iat binding alternative method, when original first thunk is zero

Author: sha0coder

Cargo.lock

@@ -23,6 +23,7 @@ pub struct FPU {
     pub f_c3: bool, // precission
     pub f_c4: bool, // stack fault
     pub mxcsr: u32,
+    pub fpu_control_word: u16,
 }
 
 impl Default for FPU {
@@ -55,6 +56,7 @@ impl FPU {
             f_c3: false, // precision
             f_c4: false, // stack fault
             mxcsr: 0,
+            fpu_control_word: 0,
         }
     }
 
@@ -74,6 +76,7 @@ impl FPU {
         self.reserved = [0; 14];
         self.reserved2 = [0; 96];
         self.xmm = [0; 16];
+        self.fpu_control_word = 0;
     }
 
     pub fn set_ctrl(&mut self, ctrl: u16) {

libmwemu/src/emu/fpu.rs

@@ -13299,6 +13299,15 @@ impl Emu {
                 self.fpu.mxcsr = value as u32;
             }
 
+            Mnemonic::Fnstcw => {
+                self.show_instruction(&self.colors.red, ins);
+
+                let addr = self.get_operand_value(ins, 0, false).unwrap_or(0);
+                if addr > 0 {
+                    self.maps.write_word(addr, self.fpu.fpu_control_word);
+                }
+            }
+
             Mnemonic::Prefetchw => {
                 self.show_instruction(&self.colors.red, ins);
             }

libmwemu/src/emu/mod.rs

@@ -513,39 +513,75 @@ impl PE64 {
     }
 
     pub fn iat_binding(&mut self, emu: &mut emu::Emu) {
-        // TODO: refactor this, instead of patching the raw and the loading it, do the iat_binding
-        // after the loading, in this way its possible to use virtual addreses instad of calculate
-        // the offset on the raw blob
-
         // https://docs.microsoft.com/en-us/archive/msdn-magazine/2002/march/inside-windows-an-in-depth-look-into-the-win32-portable-executable-file-format-part-2#Binding
 
-        log::info!(
-            "IAT binding started image_import_descriptor.len() = {} ...",
-            self.image_import_descriptor.len()
-        );
-        let mut flipflop;
+        if emu.cfg.verbose >= 1 {
+            log::info!(
+                "IAT binding started image_import_descriptor.len() = {} ...",
+                self.image_import_descriptor.len()
+            );
+        }
 
         for i in 0..self.image_import_descriptor.len() {
             let iim = &self.image_import_descriptor[i];
 
             if iim.name.is_empty() {
                 continue;
             }
-
             if emu::winapi64::kernel32::load_library(emu, &iim.name) == 0 {
                 log::info!("cannot found the library {} on maps64/", &iim.name);
                 return;
             }
 
-            // Walking function names.
-            let mut off_name =
-                PE32::vaddr_to_off(&self.sect_hdr, iim.original_first_thunk) as usize;
+            if iim.original_first_thunk == 0 {
+                self.iat_binding_alternative(emu, iim.first_thunk);
+            } else {
+                self.iat_binding_original(emu, iim.original_first_thunk, iim.first_thunk);
+            }
 
-            //log::info!("----> 0x{:x}", iim.first_thunk);
-            let mut off_addr = PE32::vaddr_to_off(&self.sect_hdr, iim.first_thunk) as usize;
-            //off_addr += 8;
+        }
+        log::info!("IAT Bound.");
+    }
+
+    pub fn iat_binding_alternative(&mut self, emu: &mut emu::Emu, first_thunk: u32) {
+        // this function is called for every DLL that in iat.
+
+        let mut off = PE32::vaddr_to_off(&self.sect_hdr, first_thunk) as usize;
+        let ordinal:u16;
+
+        loop {
+            let entry = read_u64_le!(self.raw, off); 
+            if entry == 0 {
+                break;
+            }
+            if (entry & 0x80000000_00000000) != 0 {
+                ordinal = (entry & 0xFFFF) as u16;
+                println!("---- ordinal: {}", ordinal);
+                unimplemented!("third variation of iat binding not implemented");
+
+            } else {
+                let name_rva = entry as u32;
+                let name_off = PE32::vaddr_to_off(&self.sect_hdr, name_rva) as usize;
+                let api_name = PE32::read_string(&self.raw, name_off+2);
+
+                let real_addr = emu::winapi64::kernel32::resolve_api_name(emu, &api_name);
+                if real_addr > 0 {
+                    write_u64_le!(self.raw, off, real_addr); // patch the IAT to do the binding
+                }
+            }
+
+
+            off += 8;
+        }
+    }
+
+    pub fn iat_binding_original(&mut self, emu: &mut emu::Emu, original_first_thunk: u32, first_thunk: u32) {
+            // this function is called for every DLL in iat.
 
-            flipflop = false;
+            let mut off_name =
+                PE32::vaddr_to_off(&self.sect_hdr, original_first_thunk) as usize;
+            let mut off_addr = PE32::vaddr_to_off(&self.sect_hdr, first_thunk) as usize;
+            let mut flipflop = false;
 
             loop {
                 if self.raw.len() <= off_name + 4 || self.raw.len() <= off_addr + 8 {
@@ -555,10 +591,9 @@ impl PE64 {
                 let hint = pe32::HintNameItem::load(&self.raw, off_name);
                 let addr = read_u32_le!(self.raw, off_addr); // & 0b01111111_11111111_11111111_11111111;
                 let off2 = PE32::vaddr_to_off(&self.sect_hdr, hint.func_name_addr) as usize;
+
                 if off2 == 0 {
-                    //|| addr < 0x100 {
                     off_name += pe32::HintNameItem::size();
-                    //off_addr += 8;
                     if flipflop {
                         break;
                     }
@@ -567,6 +602,7 @@ impl PE64 {
                 }
                 flipflop = false;
                 let func_name = PE32::read_string(&self.raw, off2 + 2);
+                //println!("resolving func_name: {}", func_name);
                 let real_addr = emu::winapi64::kernel32::resolve_api_name(emu, &func_name);
                 if real_addr == 0 {
                     break;
@@ -579,14 +615,12 @@ impl PE64 {
                 let fake_addr = read_u64_le!(self.raw, off_addr);
 
