Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Edge case / off by 1 error in bdshemu #106

Closed
ScimitarEnjoyer opened this issue Sep 23, 2024 · 0 comments · Fixed by #107
Closed

Edge case / off by 1 error in bdshemu #106

ScimitarEnjoyer opened this issue Sep 23, 2024 · 0 comments · Fixed by #107

Comments

@ScimitarEnjoyer
Copy link
Contributor

ScimitarEnjoyer commented Sep 23, 2024
edited
Loading

When an instruction cannot be emulated, the emulator sets stop to true, and on the next iteration returns SHEMU_ABORT_CANT_EMULATE.

while (Context->InstructionsCount++ < Context->MaxInstructionsCount)
{
    SHEMU_STATUS shstatus;
    NDSTATUS ndstatus;
    ND_UINT64 rip;          // Offset, not actual linear address.
    ND_UINT32 i, ilen;
    ND_UINT8 ibytes[16];
    ND_BOOL hasNd = ND_FALSE;

    tsc++;

    // Reset all the operands to 0.
    nd_memzero(&res, sizeof(res));
    nd_memzero(&dst, sizeof(dst));
    nd_memzero(&src, sizeof(src));

    // The stop flag has been set, this means we've reached a valid instruction, but that instruction cannot be
    // emulated (for example, SYSCALL, INT, system instructions, etc).
    if (stop)
    {
        return SHEMU_ABORT_CANT_EMULATE;
    }

In cases where the last instruction cannot be emulated, this causes the emulator to return SHEMU_SUCCESS instead of the expected SHEMU_ABORT_CANT_EMULATE.

How to reproduce this issue
Set up the shellcode to emulate only 1 instruction (MaxInstructionsCount = 1) and point it to an instruction it doesn't support (like a syscall). The emulator will return SHEMU_SUCCESS instead of SHEMU_ABORT_CANT_EMULATE because the max instruction count check precedes the previous instruction unsupported check.

I have created a pull request for this issue:
#107
@ScimitarEnjoyer ScimitarEnjoyer mentioned this issue Sep 23, 2024
Merged
ScimitarEnjoyer added a commit to ScimitarEnjoyer/bddisasm that referenced this issue Sep 23, 2024
@ScimitarEnjoyer
bdshemu: Fix edge case with unsupported instrs
bba90c7 
Fixes bitdefender#106
ScimitarEnjoyer added a commit to ScimitarEnjoyer/bddisasm that referenced this issue Sep 23, 2024
@ScimitarEnjoyer
bdshemu: Fix edge case with unsupported instrs
0bfbfd3 
Fixes bitdefender#106
ScimitarEnjoyer added a commit to ScimitarEnjoyer/bddisasm that referenced this issue Sep 23, 2024
@ScimitarEnjoyer
bdshemu: Fix edge case with unsupported instrs
66b983c 
Fixes bitdefender#106
ScimitarEnjoyer added a commit to ScimitarEnjoyer/bddisasm that referenced this issue Sep 23, 2024
@ScimitarEnjoyer
bdshemu: Fix edge case with unsupported instrs
824cee7 
Fixes bitdefender#106
@vlutas vlutas closed this as completed in 7136b64 Sep 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

bdshemu: Fix edge case with unsupported instrs ScimitarEnjoyer/bddisasm
1 participant
@ScimitarEnjoyer