Merge remote-tracking branch 'origin/main'

Author: acheron2302

Cargo.lock

@@ -6,12 +6,17 @@
 [![Docs.rs](https://docs.rs/libmwemu/badge.svg)](https://docs.rs/libmwemu)
 [![codecov](https://codecov.io/gh/sha0coder/mwemu/branch/main/graph/badge.svg)](https://codecov.io/gh/sha0coder/mwemu)
 
+## Official documentation
+
+I'm working in the official documentation, note that it isn't finished yet.
+
+[mwemu.github.io](https://mwemu.github.io)
 
 ## What is this?
 
 It's a hardware emulator + OS process simulator implemented in pure rust.
 
-This approach is very conviniento to malware analysis and other stuff (PE, shellcode etc)
+This approach is very convinien to malware analysis and other stuff (PE, shellcode etc)
 
 The OS is mainly windows, it emulates a windows process, some very basic support for linux.
 
@@ -20,6 +25,7 @@ The hardware is x86 32/64bits it's fast and reliable.
 
 ![MWEMU Logo](./docs/pics/mwemu_logo.png)
 
+
 ## Three ways of using the software
 
 - mwemu commandline https://github.com/sha0coder/mwemu

README.md

@@ -1,6 +1,6 @@
 [package]
 name = "libmwemu"
-version = "0.22.2"
+version = "0.23.0"
 edition = "2018"
 authors = ["sha0coder"]
 license = "MIT"

crates/libmwemu/Cargo.toml

@@ -24,8 +24,7 @@ impl Emu {
 
     /// Call a 32bits function at addr, passing argument in an array of u64 but will cast to u32.
     /// The calling convention is stack, like winapi32.
-    pub fn call32(&mut self, addr: u64, args: &[u64]) -> Result<u32, MwemuError> {
-        //TODO: why this was u64?
+    pub fn call32(&mut self, addr: u64, args: &[u32]) -> Result<u32, MwemuError> {
         if addr == self.regs().get_eip() {
             if addr == 0 {
                 return Err(MwemuError::new(
@@ -37,7 +36,7 @@ impl Emu {
         }
         let orig_stack = self.regs().get_esp();
         for arg in args.iter().rev() {
-            self.stack_push32(*arg as u32);
+            self.stack_push32(*arg);
         }
         let ret_addr = self.regs().get_eip();
         self.stack_push32(ret_addr as u32);
@@ -47,9 +46,9 @@ impl Emu {
         Ok(self.regs().get_eax() as u32)
     }
 
-    /// Call a 64bits function at addr, passing argument in an array of u64.
-    /// The calling convention is registers rcx/rdx/48/r9 and then stack. Like windows64.
-    /// Dont use for linux64 syscall like convention, on those cases craft stack/register manually.
+    /// Call 64bits function at addr using Microsoft x64 ABI, passing argument in an array of u64.
+    /// The calling convention is registers rcx/rdx/r8/r9 and then stack. Like windows64.
+    /// Dont use for linux64 syscall like convention, for this is linux_call64()
     pub fn call64(&mut self, addr: u64, args: &[u64]) -> Result<u64, MwemuError> {
         if addr == self.regs().rip {
             if addr == 0 {
@@ -74,21 +73,109 @@ impl Emu {
         if n >= 4 {
             self.regs_mut().r9 = args[3];
         }
+
+        // stack pointer backup, for restoring when function returns.
         let orig_stack = self.regs().rsp;
+
+        // padding
+        let extra_args = if n > 4 { (n - 4) * 8 } else { 0 };
+        let total = extra_args + 32 + 8;
+        let padding = (16 - (self.regs().rsp as usize + total) % 16) % 16;
+        self.regs_mut().rsp -= padding as u64;
+
+        // shadow space (32bits)
+        for _ in 0..4 {
+            self.stack_push64(0);
+        }
+
+        // stack parameters
         if n > 4 {
             for arg in args.iter().skip(4).rev() {
                 self.stack_push64(*arg);
             }
         }
 
