> call 0x1028365c
> mov dword ptr [ebp - 0x1c], eax
> test eax, eax
> jl 0x1029fa1a
> push 0
> push 0
Traceback (most recent call last):
File ".\github_qiling.py", line 56, in <module>
my_sandbox([exefile], "examples/rootfs/x86_windows")
File ".\github_qiling.py", line 41, in my_sandbox
ql.run()
File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\core.py", line 755, in run
self.os.run()
File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\os\windows\windows.py", line 188, in run
self.ql.emu_start(self.ql.loader.entry_point, self.exit_point, self.ql.timeout, self.ql.count)
File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\core.py", line 896, in emu_start
self.uc.emu_start(begin, end, timeout, count)
File "C:\Users\user\Desktop\xxx\lib\site-packages\unicorn\unicorn.py", line 341, in emu_start
raise UcError(status)
unicorn.unicorn.UcError: Invalid memory write (UC_ERR_WRITE_UNMAPPED)
Emotet sample:
[=] InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x447078, dwSpinCount = 0xfa0) = 0x1
[=] InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x447090, dwSpinCount = 0xfa0) = 0x1
[=] InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x4470a8, dwSpinCount = 0xfa0) = 0x1
[=] InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x4470c0, dwSpinCount = 0xfa0) = 0x1
[=] InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x4470d8, dwSpinCount = 0xfa0) = 0x1
[=] InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x4470f0, dwSpinCount = 0xfa0) = 0x1
[=] InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x447108, dwSpinCount = 0xfa0) = 0x1
[=] InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x447120, dwSpinCount = 0xfa0) = 0x1
[=] InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x447138, dwSpinCount = 0xfa0) = 0x1
[=] InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x447150, dwSpinCount = 0xfa0) = 0x1
[=] InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x447168, dwSpinCount = 0xfa0) = 0x1
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] GetModuleHandleW(lpModuleName = "KERNEL32.DLL") = 0x10175000
[=] GetProcAddress(hModule = 0x10175000, lpProcName = "DecodePointer") = 0x1023ea18
[=] DecodePointer(Ptr = 0x10189efb) = 0x10189efb
[=] FlsAlloc(lpCallback = 0x424a51) = 0x0
[=] HeapAlloc(hHeap = 0x5000b8c, dwFlags = 0x8, dwBytes = 0x214) = 0x5001b8c
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x0
[=] GetModuleHandleW(lpModuleName = "KERNEL32.DLL") = 0x10175000
[=] GetProcAddress(hModule = 0x10175000, lpProcName = "DecodePointer") = 0x1023ea18
[=] DecodePointer(Ptr = 0x101891d8) = 0x101891d8
[=] FlsSetValue(dwFlsIndex = 0, lpFlsData = 0x5001b8c) = 0x1
[=] GetModuleHandleW(lpModuleName = "KERNEL32.DLL") = 0x10175000
[=] GetProcAddress(hModule = 0x10175000, lpProcName = "EncodePointer") = 0x1023eaee
[=] GetProcAddress(hModule = 0x10175000, lpProcName = "DecodePointer") = 0x1023ea18
[=] EnterCriticalSection(lpCriticalSection = 0x447108) = 0x0
[=] InterlockedIncrement(Target = 0x4427d0) = 0x0
[=] LeaveCriticalSection(lpCriticalSection = 0x447108) = 0x0
[=] EnterCriticalSection(lpCriticalSection = 0x4470f0) = 0x0
[=] InterlockedIncrement(Target = 0x442d00) = 0x1
[=] InterlockedIncrement(Target = 0x44327c) = 0x0
[=] LeaveCriticalSection(lpCriticalSection = 0x4470f0) = 0x0
[=] GetCurrentThreadId() = 0x0
[=] GetStartupInfoA(lpStartupInfo = 0xffffcf18) = 0x0
[=] HeapAlloc(hHeap = 0x5000b8c, dwFlags = 0x8, dwBytes = 0x800) = 0x5001da0
[=] GetStdHandle(nStdHandle = 0xfffffff6) = 0xfffffff6
[=] GetFileType(hFile = 0xfffffff6) = 0x2
