SCEMU: the crates.io lib, an x86 CPU and systems emulator focused mainly on anti-malware.
[
{
"i": 2968,
"iHex": "b98",
"x64dbgLine": {
"rawLine": {
"Index": "00B98",
"Address": "0000000144EC1D68",
"Bytes": "81DB 335E463C",
"Disassembly": "sbb ebx,3C465E33",
"Registers": "rbx: FFFFFFFFFFFFC81D-> C3B969E9",
"Memory": "",
"Comments": ""
},
"rip": "144ec1d68",
"registerChanges": [
{
"registerName": "rbx",
"previousValue": "ffffffffffffc81d",
"newValue": "c3b969e9"
}
],
"memoryChanges": []
},
"scemuLine": {
"rawLine": {
"diffRegLine": "diff_reg: pos = 2968 rip = 144ec1d68 rbx ffffffffffffc81d -> c3b969ea;",
"memTraceLines": []
},
"position": "b98",
"rip": "144ec1d68",
"registerChanges": [
{
"registerName": "rbx",
"previousValue": "ffffffffffffc81d",
"newValue": "c3b969ea"
}
],
"memoryChanges": []
},
"instructionErrors": [
{
"index": 0,
"message": "newValue mismatch",
"x64dbg": "c3b969e9",
"scemu": "c3b969ea"
}
]
},
58 0x144ff95ae: lahf
diff_flags: rip = 144ff95ae
diff_reg: rip = 144ff95ae rax e6668424 -> e6661624;
rax: 0xe6661624 rbx: 0x0 rcx: 0x140000000 rdx: 0x1bc2b rsi: 0x20a4 rdi: 0x44e4725a rbp: 0x7ffe0000 rsp: 0x14f410
r8: 0x0 r9: 0x20000 r10: 0x7ffe0384 r11: 0x246 r12: 0x1448a76a4 r13: 0x0 r14: 0x140000000 r15: 0x0
r8u: 0x0 r9u: 0x0 r10u: 0x0 r11u: 0x0 r12u: 0x1 r13u: 0x0 r14u: 0x1 r15u: 0x0
r8d: 0x0 r9d: 0x20000 r10d: 0x7ffe0384 r11d: 0x246 r12d: 0x448a76a4 r13d: 0x0 r14d: 0x40000000 r15d: 0x0
r8w: 0x0 r9w: 0x0 r10w: 0x384 r11w: 0x246 r12w: 0x76a4 r13w: 0x0 r14w: 0x0 r15w: 0x0
r8l: 0x0 r9l: 0x0 r10l: 0x84 r11l: 0x46 r12l: 0xa4 r13l: 0x0 r14l: 0x0 r15l: 0x0
zf: false pf: true af: true of: false sf: false df: false cf: false tf: false if: false nt: false
{
"i": 436,
"x64dbgLine": {
"rawLine": {
"Index": "001B4",
"Address": "0000000144FF3291",
"Bytes": "41:0F9AC2",
"Disassembly": "setp r10b",
"Registers": "r10: 8C17F301-> 8C17F300",
"Memory": "",
"Comments": ""
},
"rip": "144ff3291",
"registerChanges": [
{
"registerName": "r10",
"previousValue": "8c17f301",
"newValue": "8c17f300"
}
],
"memoryChanges": []
},
"scemuLine": {
"rawLine": "diff_reg: rip = 144ff3291",
"rip": "144ff3291",
"registerChanges": [],
"memoryChanges": []
},
"instructionErrors": [
{
"index": 0,
"message": "unmatchedRegisterChange mismatch (x64dbg but not scemu)",
"x64dbg": "r10"
}
]
},
{
"i": 3165,
"iHex": "c5d",
"x64dbgLine": {
"rawLine": {
"Index": "00C5D",
"Address": "0000000144F474DB",
"Bytes": "9F",
"Disassembly": "lahf ",
"Registers": "rax: 8000000-> 8008300",
"Memory": "",
"Comments": ""
},
"rip": "144f474db",
"registerChanges": [
{
"registerName": "rax",
"previousValue": "8000000",
"newValue": "8008300"
}
],
"memoryChanges": []
},
"scemuLine": {
"rawLine": {
"diffRegLine": "diff_reg: pos = 3165 rip = 144f474db rax 8000000 -> 8009300;",
"memTraceLines": []
},
"position": "c5d",
"rip": "144f474db",
"registerChanges": [
{
"registerName": "rax",
"previousValue": "8000000",
"newValue": "8009300"
}
],
"memoryChanges": []
},
"instructionErrors": [
{
"index": 0,
"message": "newValue mismatch",
"x64dbg": "8008300",
"scemu": "8009300"
}
]
},
{
"i": 1712,
"iHex": "6b0",
"x64dbgLine": {
"rawLine": {
"Index": "006B0",
"Address": "0000000144FF06A9",
"Bytes": "41:0F92C3",
"Disassembly": "setb r11b",
"Registers": "r11: 74256658F93A644C-> 74256658F93A6400",
"Memory": "",
"Comments": ""
},
"rip": "144ff06a9",
"registerChanges": [
{
"registerName": "r11",
"previousValue": "74256658f93a644c",
"newValue": "74256658f93a6400"
}
],
"memoryChanges": []
},
"scemuLine": {
"rawLine": {
"diffRegLine": "diff_reg: pos = 1712 rip = 144ff06a9 r11 74256658f93a644c -> 74256658f93a6401;",
"memTraceLines": []
},
"position": "6b0",
"rip": "144ff06a9",
"registerChanges": [
{
"registerName": "r11",
"previousValue": "74256658f93a644c",
"newValue": "74256658f93a6401"
}
],
"memoryChanges": []
},
"instructionErrors": [
{
"index": 0,
"message": "newValue mismatch",
"x64dbg": "74256658f93a6400",
"scemu": "74256658f93a6401"
}
]
},
{
"i": 124,
"x64dbgLine": {
"rawLine": {
"Index": "0007C",
"Address": "0000000144ED425D",
"Bytes": "0FBFC0",
"Disassembly": "movsx eax,ax",
"Registers": "rax: FFFFFFFFFFEDAAC2-> FFFFAAC2",
"Memory": "",
"Comments": ""
},
"rip": "144ed425d",
"registerChanges": [
{
