From d4a35ab563696ba965639e763722dbeb068e96ae Mon Sep 17 00:00:00 2001
From: celyrin
Date: Fri, 28 Jun 2024 15:43:06 +0800
Subject: [PATCH 1/2] Add handling for the "0x48 0xff 0x25" instruction in the hook_create_stub function to resolve the bug where imported functions fail to correctly jump to the original execution flow after hooking on x86-64 samples under Windows 10/Windows 11.
---
 src/hooking.c | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
diff --git a/src/hooking.c b/src/hooking.c
index 491a9ff1e..59622457c 100644
--- a/src/hooking.c
+++ b/src/hooking.c
@@ -416,6 +416,40 @@ int hook_create_stub(uint8_t *tramp, const uint8_t *addr, int len)
 tramp += 3;
 }
 addr += 7;
+ }
+ else if (*addr == 0x48 && addr[1] == 0xFF && addr[2] == 0x25) {
+ // This code block handles a specific assembly instruction sequence that
+ // corresponds to a 64-bit relative jump (jmp qword ptr [rip+displacement]).
+ // It checks the validity and accessibility of the target memory addresses
+ // before attempting to read them and perform a jump.
+
+ // Calculate the address in the Immediate Address Table (IAT) using the displacement
+ // provided in the instruction sequence.
+ const uint8_t * iat = addr + *(int32_t *)(addr + 3) + 7;
+
+ MEMORY_BASIC_INFORMATION mbi;
+ // Use VirtualQuery to obtain information about the memory area pointed to by iat
+ if (VirtualQuery(iat, &mbi, sizeof(mbi)) == 0) {
+ pipe("CRITICAL:VirtualQuery iat failed for %p!", iat);
+ return -1;
+ }
+ // Ensure the memory is not marked as NOACCESS or EXECUTE only, to prevent access violations
+ if (mbi.Protect & PAGE_NOACCESS || mbi.Protect & PAGE_EXECUTE) {
+ pipe("CRITICAL:VirtualQuery failed for %p!", iat);
+ return -1;
+ }
+
+ // Retrieve the target address from the IAT and check its validity
+ const uint8_t *target = *(const uint8_t **)(iat);
+ // Use VirtualQuery again to ensure that the target address is also valid and accessible
+ if (VirtualQuery(target, &mbi, sizeof(mbi)) == 0) {
+ pipe("CRITICAL:VirtualQuery target failed for %p!", target);
+ return -1;
+ }
+
+ tramp += asm_jump(tramp, target);
+
+ addr += 7;
 }
 #endif
 // Return instruction indicates the end of basic block as well so we
From 5e0b9b309036ddf6c887a3bbe54e11a9409cb624 Mon Sep 17 00:00:00 2001
From: celyrin
Date: Fri, 28 Jun 2024 16:02:55 +0800
Subject: [PATCH 2/2] Update README.md
---
 README.md | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 4b20bef89..2552f4532 100644
--- a/README.md
+++ b/README.md
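Review bot: The protection test after the first VirtualQuery only inspects `mbi.Protect` and never `mbi.State`, so a free or reserved region (where Protect is documented as undefined) or a committed PAGE_GUARD page passes the check and the read `*(const uint8_t **)(iat)` two statements later can still raise an access or guard-page exception inside the hook installer; `if (mbi.State != MEM_COMMIT || (mbi.Protect & (PAGE_NOACCESS | PAGE_EXECUTE | PAGE_GUARD)) != 0) {` covers those cases. The second VirtualQuery on `target` discards `mbi`, so it only rejects addresses the call cannot describe at all; either apply the same State check there or drop the query, since `asm_jump` presumably only encodes the address rather than dereferencing it. The message in the protection branch reports `VirtualQuery failed` although the query succeeded, which will mislead whoever reads the pipe log; `pipe("CRITICAL:iat %p is not readable!", iat);` says what was actually rejected. The comment introducing `iat` expands it as "Immediate Address Table"; it is the Import Address Table. hook_create_stub starts outside the hunk and, from the trailing context, continues past it.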
@@ -4,7 +4,13 @@ monitor
 The new Cuckoo Monitor. [Click here for documentation][docs]. If at first it doesn't compile, just try a second time!
-Note that you'll need the `pyyaml` package, which may be installed as follows:
-`pip install pyyaml`.
+**New Features:**
+- Now supports running in Windows 10 and Windows 11 guest environments.
+
+**Notes:**
+- The issue with x86-64 samples where hooks could not jump back to the original function execution flow has been resolved. There may still be other issues, which are currently under development and testing.
+
+- Note that you'll need the `pyyaml` package, which may be installed as follows:
+ `pip install pyyaml`.
 [docs]: http://cuckoo-monitor.readthedocs.org/en/latest/