[=] InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5001dac, dwSpinCount = 0xfa0) = 0x1
[=] GetStdHandle(nStdHandle = 0xfffffff5) = 0xfffffff5
[=] GetFileType(hFile = 0xfffffff5) = 0x2
[=] InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5001dec, dwSpinCount = 0xfa0) = 0x1
[=] GetStdHandle(nStdHandle = 0xfffffff4) = 0xfffffff4
[=] GetFileType(hFile = 0xfffffff4) = 0x2
[=] InitializeCriticalSectionAndSpinCount(lpCriticalSection = 0x5001e2c, dwSpinCount = 0xfa0) = 0x1
[=] SetHandleCount(uNumber = 0x20) = 0x20
[=] GetCommandLineA() = 0x50025a0
[=] GetEnvironmentStringsW() = 0x50025c4
[=] WideCharToMultiByte(CodePage = 0, dwFlags = 0, lpWideCharStr = "", cchWideChar = 0x1, lpMultiByteStr = 0, cbMultiByte = 0, lpDefaultChar = 0, lpUsedDefaultChar = 0) = 0x2
[=] HeapAlloc(hHeap = 0x5000b8c, dwFlags = 0, dwBytes = 0x2) = 0x50025c6
[=] WideCharToMultiByte(CodePage = 0, dwFlags = 0, lpWideCharStr = "", cchWideChar = 0x1, lpMultiByteStr = 0x50025c6, cbMultiByte = 0x2, lpDefaultChar = 0, lpUsedDefaultChar = 0) = 0x2
[=] FreeEnvironmentStringsW(penv = 0x50025c4) = 0x1
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] EnterCriticalSection(lpCriticalSection = 0x447108) = 0x0
[=] LeaveCriticalSection(lpCriticalSection = 0x447108) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetACP() = 0x1b5
[=] HeapAlloc(hHeap = 0x5000b8c, dwFlags = 0, dwBytes = 0x220) = 0x50025c8
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] IsValidCodePage(CodePage = 0x1b5) = 0x1
[=] GetCPInfo(CodePage = 0x1b5, lpCPInfo = 0xffffcef8) = 0x1
[=] GetCPInfo(CodePage = 0x1b5, lpCPInfo = 0xffffc9c4) = 0x1
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetStringTypeW(dwInfoType = 0x1, lpSrcStr = 0x437d2c, cchSrc = 0x1, lpCharType = 0xffffc954) = 0x1
[=] MultiByteToWideChar(CodePage = 0x1b5, dwFlags = 0x1, lpMultiByteStr = " \x01\x02\x03\x04\x05\x06\x07\x08\t\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7fP\x10$BB\'\x05)D%\x05 \x02", cbMultiByte = 0x100, lpWideCharStr = 0, cchWideChar = 0) = 0x11c
[=] MultiByteToWideChar(CodePage = 0x1b5, dwFlags = 0x1, lpMultiByteStr = " \x01\x02\x03\x04\x05\x06\x07\x08\t\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7fP\x10$BB\'\x05)D%\x05 \x02", cbMultiByte = 0x100, lpWideCharStr = 0xffffc708, cchWideChar = 0x11c) = 0x11c
[=] GetStringTypeW(dwInfoType = 0x1, lpSrcStr = 0xffffc708, cchSrc = 0x11c, lpCharType = 0xffffc9d8) = 0x1
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] LCMapStringW(Locale = 0, dwMapFlags = 0x100, lpSrcStr = "", cchSrc = 0x1, lpDestStr = 0, cchDest = 0) = 0x2
[=] MultiByteToWideChar(CodePage = 0x1b5, dwFlags = 0x1, lpMultiByteStr = " \x01\x02\x03\x04\x05\x06\x07\x08\t\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7fP\x10$BB\'\x05)D%\x05 \x02", cbMultiByte = 0x100, lpWideCharStr = 0, cchWideChar = 0) = 0x11c
[=] MultiByteToWideChar(CodePage = 0x1b5, dwFlags = 0x1, lpMultiByteStr = " \x01\x02\x03\x04\x05\x06\x07\x08\t\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7fP\x10$BB\'\x05)D%\x05 \x02", cbMultiByte = 0x100, lpWideCharStr = 0xffffc6d8, cchWideChar = 0x11c) = 0x11c
[=] LCMapStringW(Locale = 0, dwMapFlags = 0x100, lpSrcStr = " \x01\x02\x03\x04\x05\x06\x07\x08\t\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7fP\x10$BB\'\x05)D%\x05 \x02", cchSrc = 0x11c, lpDestStr = 0, cchDest = 0) = 0x11c
[=] LCMapStringW(Locale = 0, dwMapFlags = 0x100, lpSrcStr = " \x01\x02\x03\x04\x05\x06\x07\x08\t\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7fP\x10$BB\'\x05)D%\x05 \x02", cchSrc = 0x11c, lpDestStr = 0xffffc498, cchDest = 0x11c) = 0x11c
