Giters

vivisect / vivisect

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

imphook call return inconsistencies

mr-tz opened this issue · comments

commented

Is it expected that some of the default hooks perform a call return, e.g.

vivisect/vivisect/impemu/platarch/windows.py

Lines 84 to 88 in e0592b1

def kernel32_GetModuleHandleExA(self, emu, callconv, api, argv):
dwFlags,lpLibName,phModule = argv
libname = self.readLibraryPath(lpLibName, unicode=False)
retval = emu.setVivTaint('dynlib',libname)
callconv.execCallReturn(emu, retval, len(argv))

vs.

vivisect/vivisect/impemu/platarch/windows.py

Lines 135 to 138 in e0592b1

def seh4_prolog(self, emu, callconv, api, argv):
self.seh3_prolog(emu, callconv, api, argv)
emu.doPush(0xc0c0c0c0)
emu.doPush(0)

I think this leads to some unexpected behavior during emulation.

commented

how so? do you have any example?

commented

As an example see the test cases in viv-utils, e.g. https://github.com/williballenthin/viv-utils/blob/4b2a529374d7a65cb542ce798e8ae313a4838307/tests/test_driver.py#L373

We had to add vudrv.remove_default_viv_hooks(emu) to remove the emulated APIs that do not return.

The test file is available in https://github.com/williballenthin/viv-utils/tree/master/tests/data

.text:10001010 mov     eax, 11F8h
.text:10001015 call    __alloca_probe
.text:1000101A mov     eax, [esp+11F8h+fdwReason]

When encountering the __alloca_probe the emulator does not appear to behave correctly as we end up trying to execute 0xfefefefe.

If this is hard to follow for you I can provide an example with pure vivisect code and trace.

commented

can we close this?

commented

I still see this as inconsistent:

  • some hooks (kernel32.*) call callconv.execCallReturn so change EIP to after the function
  • other hooks (ntdll.*) change the emulator state, but EIP does not change

Is this expected and I'm understanding/using it incorrectly?