Allocate virtual memory

2026-01-11 16:46:16 +00:00 · 2024-08-19 19:50:48 +02:00
parent a6405842a2
commit 36dba82c45
2 changed files with 52 additions and 1 deletions
--- a/src/emulator/main.cpp
+++ b/src/emulator/main.cpp
@@ -11,8 +11,8 @@

 #define IA32_GS_BASE_MSR 0xC0000101

-#define STACK_ADDRESS 0x7ffffffde000
 #define STACK_SIZE 0x40000
+#define STACK_ADDRESS (0x800000000000 - STACK_SIZE)

 #define KUSD_ADDRESS 0x7ffe0000

--- a/src/emulator/syscalls.cpp
+++ b/src/emulator/syscalls.cpp
@@ -242,6 +242,54 @@ namespace

 		uc.reg<uint64_t>(UC_X86_REG_RAX, STATUS_SUCCESS);
 	}
+
+	void handle_NtAllocateVirtualMemoryEx(const unicorn& uc)
+	{
+		const auto process_handle = uc.reg(UC_X86_REG_R10);
+		const unicorn_object<uint64_t> base_address{uc, uc.reg(UC_X86_REG_RDX)};
+		const unicorn_object<uint64_t> bytes_to_allocate{uc, uc.reg(UC_X86_REG_R8)};
+		//const auto allocation_type = uc.reg<uint32_t>(UC_X86_REG_R9D);
+		const auto page_protection = static_cast<uint32_t>(uc.read_stack(5));
+
+		if (process_handle != ~0ULL)
+		{
+			uc.reg<uint64_t>(UC_X86_REG_RAX, STATUS_NOT_IMPLEMENTED);
+			return;
+		}
+
+		constexpr auto allocation_granularity = 0x10000;
+		auto allocation_bytes = bytes_to_allocate.read();
+		allocation_bytes = align_up(allocation_bytes, allocation_granularity);
+		bytes_to_allocate.write(allocation_bytes);
+
+		const auto protection = map_nt_to_unicorn_protection(page_protection);
+
+		auto allocate_anywhere = false;
+		auto allocation_base = base_address.read();
+		if (!allocation_base)
+		{
+			allocate_anywhere = true;
+			allocation_base = allocation_granularity;
+		}
+
+		bool succeeded = false;
+
+		while (true)
+		{
+			succeeded = uc_mem_map(uc, allocation_base, allocation_bytes, protection) == UC_ERR_OK;
+			if (succeeded || !allocate_anywhere)
+			{
+				break;
+			}
+
+			allocation_base += allocation_granularity;
+		}
+
+		uc.reg<uint64_t>(UC_X86_REG_RAX, succeeded
+			                                 ? STATUS_SUCCESS
+			                                 : STATUS_NOT_SUPPORTED // No idea what the correct code is
+		);
+	}
 }

 void handle_syscall(const unicorn& uc, process_context& context)
@@ -276,6 +324,9 @@ void handle_syscall(const unicorn& uc, process_context& context)
 		case 0x50:
 			handle_NtProtectVirtualMemory(uc);
 			break;
+		case 0x78:
+			handle_NtAllocateVirtualMemoryEx(uc);
+			break;
 		case 0x11A:
 			handle_NtManageHotPatch(uc);
 			break;