mirrors/unicorn
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'master' into memleak2

Browse Source
This commit is contained in:
Nguyen Anh Quynh 2016-02-15 15:52:10 +08:00
commit b69feb8d0b
26 changed files with 1117 additions and 91 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -137,6 +137,7 @@ sysenter_hook_x86
test_tb_x86
test_multihook
test_pc_change
mem_fuzz
memleak_x86
memleak_arm

1
CREDITS.TXT
View File

@ -54,3 +54,4 @@ Nguyen Tan Cong
Loi Anh Tuan
Shaun Wheelhouse: Homebrew package
Kamil Rytarowski: Pkgsrc package
Zak Escano: MSVC binding

6
bindings/dotnet/UnicornManaged/Const/X86.fs
View File

@ -251,7 +251,11 @@ module X86 =
let UC_X86_REG_R13W = 239
let UC_X86_REG_R14W = 240
let UC_X86_REG_R15W = 241
let UC_X86_REG_ENDING = 242
let UC_X86_REG_IDTR = 242
let UC_X86_REG_GDTR = 243
let UC_X86_REG_LDTR = 244
let UC_X86_REG_TR = 245
let UC_X86_REG_ENDING = 246
// X86 instructions

6
bindings/go/unicorn/x86_const.go
View File

@ -246,7 +246,11 @@ const (
X86_REG_R13W = 239
X86_REG_R14W = 240
X86_REG_R15W = 241
X86_REG_ENDING = 242
X86_REG_IDTR = 242
X86_REG_GDTR = 243
X86_REG_LDTR = 244
X86_REG_TR = 245
X86_REG_ENDING = 246
// X86 instructions

77
bindings/java/samples/Sample_x86_mmr.java Normal file
View File

@ -0,0 +1,77 @@
/*
Java bindings for the Unicorn Emulator Engine
Copyright(c) 2016 Chris Eagle
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
version 2 as published by the Free Software Foundation.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/
/* Sample code to demonstrate how to register read/write API */
import unicorn.*;
public class Sample_x86_mmr {
static void test_x86_mmr() {
// Initialize emulator in X86-32bit mode
Unicorn uc;
try {
uc = new Unicorn(Unicorn.UC_ARCH_X86, Unicorn.UC_MODE_32);
} catch (UnicornException uex) {
System.out.println("Failed on uc_open() with error returned: " + uex);
return;
}
// map 4k
uc.mem_map(ADDRESS, 0x1000, Unicorn.UC_PROT_ALL);
X86_MMR ldtr1 = new X86_MMR(0x1111111122222222L, 0x33333333, 0x44444444, (short)0x5555);
X86_MMR ldtr2;
X86_MMR gdtr1 = new X86_MMR(0x6666666677777777L, 0x88888888, 0x99999999, (short)0xaaaa);
X86_MMR gdtr2, gdtr3, gdtr4;
int eax;
// initialize machine registers
uc.reg_write(Unicorn.UC_X86_REG_LDTR, ldtr1);
uc.reg_write(Unicorn.UC_X86_REG_GDTR, gdtr1);
uc.reg_write(Unicorn.UC_X86_REG_EAX, new Long(0xdddddddd));
// read the registers back out
eax = (int)((Long)uc.reg_read(Unicorn.UC_X86_REG_EAX)).longValue();
ldtr2 = (X86_MMR)uc.reg_read(Unicorn.UC_X86_REG_LDTR);
gdtr2 = (X86_MMR)uc.reg_read(Unicorn.UC_X86_REG_GDTR);
System.out.printf(">>> EAX = 0x%x\n", eax);
System.out.printf(">>> LDTR.base = 0x%x\n", ldtr2.base);
System.out.printf(">>> LDTR.limit = 0x%x\n", ldtr2.limit);
System.out.printf(">>> LDTR.flags = 0x%x\n", ldtr2.flags);
System.out.printf(">>> LDTR.selector = 0x%x\n\n", ldtr2.selector);
System.out.printf(">>> GDTR.base = 0x%x\n", gdtr2.base);
System.out.printf(">>> GDTR.limit = 0x%x\n", gdtr2.limit);
uc.close();
}
public static void main(String args[])
{
test_x86_mmr();
}
}

37
bindings/java/unicorn/MemRegion.java Normal file
View File

@ -0,0 +1,37 @@
/*
Java bindings for the Unicorn Emulator Engine
Copyright(c) 2016 Chris Eagle
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
version 2 as published by the Free Software Foundation.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/
package unicorn;
public class MemRegion {
public long begin;
public long end;
public int perms;
public MemRegion(long begin, long end, int perms) {
this.begin = begin;
this.end = end;
this.perms = perms;
}
}

