AttributeError: module 'demo' has no attribute 'QILING_IDA' AND AttributeError: 'NoneType' object has no attribute 'custom_prepare'
IDA Pro SP1 (7.6.210427 Windows x64, 32-bit address size), Windows 10 22H2, qiling 1.4.6, Python 3.10.11, IDAPython v7.4.0 final (serial 0)
Trying to run qiling on example\rootfs\x86_windows\bin\x86_hello.exe with demo.py:
from qiling import *

# sandbox to emulate the EXE
def my_sandbox(path, rootfs):
    # setup Qiling engine
    ql = Qiling(path, rootfs)
    # now emulate the EXE
    ql.run()

if __name__ == "__main__":
    # execute Windows EXE under our rootfs
    my_sandbox(["c:\\users\\internet\\qiling\\examples\\rootfs\\x86_windows\\bin\\x86_hello.exe"], "c:\\users\\internet\\qiling\\examples\\rootfs\\x86_windows")
I get:
Possible file format: MS-DOS executable (EXE) (C:\Users\internet\Downloads\IDAPro7.6\loaders\dos.dll)
Possible file format: Portable executable for 80386 (PE) (C:\Users\internet\Downloads\IDAPro7.6\loaders\pe.dll)
bytes pages size description
--------- ----- ---- --------------------------------------------
524288 64 8192 allocating memory for b-tree...
65536 8 8192 allocating memory for virtual array...
262144 32 8192 allocating memory for name pointers...
-----------------------------------------------------------------
851968 total memory allocated
Loading processor module C:\Users\internet\Downloads\IDAPro7.6\procs\pc.dll for metapc...Initializing processor module metapc...OK
Autoanalysis subsystem has been initialized.
Loading file 'C:\Users\internet\Downloads\x86_hello.exe' into database...
Detected file format: Portable executable for 80386 (PE)
0. Creating a new segment (00401000-00402000) ... ... OK
1. Creating a new segment (00402000-00403000) ... ... OK
2. Creating a new segment (00403000-00404000) ... ... OK
3. Creating a new segment (00404000-00405000) ... ... OK
4. Creating a new segment (00405000-00406000) ... ... OK
5. Creating a new segment (00406000-00407000) ... ... OK
6. Creating a new segment (00407000-00408000) ... ... OK
7. Creating a new segment (00408000-00409000) ... ... OK
Reading imports directory...
Assuming __cdecl calling convention by default
Plan FLIRT signature: GCC (mingw/cygwin) v3.4 runtime
main() function at 401C10, named "_main"
Type library 'mssdk_win7' loaded. Applying types...
Types applied to 28 names.
Marking typical code sequences...
Flushing buffers, please wait...ok
File 'C:\Users\internet\Downloads\x86_hello.exe' has been successfully loaded into the database.
Hex-Rays Decompiler plugin has been loaded (v7.6.0.210427)
License: xxxx
The hotkeys are F5: decompile, Ctrl-F5: decompile all.
Please check the Edit/Plugins menu for more informaton.
[INFO][qilinqida:1002] ---------------------------------------------------------------------------------------
[INFO][qilinqida:1003] Qiling Emulator Plugin For IDA, by Qiling Team. Version 1.4.7.dev0, 2020
[INFO][qilinqida:1004] Based on Qiling v1.4.7.dev0
[INFO][qilinqida:1005] Find more information about Qiling at https://qiling.io
[INFO][qilinqida:1006] ---------------------------------------------------------------------------------------
IDA is analysing the input file...
You may start to explore the input file right now.
[INFO][qilinqida:1017] UI is ready, register our menu actions.
[INFO][qilinqida:1012] Registering actions.
-------------------------------------------------------------------------------------------
Python 3.10.11 (tags/v3.10.11:7d4cc5a, Apr 5 2023, 00:38:17) [MSC v.1929 64 bit (AMD64)]
IDAPython v7.4.0 final (serial 0) (c) The IDAPython Team <[email protected]>
-------------------------------------------------------------------------------------------
Using FLIRT signature: GCC (mingw/cygwin) v3.4 runtime
Propagating type information...
Function argument information has been propagated
The initial autoanalysis has been finished.
[INFO][qilinqida:2066] ['C:\\Users\\internet\\Downloads\\x86_hello.exe']
[INFO][qilinqida:1032] Rootfs: C:\Users\internet\qiling\examples\rootfs
[INFO][qilinqida:1033] Custom user script: C:\Users\internet\qiling\examples\demo.py
[INFO][qilinqida:1034] Custom env: {}
[+] Profile: default
[+] Mapping GDT at 0x30000 with limit 0x1000
[+] Loading Windows registry hive from C:\Users\internet\qiling\examples\rootfs\Windows\registry
[=] Initiate stack address at 0xfffdd000
[=] Loading C:\Users\internet\Downloads\x86_hello.exe to 0x400000
[=] PE entry point at 0x401280
[=] TEB is at 0x6000
[=] PEB is at 0x61b0
[=] LDR is at 0x6630
[=] Loading ntdll.dll ...
[+] Warnings while loading ntdll.dll:
[+] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[+] - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[+] - Failed parsing FunctionEntry of UNWIND_INFO at 16b85c: 'Chained function entry cannot be changed'
[+] - Failed parsing FunctionEntry of UNWIND_INFO at 16b898: 'Chained function entry cannot be changed'
[+] DLL preferred base address: 0x180000000
[+] DLL preferred base address exceeds memory upper bound, loading to: 0x10000000
[+] Init imports for ntdll.dll
[=] Done loading ntdll.dll
[=] Loading kernel32.dll ...
[+] DLL preferred base address: 0x180000000
[+] DLL preferred base address exceeds memory upper bound, loading to: 0x10200000
[+] Init imports for kernel32.dll
[+] Requesting imports from api-ms-win-core-rtlsupport-l1-1-0.dll
[+] Redirecting api-ms-win-core-rtlsupport-l1-1-0.dll to ntdll.dll
[+] Requesting imports from ntdll.dll
[+] Requesting imports from kernelbase.dll
[=] Loading kernelbase.dll ...
[+] DLL preferred base address: 0x180000000
[+] DLL preferred base address exceeds memory upper bound, loading to: 0x102d0000
[+] Init imports for kernelbase.dll
[+] Requesting imports from ntdll.dll
[+] Requesting imports from api-ms-win-eventing-provider-l1-1-0.dll
[+] Redirecting api-ms-win-eventing-provider-l1-1-0.dll to kernelbase.dll
[+] Requesting imports from api-ms-win-core-apiquery-l1-1-0.dll
[+] Redirecting api-ms-win-core-apiquery-l1-1-0.dll to ntdll.dll
[+] Requesting imports from api-ms-win-core-apiquery-l1-1-1.dll
[+] Redirecting api-ms-win-core-apiquery-l1-1-1.dll to ntdll.dll
[+] Ignoring kernelbase.dll entry point
[=] Done loading kernelbase.dll
[+] Ignoring kernel32.dll entry point
[=] Done loading kernel32.dll
[=] Loading mscoree.dll ...
[+] DLL preferred base address: 0x180000000
[+] DLL preferred base address exceeds memory upper bound, loading to: 0x105d0000
[+] Init imports for mscoree.dll
[+] Requesting imports from kernel32.dll
[=] Calling mscoree.dll DllMain at 0x105fbd50
[x] Error encountered while running mscoree.dll DllMain, bailing
[=] Done loading mscoree.dll
[=] Loading ucrtbase.dll ...
[+] DLL preferred base address: 0x180000000
[+] DLL preferred base address exceeds memory upper bound, loading to: 0x10640000
[+] Init imports for ucrtbase.dll
[=] Done loading ucrtbase.dll
[+] Init imports for C:\Users\internet\Downloads\x86_hello.exe
[+] Requesting imports from kernel32.dll
[+] Requesting imports from msvcrt.dll
[=] Loading msvcrt.dll ...
[+] DLL preferred base address: 0x110100000
[+] DLL preferred base address exceeds memory upper bound, loading to: 0x10740000
[+] Init imports for msvcrt.dll
[+] Requesting imports from ntdll.dll
[+] Requesting imports from kernelbase.dll
[=] Done loading msvcrt.dll
[+] Error in loading function __p__environ (msvcrt.dll)
[+] Error in loading function __p__fmode (msvcrt.dll)
[+] Done loading C:\Users\internet\Downloads\x86_hello.exe
[INFO][(unknown file):0] Qiling is initialized successfully.
[INFO][(unknown file):0] C:\Users\internet\qiling\examples
[INFO][(unknown file):0] demo.py
[INFO][(unknown file):0] demo
[ERROR][(unknown file):0]
Traceback (most recent call last):
  File "C:/Users/internet/Downloads/IDAPro7.6/plugins/qilinqida.py", line 2032, in get_user_scripts_obj
    cls = getattr(module, classname)
AttributeError: module 'demo' has no attribute 'QILING_IDA'
[INFO][(unknown file):0] Custom user script not found.
Traceback (most recent call last):
  File "C:/Users/internet/Downloads/IDAPro7.6/plugins/qilinqida.py", line 810, in activate
    self.action_handler.ql_handle_menu_action(self.action_type)
  File "C:/Users/internet/Downloads/IDAPro7.6/plugins/qilinqida.py", line 2098, in ql_handle_menu_action
    [x.handler() for x in self.menuitems if x.action == action]
  File "C:/Users/internet/Downloads/IDAPro7.6/plugins/qilinqida.py", line 2098, in <listcomp>
    [x.handler() for x in self.menuitems if x.action == action]
  File "C:/Users/internet/Downloads/IDAPro7.6/plugins/qilinqida.py", line 1045, in ql_start
    self.userobj.custom_prepare(self.qlemu.ql)
AttributeError: 'NoneType' object has no attribute 'custom_prepare'
What am I doing wrong? Thank you.
Same problem. Did you find the solution?
Yes. Basically it was an issue with the rootfs path. It needs to be set to something like C:\Users\internet\qiling\examples\rootfs\x8664_windows. Don't forget to populate system paths with Windows system files from an installed Windows64.
Use a slightly modified version of C:\Users\internet\qiling\examples\extensions\idaplugin\custom_script.py because Python3 extensions have evolved...
from __future__ import annotations
from typing import TYPE_CHECKING, List

# Imports needed only for type hints; not executed at runtime
if TYPE_CHECKING:
    from qiling import Qiling
    from qiling.core_hooks_types import HookRet


# The IDA plugin looks this class up by name in the user script
class QILING_IDA:
    def _show_context(self, ql: Qiling):
        # Log every register, four per line
        registers = tuple(ql.arch.regs.register_mapping.keys())
        grouping = 4

        for idx in range(0, len(registers), grouping):
            ql.log.info('\t'.join(f'{r:5s}: {ql.arch.regs.read(r):016x}' for r in registers[idx:idx + grouping]))

    def custom_prepare(self, ql: Qiling) -> None:
        ql.log.info('Context before starting emulation:')
        self._show_context(ql)

    def custom_continue(self, ql: Qiling) -> List[HookRet]:
        ql.log.info('custom_continue hook')
        self._show_context(ql)
        return []

    def custom_step(self, ql: Qiling) -> List[HookRet]:
        # Hook called for each executed instruction while stepping
        def step_hook(ql: Qiling, addr: int, size: int):
            ql.log.info(f'Executing: {addr:#x}')
            self._show_context(ql)

        ql.log.info('custom_step hook')
        return [ql.hook_code(step_hook)]

    def custom_execute_selection(self, ql: Qiling) -> List[HookRet]:
        ql.log.info('custom_execute_selection hook')
        return []
[INFO][qilingida:1008] ---------------------------------------------------------------------------------------
[INFO][qilingida:1009] Qiling Emulator Plugin For IDA, by Qiling Team. Version 1.4.8, 2020
[INFO][qilingida:1010] Based on Qiling v1.4.8
[INFO][qilingida:1011] Find more information about Qiling at https://qiling.io
[INFO][qilingida:1012] ---------------------------------------------------------------------------------------
[INFO][qilingida:1023] UI is ready, register our menu actions.
[INFO][qilingida:1018] Registering actions.
---------------------------------------------------------------------------------------------
Python 3.10.11 (tags/v3.10.11:7d4cc5a, Apr 5 2023, 00:38:17) [MSC v.1929 64 bit (AMD64)]
IDAPython 64-bit v7.4.0 final (serial 0) (c) The IDAPython Team <[email protected]>
---------------------------------------------------------------------------------------------
[INFO][(unknown file):0] ['C:\\Users\\internet\\qiling\\examples\\rootfs\\x8664_windows\\bin\\argv.exe']
[INFO][(unknown file):0] Rootfs: C:\Users\internet\qiling\examples\rootfs\x8664_windows
[INFO][(unknown file):0] Custom user script: C:\Users\internet\qiling\examples\extensions\idaplugin\custom_script.py
[INFO][(unknown file):0] Custom env: {}
[+] Profile: default
[+] Mapping GDT at 0x30000 with limit 0x1000
[+] Loading Windows registry hive from C:\Users\internet\qiling\examples\rootfs\x8664_windows\Windows\registry
[=] Initiate stack address at 0x7ffffffde000
[=] Loading C:\Users\internet\qiling\examples\rootfs\x8664_windows\bin\argv.exe to 0x140000000
[=] PE entry point at 0x140001374
[=] TEB is at 0x6000000
[=] PEB is at 0x60001f0
[=] LDR is at 0x60009c0
[=] Loading ntdll.dll ...
[+] Warnings while loading ntdll.dll:
[+] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.
[+] - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0
[+] - Failed parsing FunctionEntry of UNWIND_INFO at 16b85c: 'Chained function entry cannot be changed'
[+] - Failed parsing FunctionEntry of UNWIND_INFO at 16b898: 'Chained function entry cannot be changed'
[+] DLL preferred base address: 0x180000000
[+] Parsed 4882 exception directory entries
[+] Init imports for ntdll.dll
[=] Done loading ntdll.dll
[=] Loading kernelbase.dll ...
[+] DLL preferred base address: 0x180000000
[+] DLL preferred base address is taken, loading to: 0x180200000
[+] Parsed 5488 exception directory entries
[+] Forwarding symbol kernelbase.dll.b'_local_unwind' to ntdll.dll.b'_local_unwind': Resolved symbol to (0x18008d6e0)
[+] Forwarding symbol kernelbase.dll.b'__misaligned_access' to ntdll.dll.b'__misaligned_access': Resolved symbol to (0x1800808c0)
[+] Forwarding symbol kernelbase.dll.b'__chkstk' to ntdll.dll.b'__chkstk': Resolved symbol to (0x1800a27a0)
[+] Forwarding symbol kernelbase.dll.b'__C_specific_handler' to ntdll.dll.b'__C_specific_handler': Resolved symbol to (0x18008cdb0)
...
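The first traceback in this thread comes from the plugin looking up a `QILING_IDA` class in the user script with `getattr` and then calling `custom_prepare` on the result. As an added example (not part of the thread or of the Qiling project), this static check parses a candidate script without executing it and reports what is missing. Treating all four hooks from the posted `custom_script.py` as required is an assumption, and the sample scripts are constructed.

```python
import ast

CLASS_NAME = "QILING_IDA"
# Hook names as they appear in the custom_script.py posted in the thread.
REQUIRED_HOOKS = ("custom_prepare", "custom_continue", "custom_step",
                  "custom_execute_selection")


def _accepts_self_and_ql(func: ast.FunctionDef) -> bool:
    """True if the method can be called as obj.hook(ql)."""
    a = func.args
    positional = a.posonlyargs + a.args
    required = len(positional) - len(a.defaults)
    # A keyword-only parameter without a default could never be supplied.
    kwonly_required = any(d is None for d in a.kw_defaults)
    enough_slots = len(positional) >= 2 or a.vararg is not None
    return required <= 2 and enough_slots and not kwonly_required


def check_user_script(source: str) -> list:
    """Return a list of problems; an empty list means none were found.

    The source is only parsed, never executed, so neither qiling nor IDA
    is needed and an unreviewed script is not run.
    """
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [f"syntax error at line {exc.lineno}: {exc.msg}"]

    # The plugin resolves the class with getattr(module, classname), so it
    # has to exist at module level; only top-level statements are examined.
    classes = [n for n in tree.body
               if isinstance(n, ast.ClassDef) and n.name == CLASS_NAME]
    if not classes:
        return [f"no top-level class named {CLASS_NAME}"]

    cls = classes[-1]  # a later definition replaces an earlier one
    methods = {n.name: n for n in cls.body if isinstance(n, ast.FunctionDef)}

    problems = []
    for hook in REQUIRED_HOOKS:
        if hook not in methods:
            problems.append(f"{CLASS_NAME}.{hook} is missing")
        elif not _accepts_self_and_ql(methods[hook]):
            problems.append(f"{CLASS_NAME}.{hook} cannot be called with (ql)")
    return problems


# Constructed sample: a stand-alone emulation script like the demo.py in the
# question, which defines no QILING_IDA class.
DEMO_PY = '''
from qiling import *

def my_sandbox(path, rootfs):
    ql = Qiling(path, rootfs)
    ql.run()
'''

# Constructed sample: minimal script with the four hooks.
GOOD_SCRIPT = '''
class QILING_IDA:
    def custom_prepare(self, ql):
        ql.log.info("prepare")
    def custom_continue(self, ql):
        return []
    def custom_step(self, ql):
        return []
    def custom_execute_selection(self, ql):
        return []
'''

# Constructed sample: one hook has the wrong signature, one is absent.
PARTIAL_SCRIPT = '''
class QILING_IDA:
    def custom_prepare(self):
        pass
    def custom_continue(self, ql):
        return []
    def custom_execute_selection(self, ql):
        return []
'''

if __name__ == "__main__":
    for name, src in (("demo.py", DEMO_PY), ("good", GOOD_SCRIPT),
                      ("partial", PARTIAL_SCRIPT)):
        print(name, check_user_script(src) or "OK")
```
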