Improvements and fixes for Windows and PE #1118
For some reason PE tests run fine on a Linux / WSL host, but fail on Windows. Edit: as expected, that was a path canonicalization error; fixed now.
The Windows sality test keeps failing due to a Local runs on both Ubuntu WSL and an updated Windows finish successfully, so it may indicate that the [Note that
@0ssigeno maybe you have some idea?
@xwings can you update the VM and re-create the snapshot? That might help.
@elicn the Windows 2019 server is running on a fresh image each run. More info on this: https://github.com/actions/virtual-environments/blob/main/images/win/Windows2019-Readme.md. Current build is OS Version: 10.0.17763 Build 2686, which is up-to-date. I did a run on the newer Windows Server 2022. Tests took nearly 2 hrs to complete. If you need a copy of the dll from these images, I can port it out for you to test.
Thanks @chfl4gs. As for the long running time, that is because
Sure. Will move to 2022 runner while waiting for
@xwings: @chfl4gs:
@chfl4gs will you be able to change the pefile clone install and not pip3?
Once Qiling dependencies are modified to pull latest
Sure, I will fix it ASAP.
@elicn updated the pefile to latest. Do you want to run a test before we merge?
@xwings
This PR introduces a lot of improvements and bugfixes to the Windows OS and PE Loader.
Changelog highlights:
- QlOsStats from utils to its own module
- QlWinStats object
- Opportunistic DLL loading: loading DLLs recursively solves many "unimplemented API" issues (such as #377), but has its own caveats. To let DLLs initialize properly, their DllMain function is called and executed on a best-effort basis: many of them are bound to fail sooner or later due to some unimplemented API, and Qiling will resume with loading other DLLs as soon as it happens.
- Long DLL relocation time: Qiling is using the pefile module to parse and handle PE files. That module has a known issue with very long relocation durations for large DLL files (e.g. the 64-bit version of kernelbase.dll, which could take up to ~3 minutes to relocate; see erocarrera/pefile#266 and erocarrera/pefile#344). Until the pefile incorporates the fixes, a waiting animation has been implemented to show Qiling is still alive - but waiting for relocation to complete (the animation will not appear on non-tty log streams).

Additional changes:
- "KERNELBASE.DLL" will be found although it is stored as "KernelBase.dll" on the host)
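
The case-insensitive lookup in the last item above (a guest request for "KERNELBASE.DLL" resolving to "KernelBase.dll" on a case-sensitive host), sketched as an added example; this is not Qiling's code, and `resolve_nocase`, `demo` and the rootfs layout are hypothetical. It assumes the loader should also refuse any path that leaves the rootfs directory.

```python
import os
import tempfile
from typing import Optional


def resolve_nocase(rootfs: str, win_path: str) -> Optional[str]:
    """Map a Windows-style path onto a case-sensitive host tree, or None."""
    root = os.path.realpath(rootfs)
    current = root

    # Windows accepts both separators; drop a drive prefix such as "C:"
    parts = [p for p in win_path.replace("\\", "/").split("/") if p]
    if parts and parts[0].endswith(":"):
        parts = parts[1:]

    for part in parts:
        if part in (".", ".."):
            return None  # refuse traversal instead of trying to normalise it
        try:
            entries = os.listdir(current)
        except (FileNotFoundError, NotADirectoryError):
            return None
        # exact match wins; otherwise take the first case-insensitive match
        match = part if part in entries else next(
            (e for e in sorted(entries) if e.lower() == part.lower()), None)
        if match is None:
            return None
        current = os.path.join(current, match)

    # a symlink inside rootfs must not lead the loader outside of it
    real = os.path.realpath(current)
    if os.path.commonpath([root, real]) != root:
        return None
    return real


def demo() -> dict:
    # constructed rootfs layout, for illustration only
    with tempfile.TemporaryDirectory() as rootfs:
        sysdir = os.path.join(rootfs, "Windows", "System32")
        os.makedirs(sysdir)
        open(os.path.join(sysdir, "KernelBase.dll"), "wb").close()
        found = resolve_nocase(rootfs, r"C:\WINDOWS\system32\KERNELBASE.DLL")
        return {
            "found": os.path.relpath(found, os.path.realpath(rootfs)),
            "missing": resolve_nocase(rootfs, r"C:\Windows\System32\nope.dll"),
            "escape": resolve_nocase(rootfs, r"C:\Windows\..\..\etc\passwd"),
        }
```

Matching is done against directory listings, so the result is the same whether the host filesystem is case-sensitive or not.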