feat(emu,frida): capture Windows TEB and seed x86 segment base #13
Merged
Conversation
Frida's CpuContext carries no segment base, so every Frida-acquired slice had fs/gs base = 0 and peb = None, and the Unicorn emulator could not run x86 SEH prologues that read the TEB via fs:[0]. Capture side (frida_bridge): on Windows, resolve each thread's TEB via OpenThread + NtQueryInformationThread(ThreadBasicInformation) and record it as gs_base (x64) / fs_base (ia32). Adds version-robust export resolution. Emulator side (emu/engine): in 32-bit mode Unicorn ignores UC_X86_REG_FS_BASE/GS_BASE, so install a synthetic GDT (flat ring-3 data descriptor) for each captured base and load the matching selector; expose it through segment_base()/peb_address(). x64 already honored gs_base directly. Tests for the x86 GDT path (fs:[0x30] -> PEB), the no-base no-regression case, and segment-base flow through the Frida bridge. README updated. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
What
Frida's CpuContext exposes no segment base, so every Frida-acquired slice had fs/gs base = 0 and peb = None, and the Unicorn emulator could not run x86 SEH prologues that read the TEB via fs:[0].
- Capture side (frida_bridge): on Windows, resolve each thread's TEB via OpenThread + NtQueryInformationThread(ThreadBasicInformation) and record it as gs_base (x64) / fs_base (ia32). Version-robust export resolution across Frida API generations.
- Emulator side (emu/engine): in 32-bit mode Unicorn ignores UC_X86_REG_FS_BASE/GS_BASE, so install a synthetic GDT (flat ring-3 data descriptor) for each captured base and load the matching selector; segment_base()/peb_address() now work on x86. x64 already honored gs_base directly.
Verification
- CpuContext exposes no segment base (attaching to a live x64 process: fs/gs/fs_base/gs_base all undefined).
- x64 honors gs_base; on x86 the fs_base write is a no-op → the GDT trick fixes it.
- Tests: x86 GDT path (fs:[0x30] → PEB), no-base case (no regression), and segment-base flow through the Frida bridge.
- ruff clean. JS validated by loading it in the real Frida engine.
🤖 Generated with Claude Code
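The synthetic-GDT step the PR describes, as an added example that is not the project's own code: using the Unicorn Python bindings, it encodes a flat ring-3 data descriptor whose base is the captured fs_base, points GDTR at it, loads the matching selector into FS, and executes `mov ecx, fs:[0]; mov eax, fs:[0x30]` to confirm the emulated prologue sees the SEH head and the PEB pointer. Every address and TEB field value below is constructed, not captured from a real process.

```python
"""Synthetic-GDT trick for a 32-bit Unicorn slice: give FS a real base so fs:[0x30] yields the PEB."""
import struct

def flat_ring3_data_descriptor(base):
    """Flat 4 GiB, present, ring-3, writable data segment (G=1, D/B=1) with the given base."""
    limit, access, flags = 0xFFFFF, 0xF2, 0xC      # access 0xF2: P=1 DPL=3 S=1 type=data RW
    desc = limit & 0xFFFF
    desc |= (base & 0xFFFFFF) << 16
    desc |= access << 40
    desc |= ((limit >> 16) & 0xF) << 48
    desc |= flags << 52
    desc |= ((base >> 24) & 0xFF) << 56
    return desc

def selector(index, rpl=3):
    """Segment selector for GDT entry `index` (TI=0) with the requested RPL."""
    return (index << 3) | rpl

def read_teb_fields_via_fs(fs_base, peb_addr, seh_head):
    """Run 'mov ecx, fs:[0]; mov eax, fs:[0x30]' with FS backed by a synthetic GDT entry."""
    from unicorn import Uc, UC_ARCH_X86, UC_MODE_32
    from unicorn.x86_const import UC_X86_REG_GDTR, UC_X86_REG_FS, UC_X86_REG_EAX, UC_X86_REG_ECX
    CODE, GDT = 0x1000, 0x2000                 # constructed scratch addresses
    teb_page = fs_base & ~0xFFF
    mu = Uc(UC_ARCH_X86, UC_MODE_32)
    for addr in (CODE, GDT):
        mu.mem_map(addr, 0x1000)
    mu.mem_map(teb_page, 0x2000)               # two pages so fs_base+0x30 is always mapped
    # Constructed TEB: ExceptionList at +0, ProcessEnvironmentBlock at +0x30.
    mu.mem_write(fs_base, struct.pack("<I", seh_head))
    mu.mem_write(fs_base + 0x30, struct.pack("<I", peb_addr))
    # GDT: null descriptor, then the FS descriptor at index 1; GDTR is (selector, base, limit, flags).
    mu.mem_write(GDT, struct.pack("<QQ", 0, flat_ring3_data_descriptor(fs_base)))
    mu.reg_write(UC_X86_REG_GDTR, (0, GDT, 2 * 8 - 1, 0))
    # Writing FS makes Unicorn walk the GDT and cache the descriptor's base, as a real CPU would.
    mu.reg_write(UC_X86_REG_FS, selector(1))
    code = bytes.fromhex("648b0d00000000"      # mov ecx, fs:[0]
                         "64a130000000")       # mov eax, fs:[0x30]
    mu.mem_write(CODE, code)
    mu.emu_start(CODE, CODE + len(code))
    return mu.reg_read(UC_X86_REG_ECX), mu.reg_read(UC_X86_REG_EAX)

if __name__ == "__main__":
    seh, peb = read_teb_fields_via_fs(0x7FFDE000, 0x7FFDF000, 0x0019FF78)
    print(f"fs:[0]    = {seh:#010x}")
    print(f"fs:[0x30] = {peb:#010x}")
```

Without the GDT entry the same two instructions read from linear 0x0 and 0x30, which is exactly the fs/gs base = 0 failure the PR fixes.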