libmwemu 0.24.5

x86 32/64bits and system internals emulator, for securely emulating malware and other stuff.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98

use crate::emu;
use crate::winapi::helper;

pub(super) fn dispatch(emu: &mut emu::Emu) -> bool {
    match emu.regs().get_eax() as u32 {
        3 => handle_syscall32_read(emu),
        4 => handle_syscall32_write(emu),
        5 => handle_syscall32_open(emu),
        6 => handle_syscall32_close(emu),
        8 => super::trace_syscall32(emu, "creat"),
        9 => super::trace_syscall32(emu, "link"),
        10 => super::trace_syscall32(emu, "unlink"),
        12 => handle_syscall32_chdir(emu),
        14 => super::trace_syscall32(emu, "mknod"),
        15 => handle_syscall32_chmod(emu),
        16 => super::trace_syscall32(emu, "lchown"),
        18 => super::trace_syscall32(emu, "oldstat"),
        _ => return false,
    }

    true
}

fn handle_syscall32_read(emu: &mut emu::Emu) {
    let fd = emu.regs().rbx;
    let buff = emu.regs().rcx;
    let sz = emu.regs().rdx;
    emu.regs_mut().rax = buff;
    log::trace!(
        "{}** {} syscall read() fd: {} buf: 0x{:x} sz: {} {}",
        emu.colors.light_red,
        emu.pos,
        fd,
        buff,
        sz,
        emu.colors.nc
    );
}

fn handle_syscall32_write(emu: &mut emu::Emu) {
    let fd = emu.regs().rbx;
    let buff = emu.regs().rcx;
    let sz = emu.regs().rdx;
    emu.regs_mut().rax = sz;
    log::trace!(
        "{}** {} syscall write() fd: {} buf: 0x{:x} sz: {} {}",
        emu.colors.light_red,
        emu.pos,
        fd,
        buff,
        sz,
        emu.colors.nc
    );
}

fn handle_syscall32_open(emu: &mut emu::Emu) {
    let file_path = emu.maps.read_string(emu.regs().rbx);
    let fd = helper::socket_create();
    emu.regs_mut().rax = fd;
    log::trace!(
        "{}** {} syscall open() file: {} fd:{} {}",
        emu.colors.light_red,
        emu.pos,
        file_path,
        fd,
        emu.colors.nc
    );
}

fn handle_syscall32_close(emu: &mut emu::Emu) {
    let fd = emu.regs().rbx;
    super::trace_syscall32(emu, &format!("close() fd: {}", fd));
    helper::socket_close(fd);
}

fn handle_syscall32_chdir(emu: &mut emu::Emu) {
    let path = emu.maps.read_string(emu.regs().rbx);
    log::trace!(
        "{}** {} syscall chdir() path: {} {}",
        emu.colors.light_red,
        emu.pos,
        path,
        emu.colors.nc
    );
}

fn handle_syscall32_chmod(emu: &mut emu::Emu) {
    let file_path = emu.maps.read_string(emu.regs().rbx);
    let perm = emu.regs().rcx;
    log::trace!(
        "{}** {} syscall chmod() file: {} perm: {} {}",
        emu.colors.light_red,
        emu.pos,
        file_path,
        perm,
        emu.colors.nc
    );
}