Prepare fuzzing engine

2026-01-22 05:03:56 +00:00 · 2024-09-24 14:18:32 +02:00
parent f5b570351f
commit 10b09b8f51
45 changed files with 598 additions and 101 deletions
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -1,6 +1,7 @@
 add_subdirectory(common)
 add_subdirectory(emulator)
-add_subdirectory(unicorn_emulator)
-add_subdirectory(windows_emulator)
+add_subdirectory(unicorn-emulator)
+add_subdirectory(windows-emulator)
 add_subdirectory(sample)
+add_subdirectory(fuzzing-engine)
 add_subdirectory(fuzzer)
--- a/src/emulator/emulator.hpp
+++ b/src/emulator/emulator.hpp
@@ -142,14 +142,14 @@ private:

 	void perform_serialization(utils::buffer_serializer& buffer, const bool is_snapshot) const
 	{
-		this->serialize_memory_state(buffer, is_snapshot);
 		this->serialize_state(buffer, is_snapshot);
+		this->serialize_memory_state(buffer, is_snapshot);
 	}

 	void perform_deserialization(utils::buffer_deserializer& buffer, const bool is_snapshot)
 	{
-		this->deserialize_memory_state(buffer, is_snapshot);
 		this->deserialize_state(buffer, is_snapshot);
+		this->deserialize_memory_state(buffer, is_snapshot);
 	}

 	virtual void serialize_state(utils::buffer_serializer& buffer, bool is_snapshot) const = 0;
--- a/src/emulator/memory_manager.cpp
+++ b/src/emulator/memory_manager.cpp
@@ -113,6 +113,17 @@ void memory_manager::serialize_memory_state(utils::buffer_serializer& buffer, co

 void memory_manager::deserialize_memory_state(utils::buffer_deserializer& buffer, const bool is_snapshot)
 {
+	if (!is_snapshot)
+	{
+		for (const auto& reserved_region : this->reserved_regions_)
+		{
+			for (const auto& region : reserved_region.second.committed_regions)
+			{
+				this->unmap_memory(region.first, region.second.length);
+			}
+		}
+	}
+
 	buffer.read_map(this->reserved_regions_);

 	if (is_snapshot)
--- a/src/fuzzer/CMakeLists.txt
+++ b/src/fuzzer/CMakeLists.txt
@@ -14,7 +14,8 @@ target_precompile_headers(fuzzer PRIVATE std_include.hpp)

 target_link_libraries(fuzzer PRIVATE
  common
-  windows_emulator
+  fuzzing-engine
+  windows-emulator
 )

 momo_strip_target(fuzzer)
--- a/src/fuzzer/main.cpp
+++ b/src/fuzzer/main.cpp
@@ -1,7 +1,9 @@
 #include "std_include.hpp"

 #include <windows_emulator.hpp>
-#include <debugging/x64_gdb_stub_handler.hpp>
+#include <fuzzer.hpp>
+
+#include "utils/finally.hpp"

 bool use_gdb = false;

@@ -11,70 +13,131 @@ namespace
 	{
 		try
 		{
+			win_emu.logger.disable_output(true);
 			win_emu.emu().start_from_ip();
 		}
 		catch (...)
 		{
+			win_emu.logger.disable_output(false);
 			win_emu.logger.print(color::red, "Emulation failed at: 0x%llX\n", win_emu.emu().read_instruction_pointer());
 			throw;
 		}

+		win_emu.logger.disable_output(false);
 		win_emu.logger.print(color::red, "Emulation terminated!\n");
 	}