                 //println!("writing real_addr: 0x{:x} {} 0x{:x} -> 0x{:x} ", off_addr, func_name, fake_addr, real_addr);
-
                 write_u64_le!(self.raw, off_addr, real_addr);
 
                 off_name += pe32::HintNameItem::size();
                 off_addr += 8;
             }
-        }
-        log::info!("IAT Bound.");
+
     }
 
     pub fn import_addr_to_name(&self, paddr: u64) -> String {

libmwemu/src/emu/pe64.rs

@@ -135,6 +135,8 @@ pub fn gateway(addr: u64, emu: &mut emu::Emu) -> String {
         "GetNativeSystemInfo" => GetNativeSystemInfo(emu),
         "lstrcpyW" => lstrcpyW(emu),
         "lstrcpy" => lstrcpy(emu),
+        "GetModuleHandleA" => GetModuleHandleA(emu),
+        "GetModuleHandleW" => GetModuleHandleW(emu),
 
         _ => {
             log::info!(
@@ -352,6 +354,35 @@ pub fn load_library(emu: &mut emu::Emu, libname: &str) -> u64 {
     }
 }
 
+pub fn get_library_handle(emu: &mut emu::Emu, libname: &str) -> u64 {
+    // log::info!("kern32!load_library: {}", libname);
+
+    let mut dll = libname.to_string().to_lowercase();
+
+    if dll.is_empty() {
+        emu.regs.rax = 0;
+        return 0;
+    }
+
+    if !dll.ends_with(".dll") {
+        dll.push_str(".dll");
+    }
+
+    let mut dll_path = emu.cfg.maps_folder.clone();
+    dll_path.push('/');
+    dll_path.push_str(&dll);
+
+    match peb64::get_module_base(&dll, emu) {
+        Some(base) => {
+            return base;
+        }
+        None => {
+            // if is not linked, dont link, this is not a load_library
+            return 0;
+        }
+    }
+}
+
 fn LoadLibraryA(emu: &mut emu::Emu) {
     let dllptr = emu.regs.rcx;
     let dll = emu.maps.read_string(dllptr);
@@ -2734,3 +2765,36 @@ pub fn FindActCtxSectionStringW(emu: &mut emu::Emu) {
 
     emu.regs.rax = 0;
 }
+
+fn GetModuleHandleA(emu: &mut emu::Emu) {
+    let module_name = emu.maps.read_string(emu.regs.rcx);
+    let handle = get_library_handle(emu, &module_name);
+
+    log::info!(
+        "{}** {} kernel32!GetModuleHandleA module_name: {} handle: 0x{:x} {}",
+        emu.colors.light_red,
+        emu.pos,
+        module_name,
+        handle,
+        emu.colors.nc
+    );
+
+    emu.regs.rax = handle;
+}
+
+fn GetModuleHandleW(emu: &mut emu::Emu) {
+    let module_name = emu.maps.read_wide_string(emu.regs.rcx);
+    let handle = get_library_handle(emu, &module_name);
+
+    log::info!(
+        "{}** {} kernel32!GetModuleHandleW module_name: {} handle: 0x{:x} {}",
+        emu.colors.light_red,
+        emu.pos,
+        module_name,
+        handle,
+        emu.colors.nc
+    );
+
+    emu.regs.rax = handle;
+}
+    

libmwemu/src/emu/winapi64/kernel32.rs

@@ -12,5 +12,5 @@ crate-type = ["cdylib"]
 [dependencies]
 pyo3 = "0.18.1"
 env_logger = "0.11.6"
-#libmwemu = { path = "../libmwemu" }
-libmwemu = "0.19.4"
+libmwemu = { path = "../libmwemu" }
+#libmwemu = "0.19.4"

pymwemu/Cargo.toml

@@ -0,0 +1,38 @@
+#!/bin/bash
+
+set -x
+
+export RUST_BACKTRACE=1
+export RUST_LOG=info
+
+cargo run --release \
+    --target x86_64-apple-darwin \
+    -- \
+    --filename ~/Downloads/enigma/surprise.dll \
+    --maps ./maps64 \
+    --64bits \
+    --trace_start 0xD950920 \
+    --trace /tmp/output.csv \
+    --memory \
+    --mxcsr 0x1FC00001FA0 \
+    --stack_address 0x32C6FE000 \
+    --exit 0xD95092E \
+    --base 0x7FFBFA260000 \
+    --entry 0x7FFBFB295FF0 \
+    --rax 0x7FFBFB295FF0 \
+    --rbx 0x7FFE0385 \
+    --rcx 0x7FFBFA260000 \
+    --rdx 0x1 \
+    --rsp 0x32C6FE378 \
+    --rbp 0x32C6FE6B8 \
+    --rsi 0x1 \
+    --rdi 0x7FFE0384 \
+    --r8 0x0 \
+    --r9 0x0 \
+    --r10 0xA440AE23305F3A70 \
+    --r11 0x32C6FE3E8 \
+    --r12 0x7FFBFB295FF0 \
+    --r13 0x120136C63F0 \
+    --r14 0x7FFBFA260000 \
+    --r15 0x0 \
+    --rflags 0x344