private static void Main(string[] args) { using (var unicorn = new Unicorn(UcArch.UC_ARCH_ARM64, UcMode.UC_MODE_ARM)) { const ulong address = 0x1000; const ulong memSize = 0x1000; var codeBytes = new byte[] { 0x01, 0x06, 0xa0, 0xd2, 0x41, 0x10, 0x18, 0xd5, 0xdf, 0x3f, 0x03, 0xd5 }; unicorn.HookCode((uc, address1, size, data) => { Console.WriteLine("Code.."); }); unicorn.MemMap(address, memSize); unicorn.MemWrite(address, codeBytes); unicorn.RegWrite(UcArm64Reg.UC_ARM64_REG_SP, address + memSize); unicorn.EmuStart(address, address + (ulong)codeBytes.Length); } }
public static void RunTest(Byte[] code, UInt64 address) { var u = new Unicorn(Common.UC_ARCH_X86, Common.UC_MODE_32); Console.WriteLine("Unicorn version: {0}", u.Version()); // map 2MB of memory for this emulation Utils.CheckError(u.MemMap(address, new UIntPtr(2 * 1024 * 1024), Common.UC_PROT_ALL)); // write machine code to be emulated to memory Utils.CheckError(u.MemWrite(address, code)); // initialize machine registers Utils.CheckError(u.RegWrite(X86.UC_X86_REG_ESP, Utils.Int64ToBytes(address + 0x200000))); // tracing all instructions by having @begin > @end Utils.CheckError(u.AddCodeHook(CodeHookCallback, null, 1, 0).Item1); // handle interrupt ourself Utils.CheckError(u.AddInterruptHook(InterruptHookCallback, null).Item1); // handle SYSCALL Utils.CheckError(u.AddSyscallHook(SyscallHookCallback, null).Item1); Console.WriteLine(">>> Start tracing linux code"); // emulate machine code in infinite time u.EmuStart(address, address + (UInt64)code.Length, 0u, new UIntPtr(0)); Console.WriteLine(">>> Emulation Done!"); }
private static void RunTest(Byte[] code, Int64 address, Int32 mode) { using (var u = new Unicorn(Common.UC_ARCH_X86, mode)) using (var disassembler = CapstoneDisassembler.CreateX86Disassembler(DisassembleMode.Bit32)) { Console.WriteLine("Unicorn version: {0}", u.Version()); // map 2MB of memory for this emulation u.MemMap(address, 2 * 1024 * 1024, Common.UC_PROT_ALL); // initialize machine registers u.RegWrite(X86.UC_X86_REG_EAX, 0x1234); u.RegWrite(X86.UC_X86_REG_ECX, 0x1234); u.RegWrite(X86.UC_X86_REG_EDX, 0x7890); // write machine code to be emulated to memory u.MemWrite(address, code); // initialize machine registers u.RegWrite(X86.UC_X86_REG_ESP, Utils.Int64ToBytes(address + 0x200000)); // handle IN & OUT instruction u.AddInHook(InHookCallback); u.AddOutHook(OutHookCallback); // tracing all instructions by having @begin > @end u.AddCodeHook((uc, addr, size, userData) => CodeHookCallback(disassembler, uc, addr, size, userData), 1, 0); // handle interrupt ourself u.AddInterruptHook(InterruptHookCallback); // handle SYSCALL u.AddSyscallHook(SyscallHookCallback); // intercept invalid memory events u.AddEventMemHook(MemMapHookCallback, Common.UC_HOOK_MEM_READ_UNMAPPED | Common.UC_HOOK_MEM_WRITE_UNMAPPED); Console.WriteLine(">>> Start tracing code"); // emulate machine code in infinite time u.EmuStart(address, address + code.Length, 0u, 0u); // print registers var ecx = u.RegRead(X86.UC_X86_REG_ECX); var edx = u.RegRead(X86.UC_X86_REG_EDX); var eax = u.RegRead(X86.UC_X86_REG_EAX); Console.WriteLine("[!] EAX = {0}", eax.ToString("X")); Console.WriteLine("[!] ECX = {0}", ecx.ToString("X")); Console.WriteLine("[!] EDX = {0}", edx.ToString("X")); Console.WriteLine(">>> Emulation Done!"); } }
private static Boolean MemMapHookCallback(Unicorn u, Int32 eventType, Int64 address, Int32 size, Int64 value, Object userData) { if (eventType == Common.UC_MEM_WRITE_UNMAPPED) { Console.WriteLine("[!] Missing memory is being WRITE at 0x{0}, data size = {1}, data value = 0x{2}. Map memory.", address.ToString("X"), size.ToString("X"), value.ToString("X")); u.MemMap(0xaaaa0000, 2 * 1024 * 1024, Common.UC_PROT_ALL); return(true); } else { return(false); } }
