Emulated applications are currently able to access files from the host
system, rather than being restricted to the virtualized file system, by
using `Section` related Syscalls. This behavior appears to have been
introduced in:
- 2024-12-13: [Prepare better section support
(syscalls.cpp:582)](719a50444e (diff-96c7de348bdc06e650bdc371a600a91f80594d4201afd7a28ffa160fa755be9dR582))
- 2025-10-13: [Comprehensive WOW64 subsystem implementation
(section.cpp:141)](65eecf1cfd (diff-415eed3b4b314dc10cc9f7926687770be53799766bc9a4edca2a7f4a45477169R141)))
Because the emulator is [advertised for malware
analysis](https://github.com/momo5502/sogen/blob/main/README.md), this
unintended access path could be considered a security concern.
This PR only fixes two current misuses of an API that interacts with the
host system. As a long term solution, APIs that interact with host
resources should consistently use C++ types that enforce translation of
resource identifiers (e.g., file and registry paths) into their emulated
equivalents. This would help prevent future misuse and ensure that
emulated applications remain isolated from the host environment.
Minor change to allow minidump load to work with pages with copy
permission set.
File was probing memory via VirtualQuery incrementally, previously this
ran forever as Sogen doesn't replicate Windows behaviour.
Added exclusive allocation end boundary so that allocation / info check
on last page of user space VA works. Modified
memory_manager::find_free_allocation_base and
memory_manager::get_region_info to use exclusive boundary.
Added check to NtQueryVirtualMemory - now correctly returns
STATUS_INVALID_PARAMETER when run against memory outside of user space
VA. Kernel modules should use ZwQueryVirtualMemory not the user land
API.
This PR introduces an abstraction for ALPC ports to make them easier to
manage in the future, and implements the DNS resolver port, at least
enough to get host address queries working.
There's a lot of code in this PR that I'm not very confident about, so
don't hesitate on the feedback 😄
<img width="1377" height="624" alt="image"
src="https://github.com/user-attachments/assets/4d56b84d-4b87-42ed-9bfa-be04dbbf3735"
/>
# Major Features Implemented
**Core WOW64 Architecture**
1. Full TEB, PEB, and Windows structure implementations for 32-bit
processes
2. Proper thread context switching with 32-bit stack allocation
3. Configurable memory allocation with 32-bit/64-bit address space
handling
4. Automatic WOW64 process identification and handling
5. Heaven's Gate Implementation for handling exceptions
**Enhanced Emulation Features**
1. Fixed GDT setup and segment management for WOW64
2. Multi-architecture PE loading with proper import resolution
3. Segment-aware disassembly with WOW64 debugging capabilities
**Testing & Validation**
**32-bit Test Sample**: Minimal "hello" executable with full ASM source
# TODO
Needs more testing, currently in very early stages.
This PR introduces several enhancements, mainly to the file system
syscalls:
- Implements file renaming via `NtSetInformationFile` by adding a
deferred rename mechanism to `file_handle`. The rename operation occurs
when the file handle is closed.
- Adds support for the `RootDirectory` parameter in
`NtQueryAttributesFile` to handle relative file paths.
- Adds support for opening the console output device (`\\??\\CONOUT$`).
- Stubs out the `NtLockVirtualMemory` syscall.
- Fixes an incorrect assertion in `socket_wrapper` that could fire on
`recvfrom` errors.
In `ntdll!RtlGetSystemTimePrecise`, `kusd.SystemTime` is queried first, and QPC offset (`QPC() - kusd.BaselineSystemTimeQpc`) is added if it's larger than 0.
Setting `kusd.BaselineSystemTimeQpc` to `UINT64_MAX` avoids the adjustment, so incorrect adjustments won't happen.
Alternatively, We can update `kusd.BaselineSystemTimeQpc` to be the QPC value just when `kusd.SystemTime` changes, but that's not possible, because we cannot monitor `kusd.SystemTime` for change.
