From c3a760daceb91abd575650b0dd95fda171039740 Mon Sep 17 00:00:00 2001
From: ahm3dgg
Date: Wed, 7 Jan 2026 08:23:00 +0200
Subject: [PATCH] Fixed Formatting
---
 src/common/platform/win_pefile.hpp | 6 +-
 src/windows-emulator/apiset/apiset.hpp | 2 +-
 .../module/module_manager.cpp | 5 +-
 .../module/module_manager.hpp | 11 +-
 src/windows-emulator/process_context.cpp | 254 +++++++++---------
 src/windows-emulator/syscalls/section.cpp | 2 +-
 6 files changed, 142 insertions(+), 138 deletions(-)
diff --git a/src/common/platform/win_pefile.hpp b/src/common/platform/win_pefile.hpp
index b7276975..bdeb9bcf 100644
--- a/src/common/platform/win_pefile.hpp
+++ b/src/common/platform/win_pefile.hpp
@@ -506,7 +506,7 @@ namespace winpe
 pe32,
 pe64
 };
-
+
 template
 inline uint64_t get_first_section_offset(const PENTHeaders_t& nt_headers, const uint64_t nt_headers_offset)
 {
@@ -528,8 +528,8 @@ namespace winpe
 }
 template
- IMAGE_SECTION_HEADER get_section_header_by_rva(const utils::safe_buffer_accessor& buffer, const PENTHeaders_t& nt_headers,
- uint64_t nt_headers_offset, uint64_t rva)
+ IMAGE_SECTION_HEADER get_section_header_by_rva(const utils::safe_buffer_accessor& buffer,
+ const PENTHeaders_t& nt_headers, uint64_t nt_headers_offset, uint64_t rva)
 {
 IMAGE_SECTION_HEADER section_header = {};
diff --git a/src/windows-emulator/apiset/apiset.hpp b/src/windows-emulator/apiset/apiset.hpp
index d6d83e58..d97a30e9 100644
--- a/src/windows-emulator/apiset/apiset.hpp
+++ b/src/windows-emulator/apiset/apiset.hpp
@@ -34,4 +34,4 @@ namespace apiset
 const API_SET_NAMESPACE& orig_api_set_map);
 emulator_object clone(x86_64_emulator& emu, emulator_allocator& allocator, const container& container);
-}
\ No newline at end of file
+}
diff --git a/src/windows-emulator/module/module_manager.cpp b/src/windows-emulator/module/module_manager.cpp
index 867fae25..746b9005 100644
--- a/src/windows-emulator/module/module_manager.cpp
+++ b/src/windows-emulator/module/module_manager.cpp
@@ -220,7 +220,7 @@ mapped_module* module_manager::map_module_core(const pe_detection_result& detect
 [[maybe_unused]] auto& strategy = strategy_factory_.get_strategy(detection_result.architecture);
 mapped_module mod = mapper();
 mod.is_static = is_static;
-
+
 if (!mod.path.empty())
 {
 this->module_load_count[mod.path]++;
@@ -469,7 +469,8 @@ mapped_module* module_manager::map_module(const windows_path& file, const logger
 }
 // Refactored map_local_module using the new architecture
-mapped_module* module_manager::map_local_module(const std::filesystem::path& file, const logger& logger, const bool is_static, bool allow_duplicate)
+mapped_module* module_manager::map_local_module(const std::filesystem::path& file, const logger& logger, const bool is_static,
+ bool allow_duplicate)
 {
 auto local_file = weakly_canonical(absolute(file));
diff --git a/src/windows-emulator/module/module_manager.hpp b/src/windows-emulator/module/module_manager.hpp
index 95fae0fe..95fd671e 100644
--- a/src/windows-emulator/module/module_manager.hpp
+++ b/src/windows-emulator/module/module_manager.hpp
@@ -91,12 +91,15 @@ class module_manager
 module_manager(memory_manager& memory, file_system& file_sys, callbacks& cb);
- void map_main_modules(const windows_path& executable_path, const windows_path& system32_path, const windows_path& syswow64_path, const logger& logger);
+ void map_main_modules(const windows_path& executable_path, const windows_path& system32_path, const windows_path& syswow64_path,
+ const logger& logger);
 std::optional get_module_load_count_by_path(const std::filesystem::path& path);
 mapped_module* map_module(const windows_path& file, const logger& logger, bool is_static = false, bool allow_duplicate = false);