124
bindings/java/unicorn/Unicorn.java
View File

@ -26,6 +26,8 @@ import java.util.*;
public class Unicorn implements UnicornConst, ArmConst, Arm64Const, M68kConst, SparcConst, MipsConst, X86Const {
private long eng;
private int arch;
private int mode;
private long blockHandle = 0;
private long interruptHandle = 0;
@ -275,6 +277,38 @@ public class Unicorn implements UnicornConst, ArmConst, Arm64Const, M68kConst, S
}
}
/**
* Write to register.
*
* @param regid Register ID that is to be modified.
* @param value Number containing the new register value
*/
private native void reg_write_num(int regid, Number value) throws UnicornException;
/**
* Write to register.
*
* @param regid Register ID that is to be modified.
* @param value X86 specific memory management register containing the new register value
*/
private native void reg_write_mmr(int regid, X86_MMR value) throws UnicornException;
/**
* Read register value.
*
* @param regid Register ID that is to be retrieved.
* @return Number containing the requested register value.
*/
private native Number reg_read_num(int regid) throws UnicornException;
/**
* Read register value.
*
* @param regid Register ID that is to be retrieved.
* @return X86_MMR containing the requested register value.
*/
private native Number reg_read_mmr(int regid) throws UnicornException;
/**
* Native access to uc_open
*
@ -288,10 +322,13 @@ public class Unicorn implements UnicornConst, ArmConst, Arm64Const, M68kConst, S
*
* @param arch Architecture type (UC_ARCH_*)
* @param mode Hardware mode. This is combined of UC_MODE_*
* @see unicorn.UnicornArchs, unicorn.UnicornModes
* @see unicorn.UnicornConst
*
*/
public Unicorn(int arch, int mode) throws UnicornException {
//remember these in case we need arch specific code
this.arch = arch;
this.mode = mode;
eng = open(arch, mode);
unicorns.put(eng, this);
allLists.add(blockList);
@ -327,7 +364,7 @@ public class Unicorn implements UnicornConst, ArmConst, Arm64Const, M68kConst, S
*
* @param arch Architecture type (UC_ARCH_*)
* @return true if this library supports the given arch.
* @see unicorn.UnicornArchs
* @see unicorn.UnicornConst
*/
public native static boolean arch_supported(int arch);
@ -337,12 +374,23 @@ public class Unicorn implements UnicornConst, ArmConst, Arm64Const, M68kConst, S
*/
public native void close() throws UnicornException;
/**
* Query internal status of engine.
*
* @param type query type. See UC_QUERY_*
* @param result save the internal status queried
*
* @return: error code. see UC_ERR_*
* @see unicorn.UnicornConst
*/
public native int query(int type) throws UnicornException;
/**
* Report the last error number when some API function fail.
* Like glibc's errno, uc_errno might not retain its old value once accessed.
*
* @return Error code of uc_err enum type (UC_ERR_*, see above)
* @see unicorn.UnicornErrors
* @see unicorn.UnicornConst
*/
public native int errno();
@ -351,26 +399,67 @@ public class Unicorn implements UnicornConst, ArmConst, Arm64Const, M68kConst, S
*
* @param code Error code (see UC_ERR_* above)
* @return Returns a String that describes the error code
* @see unicorn.UnicornErrors
* @see unicorn.UnicornConst
*/
public native static String strerror(int code);
/**
* Write to register.
*
* @deprecated use reg_write(int regid, Object value) instead
* @param regid Register ID that is to be modified.
* @param value Array containing value that will be written into register @regid
*/
@Deprecated
public native void reg_write(int regid, byte[] value) throws UnicornException;
/**
* Write to register.
*
* @param regid Register ID that is to be modified.
* @param value Object containing the new register value. Long, BigInteger, or
* other custom class used to represent register values
*/
public void reg_write(int regid, Object value) throws UnicornException {
if (value instanceof Number) {
reg_write_num(regid, (Number)value);
}
else if (arch == UC_ARCH_X86 && value instanceof X86_MMR) {
if (regid >= UC_X86_REG_IDTR && regid <= UC_X86_REG_TR) {
reg_write_mmr(regid, (X86_MMR)value);
}
}
else {
throw new ClassCastException("Invalid value type");
}
}
/**
* Read register value.
*
* @deprecated use Object reg_write(int regid) instead
* @param regid Register ID that is to be retrieved.
* @param regsz Size of the register being retrieved.
* @return Byte array containing the requested register value.
*/
@Deprecated
public native byte[] reg_read(int regid, int regsz) throws UnicornException;
/**
* Read register value.
*
* @param regid Register ID that is to be retrieved.
* @param regsz Size of the register being retrieved.
* @return Byte array containing the requested register value.
* @return Object containing the requested register value. Long, BigInteger, or
* other custom class used to represent register values
*/
public native byte[] reg_read(int regid, int regsz) throws UnicornException;
public Object reg_read(int regid) throws UnicornException {
if (arch == UC_ARCH_X86 && regid >= UC_X86_REG_IDTR && regid <= UC_X86_REG_TR) {
return reg_read_mmr(regid);
}
else {
return reg_read_num(regid);
}
}
/**
* Write to memory.
@ -625,6 +714,19 @@ public class Unicorn implements UnicornConst, ArmConst, Arm64Const, M68kConst, S
*/
public native void mem_map(long address, long size, int perms) throws UnicornException;
/**
* Map existing host memory in for emulation.
* This API adds a memory region that can be used by emulation.
*
* @param address Base address of the memory range
* @param size Size of the memory block.
* @param perms Permissions on the memory block. A combination of UC_PROT_READ, UC_PROT_WRITE, UC_PROT_EXEC
* @param ptr Block of host memory backing the newly mapped memory. This block is
* expected to be an equal or larger size than provided, and be mapped with at
* least PROT_READ | PROT_WRITE. If it is not, the resulting behavior is undefined.
*/
public native void mem_map_ptr(long address, long size, int perms, byte[] block) throws UnicornException;
/**
* Unmap a range of memory.
*
@ -642,5 +744,13 @@ public class Unicorn implements UnicornConst, ArmConst, Arm64Const, M68kConst, S
*/
public native void mem_protect(long address, long size, int perms) throws UnicornException;
/**
* Retrieve all memory regions mapped by mem_map() and mem_map_ptr()
* NOTE: memory regions may be split by mem_unmap()
*
* @return list of mapped regions.
*/
public native MemRegion[] mem_regions() throws UnicornException;
}

38
bindings/java/unicorn/UnicornErrors.java
View File

@ -1,38 +0,0 @@
/*
Java bindings for the Unicorn Emulator Engine
Copyright(c) 2015 Chris Eagle
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
version 2 as published by the Free Software Foundation.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/
package unicorn;
public interface UnicornErrors {
public static final int UC_ERR_OK = 0; // No error: everything was fine
public static final int UC_ERR_OOM = 1; // Out-Of-Memory error: uc_open(), uc_emulate()
public static final int UC_ERR_ARCH = 2; // Unsupported architecture: uc_open()
public static final int UC_ERR_HANDLE = 3; // Invalid handle
public static final int UC_ERR_UCH = 4; // Invalid handle (uch)
public static final int UC_ERR_MODE = 5; // Invalid/unsupported mode: uc_open()
public static final int UC_ERR_VERSION = 6; // Unsupported version (bindings)
public static final int UC_ERR_MEM_READ = 7; // Quit emulation due to invalid memory READ: uc_emu_start()
public static final int UC_ERR_MEM_WRITE = 8; // Quit emulation due to invalid memory WRITE: uc_emu_start()
public static final int UC_ERR_HOOK = 9; // Invalid hook type: uc_hook_add()
public static final int UC_ERR_INSN_INVALID = 10; // Quit emulation due to invalid instruction: uc_emu_start()
public static final int UC_ERR_MAP = 11; // Invalid memory mapping: uc_mem_map()
}

6
bindings/java/unicorn/X86Const.java
View File

@ -248,7 +248,11 @@ public interface X86Const {
public static final int UC_X86_REG_R13W = 239;
public static final int UC_X86_REG_R14W = 240;
public static final int UC_X86_REG_R15W = 241;
public static final int UC_X86_REG_ENDING = 242;
public static final int UC_X86_REG_IDTR = 242;
public static final int UC_X86_REG_GDTR = 243;
public static final int UC_X86_REG_LDTR = 244;
public static final int UC_X86_REG_TR = 245;
public static final int UC_X86_REG_ENDING = 246;
// X86 instructions

46
bindings/java/unicorn/X86_MMR.java Normal file
View File

@ -0,0 +1,46 @@
/*
Java bindings for the Unicorn Emulator Engine
Copyright(c) 2016 Chris Eagle
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
version 2 as published by the Free Software Foundation.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/
package unicorn;
public class X86_MMR {
public long base;
public int limit;
public int flags;
public short selector;
public X86_MMR(long base, int limit, int flags, short selector) {
this.base = base;
this.limit = limit;
this.flags = flags;
this.selector = selector;
}
public X86_MMR(long base, int limit) {
this.base = base;
this.limit = limit;
selector = 0;
flags = 0;
}
}

