Describe the bug
The LDR table is wrong when loading windows shellcode.
The first record is not process image.
I find it's the same as #1043, which was closed:
LDR sequence error
InLoadOrderLinks = ntdll, kernel32, ...
InMemoryOrderLinks = ntdll, kernel32, ...
InInitializationOrderLinks = ntdll, kernel32, ... (no process entry)
The correct order should be
InLoadOrderLinks = process, ntdll, kernel32, ...
InMemoryOrderLinks = process, ntdll, kernel32, ...
InInitializationOrderLinks = ntdll, kernel32, ... (no process entry)
Sample Code
Get the kernel32 base from the PEB via InLoadOrderModuleList:
```python
from qiling import Qiling
from qiling.const import *

'''
40000 64A130000000 mov eax, dword ptr fs:[30] ; PEB
40006 8B400C       mov eax, dword ptr [eax+0c] ; PEB_LDR_DATA
40009 8B400C       mov eax, dword ptr [eax+0c] ; InLoadOrderModuleList, record of process image
4000C 8B00         mov eax, dword ptr [eax]    ; next module, record of ntdll
4000E 8B00         mov eax, dword ptr [eax]    ; next module, record of kernel32
40010 8B4018       mov eax, dword ptr [eax+18] ; base of kernel32
40013 C3           ret                         ; at last $EAX = base of kernel32
'''
shellcode = bytes.fromhex('64a1300000008b400c8b400c8b008b008b4018c3')

ql = Qiling(code=shellcode, archtype=QL_ARCH.X86, ostype=QL_OS.WINDOWS,
            rootfs='examples/rootfs/x86_windows', verbose=QL_VERBOSE.DEBUG)

# ret, $eax should = base addr of kernel32.dll
ql.debugger = "qdb:0x40013"
ql.run()
```
Expected behavior
The first entry of the LDR should be the process image when loading Windows shellcode.
Additional context
I checked the source code and found that when normal PE files are loaded, the PE image is added to the LDR first, while for shellcode it is not.
https://github.com/qilingframework/qiling/blob/master/qiling/loader/pe.py#L772
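Added example, not from the issue and not Qiling's own code: a Python model of the 32-bit PEB, PEB_LDR_DATA and LDR_DATA_TABLE_ENTRY layout that the sample shellcode dereferences. The structure offsets (0x0c, 0x0c/0x14/0x1c, 0x18) are the x86 ones the shellcode relies on; the addresses, module bases, entry spacing and the choice of kernelbase as the module after kernel32 are constructed. It builds both the ordering the issue calls correct and the ordering it reports, replays the shellcode's dereference chain against each, and includes the consistency check an emulator test could run to catch this class of bug.

```python
import struct

# Offsets from the 32-bit Windows structures the sample shellcode walks.
PEB_LDR = 0x0C        # PEB.Ldr
LDR_INLOAD = 0x0C     # PEB_LDR_DATA.InLoadOrderModuleList
LDR_INMEM = 0x14      # PEB_LDR_DATA.InMemoryOrderModuleList
LDR_ININIT = 0x1C     # PEB_LDR_DATA.InInitializationOrderModuleList
ENT_INLOAD = 0x00     # LDR_DATA_TABLE_ENTRY.InLoadOrderLinks
ENT_INMEM = 0x08      # LDR_DATA_TABLE_ENTRY.InMemoryOrderLinks
ENT_ININIT = 0x10     # LDR_DATA_TABLE_ENTRY.InInitializationOrderLinks
ENT_DLLBASE = 0x18    # LDR_DATA_TABLE_ENTRY.DllBase
ENT_SIZE = 0x100      # spacing between constructed entries (assumption)


class Memory:
    """Flat little-endian memory window standing in for emulator memory (constructed)."""
    def __init__(self, base, size):
        self.base, self.buf = base, bytearray(size)

    def r32(self, addr):
        return struct.unpack_from('<I', self.buf, addr - self.base)[0]

    def w32(self, addr, val):
        struct.pack_into('<I', self.buf, addr - self.base, val & 0xFFFFFFFF)


def link_list(mem, head, nodes_at, link_off):
    """Build a circular doubly linked LIST_ENTRY chain: head -> entries -> head.
    Each entry's link lives at entry + link_off, exactly as in the real structs."""
    nodes = [head] + [e + link_off for e in nodes_at]
    for i, node in enumerate(nodes):
        mem.w32(node, nodes[(i + 1) % len(nodes)])   # Flink
        mem.w32(node + 4, nodes[i - 1])              # Blink


def build_peb(mem, peb, ldr, modules, load_order):
    """Lay out PEB, PEB_LDR_DATA and one LDR_DATA_TABLE_ENTRY per module.
    `modules` maps name -> DllBase; `load_order` is the sequence placed on the
    InLoadOrder/InMemoryOrder lists. The exe never appears on the init list."""
    mem.w32(peb + PEB_LDR, ldr)
    entry_of = {}
    for i, name in enumerate(modules):
        ent = ldr + 0x100 + i * ENT_SIZE
        entry_of[name] = ent
        mem.w32(ent + ENT_DLLBASE, modules[name])
    load = [entry_of[n] for n in load_order]
    init = [entry_of[n] for n in load_order if n != 'process']
    link_list(mem, ldr + LDR_INLOAD, load, ENT_INLOAD)
    link_list(mem, ldr + LDR_INMEM, load, ENT_INMEM)
    link_list(mem, ldr + LDR_ININIT, init, ENT_ININIT)
    return entry_of


def list_bases(mem, ldr, head_off, link_off):
    """Walk one module list and return the DllBase of each entry in order."""
    head = ldr + head_off
    bases, node = [], mem.r32(head)
    while node != head:
        bases.append(mem.r32(node - link_off + ENT_DLLBASE))
        node = mem.r32(node)
    return bases


def walk_like_shellcode(mem, peb):
    """Replay the sample shellcode's dereference chain in Python."""
    eax = peb                             # mov eax, fs:[30]        -> PEB
    eax = mem.r32(eax + PEB_LDR)          # mov eax, [eax+0c]       -> PEB_LDR_DATA
    eax = mem.r32(eax + LDR_INLOAD)       # mov eax, [eax+0c]       -> first entry (should be exe)
    eax = mem.r32(eax)                    # mov eax, [eax]          -> next (should be ntdll)
    eax = mem.r32(eax)                    # mov eax, [eax]          -> next (should be kernel32)
    return mem.r32(eax + ENT_DLLBASE)     # mov eax, [eax+18]       -> DllBase


def ldr_is_sane(mem, ldr, process_base):
    """The invariant the issue asks for: exe first on the load and memory lists,
    absent from the initialization list."""
    load = list_bases(mem, ldr, LDR_INLOAD, ENT_INLOAD)
    memo = list_bases(mem, ldr, LDR_INMEM, ENT_INMEM)
    init = list_bases(mem, ldr, LDR_ININIT, ENT_ININIT)
    return (load[:1] == [process_base] and memo[:1] == [process_base]
            and process_base not in init)


# Constructed module bases and structure addresses (not real-system values).
MODULES = {'process': 0x00400000, 'ntdll': 0x77D00000,
           'kernel32': 0x76F00000, 'kernelbase': 0x75E00000}
PEB_ADDR, LDR_ADDR = 0x00300000, 0x00301000


def scenario(load_order):
    """Return (value the shellcode leaves in EAX, whether the LDR passes the check)."""
    mem = Memory(0x00300000, 0x2000)
    build_peb(mem, PEB_ADDR, LDR_ADDR, MODULES, load_order)
    return walk_like_shellcode(mem, PEB_ADDR), ldr_is_sane(mem, LDR_ADDR, MODULES['process'])


if __name__ == '__main__':
    ok = scenario(['process', 'ntdll', 'kernel32', 'kernelbase'])
    bad = scenario(['ntdll', 'kernel32', 'kernelbase'])   # the layout the issue reports
    print('correct LDR: eax=%#010x sane=%s' % ok)        # eax = kernel32 base
    print('buggy LDR:   eax=%#010x sane=%s' % bad)       # eax = base of the module after kernel32
```

With the exe missing from the head of the list, every hop in the chain is off by one, so the shellcode ends on the module after kernel32 and returns its base instead; `ldr_is_sane` is the kind of assertion a loader regression test can run directly over emulator memory to flag that before any sample is executed.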