"registerName": "rax",
"previousValue": "ffffffffffedaac2",
"newValue": "ffffaac2"
}
],
"memoryChanges": []
},
"scemuLine": {
"rawLine": "diff_reg: rip = 144ed425d rax ffffffffffedaac2 -> ffc2;",
"rip": "144ed425d",
"registerChanges": [
{
"registerName": "rax",
"previousValue": "ffffffffffedaac2",
"newValue": "ffc2"
}
],
"memoryChanges": []
},
"instructionErrors": [
{
"index": 0,
"message": "newValue mismatch",
"x64dbg": "ffffaac2",
"scemu": "ffc2"
}
]
},
{
"i": 299,
"x64dbgLine": {
"rawLine": {
"Index": "0012B",
"Address": "0000000144F4B884",
"Bytes": "41:0FACC2 E4",
"Disassembly": "shrd r10d,eax,E4",
"Registers": "r10: FFFFFFFFFFFB0000-> 6FFFB000",
"Memory": "",
"Comments": ""
},
"rip": "144f4b884",
"registerChanges": [
{
"registerName": "r10",
"previousValue": "fffffffffffb0000",
"newValue": "6fffb000"
}
],
"memoryChanges": []
},
"scemuLine": {
"rawLine": "diff_reg: rip = 144f4b884 r10 fffffffffffb0000 -> 6fffb00e;",
"rip": "144f4b884",
"registerChanges": [
{
"registerName": "r10",
"previousValue": "fffffffffffb0000",
"newValue": "6fffb00e"
}
],
"memoryChanges": []
},
"instructionErrors": [
{
"index": 0,
"message": "newValue mismatch",
"x64dbg": "6fffb000",
"scemu": "6fffb00e"
}
]
},
Do I need to hardcode it for undefined behavior?
{
"i": 83,
"x64dbgLine": {
"rawLine": {
"Index": "00053",
"Address": "0000000144FF961A",
"Bytes": "66:0FBCC4",
"Disassembly": "bsf ax,sp",
"Registers": "rax: B5CF-> 4",
"Memory": "",
"Comments": ""
},
"rip": "144ff961a",
"registerChanges": [
{
"registerName": "rax",
"previousValue": "b5cf",
"newValue": "4"
}
],
"memoryChanges": []
},
"scemuLine": {
"rawLine": "diff_reg: rip = 144ff961a rax b5cf -> 3;",
"rip": "144ff961a",
"registerChanges": [
{
"registerName": "rax",
"previousValue": "b5cf",
"newValue": "3"
}
],
"memoryChanges": []
},
"instructionErrors": [
{
"index": 0,
"message": "newValue mismatch",
"x64dbg": "4",
"scemu": "3"
}
]
},
84 0x144ff961a: bsf ax,sp
bsf: src = f290 sz = 16 dest = 3 bitpos = 4
diff_flags: rip = 144ff961a f_zf 1 -> 0;
diff_reg: rip = 144ff961a rax b5cf -> 3;
rax: 0x3 rbx: 0x0 rcx: 0x140000000 rdx: 0x100000000 rsi: 0x14f410 rdi: 0x144e4725a rbp: 0x144ff960c rsp: 0x14f290
Hiya @sha0coder!
I wanted to drop a line and say thanks again for making scemu a lib and for improving performance. I have experienced an improvement from 500-600ms to 100-150ms, so color me happy.
I also wanted to ask if you have any interest in adding a method to load bytes from memory instead of from a file (which makes total sense when dealing with a shell, but as a lib the byte code can come from snippets that don't exist in an external file).
I've been using:
/// Replaces the backing buffer of `map` with a copy of `bytes` and moves the
/// map's bottom to `base + bytes.len()`.
///
/// Always returns `true`: neither the length nor the `base + len` addition is
/// checked here, so a caller's failure branch cannot be reached through this
/// function as written.
fn load_bytes(map: &mut Mem64, bytes: &[u8]) -> bool {
    // Same conversion as `bytes.len().try_into().unwrap()` with a u64 target.
    let len = u64::try_from(bytes.len()).unwrap();
    let new_bottom = map.get_base() + len;
    map.set_bottom(new_bottom);
    map.mem = bytes.to_vec();
    true
}
/// Loads `bytes` into the emulator's "code" map, logging when `cfg.verbose >= 1`.
///
/// If `load_bytes` reports failure, a message is printed and the whole process
/// is terminated with status 1. Note that `load_bytes` as shown above always
/// returns `true`, so that branch is unreachable with it; in a library, an
/// error return would normally be preferable to `process::exit`.
fn load_code_bytes(emu: &mut Emu, bytes: &[u8]) {
    let verbose = emu.cfg.verbose >= 1;
    if verbose {
        println!("Loading shellcode from bytes");
    }
    let code_map = emu.maps.get_mem("code");
    let loaded = load_bytes(code_map, bytes);
    if loaded {
        return;
    }
    println!("shellcode not found!");
    std::process::exit(1);
}
I had `load_code_bytes` as a method on `Emu` when I was using the scemu code; with the lib, the above has worked, but it would be nice to have it as a method again.
https://github.com/copy/v86 what could we do this?
