Merge pull request #606 from learn-more/ql_tweaks

xwings · web-flow · commit b3136282ba84 · 2020-12-21T23:27:32.000+08:00
Some minor usability tweaks
diff --git a/.gitignore b/.gitignore
@@ -32,3 +32,5 @@ test.file
 *.o
 core
 *.perf
+examples/rootfs/x86_windows/Windows/registry
+examples/rootfs/x8664_windows/Windows/registry
diff --git a/qiling/loader/pe.py b/qiling/loader/pe.py
@@ -349,17 +349,17 @@ def __init__(self, ql):
         self.path       = self.ql.path
 
     def run(self):
-        self.init_dlls = [b"ntoskrnl.exe", b"ntdll.dll", b"kernel32.dll", b"user32.dll"]
-        self.sys_dlls = [b"ntoskrnl.exe", b"ntdll.dll", b"kernel32.dll"]
+        self.init_dlls = [b"ntdll.dll", b"kernel32.dll", b"user32.dll"]
+        self.sys_dlls = [b"ntdll.dll", b"kernel32.dll"]
         self.pe_entry_point = 0
         self.sizeOfStackReserve = 0        
 
-        if self.ql.shellcoder:
-            self.init_dlls.remove(b"ntoskrnl.exe")
-            self.sys_dlls.remove(b"ntoskrnl.exe")
-        else:
+        if not self.ql.shellcoder:
             self.pe = pefile.PE(self.path, fast_load=True)
             self.is_driver = (self.pe.OPTIONAL_HEADER.Subsystem == 1)
+            if self.is_driver:
+                self.init_dlls = [b"ntoskrnl.exe"]
+                self.sys_dlls = [b"ntoskrnl.exe"]
             
         if self.ql.archtype == QL_ARCH.X86:
             self.stack_address = int(self.ql.os.profile.get("OS32", "stack_address"), 16)
diff --git a/qiling/os/os.py b/qiling/os/os.py
@@ -92,32 +92,32 @@ def find_containing_image(self, pc):
                 return image
 
     def emu_error(self):
-        logging.info("\n")
+        logging.error("\n")
 
         for reg in self.ql.reg.register_mapping:
             if isinstance(reg, str):
                 REG_NAME = reg
                 REG_VAL = self.ql.reg.read(reg)
-                logging.info("[-] %s\t:\t 0x%x" % (REG_NAME, REG_VAL))
+                logging.error("%s\t:\t 0x%x" % (REG_NAME, REG_VAL))
 
-        logging.info("\n")
-        logging.info("[+] PC = 0x%x" % (self.ql.reg.arch_pc))
+        logging.error("\n")
+        logging.error("PC = 0x%x" % (self.ql.reg.arch_pc))
         containing_image = self.find_containing_image(self.ql.reg.arch_pc)
         if containing_image:
             offset = self.ql.reg.arch_pc - containing_image.base
-            logging.info(" (%s+0x%x)" % (containing_image.path, offset))
+            logging.error(" (%s+0x%x)" % (containing_image.path, offset))
         else:
             logging.info("\n")
         self.ql.mem.show_mapinfo()
 
         try:
             buf = self.ql.mem.read(self.ql.reg.arch_pc, 8)
-            logging.info("[+] %r" % ([hex(_) for _ in buf]))
+            logging.error("%r" % ([hex(_) for _ in buf]))
 
             logging.info("\n")
             self.disassembler(self.ql, self.ql.reg.arch_pc, 64)
         except:
-            logging.info("[!] Error: PC(0x%x) Unreachable" % self.ql.reg.arch_pc)
+            logging.error("Error: PC(0x%x) Unreachable" % self.ql.reg.arch_pc)
 
 
     def _x86_set_args(self, args):
diff --git a/qiling/os/utils.py b/qiling/os/utils.py
@@ -242,22 +242,23 @@ def disassembler(self, ql, address, size):
         insn = md.disasm(tmp, address)
         opsize = int(size)
 
-        logging.info( ("[+] 0x%x" % (address)).ljust( (self.ql.archbit // 8) + 15))
+        log_data = ("0x%x" % (address)).ljust( (self.ql.archbit // 8) + 15)
 
         temp_str = ""
         for i in tmp:
             temp_str += ("%02x " % i)
-        logging.info(temp_str.ljust(30))
+        log_data += temp_str.ljust(30)
 
         for i in insn:
-            logging.info("%s %s" % (i.mnemonic, i.op_str))
+            log_data += "%s %s" % (i.mnemonic, i.op_str)
+        logging.info(log_data)
 
         if self.ql.output == QL_OUTPUT.DUMP:
             for reg in self.ql.reg.register_mapping:
                 if isinstance(reg, str):
                     REG_NAME = reg
                     REG_VAL = self.ql.reg.read(reg)
-                    logging.debug("[-] %s\t:\t 0x%x" % (REG_NAME, REG_VAL))
+                    logging.debug("%s\t:\t 0x%x" % (REG_NAME, REG_VAL))
 
     def setup_output(self):
         if self.output_ready:
diff --git a/tests/test_pe.py b/tests/test_pe.py
@@ -365,6 +365,8 @@ def our_sandbox(path, rootfs):
 
 
     def test_pe_win_x86_sality(self):
+        if 'QL_FAST_TEST' in os.environ:
+            return
         def init_unseen_symbols(ql, address, name, ordinal, dll_name):
             ql.loader.import_symbols[address] = {"name": name, "ordinal": ordinal, "dll": dll_name.split('.')[0] }
             ql.loader.import_address_table[dll_name][name] = address
