Lightemerald/windows-user-space-emulator
2
0
Fork 0
mirror of https://github.com/momo5502/emulator.git synced 2026-01-20 20:23:57 +00:00
Code Issues Packages Projects Releases Wiki Activity

Log crafted out-of-line sycalls (#42)

Browse Source
This commit is contained in:
Maurice Heumann
2025-01-03 17:34:43 +01:00
committed by GitHub
parent efca592c05 912e9c9379
commit 40369d50d7
3 changed files with 43 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
src/analyzer/main.cpp
View File

@@ -3,7 +3,7 @@
#include <windows_emulator.hpp>
#include <debugging/win_x64_gdb_stub_handler.hpp>
//#define CONCISE_EMULATOR_OUTPUT
#define CONCISE_EMULATOR_OUTPUT
#include "object_watching.hpp"
@@ -124,39 +124,41 @@ namespace
auto read_handler = [&, section](const uint64_t address, size_t, uint64_t)
{
const auto rip = win_emu.emu().read_instruction_pointer();
if (rip >= section.region.start && rip < section.region.start + section.
region.length)
if (win_emu.process().module_manager.find_by_address(rip) != win_emu.process().executable)
{
return;
}
#ifdef CONCISE_EMULATOR_OUTPUT
static uint64_t count{0};
++count;
if (count > 100 && count % 10000 != 0) return;
static uint64_t count{0};
++count;
if (count > 100 && count % 10000 != 0) return;
#endif
win_emu.logger.print(
color::green,
"Reading from executable section %s: 0x%llX at 0x%llX\n",
section.name.c_str(), address, rip);
}
win_emu.logger.print(
color::green,
"Reading from executable section %s at 0x%llX via 0x%llX\n",
section.name.c_str(), address, rip);
};
const auto write_handler = [&, section](const uint64_t address, size_t, uint64_t)
{
const auto rip = win_emu.emu().read_instruction_pointer();
if (rip >= section.region.start && rip < section.region.start + section.
region.length)
if (win_emu.process().module_manager.find_by_address(rip) != win_emu.process().executable)
{
return;
}
#ifdef CONCISE_EMULATOR_OUTPUT
static uint64_t count{0};
++count;
if (count > 100 && count % 10000 != 0) return;
static uint64_t count{0};
++count;
if (count > 100 && count % 10000 != 0) return;
#endif
win_emu.logger.print(
color::cyan,
"Writing to executable section %s: 0x%llX at 0x%llX\n",
section.name.c_str(), address, rip);
}
win_emu.logger.print(
color::blue,
"Writing to executable section %s at 0x%llX via 0x%llX\n",
section.name.c_str(), address, rip);
};
win_emu.emu().hook_memory_read(section.region.start, section.region.length, std::move(read_handler));

25
src/windows-emulator/syscall_dispatcher.cpp
View File

@@ -100,13 +100,26 @@ void syscall_dispatcher::dispatch(windows_emulator& win_emu)
}
else
{
const auto rsp = c.emu.read_stack_pointer();
const auto return_address = c.emu.read_memory<uint64_t>(rsp);
const auto* mod_name = context.module_manager.find_name(return_address);
const auto* previous_mod = context.module_manager.find_by_address(context.previous_ip);
if (previous_mod == mod)
{
const auto rsp = c.emu.read_stack_pointer();
const auto return_address = c.emu.read_memory<uint64_t>(rsp);
const auto* mod_name = context.module_manager.find_name(return_address);
win_emu.logger.print(color::dark_gray, "Executing syscall: %s (0x%X) at 0x%llX via 0x%llX (%s)\n",
entry->second.name.c_str(),
syscall_id, address, return_address, mod_name);
win_emu.logger.print(color::dark_gray, "Executing syscall: %s (0x%X) at 0x%llX via 0x%llX (%s) %lld\n",
entry->second.name.c_str(),
syscall_id, address, return_address, mod_name, c.proc.executed_instructions);
}
else
{
win_emu.logger.print(color::blue,
"Crafted out-of-line syscall: %s (0x%X) at 0x%llX (%s) via 0x%llX (%s)\n",
entry->second.name.c_str(),
syscall_id,
address, mod ? mod->name.c_str() : "<N/A>", context.previous_ip,
previous_mod ? previous_mod->name.c_str() : "<N/A>");
}
}
entry->second.handler(c);

2
src/windows-emulator/windows_emulator.cpp
View File

@@ -820,7 +820,7 @@ void windows_emulator::setup_hooks()
const auto rip = this->emu().read_instruction_pointer();
printf("Interrupt: %i 0x%llX\n", interrupt, rip);
if (this->fuzzing)
if (this->fuzzing || true) // TODO: Fix
{
this->process().exception_rip = rip;
this->emu().stop();