Lightemerald/windows-user-space-emulator
2
0
Fork 0
mirror of https://github.com/momo5502/emulator.git synced 2026-01-19 03:33:56 +00:00
Code Issues Packages Projects Releases Wiki Activity

Finish unicorn isolation

Browse Source
This commit is contained in:
momo5502
2024-08-21 18:58:29 +02:00
parent 024e837ad9
commit 48f9217d0b
12 changed files with 878 additions and 590 deletions
Download Patch File Download Diff File Expand all files Collapse all files

316
src/windows_emulator/syscalls.cpp
View File

@@ -3,10 +3,10 @@
namespace
{
void handle_NtQueryPerformanceCounter(const unicorn& uc)
void handle_NtQueryPerformanceCounter(x64_emulator& emu)
{
const emulator_object<LARGE_INTEGER> performance_counter{uc, uc.reg(UC_X86_REG_R10)};
const emulator_object<LARGE_INTEGER> performance_frequency{uc, uc.reg(UC_X86_REG_RDX)};
const emulator_object<LARGE_INTEGER> performance_counter{emu, emu.reg(x64_register::r10)};
const emulator_object<LARGE_INTEGER> performance_frequency{emu, emu.reg(x64_register::rdx)};
try
{
@@ -26,45 +26,45 @@ namespace
});
}
uc.reg<uint64_t>(UC_X86_REG_RAX, STATUS_SUCCESS);
emu.reg<uint64_t>(x64_register::rax, STATUS_SUCCESS);
}
catch (...)
{
uc.reg<uint64_t>(UC_X86_REG_RAX, STATUS_ACCESS_VIOLATION);
emu.reg<uint64_t>(x64_register::rax, STATUS_ACCESS_VIOLATION);
}
}
void handle_NtManageHotPatch(const unicorn& uc)
void handle_NtManageHotPatch(x64_emulator& emu)
{
uc.reg<uint64_t>(UC_X86_REG_RAX, STATUS_NOT_SUPPORTED);
emu.reg<uint64_t>(x64_register::rax, STATUS_NOT_SUPPORTED);
}
void handle_NtOpenKey(const unicorn& uc)
void handle_NtOpenKey(x64_emulator& emu)
{
uc.reg<uint64_t>(UC_X86_REG_RAX, STATUS_NOT_SUPPORTED);
emu.reg<uint64_t>(x64_register::rax, STATUS_NOT_SUPPORTED);
}
void handle_NtCreateIoCompletion(const unicorn& uc)
void handle_NtCreateIoCompletion(x64_emulator& emu)
{
uc.reg<uint64_t>(UC_X86_REG_RAX, STATUS_NOT_SUPPORTED);
emu.reg<uint64_t>(x64_register::rax, STATUS_NOT_SUPPORTED);
}
void handle_NtTraceEvent(const unicorn& uc)
void handle_NtTraceEvent(x64_emulator& emu)
{
uc.reg<uint64_t>(UC_X86_REG_RAX, STATUS_NOT_SUPPORTED);
emu.reg<uint64_t>(x64_register::rax, STATUS_NOT_SUPPORTED);
}
void handle_NtCreateEvent(const unicorn& uc, process_context& context)
void handle_NtCreateEvent(x64_emulator& emu, process_context& context)
{
const emulator_object<uint64_t> event_handle{uc, uc.reg(UC_X86_REG_R10)};
const auto object_attributes = uc.reg(UC_X86_REG_R8);
const auto event_type = uc.reg<EVENT_TYPE>(UC_X86_REG_R9D);
const auto initial_state = static_cast<BOOLEAN>(uc.read_stack(5));
const emulator_object<uint64_t> event_handle{emu, emu.reg(x64_register::r10)};
const auto object_attributes = emu.reg(x64_register::r8);
const auto event_type = emu.reg<EVENT_TYPE>(x64_register::r9d);
const auto initial_state = static_cast<BOOLEAN>(emu.read_stack(5));
if (object_attributes)
{
puts("Unsupported object attributes");
uc.stop();
emu.stop();
return;
}
@@ -75,34 +75,34 @@ namespace
static_assert(sizeof(EVENT_TYPE) == sizeof(uint32_t));
uc.reg<uint64_t>(UC_X86_REG_RAX, STATUS_SUCCESS);
emu.reg<uint64_t>(x64_register::rax, STATUS_SUCCESS);
