contiunpacker's Introduction

ContiUnpacker

An automatic unpacker for a Conti sample

Context

  • This was inspired by James Bennett's blog post on how to programmatically unpack malware.

  • This unpacker unpacks this specific Conti ransomware I found on MalwareBazaar.

Requirements

  • Python 3
  • Speakeasy

How it works

  • The unpacker uses the Speakeasy Emulation Framework to run and unpack the sample.

  • When I manually unpacked this, I noticed that the sample called VirtualAlloc to allocate memory, wrote the unpacked PE file to it, and called VirtualProtect on the .text region before executing it.

  • From this, I halted the simulation at the first VirtualProtect call, dumped the PE file out, and mapped it accordingly to fix the IAT.

Usage

Running with Command Prompt

python ContiUnpacker.py -f conti.dll -o <output_file>

Note

Please don't actually run this malware I included unless you know what you're doing. I'm not responsible if you end up encrypting your machine!

Also, I noticed that the function calls are a bit different on the Speakeasy emulator compared to when running on x64dbg. During the VirtualProtect call, everything should technically be written into the allocated memory already, but that's not the case...

Apparently, only parts of the .rdata section are written, so the dumped executable won't be able to run.

I can't figure out why this is happening because Speakeasy is pretty weird, so this unpacker does not work 100%.

However, I'll still keep it here in case anyone wants to refer to this when writing their own unpacker using Speakeasy!
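The remapping step from "How it works" and a check for the partial-write problem described in this Note, as an added example (not ContiUnpacker's own code, and it does not use Speakeasy): it works on a raw memory dump of the unpacked PE, pointing each section's file offset at its in-memory RVA and reporting how much of each section was actually written. The sample image and all function names are constructed for illustration.

```python
import struct

SECTION = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes


def section_table(image):
    """Return (offset of the first section header, section count)."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header: dump does not start at the PE base")
    pe, = struct.unpack_from("<I", image, 0x3C)            # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    count, = struct.unpack_from("<H", image, pe + 6)       # NumberOfSections
    opt_size, = struct.unpack_from("<H", image, pe + 20)   # SizeOfOptionalHeader
    return pe + 24 + opt_size, count


def unmap_dump(image):
    """Rewrite section headers so file offsets equal the in-memory RVAs.

    A dump taken from emulator memory is laid out by RVA, but its headers
    still describe the on-disk layout; analysis tools then read the wrong bytes.
    """
    out = bytearray(image)
    first, count = section_table(image)
    for i in range(count):
        off = first + i * SECTION.size
        hdr = list(SECTION.unpack_from(out, off))
        hdr[3] = hdr[1]   # SizeOfRawData    <- VirtualSize
        hdr[4] = hdr[2]   # PointerToRawData <- VirtualAddress
        SECTION.pack_into(out, off, *hdr)
    return bytes(out)


def section_fill(image):
    """Map section name -> fraction of its bytes that are non-zero in the dump."""
    first, count = section_table(image)
    report = {}
    for i in range(count):
        name, vsize, rva, *_ = SECTION.unpack_from(image, first + i * SECTION.size)
        body = image[rva:rva + vsize]          # shorter than vsize if truncated
        nonzero = len(body) - body.count(0)
        label = name.rstrip(b"\0").decode("latin-1")
        report[label] = nonzero / vsize if vsize else 0.0
    return report


def build_sample_dump():
    """Constructed 0x3000-byte memory image: .text written, .rdata half written."""
    img = bytearray(0x3000)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                  # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH12xHH", img, 0x84, 0x14C, 2, 0xE0, 0x2102)  # COFF header
    struct.pack_into("<H", img, 0x98, 0x10B)                 # PE32 magic
    first = 0x98 + 0xE0
    # Raw size/pointer hold the on-disk layout, which is wrong for a memory dump.
    SECTION.pack_into(img, first, b".text", 0x1000, 0x1000, 0x200, 0x400,
                      0, 0, 0, 0, 0x60000020)
    SECTION.pack_into(img, first + 40, b".rdata", 0x1000, 0x2000, 0x200, 0x600,
                      0, 0, 0, 0, 0x40000040)
    img[0x1000:0x2000] = b"\x90" * 0x1000
    img[0x2000:0x2800] = b"\x41" * 0x800                     # second half unwritten
    return bytes(img)
```

A section whose fill ratio is well below that of the same section in a debugger dump was captured before the unpacking stub finished writing it; zero padding inside a section lowers the ratio too, so compare against a known-good dump rather than a fixed threshold.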

Acknowledgement

James T. Bennett - https://www.fireeye.com/blog/threat-research/2020/12/using-speakeasy-emulation-framework-programmatically-to-unpack-malware.html

FireEye's Speakeasy Emulation Framework - https://github.com/fireeye/speakeasy

contiunpacker's People

Contributors

cdong1012

contiunpacker's Issues

kernel32.dll not found

Hi, I tried to unpack a Conti sample with this project.

But I found that there is something wrong with Speakeasy.

I use an Ubuntu 21.04 server and here is the log.

Could you please help me fix this?

Thanks.

root@server01:~/ContiUnpacker# python3 ContiUnpacker.py -f sample -o output
* exec: module_entry
0x41c774: 'KERNEL32.GetSystemTimeAsFileTime(0x1211fc8)' -> None
0x41c783: 'KERNEL32.GetCurrentThreadId()' -> 0x434
0x41c78c: 'KERNEL32.GetCurrentProcessId()' -> 0x420
0x41c799: 'KERNEL32.QueryPerformanceCounter(0x1211fc0)' -> 0x1
0x41c386: 'KERNEL32.IsProcessorFeaturePresent("PF_XMMI64_INSTRUCTIONS_AVAILABLE")' -> 0x1
0x41ce10: 'KERNEL32.LoadLibraryExW("api-ms-win-core-synch-l1-2-0", 0x0, "LOAD_LIBRARY_SEARCH_SYSTEM32")' -> 0x77000000
0x41cedf: 'KERNEL32.GetProcAddress(0x77000000, "InitializeCriticalSectionEx")' -> 0xfeee0000
0x41cfec: 'kernel32.InitializeCriticalSectionEx(0x430508, 0xfa0, 0x0)' -> 0x1
0x41ce10: 'KERNEL32.LoadLibraryExW("api-ms-win-core-fibers-l1-1-1", 0x0, "LOAD_LIBRARY_SEARCH_SYSTEM32")' -> 0x77000000
0x41cedf: 'KERNEL32.GetProcAddress(0x77000000, "FlsAlloc")' -> 0xfeee0001
0x41cf32: 'kernel32.FlsAlloc(0x41ccfa)' -> 0x0
0x41cedf: 'KERNEL32.GetProcAddress(0x77000000, "FlsSetValue")' -> 0xfeee0002
0x41cfab: 'kernel32.FlsSetValue(0x0, 0x4304e0)' -> 0x1
0x421247: 'KERNEL32.LoadLibraryExW("api-ms-win-core-synch-l1-2-0", 0x0, "LOAD_LIBRARY_SEARCH_SYSTEM32")' -> 0x77000000
0x42131c: 'KERNEL32.GetProcAddress(0x77000000, "InitializeCriticalSectionEx")' -> 0xfeee0000
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x4306e8, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x430700, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x430718, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x430730, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x430748, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x430760, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x430778, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x430790, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x4307a8, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x4307c0, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x4307d8, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x4307f0, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x430808, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x430820, 0xfa0, 0x0)' -> 0x1
0x4215eb: 'KERNEL32.GetProcessHeap()' -> 0x4600
0x421247: 'KERNEL32.LoadLibraryExW("api-ms-win-core-fibers-l1-1-1", 0x0, "LOAD_LIBRARY_SEARCH_SYSTEM32")' -> 0x77000000
0x42131c: 'KERNEL32.GetProcAddress(0x77000000, "FlsAlloc")' -> 0xfeee0001
0x4213de: 'kernel32.FlsAlloc(0x41f7d5)' -> 0x1
0x41fa70: 'KERNEL32.GetLastError()' -> 0x0
0x42131c: 'KERNEL32.GetProcAddress(0x77000000, "FlsGetValue")' -> 0xfeee0003
0x42145c: 'kernel32.FlsGetValue(0x1)' -> 0x0
0x42131c: 'KERNEL32.GetProcAddress(0x77000000, "FlsSetValue")' -> 0xfeee0002
0x42149e: 'kernel32.FlsSetValue(0x1, 0xffffffff)' -> 0x1
0x41fd04: 'KERNEL32.HeapAlloc(0x4600, 0x8, 0x364)' -> 0x4620
0x42149e: 'kernel32.FlsSetValue(0x1, 0x4620)' -> 0x1
0x41fbb6: 'KERNEL32.EnterCriticalSection(0x430760)' -> None
0x41fbfe: 'KERNEL32.LeaveCriticalSection(0x430760)' -> None
0x41fbb6: 'KERNEL32.EnterCriticalSection(0x430748)' -> None
0x41fbfe: 'KERNEL32.LeaveCriticalSection(0x430748)' -> None
0x41fb0e: 'KERNEL32.SetLastError(0x0)' -> None
0x41fbb6: 'KERNEL32.EnterCriticalSection(0x430790)' -> None
0x41fbb6: 'KERNEL32.EnterCriticalSection(0x430790)' -> None
0x41fd04: 'KERNEL32.HeapAlloc(0x4600, 0x8, 0xe00)' -> 0x7000
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7000, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7038, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7070, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x70a8, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x70e0, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7118, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7150, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7188, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x71c0, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x71f8, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7230, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7268, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x72a0, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x72d8, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7310, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7348, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7380, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x73b8, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x73f0, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7428, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7460, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7498, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x74d0, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7508, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7540, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7578, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x75b0, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x75e8, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7620, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7658, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7690, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x76c8, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7700, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7738, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7770, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x77a8, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x77e0, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7818, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7850, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7888, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x78c0, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x78f8, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7930, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7968, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x79a0, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x79d8, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7a10, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7a48, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7a80, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7ab8, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7af0, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7b28, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7b60, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7b98, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7bd0, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7c08, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7c40, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7c78, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7cb0, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7ce8, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7d20, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7d58, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7d90, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x7dc8, 0xfa0, 0x0)' -> 0x1
0x41fbfe: 'KERNEL32.LeaveCriticalSection(0x430790)' -> None
0x421612: 'KERNEL32.GetStartupInfoW(0x1211f00)' -> None
0x421708: 'KERNEL32.GetStdHandle(0xfffffff6)' -> 0xf001
0x42171a: 'KERNEL32.GetFileType(0xf001)' -> 0x1
0x421708: 'KERNEL32.GetStdHandle(0xfffffff5)' -> 0xf002
0x42171a: 'KERNEL32.GetFileType(0xf002)' -> 0x1
0x421708: 'KERNEL32.GetStdHandle(0xfffffff4)' -> 0xf003
0x42171a: 'KERNEL32.GetFileType(0xf003)' -> 0x1
0x41fbfe: 'KERNEL32.LeaveCriticalSection(0x430790)' -> None
0x420f51: 'KERNEL32.GetCommandLineA()' -> 0x7f00
0x420f5c: 'KERNEL32.GetCommandLineW()' -> 0x7f20
0x42145c: 'kernel32.FlsGetValue(0x1)' -> 0x4620
0x41fbb6: 'KERNEL32.EnterCriticalSection(0x430760)' -> None
0x41fbfe: 'KERNEL32.LeaveCriticalSection(0x430760)' -> None
0x420845: 'KERNEL32.GetACP()' -> 0x4e4
0x41f580: 'KERNEL32.HeapAlloc(0x4600, 0x0, 0x220)' -> 0x8000
0x420ccc: 'KERNEL32.IsValidCodePage(0x4e4)' -> 0x1
0x420d0e: 'KERNEL32.GetCPInfo(0x4e4, 0x1211f20)' -> 0x1
0x42090b: 'KERNEL32.GetCPInfo(0x4e4, 0x12117e8)' -> 0x1
0x420fda: 'KERNEL32.MultiByteToWideChar(0x4e4, 0x1, " \x01\x02\x03\x04\x05\x06\x07\x08\t\\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0¡¢£¤¥¦§¨©ª«¬\xad®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿØK\x92c8\x1f!\x01þ\x0cB", 0x100, 0x0, 0x0)' -> 0x10c
0x420fda: 'KERNEL32.MultiByteToWideChar(0x4e4, 0x1, 0x1211dfc, 0x100, 0x1211578, 0x10c)' -> 0x100
0x422581: 'KERNEL32.GetStringTypeW(0x1, 0x1211578, 0x100, 0x12117fc)' -> 0x1
0x420fda: 'KERNEL32.MultiByteToWideChar(0x4e4, 0x1, " \x01\x02\x03\x04\x05\x06\x07\x08\t\\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0¡¢£¤¥¦§¨©ª«¬\xad®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿØK\x92c8\x1f!\x01þ\x0cB", 0x100, 0x0, 0x0)' -> 0x10c
0x420fda: 'KERNEL32.MultiByteToWideChar(0x4e4, 0x1, 0x1211dfc, 0x100, 0x1211528, 0x10c)' -> 0x100
0x421247: 'KERNEL32.LoadLibraryExW("api-ms-win-core-localization-l1-2-1", 0x0, "LOAD_LIBRARY_SEARCH_SYSTEM32")' -> 0x77000000
0x42131c: 'KERNEL32.GetProcAddress(0x77000000, "LCMapStringEx")' -> 0xfeee0004
0x42152c: 'kernel32.LCMapStringEx(0x0, 0x100, 0x1211528, 0x10c, 0x0, 0x0, 0x0, 0x0, 0x0)' -> 0x10c
0x42152c: 'kernel32.LCMapStringEx(0x0, 0x100, 0x1211528, 0x10c, 0x1211308, 0x10c, 0x0, 0x0, 0x0)' -> 0x10c
0x421088: 'KERNEL32.WideCharToMultiByte(0x4e4, 0x0, 0x1211308, 0x10c, 0x1211cfc, 0x100, 0x0, 0x0)' -> 0x100
0x420fda: 'KERNEL32.MultiByteToWideChar(0x4e4, 0x1, "", 0x1, 0x0, 0x0)' -> 0x1
0x420fda: 'KERNEL32.MultiByteToWideChar(0x4e4, 0x1, 0x1211dfc, 0x1, 0x1211758, 0x1)' -> 0x1
0x42152c: 'kernel32.LCMapStringEx(0x0, 0x200, 0x1211758, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0)' -> 0x1
0x42152c: 'kernel32.LCMapStringEx(0x0, 0x200, 0x1211758, 0x1, 0x1211748, 0x1, 0x0, 0x0, 0x0)' -> 0x1
0x421088: 'KERNEL32.WideCharToMultiByte(0x4e4, 0x0, 0x1211748, 0x1, 0x1211bfc, 0x100, 0x0, 0x0)' -> 0x100
0x41fbb6: 'KERNEL32.EnterCriticalSection(0x430760)' -> None
0x41fbfe: 'KERNEL32.LeaveCriticalSection(0x430760)' -> None
0x41fbb6: 'KERNEL32.EnterCriticalSection(0x430718)' -> None
0x41f580: 'KERNEL32.HeapAlloc(0x4600, 0x0, 0x80)' -> 0x8230
0x41fbfe: 'KERNEL32.LeaveCriticalSection(0x430718)' -> None
0x420679: 'KERNEL32.GetModuleFileNameW(0x0, "C:\\Windows\\system32\\53b1c1b2f41a7fc300e97d036e57539453ff82001dd3f6abf07f4896b1f9ca22-Conti", 0x105)' -> 0x5a
0x421247: 'KERNEL32.LoadLibraryExW("kernel32", 0x0, "LOAD_LIBRARY_SEARCH_SYSTEM32")' -> 0x77000000
0x42131c: 'KERNEL32.GetProcAddress(0x77000000, "AreFileApisANSI")' -> 0xfeee0005
0x4213a5: 'kernel32.AreFileApisANSI()' -> 0x1
0x421088: 'KERNEL32.WideCharToMultiByte(0x0, 0x0, 0x1211d44, 0xffffffff, 0x0, 0x0, 0x0, 0x0)' -> 0x5b
0x421088: 'KERNEL32.WideCharToMultiByte(0x0, 0x0, 0x1211d44, 0xffffffff, 0x4305a0, 0x104, 0x0, 0x0)' -> 0x104
0x41fd04: 'KERNEL32.HeapAlloc(0x4600, 0x8, 0x2a)' -> 0x82c0
0x41c805: 'KERNEL32.InitializeSListHead(0x4304c8)' -> None
0x41f919: 'KERNEL32.GetLastError()' -> 0x0
0x42145c: 'kernel32.FlsGetValue(0x1)' -> 0x4620
0x41f9b7: 'KERNEL32.SetLastError(0x0)' -> None
0x4210d3: 'KERNEL32.GetEnvironmentStringsW()' -> 0x82f0
0x421088: 'KERNEL32.WideCharToMultiByte(0x0, 0x0, 0x82f0, 0xd3, 0x0, 0x0, 0x0, 0x0)' -> 0xd3
0x41f580: 'KERNEL32.HeapAlloc(0x4600, 0x0, 0xd3)' -> 0x84a0
0x421088: 'KERNEL32.WideCharToMultiByte(0x0, 0x0, 0x82f0, 0xd3, 0x84a0, 0xd3, 0x0, 0x0)' -> 0xd3
0x421141: 'KERNEL32.FreeEnvironmentStringsW(0x82f0)' -> 0x1
0x41fd04: 'KERNEL32.HeapAlloc(0x4600, 0x8, 0x8)' -> 0x8580
0x41fd04: 'KERNEL32.HeapAlloc(0x4600, 0x8, 0xd2)' -> 0x8590
0x41f5b2: 'KERNEL32.HeapFree(0x4600, 0x0, 0x84a0)' -> 0x1
0x41fd04: 'KERNEL32.HeapAlloc(0x4600, 0x8, 0x800)' -> 0x8670
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x42e668, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x42e6a0, 0xfa0, 0x0)' -> 0x1
0x4214e3: 'kernel32.InitializeCriticalSectionEx(0x42e6d8, 0xfa0, 0x0)' -> 0x1
0x4251c3: 'KERNEL32.IsProcessorFeaturePresent("PF_XMMI64_INSTRUCTIONS_AVAILABLE")' -> 0x1
0x41c6b0: 'KERNEL32.SetUnhandledExceptionFilter(0x41c6b1)' -> 0x0
0x41fbb6: 'KERNEL32.EnterCriticalSection(0x430718)' -> None
0x41fbfe: 'KERNEL32.LeaveCriticalSection(0x430718)' -> None
0x41c649: 'KERNEL32.GetStartupInfoW(0x1211f64)' -> None
0x41f580: 'KERNEL32.HeapAlloc(0x4600, 0x0, 0x1000)' -> 0x3f2000
0x404f0c: 'kernel32.LoadLibraryA("Kernel32.dll")' -> 0x77000000
0x4010a2: 'kernel32.LoadLibraryA("kernel32.dll")' -> 0x77000000
0x401123: 'kernel32.LoadLibraryA("ws2_32.dll")' -> 0x78c00000
0x4011b5: 'kernel32.LoadLibraryA("Advapi32.dll")' -> 0x78000000
0x401230: 'kernel32.LoadLibraryA("ntdll.dll")' -> 0x7c000000
0x4012c2: 'kernel32.LoadLibraryA("Rstrtmgr.dll")' -> 0x0
0x40133e: 'kernel32.LoadLibraryA("Ole32.dll")' -> 0x65500000
0x4013ca: 'kernel32.LoadLibraryA("OleAut32.dll")' -> 0x5f800000
0x401451: 'kernel32.LoadLibraryA("Netapi32.dll")' -> 0x54400000
0x4014da: 'kernel32.LoadLibraryA("Iphlpapi.dll")' -> 0x0
0x40154c: 'kernel32.LoadLibraryA("Shlwapi.dll")' -> 0x67000000
0x4015d4: 'kernel32.LoadLibraryA("Shell32.dll")' -> 0x69000000
0x4017fe: 'kernel32.LoadLibraryA("kernel32.dll")' -> 0x77000000
0x404f0c: 'kernel32.LoadLibraryA("Kernel32.dll")' -> 0x77000000
0x401821: 'kernel32.GetModuleFileNameW(0x77000000, "C:\\Windows\\system32\\kernel32.dll", 0x104)' -> 0x20
0x404f0c: 'kernel32.LoadLibraryA("Kernel32.dll")' -> 0x77000000
0x401850: Error while calling API handler for kernel32.CreateFileW:
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/speakeasy_emulator-1.5.6-py3.8.egg/speakeasy/windows/winemu.py", line 1168, in handle_import_func
    rv = self.api.call_api_func(mod, func, argv, ctx=default_ctx)
  File "/usr/local/lib/python3.8/dist-packages/speakeasy_emulator-1.5.6-py3.8.egg/speakeasy/winenv/api/winapi.py", line 77, in call_api_func
    return func(mod, self.emu, argv, ctx)
  File "/usr/local/lib/python3.8/dist-packages/speakeasy_emulator-1.5.6-py3.8.egg/speakeasy/winenv/api/usermode/kernel32.py", line 3347, in CreateFile
    hnd = self.file_open(target, create=False)
  File "/usr/local/lib/python3.8/dist-packages/speakeasy_emulator-1.5.6-py3.8.egg/speakeasy/winenv/api/api.py", line 261, in file_open
    return self.emu.file_open(path, create)
  File "/usr/local/lib/python3.8/dist-packages/speakeasy_emulator-1.5.6-py3.8.egg/speakeasy/windows/winemu.py", line 212, in file_open
    return self.fileman.file_open(path, create)
  File "/usr/local/lib/python3.8/dist-packages/speakeasy_emulator-1.5.6-py3.8.egg/speakeasy/windows/fileman.py", line 418, in file_open
    raise FileSystemEmuError('File path not found: %s' % (real_path))
speakeasy.errors.FileSystemEmuError: File path not found: /usr/local/lib/python3.8/dist-packages/speakeasy_emulator-1.5.6-py3.8.egg/speakeasy/windows/../winenv/decoys/x86/kernel32.dll
0x77000318: module_entry: Caught error: File path not found: /usr/local/lib/python3.8/dist-packages/speakeasy_emulator-1.5.6-py3.8.egg/speakeasy/windows/../winenv/decoys/x86/kernel32.dll