+	void forward_emulator(windows_emulator& win_emu)
+	{
+		win_emu.emu().hook_memory_execution(0x140001000, 1, [&](uint64_t, size_t, uint64_t)
+		{
+			win_emu.emu().stop();
+		});
+
+		run_emulation(win_emu);
+	}
+
+	std::vector<std::unique_ptr<windows_emulator>> prepare_emulators(const size_t count,
+	                                                                 const windows_emulator& base_emulator)
+	{
+		std::vector<std::unique_ptr<windows_emulator>> emulators{};
+
+		utils::buffer_serializer serializer{};
+		base_emulator.serialize(serializer);
+
+		for (size_t i = 0; i < count; ++i)
+		{
+			auto emu = std::make_unique<windows_emulator>();
+			utils::buffer_deserializer deserializer{serializer.get_buffer()};
+
+			emu->deserialize(deserializer);
+			//emu->save_snapshot();
+
+			emulators.push_back(std::move(emu));
+		}
+
+		return emulators;
+	}
+
+	struct my_fuzzer_handler : fuzzer::fuzzing_handler
+	{
+		const std::vector<std::unique_ptr<windows_emulator>>* emulators{};
+		std::atomic_size_t active_emu{0};
+		std::atomic_bool stop_fuzzing{false};
+
+		fuzzer::execution_result execute(std::span<const uint8_t> data,
+		                                 const std::function<fuzzer::coverage_functor>& coverage_handler) override
+		{
+			puts("Running...");
+			const auto emu_index = ++active_emu;
+			auto& emu = *emulators->at(emu_index % emulators->size());
+
+			utils::buffer_serializer serializer{};
+			emu.serialize(serializer);
+
+			const auto _ = utils::finally([&]
+			{
+				utils::buffer_deserializer deserializer{serializer.get_buffer()};
+				emu.deserialize(deserializer);
+			});
+
+			//emu.restore_snapshot();
+
+			auto* h = emu.emu().hook_edge_generation([&](const basic_block& current_block,
+			                                             const basic_block&)
+			{
+				coverage_handler(current_block.address);
+			});
+
+			const auto __ = utils::finally([&]
+			{
+				emu.emu().delete_hook(h);
+			});
+
+			const auto memory = emu.emu().allocate_memory(page_align_up(std::max(data.size(), 1ULL)),
+			                                              memory_permission::read_write);
+			emu.emu().write_memory(memory, data.data(), data.size());
+
+			emu.emu().reg(x64_register::rcx, memory);
+			emu.emu().reg<uint64_t>(x64_register::rdx, data.size());
+
+			try
+			{
+				run_emulation(emu);
+				return fuzzer::execution_result::success;
+			}
+			catch (...)
+			{
+				stop_fuzzing = true;
+				return fuzzer::execution_result::error;
+			}
+		}
+
+		bool stop() override
+		{
+			return stop_fuzzing;
+		}
+	};
+
+	void run_fuzzer(const windows_emulator& base_emulator)
+	{
+		const auto concurrency = 1ULL; //std::thread::hardware_concurrency();
+		const auto emulators = prepare_emulators(concurrency, base_emulator);
+
+		my_fuzzer_handler handler{};
+		handler.emulators = &emulators;
+
+		fuzzer::run(handler, concurrency);
+	}
+
 	void run(const std::string_view application)
 	{
 		windows_emulator win_emu{
 			application, {}
 		};

-		//watch_system_objects(win_emu);
-		win_emu.buffer_stdout = true;
-		//win_emu.verbose_calls = true;
-
-		const auto& exe = *win_emu.process().executable;
-
-		const auto text_start = exe.image_base + 0x1000;
-		const auto text_end = exe.image_base + 0x52000;
-		constexpr auto scan_size = 0x100;
-
-		win_emu.emu().hook_memory_read(text_start, scan_size, [&](const uint64_t address, size_t, uint64_t)
-		{
-			const auto rip = win_emu.emu().read_instruction_pointer();
-			if (rip >= text_start && rip < text_end)
-			{
-				win_emu.logger.print(color::green, "Reading from executable .text: 0x%llX at 0x%llX\n", address, rip);
-			}
-		});
-
-		/*win_emu.add_syscall_hook([&]
-		{
-			const auto syscall_id = win_emu.emu().reg(x64_register::eax);
-			const auto syscall_name = win_emu.dispatcher().get_syscall_name(syscall_id);
-
-			if (syscall_name != "NtQueryInformationProcess")
-			{
-				return instruction_hook_continuation::run_instruction;
-			}
-
-			const auto info_class = win_emu.emu().reg(x64_register::rdx);
-			if (info_class != ProcessImageFileNameWin32)
-			{
-				return instruction_hook_continuation::run_instruction;
-			}
-
-			win_emu.logger.print(color::pink, "Patching NtQueryInformationProcess...\n");
-
-			const auto data = win_emu.emu().reg(x64_register::r8);
-
-			emulator_allocator data_allocator{win_emu.emu(), data, 0x100};
-			data_allocator.make_unicode_string(
-				L"C:\\Users\\mauri\\source\\repos\\lul\\x64\\Release\\lul.exe");
-			win_emu.emu().reg(x64_register::rax, STATUS_SUCCESS);
-			return instruction_hook_continuation::skip_instruction;
-		});*/
-
-		run_emulation(win_emu);
+		forward_emulator(win_emu);
+		run_fuzzer(win_emu);
 	}
 }