[=] WideCharToMultiByte(CodePage = 0x1b5, dwFlags = 0, lpWideCharStr = " \x01\x02\x03\x04\x05\x06\x07\x08\t\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7fP\x10$BB\'\x05)D%\x05 \x02", cchWideChar = 0x11c, lpMultiByteStr = 0xffffccd8, cbMultiByte = 0x100, lpDefaultChar = 0, lpUsedDefaultChar = 0) = 0x11c
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] MultiByteToWideChar(CodePage = 0x1b5, dwFlags = 0x1, lpMultiByteStr = "P\x10$BB'\x05)D%\x05 \x02", cbMultiByte = 0x2, lpWideCharStr = 0, cchWideChar = 0) = 0x1c
[=] MultiByteToWideChar(CodePage = 0x1b5, dwFlags = 0x1, lpMultiByteStr = "P\x10$BB'\x05)D%\x05 \x02", cbMultiByte = 0x2, lpWideCharStr = 0xffffc8f8, cchWideChar = 0x1c) = 0x1c
[=] LCMapStringW(Locale = 0, dwMapFlags = 0x200, lpSrcStr = "P\x10$BB'\x05)D%\x05 \x02", cchSrc = 0x1c, lpDestStr = 0, cchDest = 0) = 0x1c
[=] LCMapStringW(Locale = 0, dwMapFlags = 0x200, lpSrcStr = "P\x10$BB'\x05)D%\x05 \x02", cchSrc = 0x1c, lpDestStr = 0xffffc8b8, cchDest = 0x1c) = 0x1c
[=] WideCharToMultiByte(CodePage = 0x1b5, dwFlags = 0, lpWideCharStr = "P\x10$BB'\x05)D%\x05 \x02", cchWideChar = 0x1c, lpMultiByteStr = 0xffffcbd8, cbMultiByte = 0x100, lpDefaultChar = 0, lpUsedDefaultChar = 0) = 0x1c
[=] InterlockedDecrement(Target = 0x4427d0) = 0xffffffff
[=] InterlockedIncrement(Target = 0x50025c8) = 0x0
[=] EnterCriticalSection(lpCriticalSection = 0x447108) = 0x0
[=] InterlockedDecrement(Target = 0x4427d0) = 0xfffffffe
[=] InterlockedIncrement(Target = 0x50025c8) = 0x0
[=] LeaveCriticalSection(lpCriticalSection = 0x447108) = 0x0
[=] GetModuleFileNameA(hModule = 0, lpFilename = 0x4474a8, nSize = 0x104) = 0x23
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] HeapAlloc(hHeap = 0x5000b8c, dwFlags = 0, dwBytes = 0x2b) = 0x50027e8
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] HeapAlloc(hHeap = 0x5000b8c, dwFlags = 0x8, dwBytes = 0x4) = 0x5002813
[=] HeapFree(hHeap = 0x5000b8c, dwFlags = 0, lpMem = 0x50025c6) = 0x1
[=] GetModuleHandleA(lpModuleName = "KERNEL32") = 0x10175000
[=] GetProcAddress(hModule = 0x10175000, lpProcName = "IsProcessorFeaturePresent") = 0x1018a205
[=] IsProcessorFeaturePresent(ProcessorFeature = 0) = 0x1
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x42b679) = 0x42b679
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x42ad60) = 0x42ad60
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x42ad14) = 0x42ad14
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x42ad4d) = 0x42ad4d
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x42acb6) = 0x42acb6
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x42b679) = 0x42b679
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x42b5f1) = 0x42b5f1
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x42acd2) = 0x42acd2
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x42ac34) = 0x42ac34
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x42abc1) = 0x42abc1
[=] HeapAlloc(hHeap = 0x5000b8c, dwFlags = 0x8, dwBytes = 0x80) = 0x5002817
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x5002817) = 0x5002817
[=] HeapAlloc(hHeap = 0x5000b8c, dwFlags = 0x8, dwBytes = 0x800) = 0x5002897
[=] SetUnhandledExceptionFilter(lpTopLevelExceptionFilter = 0x427a9a) = 0x0
[=] EnterCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] DecodePointer(Ptr = 0x5002817) = 0x5002817
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] DecodePointer(Ptr = 0x5002817) = 0x5002817
[=] HeapSize(hHeap = 0x5000b8c, dwFlags = 0, lpMem = 0x5002817) = 0x80
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x42838d) = 0x42838d
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x500281b) = 0x500281b
[=] LeaveCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=] EnterCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] DecodePointer(Ptr = 0x5002817) = 0x5002817
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] DecodePointer(Ptr = 0x500281b) = 0x500281b
[=] HeapSize(hHeap = 0x5000b8c, dwFlags = 0, lpMem = 0x5002817) = 0x80
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x43317f) = 0x43317f
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x500281f) = 0x500281f
[=] LeaveCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=] EnterCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] DecodePointer(Ptr = 0x5002817) = 0x5002817
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] DecodePointer(Ptr = 0x500281f) = 0x500281f
[=] HeapSize(hHeap = 0x5000b8c, dwFlags = 0, lpMem = 0x5002817) = 0x80
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x433189) = 0x433189
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x5002823) = 0x5002823
[=] LeaveCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=] EnterCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] DecodePointer(Ptr = 0x5002817) = 0x5002817
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] DecodePointer(Ptr = 0x5002823) = 0x5002823
[=] HeapSize(hHeap = 0x5000b8c, dwFlags = 0, lpMem = 0x5002817) = 0x80
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x4331e5) = 0x4331e5
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x5002827) = 0x5002827
[=] LeaveCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=] InitializeCriticalSection(lpCriticalSection = 0x447714) = 0x1
[=] EnterCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] DecodePointer(Ptr = 0x5002817) = 0x5002817
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] DecodePointer(Ptr = 0x5002827) = 0x5002827
[=] HeapSize(hHeap = 0x5000b8c, dwFlags = 0, lpMem = 0x5002817) = 0x80
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x4331ef) = 0x4331ef
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x500282b) = 0x500282b
[=] LeaveCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=] TlsAlloc() = 0x1
[=] InitializeCriticalSection(lpCriticalSection = 0x446974) = 0x1
[=] EnterCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=] GlobalAlloc(uFlags = 0x2, dwBytes = 0x100) = 0x5003097
[=] GlobalLock(hMem = 0x5003097) = 0x5003097
[=] LeaveCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=] EnterCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=] TlsGetValue(dwTlsIndex = 0x1) = 0x0
[=] LeaveCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=] LocalAlloc(uFlags = 0x40, uBytes = 0x104) = 0x5003197
[=] EnterCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=] TlsGetValue(dwTlsIndex = 0x1) = 0x0
[=] LocalAlloc(uFlags = 0x40, uBytes = 0x10) = 0x500329b
[=] LocalAlloc(uFlags = 0, uBytes = 0x8) = 0x50032ab
[=] TlsSetValue(dwTlsIndex = 0x1, lpTlsValue = 0x500329b) = 0x1
[=] LeaveCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=] InitializeCriticalSection(lpCriticalSection = 0x446b30) = 0x1
[=] EnterCriticalSection(lpCriticalSection = 0x446b30) = 0x0
[=] InitializeCriticalSection(lpCriticalSection = 0x446b18) = 0x1
[=] LeaveCriticalSection(lpCriticalSection = 0x446b30) = 0x0
[=] EnterCriticalSection(lpCriticalSection = 0x446b18) = 0x0
[=] LocalAlloc(uFlags = 0x40, uBytes = 0x8c) = 0x50032b3
[=] HeapAlloc(hHeap = 0x5000b8c, dwFlags = 0, dwBytes = 0x1011) = 0x500333f
