Merge branch 'qilingframework:dev' into dev

Author: cla7aye15I4nd

qiling/os/windows/dlls/ntdll.py

@@ -93,7 +93,7 @@ def _QueryInformationProcess(ql: Qiling, address: int, params):
 def hook_ZwQueryInformationProcess(ql: Qiling, address: int, params):
     # TODO have no idea if is cdecl or stdcall
 
-    _QueryInformationProcess(ql, address, params)
+    return _QueryInformationProcess(ql, address, params)
 
 # __kernel_entry NTSTATUS NtQueryInformationProcess(
 #   IN HANDLE           ProcessHandle,
@@ -112,7 +112,7 @@ def hook_ZwQueryInformationProcess(ql: Qiling, address: int, params):
 def hook_NtQueryInformationProcess(ql: Qiling, address: int, params):
     # TODO have no idea if is cdecl or stdcall
 
-    _QueryInformationProcess(ql, address, params)
+    return _QueryInformationProcess(ql, address, params)
 
 def _QuerySystemInformation(ql: Qiling, address: int, params):
     siClass = params["SystemInformationClass"]

qiling/os/windows/thread.py

@@ -84,16 +84,17 @@ def create(self, func_addr, func_params, status):
         stack_size = 1024
         new_stack = self.ql.os.heap.alloc(stack_size) + stack_size
 
+        self.saved_context = self.ql.reg.save()
+
+        # set return address, parameters
         if self.ql.archtype == QL_ARCH.X86:
             self.ql.mem.write(new_stack - 4, self.ql.pack32(self.ql.os.thread_manager.THREAD_RET_ADDR))
             self.ql.mem.write(new_stack, self.ql.pack32(func_params))
         elif self.ql.archtype == QL_ARCH.X8664:
             self.ql.mem.write(new_stack - 8, self.ql.pack64(self.ql.os.thread_manager.THREAD_RET_ADDR))
-            self.ql.mem.write(new_stack, self.ql.pack64(func_params))
-
-        # set eip, ebp, esp
-        self.saved_context = self.ql.reg.save()
+            self.saved_context["rcx"] = func_params
 
+        # set eip/rip, ebp/rbp, esp/rsp
         if self.ql.archtype == QL_ARCH.X86:
             self.saved_context["eip"] = func_addr
             self.saved_context["ebp"] = new_stack - 4

tests/test_pe.py

@@ -16,7 +16,10 @@
 from qiling.os.windows.fncc import *
 from qiling.os.windows.utils import *
 from qiling.os.mapper import QlFsMappedObject
+# This is intended.
+# See https://stackoverflow.com/questions/8804830/python-multiprocessing-picklingerror-cant-pickle-type-function
 import multiprocess as mb
+import traceback
 
 # On Windows, the CPython GC is too conservative and may hold too
 # many Unicorn objects (nearly 16GB) until free-ing them which may
@@ -33,7 +36,8 @@ def _run_test(self, results):
         try:
             results['result'] = self._test()
         except Exception as e:
-            results['exception'] = e
+            tb = traceback.format_exc()
+            results['exception'] = tb
             results['result'] = False
 
     def run(self):
@@ -45,7 +49,7 @@ def run(self):
             if "exception" not in results:
                 return results['result']
             else:
-                raise results['exception']
+                raise RuntimeError(f"\n\nGot an exception during subprocess:\n\n{results['exception']}")
 
 
 class TestOut: