Add initial emulation framework

GleeBug/Debugger.Loop.cpp

@@ -1,5 +1,6 @@
 #include "Debugger.h"
 #include "Debugger.Thread.Registers.h"
+#include "Emulation.h"
 
 namespace GleeBug
 {
@@ -28,8 +29,26 @@ namespace GleeBug
         {
             //wait for a debug event
             mIsRunning = true;
-            if (!MyWaitForDebugEvent(&mDebugEvent, INFINITE))
+
-                break;
+            bool emulatedEvent = false;
+
+            // We go over all active processes and see if any emulator has an active event
+            // if thats the case process the emulated event first.
+            for (auto&& process : mProcesses)
+            {
+                if (process.second->emulator.WaitForEvent(mDebugEvent))
+                {
+                    emulatedEvent = true;
+                }
+            }
+
+            // Emulated events have priority over normal debug events.
+            if (!emulatedEvent)
+            {
+                if (!MyWaitForDebugEvent(&mDebugEvent, INFINITE))
+                    break;
+            }
+
             mIsRunning = false;
 
             //set default continue status
@@ -117,8 +136,19 @@ namespace GleeBug
             }
 
             //continue the debug event
-            if (!ContinueDebugEvent(mDebugEvent.dwProcessId, mDebugEvent.dwThreadId, mContinueStatus))
+
-                break;
+            bool continueEmulated = false;
+            if (mThread->isInternalStepping)
+            {
+                auto& emulator = mProcess->emulator;
+                continueEmulated = emulator.Emulate(mThread);
+            }
+
+            if (continueEmulated == false)
+            {
+                if (!ContinueDebugEvent(mDebugEvent.dwProcessId, mDebugEvent.dwThreadId, mContinueStatus))
+                    break;
+            }
 
             if (mDetach || mDetachAndBreak)
             {

GleeBug/Debugger.Process.h

@@ -6,6 +6,7 @@
 #include "Debugger.Dll.h"
 #include "Debugger.Breakpoint.h"
 #include "Static.Pattern.h"
+#include "Emulation.h"
 
 namespace GleeBug
 {
@@ -31,6 +32,7 @@ namespace GleeBug
         BreakpointInfo hardwareBreakpoints[4];
         MemoryBreakpointSet memoryBreakpointRanges;
         MemoryBreakpointMap memoryBreakpointPages;
+        Emulator emulator;
 
         /**
         \brief Constructor.

GleeBug/Emulation.Helpers.h

@@ -0,0 +1,141 @@
+#ifndef EMULATIONHELPERS_H
+#define EMULATIONHELPERS_H
+
+namespace GleeBug
+{
+
+template<typename T>
+inline T getRegisterValue(const ZydisRegister reg, Registers& regs)
+{
+    switch (reg)
+    {
+    case ZYDIS_REGISTER_RAX:
+        return (T)regs.Rax.Get();
+
+    case ZYDIS_REGISTER_RBX:
+        return (T)regs.Rbx.Get();
+
+    case ZYDIS_REGISTER_RCX:
+        return (T)regs.Rcx.Get();
+
+    case ZYDIS_REGISTER_RDX:
+        return (T)regs.Rdx.Get();
+
+    case ZYDIS_REGISTER_RBP:
+        return (T)regs.Rbp.Get();
+
+    case ZYDIS_REGISTER_RSP:
+        return (T)regs.Rsp.Get();
+
+    case ZYDIS_REGISTER_RSI:
+        return (T)regs.Rsi.Get();
+
+    case ZYDIS_REGISTER_RDI:
+        return (T)regs.Rdi.Get();
+
+    case ZYDIS_REGISTER_R8:
+        return (T)regs.R8.Get();
+
+    case ZYDIS_REGISTER_R9:
+        return (T)regs.R9.Get();
+
+    case ZYDIS_REGISTER_R10:
+        return (T)regs.R10.Get();
+
+    case ZYDIS_REGISTER_R11:
+        return (T)regs.R11.Get();
+
+    case ZYDIS_REGISTER_R12:
+        return (T)regs.R12.Get();
+
+    case ZYDIS_REGISTER_R13:
+        return (T)regs.R13.Get();
+
+    case ZYDIS_REGISTER_R14:
+        return (T)regs.R14.Get();
+    }
+}
+
+template<typename T>
+inline void setRegisterValue(const ZydisRegister reg, Registers& regs, T val)
+{
+    switch (reg)
+    {
+    case ZYDIS_REGISTER_RAX:
+        return regs.Rax.Set(val);
+
+    case ZYDIS_REGISTER_RBX:
+        return regs.Rbx.Set(val);
+
+    case ZYDIS_REGISTER_RCX:
+        return regs.Rcx.Set(val);
+
+    case ZYDIS_REGISTER_RDX:
+        return regs.Rdx.Set(val);
+
+    case ZYDIS_REGISTER_RBP:
+        return regs.Rbp.Set(val);
+
+    case ZYDIS_REGISTER_RSP:
+        return regs.Rsp.Set(val);
+
+    case ZYDIS_REGISTER_RSI:
+        return regs.Rsi.Set(val);
+
+    case ZYDIS_REGISTER_RDI:
+        return regs.Rdi.Set(val);
+
+    case ZYDIS_REGISTER_R8:
+        return regs.R8.Set(val);
+
+    case ZYDIS_REGISTER_R9:
+        return regs.R9.Set(val);
+
+    case ZYDIS_REGISTER_R10:
+        return regs.R10.Set(val);
+
+    case ZYDIS_REGISTER_R11:
+        return regs.R11.Set(val);
+
+    case ZYDIS_REGISTER_R12:
+        return regs.R12.Set(val);
+
+    case ZYDIS_REGISTER_R13:
+        return regs.R13.Set(val);
+
+    case ZYDIS_REGISTER_R14:
+        return regs.R14.Set(val);
+    }
+}
+
+inline void setCondFlag(uint32_t& flags, int64_t cond, uint32_t f)
+{
+    if(!!cond)
+        flags |= f;        
+}
+
+inline bool isParity(uint32_t v)
+{
+    v ^= v >> 1;
+    v ^= v >> 2;
+    v = (v & 0x11111111U) * 0x11111111U;
+    return (v >> 28) & 1;
+}
+
+inline bool isParity(uint64_t v)
+{
+    v ^= v >> 1;
+    v ^= v >> 2;
+    v = (v & 0x1111111111111111UL) * 0x1111111111111111UL;
+    return (v >> 60) & 1;
+}
+
+template<typename T>
+inline T xor2(T x)
+{
+    return (((x) ^ ((x) >> 1)) & 0x1);
+}
+
+} // GleeBug
+
+#endif // EMULATIONHELPERS_H