[=] HeapAlloc(hHeap = 0x5000b8c, dwFlags = 0, dwBytes = 0xc) = 0x5004350
[=] LocalAlloc(uFlags = 0x40, uBytes = 0x188) = 0x500435c
[=] HeapAlloc(hHeap = 0x5000b8c, dwFlags = 0, dwBytes = 0x1d) = 0x50044e4
[=] LocalAlloc(uFlags = 0x40, uBytes = 0x64) = 0x5004501
[=] HeapAlloc(hHeap = 0x5000b8c, dwFlags = 0, dwBytes = 0x1d) = 0x5004565
[=] LocalAlloc(uFlags = 0x40, uBytes = 0x14) = 0x5004582
[=] HeapAlloc(hHeap = 0x5000b8c, dwFlags = 0, dwBytes = 0x1c) = 0x5004596
[=] LeaveCriticalSection(lpCriticalSection = 0x446b18) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] EnterCriticalSection(lpCriticalSection = 0x447108) = 0x0
[=] LeaveCriticalSection(lpCriticalSection = 0x447108) = 0x0
[=] GetLastError() = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] SetLastError(dwErrCode = 0) = 0x0
[=] GetACP() = 0x1b5
[=] EnterCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] DecodePointer(Ptr = 0x5002817) = 0x5002817
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] DecodePointer(Ptr = 0x500282b) = 0x500282b
[=] HeapSize(hHeap = 0x5000b8c, dwFlags = 0, lpMem = 0x5002817) = 0x80
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x431a5a) = 0x431a5a
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x500282f) = 0x500282f
[=] LeaveCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=] EnterCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=] TlsGetValue(dwTlsIndex = 0x1) = 0x500329b
[=] LeaveCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=] EnterCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=] TlsGetValue(dwTlsIndex = 0x1) = 0x500329b
[=] LeaveCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=] GetCursorPos(lpPoint = 0x50031e3) = 0x0
[=] EnterCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=] TlsGetValue(dwTlsIndex = 0x1) = 0x500329b
[=] LeaveCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=] EnterCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=] LeaveCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=] EnterCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=] TlsGetValue(dwTlsIndex = 0x1) = 0x500329b
[=] LeaveCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=] LocalAlloc(uFlags = 0x40, uBytes = 0x54) = 0x50045b2
[=] EnterCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=] TlsGetValue(dwTlsIndex = 0x1) = 0x500329b
[=] LocalReAlloc(hMem = 0x50032ab, uBytes = 0xc, uFlags = 0x2) = 0x5004606
[=] TlsSetValue(dwTlsIndex = 0x1, lpTlsValue = 0x500329b) = 0x1
[=] LeaveCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=] GetCurrentThread() = 0x0
[=] GetCurrentThreadId() = 0x0
[=] EnterCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] DecodePointer(Ptr = 0x5002817) = 0x5002817
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] DecodePointer(Ptr = 0x500282f) = 0x500282f
[=] HeapSize(hHeap = 0x5000b8c, dwFlags = 0, lpMem = 0x5002817) = 0x80
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x433140) = 0x433140
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x5002833) = 0x5002833
[=] LeaveCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=] EnterCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] DecodePointer(Ptr = 0x5002817) = 0x5002817
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] DecodePointer(Ptr = 0x5002833) = 0x5002833
[=] HeapSize(hHeap = 0x5000b8c, dwFlags = 0, lpMem = 0x5002817) = 0x80
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x43314a) = 0x43314a
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x5002837) = 0x5002837
[=] LeaveCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=] EnterCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] DecodePointer(Ptr = 0x5002817) = 0x5002817
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] DecodePointer(Ptr = 0x5002837) = 0x5002837
[=] HeapSize(hHeap = 0x5000b8c, dwFlags = 0, lpMem = 0x5002817) = 0x80
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x433154) = 0x433154
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x500283b) = 0x500283b
[=] LeaveCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=] EnterCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] DecodePointer(Ptr = 0x5002817) = 0x5002817
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] DecodePointer(Ptr = 0x500283b) = 0x500283b
[=] HeapSize(hHeap = 0x5000b8c, dwFlags = 0, lpMem = 0x5002817) = 0x80
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x43315e) = 0x43315e
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x500283f) = 0x500283f
[=] LeaveCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=] EnterCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] DecodePointer(Ptr = 0x5002817) = 0x5002817
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] DecodePointer(Ptr = 0x500283f) = 0x500283f
[=] HeapSize(hHeap = 0x5000b8c, dwFlags = 0, lpMem = 0x5002817) = 0x80
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x433169) = 0x433169
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x5002843) = 0x5002843
[=] LeaveCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=] EnterCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] DecodePointer(Ptr = 0x5002817) = 0x5002817
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] DecodePointer(Ptr = 0x5002843) = 0x5002843
[=] HeapSize(hHeap = 0x5000b8c, dwFlags = 0, lpMem = 0x5002817) = 0x80
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x433174) = 0x433174
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x5002847) = 0x5002847
[=] LeaveCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=] EnterCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] DecodePointer(Ptr = 0x5002817) = 0x5002817
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] DecodePointer(Ptr = 0x5002847) = 0x5002847
[=] HeapSize(hHeap = 0x5000b8c, dwFlags = 0, lpMem = 0x5002817) = 0x80
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x433193) = 0x433193
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x500284b) = 0x500284b
[=] LeaveCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=] RegisterWindowMessageA(lpString = "commctrl_DragListMsg") = 0xd10c
[=] EnterCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=] TlsGetValue(dwTlsIndex = 0x1) = 0x500329b
[=] LeaveCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=] LocalAlloc(uFlags = 0x40, uBytes = 0x104) = 0x5004612
[=] EnterCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=] TlsGetValue(dwTlsIndex = 0x1) = 0x500329b
[=] LeaveCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=] EnterCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] DecodePointer(Ptr = 0x5002817) = 0x5002817
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] DecodePointer(Ptr = 0x500284b) = 0x500284b
[=] HeapSize(hHeap = 0x5000b8c, dwFlags = 0, lpMem = 0x5002817) = 0x80
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x43319d) = 0x43319d
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x500284f) = 0x500284f
[=] LeaveCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=] EnterCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=] TlsGetValue(dwTlsIndex = 0x1) = 0x500329b