--- a/src/fuzzing-engine/CMakeLists.txt
+++ b/src/fuzzing-engine/CMakeLists.txt
@@ -0,0 +1,21 @@
+file(GLOB_RECURSE SRC_FILES CONFIGURE_DEPENDS
+  *.cpp
+  *.hpp
+  *.rc
+)
+
+list(SORT SRC_FILES)
+
+add_library(fuzzing-engine ${SRC_FILES})
+
+momo_assign_source_group(${SRC_FILES})
+
+target_link_libraries(fuzzing-engine PRIVATE
+  common
+)
+
+target_include_directories(fuzzing-engine INTERFACE
+    "${CMAKE_CURRENT_LIST_DIR}"
+)
+
+momo_strip_target(fuzzing-engine)
--- a/src/fuzzing-engine/fuzzer.cpp
+++ b/src/fuzzing-engine/fuzzer.cpp
@@ -0,0 +1,114 @@
+#include "fuzzer.hpp"
+#include "input_generator.hpp"
+
+namespace fuzzer
+{
+	namespace
+	{
+		class fuzzing_context
+		{
+		public:
+			fuzzing_context(input_generator& generator, fuzzing_handler& handler)
+				: generator(generator)
+				  , handler(handler)
+			{
+			}
+
+			void stop()
+			{
+				this->stop_ = true;
+			}
+
+			bool should_stop()
+			{
+				if (this->stop_)
+				{
+					return true;
+				}
+
+				if (!handler.stop())
+				{
+					return false;
+				}
+
+				this->stop_ = true;
+				return true;
+			}
+
+			input_generator& generator;
+			fuzzing_handler& handler;
+
+		private:
+			std::atomic_bool stop_{false};
+		};
+
+		void perform_fuzzing_iteration(const fuzzing_context& context)
+		{
+			context.generator.access_input([&](const std::span<const uint8_t> input)
+			{
+				uint64_t score{0};
+				context.handler.execute(input, [&](uint64_t)
+				{
+					++score;
+				});
+
+				return score;
+			});
+		}
+
+		void worker(fuzzing_context& context)
+		{
+			while (!context.should_stop())
+			{
+				perform_fuzzing_iteration(context);
+			}
+		}
+
+		struct worker_pool
+		{
+			fuzzing_context* context_{nullptr};
+			std::vector<std::thread> workers_{};
+
+			worker_pool(fuzzing_context& context, const size_t concurrency)
+				: context_(&context)
+			{
+				this->workers_.reserve(concurrency);
+
+				for (size_t i = 0; i < concurrency; ++i)
+				{
+					this->workers_.emplace_back([&context]
+					{
+						worker(context);
+					});
+				}
+			}
+
+			~worker_pool()
+			{
+				if (this->workers_.empty())
+				{
+					return;
+				}
+
+				this->context_->stop();
+
+				for (auto& w : this->workers_)
+				{
+					w.join();
+				}
+			}
+		};
+	}
+
+	void run(fuzzing_handler& handler, const size_t concurrency)
+	{
+		input_generator generator{};
+		fuzzing_context context{generator, handler};
+		worker_pool pool{context, concurrency};
+
+		while (!context.should_stop())
+		{
+			std::this_thread::sleep_for(std::chrono::seconds{1});
+		}
+	}
+}
--- a/src/fuzzing-engine/fuzzer.hpp
+++ b/src/fuzzing-engine/fuzzer.hpp
@@ -0,0 +1,31 @@
+#pragma once
+#include <span>
+#include <thread>
+#include <cstdint>
+#include <functional>
+
+namespace fuzzer
+{
+	using coverage_functor = void(uint64_t address);
+
+	enum class execution_result
+	{
+		success,
+		error,
+	};
+
+	struct fuzzing_handler
+	{
+		virtual ~fuzzing_handler() = default;
+
+		virtual execution_result execute(std::span<const uint8_t> data,
+		                                 const std::function<coverage_functor>& coverage_handler) = 0;
+
+		virtual bool stop()
+		{
+			return false;
+		}
+	};
+
+	void run(fuzzing_handler& handler, size_t concurrency = std::thread::hardware_concurrency());
+}
--- a/src/fuzzing-engine/input_generator.cpp
+++ b/src/fuzzing-engine/input_generator.cpp
@@ -0,0 +1,93 @@
+#include "input_generator.hpp"
+
+namespace fuzzer
+{
+	namespace
+	{
+		constexpr size_t MAX_TOP_SCORER = 20;
+
+		void mutate_input(random_generator& rng, std::vector<uint8_t>& input)
+		{
+			if (input.empty() || rng.get(10) == 0)
+			{
+				const auto new_bytes = rng.get_geometric<size_t>() + 1;
+				input.resize(input.size() + new_bytes);
+			}
+			else if (rng.get(10) == 0)
+			{
+				const auto remove_bytes = rng.get_geometric<size_t>() % input.size();
+				input.resize(input.size() - remove_bytes);
+			}
+
+			const auto mutations = (rng.get_geometric<size_t>() + 1) % input.size();
+
+
+			for (size_t i = 0; i < mutations; ++i)
+			{
+				const auto index = rng.get<size_t>(input.size());
+				input[index] = rng.get<uint8_t>();
+			}
+		}
+	}
+
+	input_generator::input_generator() = default;
+
+	std::vector<uint8_t> input_generator::generate_next_input()
+	{
+		std::vector<uint8_t> input{};
+		std::unique_lock lock{this->mutex_};
+