{
"i": 313,
"x64dbgLine": {
"rawLine": {
"Index": "00139",
"Address": "0000000144F4B8B4",
"Bytes": "41:80D2 7F",
"Disassembly": "adc r10b,7F",
"Registers": "r10: 0-> 7F",
"Memory": "",
"Comments": ""
},
"rip": "144f4b8b4",
"registerChanges": [
{
"registerName": "r10",
"previousValue": "0",
"newValue": "7f"
}
],
"memoryChanges": []
},
"scemuLine": {
"rawLine": "diff_reg: rip = 144f4b8b4 r10 0 -> 80;",
"rip": "144f4b8b4",
"registerChanges": [
{
"registerName": "r10",
"previousValue": "0",
"newValue": "80"
}
],
"memoryChanges": []
},
"instructionErrors": [
{
"index": 0,
"message": "newValue mismatch",
"x64dbg": "7f",
"scemu": "80"
}
]
},
80 0x144ff9608: rcl ax,0FBh
rcl: op_count = 2 value0 = 4625 value1 = fb sz = 17 result = 4a23
diff_flags: rip = 144ff9608 f_pf 1 -> 0;
diff_reg: rip = 144ff9608 rax 4625 -> 4a23;
rax: 0x4a23 rbx: 0x0 rcx: 0x140000000 rdx: 0x100000000 rsi: 0x14f410 rdi: 0x144e4725a rbp: 0x7ffe0000
{
"i": 79,
"x64dbgLine": {
"rawLine": {
"Index": "0004F",
"Address": "0000000144FF9608",
"Bytes": "66:C1D0 FB",
"Disassembly": "rcl ax,FB",
"Registers": "rax: 4625-> 948C",
"Memory": "",
"Comments": ""
},
"rip": "144ff9608",
"registerChanges": [
{
"registerName": "rax",
"previousValue": "4625",
"newValue": "948c"
}
],
"memoryChanges": []
},
"scemuLine": {
"rawLine": "diff_reg: rip = 144ff9608 rax 4625 -> 4a23;",
"rip": "144ff9608",
"registerChanges": [
{
"registerName": "rax",
"previousValue": "4625",
"newValue": "4a23"
}
],
"memoryChanges": []
},
"instructionErrors": [
{
"index": 0,
"message": "newValue mismatch",
"x64dbg": "948c",
"scemu": "4a23"
}
]
}
{
"i": 193,
"x64dbgLine": {
"rawLine": {
"Index": "000C1",
"Address": "0000000144FE414F",
"Bytes": "41:0FBAFA DF",
"Disassembly": "btc r10d,DF",
"Registers": "r10: 4E-> 8000004E",
"Memory": "",
"Comments": ""
},
"rip": "144fe414f",
"registerChanges": [
{
"registerName": "r10",
"previousValue": "4e",
"newValue": "8000004e"
}
],
"memoryChanges": []
},
"scemuLine": {
"rawLine": "diff_reg: rip = 144fe414f",
"rip": "144fe414f",
"registerChanges": [],
"memoryChanges": []
},
"instructionErrors": [
{
"index": 0,
"message": "unmatchedRegisterChange mismatch (x64dbg but not scemu)",
"x64dbg": "r10"
}
]
},
{
"i": 1252,
"x64dbgLine": {
"rawLine": {
"Index": "004E4",
"Address": "0000000144ECEC34",
"Bytes": "9F",
"Disassembly": "lahf ",
"Registers": "rax: 448A7601-> 448A1301",
"Memory": "",
"Comments": ""
},
"rip": "144ecec34",
"registerChanges": [
{
"registerName": "rax",
"previousValue": "448a7601",
"newValue": "448a1301"
}
],
"memoryChanges": []
},
"scemuLine": {
"rawLine": {
"diffRegLine": "diff_reg: pos = 1252 rip = 144ecec34 rax 448a7601 -> 448a0301;",
"diffFlagLines": [
{
"rawLine": "diff_flags: pos = 1252 rip = 144ecec34 in = 203 out = 203",
"position": "4e4",
"rip": "144ecec34"
}
],
"memTraceLines": []
},
"position": "4e4",
"rip": "144ecec34",
"registerChanges": [
{
"registerName": "rax",
"previousValue": "448a7601",
"newValue": "448a0301"
}
],
"memoryChanges": []
},
"instructionErrors": [
{
"index": 0,
"message": "newValue mismatch",
"x64dbg": "448a1301",
"scemu": "448a0301"
}
]
},
I need to be able to diff x64dbg CSV trace output (which tracks memory writes as well as register writes) to see when we are writing the wrong value to memory (we currently are).
