From 2022513bbe86c87362f55c540114ba2796101383 Mon Sep 17 00:00:00 2001
From: momo5502 <mauriceheumann@gmail.com>
Date: Fri, 6 Sep 2024 19:44:35 +0200
Subject: [PATCH] Fix stack alignment

---
 src/windows_emulator/main.cpp            | 24 ++++++++++++++++++------
 src/windows_emulator/process_context.hpp |  2 ++
 src/windows_emulator/syscalls.cpp        | 16 +++++++++++++---
 3 files changed, 33 insertions(+), 9 deletions(-)

diff --git a/src/windows_emulator/main.cpp b/src/windows_emulator/main.cpp
index ec5b7fd8..12a2fcb1 100644
--- a/src/windows_emulator/main.cpp
+++ b/src/windows_emulator/main.cpp
@@ -135,6 +135,13 @@ namespace
 		return {emu, new_sp};
 	}
 
+	void unalign_stack(x64_emulator& emu)
+	{
+		auto sp = emu.reg(x64_register::rsp);
+		sp = align_down(sp - 0x10, 0x10) + 8;
+		emu.reg(x64_register::rsp, sp);
+	}
+
 	void setup_stack(x64_emulator& emu, const uint64_t stack_base, const size_t stack_size)
 	{
 		emu.allocate_memory(stack_base, stack_size, memory_permission::read_write);
@@ -701,6 +708,7 @@ namespace
 		emu.reg(x64_register::rcx, reinterpret_cast<uint64_t>(pointers.ExceptionRecord));
 		emu.reg(x64_register::rdx, reinterpret_cast<uint64_t>(pointers.ContextRecord));
 		emu.reg(x64_register::rip, dispatcher);
+		unalign_stack(emu);
 	}
 
 	void dispatch_access_violation(x64_emulator& emu, uint64_t dispatcher, const uint64_t address,
@@ -716,7 +724,7 @@ namespace
 
 		auto context = setup_context(*emu);
 
-		context.executable = *map_file(*emu, R"(C:\Users\mauri\Desktop\ConsoleApplication6.exe)");
+		context.executable = *map_file(*emu, R"(C:\Users\Maurice\Desktop\ConsoleApplication6.exe)");
 
 		context.peb.access([&](PEB& peb)
 		{
@@ -753,7 +761,7 @@ namespace
 
 		emu->hook_interrupt([&](int interrupt)
 		{
-			printf("Interrupt: %i\n", interrupt);
+			printf("Interrupt: %i %llX\n", interrupt, emu->read_instruction_pointer());
 		});
 
 		emu->hook_memory_violation([&](const uint64_t address, const size_t size, const memory_operation operation,
@@ -781,11 +789,11 @@ namespace
 				watch_object(*emu, context.process_params);
 				watch_object(*emu, context.kusd);
 				*/
-		/*emu->hook_memory_execution(0, std::numeric_limits<size_t>::max(), [&](const uint64_t address, const size_t)
+		emu->hook_memory_execution(0, std::numeric_limits<size_t>::max(), [&](const uint64_t address, const size_t)
 		{
-			if (address == 0x1800D52F4)
+			if (!context.verbose)
 			{
-				//emu->stop();
+				return;
 			}
 
 			printf(
@@ -794,11 +802,13 @@ namespace
 				emu->reg(x64_register::rax), emu->reg(x64_register::rbx), emu->reg(x64_register::rcx),
 				emu->reg(x64_register::rdx), emu->reg(x64_register::r8), emu->reg(x64_register::r9),
 				emu->reg(x64_register::rdi), emu->reg(x64_register::rsi));
-		});*/
+		});
 
 		CONTEXT ctx{};
 		ctx.ContextFlags = CONTEXT_ALL;
 
+		unalign_stack(*emu);
+
 		context_frame::save(*emu, ctx);
 
 		ctx.Rip = rtl_user_thread_start;
@@ -807,6 +817,8 @@ namespace
 		const auto ctx_obj = allocate_object_on_stack<CONTEXT>(*emu);
 		ctx_obj.write(ctx);
 
+		unalign_stack(*emu);
+
 		emu->reg(x64_register::rcx, ctx_obj.value());
 		emu->reg(x64_register::rdx, context.ntdll.image_base);
 		emu->reg(x64_register::rip, ldr_initialize_thunk);
diff --git a/src/windows_emulator/process_context.hpp b/src/windows_emulator/process_context.hpp
index 4ac38f66..192dd778 100644
--- a/src/windows_emulator/process_context.hpp
+++ b/src/windows_emulator/process_context.hpp
@@ -51,4 +51,6 @@ struct process_context
 	std::map<uint32_t, HANDLE> os_handles{};
 	std::map<uint32_t, std::wstring> files{};
 	emulator_allocator gs_segment{};
+
+	bool verbose{false};
 };
diff --git a/src/windows_emulator/syscalls.cpp b/src/windows_emulator/syscalls.cpp
index f58dbb16..a1d8d9f5 100644
--- a/src/windows_emulator/syscalls.cpp
+++ b/src/windows_emulator/syscalls.cpp
@@ -123,23 +123,33 @@ namespace
 		return resolve_argument<T>(emu, index++);
 	}
 
-	void write_status(const syscall_context& c, const NTSTATUS status)
+	void write_status(const syscall_context& c, const NTSTATUS status, const uint64_t initial_ip)
 	{
 		if (c.write_status)
 		{
 			c.emu.reg<uint64_t>(x64_register::rax, static_cast<uint64_t>(status));
 		}
+
+		const auto new_ip = c.emu.read_instruction_pointer();
+		if (initial_ip != new_ip)
+		{
+			c.emu.reg(x64_register::rip, new_ip - 2);
+		}
 	}
 
 	void forward(const syscall_context& c, NTSTATUS (*handler)())
 	{
+		const auto ip = c.emu.read_instruction_pointer();
+
 		const auto ret = handler();
-		write_status(c, ret);
+		write_status(c, ret, ip);
 	}
 
 	template <typename... Args>
 	void forward(const syscall_context& c, NTSTATUS (*handler)(const syscall_context&, Args...))
 	{
+		const auto ip = c.emu.read_instruction_pointer();
+
 		size_t index = 0;
 		std::tuple<const syscall_context&, Args...> func_args
 		{
@@ -148,7 +158,7 @@ namespace
 		};
 
 		const auto ret = std::apply(handler, std::move(func_args));
-		write_status(c, ret);
+		write_status(c, ret, ip);
 	}
 
 	NTSTATUS handle_NtQueryPerformanceCounter(const syscall_context&,