}
void handle_NtQueryVirtualMemory(const unicorn& uc, const process_context& context)
void handle_NtQueryVirtualMemory(x64_emulator& emu, const process_context& context)
{
const auto process_handle = uc.reg(UC_X86_REG_R10);
const auto base_address = uc.reg(UC_X86_REG_RDX);
const auto info_class = uc.reg<uint32_t>(UC_X86_REG_R8D);
const auto memory_information = uc.reg(UC_X86_REG_R9);
const auto memory_information_length = static_cast<uint32_t>(uc.read_stack(5));
const emulator_object<uint32_t> return_length{uc, uc.read_stack(6)};
const auto process_handle = emu.reg(x64_register::r10);
const auto base_address = emu.reg(x64_register::rdx);
const auto info_class = emu.reg<uint32_t>(x64_register::r8d);
const auto memory_information = emu.reg(x64_register::r9);
const auto memory_information_length = static_cast<uint32_t>(emu.read_stack(5));
const emulator_object<uint32_t> return_length{emu, emu.read_stack(6)};
if (process_handle != ~0ULL)
{
uc.reg<uint64_t>(UC_X86_REG_RAX, STATUS_NOT_IMPLEMENTED);
emu.reg<uint64_t>(x64_register::rax, STATUS_NOT_IMPLEMENTED);
return;
}
if (info_class == MemoryWorkingSetExInformation)
{
uc.reg<uint64_t>(UC_X86_REG_RAX, STATUS_NOT_IMPLEMENTED);
emu.reg<uint64_t>(x64_register::rax, STATUS_NOT_IMPLEMENTED);
return;
}
if (info_class != MemoryImageInformation)
{
printf("Unsupported memory info class: %X\n", info_class);
uc.stop();
emu.stop();
return;
}
@@ -113,18 +113,18 @@ namespace
if (memory_information_length != sizeof(MEMORY_IMAGE_INFORMATION))
{
uc.reg<uint64_t>(UC_X86_REG_RAX, STATUS_BUFFER_OVERFLOW);
emu.reg<uint64_t>(x64_register::rax, STATUS_BUFFER_OVERFLOW);
return;
}
if (!is_within_start_and_length(base_address, context.ntdll.image_base, context.ntdll.size_of_image))
{
puts("Bad image request");
uc.stop();
emu.stop();
return;
}
const emulator_object<MEMORY_IMAGE_INFORMATION> info{uc, memory_information};
const emulator_object<MEMORY_IMAGE_INFORMATION> info{emu, memory_information};
info.access([&](MEMORY_IMAGE_INFORMATION& image_info)
{
@@ -132,20 +132,20 @@ namespace
image_info.SizeOfImage = context.ntdll.size_of_image;
});
uc.reg<uint64_t>(UC_X86_REG_RAX, STATUS_SUCCESS);
emu.reg<uint64_t>(x64_register::rax, STATUS_SUCCESS);
}
void handle_NtQuerySystemInformation(const unicorn& uc)
void handle_NtQuerySystemInformation(x64_emulator& emu)
{
const auto info_class = uc.reg<uint32_t>(UC_X86_REG_R10D);
const auto system_information = uc.reg(UC_X86_REG_RDX);
const auto system_information_length = uc.reg<uint32_t>(UC_X86_REG_R8D);
const emulator_object<uint32_t> return_length{uc, uc.reg(UC_X86_REG_R9)};
const auto info_class = emu.reg<uint32_t>(x64_register::r10d);
const auto system_information = emu.reg(x64_register::rdx);
const auto system_information_length = emu.reg<uint32_t>(x64_register::r8d);
const emulator_object<uint32_t> return_length{emu, emu.reg(x64_register::r9)};
if (info_class == SystemFlushInformation
|| info_class == SystemHypervisorSharedPageInformation)
{
uc.reg<uint64_t>(UC_X86_REG_RAX, STATUS_NOT_SUPPORTED);
emu.reg<uint64_t>(x64_register::rax, STATUS_NOT_SUPPORTED);
return;
}