{
"i": 3356,
"x64dbgLine": {
"rawLine": {
"Index": "00D1C",
"Address": "0000000144FCC57B",
"Bytes": "4C:8B0E",
"Disassembly": "mov r9,qword ptr ds:[rsi]",
"Registers": "r9: FFFFFFFFFFF9ECA2-> 203",
"Memory": "000000000014F480: 203-> 203",
"Comments": ""
},
"rip": "144fcc57b",
"registerChanges": [
{
"registerName": "r9",
"previousValue": "fffffffffff9eca2",
"newValue": "203"
}
],
"memoryChanges": [
{
"address": "14f480",
"previousValue": "203",
"newValue": "203"
}
]
},
"scemuLine": {
"rawLine": {
"diffRegLine": "diff_reg: pos = 3356 rip = 144fcc57b r9 fffffffffff9eca2 -> 213;",
"diffFlagLines": [
{
"rawLine": "diff_flags: pos = 3356 rip = 144fcc57b in = 206 out = 206",
"position": "d1c",
"rip": "144fcc57b"
}
],
"memTraceLines": []
},
"position": "d1c",
"rip": "144fcc57b",
"registerChanges": [
{
"registerName": "r9",
"previousValue": "fffffffffff9eca2",
"newValue": "213"
}
],
"memoryChanges": []
},
"instructionErrors": [
{
"index": 0,
"message": "newValue mismatch",
"x64dbg": "203",
"scemu": "213"
}
]
},
121 0x144ed424a: bsf ax,r12w
diff_flags: rip = 144ed424a
diff_reg: rip = 144ed424a rax ffffffffffedaca5 -> ffffffffffed0002;
rax: 0xffffffffffed0002 rbx: 0x0 rcx: 0x140000000 rdx: 0x100000000 rsi: 0x14f418 rdi: 0x144e47256 rbp: 0x144ed4239 rsp: 0x14f290
r8: 0x0 r9: 0x0 r10: 0x7ffe0384 r11: 0x1bb09de77 r12: 0x1448a76a4 r13: 0x0 r14: 0x140000000 r15: 0x0
r8d: 0x0 r9d: 0x0 r10d: 0x7ffe0384 r11d: 0xbb09de77 r12d: 0x448a76a4 r13d: 0x0 r14d: 0x40000000 r15d: 0x0
r8l: 0x0 r9l: 0x0 r10l: 0x84 r11l: 0x77 r12l: 0xa4 r13l: 0x0 r14l: 0x0 r15l: 0x0
r8w: 0x0 r9w: 0x0 r10w: 0x384 r11w: 0xde77 r12w: 0x76a4 r13w: 0x0 r14w: 0x0 r15w: 0x0
cf: true pf: true af: false zf: false sf: false tf: false if: false df: false of: false nt: false
122 0x144ed424f: adc r10,rbx
diff_flags: rip = 144ed424f f_cf 1 -> 0; f_pf 1 -> 0;
diff_reg: rip = 144ed424f r10 7ffe0384 -> 7ffe0385;
rax: 0xffffffffffed0002 rbx: 0x0 rcx: 0x140000000 rdx: 0x100000000 rsi: 0x14f418 rdi: 0x144e47256 rbp: 0x144ed4239 rsp: 0x14f290
r8: 0x0 r9: 0x0 r10: 0x7ffe0385 r11: 0x1bb09de77 r12: 0x1448a76a4 r13: 0x0 r14: 0x140000000 r15: 0x0
r8d: 0x0 r9d: 0x0 r10d: 0x7ffe0385 r11d: 0xbb09de77 r12d: 0x448a76a4 r13d: 0x0 r14d: 0x40000000 r15d: 0x0
r8l: 0x0 r9l: 0x0 r10l: 0x85 r11l: 0x77 r12l: 0xa4 r13l: 0x0 r14l: 0x0 r15l: 0x0
r8w: 0x0 r9w: 0x0 r10w: 0x385 r11w: 0xde77 r12w: 0x76a4 r13w: 0x0 r14w: 0x0 r15w: 0x0
cf: false pf: false af: false zf: false sf: false tf: false if: false df: false of: false nt: false
{
"i": 791,
"x64dbgLine": {
"rawLine": {
"Index": "00317",
"Address": "0000000144EDDDA7",
"Bytes": "45:0F48D4",
"Disassembly": "cmovs r10d,r12d",
"Registers": "r10: FFFFFFFFFFEE0001-> FFEE0001",
"Memory": "",
"Comments": ""
},
"rip": "144eddda7",
"registerChanges": [
{
"registerName": "r10",
"previousValue": "ffffffffffee0001",
"newValue": "ffee0001"
}
],
"memoryChanges": []
},
"scemuLine": {
"rawLine": "diff_reg: rip = 144eddda7",
"rip": "144eddda7",
"registerChanges": [],
"memoryChanges": []
},
"instructionErrors": [
{
"index": 0,
"message": "unmatchedRegisterChange mismatch (x64dbg but not scemu)",
"x64dbg": "r10"
}
]
},
{
"i": 1425,
"iHex": "591",
"x64dbgLine": {
"rawLine": {
"Index": "00591",
"Address": "0000000144FDFF35",
"Bytes": "4C:8B0E",
"Disassembly": "mov r9,qword ptr ds:[rsi]",
"Registers": "r9: 1DB36B3A-> 257",
"Memory": "000000000014F498: 257-> 257",
"Comments": ""
},
"rip": "144fdff35",
"registerChanges": [
{
"registerName": "r9",
"previousValue": "1db36b3a",
"newValue": "257"
}
],
"memoryChanges": [
"000000000014F498: 257-> 257"
]
},
"scemuLine": {
"rawLine": "diff_reg: rip = 144fdff35 r9 1db36b3a -> 246;",
"rip": "144fdff35",
"registerChanges": [
{
"registerName": "r9",
"previousValue": "1db36b3a",
"newValue": "246"
}
],
"memoryChanges": []
},
"instructionErrors": [
{
"index": 0,
"message": "newValue mismatch",
"x64dbg": "257",
"scemu": "246"
}
]
},
1124 mem trace read 64 bits -> 0x14f498: 0x1448a76ae map:'stack'
1318 mem trace write 64 bits -> 0x14f498: 0x144fa54dc map:'stack'
1355 mem trace read 64 bits -> 0x14f498: 0x144fa54dc map:'stack'
1358 mem trace write 64 bits -> 0x14f498: 0x8bda99a706d29452 map:'stack'
1387 mem trace read 64 bits -> 0x14f498: 0x8bda99a706d29452 map:'stack'
1402 mem trace write 64 bits -> 0x14f498: 0x246 map:'stack'
1426 mem trace read 64 bits -> 0x14f498: 0x246 map:'stack'
2266 mem trace write 64 bits -> 0x14f498: 0x14f4a0 map:'stack'
2305 mem trace read 64 bits -> 0x14f498: 0x14f4a0 map:'stack'
2367 mem trace write 64 bits -> 0x14f498: 0x14f4a0 map:'stack'
2679 mem trace read 64 bits -> 0x14f498: 0x14f4a0 map:'stack'
2684 mem trace write 64 bits -> 0x14f498: 0x14f480 map:'stack'
2773 mem trace read 64 bits -> 0x14f498: 0x14f480 map:'stack'
2858 mem trace write 64 bits -> 0x14f498: 0x7348a241ed2c3823 map:'stack'
3007 mem trace read 64 bits -> 0x14f498: 0x7348a241ed2c3823 map:'stack'
3014 mem trace write 64 bits -> 0x14f498: 0x40 map:'stack'
3117 mem trace write 64 bits -> 0x14f490: 0x14f498 map:'stack'
3415 mem trace read 64 bits -> 0x14f490: 0x14f498 map:'stack'
4047 mem trace read 64 bits -> 0x14f498: 0x40 map:'stack'
4051 mem trace write 64 bits -> 0x14f498: 0xffffffffffeb0b9f map:'stack'
4153 mem trace write 64 bits -> 0x14f490: 0x14f498 map:'stack'
4194 mem trace read 64 bits -> 0x14f490: 0x14f498 map:'stack'
4196 mem trace read 64 bits -> 0x14f498: 0xffffffffffeb0b9f map:'stack'
4232 mem trace read 64 bits -> 0x14f498: 0xffffffffffeb0b9f map:'stack'
4240 mem trace write 64 bits -> 0x14f498: 0x14f460 map:'stack'
4328 mem trace read 64 bits -> 0x14f498: 0x14f460 map:'stack'
We have 246 but it should be 257; most likely a pushfq problem.