189
bindings/java/unicorn_Unicorn.c
View File

@ -24,8 +24,8 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#include <stdlib.h>
#include <string.h>
#include <unicorn/unicorn.h>
#include <unicorn/x86.h>
#include "unicorn_Unicorn.h"
//cache jmethodID values as we look them up
@ -201,6 +201,117 @@ static uc_engine *getEngine(JNIEnv *env, jobject self) {
return (uc_engine *)(*env)->GetLongField(env, self, fid);
}
/*
* Class: unicorn_Unicorn
* Method: reg_write_num
* Signature: (ILjava/lang/Number;)V
*/
JNIEXPORT void JNICALL Java_unicorn_Unicorn_reg_1write_1num
(JNIEnv *env, jobject self, jint regid, jobject value) {
uc_engine *eng = getEngine(env, self);
jclass clz = (*env)->FindClass(env, "java/lang/Number");
if ((*env)->ExceptionCheck(env)) {
return;
}
jmethodID longValue = (*env)->GetMethodID(env, clz, "longValue", "()J");
jlong longVal = (*env)->CallLongMethod(env, value, longValue);
uc_err err = uc_reg_write(eng, regid, &longVal);
if (err != UC_ERR_OK) {
throwException(env, err);
}
}
/*
* Class: unicorn_Unicorn
* Method: reg_write_mmr
* Signature: (ILunicorn/X86_MMR;)V
*/
JNIEXPORT void JNICALL Java_unicorn_Unicorn_reg_1write_1mmr
(JNIEnv *env, jobject self, jint regid, jobject value) {
uc_engine *eng = getEngine(env, self);
uc_x86_mmr mmr;
jclass clz = (*env)->FindClass(env, "unicorn/X86_MMR");
if ((*env)->ExceptionCheck(env)) {
return;
}
jfieldID fid = (*env)->GetFieldID(env, clz, "base", "J");
mmr.base = (uint64_t)(*env)->GetLongField(env, value, fid);
fid = (*env)->GetFieldID(env, clz, "limit", "I");
mmr.limit = (uint32_t)(*env)->GetLongField(env, value, fid);
fid = (*env)->GetFieldID(env, clz, "flags", "I");
mmr.flags = (uint32_t)(*env)->GetLongField(env, value, fid);
fid = (*env)->GetFieldID(env, clz, "selector", "S");
mmr.selector = (uint16_t)(*env)->GetLongField(env, value, fid);
uc_err err = uc_reg_write(eng, regid, &mmr);
if (err != UC_ERR_OK) {
throwException(env, err);
}
}
/*
* Class: unicorn_Unicorn
* Method: reg_read_num
* Signature: (I)Ljava/lang/Number;
*/
JNIEXPORT jobject JNICALL Java_unicorn_Unicorn_reg_1read_1num
(JNIEnv *env, jobject self, jint regid) {
uc_engine *eng = getEngine(env, self);
jclass clz = (*env)->FindClass(env, "java/lang/Long");
if ((*env)->ExceptionCheck(env)) {
return NULL;
}
jlong longVal;
uc_err err = uc_reg_read(eng, regid, &longVal);
if (err != UC_ERR_OK) {
throwException(env, err);
}
jmethodID cons = (*env)->GetMethodID(env, clz, "<init>", "(J)V");
jobject result = (*env)->NewObject(env, clz, cons, longVal);
if ((*env)->ExceptionCheck(env)) {
return NULL;
}
return result;
}
/*
* Class: unicorn_Unicorn
* Method: reg_read_mmr
* Signature: (I)Ljava/lang/Number;
*/
JNIEXPORT jobject JNICALL Java_unicorn_Unicorn_reg_1read_1mmr
(JNIEnv *env, jobject self, jint regid) {
uc_engine *eng = getEngine(env, self);
jclass clz = (*env)->FindClass(env, "unicorn/X86_MMR");
if ((*env)->ExceptionCheck(env)) {
return NULL;
}
uc_x86_mmr mmr;
uc_err err = uc_reg_read(eng, regid, &mmr);
if (err != UC_ERR_OK) {
throwException(env, err);
}
jmethodID cons = (*env)->GetMethodID(env, clz, "<init>", "(JIIS)V");
jobject result = (*env)->NewObject(env, clz, cons, mmr.base, mmr.limit, mmr.flags, mmr.selector);
if ((*env)->ExceptionCheck(env)) {
return NULL;
}
return result;
}
/*
* Class: unicorn_Unicorn
* Method: open
@ -244,7 +355,28 @@ JNIEXPORT jboolean JNICALL Java_unicorn_Unicorn_arch_1supported
JNIEXPORT void JNICALL Java_unicorn_Unicorn_close
(JNIEnv *env, jobject self) {
uc_engine *eng = getEngine(env, self);
uc_close(eng);
uc_err err = uc_close(eng);
if (err != UC_ERR_OK) {
throwException(env, err);
}
//We also need to ReleaseByteArrayElements for any regions that
//were mapped with uc_mem_map_ptr
}
/*
* Class: unicorn_Unicorn
* Method: query
* Signature: (I)I
*/
JNIEXPORT jint JNICALL Java_unicorn_Unicorn_query
(JNIEnv *env, jobject self, jint type) {
uc_engine *eng = getEngine(env, self);
size_t result;
uc_err err = uc_query(eng, type, &result);
if (err != UC_ERR_OK) {
throwException(env, err);
}
return (jint)result;
}
/*
@ -508,6 +640,24 @@ JNIEXPORT void JNICALL Java_unicorn_Unicorn_mem_1map
}
}
/*
* Class: unicorn_Unicorn
* Method: mem_map_ptr
* Signature: (JJI[B)V
*/
JNIEXPORT void JNICALL Java_unicorn_Unicorn_mem_1map_1ptr
(JNIEnv *env, jobject self, jlong address, jlong size, jint perms, jbyteArray block) {
uc_engine *eng = getEngine(env, self);
jbyte *array = (*env)->GetByteArrayElements(env, block, NULL);
uc_err err = uc_mem_map_ptr(eng, (uint64_t)address, (size_t)size, (uint32_t)perms, (void*)array);
if (err != UC_ERR_OK) {
throwException(env, err);
}
//Need to track address/block/array so that we can ReleaseByteArrayElements when the
//block gets unmapped or when uc_close gets called
//(*env)->ReleaseByteArrayElements(env, block, array, JNI_ABORT);
}
/*
* Class: unicorn_Unicorn
* Method: mem_unmap
@ -521,6 +671,9 @@ JNIEXPORT void JNICALL Java_unicorn_Unicorn_mem_1unmap
if (err != UC_ERR_OK) {
throwException(env, err);
}
//If a region was mapped using uc_mem_map_ptr, we also need to
//ReleaseByteArrayElements for that region
}
/*
@ -537,3 +690,35 @@ JNIEXPORT void JNICALL Java_unicorn_Unicorn_mem_1protect
throwException(env, err);
}
}
/*
* Class: unicorn_Unicorn
* Method: mem_regions
* Signature: ()[Lunicorn/MemRegion;
*/
JNIEXPORT jobjectArray JNICALL Java_unicorn_Unicorn_mem_1regions
(JNIEnv *env, jobject self) {
uc_engine *eng = getEngine(env, self);
uc_mem_region *regions = NULL;
uint32_t count = 0;
uint32_t i;
uc_err err = uc_mem_regions(eng, &regions, &count);
if (err != UC_ERR_OK) {
throwException(env, err);
}
jclass clz = (*env)->FindClass(env, "unicorn/MemRegion");
if ((*env)->ExceptionCheck(env)) {
return NULL;
}
jobjectArray result = (*env)->NewObjectArray(env, (jsize)count, clz, NULL);
jmethodID cons = (*env)->GetMethodID(env, clz, "<init>", "(JJI)V");
for (i = 0; i < count; i++) {
jobject mr = (*env)->NewObject(env, clz, cons, regions[i].begin, regions[i].end, regions[i].perms);
(*env)->SetObjectArrayElement(env, result, (jsize)i, mr);
}
free(regions);
return result;
}