@@ -158,11 +158,11 @@ namespace
if (system_information_length != sizeof(SYSTEM_NUMA_INFORMATION))
{
uc.reg<uint64_t>(UC_X86_REG_RAX, STATUS_BUFFER_TOO_SMALL);
emu.reg<uint64_t>(x64_register::rax, STATUS_BUFFER_TOO_SMALL);
return;
}
const emulator_object<SYSTEM_NUMA_INFORMATION> info_obj{uc, system_information};
const emulator_object<SYSTEM_NUMA_INFORMATION> info_obj{emu, system_information};
info_obj.access([&](SYSTEM_NUMA_INFORMATION& info)
{
@@ -172,14 +172,14 @@ namespace
info.Pad[0] = 0xFFF;
});
uc.reg<uint64_t>(UC_X86_REG_RAX, STATUS_SUCCESS);
emu.reg<uint64_t>(x64_register::rax, STATUS_SUCCESS);
return;
}
if (info_class != SystemBasicInformation && info_class != SystemEmulationBasicInformation)
{
printf("Unsupported system info class: %X\n", info_class);
uc.stop();
emu.stop();
return;
}
@@ -190,11 +190,11 @@ namespace
if (system_information_length != sizeof(SYSTEM_BASIC_INFORMATION))
{
uc.reg<uint64_t>(UC_X86_REG_RAX, STATUS_BUFFER_TOO_SMALL);
emu.reg<uint64_t>(x64_register::rax, STATUS_BUFFER_TOO_SMALL);
return;
}
const emulator_object<SYSTEM_BASIC_INFORMATION> info{uc, system_information};
const emulator_object<SYSTEM_BASIC_INFORMATION> info{emu, system_information};
info.access([&](SYSTEM_BASIC_INFORMATION& basic_info)
{
@@ -210,23 +210,23 @@ namespace
basic_info.NumberOfProcessors = 1;
});
uc.reg<uint64_t>(UC_X86_REG_RAX, STATUS_SUCCESS);
emu.reg<uint64_t>(x64_register::rax, STATUS_SUCCESS);
}
void handle_NtQuerySystemInformationEx(const unicorn& uc)
void handle_NtQuerySystemInformationEx(x64_emulator& emu)
{
const auto info_class = uc.reg<uint32_t>(UC_X86_REG_R10D);
const auto input_buffer = uc.reg(UC_X86_REG_RDX);
const auto input_buffer_length = uc.reg<uint32_t>(UC_X86_REG_R8D);
const auto system_information = uc.reg(UC_X86_REG_R9);
const auto system_information_length = static_cast<uint32_t>(uc.read_stack(5));
const emulator_object<uint32_t> return_length{uc, uc.read_stack(6)};
const auto info_class = emu.reg<uint32_t>(x64_register::r10d);
const auto input_buffer = emu.reg(x64_register::rdx);
const auto input_buffer_length = emu.reg<uint32_t>(x64_register::r8d);
const auto system_information = emu.reg(x64_register::r9);
const auto system_information_length = static_cast<uint32_t>(emu.read_stack(5));
const emulator_object<uint32_t> return_length{emu, emu.read_stack(6)};
if (info_class == SystemFlushInformation
|| info_class == SystemFeatureConfigurationInformation
|| info_class == SystemFeatureConfigurationSectionInformation)
{
uc.reg<uint64_t>(UC_X86_REG_RAX, STATUS_NOT_SUPPORTED);
emu.reg<uint64_t>(x64_register::rax, STATUS_NOT_SUPPORTED);
return;
}
@@ -234,7 +234,7 @@ namespace
{
void* buffer = calloc(1, input_buffer_length);
void* res_buff = calloc(1, system_information_length);
uc_mem_read(uc, input_buffer, buffer, input_buffer_length);
emu.read_memory(input_buffer, buffer, input_buffer_length);
uint64_t code = 0;
@@ -247,20 +247,20 @@ namespace
if (code == 0)
{
uc_mem_write(uc, system_information, res_buff, return_length.read());
emu.write_memory(system_information, res_buff, return_length.read());
}
free(buffer);
free(res_buff);