{
"i": 2993,
"iHex": "bb1",
"x64dbgLine": {
"rawLine": {
"Index": "00BB1",
"Address": "000000014501BC20",
"Bytes": "45:0FBCDF",
"Disassembly": "bsf r11d,r15d",
"Registers": "",
"Memory": "",
"Comments": ""
},
"rip": "14501bc20",
"registerChanges": [],
"memoryChanges": []
},
"scemuLine": {
"rawLine": {
"diffRegLine": "diff_reg: pos = 2993 rip = 14501bc20 r11 9d46c36de8c10d85 -> e8c10d85;",
"memTraceLines": [
{
"rawLine": "mem_trace: pos = 2993 rip = 14501bc1d op = write bits = 32 address = 0x14f288 value = 0xe8c199fa name = 'stack'",
"position": "bb1",
"rip": "14501bc1d",
"operation": "write",
"bits": "20",
"address": "14f288",
"value": "e8c199fa"
}
]
},
"position": "bb1",
"rip": "14501bc20",
"registerChanges": [
{
"registerName": "r11",
"previousValue": "9d46c36de8c10d85",
"newValue": "e8c10d85"
}
],
"memoryChanges": [
{
"address": "14f288",
"previousValue": 0,
"newValue": "e8c199fa"
}
]
},
"instructionErrors": [
{
"index": 0,
"message": "unmatchedRegisterChange mismatch (scemu but not x64dbg)",
"scemu": "r11"
}
]
},
1426 0x144fdff35: mov r9,[rsi]
mem_trace: rip = 144fdff35 read 64 bits -> 0x14f498: 0x217 map:'stack'
diff_flags: rip = 144fdff35
diff_reg: rip = 144fdff35 r9 1db36b3a -> 217;
rax: 0xfffffffffffeebe0 rbx: 0x3fd49 rcx: 0x0 rdx: 0x74256658f92d6bae rsi: 0x14f498 rdi: 0x144e471d7 rbp: 0x144fdff35 rsp: 0x14f290
r8: 0x0 r9: 0x217 r10: 0x8bda99a706d29452 r11: 0x7425665806caaf4b r12: 0x1448a76a4 r13: 0x0 r14: 0x140000000 r15: 0x0
r8u: 0x0 r9u: 0x0 r10u: 0x8bda99a7 r11u: 0x74256658 r12u: 0x1 r13u: 0x0 r14u: 0x1 r15u: 0x0
r8d: 0x0 r9d: 0x217 r10d: 0x6d29452 r11d: 0x6caaf4b r12d: 0x448a76a4 r13d: 0x0 r14d: 0x40000000 r15d: 0x0
r8w: 0x0 r9w: 0x217 r10w: 0x9452 r11w: 0xaf4b r12w: 0x76a4 r13w: 0x0 r14w: 0x0 r15w: 0x0
r8l: 0x0 r9l: 0x17 r10l: 0x52 r11l: 0x4b r12l: 0xa4 r13l: 0x0 r14l: 0x0 r15l: 0x0
zf: false pf: true af: false of: false sf: false df: false cf: true tf: false if: true nt: false
{
"i": 1425,
"iHex": "591",
"x64dbgLine": {
"rawLine": {
"Index": "00591",
"Address": "0000000144FDFF35",
"Bytes": "4C:8B0E",
"Disassembly": "mov r9,qword ptr ds:[rsi]",
"Registers": "r9: 1DB36B3A-> 257",
"Memory": "000000000014F498: 257-> 257",
"Comments": ""
},
"rip": "144fdff35",
"registerChanges": [
{
"registerName": "r9",
"previousValue": "1db36b3a",
"newValue": "257"
}
],
"memoryChanges": [
"000000000014F498: 257-> 257"
]
},
"scemuLine": {
"rawLine": "diff_reg: rip = 144fdff35 r9 1db36b3a -> 217;",
"rip": "144fdff35",
"registerChanges": [
{
"registerName": "r9",
"previousValue": "1db36b3a",
"newValue": "217"
}
],
"memoryChanges": []
},
"instructionErrors": [
{
"index": 0,
"message": "newValue mismatch",
"x64dbg": "257",
"scemu": "217"
}
]
},
1750 0x144eddda7: cmovs r10d,r12d
diff_flags: pos = 5451406759 rip = 6d5
diff_reg: pos = 1749 rip = 144eddda7
rax: 0x29 rbx: 0x3fd49 rcx: 0x0 rdx: 0x74256658f92d6bae rsi: 0x14f4a8 rdi: 0x144e471be rbp: 0x144ed4239 rsp: 0x14f290
r8: 0x50 r9: 0x0 r10: 0x180200 r11: 0x7425665806ccb42d r12: 0x1448a76a4 r13: 0x0 r14: 0x140000000 r15: 0x0
r8u: 0x0 r9u: 0x0 r10u: 0x0 r11u: 0x74256658 r12u: 0x1 r13u: 0x0 r14u: 0x1 r15u: 0x0
r8d: 0x50 r9d: 0x0 r10d: 0x180200 r11d: 0x6ccb42d r12d: 0x448a76a4 r13d: 0x0 r14d: 0x40000000 r15d: 0x0
r8w: 0x50 r9w: 0x0 r10w: 0x200 r11w: 0xb42d r12w: 0x76a4 r13w: 0x0 r14w: 0x0 r15w: 0x0
r8l: 0x50 r9l: 0x0 r10l: 0x0 r11l: 0x2d r12l: 0xa4 r13l: 0x0 r14l: 0x0 r15l: 0x0
zf: false pf: false af: false of: false sf: false df: false cf: true tf: false if: true nt: false
Please update kernel32.rs in the winapi64 folder to support the same APIs as kernel32.rs in the winapi32 folder, from VirtualProtect to the end.
