From 29b8ec40725bc6bc033e023f8a8244fd0af0945f Mon Sep 17 00:00:00 2001
From: thejanit0r
Date: Sun, 4 Jan 2026 09:33:54 +0100
Subject: [PATCH 1/4] Added additional vmp compatibility
---
 src/windows-emulator/memory_utils.hpp | 4 +++
 src/windows-emulator/syscalls/object.cpp | 4 ++-
 src/windows-emulator/syscalls/process.cpp | 31 ++++++++++++++++++++++-
 src/windows-emulator/syscalls/thread.cpp | 2 ++
 4 files changed, 39 insertions(+), 2 deletions(-)
diff --git a/src/windows-emulator/memory_utils.hpp b/src/windows-emulator/memory_utils.hpp
index 632979c6..0349806a 100644
--- a/src/windows-emulator/memory_utils.hpp
+++ b/src/windows-emulator/memory_utils.hpp
@@ -31,6 +31,10 @@ inline std::optional try_map_nt_to_emulator_protection(uin
 ext = memory_permission_ext::guard;
 }
+ // Remove the highest nibble since we are not currently handling those memory protection constants
+ // https://github.com/winsiderss/phnt/blob/master/ntmmapi.h#L26
+ nt_protection &= ~0xF0000000;
+
 memory_permission common = memory_permission::none;
 switch (nt_protection)
 {
diff --git a/src/windows-emulator/syscalls/object.cpp b/src/windows-emulator/syscalls/object.cpp
index 1d474ffe..afd1a53a 100644
--- a/src/windows-emulator/syscalls/object.cpp
+++ b/src/windows-emulator/syscalls/object.cpp
@@ -8,8 +8,10 @@ namespace syscalls
 {
 const auto value = h.value;
- if (h.h == 0xDEADC0DE)
+ if (h.h == 0xDEADC0DE || h.h == 0xDEADBEEF)
 {
+ c.win_emu.callbacks.on_suspicious_activity("Anti-debug check with invalid handle");
+
 return STATUS_INVALID_HANDLE;
 }
diff --git a/src/windows-emulator/syscalls/process.cpp b/src/windows-emulator/syscalls/process.cpp
index 7f8c78bd..3c7a9bd2 100644
--- a/src/windows-emulator/syscalls/process.cpp
+++ b/src/windows-emulator/syscalls/process.cpp
@@ -15,6 +15,8 @@ namespace syscalls
 return STATUS_NOT_SUPPORTED;
 }
+ const auto return_length_info = c.win_emu.memory.get_region_info(return_length.value());
+
 switch (info_class)
 {
 case ProcessExecuteFlags:
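Review bot: The new `nt_protection &= ~0xF0000000;` drops the upper-nibble modifier bits without any trace, and the helper's optional return gives no way to tell the caller that an unsupported flag was present; the comment should say so rather than only that they are "not currently handled", e.g. `// Bits 28-31 carry modifier flags (see the phnt link below) that the emulator does not model; they are silently dropped, so callers cannot detect them`. Note also that `~0xF0000000` is an `unsigned int` with value 0x0FFFFFFF, so if the parameter — shown truncated as `uin` in the hunk header, presumably a 32-bit unsigned type — were ever widened, the same line would also clear every bit above 31. try_map_nt_to_emulator_protection starts before this hunk.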
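Review bot: The two magic values in `if (h.h == 0xDEADC0DE || h.h == 0xDEADBEEF)` now form an inline allow-list of probe handles with nothing naming them, and the next one will be appended the same way; a comment above the `if` such as `// Bogus handle values that anti-debug checks pass in to detect an attached debugger` or a small `constexpr` array in this file that the condition scans would keep the intent readable. The preceding context line `const auto value = h.value;` is also computed before this early return and unused on it, so the check could move above it. The enclosing function begins before this hunk.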
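Review bot: `const auto return_length_info = c.win_emu.memory.get_region_info(return_length.value());` is evaluated for every info_class on every call, although only the ProcessDebugObjectHandle case added later in this patch reads it, and it runs before that case's `return_length.value() == 0` check, so a caller passing no ReturnLength has region info looked up for address 0 first. Moving the line into that case, after the null check and directly above `if (!return_length_info.is_reserved)`, keeps the other classes unchanged; whether get_region_info tolerates address 0 cannot be seen here. The enclosing function begins before this hunk.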
@@ -62,6 +64,24 @@ namespace syscalls
 });
 case ProcessDebugObjectHandle:
+
+ c.win_emu.callbacks.on_suspicious_activity("Anti-debug check with ProcessDebugObjectHandle");
+
+ if ((process_information & 3) != 0)
+ {
+ return STATUS_DATATYPE_MISALIGNMENT;
+ }
+
+ if (return_length.value() == 0)
+ {
+ return STATUS_PORT_NOT_SET;
+ }
+
+ if (!return_length_info.is_reserved)
+ {
+ return STATUS_ACCESS_VIOLATION;
+ }
+
 return handle_query(c.emu, process_information, process_information_length, return_length, [](handle& h) {
 h = NULL_HANDLE;
 return STATUS_PORT_NOT_SET;
@@ -75,6 +95,13 @@ namespace syscalls
 });
 case ProcessDebugPort:
+ c.win_emu.callbacks.on_suspicious_activity("Anti-debug check with ProcessDebugPort");
+
+ return handle_query::PVOID>(c.emu, process_information, process_information_length, return_length,
+ [](EmulatorTraits::PVOID& ptr) {
+ ptr = 0; //
+ });
+
 case ProcessDeviceMap:
 return handle_query::PVOID>(c.emu, process_information, process_information_length, return_length,
 [](EmulatorTraits::PVOID& ptr) {
@@ -202,7 +229,8 @@ namespace syscalls
 || info_class == ProcessDynamicFunctionTableInformation //
 || info_class == ProcessPriorityBoost //
 || info_class == ProcessPriorityClassEx //
- || info_class == ProcessPriorityClass)
+ || info_class == ProcessPriorityClass
+ || info_class == ProcessAffinityMask)
 {
 return STATUS_SUCCESS;
 }
@@ -333,6 +361,7 @@ namespace syscalls
 PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION info;
 c.emu.read_memory(process_information, &info, sizeof(PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION));
+ c.win_emu.callbacks.on_suspicious_activity("Setting ProcessInstrumentationCallback");
 c.proc.instrumentation_callback = info.Callback;
diff --git a/src/windows-emulator/syscalls/thread.cpp b/src/windows-emulator/syscalls/thread.cpp
index 81caa575..e53aaf29 100644
--- a/src/windows-emulator/syscalls/thread.cpp
+++ b/src/windows-emulator/syscalls/thread.cpp
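Review bot: The new `if (return_length.value() == 0) { return STATUS_PORT_NOT_SET; }` guard returns before the output buffer is touched, whereas the `handle_query` path below stores `NULL_HANDLE` into it before reporting the same status; a caller that passes no ReturnLength and pre-fills its buffer with a non-zero value would read that value back and conclude a debug object exists, the opposite of what the emulator means to signal. Unless the reference behaviour is known to skip the write when ReturnLength is null, the buffer should still be cleared on that path, e.g. by dropping this guard if `handle_query` already tolerates a null `return_length`. `if (!return_length_info.is_reserved)` is only a partial writability check — reserved-but-uncommitted or read-only memory would pass it — so a comment such as `// Approximation: only checks that ReturnLength points into a known region` would keep the next reader from assuming more. The enclosing function begins before and ends after this hunk.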
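Review bot: `ptr = 0; //` in the new ProcessDebugPort lambda ends in an empty comment; either drop the `//` or state what the zero means, e.g. `ptr = 0; // no debug port attached`. The template arguments of `handle_query` and `EmulatorTraits` are not legible in this rendering of the patch, so the types were not checked against the ProcessDeviceMap case that follows.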
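Review bot: `|| info_class == ProcessAffinityMask)` adds the class to the list that returns STATUS_SUCCESS without applying anything, so the supplied mask is discarded; if the emulator answers the corresponding query elsewhere, the two will disagree after a set, which is a detectable inconsistency. A comment on the list recording that these classes are accepted and ignored, e.g. `// Accepted but not applied: the emulator keeps no state for these classes`, would make the trade-off explicit for whoever adds the query side. The enclosing function begins before this hunk.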
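Review bot: The new `c.win_emu.callbacks.on_suspicious_activity("Setting ProcessInstrumentationCallback");` records the event but not the address that `c.proc.instrumentation_callback = info.Callback;` installs on the next line, which is the value an analyst needs to triage it; if on_suspicious_activity accepts a formatted string, include `info.Callback` in the message. Whether `process_information_length` is validated against `sizeof(PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION)` before the `read_memory` on the context line above is not visible here; a comment pointing at that check, if one exists, would help. The enclosing function begins before this hunk.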
@@ -309,6 +309,8 @@ namespace syscalls
 const emulator_object info{c.emu, thread_information};
 info.write(cur_emulator_thread.debugger_hide);
+ c.win_emu.callbacks.on_suspicious_activity("Checking if the thread is hidden from the debugger");
+
 return STATUS_SUCCESS;
 }
From 497a4e98cbbf0af7b179072f80b47b57ae46c100 Mon Sep 17 00:00:00 2001
From: thejanit0r
Date: Sun, 4 Jan 2026 13:35:54 +0100
Subject: [PATCH 2/4] Fixed formatting
---
 src/windows-emulator/syscalls/process.cpp | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/src/windows-emulator/syscalls/process.cpp b/src/windows-emulator/syscalls/process.cpp
index 3c7a9bd2..f708eb73 100644
--- a/src/windows-emulator/syscalls/process.cpp
+++ b/src/windows-emulator/syscalls/process.cpp
@@ -71,12 +71,12 @@ namespace syscalls
 {
 return STATUS_DATATYPE_MISALIGNMENT;
 }
-
+
 if (return_length.value() == 0)
 {
 return STATUS_PORT_NOT_SET;
 }
-
+
 if (!return_length_info.is_reserved)
 {
 return STATUS_ACCESS_VIOLATION;
@@ -229,8 +229,7 @@ namespace syscalls
 || info_class == ProcessDynamicFunctionTableInformation //
 || info_class == ProcessPriorityBoost //
 || info_class == ProcessPriorityClassEx //
- || info_class == ProcessPriorityClass
- || info_class == ProcessAffinityMask)
+ || info_class == ProcessPriorityClass || info_class == ProcessAffinityMask)
 {
 return STATUS_SUCCESS;
 }
From f524a8cc386eff6d98d5e4790129b8fcbac5c0f2 Mon Sep 17 00:00:00 2001
From: thejanit0r
Date: Sun, 4 Jan 2026 14:47:08 +0100
Subject: [PATCH 3/4] Fixed clang-tidy errors
---
 src/common/platform/status.hpp | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/common/platform/status.hpp b/src/common/platform/status.hpp
index 23b55e7a..3ad07a04 100644
--- a/src/common/platform/status.hpp
+++ b/src/common/platform/status.hpp
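Review bot: The new `c.win_emu.callbacks.on_suspicious_activity("Checking if the thread is hidden from the debugger");` sits after `info.write(cur_emulator_thread.debugger_hide);`, so if that write faults on an unmapped or read-only ThreadInformation buffer the probe is never recorded; placing the callback before the write reports the check regardless of how the write ends. Naming the information class in the message, as the process.cpp messages in this series do, would also make the events easier to correlate. The enclosing function begins before this hunk.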
@@ -28,6 +28,7 @@ using NTSTATUS = std::uint32_t;
 #define STATUS_OBJECT_NAME_EXISTS ((NTSTATUS)0x40000000L)
+#define STATUS_DATATYPE_MISALIGNMENT ((NTSTATUS)0x80000002L)
 #define STATUS_NO_MORE_FILES ((NTSTATUS)0x80000006L)
 #define STATUS_NO_MORE_ENTRIES ((NTSTATUS)0x8000001AL)
From 3b68260921428eb1e150c351ad2f041b8748e5fd Mon Sep 17 00:00:00 2001
From: thejanit0r
Date: Sun, 4 Jan 2026 14:53:53 +0100
Subject: [PATCH 4/4] Fixed build errors
---
 src/common/platform/status.hpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/common/platform/status.hpp b/src/common/platform/status.hpp
index 3ad07a04..943fe376 100644
--- a/src/common/platform/status.hpp
+++ b/src/common/platform/status.hpp
@@ -11,6 +11,7 @@ using NTSTATUS = std::uint32_t;
 #define STATUS_PENDING ((NTSTATUS)0x00000103L)
 #define STATUS_GUARD_PAGE_VIOLATION ((NTSTATUS)0x80000001L)
+#define STATUS_DATATYPE_MISALIGNMENT ((NTSTATUS)0x80000002L)
 #define STATUS_BREAKPOINT ((NTSTATUS)0x80000003L)
 #define STATUS_SINGLE_STEP ((NTSTATUS)0x80000004L)
@@ -28,7 +29,6 @@ using NTSTATUS = std::uint32_t;
 #define STATUS_OBJECT_NAME_EXISTS ((NTSTATUS)0x40000000L)
-#define STATUS_DATATYPE_MISALIGNMENT ((NTSTATUS)0x80000002L)
 #define STATUS_NO_MORE_FILES ((NTSTATUS)0x80000006L)
 #define STATUS_NO_MORE_ENTRIES ((NTSTATUS)0x8000001AL)