10
bindings/python/unicorn/unicorn.py
View File

@ -107,6 +107,7 @@ _setup_prototype(_uc, "uc_mem_map", ucerr, uc_engine, ctypes.c_uint64, ctypes.c_
_setup_prototype(_uc, "uc_mem_map_ptr", ucerr, uc_engine, ctypes.c_uint64, ctypes.c_size_t, ctypes.c_uint32, ctypes.c_void_p)
_setup_prototype(_uc, "uc_mem_unmap", ucerr, uc_engine, ctypes.c_uint64, ctypes.c_size_t)
_setup_prototype(_uc, "uc_mem_protect", ucerr, uc_engine, ctypes.c_uint64, ctypes.c_size_t, ctypes.c_uint32)
_setup_prototype(_uc, "uc_query", ucerr, uc_engine, ctypes.c_uint32, ctypes.POINTER(ctypes.c_size_t))
# uc_hook_add is special due to variable number of arguments
_uc.uc_hook_add = getattr(_uc, "uc_hook_add")
@ -262,6 +263,14 @@ class Uc(object):
if status != UC_ERR_OK:
raise UcError(status)
# return CPU mode at runtime
def query(self, query_mode):
result = ctypes.c_size_t(0)
status = _uc.uc_query(self._uch, query_mode, ctypes.byref(result))
if status != UC_ERR_OK:
raise UcError(status)
return result.value
def _hookcode_cb(self, handle, address, size, user_data):
# call user's callback with self object
@ -381,3 +390,4 @@ def debug():
(major, minor, _combined) = uc_version()
return "python-%s-c%u.%u-b%u.%u" % (all_archs, major, minor, UC_API_MAJOR, UC_API_MINOR)

6
bindings/python/unicorn/x86_const.py
View File

@ -244,7 +244,11 @@ UC_X86_REG_R12W = 238
UC_X86_REG_R13W = 239
UC_X86_REG_R14W = 240
UC_X86_REG_R15W = 241
UC_X86_REG_ENDING = 242
UC_X86_REG_IDTR = 242
UC_X86_REG_GDTR = 243
UC_X86_REG_LDTR = 244
UC_X86_REG_TR = 245
UC_X86_REG_ENDING = 246
# X86 instructions

1
include/unicorn/unicorn.h
View File

@ -261,7 +261,6 @@ typedef struct uc_mem_region {
// All type of queries for uc_query() API.
typedef enum uc_query_type {
// Dynamically query current hardware mode.
// For ARM, uc_query() return 1 for Thumb mode, and 0 for Arm mode
UC_QUERY_MODE = 1,
} uc_query_type;

10
include/unicorn/x86.h
View File

@ -8,6 +8,15 @@
extern "C" {
#endif
// Memory-Management Register for instructions IDTR, GDTR, LDTR, TR.
// Borrow from SegmentCache in qemu/target-i386/cpu.h
typedef struct uc_x86_mmr {
uint16_t selector; /* not used by GDTR and IDTR */
uint64_t base; /* handle 32 or 64 bit CPUs */
uint32_t limit;
uint32_t flags; /* not used by GDTR and IDTR */
} uc_x86_mmr;
// Callback function for tracing SYSCALL/SYSENTER (for uc_hook_intr())
// @user_data: user data passed to tracing APIs.
typedef void (*uc_cb_insn_syscall_t)(struct uc_struct *uc, void *user_data);
@ -64,6 +73,7 @@ typedef enum uc_x86_reg {
UC_X86_REG_R9D, UC_X86_REG_R10D, UC_X86_REG_R11D, UC_X86_REG_R12D, UC_X86_REG_R13D,
UC_X86_REG_R14D, UC_X86_REG_R15D, UC_X86_REG_R8W, UC_X86_REG_R9W, UC_X86_REG_R10W,
UC_X86_REG_R11W, UC_X86_REG_R12W, UC_X86_REG_R13W, UC_X86_REG_R14W, UC_X86_REG_R15W,
UC_X86_REG_IDTR, UC_X86_REG_GDTR, UC_X86_REG_LDTR, UC_X86_REG_TR,
UC_X86_REG_ENDING // <-- mark the end of the list of registers
} uc_x86_reg;

2
qemu/memory.c
View File

@ -86,7 +86,7 @@ void memory_unmap(struct uc_struct *uc, MemoryRegion *mr)
if (uc->mapped_blocks[i] == mr) {
uc->mapped_block_count--;
//shift remainder of array down over deleted pointer
memcpy(&uc->mapped_blocks[i], &uc->mapped_blocks[i + 1], sizeof(MemoryRegion*) * (uc->mapped_block_count - i));
memmove(&uc->mapped_blocks[i], &uc->mapped_blocks[i + 1], sizeof(MemoryRegion*) * (uc->mapped_block_count - i));
mr->destructor(mr);
obj = OBJECT(mr);
obj->ref = 1;

7
qemu/target-arm/unicorn_arm.c
View File

@ -133,10 +133,15 @@ static bool arm_stop_interrupt(int intno)
static uc_err arm_query(struct uc_struct *uc, uc_query_type type, size_t *result)
{
CPUState *mycpu = first_cpu;
uint32_t mode;
switch(type) {
case UC_QUERY_MODE:
*result = (ARM_CPU(uc, mycpu)->env.thumb != 0);
// zero out ARM/THUMB mode
mode = uc->mode & ~(UC_MODE_ARM | UC_MODE_THUMB);
// THUMB mode or ARM MOde
mode += ((ARM_CPU(uc, mycpu)->env.thumb != 0)? UC_MODE_THUMB : UC_MODE_ARM);
*result = mode;
return UC_ERR_OK;
default:
return UC_ERR_ARG;