- mapped_module* map_local_module(const std::filesystem::path& file, const logger& logger, bool is_static = false, bool allow_duplicate = false);
- mapped_module* map_memory_module(uint64_t base_address, uint64_t image_size, const std::string& module_name, const logger& logger, bool is_static = false, bool allow_duplicate = false);
+ mapped_module* map_local_module(const std::filesystem::path& file, const logger& logger, bool is_static = false,
+ bool allow_duplicate = false);
+ mapped_module* map_memory_module(uint64_t base_address, uint64_t image_size, const std::string& module_name, const logger& logger,
+ bool is_static = false, bool allow_duplicate = false);
 mapped_module* find_by_address(const uint64_t address)
 {
@@ -156,7 +159,7 @@ class module_manager
 mapped_module* executable{};
 mapped_module* ntdll{};
 mapped_module* win32u{};
- std::unordered_map module_load_count;
+ std::unordered_map module_load_count;
 // WOW64-specific modules (for validation and future use)
 struct wow64_modules
diff --git a/src/windows-emulator/process_context.cpp b/src/windows-emulator/process_context.cpp
index 4825c79f..7fc9d632 100644
--- a/src/windows-emulator/process_context.cpp
+++ b/src/windows-emulator/process_context.cpp
@@ -179,7 +179,7 @@ namespace
 return env_map;
 }
- uint32_t read_windows_build(registry_manager& registry)
+ uint32_t read_windows_build(registry_manager& registry)
 {
 const auto key = registry.get_key({R"(\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion)"});
@@ -211,16 +211,16 @@ namespace
 for (size_t i = 0; i < api_set_map->Count; i++)
 {
- const auto entry = reinterpret_cast(reinterpret_cast(api_set_map) +
- api_set_map->EntryOffset + i * sizeof(API_SET_NAMESPACE_ENTRY));
+ const auto entry = reinterpret_cast(
+ reinterpret_cast(api_set_map) + api_set_map->EntryOffset + i * sizeof(API_SET_NAMESPACE_ENTRY));
 std::u16string name(reinterpret_cast(reinterpret_cast(api_set_map) + entry->NameOffset), entry->NameLength / sizeof(char16_t));
 const auto value = reinterpret_cast(reinterpret_cast(api_set_map) + entry->ValueOffset +
- (entry->ValueCount - 1) * sizeof(API_SET_VALUE_ENTRY));
+ (entry->ValueCount - 1) * sizeof(API_SET_VALUE_ENTRY));
 std::u16string base_name(reinterpret_cast(reinterpret_cast(api_set_map) + value->ValueOffset),
- value->ValueLength / sizeof(char16_t));
+ value->ValueLength / sizeof(char16_t));
 apiset[name + u".dll"] = base_name;
 }
@@ -228,149 +228,149 @@ namespace
 return apiset;
 }
- template
- void create_known_dlls_section_objects(
- std::unordered_map& knowndlls_section_objects,
- registry_manager& registry,
- const apiset::container& apiset_container,
- const file_system& file_system,
- bool is_wow64)
- {
- const auto* api_set_data = reinterpret_cast(apiset_container.data.data());
- auto apiset = get_apiset_namespace_table(api_set_data);
+ template
+ void create_known_dlls_section_objects(std::unordered_map& knowndlls_section_objects,
+ registry_manager& registry, const apiset::container& apiset_container,
+ const file_system& file_system, bool is_wow64)
+ {
+ const auto* api_set_data = reinterpret_cast(apiset_container.data.data());
+ auto apiset = get_apiset_namespace_table(api_set_data);
- std::unordered_set visited_dlls;
- windows_path system_root_path;
- std::filesystem::path local_system_root_path;
+ std::unordered_set visited_dlls;
+ windows_path system_root_path;
+ std::filesystem::path local_system_root_path;
- if (is_wow64)
- {
- system_root_path = "C:\\Windows\\SysWOW64";
- }
- else
- {
- system_root_path = "C:\\Windows\\System32";
- }
+ if (is_wow64)
+ {
+ system_root_path = "C:\\Windows\\SysWOW64";
+ }
+ else
+ {
+ system_root_path = "C:\\Windows\\System32";
+ }
- std::optional knowndlls_key = registry.get_key( { R"(\Registry\Machine\System\CurrentControlSet\Control\Session Manager\KnownDLLs)" });