Thanks
{
"i": 76,
"x64dbgLine": {
"rawLine": {
"Index": "0004C",
"Address": "0000000144FF9602",
"Bytes": "9F",
"Disassembly": "lahf ",
"Registers": "rax: 624-> 4624",
"Memory": "",
"Comments": ""
},
"rip": "144ff9602",
"registerChanges": [
{
"registerName": "rax",
"previousValue": "624",
"newValue": "4624"
}
],
"memoryChanges": []
},
"scemuLine": {
"rawLine": "diff_reg: rip = 144ff9602",
"rip": "144ff9602",
"registerChanges": [],
"memoryChanges": []
},
"instructionErrors": [
{
"index": 0,
"message": "unmatchedRegisterChange mismatch (x64dbg but not scemu)",
"x64dbg": "rax"
}
]
},
This is half nitpick, half "actual problem" in terms of lining up x64dbg vs scemu for comparison.
Here is the x64dbg line:
{
"i": 1,
"iHex": "1",
"x64dbgLine": {
"rawLine": {
"Index": "00001",
"Address": "00000001448A76A9",
"Bytes": "E8 C2C96D00",
"Disassembly": "call dts9_patcherv.144F84070",
"Registers": "rsp: 14F4A0-> 14F498",
"Memory": "000000000014F498: 7FFA617547B1-> 1448A76AE",
"Comments": ""
},
"rip": "1448a76a9",
"registerChanges": [
{
"registerName": "rsp",
"previousValue": "14f4a0",
"newValue": "14f498"
}
],
"memoryChanges": [
{
"address": "14f498",
"previousValue": "7ffa617547b1",
"newValue": "1448a76ae"
}
]
}
Here is the scemu line:
"scemuLine": {
"rawLine": {
"diffRegLine": "diff_reg: pos = 1 rip = 1448a76a9 rsp 14f4a0 -> 14f498;",
"memTraceLines": [
{
"rawLine": "mem_trace: pos = 1 rip = 1448a76a4 op = write bits = 64 address = 0x14f4a8 value = 0x1db36b3a name = 'stack'",
"position": "1",
"rip": "1448a76a4",
"operation": "write",
"bits": "40",
"address": "14f4a8",
"value": "1db36b3a"
}
]
},
"position": "1",
"rip": "1448a76a9",
"registerChanges": [
{
"registerName": "rsp",
"previousValue": "14f4a0",
"newValue": "14f498"
}
],
"memoryChanges": [
{
"address": "14f4a8",
"previousValue": 0,
"newValue": "1db36b3a"
}
]
},
"instructionErrors": [
{
"index": 0,
"message": "unmatchedMemoryChange mismatch (x64dbg but not scemu)",
"x64dbg": "14f498"
},
{
"index": 0,
"message": "unmatchedMemoryChange mismatch (scemu but not x64dbg)",
"scemu": "14f4a8"
}
]
},
It isn't until the next instruction/position (whatever you want to call it) that we pick up the memory change 000000000014F498: 7FFA617547B1-> 1448A76AE:
"scemuLine": {
"rawLine": {
"diffRegLine": "diff_reg: pos = 2 rip = 144f84070 rsp 14f498 -> 14f490;",
"memTraceLines": [
{
"rawLine": "mem_trace: pos = 2 rip = 1448a76a9 op = write bits = 64 address = 0x14f4a0 value = 0x1448a76ae name = 'stack'",
"position": "2",
"rip": "1448a76a9",
"operation": "write",
"bits": "40",
"address": "14f4a0",
"value": "1448a76ae"
}
]
},
"position": "2",
"rip": "144f84070",
"registerChanges": [
{
"registerName": "rsp",
"previousValue": "14f498",
"newValue": "14f490"
}
],
"memoryChanges": [
{
"address": "14f4a0",
"previousValue": 0,
"newValue": "1448a76ae"
}
]
},
This isn't necessarily a bug, but I'm curious what you recommend, how you would approach it, and whether you can think of a fix.