129
qemu/target-i386/unicorn.c
View File

@ -9,6 +9,7 @@
#include "tcg.h"
#include "unicorn_common.h"
#include <unicorn/x86.h> /* needed for uc_x86_mmr */
#define READ_QWORD(x) ((uint64)x)
#define READ_DWORD(x) (x & 0xffffffff)
@ -261,22 +262,42 @@ int x86_reg_read(struct uc_struct *uc, unsigned int regid, void *value)
*(int16_t *)value = READ_WORD(X86_CPU(uc, mycpu)->env.eip);
break;
case UC_X86_REG_CS:
*(int32_t *)value = X86_CPU(uc, mycpu)->env.segs[R_CS].base;
*(int16_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_CS].selector;
break;
case UC_X86_REG_DS:
*(int32_t *)value = X86_CPU(uc, mycpu)->env.segs[R_DS].base;
*(int16_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_DS].selector;
break;
case UC_X86_REG_SS:
*(int32_t *)value = X86_CPU(uc, mycpu)->env.segs[R_SS].base;
*(int16_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_SS].selector;
break;
case UC_X86_REG_ES:
*(int32_t *)value = X86_CPU(uc, mycpu)->env.segs[R_ES].base;
*(int16_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_ES].selector;
break;
case UC_X86_REG_FS:
*(int32_t *)value = X86_CPU(uc, mycpu)->env.segs[R_FS].base;
*(int16_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_FS].selector;
break;
case UC_X86_REG_GS:
*(int32_t *)value = X86_CPU(uc, mycpu)->env.segs[R_GS].base;
*(int16_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_GS].selector;
break;
case UC_X86_REG_IDTR:
((uc_x86_mmr *)value)->limit = (uint16_t)X86_CPU(uc, mycpu)->env.idt.limit;
((uc_x86_mmr *)value)->base = (uint32_t)X86_CPU(uc, mycpu)->env.idt.base;
break;
case UC_X86_REG_GDTR:
((uc_x86_mmr *)value)->limit = (uint16_t)X86_CPU(uc, mycpu)->env.gdt.limit;
((uc_x86_mmr *)value)->base = (uint32_t)X86_CPU(uc, mycpu)->env.gdt.base;
break;
case UC_X86_REG_LDTR:
((uc_x86_mmr *)value)->limit = X86_CPU(uc, mycpu)->env.ldt.limit;
((uc_x86_mmr *)value)->base = (uint32_t)X86_CPU(uc, mycpu)->env.ldt.base;
((uc_x86_mmr *)value)->selector = (uint16_t)X86_CPU(uc, mycpu)->env.ldt.selector;
((uc_x86_mmr *)value)->flags = X86_CPU(uc, mycpu)->env.ldt.flags;
break;
case UC_X86_REG_TR:
((uc_x86_mmr *)value)->limit = X86_CPU(uc, mycpu)->env.tr.limit;
((uc_x86_mmr *)value)->base = (uint32_t)X86_CPU(uc, mycpu)->env.tr.base;
((uc_x86_mmr *)value)->selector = (uint16_t)X86_CPU(uc, mycpu)->env.tr.selector;
((uc_x86_mmr *)value)->flags = X86_CPU(uc, mycpu)->env.tr.flags;
break;
}
break;
@ -413,22 +434,22 @@ int x86_reg_read(struct uc_struct *uc, unsigned int regid, void *value)
*(int16_t *)value = READ_WORD(X86_CPU(uc, mycpu)->env.eip);
break;
case UC_X86_REG_CS:
*(int64_t *)value = X86_CPU(uc, mycpu)->env.segs[R_CS].base;
*(int16_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_CS].selector;
break;
case UC_X86_REG_DS:
*(int64_t *)value = X86_CPU(uc, mycpu)->env.segs[R_DS].base;
*(int16_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_DS].selector;
break;
case UC_X86_REG_SS:
*(int64_t *)value = X86_CPU(uc, mycpu)->env.segs[R_SS].base;
*(int16_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_SS].selector;
break;
case UC_X86_REG_ES:
*(int64_t *)value = X86_CPU(uc, mycpu)->env.segs[R_ES].base;
*(int16_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_ES].selector;
break;
case UC_X86_REG_FS:
*(int64_t *)value = X86_CPU(uc, mycpu)->env.segs[R_FS].base;
*(int16_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_FS].selector;
break;
case UC_X86_REG_GS:
*(int64_t *)value = X86_CPU(uc, mycpu)->env.segs[R_GS].base;
*(int16_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_GS].selector;
break;
case UC_X86_REG_R8:
*(int64_t *)value = READ_QWORD(X86_CPU(uc, mycpu)->env.regs[8]);
@ -526,6 +547,26 @@ int x86_reg_read(struct uc_struct *uc, unsigned int regid, void *value)
case UC_X86_REG_R15B:
*(int8_t *)value = READ_BYTE_L(X86_CPU(uc, mycpu)->env.regs[15]);
break;
case UC_X86_REG_IDTR:
((uc_x86_mmr *)value)->limit = (uint16_t)X86_CPU(uc, mycpu)->env.idt.limit;
((uc_x86_mmr *)value)->base = X86_CPU(uc, mycpu)->env.idt.base;
break;
case UC_X86_REG_GDTR:
((uc_x86_mmr *)value)->limit = (uint16_t)X86_CPU(uc, mycpu)->env.gdt.limit;
((uc_x86_mmr *)value)->base = X86_CPU(uc, mycpu)->env.gdt.base;
break;
case UC_X86_REG_LDTR:
((uc_x86_mmr *)value)->limit = X86_CPU(uc, mycpu)->env.ldt.limit;
((uc_x86_mmr *)value)->base = X86_CPU(uc, mycpu)->env.ldt.base;
((uc_x86_mmr *)value)->selector = (uint16_t)X86_CPU(uc, mycpu)->env.ldt.selector;
((uc_x86_mmr *)value)->flags = X86_CPU(uc, mycpu)->env.ldt.flags;
break;
case UC_X86_REG_TR:
((uc_x86_mmr *)value)->limit = X86_CPU(uc, mycpu)->env.tr.limit;
((uc_x86_mmr *)value)->base = X86_CPU(uc, mycpu)->env.tr.base;
((uc_x86_mmr *)value)->selector = (uint16_t)X86_CPU(uc, mycpu)->env.tr.selector;
((uc_x86_mmr *)value)->flags = X86_CPU(uc, mycpu)->env.tr.flags;
break;
}
break;
#endif
@ -668,22 +709,42 @@ int x86_reg_write(struct uc_struct *uc, unsigned int regid, const void *value)
uc_emu_stop(uc);
break;
case UC_X86_REG_CS:
X86_CPU(uc, mycpu)->env.segs[R_CS].base = *(uint32_t *)value;
X86_CPU(uc, mycpu)->env.segs[R_CS].selector = *(uint16_t *)value;
break;
case UC_X86_REG_DS:
X86_CPU(uc, mycpu)->env.segs[R_DS].base = *(uint32_t *)value;
X86_CPU(uc, mycpu)->env.segs[R_DS].selector = *(uint16_t *)value;
break;
case UC_X86_REG_SS:
X86_CPU(uc, mycpu)->env.segs[R_SS].base = *(uint32_t *)value;
X86_CPU(uc, mycpu)->env.segs[R_SS].selector = *(uint16_t *)value;
break;
case UC_X86_REG_ES:
X86_CPU(uc, mycpu)->env.segs[R_ES].base = *(uint32_t *)value;
X86_CPU(uc, mycpu)->env.segs[R_ES].selector = *(uint16_t *)value;
break;
case UC_X86_REG_FS:
X86_CPU(uc, mycpu)->env.segs[R_FS].base = *(uint32_t *)value;
X86_CPU(uc, mycpu)->env.segs[R_FS].selector = *(uint16_t *)value;
break;
case UC_X86_REG_GS:
X86_CPU(uc, mycpu)->env.segs[R_GS].base = *(uint32_t *)value;
X86_CPU(uc, mycpu)->env.segs[R_GS].selector = *(uint16_t *)value;
break;
case UC_X86_REG_IDTR:
X86_CPU(uc, mycpu)->env.idt.limit = (uint16_t)((uc_x86_mmr *)value)->limit;
X86_CPU(uc, mycpu)->env.idt.base = (uint32_t)((uc_x86_mmr *)value)->base;
break;
case UC_X86_REG_GDTR:
X86_CPU(uc, mycpu)->env.gdt.limit = (uint16_t)((uc_x86_mmr *)value)->limit;
X86_CPU(uc, mycpu)->env.gdt.base = (uint32_t)((uc_x86_mmr *)value)->base;
break;
case UC_X86_REG_LDTR:
X86_CPU(uc, mycpu)->env.ldt.limit = ((uc_x86_mmr *)value)->limit;
X86_CPU(uc, mycpu)->env.ldt.base = (uint32_t)((uc_x86_mmr *)value)->base;
X86_CPU(uc, mycpu)->env.ldt.selector = (uint16_t)((uc_x86_mmr *)value)->selector;
X86_CPU(uc, mycpu)->env.ldt.flags = ((uc_x86_mmr *)value)->flags;
break;
case UC_X86_REG_TR:
X86_CPU(uc, mycpu)->env.tr.limit = ((uc_x86_mmr *)value)->limit;
X86_CPU(uc, mycpu)->env.tr.base = (uint32_t)((uc_x86_mmr *)value)->base;
X86_CPU(uc, mycpu)->env.tr.selector = (uint16_t)((uc_x86_mmr *)value)->selector;
X86_CPU(uc, mycpu)->env.tr.flags = ((uc_x86_mmr *)value)->flags;
break;
}
break;
@ -830,22 +891,22 @@ int x86_reg_write(struct uc_struct *uc, unsigned int regid, const void *value)
uc_emu_stop(uc);
break;
case UC_X86_REG_CS:
X86_CPU(uc, mycpu)->env.segs[R_CS].base = *(uint64_t *)value;
X86_CPU(uc, mycpu)->env.segs[R_CS].selector = *(uint16_t *)value;
break;
case UC_X86_REG_DS:
X86_CPU(uc, mycpu)->env.segs[R_DS].base = *(uint64_t *)value;
X86_CPU(uc, mycpu)->env.segs[R_DS].selector = *(uint16_t *)value;
break;
case UC_X86_REG_SS:
X86_CPU(uc, mycpu)->env.segs[R_SS].base = *(uint64_t *)value;
X86_CPU(uc, mycpu)->env.segs[R_SS].selector = *(uint16_t *)value;
break;
case UC_X86_REG_ES:
X86_CPU(uc, mycpu)->env.segs[R_ES].base = *(uint64_t *)value;
X86_CPU(uc, mycpu)->env.segs[R_ES].selector = *(uint16_t *)value;
break;
case UC_X86_REG_FS:
X86_CPU(uc, mycpu)->env.segs[R_FS].base = *(uint64_t *)value;
X86_CPU(uc, mycpu)->env.segs[R_FS].selector = *(uint16_t *)value;
break;
case UC_X86_REG_GS:
X86_CPU(uc, mycpu)->env.segs[R_GS].base = *(uint64_t *)value;
X86_CPU(uc, mycpu)->env.segs[R_GS].selector = *(uint16_t *)value;
break;
case UC_X86_REG_R8:
X86_CPU(uc, mycpu)->env.regs[8] = *(uint64_t *)value;
@ -943,6 +1004,26 @@ int x86_reg_write(struct uc_struct *uc, unsigned int regid, const void *value)
case UC_X86_REG_R15B:
WRITE_BYTE_L(X86_CPU(uc, mycpu)->env.regs[15], *(uint8_t *)value);
break;
case UC_X86_REG_IDTR:
X86_CPU(uc, mycpu)->env.idt.limit = (uint16_t)((uc_x86_mmr *)value)->limit;
X86_CPU(uc, mycpu)->env.idt.base = ((uc_x86_mmr *)value)->base;
break;
case UC_X86_REG_GDTR:
X86_CPU(uc, mycpu)->env.gdt.limit = (uint16_t)((uc_x86_mmr *)value)->limit;
X86_CPU(uc, mycpu)->env.gdt.base = ((uc_x86_mmr *)value)->base;
break;
case UC_X86_REG_LDTR:
X86_CPU(uc, mycpu)->env.ldt.limit = ((uc_x86_mmr *)value)->limit;
X86_CPU(uc, mycpu)->env.ldt.base = ((uc_x86_mmr *)value)->base;
X86_CPU(uc, mycpu)->env.ldt.selector = (uint16_t)((uc_x86_mmr *)value)->selector;
X86_CPU(uc, mycpu)->env.ldt.flags = ((uc_x86_mmr *)value)->flags;
break;
case UC_X86_REG_TR:
X86_CPU(uc, mycpu)->env.tr.limit = ((uc_x86_mmr *)value)->limit;
X86_CPU(uc, mycpu)->env.tr.base = ((uc_x86_mmr *)value)->base;
X86_CPU(uc, mycpu)->env.tr.selector = (uint16_t)((uc_x86_mmr *)value)->selector;
X86_CPU(uc, mycpu)->env.tr.flags = ((uc_x86_mmr *)value)->flags;
break;
}
break;
#endif

