Fix a bug where ZwContinue would reset fs_base/gs_base

mrexodia · Mar 5, 2023 · 9dda07f · 9dda07f
1 parent 3c9f210
commit 9dda07f
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/src/dumpulator/dumpulator.py b/src/dumpulator/dumpulator.py
@@ -869,10 +869,11 @@ def handle_exception(self):
         self.exception.handling = True
 
         if self.exception.type == ExceptionType.ContextSwitch:
-            self.info(f"switching context, cip: {hex(self.regs.cip)}")
+            self.info(f"context switch, cip: {hex(self.regs.cip)}")
             # Clear the pending exception
             self.last_exception = self.exception
             self.exception = ExceptionInfo()
+            # NOTE: the context has already been restored using context_restore in the caller
             return self.regs.cip
 
         self.info(f"handling exception...")

diff --git a/src/dumpulator/ntsyscalls.py b/src/dumpulator/ntsyscalls.py
@@ -775,6 +775,7 @@ def ZwContinue(dp: Dumpulator,
                ContextRecord: Annotated[P(CONTEXT), SAL("_In_")],
                TestAlert: Annotated[BOOLEAN, SAL("_In_")]
                ):
+    # Trigger a context switch
     assert not TestAlert
     exception = ExceptionInfo()
     exception.type = ExceptionType.ContextSwitch
@@ -784,6 +785,12 @@ def ZwContinue(dp: Dumpulator,
     data = dp.read(ContextRecord.ptr, context_size)
     context = context_type.from_buffer(data)
     context.to_regs(dp.regs)
+    # Modifying fs/gs also appears to reset fs_base/gs_base
+    if dp.x64:
+        dp.regs.gs_base = dp.teb
+    else:
+        dp.regs.fs_base = dp.teb
+        dp.regs.gs_base = dp.teb - 2 * PAGE_SIZE
     exception.context = dp._uc.context_save()
     return exception