|
|
|
@ -1187,16 +1187,15 @@ ShemuGetOperandValue(
|
|
|
|
|
else if (op->Type == ND_OP_MEM)
|
|
|
|
|
{
|
|
|
|
|
uint64_t gla = ShemuComputeLinearAddress(Context, op);
|
|
|
|
|
uint32_t offset;
|
|
|
|
|
uint8_t seg;
|
|
|
|
|
|
|
|
|
|
if (op->Info.Memory.IsAG)
|
|
|
|
|
{
|
|
|
|
|
// Address generation instruction, the result is the linear address itself.
|
|
|
|
|
Value->Value.Qwords[0] = gla;
|
|
|
|
|
goto done_gla;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
uint32_t offset;
|
|
|
|
|
uint8_t seg;
|
|
|
|
|
|
|
|
|
|
if (Context->Ring == 3)
|
|
|
|
|
{
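Review bot: The `goto done_gla;` at the end of the IsAG branch is a no-op: the branch is immediately followed by `else { ... }` (the else body closes in the third hunk, right before the `done_gla:;` label that hunk adds), so control reaches the label by falling through whether or not the goto executes. A plain if/else without the jump and without the label expresses the same flow and avoids a dangling label that later edits may start relying on; drop L69 and the `done_gla:;` line in the third hunk. `uint32_t offset; uint8_t seg;` appear both in the outer scope and inside the else; from this view it is not certain which pair is old and which is new, but if both survive on the new side the inner pair shadows the outer one and only one should remain. ShemuGetOperandValue begins and ends outside the hunk.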
|
|
|
|
@ -1226,6 +1225,13 @@ ShemuGetOperandValue(
|
|
|
|
|
Context->Flags |= SHEMU_FLAG_TIB_ACCESS_WOW32;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Check for accesses inside the KUSER_SHARED_DATA (SharedUserData). This page contains some
|
|
|
|
|
// global system information, it may host shellcodes, and is hard-coded at this address.
|
|
|
|
|
if (gla >= 0x7FFE0000 && gla < 0x7FFE1000)
|
|
|
|
|
{
|
|
|
|
|
Context->Flags |= SHEMU_FLAG_SUD_ACCESS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Check if we are reading a previously saved RIP. Ignore RET category, which naturally uses the saved RIP.
|
|
|
|
|
// Also, ignore RMW instruction which naturally read the current value - this could happen if the code
|
|
|
|
|
// modifies the return value, for example "ADD qword [rsp], r8".
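Review bot: The KUSER_SHARED_DATA check at L156 looks only at the first byte of the access, so a multi-byte read or write that starts just below 0x7FFE0000 and runs into the page is not flagged, while the comment says any access to the page is of interest. Including the access size in the range test closes that gap, `if (gla + size > 0x7FFE0000 && gla < 0x7FFE1000)`, where `size` is the memory operand's size (presumably available on the operand descriptor; confirm against the decoder's operand struct). The two bare addresses should also become named constants (e.g. a `SHEMU_SUD_BASE` / page-size pair, names to be chosen per the file's conventions) so the TIB and SUD checks read consistently and the range is not duplicated. ShemuGetOperandValue begins and ends outside the hunk, and the surrounding `Ring == 3` block opens in the previous hunk.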
|
|
|
|
@ -1262,7 +1268,8 @@ ShemuGetOperandValue(
|
|
|
|
|
|
|
|
|
|
ShemuSetGprValue(Context, op->Info.Memory.Base, op->Info.Memory.BaseSize, regval, false);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
done_gla:;
|
|
|
|
|
}
|
|
|
|
|
else if (op->Type == ND_OP_IMM)
|
|
|
|
|
{
|
|
|
|
@ -2414,7 +2421,7 @@ check_far_branch:
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// We may, in the future, emulate far branches, but they imply some tricky context switches (including
|
|
|
|
|
// the default TEB), so it may not be as straight forward as it seems. For now, al we wish to achieve
|
|
|
|
|
// the default TEB), so it may not be as straight forward as it seems. For now, all we wish to achieve
|
|
|
|
|
// is detection of far branches in long-mode, from Wow 64.
|
|
|
|
|
stop = true;
|
|
|
|
|
break;
|
|
|
|
|