unicorn学习（1）-》》》 unicorn的认识

最新推荐文章于 2022-03-30 17:29:39 发布

pipixia233333

最新推荐文章于 2022-03-30 17:29:39 发布

阅读量2.4k

点赞数 1

分类专栏： web python开发

本文链接：https://blog.csdn.net/qq_41071646/article/details/104112738

版权

web python开发专栏收录该内容

15 篇文章 0 订阅

订阅专栏

在家无聊，刷题刷的头晕，打算学点新知识。。

unicorn 这个东西算是一个模拟执行

可以模拟 arm x86 mips 等等平台的指令运行前一段时间还看到有人发用 unicorn写的一个调试器

打算自己也学习一下。

这里主要用python。。现介绍一下基本的函数还有成员

uc 注册一个mode

uc（uc_arch,mode）

例子 Uc(UC_ARCH_ARM, UC_MODE_THUMB)

成员如下

// Architecture type
typedef enum uc_arch {
    UC_ARCH_ARM = 1,    // ARM architecture (including Thumb, Thumb-2)
    UC_ARCH_ARM64,      // ARM-64, also called AArch64
    UC_ARCH_MIPS,       // Mips architecture
    UC_ARCH_X86,        // X86 architecture (including x86 & x86-64)
    UC_ARCH_PPC,        // PowerPC architecture (currently unsupported)
    UC_ARCH_SPARC,      // Sparc architecture
    UC_ARCH_M68K,       // M68K architecture
    UC_ARCH_MAX,
} uc_arch;

// Mode type
typedef enum uc_mode {
    UC_MODE_LITTLE_ENDIAN = 0,    // little-endian mode (default mode)
    UC_MODE_BIG_ENDIAN = 1 << 30, // big-endian mode

    // arm / arm64
    UC_MODE_ARM = 0,              // ARM mode
    UC_MODE_THUMB = 1 << 4,       // THUMB mode (including Thumb-2)
    UC_MODE_MCLASS = 1 << 5,      // ARM's Cortex-M series (currently unsupported)
    UC_MODE_V8 = 1 << 6,          // ARMv8 A32 encodings for ARM (currently unsupported)

    // arm (32bit) cpu types
    UC_MODE_ARM926 = 1 << 7,	  // ARM926 CPU type
    UC_MODE_ARM946 = 1 << 8,	  // ARM946 CPU type
    UC_MODE_ARM1176 = 1 << 9,	  // ARM1176 CPU type

    // mips
    UC_MODE_MICRO = 1 << 4,       // MicroMips mode (currently unsupported)
    UC_MODE_MIPS3 = 1 << 5,       // Mips III ISA (currently unsupported)
    UC_MODE_MIPS32R6 = 1 << 6,    // Mips32r6 ISA (currently unsupported)
    UC_MODE_MIPS32 = 1 << 2,      // Mips32 ISA
    UC_MODE_MIPS64 = 1 << 3,      // Mips64 ISA

    // x86 / x64
    UC_MODE_16 = 1 << 1,          // 16-bit mode
    UC_MODE_32 = 1 << 2,          // 32-bit mode
    UC_MODE_64 = 1 << 3,          // 64-bit mode

    // ppc 
    UC_MODE_PPC32 = 1 << 2,       // 32-bit mode (currently unsupported)
    UC_MODE_PPC64 = 1 << 3,       // 64-bit mode (currently unsupported)
    UC_MODE_QPX = 1 << 4,         // Quad Processing eXtensions mode (currently unsupported)

    // sparc
    UC_MODE_SPARC32 = 1 << 2,     // 32-bit mode
    UC_MODE_SPARC64 = 1 << 3,     // 64-bit mode
    UC_MODE_V9 = 1 << 4,          // SparcV9 mode (currently unsupported)

