Merge remote-tracking branch 'origin/main'

Author: acheron2302

Cargo.lock

@@ -6,21 +6,36 @@
 [![Docs.rs](https://docs.rs/libmwemu/badge.svg)](https://docs.rs/libmwemu)
 [![codecov](https://codecov.io/gh/sha0coder/mwemu/branch/main/graph/badge.svg)](https://codecov.io/gh/sha0coder/mwemu)
 
-x86 32/64bits emulator and windows/linux simulator, for securely emulating malware and other stuff. 
+
+## What is this?
+
+It's a hardware emulator + OS process simulator implemented in pure rust.
+
+This approach is very conviniento to malware analysis and other stuff (PE, shellcode etc)
+
+The OS is mainly windows, it emulates a windows process, some very basic support for linux.
+
+The hardware is x86 32/64bits it's fast and reliable.
+
 
 ![MWEMU Logo](./docs/pics/mwemu_logo.png)
 
-## Some Videos
+## Three ways of using the software
 
-https://www.youtube.com/@JesusOlmos-wm8ch/videos
+- mwemu commandline https://github.com/sha0coder/mwemu
+- libmwemu crate https://crates.io/crates/libmwemu
+- pymwemu https://pypi.org/project/pymwemu/
 
-https://www.youtube.com/watch?v=yJ3Bgv3maq0
 
-## Automation
+## note about scemu
 
-Python apps https://pypi.org/search/?q=pymwemu
+The project was renamed from scemu to mwemu.
 
-Rust apps https://crates.io/crates/libmwemu
+## Some Videos
+
+[r2con2025](https://www.youtube.com/watch?v=-TFL-_-nIqA) using radare2 from mwemu for doing static analisys and visualization inside an emulation moment.
+
+[some demos](https://www.youtube.com/@JesusOlmos-wm8ch/videos)
 
 ## Features
 
@@ -80,6 +95,12 @@ Rust apps https://crates.io/crates/libmwemu
 - gozi bss decrypt and dga predictor.
 
