Small fixes

2026-01-19 11:43:56 +00:00 · 2025-08-17 07:26:11 +02:00
parent eb3a685f67
commit 9c29f26647
7 changed files with 58 additions and 4 deletions
--- a/src/analyzer/analysis.cpp
+++ b/src/analyzer/analysis.cpp
@@ -29,11 +29,44 @@ namespace
        };
    }

+    std::string get_instruction_string(const emulator& emu, const uint64_t address)
+    {
+        std::vector<uint8_t> instruction_bytes(15, 0);
+        const auto result = emu.try_read_memory(address, instruction_bytes.data(), instruction_bytes.size());
+        if (!result)
+        {
+            return {};
+        }
+
+        disassembler disasm{};
+        const auto instructions = disasm.disassemble(instruction_bytes, 1);
+        if (instructions.empty())
+        {
+            return {};
+        }
+
+        auto& inst = instructions[0];
+
+        return std::string(inst.mnemonic) + (strlen(inst.op_str) ? " "s + inst.op_str : "");
+    }
+
    void handle_suspicious_activity(const analysis_context& c, const std::string_view details)
    {
+        std::string addition{};
        const auto rip = c.win_emu->emu().read_instruction_pointer();
-        c.win_emu->log.print(color::pink, "Suspicious: %.*s at 0x%" PRIx64 " (via 0x%" PRIx64 ")\n", STR_VIEW_VA(details), rip,
-                             c.win_emu->process.previous_ip);
+
+        // TODO: Pass enum?
+        if (details == "Illegal instruction")
+        {
+            const auto inst = get_instruction_string(c.win_emu->emu(), rip);
+            if (!inst.empty())
+            {
+                addition = " (" + inst + ")";
+            }
+        }
+
+        c.win_emu->log.print(color::pink, "Suspicious: %.*s%.*s at 0x%" PRIx64 " (via 0x%" PRIx64 ")\n", STR_VIEW_VA(details),
+                             STR_VIEW_VA(addition), rip, c.win_emu->process.previous_ip);
    }

    void handle_debug_string(const analysis_context& c, const std::string_view details)
--- a/src/windows-emulator/emulator_thread.cpp
+++ b/src/windows-emulator/emulator_thread.cpp
@@ -117,6 +117,7 @@ emulator_thread::emulator_thread(memory_manager& memory, const process_context&
        teb_obj.NtTib.StackLimit = this->stack_base;
        teb_obj.NtTib.StackBase = this->stack_base + this->stack_size;
        teb_obj.NtTib.Self = this->teb->value();
+        teb_obj.CurrentLocale = 0x409;
        teb_obj.ProcessEnvironmentBlock = context.peb.value();
    });
 }
--- a/src/windows-emulator/emulator_utils.hpp
+++ b/src/windows-emulator/emulator_utils.hpp
@@ -367,7 +367,7 @@ inline std::u16string read_unicode_string(emulator& emu, const uint64_t uc_strin
    return read_unicode_string(emu, emulator_object<UNICODE_STRING<EmulatorTraits<Emu64>>>{emu, uc_string});
 }

-inline uint64_t get_function_argument(x86_64_emulator& emu, const size_t index, bool is_syscall = false)
+inline uint64_t get_function_argument(x86_64_emulator& emu, const size_t index, const bool is_syscall = false)
 {
    switch (index)
    {
--- a/src/windows-emulator/module/module_manager.hpp
+++ b/src/windows-emulator/module/module_manager.hpp
@@ -39,6 +39,19 @@ class module_manager
        return nullptr;
    }

+    mapped_module* find_by_name(const std::string_view name)
+    {
+        for (auto& mod : this->modules_ | std::views::values)
+        {
+            if (mod.name == name)
+            {
+                return &mod;
+            }
+        }
+
+        return nullptr;
+    }
+
    const char* find_name(const uint64_t address)
    {
        const auto* mod = this->find_by_address(address);
--- a/src/windows-emulator/syscall_utils.hpp
+++ b/src/windows-emulator/syscall_utils.hpp
@@ -3,7 +3,7 @@
 #include "windows_emulator.hpp"
 #include <ctime>
 #include <platform/primitives.hpp>
-#include "windows-emulator/devices/named_pipe.hpp"
+#include "devices/named_pipe.hpp"

 struct syscall_context
 {
--- a/src/windows-emulator/syscalls.cpp
+++ b/src/windows-emulator/syscalls.cpp
@@ -180,6 +180,7 @@ namespace syscalls
                                              /*receive_message_attributes*/,
                                              emulator_object<LARGE_INTEGER> /*timeout*/);
    NTSTATUS handle_NtAlpcConnectPort();
+    NTSTATUS handle_NtAlpcConnectPortEx();

    // syscalls/process.cpp:
    NTSTATUS handle_NtQueryInformationProcess(const syscall_context& c, handle process_handle, uint32_t info_class,
@@ -1050,6 +1051,7 @@ void syscall_dispatcher::add_handlers(std::map<std::string, syscall_handler>& ha
    add_handler(NtEnumerateKey);
    add_handler(NtEnumerateValueKey);
    add_handler(NtAlpcConnectPort);
+    add_handler(NtAlpcConnectPortEx);
    add_handler(NtGetNextThread);
    add_handler(NtSetInformationObject);
    add_handler(NtUserGetCursorPos);
--- a/src/windows-emulator/syscalls/port.cpp
+++ b/src/windows-emulator/syscalls/port.cpp
@@ -94,4 +94,9 @@ namespace syscalls
    {
        return STATUS_NOT_SUPPORTED;
    }
+
+    NTSTATUS handle_NtAlpcConnectPortEx()
+    {
+        return STATUS_NOT_SUPPORTED;
+    }
 }