uc.reg<uint64_t>(UC_X86_REG_RAX, code);
emu.reg<uint64_t>(x64_register::rax, code);
return;
}
if (info_class != SystemBasicInformation && info_class != SystemEmulationBasicInformation)
{
printf("Unsupported system info ex class: %X\n", info_class);
uc.stop();
emu.stop();
return;
}
@@ -271,11 +271,11 @@ namespace
if (system_information_length != sizeof(SYSTEM_BASIC_INFORMATION))
{
uc.reg<uint64_t>(UC_X86_REG_RAX, STATUS_BUFFER_TOO_SMALL);
emu.reg<uint64_t>(x64_register::rax, STATUS_BUFFER_TOO_SMALL);
return;
}
const emulator_object<SYSTEM_BASIC_INFORMATION> info{uc, system_information};
const emulator_object<SYSTEM_BASIC_INFORMATION> info{emu, system_information};
info.access([&](SYSTEM_BASIC_INFORMATION& basic_info)
{
@@ -291,27 +291,27 @@ namespace
basic_info.NumberOfProcessors = 1;
});
uc.reg<uint64_t>(UC_X86_REG_RAX, STATUS_SUCCESS);
emu.reg<uint64_t>(x64_register::rax, STATUS_SUCCESS);
}
void handle_NtQueryProcessInformation(const unicorn& uc)
void handle_NtQueryProcessInformation(x64_emulator& emu)
{
const auto process_handle = uc.reg<uint64_t>(UC_X86_REG_R10);
const auto info_class = uc.reg<uint32_t>(UC_X86_REG_EDX);
const auto process_information = uc.reg(UC_X86_REG_R8);
const auto process_information_length = uc.reg<uint32_t>(UC_X86_REG_R9D);
const emulator_object<uint32_t> return_length{uc, uc.read_stack(5)};
const auto process_handle = emu.reg<uint64_t>(x64_register::r10);
const auto info_class = emu.reg<uint32_t>(x64_register::edx);
const auto process_information = emu.reg(x64_register::r8);
const auto process_information_length = emu.reg<uint32_t>(x64_register::r9d);
const emulator_object<uint32_t> return_length{emu, emu.read_stack(5)};
if (process_handle != ~0ULL)
{
uc.reg<uint64_t>(UC_X86_REG_RAX, STATUS_NOT_IMPLEMENTED);
emu.reg<uint64_t>(x64_register::rax, STATUS_NOT_IMPLEMENTED);
return;
}
if (info_class != ProcessCookie)
{
printf("Unsupported process info class: %X\n", info_class);
uc.stop();
emu.stop();
return;
}
@@ -322,27 +322,27 @@ namespace
if (process_information_length != sizeof(uint32_t))
{
uc.reg<uint64_t>(UC_X86_REG_RAX, STATUS_BUFFER_OVERFLOW);
emu.reg<uint64_t>(x64_register::rax, STATUS_BUFFER_OVERFLOW);
return;
}
const emulator_object<uint32_t> info{uc, process_information};
const emulator_object<uint32_t> info{emu, process_information};
info.write(0x01234567);
uc.reg<uint64_t>(UC_X86_REG_RAX, STATUS_SUCCESS);
emu.reg<uint64_t>(x64_register::rax, STATUS_SUCCESS);
}
void handle_NtProtectVirtualMemory(const unicorn& uc)
void handle_NtProtectVirtualMemory(x64_emulator& emu)
{
const auto process_handle = uc.reg(UC_X86_REG_R10);
const emulator_object<uint64_t> base_address{uc, uc.reg(UC_X86_REG_RDX)};
const emulator_object<uint32_t> bytes_to_protect{uc, uc.reg(UC_X86_REG_R8)};
const auto protection = uc.reg<uint32_t>(UC_X86_REG_R9D);
const emulator_object<uint32_t> old_protection{uc, uc.read_stack(5)};
const auto process_handle = emu.reg(x64_register::r10);
const emulator_object<uint64_t> base_address{emu, emu.reg(x64_register::rdx)};
const emulator_object<uint32_t> bytes_to_protect{emu, emu.reg(x64_register::r8)};