GleeBug/Emulation.Instructions.cpp

@@ -0,0 +1,181 @@
+#include "Emulation.Instructions.h"
+#include "Debugger.Thread.Registers.h"
+#include "Emulation.Helpers.h"
+
+#include <limits>
+#include <stdint.h>
+#include <unordered_map>
+
+namespace GleeBug {
+namespace Emulation  {
+
+enum EFLAGS
+{
+    EFL_CF = (1 << 0),
+    EFL_PF = (1 << 2),
+    EFL_AF = (1 << 4),
+    EFL_ZF = (1 << 6),
+    EFL_SF = (1 << 7),
+    EFL_DF = (1 << 10),
+    EFL_OF = (1 << 11),
+};
+
+inline const size_t InstructionDataHash(size_t state, const void* data, const size_t len)
+{
+    const uint8_t *buf = reinterpret_cast<const uint8_t*>(data);
+
+    for (size_t i = 0; i < len; ++buf, ++i)
+    {
+        state ^= ((i & 1) == 0) ? ((state << 7) ^ (*buf) * (state >> 3)) :
+            (~((state << 11) + ((*buf) ^ (state >> 5))));
+    }
+
+    return state;
+}
+
+template<typename T>
+inline const size_t InstructionDataHash(const T& data)
+{
+    return InstructionDataHash(0x811c9dc5, &data, sizeof(T));
+}
+
+inline const size_t InstructionOperandHash(size_t N, uint16_t TYPE)
+{
+    return InstructionDataHash(InstructionDataHash(N));
+}
+
+template<size_t N, uint16_t TYPE>
+struct OpSig
+{
+    static constexpr size_t Hash() noexcept
+    {
+        return InstructionOperandHash(N, TYPE);
+    }
+    static bool Matches(const ZydisInstructionInfo& instr, const ZydisOperandInfo& op)
+    {
+        if(op.type != TYPE)
+            return false;
+        if(op.size != N)
+            return false;
+        return true;
+    }
+};
+
+using OpNone = OpSig<0, ZYDIS_OPERAND_TYPE_UNUSED>;
+
+template<uint16 MNEMONIC, 
+    typename OP0 = OpNone,
+    typename OP1 = OpNone,
+    typename OP2 = OpNone,
+    typename OP3 = OpNone,
+    typename OP4 = OpNone>
+struct InstrSig
+{
+    static constexpr size_t Hash() noexcept
+    {
+        return InstructionDataHash(InstructionDataHash(N));
+    }
+
+    virtual bool Matches(const ZydisInstructionInfo& info) const
+    {
+        if(info.mnemonic != MNEMONIC)
+            return false;
+        if (!OP0::Matches(info, info.operands[0]))
+            return false;
+        if (!OP1::Matches(info, info.operands[1]))
+            return false;
+        if (!OP2::Matches(info, info.operands[2]))
+            return false;
+        if (!OP3::Matches(info, info.operands[3]))
+            return false;
+        if (!OP4::Matches(info, info.operands[4]))
+            return false;
+
+        return true;
+    }
+};
+
+static std::vector<X86Instruction*> _registeredInstructions;
+
+template<typename T>
+struct X86InstructionRegistrator
+{
+    X86InstructionRegistrator()
+    {
+        static T inst;
+        _registeredInstructions.push_back(&inst);
+    }
+};
+
+const X86Instruction* LookupInstruction(const ZydisInstructionInfo& info)
+{
+    for (X86Instruction *instr : _registeredInstructions)
+    {
+        if(instr->Matches(info))
+            return instr;
+    }
+    return nullptr;
+}
+
+#define REGISTER_X86_INSTRUCTION(instrCls) static X86InstructionRegistrator<##instrCls##> __##instrCls##__()
+    
+template<typename T>