+		if (!this->top_scorer_.empty())
+		{
+			const auto index = this->rng.get<size_t>() % this->top_scorer_.size();
+			input = this->top_scorer_[index].data;
+		}
+
+		mutate_input(this->rng, input);
+
+		return input;
+	}
+
+	void input_generator::access_input(const std::function<input_handler>& handler)
+	{
+		auto next_input = this->generate_next_input();
+		const auto score = handler(next_input);
+		this->store_input_entry({std::move(next_input), score});
+	}
+
+	void input_generator::store_input_entry(input_entry entry)
+	{
+		std::unique_lock lock{this->mutex_};
+
+		if (entry.score < this->lowest_score && this->rng.get(40) != 0)
+		{
+			return;
+		}
+
+		const auto score = entry.score;
+
+		if (this->top_scorer_.size() < MAX_TOP_SCORER)
+		{
+			this->top_scorer_.emplace_back(std::move(entry));
+		}
+		else
+		{
+			const auto index = this->rng.get<size_t>() % this->top_scorer_.size();
+			this->top_scorer_[index] = std::move(entry);
+		}
+
+		this->lowest_score = score;
+		if (score < this->lowest_score)
+		{
+			return;
+		}
+
+		for (const auto& e : this->top_scorer_)
+		{
+			if (e.score < this->lowest_score)
+			{
+				this->lowest_score = e.score;
+			}
+		}
+	}
+}
--- a/src/fuzzing-engine/input_generator.hpp
+++ b/src/fuzzing-engine/input_generator.hpp
@@ -0,0 +1,38 @@
+#pragma once
+#include <mutex>
+#include <vector>
+#include <optional>
+#include <functional>
+
+#include "random_generator.hpp"
+
+namespace fuzzer
+{
+	using input_score = uint64_t;
+	using input_handler = input_score(std::span<const uint8_t>);
+
+	struct input_entry
+	{
+		std::vector<uint8_t> data{};
+		input_score score{};
+	};
+
+	class input_generator
+	{
+	public:
+		input_generator();
+
+		void access_input(const std::function<input_handler>& handler);
+
+	private:
+		std::mutex mutex_{};
+		random_generator rng{};
+
+		std::vector<input_entry> top_scorer_{};
+		input_score lowest_score{0};
+
+		std::vector<uint8_t> generate_next_input();
+
+		void store_input_entry(input_entry entry);
+	};
+}
--- a/src/fuzzing-engine/random_generator.cpp
+++ b/src/fuzzing-engine/random_generator.cpp
@@ -0,0 +1,34 @@
+#include "random_generator.hpp"
+
+namespace fuzzer
+{
+	random_generator::random_generator()
+		: rng_(std::random_device()())
+	{
+	}
+
+	std::mt19937::result_type random_generator::generate_number()
+	{
+		return this->distribution_(this->rng_);
+	}
+
+	void random_generator::fill(void* data, const size_t size)
+	{
+		this->fill(std::span(static_cast<uint8_t*>(data), size));
+	}
+
+	void random_generator::fill(std::span<uint8_t> data)
+	{
+		size_t i = 0;
+		while (i < data.size())
+		{
+			const auto number = this->generate_number();
+
+			const auto remaining_data = data.size() - i;
+			const auto data_to_fill = std::min(remaining_data, sizeof(number));
+
+			memcpy(data.data() + i, &number, data_to_fill);
+			i += data_to_fill;
+		}
+	}
+}
--- a/src/fuzzing-engine/random_generator.hpp
+++ b/src/fuzzing-engine/random_generator.hpp
@@ -0,0 +1,69 @@
+#pragma once
+#include <span>
+#include <random>
+#include <cstdint>
+
+namespace fuzzer
+{
+	class random_generator
+	{
+	public:
+		random_generator();
+
+		void fill(std::span<uint8_t> data);
+		void fill(void* data, size_t size);
+
+		template <typename T>
+			requires(std::is_trivially_copyable_v<T>)
+		T get()
+		{
+			T value{};
+			this->fill(&value, sizeof(value));
+			return value;
+		}
+
+		template <typename T>
+		T get(const T& max)
+		{
+			return this->get<T>() % max;
+		}
+
+		template <typename T>
+		T get(T min, T max)
+		{
+			if (max < min)
+			{
+				std::swap(max, min);
+			}
+
+			const auto diff = max - min;
+
+			return (this->get<T>() % diff) + min;
+		}
+
+		template <typename T>
+		T get_geometric()
+		{
+			T value{0};
+
+			while (this->get<bool>())
+			{
+				++value;
+			}
+
+			return value;
+		}
+
+	private:
+		std::mt19937 rng_;
+		std::uniform_int_distribution<std::mt19937::result_type> distribution_{};
+
+		std::mt19937::result_type generate_number();
+	};
+
+	template <>
+	inline bool random_generator::get<bool>()
+	{
+		return (this->generate_number() & 1) != 0;
+	}
+}
--- a/src/sample/CMakeLists.txt
+++ b/src/sample/CMakeLists.txt
@@ -15,7 +15,7 @@ target_precompile_headers(sample PRIVATE std_include.hpp)
 target_link_libraries(sample PRIVATE
  common
  reflect
-  windows_emulator
+  windows-emulator
 )