const auto protection = emu.reg<uint32_t>(x64_register::r9d);
const emulator_object<uint32_t> old_protection{emu, emu.read_stack(5)};
if (process_handle != ~0ULL)
{
uc.reg<uint64_t>(UC_X86_REG_RAX, STATUS_NOT_IMPLEMENTED);
emu.reg<uint64_t>(x64_register::rax, STATUS_NOT_IMPLEMENTED);
return;
}
@@ -352,27 +352,27 @@ namespace
const auto size = page_align_up(bytes_to_protect.read());
bytes_to_protect.write(static_cast<uint32_t>(size));
const auto current_uc_protection = get_memory_protection(uc, address);
const auto current_protection = map_unicorn_to_nt_protection(current_uc_protection);
const auto current_uc_protection = get_memory_protection(emu, address);
const auto current_protection = map_emulator_to_nt_protection(current_uc_protection);
old_protection.write(current_protection);
const auto requested_protection = map_nt_to_unicorn_protection(protection);
uce(uc_mem_protect(uc, address, size, requested_protection));
const auto requested_protection = map_nt_to_emulator_protection(protection);
emu.protect_memory(address, size, requested_protection);
uc.reg<uint64_t>(UC_X86_REG_RAX, STATUS_SUCCESS);
emu.reg<uint64_t>(x64_register::rax, STATUS_SUCCESS);
}
void handle_NtAllocateVirtualMemory(const unicorn& uc)
void handle_NtAllocateVirtualMemory(x64_emulator& emu)
{
const auto process_handle = uc.reg(UC_X86_REG_R10);
const emulator_object<uint64_t> base_address{uc, uc.reg(UC_X86_REG_RDX)};
const emulator_object<uint64_t> bytes_to_allocate{uc, uc.reg(UC_X86_REG_R9)};
//const auto allocation_type = uc.reg<uint32_t>(UC_X86_REG_R9D);
const auto page_protection = static_cast<uint32_t>(uc.read_stack(6));
const auto process_handle = emu.reg(x64_register::r10);
const emulator_object<uint64_t> base_address{emu, emu.reg(x64_register::rdx)};
const emulator_object<uint64_t> bytes_to_allocate{emu, emu.reg(x64_register::r9)};
//const auto allocation_type =emu.reg<uint32_t>(x64_register::r9d);
const auto page_protection = static_cast<uint32_t>(emu.read_stack(6));
if (process_handle != ~0ULL)
{
uc.reg<uint64_t>(UC_X86_REG_RAX, STATUS_NOT_IMPLEMENTED);
emu.reg<uint64_t>(x64_register::rax, STATUS_NOT_IMPLEMENTED);
return;
}
@@ -381,7 +381,7 @@ namespace
//allocation_bytes = align_up(allocation_bytes, allocation_granularity);
//bytes_to_allocate.write(allocation_bytes);
const auto protection = map_nt_to_unicorn_protection(page_protection);
const auto protection = map_nt_to_emulator_protection(page_protection);
auto allocate_anywhere = false;
auto allocation_base = base_address.read();
@@ -390,9 +390,9 @@ namespace
allocate_anywhere = true;
allocation_base = allocation_granularity;
}
else if (is_memory_allocated(uc, allocation_base))
else if (is_memory_allocated(emu, allocation_base))
{
uc.reg<uint64_t>(UC_X86_REG_RAX, STATUS_SUCCESS);
emu.reg<uint64_t>(x64_register::rax, STATUS_SUCCESS);
return;
}
@@ -400,34 +400,42 @@ namespace
while (true)
{
succeeded = uc_mem_map(uc, allocation_base, allocation_bytes, protection) == UC_ERR_OK;
if (succeeded || !allocate_anywhere)
try
{
emu.map_memory(allocation_base, allocation_bytes, protection);
succeeded = true;
break;
}
catch (...)