- if (!knowndlls_key)
- {
- return;
- }
+ std::optional knowndlls_key =
+ registry.get_key({R"(\Registry\Machine\System\CurrentControlSet\Control\Session Manager\KnownDLLs)"});
+ if (!knowndlls_key)
+ {
+ return;
+ }
- local_system_root_path = file_system.translate(system_root_path);
- for (size_t i = 0; const auto value_opt = registry.get_value(*knowndlls_key, i); i++)
- {
- const auto& value = *value_opt;
+ local_system_root_path = file_system.translate(system_root_path);
+ for (size_t i = 0; const auto value_opt = registry.get_value(*knowndlls_key, i); i++)
+ {
+ const auto& value = *value_opt;
- if (value.type != REG_SZ && value.type != REG_EXPAND_SZ)
- {
- continue;
- }
+ if (value.type != REG_SZ && value.type != REG_EXPAND_SZ)
+ {
+ continue;
+ }
- if (value.data.empty() || value.data.size() % 2 != 0)
- {
- continue;
- }
+ if (value.data.empty() || value.data.size() % 2 != 0)
+ {
+ continue;
+ }
- const auto char_count = value.data.size() / sizeof(char16_t);
- const auto* data_ptr = reinterpret_cast(value.data.data());
- if (data_ptr[char_count - 1] != u'\0')
- {
- continue;
- }
+ const auto char_count = value.data.size() / sizeof(char16_t);
+ const auto* data_ptr = reinterpret_cast(value.data.data());
+ if (data_ptr[char_count - 1] != u'\0')
+ {
+ continue;
+ }
- auto known_dll_name = std::u16string(data_ptr, char_count - 1);
- auto known_dll_path = local_system_root_path / known_dll_name;
+ auto known_dll_name = std::u16string(data_ptr, char_count - 1);
+ auto known_dll_path = local_system_root_path / known_dll_name;
- if (!std::filesystem::exists(known_dll_path))
- {
- continue;
- }
+ if (!std::filesystem::exists(known_dll_path))
+ {
+ continue;
+ }
- utils::string::to_lower_inplace(known_dll_name);
- if (visited_dlls.contains(known_dll_name))
- {
- continue;
- }
+ utils::string::to_lower_inplace(known_dll_name);
+ if (visited_dlls.contains(known_dll_name))
+ {
+ continue;
+ }
- auto file = utils::io::read_file(known_dll_path);
- {
- section s;
- s.file_name = known_dll_path.u16string();
- s.maximum_size = page_align_up(std::filesystem::file_size(s.file_name));
- s.allocation_attributes = SEC_IMAGE;
- s.section_page_protection = PAGE_EXECUTE;
- s.cache_image_info_from_filedata(file);
- knowndlls_section_objects[known_dll_name] = s;
- }
+ auto file = utils::io::read_file(known_dll_path);
+ {
+ section s;
+ s.file_name = known_dll_path.u16string();
+ s.maximum_size = page_align_up(std::filesystem::file_size(s.file_name));
+ s.allocation_attributes = SEC_IMAGE;
+ s.section_page_protection = PAGE_EXECUTE;
+ s.cache_image_info_from_filedata(file);
+ knowndlls_section_objects[known_dll_name] = s;
+ }
- utils::safe_buffer_accessor buffer { file };
+ utils::safe_buffer_accessor buffer{file};
- const auto dos_header = buffer.as(0).get();
- const auto nt_headers_offset = dos_header.e_lfanew;
- const auto nt_headers = buffer.as>(nt_headers_offset).get();
+ const auto dos_header = buffer.as(0).get();
+ const auto nt_headers_offset = dos_header.e_lfanew;
+ const auto nt_headers = buffer.as>(nt_headers_offset).get();
- const auto& import_directory_entry = winpe::get_data_directory_by_index(nt_headers, IMAGE_DIRECTORY_ENTRY_IMPORT);
- if (!import_directory_entry.VirtualAddress)
- {
- continue;
- }
+ const auto& import_directory_entry = winpe::get_data_directory_by_index(nt_headers, IMAGE_DIRECTORY_ENTRY_IMPORT);
+ if (!import_directory_entry.VirtualAddress)
+ {
+ continue;
+ }
- const auto section_with_import_descs = winpe::get_section_header_by_rva(buffer, nt_headers, nt_headers_offset, import_directory_entry.VirtualAddress);
- auto import_directory_vbase = section_with_import_descs.VirtualAddress;
- auto import_directory_rbase = section_with_import_descs.PointerToRawData;