 
+## Capture an emulation moment
+
+During the emulation you can see the numer of cpu insturctions emulated, that's an unique ID for an emulation moment.
+
+With -c flag you stop the emulation in a specific moment and inspect what is going on with the console.
+
 ## Usage
 
 ```

README.md

@@ -1,6 +1,6 @@
 [package]
 name = "libmwemu"
-version = "0.22.1"
+version = "0.22.2"
 edition = "2018"
 authors = ["sha0coder"]
 license = "MIT"

crates/libmwemu/Cargo.toml

@@ -43,6 +43,15 @@ pub const ERROR_BUFFER_OVERFLOW: u64 = 0x6f;
 pub const ERROR_INVALID_PARAMETER: u64 = 0x57;
 pub const ERROR_INSUFFICIENT_BUFFER: u64 = 0x7a;
 
+
+pub const HRESULT_E_INVALID_ARG: u64 = 0x80070057;
+/*
+ * HRESULT STRUCTURE:
+ * 0x8 -> severity: error
+ * 0x007 -> facility: FACILITY_WIN32
+ * 0x0057 -> ERROR_INVALID_PARAMETER
+*/
+
 pub const CP_UTF7: u64 = 65000;
 pub const CP_UTF8: u64 = 65001;
 

crates/libmwemu/src/constants.rs

@@ -30,6 +30,7 @@ pub struct SerializableThreadContext {
     pub fls: Vec<u32>,
     pub fs: BTreeMap<u64, u64>,
     pub call_stack: Vec<(u64, u64)>, // the first address is the source of the call location and the second address is the destination of the call
+    pub handle: u64
 }
 
 impl From<&ThreadContext> for SerializableThreadContext {
@@ -56,6 +57,7 @@ impl From<&ThreadContext> for SerializableThreadContext {
             fls: thread.fls.clone(),
             fs: thread.fs.clone(),
             call_stack: thread.call_stack.clone(),
+            handle: thread.handle
         }
     }
 }
@@ -84,6 +86,7 @@ impl From<SerializableThreadContext> for ThreadContext {
             fls: serialized.fls,
             fs: serialized.fs,
             call_stack: serialized.call_stack,
+            handle: serialized.handle,
         }
     }
 }

crates/libmwemu/src/serialization/thread_context.rs

@@ -25,6 +25,7 @@ pub struct ThreadContext {
     pub fls: Vec<u32>,
     pub fs: BTreeMap<u64, u64>,
     pub call_stack: Vec<(u64, u64)>,
+    pub handle: u64,
 }
 
 impl ThreadContext {
@@ -51,6 +52,7 @@ impl ThreadContext {
             fls: Vec::new(),
             fs: BTreeMap::new(),
             call_stack: Vec::with_capacity(10000),
+            handle: 0
         }
     }
 }

crates/libmwemu/src/thread_context.rs

@@ -345,6 +345,7 @@ pub use wide_char_to_multi_byte::*;
 pub use win_exec::*;
 pub use write_file::*;
 pub use write_process_memory::*;
+use crate::emu::Emu;
 
 pub fn gateway(addr: u32, emu: &mut emu::Emu) -> String {
     let api = guess_api_name(emu, addr);
@@ -390,6 +391,7 @@ pub fn gateway(addr: u32, emu: &mut emu::Emu) -> String {
         "FreeLibrary" => FreeLibrary(emu),
         "FreeResource" => FreeResource(emu),
         "GetACP" => GetACP(emu),
+        "GetThreadId" => GetThreadId(emu),
         "GetCommandLineA" => GetCommandLineA(emu),
         "GetCommandLineW" => GetCommandLineW(emu),
         "GetComputerNameA" => GetComputerNameA(emu),
@@ -545,6 +547,26 @@ pub fn gateway(addr: u32, emu: &mut emu::Emu) -> String {
     String::new()
 }
 
+fn GetThreadId(emu: &mut Emu) {
+    let hndl = emu
+        .maps
+        .read_dword(emu.regs().get_esp() + 4)
+        .expect("kernel32!GetThreadId bad handle parameter") as u64;
+
+    emu.stack_pop32(false);
+
+
+    for i in 0..emu.threads.len() {
+        if emu.threads[i].handle == hndl {
+            emu.regs_mut().rax = emu.threads[i].id;
+            log_red!(emu, "kernel32!GetThreadId hndl:{} (requested handle exists and its tid {})", hndl, emu.threads[i].id);
+            return;
+        }
+    }
+    log_red!(emu, "kernel32!GetThreadId hndl:{} (requested handle doesn't exist, returning a fake handle for now but should return zero.)", hndl);
+    emu.regs_mut().rax = 0x2c2878; // if handle not found should return zero.
+}
+
 lazy_static! {