{
if (!allocate_anywhere)
{
break;
}
allocation_base += allocation_granularity;
allocation_base += allocation_granularity;
}
}
base_address.write(allocation_base);
uc.reg<uint64_t>(UC_X86_REG_RAX, succeeded
? STATUS_SUCCESS
: STATUS_NOT_SUPPORTED // No idea what the correct code is
emu.reg<uint64_t>(x64_register::rax, succeeded
? STATUS_SUCCESS
: STATUS_NOT_SUPPORTED // No idea what the correct code is
);
}
void handle_NtAllocateVirtualMemoryEx(const unicorn& uc)
void handle_NtAllocateVirtualMemoryEx(x64_emulator& emu)
{
const auto process_handle = uc.reg(UC_X86_REG_R10);
const emulator_object<uint64_t> base_address{uc, uc.reg(UC_X86_REG_RDX)};
const emulator_object<uint64_t> bytes_to_allocate{uc, uc.reg(UC_X86_REG_R8)};
//const auto allocation_type = uc.reg<uint32_t>(UC_X86_REG_R9D);
const auto page_protection = static_cast<uint32_t>(uc.read_stack(5));
const auto process_handle = emu.reg(x64_register::r10);
const emulator_object<uint64_t> base_address{emu, emu.reg(x64_register::rdx)};
const emulator_object<uint64_t> bytes_to_allocate{emu, emu.reg(x64_register::r8)};
//const auto allocation_type =emu.reg<uint32_t>(x64_register::r9d);
const auto page_protection = static_cast<uint32_t>(emu.read_stack(5));
if (process_handle != ~0ULL)
{
uc.reg<uint64_t>(UC_X86_REG_RAX, STATUS_NOT_IMPLEMENTED);
emu.reg<uint64_t>(x64_register::rax, STATUS_NOT_IMPLEMENTED);
return;
}
@@ -436,7 +444,7 @@ namespace
//allocation_bytes = align_up(allocation_bytes, allocation_granularity);
//bytes_to_allocate.write(allocation_bytes);
const auto protection = map_nt_to_unicorn_protection(page_protection);
const auto protection = map_nt_to_emulator_protection(page_protection);
auto allocate_anywhere = false;
auto allocation_base = base_address.read();
@@ -445,9 +453,9 @@ namespace
allocate_anywhere = true;
allocation_base = allocation_granularity;
}
else if (is_memory_allocated(uc, allocation_base))
else if (is_memory_allocated(emu, allocation_base))
{
uc.reg<uint64_t>(UC_X86_REG_RAX, STATUS_SUCCESS);
emu.reg<uint64_t>(x64_register::rax, STATUS_SUCCESS);
return;
}
@@ -455,51 +463,69 @@ namespace
while (true)
{
succeeded = uc_mem_map(uc, allocation_base, allocation_bytes, protection) == UC_ERR_OK;
if (succeeded || !allocate_anywhere)
try
{
emu.map_memory(allocation_base, allocation_bytes, protection);
succeeded = true;
break;
}
catch (...)
{
succeeded = false;
if (!allocate_anywhere)
{
break;
}
allocation_base += allocation_granularity;
allocation_base += allocation_granularity;
}
}
base_address.write(allocation_base);
uc.reg<uint64_t>(UC_X86_REG_RAX, succeeded
? STATUS_SUCCESS
: STATUS_NOT_SUPPORTED // No idea what the correct code is
emu.reg<uint64_t>(x64_register::rax, succeeded
? STATUS_SUCCESS
: STATUS_NOT_SUPPORTED // No idea what the correct code is
);
}
void handle_NtFreeVirtualMemory(const unicorn& uc)
void handle_NtFreeVirtualMemory(x64_emulator& emu)
{
const auto process_handle = uc.reg(UC_X86_REG_R10);
const emulator_object<uint64_t> base_address{uc, uc.reg(UC_X86_REG_RDX)};
const emulator_object<uint64_t> bytes_to_allocate{uc, uc.reg(UC_X86_REG_R8)};
const auto process_handle = emu.reg(x64_register::r10);
const emulator_object<uint64_t> base_address{emu, emu.reg(x64_register::rdx)};
const emulator_object<uint64_t> bytes_to_allocate{emu, emu.reg(x64_register::r8)};
if (process_handle != ~0ULL)
{
uc.reg<uint64_t>(UC_X86_REG_RAX, STATUS_NOT_IMPLEMENTED);
emu.reg<uint64_t>(x64_register::rax, STATUS_NOT_IMPLEMENTED);
return;
}
const auto allocation_base = base_address.read();
const auto allocation_size = bytes_to_allocate.read();
const auto succeeded = uc_mem_unmap(uc, allocation_base, allocation_size) == UC_ERR_OK;
bool succeeded = false;
try
{
emu.unmap_memory(allocation_base, allocation_size);
succeeded = true;
}
catch (...)