    // m68k
} uc_mode;

uc_reg_read uc_reg_write 对寄存器读写

uc_mem_write uc_mem_read 对地址空间进行读写

emu_start 开始模拟

uc_emu_start(uc_engine *uc, uint64_t begin, uint64_t until, uint64_t timeout, size_t count);

uc_emu_stop 停止模拟

uc_hook_add 注册一个hook事件的回调

uc_hook_del 删除一个hook事件

uc_mem_map 映射空间进行模拟

uc_mem_unmap 取消映射空间

hook 的类型

这段代码添加了一个HOOK（向Unicorn引擎中），我们定义的函数会在执行每一条命令之前被执行。参数含义如下：

typedef enum uc_hook_type {
    // Hook all interrupt/syscall events
    UC_HOOK_INTR = 1 << 0,
    // Hook a particular instruction - only a very small subset of instructions supported here
    UC_HOOK_INSN = 1 << 1,
    // Hook a range of code
    UC_HOOK_CODE = 1 << 2,
    // Hook basic blocks
    UC_HOOK_BLOCK = 1 << 3,
    // Hook for memory read on unmapped memory
    UC_HOOK_MEM_READ_UNMAPPED = 1 << 4,
    // Hook for invalid memory write events
    UC_HOOK_MEM_WRITE_UNMAPPED = 1 << 5,
    // Hook for invalid memory fetch for execution events
    UC_HOOK_MEM_FETCH_UNMAPPED = 1 << 6,
    // Hook for memory read on read-protected memory
    UC_HOOK_MEM_READ_PROT = 1 << 7,
    // Hook for memory write on write-protected memory
    UC_HOOK_MEM_WRITE_PROT = 1 << 8,
    // Hook for memory fetch on non-executable memory
    UC_HOOK_MEM_FETCH_PROT = 1 << 9,
    // Hook memory read events.
    UC_HOOK_MEM_READ = 1 << 10,
    // Hook memory write events.
    UC_HOOK_MEM_WRITE = 1 << 11,
    // Hook memory fetch for execution events
    UC_HOOK_MEM_FETCH = 1 << 12,
    // Hook memory read events, but only successful access.
    // The callback will be triggered after successful read.
    UC_HOOK_MEM_READ_AFTER = 1 << 13,
    // Hook invalid instructions exceptions.
    UC_HOOK_INSN_INVALID = 1 << 14,
} uc_hook_type;

现在可以写一个demo 来熟悉一下

from unicorn import *
from unicorn.x86_const import *
code = b"\x41" #INC ecx;
 
# callback for tracing instructions
def call_back(uc, address, size, user_data):
    print("[*]  addr %x size %x user_data %x") %(address,size,user_data)

def demo_x86():
    try:
        mu = Uc(UC_ARCH_X86, UC_MODE_32)
 
        ADDRESS = 0x10000
        mu.mem_map(ADDRESS, 2 * 0x10000)
        mu.mem_write(ADDRESS, code)
 
        mu.reg_write(UC_X86_REG_ECX, 0x201f)
 
        mu.hook_add(UC_HOOK_CODE, call_back,0x2020,begin=ADDRESS, end=ADDRESS)
        mu.emu_start(ADDRESS, ADDRESS + len(code))
        ecx_value = mu.reg_read(UC_X86_REG_ECX)
        print("[*] ecx_value: %x") %(ecx_value)
    except UcError as e:
        print("UcError %x") %(e)



demo_x86()

详细例子在官方的github上看到

pipixia233333

关注

1
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
unicorn学习（1）-》》》 unicorn的认识

在家无聊，刷题刷的头晕，打算学点新知识。。unicorn 这个东西算是一个模拟执行可以模拟 arm x86 mips 等等平台的指令运行前一段时间还看到有人发用 unicorn写的一个调试器打算自己也学习一下。这里主要用python。。现介绍一下基本的函数还有成员uc 注册一个modeuc（uc_arch,mode）例子 Uc(UC_ARCH_AR...
复制链接

扫一扫