     static ref COUNT_READ: Mutex<u32> = Mutex::new(0);
     static ref COUNT_WRITE: Mutex<u32> = Mutex::new(0);

crates/libmwemu/src/winapi/winapi32/kernel32/mod.rs

@@ -9,6 +9,8 @@ use crate::winapi::winapi32::kernel32;
 
 use crate::maps::mem64::Permission;
 use scan_fmt::scan_fmt_some;
+use crate::emu::Emu;
+use crate::winapi::winapi64::kernel32::InitializeCriticalSection;
 
 const PAGE_NOACCESS: u32 = 0x01;
 const PAGE_READONLY: u32 = 0x02;
@@ -36,6 +38,8 @@ pub fn gateway(addr: u32, emu: &mut emu::Emu) -> String {
         "NtQueryPerformanceCounter" => NtQueryPerformanceCounter(emu),
         "RtlGetProcessHeaps" => RtlGetProcessHeaps(emu),
         "RtlDosPathNameToNtPathName_U" => RtlDosPathNameToNtPathName_U(emu),
+        "RtlInitializeCriticalSection" => InitializeCriticalSection(emu),
+        "RtlZeroMemory" => RtlZeroMemory(emu),
         "NtCreateFile" => NtCreateFile(emu),
         "RtlFreeHeap" => RtlFreeHeap(emu),
         "NtQueryInformationFile" => NtQueryInformationFile(emu),
@@ -80,6 +84,26 @@ pub fn gateway(addr: u32, emu: &mut emu::Emu) -> String {
     String::new()
 }
 
+fn RtlZeroMemory(emu: &mut Emu) {
+    let dest = emu
+        .maps
+        .read_dword(emu.regs().get_esp() + 4)
+        .expect("bad RtlZeroMemory address pointer parameter") as u64;
+    let length = emu
+        .maps
+        .read_dword(emu.regs().get_esp() + 8)
+        .expect("bad RtlZeroMemory address length parameter") as u64;
+
+    log_red!(
+        emu,
+        "ntdll!RtlZeroMemory dest: 0x{:x} length: {}",
+        dest,
+        length
+    );
+
+    emu.maps.memset(dest, 0, length as usize);
+}
+
 fn NtAllocateVirtualMemory(emu: &mut emu::Emu) {
     /*
         __kernel_entry NTSYSCALLAPI NTSTATUS NtAllocateVirtualMemory(

crates/libmwemu/src/winapi/winapi32/ntdll.rs

@@ -63,6 +63,119 @@ lazy_static! {
     static ref COUNT_RECV: Mutex<u32> = Mutex::new(0);
 }
 
+fn getaddrinfo(emu: &mut emu::Emu) {
+    let node_name_ptr = emu
+        .maps
+        .read_dword(emu.regs().get_esp() + 4)
+        .expect("ws2_32!getaddrinfo cannot read node_name_ptr");
+    let service_name_ptr = emu
+        .maps
+        .read_dword(emu.regs().get_esp() + 8)
+        .expect("ws2_32!getaddrinfo cannot read service_name_ptr");
+    let hints_ptr = emu
+        .maps
+        .read_dword(emu.regs().get_esp() + 12)
+        .expect("ws2_32!getaddrinfo cannot read hints_ptr");
+    let result_ptr_ptr = emu
+        .maps
+        .read_dword(emu.regs().get_esp() + 16)
+        .expect("ws2_32!getaddrinfo cannot read result_ptr_ptr");
+
+    let node_name = if node_name_ptr != 0 {
+        emu.maps.read_string(node_name_ptr as u64)
+    } else {
+        "NULL".to_string()
+    };
+
+    let service_name = if service_name_ptr != 0 {
+        emu.maps.read_string(service_name_ptr as u64)
+    } else {
+        "NULL".to_string()
+    };
+
+    log_red!(emu, "ws2_32!getaddrinfo node: `{}` service: `{}`", node_name, service_name);
+
+    // Read hints if provided
+    let mut hints_flags = 0;
+    let mut hints_family = 0;
+    let mut hints_socktype = 0;
+    let mut hints_protocol = 0;
+
+    if hints_ptr != 0 {
+        hints_flags = emu.maps.read_dword(hints_ptr as u64).unwrap_or(0) as i32;
+        hints_family = emu.maps.read_dword((hints_ptr + 4) as u64).unwrap_or(0) as i32;
+        hints_socktype = emu.maps.read_dword((hints_ptr + 8) as u64).unwrap_or(0) as i32;
+        hints_protocol = emu.maps.read_dword((hints_ptr + 12) as u64).unwrap_or(0) as i32;
+    }
+
+    // Create a dummy ADDRINFO structure
+    let addrinfo_size = 48; // Size of ADDRINFOA structure (approximate)
+    let sockaddr_in_size = 16; // Size of sockaddr_in structure
+
+    // Allocate memory for the result