private static void RunTest(Byte[] code, Int64 address) { try { using (var u = new Unicorn(Common.UC_ARCH_X86, Common.UC_MODE_32)) using (var disassembler = CapstoneDisassembler.CreateX86Disassembler(DisassembleMode.Bit32)) { Console.WriteLine("Unicorn version: {0}", u.Version()); // map 2MB of memory for this emulation u.MemMap(address, 2 * 1024 * 1024, Common.UC_PROT_ALL); // write machine code to be emulated to memory u.MemWrite(address, code); // initialize machine registers u.RegWrite(X86.UC_X86_REG_ESP, Utils.Int64ToBytes(address + 0x200000)); var regv = new Byte[4]; u.RegRead(X86.UC_X86_REG_ESP, regv); // tracing all instructions by having @begin > @end u.AddCodeHook((uc, addr, size, userData) => CodeHookCallback(disassembler, uc, addr, size, userData), 1, 0); // handle interrupt ourself u.AddInterruptHook(InterruptHookCallback); // handle SYSCALL u.AddSyscallHook(SyscallHookCallback); Console.WriteLine(">>> Start tracing code"); // emulate machine code in infinite time u.EmuStart(address, address + code.Length, 0u, 0u); Console.WriteLine(">>> Emulation Done!"); } } catch (UnicornEngineException ex) { Console.Error.WriteLine("Emulation FAILED! " + ex.Message); } }
private static void RunTest(Byte[] code, Int64 address) { try { using (var u = new Unicorn(Common.UC_ARCH_X86, Common.UC_MODE_32)) using(var disassembler = CapstoneDisassembler.CreateX86Disassembler(DisassembleMode.Bit32)) { Console.WriteLine("Unicorn version: {0}", u.Version()); // map 2MB of memory for this emulation u.MemMap(address, 2 * 1024 * 1024, Common.UC_PROT_ALL); // write machine code to be emulated to memory u.MemWrite(address, code); // initialize machine registers u.RegWrite(X86.UC_X86_REG_ESP, Utils.Int64ToBytes(address + 0x200000)); var regv = new Byte[4]; u.RegRead(X86.UC_X86_REG_ESP, regv); // tracing all instructions by having @begin > @end u.AddCodeHook((uc, addr, size, userData) => CodeHookCallback(disassembler, uc, addr, size, userData), 1, 0); // handle interrupt ourself u.AddInterruptHook(InterruptHookCallback); // handle SYSCALL u.AddSyscallHook(SyscallHookCallback); Console.WriteLine(">>> Start tracing code"); // emulate machine code in infinite time u.EmuStart(address, address + code.Length, 0u, 0u); Console.WriteLine(">>> Emulation Done!"); } } catch (UnicornEngineException ex) { Console.Error.WriteLine("Emulation FAILED! " + ex.Message); } }
public static void RunTest(Byte[] code, UInt64 address) { try { var u = new Unicorn(Common.UC_ARCH_X86, Common.UC_MODE_32); Console.WriteLine("Unicorn version: {0}", u.Version()); // map 2MB of memory for this emulation u.MemMap(address, new UIntPtr(2 * 1024 * 1024), Common.UC_PROT_ALL); // write machine code to be emulated to memory u.MemWrite(address, code); // initialize machine registers u.RegWrite(X86.UC_X86_REG_ESP, Utils.Int64ToBytes(address + 0x200000)); // tracing all instructions by having @begin > @end u.AddCodeHook(CodeHookCallback, null, 1, 0); // handle interrupt ourself u.AddInterruptHook(InterruptHookCallback, null); // handle SYSCALL u.AddSyscallHook(SyscallHookCallback, null); Console.WriteLine(">>> Start tracing linux code"); // emulate machine code in infinite time u.EmuStart(address, address + (UInt64)code.Length, 0u, new UIntPtr(0)); Console.WriteLine(">>> Emulation Done!"); } catch (UnicornEngineException ex) { Console.Error.WriteLine("Emulation FAILED! " + ex.Message); } }
private static Boolean MemMapHookCallback(Unicorn u, Int32 eventType, Int64 address, Int32 size, Int64 value, Object userData) { if (eventType == Common.UC_MEM_WRITE_UNMAPPED) { Console.WriteLine("[!] Missing memory is being WRITE at 0x{0}, data size = {1}, data value = 0x{2}. Map memory.", address.ToString("X"), size.ToString("X"), value.ToString("X")); u.MemMap(0xaaaa0000, 2 * 1024 * 1024, Common.UC_PROT_ALL); return true; } else { return false; } }