+        // return address
+        let ret_addr = self.regs().rip;
+        self.stack_push64(ret_addr);
+
+        // trigger function
+        self.regs_mut().rip = addr;
+
+        // emulate the function until return address is reached
+        self.run(Some(ret_addr))?;
+
+        // recover stack and  return rax
+        self.regs_mut().rsp = orig_stack;
+        Ok(self.regs().rax)
+    }
+
+
+    /// Call a 64bits function at addr, passing arguments in an array of u64.
+    /// The calling convention is registers RDI, RSI, RDX, RCX, R8, R9 and then stack. Like linux64.
+    pub fn linux_call64(&mut self, addr: u64, args: &[u64]) -> Result<u64, MwemuError> {
+        if addr == self.regs().rip {
+            if addr == 0 {
+                return Err(MwemuError::new(
+                    "return address reached after starting the call64, change rip.",
+                ));
+            } else {
+                self.regs_mut().rip = 0;
+            }
+        }
+
+        let n = args.len();
+        if n >= 1 {
+            self.regs_mut().rdi = args[0];
+        }
+        if n >= 2 {
+            self.regs_mut().rsi = args[1];
+        }
+        if n >= 3 {
+            self.regs_mut().rdx = args[2];
+        }
+        if n >= 4 {
+            self.regs_mut().rcx = args[3];
+        }
+        if n >= 5 {
+            self.regs_mut().r8 = args[4];
+        }
+        if n >= 6 {
+            self.regs_mut().r9 = args[5];
+        }
+
+        // stack pointer backup, for restoring when function returns.
+        let orig_stack = self.regs().rsp;
+
+        // padding
+        let extra_args = if n > 6 { (n - 6) * 8 } else { 0 };
+        let total = extra_args + 8;
+        let padding = (16 - (self.regs().rsp as usize + total) % 16) % 16;
+        self.regs_mut().rsp -= padding as u64;
+
+        // stack parameters
+        if n > 6 {
+            for arg in args.iter().skip(6).rev() {
+                self.stack_push64(*arg);
+            }
+        }
+
+        // return address
         let ret_addr = self.regs().rip;
         self.stack_push64(ret_addr);
+
+        // trigger function
         self.regs_mut().rip = addr;
+
+        // emulate the function until return address is reached
         self.run(Some(ret_addr))?;
+
+        // recover stack and  return rax
         self.regs_mut().rsp = orig_stack;
         Ok(self.regs().rax)
     }
 
+
     /// Start emulation until a ret instruction is found.
     /// It will return the address or MwemuError.
     #[inline]

crates/libmwemu/src/emu/execution.rs

@@ -227,7 +227,10 @@ impl Emu {
         .unwrap();
     }
 
+
     /// Initialize windows simulator, this does like init_cpu() but also setup the windows memory.
+    /// This require having the map files in place, otherwise use just init_cpu() but emu32() and
+    /// emu64() already call init_cpu()
     /// This is called from load_code if the code is a PE or shellcode.
     /// load_code_bytes() and other loading ways don't call this, if you need windows simulation call this.
     pub fn init(&mut self, clear_registers: bool, clear_flags: bool) {
@@ -381,6 +384,8 @@ impl Emu {
     pub fn init_mem32(&mut self) {
         log::info!("loading memory maps");
 
+        self.maps.is_64bits = false;
+
         let orig_path = std::env::current_dir().unwrap();
         std::env::set_current_dir(self.cfg.maps_folder.clone());
 
@@ -487,6 +492,7 @@ impl Emu {
     /// This is called from init(), this setup the 64bits windows memory simulation.
     pub fn init_mem64(&mut self) {
         log::info!("loading memory maps");
+        self.maps.is_64bits = true;
 
         /*
         let orig_path = std::env::current_dir().unwrap();

crates/libmwemu/src/emu/initialization.rs

@@ -0,0 +1,21 @@
+use crate::tests::helpers;
+use crate::*;
+
+#[test]
+// this tests the emu.call32() 
+pub fn call32() {
+    helpers::setup();
+
+    let mut emu = emu32();
+    let opcodes: Vec<u8> = vec![ //TODO: test it with 7 parameters
+        0x55, 0x89, 0xe5, 0x83, 0xec, 0x50, 0xb8, 0x37, 0x13, 0x00, 0x00, 0x83, 0xf0, 0x7b, 0xc9, 0xc3
+    ];
+    emu.set_verbose(3);
+    emu.linux = true; // otherwise I would need to set map files.
+    emu.load_code_bytes(&opcodes);
+    emu.regs_mut().rax = 0;
+    let eax = emu.call32(emu.regs().rip, &[]).unwrap();
+    assert_eq!(emu.regs().get_eax() as u32, eax);
+    assert_eq!(eax, 0x134c);
+    assert_eq!(emu.regs().rax, 0x134c);
+}

