ShellCodeEmulator

Can't emulate ntdll code with fxsave instruction

Open ohjeongwook opened this issue 6 years ago • 0 comments

Use the following command line:

python ShellcodeEmulator\emulator.py "33312f916c5904670f6c3b624b43516e87ebb9e3.bin" -d MemoryDumps\notepad64.dmp > 33312f916c5904670f6c3b624b43516e87ebb9e3.log
pause
Traceback (most recent call last):
  File "ShellcodeEmulator\emulator.py", line 140, in Run
    self.Emulator.Start(self.CodeStart, self.CodeStart+self.CodeLen)
  File "ShellcodeEmulator\emulator.py", line 71, in Start
    self.uc.emu_start(start, end)
  File "C:\Users\Administrator\AppData\Local\Programs\Python\Python37-32\lib\site-packages\unicorn\unicorn.py", line 288, in emu_start
    raise UcError(status)
unicorn.unicorn.UcError: Unhandled CPU exception (UC_ERR_EXCEPTION)
ntdll!RtlCaptureContext+0x30:	 7FFFA2E625C0: 0f ae 81 00 01 00 00 	fxsave	[rcx + 0x100]
rax: 754D87A0F8 ebx: 754D87A668 ecx: 754D87A0F8 edx: 00000000
rsp: 754D87A008 rbp: 754D87BE38 rsi: 00000000 rdi: 754D87A0F8
rip: 7FFFA2E625C0
  • Artifacts are shared here

ohjeongwook, Oct 20 '19 15:10
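A triage check for the dump above, added here as an example (not part of the original issue and not ShellCodeEmulator code): it decodes the failing `0f ae` bytes, computes the effective address from the logged register, and tests the 16-byte alignment that FXSAVE architecturally requires (a misaligned operand raises #GP). The issue does not establish that this is the exception Unicorn is reporting. The function names are hypothetical, and the value printed under the label `ecx` is assumed to be the full `rcx`.

```python
# Added triage example; names below are hypothetical, not ShellCodeEmulator APIs.
# Inputs are copied from the issue's dump: the instruction bytes at
# ntdll!RtlCaptureContext+0x30 and the value logged as "ecx" (assumed to be rcx).
INSN = bytes.fromhex("0fae8100010000")
REGS = {"rcx": 0x754D87A0F8}

REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
         "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]
# 0F AE /0../7 with a memory operand and no mandatory prefix
GROUP15_MEM = ["fxsave", "fxrstor", "ldmxcsr", "stmxcsr",
               "xsave", "xrstor", "xsaveopt", "clflush"]

def decode_group15(code):
    """Decode a 64-bit-mode 0F AE /r instruction with a [base + disp] operand.
    Returns (mnemonic, base_register, displacement, length_in_bytes)."""
    i, rex = 0, 0
    if 0x40 <= code[i] <= 0x4F:            # optional REX prefix
        rex, i = code[i], i + 1
    if code[i:i + 2] != b"\x0f\xae":
        raise ValueError("not a 0F AE instruction")
    modrm = code[i + 2]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod == 3:
        raise ValueError("register form (fences), no memory operand")
    if rm == 4 or (mod == 0 and rm == 5):
        raise ValueError("SIB / RIP-relative forms are outside this example")
    i += 3
    disp_len = {0: 0, 1: 1, 2: 4}[mod]
    disp = int.from_bytes(code[i:i + disp_len], "little", signed=True)
    base = REG64[rm | ((rex & 1) << 3)]    # REX.B extends the base register
    return GROUP15_MEM[reg], base, disp, i + disp_len

def triage(code, regs):
    """Compute the effective address and, for FXSAVE/FXRSTOR, whether it
    is 16-byte aligned as the architecture requires."""
    mnem, base, disp, length = decode_group15(code)
    ea = (regs[base] + disp) & 0xFFFFFFFFFFFFFFFF
    needs_align = mnem in ("fxsave", "fxrstor")
    return {"mnemonic": mnem, "operand": f"[{base} + {disp:#x}]",
            "length": length, "ea": ea,
            "aligned": (ea % 16 == 0) if needs_align else None}

if __name__ == "__main__":
    r = triage(INSN, REGS)
    print(r["mnemonic"], r["operand"], f"ea={r['ea']:#x}",
          "len:", r["length"], "aligned:", r["aligned"])
```

If the operand is misaligned, the next thing to inspect is how the emulated stack and the CONTEXT buffer passed in `rcx` were set up before the call into `RtlCaptureContext`.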