11
qemu/target-sparc/translate.c
View File

@ -2630,12 +2630,6 @@ static void disas_sparc_insn(DisasContext * dc, unsigned int insn, bool hook_ins
tcg_gen_debug_insn_start(tcg_ctx, dc->pc);
}
// end address tells us to stop emulation
if (dc->pc == dc->uc->addr_end) {
insn = 0x91d02000; // generate TRAP to end this TB
hook_insn = false; // do not hook this instruction
}
// Unicorn: trace this instruction on request
if (hook_insn && HOOK_EXISTS_BOUNDED(dc->uc, UC_HOOK_CODE, dc->pc)) {
gen_uc_tracecode(tcg_ctx, 4, UC_HOOK_CODE_IDX, dc->uc, dc->pc);
@ -5405,9 +5399,8 @@ static inline void gen_intermediate_code_internal(SPARCCPU *cpu,
// early check to see if the address of this block is the until address
if (pc_start == env->uc->addr_end) {
gen_tb_start(tcg_ctx);
insn = 0x91d02000; // generate TRAP to end this TB
disas_sparc_insn(dc, insn, false);
goto exit_gen_loop;
gen_helper_power_down(tcg_ctx, tcg_ctx->cpu_env);
goto done_generating;
}
max_insns = tb->cflags & CF_COUNT_MASK;

1
tests/regress/Makefile
View File

@ -37,6 +37,7 @@ TESTS += mips_branch_likely_issue
TESTS += hook_extrainvoke
TESTS += sysenter_hook_x86
TESTS += emu_clear_errors
TESTS += mem_fuzz
TESTS += memleak_x86
TESTS += memleak_arm

109
tests/regress/arm_init_input_crash.py Executable file
View File

@ -0,0 +1,109 @@
#!/usr/bin/env python
# Sample code for ARM of Unicorn. Nguyen Anh Quynh <aquynh@gmail.com>
# Python sample ported by Loi Anh Tuan <loianhtuan@gmail.com>
#
from __future__ import print_function
from unicorn import *
from unicorn.arm_const import *
# code to be emulated
ARM_CODE = "\x37\x00\xa0\xe3\x03\x10\x42\xe0" # mov r0, #0x37; sub r1, r2, r3
THUMB_CODE = "\x83\xb0" # sub sp, #0xc
# memory address where emulation starts
ADDRESS = 0xF0000000
# callback for tracing basic blocks
def hook_block(uc, address, size, user_data):
print(">>> Tracing basic block at 0x%x, block size = 0x%x" %(address, size))
# callback for tracing instructions
def hook_code(uc, address, size, user_data):
print(">>> Tracing instruction at 0x%x, instruction size = %u" %(address, size))
# Test ARM
def test_arm():
print("Emulate ARM code")
try:
# Initialize emulator in ARM mode
mu = Uc(UC_ARCH_ARM, UC_MODE_ARM)
mem_size = 2 * (1024 * 1024)
mu.mem_map(ADDRESS, mem_size)
stack_address = ADDRESS + mem_size
stack_size = stack_address # >>> here huge memory size
mu.mem_map(stack_address, stack_size)
# write machine code to be emulated to memory
mu.mem_write(ADDRESS, ARM_CODE)
# initialize machine registers
mu.reg_write(UC_ARM_REG_R0, 0x1234)
mu.reg_write(UC_ARM_REG_R2, 0x6789)
mu.reg_write(UC_ARM_REG_R3, 0x3333)
# tracing all basic blocks with customized callback
mu.hook_add(UC_HOOK_BLOCK, hook_block)
# tracing all instructions with customized callback
mu.hook_add(UC_HOOK_CODE, hook_code)
# emulate machine code in infinite time
mu.emu_start(ADDRESS, ADDRESS + len(ARM_CODE))
# now print out some registers
print(">>> Emulation done. Below is the CPU context")
r0 = mu.reg_read(UC_ARM_REG_R0)
r1 = mu.reg_read(UC_ARM_REG_R1)
print(">>> R0 = 0x%x" %r0)
print(">>> R1 = 0x%x" %r1)
except UcError as e:
print("ERROR: %s" % e)
def test_thumb():
print("Emulate THUMB code")
try:
# Initialize emulator in thumb mode
mu = Uc(UC_ARCH_ARM, UC_MODE_THUMB)
# map 2MB memory for this emulation
mu.mem_map(ADDRESS, 2 * 1024 * 1024)
# write machine code to be emulated to memory
mu.mem_write(ADDRESS, THUMB_CODE)
# initialize machine registers
mu.reg_write(UC_ARM_REG_SP, 0x1234)
# tracing all basic blocks with customized callback
mu.hook_add(UC_HOOK_BLOCK, hook_block)
# tracing all instructions with customized callback
mu.hook_add(UC_HOOK_CODE, hook_code)
# emulate machine code in infinite time
mu.emu_start(ADDRESS, ADDRESS + len(THUMB_CODE))
# now print out some registers
print(">>> Emulation done. Below is the CPU context")
sp = mu.reg_read(UC_ARM_REG_SP)
print(">>> SP = 0x%x" %sp)
except UcError as e:
print("ERROR: %s" % e)
if __name__ == '__main__':
test_arm()
print("=" * 20)
test_thumb()

