mandiant / speakeasy

Windows kernel and user mode emulation.
MIT License
1.53k stars 232 forks source link

UC_MEM_READ_PROT | Potential bug on memory allocation permissions #225

Closed stonerhash closed 1 year ago

stonerhash commented 1 year ago

Hello,

I have an allocated memory with READ_WRITE permissions and doing sequential reads and writes within the range. I have observed in some read/writes within the allocated memory I am getting an UC_MEM_READ_PROT (not all) which I handle with an invalid memory hook . This is very strange since other nearby read/writes are executed successfully. The faulty access is of type UC_MEM_READ_PROT. Can you help me understand the reason behind this error?

Thank

stonerhash commented 1 year ago

After further troubleshooting I concluded to the following. The allocated memory took place through ZwMapViewOfSection and the protection rights were set to 0x4 (PAGE_READWRITE). However on common.py. PERM_MEM_READ = 0x02 PERM_MEM_WRITE = 0x04 with PERM_MEM_RW = PERM_MEM_READ | PERM_MEM_WRITE = 0x6

On Winnt.h PERM_READWRITE = 0x4 which is in contrast with common.py which is PERM_MEM_WRITE only.

I am not sure if I am understanding correctly what is going on but by patching the code accordingly I fixed the issue.

Waiting for your thoughts?

stonerhash commented 1 year ago

I forgot to mention what the patch was to include "win_perms_to_emu_perms" as defined in kernel32.py to ntoskrnl.py and use it in ZwMapViewOfSection with the Win32Protect variable

williballenthin commented 1 year ago

hey @stonerhash thanks for opening an issue here. I think there's a good chance that you've found the bug and have a fix. Would you consider opening a PR here so that we can incorporate your changes?

stonerhash commented 1 year ago

Please check PR #226 https://github.com/mandiant/speakeasy/pull/226

williballenthin commented 1 year ago

fixed in #226