Workaround for (yet another) bug in unicorn where eip isn't increased after a sysenter

Author: mrexodia

.github/workflows/build.yml

@@ -55,31 +55,30 @@ jobs:
         curl -sSOJL https://github.com/mrexodia/dumpulator/releases/download/v0.0.1/StringEncryptionFun_x86.dmp
         python download_artifacts.py
 
-    - name: StringEncryptionFun_x64
+    - name: 'Test: StringEncryptionFun_x64'
       run: |
         cd tests
         python getting-started.py
 
-    - name: StringEncryptionFun_x86
+    - name: 'Test: StringEncryptionFun_x86'
       run: |
         cd tests
         python getting-started32.py
 
-    - name: Run DumpulatorTests
+    - name: 'Test: DumpulatorTests'
       run: |
         cd tests
         python harness-tests.py
 
-    - name: ExceptionTest_x64
+    - name: 'Test: ExceptionTest_x64'
       run: |
         cd tests
         python execute-dump.py ExceptionTest_x64.dmp
 
-    # TODO: remove the trace argument once the bug is fixed
-    - name: ExceptionTest_x86
+    - name: 'Test: ExceptionTest_x86'
       run: |
         cd tests
-        python execute-dump.py ExceptionTest_x86.dmp trace
+        python execute-dump.py ExceptionTest_x86.dmp
 
   publish:
     if: ${{ startsWith(github.ref, 'refs/tags/v') }}

src/dumpulator/dumpulator.py

@@ -37,6 +37,7 @@ class ExceptionType(Enum):
     Memory = 1
     Interrupt = 2
     ContextSwitch = 3
+    Terminate = 4
 
 @dataclass
 class ExceptionInfo:
@@ -783,7 +784,7 @@ def _setup_syscalls(self):
                 self.info(f"Patching Wow64Transition: {export.address:x} -> {patch_addr:x}")
                 # See: https://opcode0x90.wordpress.com/2007/05/18/kifastsystemcall-hook/
                 # mov edx, esp; sysenter; ret
-                KiFastSystemCall = b"\x8B\xD4\x0F\x34\xC3"
+                KiFastSystemCall = b"\x8B\xD4\x0F\x34\x90\x90\xC3"
                 self.write(patch_addr, KiFastSystemCall)
             elif export.name == "KiUserExceptionDispatcher":
                 self.KiUserExceptionDispatcher = export.address
@@ -1003,6 +1004,12 @@ def start(self, begin, end=0xffffffffffffffff, count=0) -> None:
                         # Restore the context (unicorn might mess with it before stopping)
                         if self.exception.context is not None:
                             self._uc.context_restore(self.exception.context)
+
+                        if self.exception.type == ExceptionType.Terminate:
+                            if self.exit_code is not None:
+                                self.info(f"exit code: {self.exit_code:x}")
+                            break
+
                         try:
                             emu_begin = self.handle_exception()
                         except:
@@ -1465,7 +1472,7 @@ def syscall_arg(index):
                     return dp.regs.r10
                 return dp.args[index]
 
-            dp.info(f"[{dp.sequence_id}] syscall: {name}(")
+            dp.info(f"[{dp.sequence_id}] syscall (index: {hex(index)}): {name}(")
             for i in range(0, argcount):
                 argname = argspec.args[1 + i]
                 argtype = argspec.annotations[argname]
@@ -1513,6 +1520,9 @@ def syscall_arg(index):
                     if dp.x64:
                         dp.regs.rcx = dp.regs.cip + 2
                         dp.regs.r11 = dp.regs.eflags
+                    else:
+                        # HACK: there is a bug in unicorn that doesn't increment EIP
+                        dp.regs.eip += 2
             except UcError as err:
                 raise err
             except Exception as exc:

src/dumpulator/ntsyscalls.py

@@ -4475,7 +4475,11 @@ def ZwTerminateProcess(dp: Dumpulator,
                        ):
     assert ProcessHandle == 0 or ProcessHandle == dp.NtCurrentProcess()
     dp.stop(ExitStatus)
-    return STATUS_SUCCESS
+    exception = ExceptionInfo()
+    exception.type = ExceptionType.Terminate
+    exception.final = True
+    exception.context = dp._uc.context_save()
+    return exception
 
 @syscall
 def ZwTerminateThread(dp: Dumpulator,