From 9c29f266479b83d729909475e69bfdf3411938aa Mon Sep 17 00:00:00 2001
From: momo5502
Date: Sun, 17 Aug 2025 07:26:11 +0200
Subject: [PATCH] Small fixes

---
 src/analyzer/analysis.cpp | 37 ++++++++++++++++++-
 src/windows-emulator/emulator_thread.cpp | 1 +
 src/windows-emulator/emulator_utils.hpp | 2 +-
 .../module/module_manager.hpp | 13 +++++++
 src/windows-emulator/syscall_utils.hpp | 2 +-
 src/windows-emulator/syscalls.cpp | 2 +
 src/windows-emulator/syscalls/port.cpp | 5 +++
 7 files changed, 58 insertions(+), 4 deletions(-)

diff --git a/src/analyzer/analysis.cpp b/src/analyzer/analysis.cpp
index b05ce8f0..444e61a6 100644
--- a/src/analyzer/analysis.cpp
+++ b/src/analyzer/analysis.cpp
@@ -29,11 +29,44 @@ namespace
 };
 }
 
+ std::string get_instruction_string(const emulator& emu, const uint64_t address)
+ {
+ std::vector instruction_bytes(15, 0);
+ const auto result = emu.try_read_memory(address, instruction_bytes.data(), instruction_bytes.size());
+ if (!result)
+ {
+ return {};
+ }
+
+ disassembler disasm{};
+ const auto instructions = disasm.disassemble(instruction_bytes, 1);
+ if (instructions.empty())
+ {
+ return {};
+ }
+
+ auto& inst = instructions[0];
+
+ return std::string(inst.mnemonic) + (strlen(inst.op_str) ? " "s + inst.op_str : "");
+ }
+
 void handle_suspicious_activity(const analysis_context& c, const std::string_view details)
 {
+ std::string addition{};
 const auto rip = c.win_emu->emu().read_instruction_pointer();
- c.win_emu->log.print(color::pink, "Suspicious: %.*s at 0x%" PRIx64 " (via 0x%" PRIx64 ")\n", STR_VIEW_VA(details), rip,
- c.win_emu->process.previous_ip);
+
+ // TODO: Pass enum?
+ if (details == "Illegal instruction")
+ {
+ const auto inst = get_instruction_string(c.win_emu->emu(), rip);
+ if (!inst.empty())
+ {
+ addition = " (" + inst + ")";
+ }
+ }
+
+ c.win_emu->log.print(color::pink, "Suspicious: %.*s%.*s at 0x%" PRIx64 " (via 0x%" PRIx64 ")\n", STR_VIEW_VA(details),
+ STR_VIEW_VA(addition), rip, c.win_emu->process.previous_ip);
 }
 
 void handle_debug_string(const analysis_context& c, const std::string_view details)
diff --git a/src/windows-emulator/emulator_thread.cpp b/src/windows-emulator/emulator_thread.cpp
index 86e73e32..19af1b48 100644
--- a/src/windows-emulator/emulator_thread.cpp
+++ b/src/windows-emulator/emulator_thread.cpp
@@ -117,6 +117,7 @@ emulator_thread::emulator_thread(memory_manager& memory, const process_context&
 teb_obj.NtTib.StackLimit = this->stack_base;
 teb_obj.NtTib.StackBase = this->stack_base + this->stack_size;
 teb_obj.NtTib.Self = this->teb->value();
+ teb_obj.CurrentLocale = 0x409;
 teb_obj.ProcessEnvironmentBlock = context.peb.value();
 });
 }
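Review bot: `get_instruction_string` gives up whenever the fixed 15-byte probe at `address` cannot be read in full, so an illegal instruction that sits within the last 14 bytes of a mapped region loses its disassembly even though the faulting bytes themselves are readable, assuming `try_read_memory` is all-or-nothing as its single boolean result suggests. Shrinking the window on failure keeps the log detail for exactly the boundary cases an analyst most wants to see, and only the read stage changes. The element type of `instruction_bytes` appears stripped in this rendering, so the sketch below keeps the original declaration as written. `handle_suspicious_activity` itself is fine; the `%.*s` pair with `STR_VIEW_VA` bounds both pieces of the message.
```cpp
std::string get_instruction_string(const emulator& emu, const uint64_t address)
{
    // An x86-64 instruction is at most 15 bytes, but the one at `address` may be
    // shorter and end right before unmapped memory: fall back to smaller windows
    // instead of dropping the disassembly entirely.
    std::vector instruction_bytes(15, 0);
    auto length = instruction_bytes.size();
    while (length > 0 && !emu.try_read_memory(address, instruction_bytes.data(), length))
    {
        --length;
    }

    if (length == 0)
    {
        return {};
    }

    instruction_bytes.resize(length);

    // … unchanged: disassemble and build "mnemonic op_str" …
}
```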
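Review bot: `teb_obj.CurrentLocale = 0x409;` is a bare magic number in the TEB setup; the value is the en-US locale identifier and a reader should not have to look it up to understand what the emulated thread claims. Annotate the line, `teb_obj.CurrentLocale = 0x409; // LCID 0x0409 = en-US`, or hoist it into a named constant next to the other TEB defaults. The enclosing `emulator_thread` constructor starts before this hunk.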
diff --git a/src/windows-emulator/emulator_utils.hpp b/src/windows-emulator/emulator_utils.hpp
index 53d82995..97c07605 100644
--- a/src/windows-emulator/emulator_utils.hpp
+++ b/src/windows-emulator/emulator_utils.hpp
@@ -367,7 +367,7 @@ inline std::u16string read_unicode_string(emulator& emu, const uint64_t uc_strin
 return read_unicode_string(emu, emulator_object>>{emu, uc_string});
 }
 
-inline uint64_t get_function_argument(x86_64_emulator& emu, const size_t index, bool is_syscall = false)
+inline uint64_t get_function_argument(x86_64_emulator& emu, const size_t index, const bool is_syscall = false)
 {
 switch (index)
 {
diff --git a/src/windows-emulator/module/module_manager.hpp b/src/windows-emulator/module/module_manager.hpp
index 25acdf40..897cc777 100644
--- a/src/windows-emulator/module/module_manager.hpp
+++ b/src/windows-emulator/module/module_manager.hpp
@@ -39,6 +39,19 @@ class module_manager
 return nullptr;
 }
 
+ mapped_module* find_by_name(const std::string_view name)
+ {
+ for (auto& mod : this->modules_ | std::views::values)
+ {
+ if (mod.name == name)
+ {
+ return &mod;
+ }
+ }
+
+ return nullptr;
+ }
+
 const char* find_name(const uint64_t address)
 {
 const auto* mod = this->find_by_address(address);
diff --git a/src/windows-emulator/syscall_utils.hpp b/src/windows-emulator/syscall_utils.hpp
index 27b9d3d5..0fe55849 100644
--- a/src/windows-emulator/syscall_utils.hpp
+++ b/src/windows-emulator/syscall_utils.hpp
@@ -3,7 +3,7 @@
 #include "windows_emulator.hpp"
 #include
 #include
-#include "windows-emulator/devices/named_pipe.hpp"
+#include "devices/named_pipe.hpp"
 
 struct syscall_context
 {
diff --git a/src/windows-emulator/syscalls.cpp b/src/windows-emulator/syscalls.cpp
index 1b1698da..72238d38 100644
--- a/src/windows-emulator/syscalls.cpp
+++ b/src/windows-emulator/syscalls.cpp
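Review bot: `find_by_name` compares `mod.name == name` exactly, while Windows resolves module names case-insensitively; unless `mod.name` is normalized when the module is mapped (not visible here), a lookup that differs from the stored name only in case returns `nullptr` and the caller will treat the module as absent. Either document that callers must pass the stored spelling or compare case-insensitively. The loop also returns the first of possibly several modules with the same name in map iteration order, which deserves a comment such as `// Returns the first loaded module whose name matches exactly, or nullptr.` The `module_manager` class continues outside this hunk.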
@@ -180,6 +180,7 @@ namespace syscalls
 /*receive_message_attributes*/, emulator_object /*timeout*/);
 NTSTATUS handle_NtAlpcConnectPort();
+ NTSTATUS handle_NtAlpcConnectPortEx();
 
 // syscalls/process.cpp:
 NTSTATUS handle_NtQueryInformationProcess(const syscall_context& c, handle process_handle, uint32_t info_class,
@@ -1050,6 +1051,7 @@ void syscall_dispatcher::add_handlers(std::map& ha
 add_handler(NtEnumerateKey);
 add_handler(NtEnumerateValueKey);
 add_handler(NtAlpcConnectPort);
+ add_handler(NtAlpcConnectPortEx);
 add_handler(NtGetNextThread);
 add_handler(NtSetInformationObject);
 add_handler(NtUserGetCursorPos);
diff --git a/src/windows-emulator/syscalls/port.cpp b/src/windows-emulator/syscalls/port.cpp
index 64363c77..fcaf7319 100644
--- a/src/windows-emulator/syscalls/port.cpp
+++ b/src/windows-emulator/syscalls/port.cpp
@@ -94,4 +94,9 @@ namespace syscalls
 {
 return STATUS_NOT_SUPPORTED;
 }
+
+ NTSTATUS handle_NtAlpcConnectPortEx()
+ {
+ return STATUS_NOT_SUPPORTED;
+ }
 }
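Review bot: `handle_NtAlpcConnectPortEx` is a parameterless stub that returns `STATUS_NOT_SUPPORTED`, mirroring the handler directly above it, so a sample that takes the Ex variant gets the same silent failure and, unless the dispatcher traces every syscall centrally, nothing in the log records that an ALPC connect was attempted. A one-line comment on the stub, `// ALPC connects are not emulated; the guest observes STATUS_NOT_SUPPORTED.`, would tell the next reader this is deliberate rather than unfinished. The declaration and `add_handler(NtAlpcConnectPortEx);` registration in the two syscalls.cpp hunks are plain wiring for this stub. The `namespace syscalls` block starts before this hunk.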