- Add WINDOWS_VERSION enum and PS_SYSTEM_DLL_INIT_BLOCK sizes for WOW64
support across different Windows builds.
- Read system information (SystemRoot, BuildNumber, UpdateBuildRevision)
from registry instead of hardcoded paths.
- Add build comparison helpers in process_context for precise build
checks.
This PR is my attempt to add support for user callbacks in the emulator.
User callbacks allow the emulator to call guest callbacks from syscalls,
and when the callback finishes running, control returns to the syscall
through the completion method. I've also added a test and implemented
the NtUserEnumDisplayMonitors syscall.
One thing to note is that this implementation isn't faithful to how the
Windows kernel does it, since the kernel uses the KernelCallbackTable
and the `ntdll!KiUserCallbackDispatch` method, and this implementation
currently just calls the callback directly.
- Add WINDOWS_VERSION enum and PS_SYSTEM_DLL_INIT_BLOCK sizes for WOW64 support across different Windows builds.
- Read system information (SystemRoot, BuildNumber, UpdateBuildRevision) from registry instead of hardcoded paths.
- Add build comparison helpers in process_context for precise build checks.
Fixes#641
This PR is my attempt to add support for user32 objects and the user32
handle table. I also added a test, but as expected, it fails on Windows
2022. I’ll try to fix that another day, but feel free to review the code
😄
This PR fixes several things related to threads emulation:
1. Support `SameTebFlags.InitialThread`
This flag is needed to support emulation of .net executables (not yet
fully supported) that don't have an entry point set in `PE` header. This
applies to both `PE32` and `PE64` executables. If `InitialThread` is set
the loader substitutes an entry point of the .net executable with
`mscoree.dll!_CorExeMain`.
2. Fix static thread local storage for `WOW64`
This fix resolves `shell32.dll` initialization on `WOW64`. This fix also
uses correct structure and field names that are obtained from the
corresponding `.pdb` files.
3. Fix dynamic thread local storage for `WOW64`
4. Fix setting argument of a `WOW64` thread start proc
5. Fix creating suspended thread and parse create_flags
Currently creating suspended thread doesn't work because
`NtCreateThreadEx` handler uses invalid flag `CREATE_SUSPENDED`. This PR
fixes that, and moreover it carefully parses create_flags of the
`NtCreateThreadEx` call.
6. Fix `FS` and `GS` handling
This PR fixes several problems with `GS` and `FS` segments:
* Wrong GDT descriptor for selector 0x53
* Update GDT descriptor for selector 0x53 for a `WOW64` process every
context switch like Windows does
* Set `GS` base when `GS` segment register is updated in 64-bit code
(code selector is `0x33`). When `GS` segment register is loaded with
correct selector (`0x2b`) `GS` base is set to 0. So, when the code
accesses something like `gs:[0]`, a page fault occurs. `KiPageFault`
handles this situation and sets correct `GS` base.
Also, take into account that `teb64.ExceptionList` initially contains
`teb32` address for `WOW64` process. This is used to setup `FS` base
when `wrfsbase` instruction is available. We can enable this instruction
using `kusd.ProcessorFeatures.arr[PF_RDWRFSGSBASE_AVAILABLE] = 1;` and
this work perfectly with `unicorn` backend. Unfortunately `icicle`
backend does not support `wrfsbase`, so I don't enable this instruction
by default.
This flag is needed to suport emulation of .net executables
that don't have an entry point set in PE header. This applies
to both PE32 and PE64 executables. If InitialThread is set
the loader substitutes an entry point of the .net executable
with mscoree.dll!_CorExeMain.