{
"i": 302,
"x64dbgLine": {
"rawLine": {
"Index": "0012E",
"Address": "0000000144F4B890",
"Bytes": "41:0F9DC2",
"Disassembly": "setge r10b",
"Registers": "r10: 16-> 0",
"Memory": "",
"Comments": ""
},
"rip": "144f4b890",
"registerChanges": [
{
"registerName": "r10",
"previousValue": "16",
"newValue": "0"
}
],
"memoryChanges": []
},
"scemuLine": {
"rawLine": "diff_reg: rip = 144f4b890 r10 16 -> 1;",
"rip": "144f4b890",
"registerChanges": [
{
"registerName": "r10",
"previousValue": "16",
"newValue": "1"
}
],
"memoryChanges": []
},
"instructionErrors": [
{
"index": 0,
"message": "newValue mismatch",
"x64dbg": "0",
"scemu": "1"
}
]
},
303 0x144f4b890: setge r10b
diff_flags: rip = 144f4b890
diff_reg: rip = 144f4b890 r10 16 -> 1;
rax: 0xcd rbx: 0x0 rcx: 0x140000000 rdx: 0x100000000 rsi: 0x14f430 rdi: 0x144e47246 rbp: 0x144f4b853 rsp: 0x14f290
r8: 0x0 r9: 0x0 r10: 0x1 r11: 0x1bb1956db r12: 0x1448a76a4 r13: 0x0 r14: 0x140000000 r15: 0x0
r8d: 0x0 r9d: 0x0 r10d: 0x1 r11d: 0xbb1956db r12d: 0x448a76a4 r13d: 0x0 r14d: 0x40000000 r15d: 0x0
r8l: 0x0 r9l: 0x0 r10l: 0x1 r11l: 0xdb r12l: 0xa4 r13l: 0x0 r14l: 0x0 r15l: 0x0
r8w: 0x0 r9w: 0x0 r10w: 0x1 r11w: 0x56db r12w: 0x76a4 r13w: 0x0 r14w: 0x0 r15w: 0x0
cf: false pf: false af: false zf: false sf: true tf: false if: false df: false of: true nt: false
{
"i": 2613,
"iHex": "a35",
"x64dbgLine": {
"rawLine": {
"Index": "00A35",
"Address": "0000000144FF3224",
"Bytes": "4C:8B0E",
"Disassembly": "mov r9,qword ptr ds:[rsi]",
"Registers": "r9: FFFFFFFFFFFE5E60-> 292",
"Memory": "000000000014F488: 292-> 292",
"Comments": ""
},
"rip": "144ff3224",
"registerChanges": [
{
"registerName": "r9",
"previousValue": "fffffffffffe5e60",
"newValue": "292"
}
],
"memoryChanges": [
{
"address": "14f488",
"previousValue": "292",
"newValue": "292"
}
]
},
"scemuLine": {
"rawLine": {
"diffRegLine": "diff_reg: pos = 2613 rip = 144ff3224 r9 fffffffffffe5e60 -> a92;",
"memTraceLines": []
},
"position": "a35",
"rip": "144ff3224",
"registerChanges": [
{
"registerName": "r9",
"previousValue": "fffffffffffe5e60",
"newValue": "a92"
}
],
"memoryChanges": []
},
"instructionErrors": [
{
"index": 0,
"message": "newValue mismatch",
"x64dbg": "292",
"scemu": "a92"
}
]
},
{
"i": 259,
"x64dbgLine": {
"rawLine": {
"Index": "00103",
"Address": "0000000144F94228",
"Bytes": "6645:0FBDD6",
"Disassembly": "bsr r10w,r14w",
"Registers": "",
"Memory": "",
"Comments": ""
},
"rip": "144f94228",
"registerChanges": [],
"memoryChanges": []
},
"scemuLine": {
"rawLine": "diff_reg: rip = 144f94228 r10 44f9be4e -> 44f90000;",
"rip": "144f94228",
"registerChanges": [
{
"registerName": "r10",
"previousValue": "44f9be4e",
"newValue": "44f90000"
}
],
"memoryChanges": []
},
"instructionErrors": [
{
"index": 0,
"message": "unmatchedRegisterChange mismatch (scemu but not x64dbg)",
"scemu": "r10"
}
]
}
I'm writing an emulator for a kernel driver in Rust and would like to use this library. I'd be willing to implement the necessary features myself, but would appreciate getting some help.
So here are some questions:
Feel free to add me on Discord if you want to discuss more about it: not-matthias#1403
Btw: I quickly looked through the code and noticed that it could really benefit from using `log`/`env_logger` instead of `println`. Also `cargo fmt` would be good, to ensure clean code.
{
"i": 2993,
"iHex": "bb1",
"x64dbgLine": {
"rawLine": {
"Index": "00BB1",
"Address": "000000014501BC20",
"Bytes": "45:0FBCDF",
"Disassembly": "bsf r11d,r15d",
"Registers": "",
"Memory": "",
"Comments": ""
},
"rip": "14501bc20",
"registerChanges": [],
"memoryChanges": []
},
"scemuLine": {
"rawLine": {
"diffRegLine": "diff_reg: pos = 2993 rip = 14501bc20 r11 9d46c36de8c10d85 -> e8c10d85;",
"memTraceLines": [
{
"rawLine": "mem_trace: pos = 2993 rip = 14501bc1d op = write bits = 32 address = 0x14f288 value = 0xe8c199fa name = 'stack'",
"position": "bb1",
"rip": "14501bc1d",
"operation": "write",
"bits": "20",
"address": "14f288",
"value": "e8c199fa"
}
]
},
"position": "bb1",
"rip": "14501bc20",
"registerChanges": [
{
"registerName": "r11",
"previousValue": "9d46c36de8c10d85",
"newValue": "e8c10d85"
}
],
"memoryChanges": [
{
"address": "14f288",
"previousValue": 0,
"newValue": "e8c199fa"
}
]
},
"instructionErrors": [
{
"index": 0,