crates/libmwemu/src/tests/call32.rs

@@ -0,0 +1,24 @@
+use crate::tests::helpers;
+use crate::*;
+
+#[test]
+// this tests the emu.call64() Microsoft ABI
+pub fn call64() {
+    helpers::setup();
+
+    let mut emu = emu64();
+    let opcodes: Vec<u8> = vec![
+        0x55, 0x48, 0x89, 0xe5, 0x89, 0x7d, 0xfc, 0x89,
+        0x75, 0xf8, 0x8b, 0x55, 0xfc, 0x8b, 0x45, 0xf8,
+        0x01, 0xd0, 0x5d, 0xc3,
+    ];
+    emu.set_verbose(3);
+    emu.linux = true; // otherwise I would need to set map files.
+    emu.load_code_bytes(&opcodes);
+    emu.regs_mut().rax = 0;
+    let rax = emu.call64(emu.regs().rip, &[]).unwrap();
+    assert_eq!(emu.regs().rip, 0x3c0013);
+    // TODO: improve this test with something with microsoft ABI and more than 4 params.
+    //assert_eq!(rax, 0x134c);
+    //assert_eq!(emu.regs().rax, 0x134c);
+}

crates/libmwemu/src/tests/call64.rs

@@ -0,0 +1,30 @@
+use crate::tests::helpers;
+use crate::*;
+
+#[test]
+// this tests the emu.linux_call64() ARM ABI (used in linux calls)
+pub fn linux_call64() {
+    helpers::setup();
+
+    /*
+         int test(int p1, int p2, int p3, int p4, int p5, int p6, int p7) {
+            return p1+p2+p3+p4+p5+p6+p7;
+        }
+     */
+
+    let mut emu = emu64();
+    let opcodes: Vec<u8> = vec![
+        0x55, 0x48, 0x89, 0xe5, 0x89, 0x7d, 0xfc, 0x89, 0x75, 0xf8, 0x89, 0x55, 
+        0xf4, 0x89, 0x4d, 0xf0, 0x44, 0x89, 0x45, 0xec, 0x44, 0x89, 0x4d, 0xe8, 
+        0x8b, 0x55, 0xfc, 0x8b, 0x45, 0xf8, 0x01, 0xc2, 0x8b, 0x45, 0xf4, 0x01,
+        0xc2, 0x8b, 0x45, 0xf0, 0x01, 0xc2, 0x8b, 0x45, 0xec, 0x01, 0xc2, 0x8b,
+        0x45, 0xe8, 0x01, 0xc2, 0x8b, 0x45, 0x10, 0x01, 0xd0, 0x5d, 0xc3
+    ];
+    emu.set_verbose(0);
+    emu.linux = true;
+    emu.load_code_bytes(&opcodes);
+    emu.regs_mut().rax = 0;
+    let rax = emu.linux_call64(emu.regs().rip, &[1,2,3,4,5,6,7]).unwrap();
+    assert_eq!(rax, emu.regs().rax);
+    assert_eq!(emu.regs().rax, 1+2+3+4+5+6+7);
+}

crates/libmwemu/src/tests/linux_call64.rs

@@ -45,3 +45,6 @@ mod stress_shl2p_all;
 mod stress_shl2p_trigger;
 mod stress_shr2p_all;
 mod test_unified_step_and_run_methods;
+mod call32;
+mod call64;
+mod linux_call64;

crates/libmwemu/src/tests/mod.rs

@@ -91,10 +91,10 @@ fn main() {
         .arg(clap_arg!("flags", "", "flags", "trace the flags hex value in every instruction."))
         .arg(clap_arg!("maps", "M", "maps", "select the memory maps folder", "PATH"))
         .arg(clap_arg!("trace_registers", "r", "trace_registers", "print the register values in every step."))
-        .arg(clap_arg!("trace_register", "R", "trace_register", "trace a specific register in every step, value and content", "REGISTER1,REGISTER2"))
+        .arg(clap_arg!("register", "R", "trace_register", "trace a specific register in every step, value and content", "REGISTER1,REGISTER2"))
         .arg(clap_arg!("console", "c", "console", "select in which moment will spawn the console to inspect.", "NUMBER"))
         .arg(clap_arg!("loops", "l", "loops", "show loop interations, it is slow."))
-        .arg(clap_arg!("nocolors", "n", "nocolors", "print without colors for redirectin to a file >out"))
+        .arg(clap_arg!("nocolors", "n", "nocolors", "print without colors for redirecting to a file >out"))
         .arg(clap_arg!("string", "s", "string", "monitor string on a specific address", "ADDRESS"))
         .arg(clap_arg!("inspect", "i", "inspect", "monitor memory like: -i 'dword ptr [ebp + 0x24]", "DIRECTION"))
         //.arg(clap_arg!("endpoint", "e", "endpoint", "perform communications with the endpoint, use tor or vpn!"))
@@ -188,6 +188,7 @@ fn main() {
             .to_string();
         emu.cfg.reg_names = regs.split(',').map(|x| x.to_string()).collect();
     }
+
     if matches.is_present("string") {
         emu.cfg.trace_string = true;
         emu.cfg.string_addr = u64::from_str_radix(