From f1ce4b8ef84db26934769f33e07d2b938a635124 Mon Sep 17 00:00:00 2001
From: momo5502 <mauriceheumann@gmail.com>
Date: Tue, 20 Aug 2024 18:16:08 +0200
Subject: [PATCH] More syscall experiments

---
 src/emulator/syscalls.cpp | 43 ++++++++++++++++++++++++++++++++++++---
 1 file changed, 40 insertions(+), 3 deletions(-)

diff --git a/src/emulator/syscalls.cpp b/src/emulator/syscalls.cpp
index f08c7f0f..2a5dedc8 100644
--- a/src/emulator/syscalls.cpp
+++ b/src/emulator/syscalls.cpp
@@ -44,6 +44,11 @@ namespace
 		uc.reg<uint64_t>(UC_X86_REG_RAX, STATUS_NOT_SUPPORTED);
 	}
 
+	void handle_NtCreateIoCompletion(const unicorn& uc)
+	{
+		uc.reg<uint64_t>(UC_X86_REG_RAX, STATUS_NOT_SUPPORTED);
+	}
+
 	void handle_NtTraceEvent(const unicorn& uc)
 	{
 		uc.reg<uint64_t>(UC_X86_REG_RAX, STATUS_NOT_SUPPORTED);
@@ -211,9 +216,11 @@ namespace
 	void handle_NtQuerySystemInformationEx(const unicorn& uc)
 	{
 		const auto info_class = uc.reg<uint32_t>(UC_X86_REG_R10D);
-		const auto system_information = uc.reg(UC_X86_REG_R8);
-		const auto system_information_length = uc.reg<uint32_t>(UC_X86_REG_R9D);
-		const unicorn_object<uint32_t> return_length{uc, uc.read_stack(5)};
+		const auto input_buffer = uc.reg(UC_X86_REG_RDX);
+		const auto input_buffer_length = uc.reg<uint32_t>(UC_X86_REG_R8D);
+		const auto system_information = uc.reg(UC_X86_REG_R9);
+		const auto system_information_length = static_cast<uint32_t>(uc.read_stack(5));
+		const unicorn_object<uint32_t> return_length{uc, uc.read_stack(6)};
 
 		if (info_class == SystemFlushInformation
 			|| info_class == SystemFeatureConfigurationInformation
@@ -223,6 +230,33 @@ namespace
 			return;
 		}
 
+		if (info_class == SystemLogicalProcessorAndGroupInformation)
+		{
+			void* buffer = calloc(1, input_buffer_length);
+			void* res_buff = calloc(1, system_information_length);
+			uc_mem_read(uc, input_buffer, buffer, input_buffer_length);
+
+			uint64_t code = 0;
+
+			return_length.access([&](uint32_t& len)
+			{
+				code = NtQuerySystemInformationEx((SYSTEM_INFORMATION_CLASS)info_class, buffer, input_buffer_length,
+				                                  res_buff,
+				                                  system_information_length, (ULONG*)&len);
+			});
+
+			if (code == 0)
+			{
+				uc_mem_write(uc, system_information, res_buff, return_length.read());
+			}
+
+			free(buffer);
+			free(res_buff);
+
+			uc.reg<uint64_t>(UC_X86_REG_RAX, code);
+			return;
+		}
+
 		if (info_class != SystemBasicInformation && info_class != SystemEmulationBasicInformation)
 		{
 			printf("Unsupported system info ex class: %X\n", info_class);
@@ -506,6 +540,9 @@ void handle_syscall(const unicorn& uc, process_context& context)
 		case 0x78:
 			handle_NtAllocateVirtualMemoryEx(uc);
 			break;
+		case 0xB2:
+			handle_NtCreateIoCompletion(uc);
+			break;
 		case 0x11A:
 			handle_NtManageHotPatch(uc);
 			break;