119
tests/regress/mem_fuzz.c Normal file
View File

@ -0,0 +1,119 @@
#define __STDC_FORMAT_MACROS
#include <inttypes.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unicorn/unicorn.h>
uint64_t baseranges[] = {0,0,0,0};
int step =0;
uint64_t urnd(){
uint64_t rnd = rand();
rnd = rnd << 32;
rnd += rand();
return rnd;
}
uint64_t get_addr(){
uint64_t base = ((uint64_t)urnd())%4;
uint64_t addr= baseranges[base] + urnd()%(4096*10);
return addr;
}
uint64_t get_aligned_addr(){
uint64_t addr = get_addr();
return addr - (addr % 4096);
}
uint64_t get_len(){
uint64_t len = (urnd() % (4096*5))+1;
return len;
}
uint64_t get_aligned_len(){
uint64_t len = get_len();
len = len - (len %4096);
len = ((len == 0) ? 4096 : len);
return len;
}
void perform_map_step(uc_engine *uc){
uint64_t addr = get_aligned_addr();
uint64_t len = get_aligned_len();
printf("map(uc,0x%"PRIx64",0x%"PRIx64"); //%d\n", addr, len, step);
uc_mem_map(uc, addr, len, UC_PROT_READ | UC_PROT_WRITE);
}
void perform_unmap_step(uc_engine *uc){
uint64_t addr = get_aligned_addr();
uint64_t len = get_aligned_len();
printf("unmap(uc,0x%"PRIx64",0x%"PRIx64"); //%d\n", addr, len, step);
uc_mem_unmap(uc, addr, len);
}
void perform_write_step(uc_engine *uc){
char* buff[4096*4];
memset(buff, 0, 4096*4);
uint64_t addr = get_addr();
uint64_t len = get_len()%(4096*3);
printf("write(uc,0x%"PRIx64",0x%"PRIx64"); //%d\n", addr, len, step);
uc_mem_write(uc, addr, buff, len);
}
void perform_read_step(uc_engine *uc){
char* buff[4096*4];
uint64_t addr = get_addr();
uint64_t len = get_len()%(4096*3);
printf("read(uc,0x%"PRIx64",0x%"PRIx64"); //%d\n", addr, len, step);
uc_mem_read(uc, addr, buff, len);
}
void perform_fuzz_step(uc_engine *uc){
switch( ((uint32_t)rand())%4 ){
case 0: perform_map_step(uc); break;
case 1: perform_unmap_step(uc); break;
case 2: perform_read_step(uc); break;
case 3: perform_write_step(uc); break;
}
}
int main(int argc, char **argv, char **envp)
{
uc_engine *uc;
uc_hook trace1, trace2;
uc_err err;
if(argc<2){
printf("usage: mem_fuzz $seed\n");
return 1;
}
int seed = atoi(argv[1]);
int i = 0;
//don't really care about quality of randomness
srand(seed);
printf("running with seed %d\n",seed);
// Initialize emulator in X86-32bit mode
err = uc_open(UC_ARCH_X86, UC_MODE_64, &uc);
if (err) {
printf("Failed on uc_open() with error returned: %u\n", err);
return 1;
}
for(i = 0; i < 2048; i++){
step++;
perform_fuzz_step(uc);
}
// fill in sections that shouldn't get touched
if (uc_close(uc) != UC_ERR_OK) {
printf("Failed on uc_close\n");
return 1;
}
return 0;
}

27
tests/regress/mov_gs_eax.py Executable file
View File

@ -0,0 +1,27 @@
#!/usr/bin/python
from unicorn import *
from unicorn.x86_const import *
import regress
class VldrPcInsn(regress.RegressTest):
def runTest(self):
uc = Uc(UC_ARCH_X86, UC_MODE_32)
uc.mem_map(0x1000, 0x1000)
# mov gs, eax; mov eax, 1
code = '8ee8b801000000'.decode('hex')
uc.mem_write(0x1000, code)
uc.reg_write(UC_X86_REG_EAX, 0xFFFFFFFF)
# this should throw an error
# the eax test is just to prove the second instruction doesn't execute
try:
uc.emu_start(0x1000, len(code))
except UcError:
return
self.assertEqual(uc.reg_read(UC_X86_REG_EAX), 1)
if __name__ == '__main__':
regress.main()

