Created
November 4, 2018 02:41
-
-
Save wbenny/bbad92111d174c0fbf9ffa7d23fed1a4 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| DECLSPEC_NORETURN | |
| VOID | |
| BTCpuSimulate( | |
| VOID | |
| ) | |
| { | |
| NTSTATUS Status; | |
| PCONTEXT Context; | |
| // | |
| // Gets WoW64 CONTEXT structure (ARM32) using | |
| // the RtlWow64GetCurrentCpuArea() function. | |
| // | |
| Status = CpupGetArmContext(&Context, NULL); | |
| if (!NT_SUCCESS(Status)) | |
| { | |
| RtlRaiseStatus(Status); | |
| // | |
| // UNREACHABLE | |
| // | |
| return; | |
| } | |
| for (;;) | |
| { | |
| // | |
| // Switch to ARM32 mode and run the emulation. | |
| // | |
| NtCurrentTeb()->TlsSlots[/* 2 */ WOW64_TLS_INCPUSIMULATION] = TRUE; | |
| CpupSwitchTo32Bit(Context); | |
| NtCurrentTeb()->TlsSlots[/* 2 */ WOW64_TLS_INCPUSIMULATION] = FALSE; | |
| // | |
| // When we get here, it means ARM32 code performed a system call. | |
| // Advance instruction pointer to skip the "UND 0F8h" instruction. | |
| // | |
| Context->Pc += 2; | |
| // | |
| // Set LSB (least significat bit) if ARM32 is executing in | |
| // Thumb mode. | |
| // | |
| if (Context->Cpsr & 0x20) { | |
| Context->Pc |= 1; | |
| } | |
| // | |
| // Let wow64.dll emulate the system call. R12 has the system call | |
| // number, Sp points to the stack which contains the system call | |
| // arguments. | |
| // | |
| Context->R0 = Wow64SystemServiceEx(Context->R12, Context->Sp); | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment