diff --git a/src/analyzer/main.cpp b/src/analyzer/main.cpp index 5e3539d1..7df70c43 100644 --- a/src/analyzer/main.cpp +++ b/src/analyzer/main.cpp @@ -15,6 +15,10 @@ namespace void watch_system_objects(windows_emulator& win_emu, const bool cache_logging) { + (void)win_emu; + (void)cache_logging; + +#ifdef OS_WINDOWS watch_object(win_emu, *win_emu.current_thread().teb, cache_logging); watch_object(win_emu, win_emu.process().peb, cache_logging); watch_object(win_emu, emulator_object{win_emu.emu(), kusd_mmio::address()}, cache_logging); @@ -37,6 +41,7 @@ namespace params_hook = watch_object(win_emu, obj, cache_logging); } }); +#endif } void run_emulation(windows_emulator& win_emu, const analysis_options& options) diff --git a/src/common/platform/file_management.hpp b/src/common/platform/file_management.hpp index 2ae4960f..48c42332 100644 --- a/src/common/platform/file_management.hpp +++ b/src/common/platform/file_management.hpp @@ -58,6 +58,8 @@ #define FILE_NON_DIRECTORY_FILE 0x00000040 #define FILE_CREATE_TREE_CONNECTION 0x00000080 +#define FILE_ATTRIBUTE_NORMAL 0x00000080 + #define PS_ATTRIBUTE_NUMBER_MASK 0x0000ffff #define PS_ATTRIBUTE_THREAD 0x00010000 // may be used with thread creation #define PS_ATTRIBUTE_INPUT 0x00020000 // input only @@ -178,17 +180,6 @@ typedef enum _FILE_INFORMATION_CLASS FileMaximumInformation } FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS; -#ifndef OS_WINDOWS -typedef enum _SECURITY_IMPERSONATION_LEVEL { - SecurityAnonymous, - SecurityIdentification, - SecurityImpersonation, - SecurityDelegation -} SECURITY_IMPERSONATION_LEVEL, *PSECURITY_IMPERSONATION_LEVEL; - - -#endif - typedef enum _OBJECT_INFORMATION_CLASS { ObjectBasicInformation, // q: OBJECT_BASIC_INFORMATION diff --git a/src/common/platform/process.hpp b/src/common/platform/process.hpp index f5784778..9f04c1d7 100644 --- a/src/common/platform/process.hpp +++ b/src/common/platform/process.hpp 
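Review bot: On non-Windows hosts `watch_system_objects` now returns without installing any of the TEB/PEB/KUSD watches, and neither the caller nor the log is told, so a trace with no object-access output on Linux looks identical to a quiet run; add a comment at the `#ifdef OS_WINDOWS`, or a log line in an `#else` branch, stating that system-object watching is Windows-host only for now. The two `(void)` casts are only needed when the body is compiled out, so they belong in that same `#else` branch rather than before the `#ifdef`: `#else` / `(void)win_emu;` / `(void)cache_logging;`. The function body spans this hunk and the next one, which closes it with `#endif`.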
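Review bot: `FILE_ATTRIBUTE_NORMAL` is inserted directly under the `FILE_*` create-option flags (`FILE_NON_DIRECTORY_FILE`, `FILE_CREATE_TREE_CONNECTION`) although it belongs to the separate FILE_ATTRIBUTE_* family that merely shares the bit value 0x80 with `FILE_CREATE_TREE_CONNECTION`; two adjacent `0x00000080` lines will read as a copy-paste duplicate. Add a separating comment such as `// FILE_ATTRIBUTE_* bits (file attributes, unrelated to the create options above)`, or move the define next to any other FILE_ATTRIBUTE_* values the header already has.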
@@ -679,6 +679,55 @@ struct TOKEN_USER64 { SID_AND_ATTRIBUTES64 User; }; +struct TOKEN_BNO_ISOLATION_INFORMATION64 { + EmulatorTraits::PVOID IsolationPrefix; + BOOLEAN IsolationEnabled; +}; + +struct TOKEN_MANDATORY_LABEL64 { + SID_AND_ATTRIBUTES64 Label; +}; + +#ifndef OS_WINDOWS + +typedef enum _TOKEN_TYPE { + TokenPrimary = 1, + TokenImpersonation +} TOKEN_TYPE; +typedef TOKEN_TYPE* PTOKEN_TYPE; + +typedef struct _TOKEN_ELEVATION { + DWORD TokenIsElevated; +} TOKEN_ELEVATION, * PTOKEN_ELEVATION; + +typedef enum _SECURITY_IMPERSONATION_LEVEL { + SecurityAnonymous, + SecurityIdentification, + SecurityImpersonation, + SecurityDelegation +} SECURITY_IMPERSONATION_LEVEL, *PSECURITY_IMPERSONATION_LEVEL; + + +typedef struct _LUID { + DWORD LowPart; + LONG HighPart; +} LUID, *PLUID; + +typedef struct _TOKEN_STATISTICS { + LUID TokenId; + LUID AuthenticationId; + LARGE_INTEGER ExpirationTime; + TOKEN_TYPE TokenType; + SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; + DWORD DynamicCharged; + DWORD DynamicAvailable; + DWORD GroupCount; + DWORD PrivilegeCount; + LUID ModifiedId; +} TOKEN_STATISTICS, *PTOKEN_STATISTICS; + +#endif + typedef struct _TOKEN_SECURITY_ATTRIBUTES_INFORMATION { USHORT Version; diff --git a/src/common/platform/status.hpp b/src/common/platform/status.hpp index af8b8d8c..1eae6778 100644 --- a/src/common/platform/status.hpp +++ b/src/common/platform/status.hpp @@ -25,6 +25,7 @@ using NTSTATUS = std::uint32_t; #define STATUS_NO_MORE_FILES ((NTSTATUS)0x80000006L) +#define STATUS_ILLEGAL_INSTRUCTION ((DWORD )0xC000001DL) #define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L) #define STATUS_BUFFER_TOO_SMALL ((NTSTATUS)0xC0000023L) #define STATUS_OBJECT_NAME_NOT_FOUND ((NTSTATUS)0xC0000034L) diff --git a/src/windows-emulator/syscall_utils.hpp b/src/windows-emulator/syscall_utils.hpp index f9ae5c2a..9072438b 100644 --- a/src/windows-emulator/syscall_utils.hpp +++ b/src/windows-emulator/syscall_utils.hpp 
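Review bot: `TOKEN_BNO_ISOLATION_INFORMATION64` and `TOKEN_MANDATORY_LABEL64` are copied straight into guest memory by the TokenBnoIsolation and TokenIntegrityLevel paths this commit changes in syscalls.cpp, so their host-side size and padding become the guest-visible ABI, and nothing here pins that layout. A `static_assert(sizeof(TOKEN_BNO_ISOLATION_INFORMATION64) == 16);` after the struct (a PVOID-sized field followed by a BOOLEAN, presumably padded to 16 on the x64 guest ABI) would catch a host compiler or packing option that changes it, and the same applies to `TOKEN_MANDATORY_LABEL64` if `SID_AND_ATTRIBUTES64` is 16 bytes. Inside the `#ifndef OS_WINDOWS` block, `* PTOKEN_ELEVATION` and `*PTOKEN_TYPE` use two different pointer-declarator spellings; pick one.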
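Review bot: `STATUS_ILLEGAL_INSTRUCTION` is the only entry cast to `(DWORD )` while every neighbouring line casts to `(NTSTATUS)`, and the stray space inside the parentheses reads like a typo. If that spelling is deliberate, presumably so the macro stays token-identical with the Windows SDK's own definition on Windows hosts where redefining it differently would be diagnosed, say so in a trailing comment, e.g. `// spelled exactly as the SDK header does so the redefinition is identical on Windows hosts`; otherwise use `((NTSTATUS)0xC000001DL)` like the rest. The consumer in windows_emulator.cpp already wraps it in a `static_cast`, so either spelling yields the same value.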
@@ -1,6 +1,7 @@ #pragma once #include "windows_emulator.hpp" +#include struct syscall_context { @@ -269,6 +270,10 @@ inline std::chrono::system_clock::time_point convert_from_ksystem_time(const vol return convert_from_ksystem_time(*const_cast(&time)); } +#ifndef OS_WINDOWS +using __time64_t = uint64_t; +#endif + inline LARGE_INTEGER convert_unix_to_windows_time(const __time64_t unix_time) { LARGE_INTEGER windows_time{}; diff --git a/src/windows-emulator/syscalls.cpp b/src/windows-emulator/syscalls.cpp index 8ae5b82e..b15f5d5e 100644 --- a/src/windows-emulator/syscalls.cpp +++ b/src/windows-emulator/syscalls.cpp @@ -12,6 +12,8 @@ #include #include +#include + namespace { NTSTATUS handle_NtQueryPerformanceCounter(const syscall_context& c, @@ -1409,15 +1411,15 @@ namespace { if (return_length) { - return_length.write(sizeof(ULONG_PTR)); + return_length.write(sizeof(EmulatorTraits::PVOID)); } - if (thread_information_length != sizeof(ULONG_PTR)) + if (thread_information_length != sizeof(EmulatorTraits::PVOID)) { return STATUS_BUFFER_OVERFLOW; } - const emulator_object info{c.emu, thread_information}; + const emulator_object::PVOID> info{c.emu, thread_information}; info.write(thread->start_address); return STATUS_SUCCESS; @@ -2433,7 +2435,7 @@ namespace if (token_information_class == TokenIntegrityLevel) { - constexpr auto required_size = sizeof(sid) + sizeof(TOKEN_MANDATORY_LABEL); + constexpr auto required_size = sizeof(sid) + sizeof(TOKEN_MANDATORY_LABEL64); return_length.write(required_size); if (required_size > token_information_length) 
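Review bot: `using __time64_t = uint64_t;` gives the non-Windows build an unsigned type, whereas the `__time64_t` the Windows build picks up from the CRT is a signed 64-bit integer, so `convert_unix_to_windows_time` (whose body continues past this hunk) behaves differently across hosts for negative pre-1970 inputs and for any arithmetic with the signed `LARGE_INTEGER` it fills; `using __time64_t = int64_t;` matches the original definition. A double-underscore identifier is reserved for the implementation, which is tolerable for a compatibility shim but deserves a one-line comment such as `// mirrors the CRT typedef so the shared signature compiles on both hosts` so nobody "fixes" the name later.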
@@ -2441,18 +2443,18 @@ namespace return STATUS_BUFFER_TOO_SMALL; } - TOKEN_MANDATORY_LABEL label{}; + TOKEN_MANDATORY_LABEL64 label{}; label.Label.Attributes = 0; - label.Label.Sid = reinterpret_cast(token_information + sizeof(TOKEN_MANDATORY_LABEL)); + label.Label.Sid = token_information + sizeof(TOKEN_MANDATORY_LABEL64); - emulator_object{c.emu, token_information}.write(label); - c.emu.write_memory(token_information + sizeof(TOKEN_MANDATORY_LABEL), sid, sizeof(sid)); + emulator_object{c.emu, token_information}.write(label); + c.emu.write_memory(token_information + sizeof(TOKEN_MANDATORY_LABEL64), sid, sizeof(sid)); return STATUS_SUCCESS; } if (token_information_class == TokenBnoIsolation) { - constexpr auto required_size = sizeof(TOKEN_BNO_ISOLATION_INFORMATION); + constexpr auto required_size = sizeof(TOKEN_BNO_ISOLATION_INFORMATION64); return_length.write(required_size); if (required_size > token_information_length) @@ -2460,8 +2462,8 @@ namespace return STATUS_BUFFER_TOO_SMALL; } - c.emu.write_memory(token_information, TOKEN_BNO_ISOLATION_INFORMATION{ - .IsolationPrefix = nullptr, + c.emu.write_memory(token_information, TOKEN_BNO_ISOLATION_INFORMATION64{ + .IsolationPrefix = 0, .IsolationEnabled = 0, }); @@ -2897,10 +2899,11 @@ namespace const auto filename = read_unicode_string(c.emu, emulator_object>>{c.emu, attributes.ObjectName}); const auto u8_filename = u16_to_u8(filename); - struct _stat64 file_stat{}; #ifdef OS_WINDOWS + struct _stat64 file_stat{}; if (_stat64(u8_filename.c_str(), &file_stat) != 0) #else + struct stat64 file_stat{}; if (stat64(u8_filename.c_str(), &file_stat) != 0) #endif { @@ -3398,7 +3401,7 @@ namespace thread_context.access([&](CONTEXT64& context) { - if (context.ContextFlags & CONTEXT_DEBUG_REGISTERS) + if (context.ContextFlags & CONTEXT_DEBUG_REGISTERS_64) { c.win_emu.log.print(color::pink, "--> Reading debug registers!\n"); } 
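Review bot: `struct stat64` / `stat64()` in the `#else` branch of the file-query path is a glibc extension that needs `_LARGEFILE64_SOURCE` or `_GNU_SOURCE` and is deprecated or absent on macOS and the BSDs; on 64-bit POSIX targets `struct stat` already carries a 64-bit `st_size`, so `struct stat file_stat{}; if (stat(u8_filename.c_str(), &file_stat) != 0)` is the portable spelling with no loss of range. Declaring `file_stat` inside each branch is fine since both land in the same scope. Note for context that `u8_filename` appears to be the guest-supplied ObjectName handed to the host lookup unchanged; that is pre-existing behaviour outside this hunk, not something the commit introduces.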
diff --git a/src/windows-emulator/windows_emulator.cpp b/src/windows-emulator/windows_emulator.cpp index 2be59a85..64fd2481 100644 --- a/src/windows-emulator/windows_emulator.cpp +++ b/src/windows-emulator/windows_emulator.cpp @@ -436,12 +436,12 @@ namespace ctx.ContextFlags = CONTEXT64_ALL; context_frame::save(emu, ctx); - EXCEPTION_RECORD record{}; + EMU_EXCEPTION_RECORD> record{}; memset(&record, 0, sizeof(record)); record.ExceptionCode = static_cast(STATUS_ILLEGAL_INSTRUCTION); record.ExceptionFlags = 0; - record.ExceptionRecord = nullptr; - record.ExceptionAddress = reinterpret_cast(emu.read_instruction_pointer()); + record.ExceptionRecord = 0; + record.ExceptionAddress = static_cast::PVOID>(emu.read_instruction_pointer()); record.NumberParameters = 0; EMU_EXCEPTION_POINTERS> pointers{};