 set_property(GLOBAL PROPERTY VS_STARTUP_PROJECT sample)
--- a/src/unicorn-emulator/CMakeLists.txt
+++ b/src/unicorn-emulator/CMakeLists.txt
@@ -0,0 +1,16 @@
+file(GLOB_RECURSE SRC_FILES CONFIGURE_DEPENDS
+  *.cpp
+  *.hpp
+  *.rc
+)
+
+list(SORT SRC_FILES)
+
+add_library(unicorn-emulator SHARED ${SRC_FILES})
+
+target_include_directories(unicorn-emulator INTERFACE
+    "${CMAKE_CURRENT_LIST_DIR}"
+)
+
+target_link_libraries(unicorn-emulator PUBLIC emulator)
+target_link_libraries(unicorn-emulator PRIVATE unicorn)
--- a/src/unicorn-emulator/function_wrapper.hpp
+++ b/src/unicorn-emulator/function_wrapper.hpp
--- a/src/unicorn-emulator/object.hpp
+++ b/src/unicorn-emulator/object.hpp
--- a/src/unicorn-emulator/unicorn.hpp
+++ b/src/unicorn-emulator/unicorn.hpp
--- a/src/unicorn-emulator/unicorn_hook.hpp
+++ b/src/unicorn-emulator/unicorn_hook.hpp
--- a/src/unicorn-emulator/unicorn_memory_regions.hpp
+++ b/src/unicorn-emulator/unicorn_memory_regions.hpp
--- a/src/unicorn-emulator/unicorn_x64_emulator.cpp
+++ b/src/unicorn-emulator/unicorn_x64_emulator.cpp
--- a/src/unicorn-emulator/unicorn_x64_emulator.hpp
+++ b/src/unicorn-emulator/unicorn_x64_emulator.hpp
--- a/src/unicorn_emulator/CMakeLists.txt
+++ b/src/unicorn_emulator/CMakeLists.txt
@@ -1,16 +0,0 @@
-file(GLOB_RECURSE SRC_FILES CONFIGURE_DEPENDS
-  *.cpp
-  *.hpp
-  *.rc
-)
-
-list(SORT SRC_FILES)
-
-add_library(unicorn_emulator SHARED ${SRC_FILES})
-
-target_include_directories(unicorn_emulator INTERFACE
-    "${CMAKE_CURRENT_LIST_DIR}"
-)
-
-target_link_libraries(unicorn_emulator PUBLIC emulator)
-target_link_libraries(unicorn_emulator PRIVATE unicorn)
--- a/src/windows-emulator/CMakeLists.txt
+++ b/src/windows-emulator/CMakeLists.txt
@@ -0,0 +1,30 @@
+file(GLOB_RECURSE SRC_FILES CONFIGURE_DEPENDS
+  *.cpp
+  *.hpp
+  *.rc
+)
+
+list(SORT SRC_FILES)
+
+add_library(windows-emulator ${SRC_FILES})
+
+momo_assign_source_group(${SRC_FILES})
+
+target_precompile_headers(windows-emulator PRIVATE std_include.hpp)
+
+target_link_libraries(windows-emulator PRIVATE
+  common
+  unicorn-emulator
+  mini-gdbstub
+)
+
+target_link_libraries(windows-emulator PUBLIC
+  emulator
+  phnt::phnt
+)
+
+target_include_directories(windows-emulator INTERFACE
+    "${CMAKE_CURRENT_LIST_DIR}"
+)
+
+momo_strip_target(windows-emulator)
--- a/src/windows-emulator/context_frame.cpp
+++ b/src/windows-emulator/context_frame.cpp
--- a/src/windows-emulator/context_frame.hpp
+++ b/src/windows-emulator/context_frame.hpp
--- a/src/windows-emulator/debugging/gdb_stub.cpp
+++ b/src/windows-emulator/debugging/gdb_stub.cpp
--- a/src/windows-emulator/debugging/gdb_stub.hpp
+++ b/src/windows-emulator/debugging/gdb_stub.hpp
--- a/src/windows-emulator/debugging/x64_gdb_stub_handler.hpp
+++ b/src/windows-emulator/debugging/x64_gdb_stub_handler.hpp
--- a/src/windows-emulator/emulator_utils.hpp
+++ b/src/windows-emulator/emulator_utils.hpp
--- a/src/windows-emulator/handles.hpp
+++ b/src/windows-emulator/handles.hpp
--- a/src/windows-emulator/logger.cpp
+++ b/src/windows-emulator/logger.cpp
@@ -85,6 +85,11 @@ namespace