[=] LeaveCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=] EnterCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] DecodePointer(Ptr = 0x5002817) = 0x5002817
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] DecodePointer(Ptr = 0x500284f) = 0x500284f
[=] HeapSize(hHeap = 0x5000b8c, dwFlags = 0, lpMem = 0x5002817) = 0x80
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x4331a7) = 0x4331a7
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x5002853) = 0x5002853
[=] LeaveCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=] EnterCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=] TlsGetValue(dwTlsIndex = 0x1) = 0x500329b
[=] LeaveCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=] EnterCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] DecodePointer(Ptr = 0x5002817) = 0x5002817
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] DecodePointer(Ptr = 0x5002853) = 0x5002853
[=] HeapSize(hHeap = 0x5000b8c, dwFlags = 0, lpMem = 0x5002817) = 0x80
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x4331b1) = 0x4331b1
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x5002857) = 0x5002857
[=] LeaveCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=] EnterCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=] TlsGetValue(dwTlsIndex = 0x1) = 0x500329b
[=] LeaveCriticalSection(lpCriticalSection = 0x446974) = 0x0
[=] EnterCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] DecodePointer(Ptr = 0x5002817) = 0x5002817
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] DecodePointer(Ptr = 0x5002857) = 0x5002857
[=] HeapSize(hHeap = 0x5000b8c, dwFlags = 0, lpMem = 0x5002817) = 0x80
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x4331bb) = 0x4331bb
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x500285b) = 0x500285b
[=] LeaveCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=] EnterCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] DecodePointer(Ptr = 0x5002817) = 0x5002817
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] DecodePointer(Ptr = 0x500285b) = 0x500285b
[=] HeapSize(hHeap = 0x5000b8c, dwFlags = 0, lpMem = 0x5002817) = 0x80
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x4331c5) = 0x4331c5
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x500285f) = 0x500285f
[=] LeaveCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=] EnterCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] DecodePointer(Ptr = 0x5002817) = 0x5002817
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] DecodePointer(Ptr = 0x500285f) = 0x500285f
[=] HeapSize(hHeap = 0x5000b8c, dwFlags = 0, lpMem = 0x5002817) = 0x80
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x4331d0) = 0x4331d0
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] TlsGetValue(dwTlsIndex = 0) = 0x10186252
[=] FlsGetValue(dwFlsIndex = 0) = 0x5001b8c
[=] EncodePointer(Ptr = 0x5002863) = 0x5002863
[=] LeaveCriticalSection(lpCriticalSection = 0x4470c0) = 0x0
[=] GetSystemMetrics(nIndex = 0xb) = 0x20
[=] GetSystemMetrics(nIndex = 0xc) = 0x20
[=] GetSystemMetrics(nIndex = 0x2) = 0x4
[=] GetSystemMetrics(nIndex = 0x3) = 0x12c
[=] GetDC(hWnd = 0) = 0xd10c
[=] GetDeviceCaps() = 0x1
[=] GetDeviceCaps() = 0x1
[=] ReleaseDC(hWnd = 0, hDC = 0xd10c) = 0x1
[x]
[x] ah : 0x0
[x] al : 0x1
[x] ch : 0x6b
[x] cl : 0x90
[x] dh : 0x46
[x] dl : 0x12
[x] bh : 0xd1
[x] bl : 0xc
[x] ax : 0x1
[x] cx : 0x6b90
[x] dx : 0x4612
[x] bx : 0xd10c
[x] sp : 0xcf44
[x] bp : 0xcf6c
[x] si : 0x5a
[x] di : 0xd10c
[x] ip : 0x58
