The emulator plug-in contains a variety of features to assist in emulation of Windows binaries, including the following:

• Generation of SEH frames and transfer of control to an installed exception handler when an exception occurs.

• Automatic interception of library calls. Some library calls, including LoadLibrary, GetProcAddress, and others, are emulated internally. Calls to functions for which x86emu has no internal emulation generate a pop-up window (see Figure 21-3) that displays the current stack state and offers the user an opportunity to specify a return value and to define the behavior of the function.

• Tracking of calls to CreateThread, giving the user a chance to switch between multiple threads while emulating instructions.

The emulator offers a rudimentary breakpoint capability that relies neither on software breakpoints nor on debug control registers, so its breakpoint mechanism cannot be thwarted by unpackers that look for either. Finally, the emulator offers the ability to enumerate allocated heap blocks and to dump any range of memory out of the database to a file.

Advantages of emulator-based unpacking include the fact that the original program is never executed, which makes the approach safe and eliminates the need to build and maintain a sandbox.
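The following toy, added here as an illustration and not code from x86emu or from the book, models three of the features just described: interception of an imported library call (a stand-in for GetProcAddress is routed to a Python handler, reading its arguments from the emulated stack), a breakpoint set that lives outside emulated memory rather than as 0xCC patches or debug-register values, and a dump of an arbitrary memory range. Every address, the single-slot import table, the export table and the three-instruction stub are constructed for the example. The contrast at the end shows why the emulator's breakpoints survive a self-checksumming unpacker while an int3 patch does not.

```python
import hashlib
import struct

# Every address below is constructed for this toy; none comes from the page or from x86emu.
IMAGE_BASE, ENTRY, IAT_ADDR, NAME_ADDR = 0x00400000, 0x00401000, 0x00402000, 0x00403000
FAKE_KERNEL32, FAKE_GETPROCADDRESS = 0x7C800000, 0x7C801000  # stand-in module handle / export
FAKE_EXPORTS = {"VirtualAlloc": 0x7C809A00}                  # stand-in export table


class Emulator:  # tiny x86 subset (nop, push imm32, hlt, call dword ptr [imm32]) on a flat image
    def __init__(self, size=0x4000):
        self.mem = bytearray(size)              # image starts at IMAGE_BASE
        self.eip, self.eax, self.esp = ENTRY, 0, IMAGE_BASE + size - 0x100
        self.breakpoints = set()   # kept outside emulated memory: no 0xCC, no DR0-DR3
        self.hooks = {}            # imported-function address -> Python handler
        self.call_log = []

    def _off(self, addr):
        return addr - IMAGE_BASE

    def load(self, addr, data):
        self.mem[self._off(addr):self._off(addr) + len(data)] = data

    def read_u32(self, addr):
        return struct.unpack_from("<I", self.mem, self._off(addr))[0]

    def push(self, value):
        self.esp -= 4
        self.load(self.esp, struct.pack("<I", value))

    def dump_range(self, start, end):
        return bytes(self.mem[self._off(start):self._off(end)])  # write these out for a dump file

    def step(self):
        """Execute one instruction; return False once HLT is reached."""
        op = self.mem[self._off(self.eip)]
        if op == 0x90:                                    # nop
            self.eip += 1
        elif op == 0x68:                                  # push imm32
            self.push(self.read_u32(self.eip + 1))
            self.eip += 5
        elif op == 0xF4:                                  # hlt: end of the constructed stub
            return False
        elif op == 0xFF and self.mem[self._off(self.eip) + 1] == 0x15:  # call dword ptr [imm32]
            target = self.read_u32(self.read_u32(self.eip + 2))       # read the IAT slot
            if target in self.hooks:                      # intercepted library call
                self.hooks[target](self)                  # handler stands in for the callee
                self.eip += 6
            else:                                         # ordinary call inside the image
                self.push(self.eip + 6)
                self.eip = target
        else:
            raise ValueError(f"unsupported opcode {op:#04x} at {self.eip:#010x}")
        return True

    def run(self, max_steps=1000):
        for i in range(max_steps):
            if i > 0 and self.eip in self.breakpoints:    # never re-trap on the resume step
                return "breakpoint"
            if not self.step():
                return "halt"
        return "limit"


def emulated_get_proc_address(emu):
    """Stand-in for GetProcAddress(hModule, lpProcName): stdcall, two dword arguments."""
    h_module, name_ptr = emu.read_u32(emu.esp), emu.read_u32(emu.esp + 4)
    emu.esp += 8                                   # stdcall: the callee removes its arguments
    name = emu.dump_range(name_ptr, name_ptr + 64).partition(b"\0")[0].decode("ascii")
    emu.call_log.append(("GetProcAddress", h_module, name))
    emu.eax = FAKE_EXPORTS.get(name, 0)            # NULL when the export is unknown


def build_emulator():
    emu = Emulator()  # stub: GetProcAddress(FAKE_KERNEL32, "VirtualAlloc"); nop; nop; hlt
    stub = (b"\x68" + struct.pack("<I", NAME_ADDR)          # 0x401000 push lpProcName
            + b"\x68" + struct.pack("<I", FAKE_KERNEL32)    # 0x401005 push hModule
            + b"\xFF\x15" + struct.pack("<I", IAT_ADDR)     # 0x40100A call [IAT slot]
            + b"\x90\x90\xF4")                              # 0x401010 nop; nop; hlt
    emu.load(ENTRY, stub)
    emu.load(IAT_ADDR, struct.pack("<I", FAKE_GETPROCADDRESS))   # IAT slot already resolved
    emu.load(NAME_ADDR, b"VirtualAlloc\0")
    emu.hooks[FAKE_GETPROCADDRESS] = emulated_get_proc_address
    return emu


def code_checksum(emu):  # what a self-checking unpacker would compute over its own code
    return hashlib.sha256(emu.dump_range(ENTRY, ENTRY + 0x13)).hexdigest()


def demo():
    emu = build_emulator()
    clean = code_checksum(emu)
    emu.breakpoints.add(ENTRY + 0x10)              # stop on the nop that follows the call
    result = {"first_stop": emu.run(), "eip_at_stop": emu.eip, "eax_at_stop": emu.eax,
              "checksum_unchanged": code_checksum(emu) == clean,  # entries evaluate in order
              "second_stop": emu.run(), "eip_final": emu.eip, "calls": emu.call_log}
    patched = build_emulator()                     # contrast: an int3 patch alters the image
    patched.load(ENTRY + 0x10, b"\xCC")
    result["software_bp_detectable"] = code_checksum(patched) != clean
    return result
```

Running `demo()` stops first at the constructed breakpoint with `eax` holding the stand-in export address returned by the intercepted call, resumes to the `hlt`, and reports that the code checksum was unchanged by the emulator breakpoint but changed by the 0xCC patch. A real emulator such as the plug-in described above decodes the full instruction set and emulates many more imports; the shape of the three mechanisms is what the toy is meant to show.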