 void logger::print(const color c, const char* message, ...) const
 {
+	if (this->disable_output_)
+	{
+		return;
+	}
+
 	va_list ap;
 	va_start(ap, message);

--- a/src/windows-emulator/logger.hpp
+++ b/src/windows-emulator/logger.hpp
@@ -48,4 +48,12 @@ public:
 	{
 		this->print(color::gray, message, args...);
 	}
+
+	void disable_output(const bool value)
+	{
+		this->disable_output_ = value;
+	}
+
+private:
+	bool disable_output_{false};
 };
--- a/src/windows-emulator/memory_utils.hpp
+++ b/src/windows-emulator/memory_utils.hpp
--- a/src/windows-emulator/module/mapped_module.hpp
+++ b/src/windows-emulator/module/mapped_module.hpp
--- a/src/windows-emulator/module/module_manager.cpp
+++ b/src/windows-emulator/module/module_manager.cpp
--- a/src/windows-emulator/module/module_manager.hpp
+++ b/src/windows-emulator/module/module_manager.hpp
--- a/src/windows-emulator/module/module_mapping.cpp
+++ b/src/windows-emulator/module/module_mapping.cpp
--- a/src/windows-emulator/module/module_mapping.hpp
+++ b/src/windows-emulator/module/module_mapping.hpp
--- a/src/windows-emulator/process_context.hpp
+++ b/src/windows-emulator/process_context.hpp
--- a/src/windows-emulator/std_include.hpp
+++ b/src/windows-emulator/std_include.hpp
--- a/src/windows-emulator/syscalls.cpp
+++ b/src/windows-emulator/syscalls.cpp
@@ -1211,7 +1211,15 @@ namespace
 		                       aligned_start + aligned_length, get_permission_string(requested_protection).c_str());