{
succeeded = false;
}
uc.reg<uint64_t>(UC_X86_REG_RAX, succeeded
? STATUS_SUCCESS
: STATUS_NOT_SUPPORTED // No idea what the correct code is
emu.reg<uint64_t>(x64_register::rax, succeeded
? STATUS_SUCCESS
: STATUS_NOT_SUPPORTED // No idea what the correct code is
);
}
}
void handle_syscall(x64_emulator& emu, process_context& context)
{
const auto address = uc.reg(UC_X86_REG_RIP);
const auto syscall_id = uc.reg<uint32_t>(UC_X86_REG_EAX);
const auto address = emu.reg(x64_register::rip);
const auto syscall_id = emu.reg<uint32_t>(x64_register::eax);
printf("Handling syscall: %X (%llX)\n", syscall_id, address);
@@ -508,56 +534,56 @@ void handle_syscall(x64_emulator& emu, process_context& context)
switch (syscall_id)
{
case 0x12:
handle_NtOpenKey(uc);
handle_NtOpenKey(emu);
break;
case 0x18:
handle_NtAllocateVirtualMemory(uc);
handle_NtAllocateVirtualMemory(emu);
break;
case 0x1E:
handle_NtFreeVirtualMemory(uc);
handle_NtFreeVirtualMemory(emu);
break;
case 0x19:
handle_NtQueryProcessInformation(uc);
handle_NtQueryProcessInformation(emu);
break;
case 0x23:
handle_NtQueryVirtualMemory(uc, context);
handle_NtQueryVirtualMemory(emu, context);
break;
case 0x31:
handle_NtQueryPerformanceCounter(uc);
handle_NtQueryPerformanceCounter(emu);
break;
case 0x36:
handle_NtQuerySystemInformation(uc);
handle_NtQuerySystemInformation(emu);
break;
case 0x48:
handle_NtCreateEvent(uc, context);
handle_NtCreateEvent(emu, context);
break;
case 0x50:
handle_NtProtectVirtualMemory(uc);
handle_NtProtectVirtualMemory(emu);
break;
case 0x5E:
handle_NtTraceEvent(uc);
handle_NtTraceEvent(emu);
break;
case 0x78:
handle_NtAllocateVirtualMemoryEx(uc);
handle_NtAllocateVirtualMemoryEx(emu);
break;
case 0xB2:
handle_NtCreateIoCompletion(uc);
handle_NtCreateIoCompletion(emu);
break;
case 0x11A:
handle_NtManageHotPatch(uc);
handle_NtManageHotPatch(emu);
break;
case 0x16E:
handle_NtQuerySystemInformationEx(uc);
handle_NtQuerySystemInformationEx(emu);
break;
default:
printf("Unhandled syscall: %X\n", syscall_id);
uc.reg<uint64_t>(UC_X86_REG_RAX, STATUS_NOT_IMPLEMENTED);
uc.stop();
emu.reg<uint64_t>(x64_register::rax, STATUS_NOT_IMPLEMENTED);
emu.stop();
break;
}
}
catch (...)
{
uc.reg<uint64_t>(UC_X86_REG_RAX, STATUS_UNSUCCESSFUL);
emu.reg<uint64_t>(x64_register::rax, STATUS_UNSUCCESSFUL);
}
}