+struct SubImpl
+{
+    static T Execute(int32_t val1, int32_t val2, Registers& regs, uint32_t flagsOut)
+    {
+        constexpr int NumBits = sizeof(T) * 8;
+        constexpr T SignMask = T(1) << (NumBits - 1);
+        constexpr T InvMask = ~T(0);
+
+        T res = val1 - val2;
+
+        flagsOut = 0;
+        setCondFlag(flagsOut, res & SignMask, EFL_SF);
+        setCondFlag(flagsOut, (res & InvMask) == 0, EFL_ZF);
+        setCondFlag(flagsOut, isParity(res & 0xFF), EFL_PF);
+
+        T bc = (res & (~val1 | val2)) | (~val1 & val2);
+        setCondFlag(flagsOut, bc & SignMask, EFL_CF);
+        setCondFlag(flagsOut, xor2(bc >> (NumBits - 2)), EFL_OF);
+        setCondFlag(flagsOut, bc & 0x08, EFL_AF);
+
+        return res;
+    }
+};
+
+struct Instr_Sub32 : X86Instruction, InstrSig< ZYDIS_MNEMONIC_SUB, OpSig<32, ZYDIS_OPERAND_TYPE_REGISTER>, OpSig<32, ZYDIS_OPERAND_TYPE_IMMEDIATE> >
+{
+    virtual bool Execute(const ZydisInstructionInfo& info, X86Context& ctx) override
+    {
+        // Value is sign extended.
+        int32_t val1 = getRegisterValue<int32_t>(info.operands[1].reg, ctx.regs);
+        int32_t val2 = info.operands[1].imm.value.sdword;
+
+        uint32_t flagsOut = 0;
+        int32_t res = SubImpl<uint32_t>::Execute(val1, val2, ctx.regs, flagsOut);
+
+        setRegisterValue(info.operands[1].reg, ctx.regs, res);
+    }
+};
+REGISTER_X86_INSTRUCTION(Instr_Sub32);
+
+struct Instr_Sub64 : X86Instruction, InstrSig< ZYDIS_MNEMONIC_SUB, OpSig<64, ZYDIS_OPERAND_TYPE_REGISTER>, OpSig<32, ZYDIS_OPERAND_TYPE_IMMEDIATE> >
+{
+    virtual bool Execute(const ZydisInstructionInfo& info, X86Context& ctx) override
+    {
+        // Value is sign extended.
+        int64_t val1 = getRegisterValue<int64_t>(info.operands[1].reg, ctx.regs);
+        int64_t val2 = info.operands[1].imm.value.sdword;
+
+        uint32_t flagsOut = 0;
+        int64_t res = SubImpl<uint64_t>::Execute(val1, val2, ctx.regs, flagsOut);
+
+        setRegisterValue(info.operands[1].reg, ctx.regs, res);
+    }
+};
+
+REGISTER_X86_INSTRUCTION(Instr_Sub64);
+
+}
+}

GleeBug/Emulation.Instructions.h

@@ -0,0 +1,40 @@
+#ifndef EMULATIONINSTRUCTIONS_H
+#define EMULATIONINSTRUCTIONS_H
+
+#include "Debugger.Global.h"
+#include "Debugger.Process.h"
+#include "Debugger.Breakpoint.h"
+#include "Debugger.Thread.h"
+#include "Debugger.Thread.Registers.h"
+
+#define ZYDIS_EXPORTS
+#define ZYDIS_ENABLE_FEATURE_IMPLICITLY_USED_REGISTERS
+#define ZYDIS_ENABLE_FEATURE_AFFECTED_FLAGS
+#include <Zydis/Zydis.h>
+
+namespace GleeBug {
+namespace Emulation {
+
+struct X86Context
+{
+    Registers& regs;
+    Thread& thread;
+
+    explicit X86Context(Registers& inRegs, Thread& inThread) : regs(inRegs), 
+        thread(inThread)
+    {
+    }
+};
+
+struct X86Instruction
+{
+    virtual bool Matches(const ZydisInstructionInfo& info) = 0;
+    virtual bool Execute(const ZydisInstructionInfo& info, X86Context& ctx) = 0;
+};
+
+const X86Instruction* LookupInstruction(const ZydisInstructionInfo& info);
+
+} // Emulation
+} // GleeBug
+
+#endif // EMULATIONINSTRUCTIONS_H