[x] eax : 0x1
[x] ecx : 0x446b90
[x] edx : 0x5004612
[x] ebx : 0xd10c
[x] esp : 0xffffcf44
[x] ebp : 0xffffcf6c
[x] esi : 0x5a
[x] edi : 0xd10c
[x] eip : 0x58
[x] cr0 : 0x11
[x] cr1 : 0x0
[x] cr2 : 0x0
[x] cr3 : 0x0
[x] cr4 : 0x0
[x] cr5 : 0x0
[x] cr6 : 0x0
[x] cr7 : 0x0
[x] cr8 : 0x0
[x] cr9 : 0x0
[x] cr10 : 0x0
[x] cr11 : 0x0
[x] cr12 : 0x0
[x] cr13 : 0x0
[x] cr14 : 0x0
[x] cr15 : 0x0
[x] st0 : 0x0
[x] st1 : 0x0
[x] st2 : 0x0
[x] st3 : 0x0
[x] st4 : 0x0
[x] st5 : 0x0
[x] st6 : 0x0
[x] st7 : 0x0
[x] ef : 0x6
[x] cs : 0x1b
[x] ss : 0x28
[x] ds : 0x28
[x] es : 0x28
[x] fs : 0x73
[x] gs : 0x78
[x]
[x] PC = 0x58
[=]
[=] Start End Perm Label Image
[=] 00006000 - 0000c000 rwx [FS/GS]
[=] 00030000 - 00031000 rwx [GDT]
[=] 00400000 - 0045a000 rwx [PE] .\emotet.exe
[=] 05000000 - 05001000 rwx [heap]
[=] 05001000 - 05002000 rwx [heap]
[=] 05002000 - 05003000 rwx [heap]
[=] 05003000 - 05004000 rwx [heap]
[=] 05004000 - 05006000 rwx [heap]
[=] 06000000 - 0c000000 rwx [FS/GS]
[=] 10000000 - 10175000 rwx ntdll.dll examples/rootfs/x86_windows\Windows\System32\ntdll.dll
[=] 10175000 - 10280000 rwx kernel32.dll examples/rootfs/x86_windows\Windows\System32\kernel32.dll
[=] 10280000 - 10374000 rwx user32.dll examples/rootfs/x86_windows\Windows\System32\user32.dll
[=] 10374000 - 103f6000 rwx gdi32.dll examples/rootfs/x86_windows\Windows\System32\gdi32.dll
[=] 103f6000 - 10471000 rwx comdlg32.dll examples/rootfs/x86_windows\Windows\System32\comdlg32.dll
[=] 10471000 - 104c2000 rwx winspool.drv examples/rootfs/x86_windows\Windows\System32\winspool.drv
[=] 104c2000 - 10562000 rwx advapi32.dll examples/rootfs/x86_windows\Windows\System32\advapi32.dll
[=] 10562000 - 105e6000 rwx comctl32.dll examples/rootfs/x86_windows\Windows\System32\comctl32.dll
[=] 105e6000 - 1063d000 rwx shlwapi.dll examples/rootfs/x86_windows\Windows\System32\shlwapi.dll
[=] 1063d000 - 10659000 rwx oledlg.dll examples/rootfs/x86_windows\Windows\System32\oledlg.dll
[=] 10659000 - 107b5000 rwx ole32.dll examples/rootfs/x86_windows\Windows\System32\ole32.dll
[=] 107b5000 - 10844000 rwx oleaut32.dll examples/rootfs/x86_windows\Windows\System32\oleaut32.dll
[=] fffdd000 - ffffe000 rwx [stack]
[x] Error: PC(0x58) Unreachable
Traceback (most recent call last):
File ".\github_qiling.py", line 56, in <module>
my_sandbox([exefile], "examples/rootfs/x86_windows")
File ".\github_qiling.py", line 41, in my_sandbox
ql.run()
File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\core.py", line 755, in run
self.os.run()
File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\os\windows\windows.py", line 188, in run
self.ql.emu_start(self.ql.loader.entry_point, self.exit_point, self.ql.timeout, self.ql.count)
File "C:\Users\user\Desktop\xxx\lib\site-packages\qiling\core.py", line 896, in emu_start
self.uc.emu_start(begin, end, timeout, count)
File "C:\Users\user\Desktop\xxx\lib\site-packages\unicorn\unicorn.py", line 341, in emu_start
raise UcError(status)
unicorn.unicorn.UcError: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED)
I said "emit" retval, not "omit" - but that's fine. It is emitted by the log anyway.
I suspect your copy of msvbvm60.dll is corrupted or not a 32-bit DLL. Can you post its md5sum?
Hi, thanks for the reply! The md5 hash of msvbvm60.dll is 5343a19c618bc515ceb1695586c6c137
I have a strong reason to believe this one is related to #852
Please pull the latest changes from dev branch and let us know if the problem still persists.
The issue should be solved with #852, so I will close this issue for now.