From eb19d9bff595830643b81d3a093675e6984dfa6b Mon Sep 17 00:00:00 2001
From: Ryan Hileman
Date: Thu, 24 Sep 2015 01:01:39 -0700
Subject: [PATCH 1/5] update Go bindings for #149
---
 bindings/go/unicorn/hook.go | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/bindings/go/unicorn/hook.go b/bindings/go/unicorn/hook.go
index bfa72c80..c286f08f 100644
--- a/bindings/go/unicorn/hook.go
+++ b/bindings/go/unicorn/hook.go
@@ -71,10 +71,7 @@ func (u *uc) HookAdd(htype int, cb interface{}, extra ...uint64) (Hook, error) {
 case HOOK_BLOCK, HOOK_CODE:
 rangeMode = true
 callback = C.hookCode_cgo
- case HOOK_MEM_INVALID:
- rangeMode = true
- callback = C.hookMemInvalid_cgo
- case HOOK_MEM_READ, HOOK_MEM_WRITE, HOOK_MEM_READ_WRITE:
+ case HOOK_MEM_READ, HOOK_MEM_WRITE, HOOK_MEM_READ | HOOK_MEM_WRITE:
 rangeMode = true
 callback = C.hookMemAccess_cgo
 case HOOK_INTR:
@@ -92,7 +89,14 @@ func (u *uc) HookAdd(htype int, cb interface{}, extra ...uint64) (Hook, error) {
 return 0, errors.New("Unknown instruction type.")
 }
 default:
- return 0, errors.New("Unknown hook type.")
+ // special case for mask
+ if htype&(HOOK_MEM_READ_INVALID|HOOK_MEM_WRITE_INVALID|HOOK_MEM_FETCH_INVALID|
 HOOK_MEM_READ_PROT|HOOK_MEM_WRITE_PROT|HOOK_MEM_FETCH_PROT) != 0 {
 rangeMode = true
 callback = C.hookMemInvalid_cgo
+ } else {
+ return 0, errors.New("Unknown hook type.")
+ }
 }
 var h2 C.uc_hook
 data := &HookData{u, cb}
From 738b8d89f915f8093ba5243ade6c03a3ba6d6dfa Mon Sep 17 00:00:00 2001
From: Nguyen Anh Quynh
Date: Thu, 24 Sep 2015 18:50:49 +0800
Subject: [PATCH 2/5] correct instructions for uc_cb_hookmem_t & uc_cb_eventmem_t. this fixes a part of issue #151
---
 include/unicorn/unicorn.h | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/include/unicorn/unicorn.h b/include/unicorn/unicorn.h
index 21661f0c..52f9cd1f 100644
--- a/include/unicorn/unicorn.h
+++ b/include/unicorn/unicorn.h
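Review bot: The mask test in the new `default` branch only checks that some `*_INVALID`/`*_PROT` bit is present, so a combined value such as `HOOK_MEM_READ|HOOK_MEM_READ_INVALID` is accepted and wired to `C.hookMemInvalid_cgo`, although the plain read bit belongs to the `hookMemAccess_cgo` case above and the header (per this series' own wording) pairs those two event classes with different callback typedefs, so the mem-invalid trampoline would presumably be driven for events it was not written for. Reject foreign bits as well as requiring at least one known bit: `memErr := HOOK_MEM_READ_INVALID | HOOK_MEM_WRITE_INVALID | HOOK_MEM_FETCH_INVALID | HOOK_MEM_READ_PROT | HOOK_MEM_WRITE_PROT | HOOK_MEM_FETCH_PROT` followed by `if htype&memErr != 0 && htype&^memErr == 0 {`. The comment `// special case for mask` should say what it admits, e.g. `// any combination of the *_INVALID / *_PROT bits shares the mem-invalid trampoline`. HookAdd begins before this hunk and continues past it on both sides.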
@@ -181,7 +181,7 @@ typedef enum uc_hook_type {
 UC_HOOK_MEM_FETCH = 1 << 12, // Hook memory fetch for execution events
 } uc_hook_type;

-// Callback function for hooking memory (UC_HOOK_MEM_*)
+// Callback function for hooking memory (UC_MEM_READ, UC_MEM_WRITE & UC_MEM_FETCH)
 // @type: this memory is being READ, or WRITE
 // @address: address where the code is being executed
 // @size: size of data being read or written
@@ -190,7 +190,8 @@ typedef enum uc_hook_type {
 typedef void (*uc_cb_hookmem_t)(uc_engine *uc, uc_mem_type type, uint64_t address, int size, int64_t value, void *user_data);

-// Callback function for handling memory events (for UC_HOOK_MEM_INVALID)
+// Callback function for handling invalid memory access events (UC_MEM_*_INVALID and
+// UC_MEM_*PROT events)
 // @type: this memory is being READ, or WRITE
 // @address: address where the code is being executed
 // @size: size of data being read or written
From 2599d41404e10cfd53008e8242ab9f37e50f5289 Mon Sep 17 00:00:00 2001
From: Nguyen Anh Quynh
Date: Thu, 24 Sep 2015 19:21:31 +0800
Subject: [PATCH 3/5] add some hooking macros for all kind of memory access events
---
 include/unicorn/unicorn.h | 19 +++++++++++++++++++
 samples/mem_apis.c | 3 +--
 2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/include/unicorn/unicorn.h b/include/unicorn/unicorn.h
index 52f9cd1f..dd7e5536 100644
--- a/include/unicorn/unicorn.h
+++ b/include/unicorn/unicorn.h
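Review bot: The `@type` line immediately under the rewritten comment still reads `READ, or WRITE`, while the new text names `UC_MEM_FETCH` as a third event this callback receives; it should become `// @type: this memory is being READ, WRITE or FETCH` (the same stale line follows the second comment in the next hunk). The parenthetical also switches from the registration constants (`UC_HOOK_MEM_*`) to what are presumably the `uc_mem_type` values delivered in `@type`; naming both, e.g. `(registered with UC_HOOK_MEM_READ/WRITE/FETCH; @type is UC_MEM_READ/WRITE/FETCH)`, keeps the two enums apart for readers.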
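Review bot: `UC_MEM_*PROT` on the second added line drops the underscore that `UC_MEM_*_INVALID` on the line before keeps, and the hook-type constants visible in this series (`UC_HOOK_MEM_READ_PROT` etc.) do use one, so the wildcard should read `UC_MEM_*_PROT`. A reader also cannot tell from this comment how an invalid-access handler differs from the plain memory hook in what it must return; if `uc_cb_eventmem_t` has a non-void result, a `// @return` line describing it belongs here. The `@type` line below still lists only READ and WRITE.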
@@ -181,6 +181,25 @@ typedef enum uc_hook_type {
 UC_HOOK_MEM_FETCH = 1 << 12, // Hook memory fetch for execution events
 } uc_hook_type;

+// hook type for all events of unmapped memory access
+#define UC_HOOK_MEM_INVALID (UC_HOOK_MEM_READ_INVALID + UC_HOOK_MEM_WRITE_INVALID + UC_HOOK_MEM_FETCH_INVALID)
+// hook type for all events of illegal protected memory access
+#define UC_HOOK_MEM_PROT (UC_HOOK_MEM_READ_PROT + UC_HOOK_MEM_WRITE_PROT + UC_HOOK_MEM_FETCH_PROT)
+// hook type for all events of illegal read memory access
+#define UC_HOOK_MEM_READ_ERR (UC_HOOK_MEM_READ_PROT + UC_HOOK_MEM_READ_INVALID)
+// hook type for all events of illegal write memory access
+#define UC_HOOK_MEM_WRITE_ERR (UC_HOOK_MEM_WRITE_PROT + UC_HOOK_MEM_WRITE_INVALID)
+// hook type for all events of illegal fetch memory access
+#define UC_HOOK_MEM_FETCH_ERR (UC_HOOK_MEM_FETCH_PROT + UC_HOOK_MEM_FETCH_INVALID)
+// hook type for all events of illegal memory access
+#define UC_HOOK_MEM_ERR (UC_HOOK_MEM_INVALID + UC_HOOK_MEM_PROT)
+// hook type for all events of read memory access
+#define UC_HOOK_MEM_READ_ALL (UC_HOOK_MEM_READ_ERR + UC_HOOK_MEM_READ)
+// hook type for all events of write memory access
+#define UC_HOOK_MEM_WRITE_ALL (UC_HOOK_MEM_WRITE_ERR + UC_HOOK_MEM_WRITE)
+// hook type for all events of fetch memory access
+#define UC_HOOK_MEM_FETCH_ALL (UC_HOOK_MEM_FETCH_ERR + UC_HOOK_MEM_FETCH)
+
 // Callback function for hooking memory (UC_MEM_READ, UC_MEM_WRITE & UC_MEM_FETCH)
 // @type: this memory is being READ, or WRITE
 // @address: address where the code is being executed
diff --git a/samples/mem_apis.c b/samples/mem_apis.c
index fea1a834..28f2b60c 100644
--- a/samples/mem_apis.c
+++ b/samples/mem_apis.c
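Review bot: The new macros build bit masks with `+` rather than `|`, which is only equivalent while every operand is a distinct single bit and no operand is repeated; `UC_HOOK_MEM_ERR` already nests two composite masks, so any future overlap, or a caller writing `UC_HOOK_MEM_ERR + UC_HOOK_MEM_READ_INVALID`, would carry into an unrelated hook bit and silently register the wrong hook type. Use `|` throughout, e.g. `#define UC_HOOK_MEM_INVALID (UC_HOOK_MEM_READ_INVALID | UC_HOOK_MEM_WRITE_INVALID | UC_HOOK_MEM_FETCH_INVALID)`. The visible `1 << 12` suggests the enum members are single bits, but that is the only evidence in this hunk. Separately, the `UC_HOOK_MEM_*_ALL` macros combine event classes that the header's comments assign to two different callback typedefs, so each of those three lines needs a comment warning that one handler registered with it will be driven under both conventions, or the macros should be left out.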
@@ -147,8 +147,7 @@ static void do_nx_demo(bool cause_fault)
 // intercept code and invalid memory events
 if (uc_hook_add(uc, &trace2, UC_HOOK_CODE, hook_code, NULL, (uint64_t)1, (uint64_t)0) != UC_ERR_OK ||
- uc_hook_add(uc, &trace1,
- UC_HOOK_MEM_READ_INVALID | UC_HOOK_MEM_WRITE_INVALID | UC_HOOK_MEM_FETCH_INVALID | UC_HOOK_MEM_FETCH_PROT | UC_HOOK_MEM_WRITE_PROT | UC_HOOK_MEM_READ_PROT,
+ uc_hook_add(uc, &trace1, UC_HOOK_MEM_ERR,
 hook_mem_invalid, NULL) != UC_ERR_OK) {
 printf("not ok - Failed to install hooks\n");
 return;
From aa546ba7d6124ec1aac6a2dce36d7f3efbda443e Mon Sep 17 00:00:00 2001
From: Nguyen Anh Quynh
Date: Thu, 24 Sep 2015 20:59:45 +0800
Subject: [PATCH 4/5] add UC_HOOK_MEM_ALL macro to hook all kind of memory accesses
---
 include/unicorn/unicorn.h | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/include/unicorn/unicorn.h b/include/unicorn/unicorn.h
index dd7e5536..8fd36c9e 100644
--- a/include/unicorn/unicorn.h
+++ b/include/unicorn/unicorn.h
@@ -199,6 +199,8 @@ typedef enum uc_hook_type {
 #define UC_HOOK_MEM_WRITE_ALL (UC_HOOK_MEM_WRITE_ERR + UC_HOOK_MEM_WRITE)
 // hook type for all events of fetch memory access
 #define UC_HOOK_MEM_FETCH_ALL (UC_HOOK_MEM_FETCH_ERR + UC_HOOK_MEM_FETCH)
+// hook type for all events of memory access
+#define UC_HOOK_MEM_ALL (UC_HOOK_READ_ALL + UC_HOOK_WRITE_ALL + UC_HOOK_FETCH_ALL)

 // Callback function for hooking memory (UC_MEM_READ, UC_MEM_WRITE & UC_MEM_FETCH)
 // @type: this memory is being READ, or WRITE
From dc1e9d36264d01cf332fd5e2e919db330f7a259c Mon Sep 17 00:00:00 2001
From: Nguyen Anh Quynh
Date: Thu, 24 Sep 2015 23:23:05 +0800
Subject: [PATCH 5/5] remove UC_HOOK_*_ALL hook types as they are not for same hook handlers
---
 include/unicorn/unicorn.h | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/include/unicorn/unicorn.h b/include/unicorn/unicorn.h
index 8fd36c9e..75f47064 100644
--- a/include/unicorn/unicorn.h
+++ b/include/unicorn/unicorn.h
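Review bot: `UC_HOOK_MEM_ALL` expands to `UC_HOOK_READ_ALL + UC_HOOK_WRITE_ALL + UC_HOOK_FETCH_ALL`, but the macros defined in the surrounding context lines are `UC_HOOK_MEM_READ_ALL`, `UC_HOOK_MEM_WRITE_ALL` and `UC_HOOK_MEM_FETCH_ALL`; because a macro body is not checked until it is expanded, this header compiles as-is and the typo only surfaces in the first caller that passes `UC_HOOK_MEM_ALL` to `uc_hook_add`. The line should read `#define UC_HOOK_MEM_ALL (UC_HOOK_MEM_READ_ALL | UC_HOOK_MEM_WRITE_ALL | UC_HOOK_MEM_FETCH_ALL)`, with `|` rather than `+` since these are flag bits. A sample or test that registers `UC_HOOK_MEM_ALL` once would have caught this.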
@@ -193,14 +193,6 @@ typedef enum uc_hook_type {
 #define UC_HOOK_MEM_FETCH_ERR (UC_HOOK_MEM_FETCH_PROT + UC_HOOK_MEM_FETCH_INVALID)
 // hook type for all events of illegal memory access
 #define UC_HOOK_MEM_ERR (UC_HOOK_MEM_INVALID + UC_HOOK_MEM_PROT)
-// hook type for all events of read memory access
-#define UC_HOOK_MEM_READ_ALL (UC_HOOK_MEM_READ_ERR + UC_HOOK_MEM_READ)
-// hook type for all events of write memory access
-#define UC_HOOK_MEM_WRITE_ALL (UC_HOOK_MEM_WRITE_ERR + UC_HOOK_MEM_WRITE)
-// hook type for all events of fetch memory access
-#define UC_HOOK_MEM_FETCH_ALL (UC_HOOK_MEM_FETCH_ERR + UC_HOOK_MEM_FETCH)
-// hook type for all events of memory access
-#define UC_HOOK_MEM_ALL (UC_HOOK_READ_ALL + UC_HOOK_WRITE_ALL + UC_HOOK_FETCH_ALL)

 // Callback function for hooking memory (UC_MEM_READ, UC_MEM_WRITE & UC_MEM_FETCH)
 // @type: this memory is being READ, or WRITE