163
tests/unit/test_gdt_idt_x86.c Normal file
View File

@ -0,0 +1,163 @@
#include <unicorn/unicorn.h>
#include <inttypes.h>
#include <assert.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
/**
* Assert that err matches expect
*/
#define uc_assert_err(expect, err) \
do { \
uc_err __err = err; \
if (__err != expect) { \
fprintf(stderr, "%s", uc_strerror(__err)); \
exit(1); \
} \
} while (0)
/**
* Assert that err is UC_ERR_OK
*/
#define uc_assert_success(err) uc_assert_err(UC_ERR_OK, err)
/**
* Assert that err is anything but UC_ERR_OK
*
* Note: Better to use uc_assert_err(<specific error>, err),
* as this serves to document which errors a function will return
* in various scenarios.
*/
#define uc_assert_fail(err) \
do { \
uc_err __err = err; \
if (__err == UC_ERR_OK) { \
fprintf(stderr, "%s", uc_strerror(__err)); \
exit(1); \
} \
} while (0)
#define OK(x) uc_assert_success(x)
/******************************************************************************/
static void test_idt_gdt_i386(/*void **state*/)
{
uc_engine *uc;
uc_err err;
uint8_t buf[6];
uc_x86_mmr idt;
uc_x86_mmr gdt;
uc_x86_mmr ldt;
uc_x86_mmr tr;
const uint8_t code[] = "\x0f\x01\x0c\x24\x0f\x01\x44\x24\x06"; // sidt [esp]; sgdt [esp+6]
const uint64_t address = 0x1000000;
int r_esp = address + 0x1000 - 0x100; // initial esp
idt.base = 0x12345678;
idt.limit = 0xabcd;
gdt.base = 0x87654321;
gdt.limit = 0xdcba;
ldt.base = 0xfedcba98;
ldt.limit = 0x11111111;
ldt.selector = 0x3333;
ldt.flags = 0x55555555;
tr.base = 0x22222222;
tr.limit = 0x33333333;
tr.selector = 0x4444;
tr.flags = 0x66666666;
// Initialize emulator in X86-32bit mode
err = uc_open(UC_ARCH_X86, UC_MODE_32, &uc);
uc_assert_success(err);
// map 1 page memory for this emulation
err = uc_mem_map(uc, address, 0x1000, UC_PROT_ALL);
uc_assert_success(err);
// write machine code to be emulated to memory
err = uc_mem_write(uc, address, code, sizeof(code)-1);
uc_assert_success(err);
// initialize machine registers
err = uc_reg_write(uc, UC_X86_REG_ESP, &r_esp);
uc_assert_success(err);
err = uc_reg_write(uc, UC_X86_REG_IDTR, &idt);
uc_assert_success(err);
err = uc_reg_write(uc, UC_X86_REG_GDTR, &gdt);
uc_assert_success(err);
err = uc_reg_write(uc, UC_X86_REG_LDTR, &ldt);
uc_assert_success(err);
err = uc_reg_write(uc, UC_X86_REG_TR, &tr);
uc_assert_success(err);
memset(&idt, 0, sizeof(idt));
memset(&gdt, 0, sizeof(gdt));
memset(&ldt, 0, sizeof(ldt));
memset(&tr, 0, sizeof(tr));
// emulate machine code in infinite time
err = uc_emu_start(uc, address, address+sizeof(code)-1, 0, 0);
uc_assert_success(err);
uc_reg_read(uc, UC_X86_REG_IDTR, &idt);
assert(idt.base == 0x12345678);
assert(idt.limit == 0xabcd);
uc_reg_read(uc, UC_X86_REG_GDTR, &gdt);
assert(gdt.base == 0x87654321);
assert(gdt.limit == 0xdcba);
//userspace can only set ldt selector, remainder are loaded from
//GDT/LDT, but we allow all to emulator user
uc_reg_read(uc, UC_X86_REG_LDTR, &ldt);
assert(ldt.base == 0xfedcba98);
assert(ldt.limit == 0x11111111);
assert(ldt.selector == 0x3333);
assert(ldt.flags = 0x55555555);
//userspace can only set tr selector, remainder are loaded from
//GDT/LDT, but we allow all to emulator user
uc_reg_read(uc, UC_X86_REG_TR, &tr);
assert(tr.base == 0x22222222);
assert(tr.limit == 0x33333333);
assert(tr.selector == 0x4444);
assert(tr.flags = 0x66666666);
// read from memory
err = uc_mem_read(uc, r_esp, buf, 6);
uc_assert_success(err);
assert(memcmp(buf, "\xcd\xab\x78\x56\x34\x12", 6) == 0);
// read from memory
err = uc_mem_read(uc, r_esp + 6, buf, 6);
uc_assert_success(err);
assert(memcmp(buf, "\xba\xdc\x21\x43\x65\x87", 6) == 0);
uc_close(uc);
}
/******************************************************************************/
int main(void) {
/*
const struct CMUnitTest tests[] = {
cmocka_unit_test(test_idt_gdt_i386)
};
return cmocka_run_group_tests(tests, NULL, NULL);
*/
test_idt_gdt_i386();
fprintf(stderr, "success\n");
return 0;
}

73
tests/unit/test_mem_map.c
View File

@ -138,15 +138,88 @@ static void test_unmap_double_map(void **state)
uc_assert_fail(uc_mem_map(uc, 0x0000, 0x1000, 0)); /* 0x1000 - 0x1000 */
}
static void test_overlap_unmap_double_map(void **state)
{
uc_engine *uc = *state;
uc_mem_map( uc, 0x1000, 0x2000, 0);
uc_mem_map( uc, 0x1000, 0x1000, 0);
uc_mem_unmap(uc, 0x2000, 0x1000);
}
static void test_strange_map(void **state)
{
uc_engine *uc = *state;
uc_mem_map( uc, 0x0,0x3000,0);
uc_mem_unmap(uc, 0x1000,0x1000);
uc_mem_map( uc, 0x3000,0x1000,0);
uc_mem_map( uc, 0x4000,0x1000,0);
uc_mem_map( uc, 0x1000,0x1000,0);
uc_mem_map( uc, 0x5000,0x1000,0);
uc_mem_unmap(uc, 0x0,0x1000);
}
void write(uc_engine* uc, uint64_t addr, uint64_t len){
uint8_t* buff = alloca(len);
memset(buff,0,len);
uc_mem_write(uc, addr, buff, len);
}
void read(uc_engine* uc, uint64_t addr, uint64_t len){
uint8_t* buff = alloca(len);
uc_mem_read(uc, addr, buff, len);
}
void map(uc_engine* uc, uint64_t addr, uint64_t len){
uc_mem_map(uc, addr, len, UC_PROT_READ | UC_PROT_WRITE);
}
void unmap(uc_engine* uc, uint64_t addr, uint64_t len){
uc_mem_unmap(uc, addr, len);
}
//most likely same bug as in test_strange_map, but looked different in fuzzer (sefault instead of assertion fail)
static void test_assertion_fail(void **state){
uc_engine *uc = *state;
map(uc,0x2000,0x4000); //5
unmap(uc,0x3000,0x2000); //11
map(uc,0x0,0x2000); //23
map(uc,0x3000,0x2000); //24
map(uc,0x9000,0x4000); //32
map(uc,0x8000,0x1000); //34
unmap(uc,0x1000,0x4000); //35
}
static void test_bad_offset(void **state){
uc_engine *uc = *state;
map(uc,0x9000,0x4000); //17
map(uc,0x4000,0x2000); //32
unmap(uc,0x5000,0x1000); //35
map(uc,0x0,0x1000); //42
map(uc,0x5000,0x4000); //51
map(uc,0x2000,0x1000); //53
map(uc,0x1000,0x1000); //55
unmap(uc,0x7000,0x3000); //58
unmap(uc,0x5000,0x1000); //59
unmap(uc,0x4000,0x2000); //70
}
int main(void) {
#define test(x) cmocka_unit_test_setup_teardown(x, setup, teardown)
const struct CMUnitTest tests[] = {
test(test_basic),
//test(test_bad_read),
//test(test_bad_write),
test(test_bad_offset),
test(test_assertion_fail),
test(test_bad_unmap),
test(test_rw_across_boundaries),
test(test_unmap_double_map),
test(test_overlap_unmap_double_map),
test(test_strange_map),
};
#undef test
return cmocka_run_group_tests(tests, NULL, NULL);

9
uc.c
View File

@ -618,10 +618,6 @@ static uc_err mem_map(uc_engine *uc, uint64_t address, size_t size, uint32_t per
{
MemoryRegion **regions;
// this area overlaps existing mapped regions?
if (memory_overlap(uc, address, size))
return UC_ERR_MAP;
if (block == NULL)
return UC_ERR_NOMEM;
@ -662,6 +658,11 @@ static uc_err mem_map_check(uc_engine *uc, uint64_t address, size_t size, uint32
if ((perms & ~UC_PROT_ALL) != 0)
return UC_ERR_ARG;
// this area overlaps existing mapped regions?
if (memory_overlap(uc, address, size)) {
return UC_ERR_MAP;
}
return UC_ERR_OK;
}