"message": "unmatchedRegisterChange mismatch (scemu but not x64dbg)",
"scemu": "r11"
}
]
},
{
"i": 169,
"x64dbgLine": {
"rawLine": {
"Index": "000A9",
"Address": "0000000144FBED19",
"Bytes": "6641:0FA4EB 3C",
"Disassembly": "shld r11w,bp,3C",
"Registers": "r11: 1BB09DE2F-> 1BB099DE2",
"Memory": "",
"Comments": ""
},
"rip": "144fbed19",
"registerChanges": [
{
"registerName": "r11",
"previousValue": "1bb09de2f",
"newValue": "1bb099de2"
}
],
"memoryChanges": []
},
"scemuLine": {
"rawLine": "diff_reg: rip = 144fbed19 r11 1bb09de2f -> 1bb099de3;",
"rip": "144fbed19",
"registerChanges": [
{
"registerName": "r11",
"previousValue": "1bb09de2f",
"newValue": "1bb099de3"
}
],
"memoryChanges": []
},
"instructionErrors": [
{
"index": 0,
"message": "newValue mismatch",
"x64dbg": "1bb099de2",
"scemu": "1bb099de3"
}
]
},
{
"i": 169,
"x64dbgLine": {
"rawLine": {
"Index": "000A9",
"Address": "0000000144FBED19",
"Bytes": "6641:0FA4EB 3C",
"Disassembly": "shld r11w,bp,3C",
"Registers": "r11: 1BB09DE2F-> 1BB099DE2",
"Memory": "",
"Comments": ""
},
"rip": "144fbed19",
"registerChanges": [
{
"registerName": "r11",
"previousValue": "1bb09de2f",
"newValue": "1bb099de2"
}
],
"memoryChanges": []
},
"scemuLine": {
"rawLine": "diff_reg: rip = 144fbed19",
"rip": "144fbed19",
"registerChanges": [],
"memoryChanges": []
},
"instructionErrors": [
{
"index": 0,
"message": "unmatchedRegisterChange mismatch (x64dbg but not scemu)",
"x64dbg": "r11"
}
]
},
{
"i": 141,
"x64dbgLine": {
"rawLine": {
"Index": "0008D",
"Address": "0000000144EDDDB3",
"Bytes": "4D:0FA3EA",
"Disassembly": "bt r10,r13",
"Registers": "",
"Memory": "",
"Comments": ""
},
"rip": "144edddb3",
"registerChanges": [],
"memoryChanges": []
},
"scemuLine": {
"rawLine": "diff_reg: rip = 144edddb3 r10 7ffe0002 -> 7ffe0003;",
"rip": "144edddb3",
"registerChanges": [
{
"registerName": "r10",
"previousValue": "7ffe0002",
"newValue": "7ffe0003"
}
],
"memoryChanges": []
},
"instructionErrors": [
{
"index": 0,
"message": "unmatchedRegisterChange mismatch (scemu but not x64dbg)",
"scemu": "r10"
}
]
},
{
"i": 350,
"iHex": "15e",
"x64dbgLine": {
"rawLine": {
"Index": "0015E",
"Address": "0000000144F95899",
"Bytes": "4C:8B0E",
"Disassembly": "mov r9,qword ptr ds:[rsi]",
"Registers": "r9: 0-> 246",
"Memory": "000000000014F430: 246-> 246",
"Comments": ""
},
"rip": "144f95899",
"registerChanges": [
{
"registerName": "r9",
"previousValue": "0",
"newValue": "246"
}
],
"memoryChanges": [
"000000000014F430: 246-> 246"
]
},
"scemuLine": {
"rawLine": "diff_reg: rip = 144f95899",
"rip": "144f95899",
"registerChanges": [],
"memoryChanges": []
},
"instructionErrors": [
{
"index": 0,
"message": "unmatchedRegisterChange mismatch (x64dbg but not scemu)",
"x64dbg": "r9"
}
]
},
{
"i": 1252,
"iHex": "4e4",
"x64dbgLine": {
"rawLine": {
"Index": "004E4",
"Address": "0000000144ECEC34",
"Bytes": "9F",
"Disassembly": "lahf ",
"Registers": "rax: 448A7601-> 448A1301",
"Memory": "",
"Comments": ""
},
"rip": "144ecec34",
"registerChanges": [
{
"registerName": "rax",
"previousValue": "448a7601",
"newValue": "448a1301"
}
],
"memoryChanges": []
},
"scemuLine": {
"rawLine": "diff_reg: rip = 144ecec34 rax 448a7601 -> 448a0301;",
"rip": "144ecec34",
"registerChanges": [
{
"registerName": "rax",
"previousValue": "448a7601",
"newValue": "448a0301"
}
],
"memoryChanges": []
},
"instructionErrors": [
{
"index": 0,
"message": "newValue mismatch",
"x64dbg": "448a1301",
"scemu": "448a0301"
}
]
},
1253 0x144ecec34: lahf
diff_flags: rip = 144ecec34
diff_reg: rip = 144ecec34 rax 448a7601 -> 448a0301;
rax: 0x448a0301 rbx: 0x0 rcx: 0x74256658f92d6bae rdx: 0x100000000 rsi: 0x14f4a8 rdi: 0x144e471ef rbp: 0x144ecec02 rsp: 0x14f290
r8: 0x0 r9: 0x1db36b3a r10: 0xfffffffffff445d5 r11: 0x144e94764 r12: 0x1448a76a4 r13: 0x0 r14: 0x140000000 r15: 0x0
r8u: 0x0 r9u: 0x0 r10u: 0xffffffff r11u: 0x1 r12u: 0x1 r13u: 0x0 r14u: 0x1 r15u: 0x0
r8d: 0x0 r9d: 0x1db36b3a r10d: 0xfff445d5 r11d: 0x44e94764 r12d: 0x448a76a4 r13d: 0x0 r14d: 0x40000000 r15d: 0x0
r8w: 0x0 r9w: 0x6b3a r10w: 0x45d5 r11w: 0x4764 r12w: 0x76a4 r13w: 0x0 r14w: 0x0 r15w: 0x0
r8l: 0x0 r9l: 0x3a r10l: 0xd5 r11l: 0x64 r12l: 0xa4 r13l: 0x0 r14l: 0x0 r15l: 0x0
zf: false pf: false af: false of: false sf: false df: false cf: true tf: false if: false nt: false