 		memory_permission old_protection_value{};
-		c.emu.protect_memory(aligned_start, aligned_length, requested_protection, &old_protection_value);
+
+		try
+		{
+			c.emu.protect_memory(aligned_start, aligned_length, requested_protection, &old_protection_value);
+		}
+		catch (...)
+		{
+			return STATUS_INVALID_ADDRESS;
+		}

 		const auto current_protection = map_emulator_to_nt_protection(old_protection_value);
 		old_protection.write(current_protection);
--- a/src/windows-emulator/syscalls.hpp
+++ b/src/windows-emulator/syscalls.hpp
--- a/src/windows-emulator/windows_emulator.cpp
+++ b/src/windows-emulator/windows_emulator.cpp
--- a/src/windows-emulator/windows_emulator.hpp
+++ b/src/windows-emulator/windows_emulator.hpp
--- a/src/windows_emulator/CMakeLists.txt
+++ b/src/windows_emulator/CMakeLists.txt
@@ -1,30 +0,0 @@
-file(GLOB_RECURSE SRC_FILES CONFIGURE_DEPENDS
-  *.cpp
-  *.hpp
-  *.rc
-)
-
-list(SORT SRC_FILES)
-
-add_library(windows_emulator ${SRC_FILES})
-
-momo_assign_source_group(${SRC_FILES})
-
-target_precompile_headers(windows_emulator PRIVATE std_include.hpp)
-
-target_link_libraries(windows_emulator PRIVATE
-  common
-  unicorn_emulator
-  mini-gdbstub
-)
-
-target_link_libraries(windows_emulator PUBLIC
-  emulator
-  phnt::phnt
-)
-
-target_include_directories(windows_emulator INTERFACE
-    "${CMAKE_CURRENT_LIST_DIR}"
-)
-
-momo_strip_target(windows_emulator)