diff --git a/src/sample/main.cpp b/src/sample/main.cpp
index e2bb9c03..435ad513 100644
--- a/src/sample/main.cpp
+++ b/src/sample/main.cpp
@@ -68,6 +68,7 @@ namespace
 //watch_system_objects(win_emu);
 win_emu.buffer_stdout = true;
+//win_emu.verbose_calls = true;
 const auto& exe = *win_emu.process().executable;
@@ -84,36 +85,32 @@ namespace
 }
 });
-win_emu.add_syscall_hook([&]
+/*win_emu.add_syscall_hook([&]
 {
-const auto rip = win_emu.emu().read_instruction_pointer();
-if (rip >= text_start && rip < text_end)
+const auto syscall_id = win_emu.emu().reg(x64_register::eax);
+const auto syscall_name = win_emu.dispatcher().get_syscall_name(syscall_id);
+
+if (syscall_name != "NtQueryInformationProcess")
 {
-const auto syscall_id = win_emu.emu().reg(x64_register::eax);
-const auto syscall_name = win_emu.dispatcher().get_syscall_name(syscall_id);
-
-win_emu.logger.print(color::blue, "Executing inline syscall: %s (0x%X) at 0x%llX\n",
-syscall_name.c_str(),
-syscall_id, rip);
-
-/*if (syscall_name == "NtQueryInformationProcess")
-{
-const auto info_class = win_emu.emu().reg(x64_register::rdx);
-if (info_class == ProcessImageFileNameWin32)
-{
-const auto data = win_emu.emu().reg(x64_register::r8);
-
-emulator_allocator data_allocator{win_emu.emu(), data, 0x100};
-data_allocator.make_unicode_string(
-L"C:\\Users\\mauri\\source\\repos\\lul\\x64\\Release\\lul.exe");
-win_emu.emu().reg(x64_register::rax, STATUS_SUCCESS);
-return instruction_hook_continuation::skip_instruction;
-}
-}*/
+return instruction_hook_continuation::run_instruction;
 }
-return instruction_hook_continuation::run_instruction;
-});
+const auto info_class = win_emu.emu().reg(x64_register::rdx);
+if (info_class != ProcessImageFileNameWin32)
+{
+return instruction_hook_continuation::run_instruction;
+}
+
+win_emu.logger.print(color::pink, "Patching NtQueryInformationProcess...\n");
+
+const auto data = win_emu.emu().reg(x64_register::r8);
+
+emulator_allocator data_allocator{win_emu.emu(), data, 0x100};
+data_allocator.make_unicode_string(
+L"C:\\Users\\mauri\\source\\repos\\lul\\x64\\Release\\lul.exe");
+win_emu.emu().reg(x64_register::rax, STATUS_SUCCESS);
+return instruction_hook_continuation::skip_instruction;
+});*/
 run_emulation(win_emu);
 }
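Review bot: The replaced hook is kept in the tree as a 30-line block comment (`/*win_emu.add_syscall_hook([&]` … `});*/`) rather than removed, and the preceding `@@ -68,6 +68,7 @@` hunk follows the same pattern with `//win_emu.verbose_calls = true;`. Commented-out code bit-rots silently, and this block also bakes a developer-specific path (`C:\Users\mauri\...`) into the repository; since the active inline-syscall log moved into `syscall_dispatcher::dispatch` in this same commit, the block can simply be deleted (history keeps it) or, if the patching behaviour is still wanted in the sample, placed behind an explicit command-line option. If `text_start`/`text_end` were computed above this hunk only for the removed `rip` range check, they are now unused and will trigger unused-variable warnings; the enclosing function begins outside the hunk.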
diff --git a/src/windows_emulator/syscalls.cpp b/src/windows_emulator/syscalls.cpp
index 3e56c776..4a1b82e3 100644
--- a/src/windows_emulator/syscalls.cpp
+++ b/src/windows_emulator/syscalls.cpp
@@ -657,7 +657,7 @@ namespace
 }
 const auto region_info = c.emu.get_region_info(base_address);
-if(!region_info.is_reserved)
+if (!region_info.is_reserved)
 {
 return STATUS_INVALID_ADDRESS;
 }
@@ -1961,8 +1961,22 @@ void syscall_dispatcher::dispatch(windows_emulator& win_emu)
 return;
 }
-win_emu.logger.print(color::dark_gray, "Syscall: %s (0x%X) at 0x%llX\n", entry->second.name.c_str(), syscall_id,
-address);
+const auto* mod = context.module_manager.find_by_address(address);
+if (mod != context.ntdll && mod != context.win32u)
+{
+win_emu.logger.print(color::blue, "Executing inline syscall: %s (0x%X) at 0x%llX (%s)\n",
+entry->second.name.c_str(),
+syscall_id,
+address, mod ? mod->name.c_str() : "");
+}
+else
+{
+win_emu.logger.print(color::dark_gray, "Executing syscall: %s (0x%X) at 0x%llX\n",
+entry->second.name.c_str(),
+syscall_id,
+address);
+}
+
 entry->second.handler(c);
 }
 catch (std::exception& e)
diff --git a/src/windows_emulator/windows_emulator.cpp b/src/windows_emulator/windows_emulator.cpp
index c48d5291..3a12ac9e 100644
--- a/src/windows_emulator/windows_emulator.cpp
+++ b/src/windows_emulator/windows_emulator.cpp
@@ -614,7 +614,7 @@ void windows_emulator::setup_hooks()
 const auto export_entry = binary->address_names.find(address);
 if (export_entry != binary->address_names.end())
 {
-logger.print(is_interesting_call ? color::yellow : color::gray,
+logger.print(is_interesting_call ? color::yellow : color::dark_gray,
 "Executing function: %s - %s (0x%llX)\n",
 binary->name.c_str(), export_entry->second.c_str(), address);
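Review bot: The classification on the new line `if (mod != context.ntdll && mod != context.win32u)` in `syscall_dispatcher::dispatch` only flags an out-of-module syscall when both `context.ntdll` and `context.win32u` are non-null: if `find_by_address` returns nullptr for `address` (a syscall issued from memory that belongs to no tracked module) and `context.win32u` is also null, the comparison fails and the call falls into the dark-gray "Executing syscall" branch, hiding exactly the case this change is meant to surface. Making the unmapped case explicit removes that dependency: `if (mod == nullptr || (mod != context.ntdll && mod != context.win32u))`. The unknown-module case would also read better with a placeholder than an empty name, e.g. `mod ? mod->name.c_str() : "<unknown>"`, so the log line does not end in `()`. Whether `context.win32u` can be null when `dispatch` runs is not visible here, and the function begins and ends outside the hunk.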