From 2d23abc9e55bfab6f6861e458ee2d0c26eb68d9b Mon Sep 17 00:00:00 2001
From: momo5502
Date: Sat, 31 Aug 2024 17:37:30 +0200
Subject: [PATCH] More fixes and progress

---
 src/windows_emulator/main.cpp | 16 -----
 src/windows_emulator/module_mapper.cpp | 27 +++++++-
 src/windows_emulator/syscalls.cpp | 91 ++++++++++++++++----------
 3 files changed, 84 insertions(+), 50 deletions(-)

diff --git a/src/windows_emulator/main.cpp b/src/windows_emulator/main.cpp
index afcd9ed3..a262edb2 100644
--- a/src/windows_emulator/main.cpp
+++ b/src/windows_emulator/main.cpp
@@ -575,22 +575,6 @@ namespace
 (void)entry1;
 (void)entry2;
 
- std::unordered_map export_remap{};
- for (const auto& symbol : context.ntdll.exports)
- {
- export_remap.try_emplace(symbol.address, symbol.name);
- }
-
- for (const auto& exp : export_remap)
- {
- auto name = exp.second;
- emu->hook_memory_execution(exp.first, 0,
- [n = std::move(name)](const uint64_t address, const size_t)
- {
- printf("Executing function: %s (%llX)\n", n.c_str(), address);
- });
- }
-
 syscall_dispatcher dispatcher{context.ntdll.exports};
 
 emu->hook_instruction(x64_hookable_instructions::syscall, [&]
diff --git a/src/windows_emulator/module_mapper.cpp b/src/windows_emulator/module_mapper.cpp
index d5e25a73..86259535 100644
--- a/src/windows_emulator/module_mapper.cpp
+++ b/src/windows_emulator/module_mapper.cpp
@@ -142,6 +142,27 @@ namespace
 }
 }
 
+ void hook_exports(emulator& emu, const mapped_binary& binary, const std::filesystem::path& file)
+ {
+ const auto filename = file.filename().string();
+
+ std::unordered_map export_remap{};
+ for (const auto& symbol : binary.exports)
+ {
+ export_remap.try_emplace(symbol.address, symbol.name);
+ }
+
+ for (const auto& exp : export_remap)
+ {
+ auto name = exp.second;
+ emu.hook_memory_execution(exp.first, 0,
+ [n = std::move(name), filename](const uint64_t address, const size_t)
+ {
+ printf("Executing function: %s - %s (%llX)\n",filename.c_str(), n.c_str(), address);
+ });
+ }
+ }
+
 mapped_binary map_module(x64_emulator& emu, const std::vector& module_data, const std::string& name)
 {
@@ -194,5 +215,9 @@ std::optional map_file(x64_emulator& emu, const std::filesystem::
 return {};
 }
 
- return map_module(emu, data, file.generic_string());
+ auto binary = map_module(emu, data, file.generic_string());
+
+ hook_exports(emu, binary, file);
+
+ return binary;
 }
diff --git a/src/windows_emulator/syscalls.cpp b/src/windows_emulator/syscalls.cpp
index 955d0b88..fbed44ec 100644
--- a/src/windows_emulator/syscalls.cpp
+++ b/src/windows_emulator/syscalls.cpp
@@ -18,6 +18,7 @@ namespace
 constexpr uint64_t KNOWN_DLLS_DIRECTORY = DIRECTORY_BIT | PSEUDO_BIT | 0x1337;
 constexpr uint64_t KNOWN_DLLS_SYMLINK = SYMLINK_BIT | PSEUDO_BIT | 0x1337;
+ constexpr uint64_t SHARED_SECTION = FILE_BIT | PSEUDO_BIT | 0x1337;
 
 uint64_t get_syscall_argument(x64_emulator& emu, const size_t index)
 {
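Review bot: In `hook_exports`, the printf formats the `uint64_t` address with `%llX`, which is only correct where `uint64_t` is `unsigned long long`; the portable spelling is `printf("Executing function: %s - %s (%" PRIx64 ")\n", filename.c_str(), n.c_str(), address);` with `<cinttypes>` included (the main.cpp code this replaces had the same issue, so this is an opportunity rather than a regression). Since map_file now calls this for every mapped module, every export of every DLL gets an execution hook that prints to stdout on each call; if this is meant as a debug trace, gating the hook installation on a verbosity flag would keep it out of normal runs. The call also lacks a space after the comma in `,filename.c_str()`.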
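Review bot: `SHARED_SECTION` is handed out by handle_NtOpenSection later in this patch, but no hunk here updates the consumers of section handles (NtMapViewOfSection, NtClose) to recognise a pseudo handle that carries FILE_BIT; if those handlers look the handle up in `c.proc.files`, a view of `\Windows\SharedSection` will miss. I cannot see those handlers, so this may already be covered elsewhere. A comment on the constant would state the contract either way: `// pseudo handle returned for \Windows\SharedSection; assumes PSEUDO_BIT lies outside the index range used by c.proc.files`.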
@@ -403,6 +404,39 @@ namespace
 const ACCESS_MASK /*desired_access*/,
 const emulator_object object_attributes)
 {
+ const auto attributes = object_attributes.read();
+
+ auto filename = read_unicode_string(c.emu, attributes.ObjectName);
+ printf("Open section: %S\n", filename.c_str());
+
+ if (filename == L"\\Windows\\SharedSection")
+ {
+ section_handle.write(SHARED_SECTION);
+ return STATUS_SUCCESS;
+ }
+
+ if (reinterpret_cast(attributes.RootDirectory) != KNOWN_DLLS_DIRECTORY)
+ {
+ puts("Unsupported section");
+ c.emu.stop();
+ return STATUS_NOT_SUPPORTED;
+ }
+
+
+ if (filename.starts_with(L"api-ms-"))
+ {
+ filename = L"C:\\WINDOWS\\System32\\downlevel\\" + filename;
+ }
+ else
+ {
+ filename = L"C:\\WINDOWS\\System32\\" + filename;
+ }
+
+ if (!std::filesystem::exists(filename))
+ {
+ return STATUS_FILE_INVALID;
+ }
+
 uint32_t index = 1;
 for (;; ++index)
 {
@@ -414,40 +448,9 @@ namespace
 section_handle.write(index | FILE_BIT);
 
- auto status = STATUS_SUCCESS;
- std::wstring filename{};
- object_attributes.access([&](const OBJECT_ATTRIBUTES& attributes)
- {
- if (reinterpret_cast(attributes.RootDirectory) != KNOWN_DLLS_DIRECTORY)
- {
- status = STATUS_NOT_SUPPORTED;
- return;
- }
-
- filename = read_unicode_string(c.emu, attributes.ObjectName);
- if (filename.starts_with(L"api-ms-"))
- {
- filename = L"C:\\WINDOWS\\System32\\downlevel\\" + filename;
- }
- else
- {
- filename = L"C:\\WINDOWS\\System32\\" + filename;
- }
- });
-
- if (status != STATUS_SUCCESS)
- {
- return status;
- }
-
- if (!std::filesystem::exists(filename))
- {
- return STATUS_FILE_INVALID;
- }
-
 c.proc.files.try_emplace(index, std::move(filename));
 
- return status;
+ return STATUS_SUCCESS;
 }
 
 NTSTATUS handle_NtMapViewOfSection(const syscall_context& c, uint64_t section_handle, uint64_t process_handle,
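Review bot: The guest-supplied section name is concatenated straight onto `C:\WINDOWS\System32\` (or the `downlevel` variant) and then checked with `std::filesystem::exists`, so a name containing `..` or a path separator resolves outside the intended directory on the host filesystem before being stored in `c.proc.files`, which lets the emulated program steer the emulator at arbitrary host files. KnownDlls names are bare file names, so rejecting anything else before the `starts_with` branch closes this: `if (filename.find_first_of(L"\\/") != std::wstring::npos || filename == L"." || filename == L"..") return STATUS_OBJECT_NAME_INVALID;` (STATUS_FILE_INVALID, already used just below, works if the file does not define that status). The two consecutive blank lines after the `STATUS_NOT_SUPPORTED` return look accidental. handle_NtOpenSection's body continues in the next hunk, where the old validation is removed.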
@@ -562,11 +565,33 @@ namespace
 const emulator_object return_length)
 {
 if (info_class == SystemFlushInformation
- || info_class == SystemHypervisorSharedPageInformation)
+ || info_class == SystemHypervisorSharedPageInformation
+ )
 {
 return STATUS_NOT_SUPPORTED;
 }
 
+ if (info_class == SystemRangeStartInformation)
+ {
+ if (return_length)
+ {
+ return_length.write(sizeof(SYSTEM_RANGE_START_INFORMATION));
+ }
+
+ if (system_information_length != sizeof(SYSTEM_RANGE_START_INFORMATION))
+ {
+ return STATUS_BUFFER_TOO_SMALL;
+ }
+
+ const emulator_object info_obj{c.emu, system_information};
+
+ info_obj.access([&](SYSTEM_RANGE_START_INFORMATION& info)
+ {
+ info.SystemRangeStart = 0xFFFF800000000000;
+ });
+
+ return STATUS_SUCCESS;
+ }
 if (info_class == SystemNumaProcessorMap)
 {
 if (return_length)
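Review bot: The new `SystemRangeStartInformation` block ends with `}` immediately followed by `if (info_class == SystemNumaProcessorMap)` with no blank line, and the reformatted condition above it now puts the closing `)` on a line of its own; both read as accidental and differ from the surrounding blocks. `0xFFFF800000000000` deserves a comment since it is the x64 canonical kernel-space boundary the real kernel reports here: `info.SystemRangeStart = 0xFFFF800000000000; // MmSystemRangeStart on x64`. For this class the kernel answers a length mismatch with STATUS_INFO_LENGTH_MISMATCH rather than STATUS_BUFFER_TOO_SMALL; if the other classes in this function already use STATUS_BUFFER_TOO_SMALL, consistency within the emulator may matter more than fidelity. The `[&]` on the access lambda captures nothing and can be `[]`.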