+ const auto section_with_import_descs =
+ winpe::get_section_header_by_rva(buffer, nt_headers, nt_headers_offset, import_directory_entry.VirtualAddress);
+ auto import_directory_vbase = section_with_import_descs.VirtualAddress;
+ auto import_directory_rbase = section_with_import_descs.PointerToRawData;
- uint64_t import_directory_raw = rva_to_raw(import_directory_vbase, import_directory_rbase, import_directory_entry.VirtualAddress);
- auto import_descriptors = buffer.as(import_directory_raw);
- for (size_t import_desc_index = 0;; import_desc_index++)
- {
- const auto descriptor = import_descriptors.get(import_desc_index);
- if (!descriptor.Name)
- {
- break;
- }
+ uint64_t import_directory_raw =
+ rva_to_raw(import_directory_vbase, import_directory_rbase, import_directory_entry.VirtualAddress);
+ auto import_descriptors = buffer.as(import_directory_raw);
+ for (size_t import_desc_index = 0;; import_desc_index++)
+ {
+ const auto descriptor = import_descriptors.get(import_desc_index);
+ if (!descriptor.Name)
+ {
+ break;
+ }
- auto known_dll_dep_name = buffer.as_string(rva_to_raw(import_directory_vbase, import_directory_rbase, descriptor.Name));
-
- utils::string::to_lower_inplace(known_dll_dep_name);
- auto known_dll_dep_name_16 = u8_to_u16(known_dll_dep_name);
+ auto known_dll_dep_name = buffer.as_string(rva_to_raw(import_directory_vbase, import_directory_rbase, descriptor.Name));
- if (known_dll_dep_name_16.starts_with(u"api-") || known_dll_dep_name_16.starts_with(u"ext-"))
- {
- if (apiset.contains(known_dll_dep_name_16))
- {
- known_dll_dep_name_16 = apiset[known_dll_dep_name_16];
- }
- else
- {
- continue;
- }
- }
-
- if (knowndlls_section_objects.contains(known_dll_dep_name_16))
- {
- continue;
- }
+ utils::string::to_lower_inplace(known_dll_dep_name);
+ auto known_dll_dep_name_16 = u8_to_u16(known_dll_dep_name);
- {
- auto known_dll_dep_path = local_system_root_path / known_dll_dep_name_16;
- auto file = utils::io::read_file(known_dll_dep_path);
+ if (known_dll_dep_name_16.starts_with(u"api-") || known_dll_dep_name_16.starts_with(u"ext-"))
+ {
+ if (apiset.contains(known_dll_dep_name_16))
+ {
+ known_dll_dep_name_16 = apiset[known_dll_dep_name_16];
+ }
+ else
+ {
+ continue;
+ }
+ }
- section s;
- s.file_name = known_dll_dep_path.u16string();
- s.maximum_size = page_align_up(std::filesystem::file_size(s.file_name));
- s.allocation_attributes = SEC_IMAGE;
- s.section_page_protection = PAGE_EXECUTE;
- s.cache_image_info_from_filedata(file);
-
- knowndlls_section_objects[known_dll_dep_name_16] = s;
- }
- }
+ if (knowndlls_section_objects.contains(known_dll_dep_name_16))
+ {
+ continue;
+ }
- visited_dlls.insert(known_dll_name);
- }
- }
+ {
+ auto known_dll_dep_path = local_system_root_path / known_dll_dep_name_16;
+ auto file = utils::io::read_file(known_dll_dep_path);
+
+ section s;
+ s.file_name = known_dll_dep_path.u16string();
+ s.maximum_size = page_align_up(std::filesystem::file_size(s.file_name));
+ s.allocation_attributes = SEC_IMAGE;
+ s.section_page_protection = PAGE_EXECUTE;
+ s.cache_image_info_from_filedata(file);
+
+ knowndlls_section_objects[known_dll_dep_name_16] = s;
+ }
+ }
+
+ visited_dlls.insert(known_dll_name);
+ }
+ }
 }
 void process_context::setup(x86_64_emulator& emu, memory_manager& memory, registry_manager& registry, const file_system& file_system,
diff --git a/src/windows-emulator/syscalls/section.cpp b/src/windows-emulator/syscalls/section.cpp
index 783d1f62..c1dbfbf5 100644
--- a/src/windows-emulator/syscalls/section.cpp
+++ b/src/windows-emulator/syscalls/section.cpp
@@ -119,7 +119,7 @@ namespace syscalls
 }
 utils::string::to_lower_inplace(filename);
-
+
 if (is_known_dll)
 {
 auto& knowndlls_sections = c.win_emu.process.knowndlls_sections;