Fravia's TOOLS OF OUR TRADE Messageboard ~ Moderated
Re: Re: controlled environment
Thursday, 11-Feb-99 18:28:18

Not necessarily that hard. On linux --where I have been running Bochs-- there are no BIOS interrupts, and each process address space is separate. You could hook all interrupts and service them if the PID of the caller is a child of your process's PID; the rest you pass on to the OS. Remember that the emulated program is basically running inside the shell of the emulator, almost like an interpreted program rather than an executable.

To illustrate, normally execution happens by incrementing CS:IP and executing the opcodes found there.

In an emulator, CS:IP points to the emulator code. The emulator loads all of the emulated program in its own address space, maintains its own cs:ip, and parses the instructions found there. What happens next depends on how the emulator was programmed.

To make a much more hypothetical example, consider a basic emulator:
1) Load binary file. Parse header, load entry point into *cs_ip
2) Call Go__CS_IP -- basically a loop:
    while (*cs_ip) {                        /* run until Parse hands back a cs:ip of 0 */
        DWORD opcode = GetBytes(*cs_ip);    /* fetch the bytes at the emulated cs:ip */
        *cs_ip = Parse(opcode);             /* decode, act, and get the next cs:ip */
    }
3) Parse returns the next cs_ip to jump to, so it is a very complex function. To simplify:
    switch (HIGHBYTE(opcode)) {
    case 0xCD:                              /* INT handler: the opcode byte is CDh, 21h is the vector */
        printf("Interrupt called!");
        return cs_ip + 2;
    case 0x74:
    case 0x75:
    case 0xEB:
    ...etc...
        printf("Jump!");                    /* JMP handler */
        return cs_ip + displacement_following_opcode;
    }

excuse the silliness of the code :)


Of course emulating an OS is much worse than simply a processor, and to cheat you could map the opcodes in the OS/etc directly to the native equivalents...but this is insecure. Designing like an interpreter is secure...but slow.


As for TBClean, yeah I think I remember that little anti-TB trick from one of Nuke's essays...

_m

mammon_
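The fetch/decode/dispatch loop the post sketches, written out as an added C example (mine, not mammon_'s code or Bochs code): the emulator keeps its own private cs:ip over a constructed guest image, INT instructions are trapped inside the loop instead of ever reaching the host, short jumps are followed, and a step budget keeps a guest that jumps to itself from hanging the emulator. The names run_guest, parse, rel8 and run_result, the zf stand-in for FLAGS, and the guest bytes are all assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* steps: instructions dispatched; ints_trapped: INTs caught here and never
   forwarded to the host; last_int: vector of the last one (-1 if none);
   halted: 1 once the guest executes HLT. */
struct run_result { int steps, ints_trapped, last_int, halted; };

/* Target of a short relative jump; a negative result falls off the image. */
static size_t rel8(size_t ip, uint8_t imm) {
    long t = (long)ip + 2 + (int8_t)imm;
    return t < 0 ? (size_t)-1 : (size_t)t;
}

/* The post's Parse(): decode the opcode at ip, act on it, return the next ip. */
static size_t parse(const uint8_t *code, size_t len, size_t ip, int zf,
                    struct run_result *r) {
    uint8_t imm = (ip + 1 < len) ? code[ip + 1] : 0;   /* never read past the image */
    switch (code[ip]) {
    case 0xCD: r->ints_trapped++; r->last_int = imm; return ip + 2; /* INT imm8 */
    case 0xEB: return rel8(ip, imm);                                /* JMP rel8 */
    case 0x74: return zf ? rel8(ip, imm) : ip + 2;                  /* JZ  rel8 */
    case 0x75: return zf ? ip + 2 : rel8(ip, imm);                  /* JNZ rel8 */
    case 0x90: return ip + 1;                                       /* NOP      */
    case 0xF4: r->halted = 1; return len;                           /* HLT      */
    default:   return len;                          /* unmodelled opcode: stop */
    }
}

/* The post's Go__CS_IP loop, plus a step budget so a guest that spins forever
   (EB FE jumps to itself) cannot hang the emulator. zf stands in for FLAGS. */
struct run_result run_guest(const uint8_t *code, size_t len, int zf, int max_steps) {
    struct run_result r = {0, 0, -1, 0};
    size_t ip = 0; /* the emulator's private cs:ip, unrelated to the host's */
    while (ip < len && r.steps < max_steps) {
        r.steps++;
        ip = parse(code, len, ip, zf, &r);
    }
    return r;
}

/* Constructed guest image: NOP; INT 21h; JNZ +2; INT 80h; JMP +1; NOP; INT 3; HLT */
const uint8_t guest_image[] = {0x90, 0xCD, 0x21, 0x75, 0x02, 0xCD, 0x80,
                               0xEB, 0x01, 0x90, 0xCD, 0x03, 0xF4};
int main(void) { /* stand-alone demo with zf = 0, so the JNZ skips INT 80h */
    struct run_result r = run_guest(guest_image, sizeof guest_image, 0, 1000);
    return printf("steps=%d trapped=%d halted=%d\n", r.steps, r.ints_trapped, r.halted) < 0;
}
```

With zf = 0 the JNZ is taken and INT 80h is never decoded; with zf = 1 it is decoded and trapped like the others, which is the point of the design: the host never sees any of them.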