GleeBug/Emulation.cpp

@@ -0,0 +1,45 @@
+#include "Emulation.h"
+#include "Emulation.Instructions.h"
+
+namespace GleeBug {
+
+bool Emulator::IsActive() const
+{
+    return _active;
+}
+
+bool Emulator::WaitForEvent(DEBUG_EVENT& debugEvent) const
+{
+    return false;
+}
+
+bool Emulator::Emulate(Thread* thread)
+{
+    SetActiveThread(thread);
+
+    return true;
+}
+
+void Emulator::Flush()
+{
+    if (_registers != nullptr)
+    {
+        delete _registers;
+        _registers = nullptr;
+    }
+    _activeThread = nullptr;
+}
+
+void Emulator::SetActiveThread(Thread *thread)
+{
+    if (_activeThread != thread)
+    {
+        // Commit current state if we change threads between.
+        Flush();
+
+        _registers = new Registers(thread->hThread, CONTEXT_CONTROL);
+        _activeThread = thread;
+    }
+}
+
+}

GleeBug/Emulation.h

@@ -0,0 +1,32 @@
+#ifndef EMULATION_H
+#define EMULATION_H
+
+#include "Debugger.Global.h"
+#include "Debugger.Breakpoint.h"
+#include "Debugger.Thread.h"
+#include "Debugger.Thread.Registers.h"
+
+namespace GleeBug
+{
+
+class Process;
+
+class Emulator
+{
+    bool _active = false;
+    Thread *_activeThread = nullptr;
+    Registers* _registers = nullptr;
+
+public:
+    bool IsActive() const;
+    bool WaitForEvent(DEBUG_EVENT& debugEvent) const;
+    bool Emulate(Thread* thread);
+    void Flush();
+
+private:
+    void SetActiveThread(Thread *thread);
+};
+
+} // GleeBug
+
+#endif // EMULATION_H

GleeBug/GleeBug.vcxproj

@@ -167,6 +167,8 @@
     <ClCompile Include="Debugger.Thread.HardwareBreakpoint.cpp" />
     <ClCompile Include="Debugger.Thread.Registers.cpp" />
     <ClCompile Include="Debugger.Thread.Registers.GetSet.cpp" />
+    <ClCompile Include="Emulation.cpp" />
+    <ClCompile Include="Emulation.Instructions.cpp" />
     <ClCompile Include="Static.BufferFile.cpp" />
     <ClCompile Include="Static.File.cpp" />
     <ClCompile Include="Static.Pattern.cpp" />
@@ -194,6 +196,9 @@
     <ClInclude Include="Debugger.Thread.Registers.Flag.h" />
     <ClInclude Include="Debugger.Thread.Registers.h" />
     <ClInclude Include="Debugger.Thread.Registers.Register.h" />
+    <ClInclude Include="Emulation.h" />
+    <ClInclude Include="Emulation.Helpers.h" />
+    <ClInclude Include="Emulation.Instructions.h" />
     <ClInclude Include="GleeBug.h" />
     <ClInclude Include="oprintf.h" />
     <ClInclude Include="Static.BufferFile.h" />

GleeBug/GleeBug.vcxproj.filters

@@ -104,6 +104,12 @@
     <ClCompile Include="zyan-disassembler-engine\src\Zydis.c">
       <Filter>Source Files\Zydis</Filter>
     </ClCompile>
+    <ClCompile Include="Emulation.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="Emulation.Instructions.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="Debugger.h">
@@ -193,6 +199,15 @@
     <ClInclude Include="oprintf.h">
       <Filter>Header Files</Filter>
     </ClInclude>
+    <ClInclude Include="Emulation.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="Emulation.Instructions.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="Emulation.Helpers.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <None Include="zyan-disassembler-engine\include\Zydis\Internal\GeneratedTypes.inc">

TitanEngineEmulator/Emulator.h

@@ -18,7 +18,7 @@
 
 using namespace GleeBug;
 
-class Emulator : public Debugger
+class TitanEngineEmulator : public Debugger
 {
 public:
     HINSTANCE engineHandle;

TitanEngineEmulator/TitanEngineEmulator.cpp

@@ -1,7 +1,7 @@
 #include <windows.h>
 #include "Emulator.h"
 
-Emulator emu;
+TitanEngineEmulator emu;
 
 //Debugger basics
 __declspec(dllexport) void* TITCALL InitDebugW(const wchar_t* szFileName, const wchar_t* szCommandLine, const wchar_t* szCurrentFolder)