+    let heap_management = emu.heap_management.as_mut().unwrap();
+    let addrinfo_addr = heap_management.allocate((addrinfo_size + sockaddr_in_size + 100) as usize).unwrap();
+    let sockaddr_addr = addrinfo_addr + addrinfo_size;
+    let canonname_addr = sockaddr_addr + sockaddr_in_size;
+
+    // Create a dummy sockaddr_in (IPv4 address 127.0.0.1, port based on service)
+    let ip_addr = 0x0100007f; // 127.0.0.1 in network byte order
+
+    // Determine port based on service name
+    let port = if service_name == "http" || service_name == "80" {
+        80u16
+    } else if service_name == "https" || service_name == "443" {
+        443u16
+    } else if service_name == "ftp" || service_name == "21" {
+        21u16
+    } else if service_name == "ssh" || service_name == "22" {
+        22u16
+    } else if service_name == "smtp" || service_name == "25" {
+        25u16
+    } else if service_name == "dns" || service_name == "53" {
+        53u16
+    } else {
+        service_name.parse().unwrap_or(80u16)
+    };
+
+    // Write sockaddr_in structure
+    emu.maps.write_word(sockaddr_addr, 2); // AF_INET = 2
+    emu.maps.write_word(sockaddr_addr + 2, port.to_be()); // Port in network byte order
+    emu.maps.write_dword(sockaddr_addr + 4, ip_addr); // IP address (127.0.0.1)
+    emu.maps.memset(sockaddr_addr + 8, 0, 8); // Zero out the rest
+
+    // Write ADDRINFO structure
+    emu.maps.write_dword(addrinfo_addr, hints_flags as u32); // ai_flags
+    emu.maps.write_dword(addrinfo_addr + 4, if hints_family != 0 { hints_family as u32 } else { 2 }); // ai_family (AF_INET)
+    emu.maps.write_dword(addrinfo_addr + 8, if hints_socktype != 0 { hints_socktype as u32 } else { 1 }); // ai_socktype (SOCK_STREAM)
+    emu.maps.write_dword(addrinfo_addr + 12, if hints_protocol != 0 { hints_protocol as u32 } else { 6 }); // ai_protocol (IPPROTO_TCP)
+    emu.maps.write_qword(addrinfo_addr + 16, sockaddr_in_size as u64); // ai_addrlen
+    emu.maps.write_qword(addrinfo_addr + 24, canonname_addr); // ai_canonname
+    emu.maps.write_qword(addrinfo_addr + 32, sockaddr_addr); // ai_addr
+
+    // Set ai_canonname to the node name or "localhost"
+    let canon_name = if node_name == "NULL" || node_name.is_empty() || node_name == "localhost" {
+        "localhost.localdomain".to_string()
+    } else if node_name == "127.0.0.1" {
+        "localhost".to_string()
+    } else {
+        format!("{}.localdomain", node_name)
+    };
+    emu.maps.write_string(canonname_addr, &canon_name);
+
+    // ai_next is NULL (end of list)
+    emu.maps.write_qword(addrinfo_addr + 40, 0);
+
+    // Store the result pointer in the ppResult parameter
+    emu.maps.write_qword(result_ptr_ptr as u64, addrinfo_addr);
+
+    log::info!("\tcreated dummy ADDRINFO for {}:{} at 0x{:x}", node_name, service_name, addrinfo_addr);
+    log::info!("\tsockaddr at 0x{:x}, canonname at 0x{:x}", sockaddr_addr, canonname_addr);
+
+    // Return 0 for success (WSA error code)
+    emu.regs_mut().rax = 0;
+}
+
 fn WsaStartup(emu: &mut emu::Emu) {
     log_red!(emu, "ws2_32!WsaStartup");
 

crates/libmwemu/src/winapi/winapi32/ws2_32.rs

@@ -0,0 +1,16 @@
+use crate::emu;
+use crate::constants;
+
+pub fn api_DeviceIoControl(emu: &mut emu::Emu) {
+    let hDevice = emu.regs().rcx;
+    let dwIoControlCode = emu.regs().rdx;
+    let lpInBuffer = emu.regs().r8;
+    let lpOutBuffer = emu.regs().r9;
+    let rsp = emu.regs().rsp;
+    let nOutBufferSize = emu.maps.read_qword(rsp + 0x20).expect("DeviceIoControl arg6 stack error.");
+    let lpBytesReturned = emu.maps.read_qword(rsp + 0x28).expect("DeviceIoControl arg7 stack error.");
+
+    log_red!(emu, "kernel32!DeviceIoControl hDev: 0x{:x} code: 0x{:x} buff: 0x{:x}", hDevice, dwIoControlCode, lpInBuffer);
+
+    emu.regs_mut().rax = constants::TRUE;
+}