yizhi-js-lib/favicon-trap
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

make cleanup

Browse Source
This commit is contained in:
Stephen
2016-10-28 16:31:52 -07:00
committed by sgroat
parent 4d5738eeb5
commit 186540e160
38 changed files with 1149 additions and 800 deletions
Download Patch File Download Diff File Expand all files Collapse all files

236
bindings/python/sample_x86.py
View File

@ -8,6 +8,8 @@ from unicorn.x86_const import *
X86_CODE32 = b"\x41\x4a\x66\x0f\xef\xc1" # INC ecx; DEC edx; PXOR xmm0, xmm1
X86_CODE32_LOOP = b"\x41\x4a\xeb\xfe" # INC ecx; DEC edx; JMP self-loop
X86_CODE32_JUMP = b"\xeb\x02\x90\x90\x90\x90\x90\x90" # jmp 4; nop; nop; nop; nop; nop; nop
X86_CODE32_JMP_INVALID = b"\xe9\xe9\xee\xee\xee\x41\x4a" # JMP outside; INC ecx; DEC edx
X86_CODE32_MEM_READ = b"\x8B\x0D\xAA\xAA\xAA\xAA\x41\x4a" # mov ecx,[0xaaaaaaaa]; INC ecx; DEC edx
X86_CODE32_MEM_WRITE = b"\x89\x0D\xAA\xAA\xAA\xAA\x41\x4a" # mov [0xaaaaaaaa], ecx; INC ecx; DEC edx
X86_CODE64 = b"\x41\xBC\x3B\xB0\x28\x2A\x49\x0F\xC9\x90\x4D\x0F\xAD\xCF\x49\x87\xFD\x90\x48\x81\xD2\x8A\xCE\x77\x35\x48\xF7\xD9\x4D\x29\xF4\x49\x81\xC9\xF6\x8A\xC6\x53\x4D\x87\xED\x48\x0F\xAD\xD2\x49\xF7\xD4\x48\xF7\xE1\x4D\x19\xC5\x4D\x89\xC5\x48\xF7\xD6\x41\xB8\x4F\x8D\x6B\x59\x4D\x87\xD0\x68\x6A\x1E\x09\x3C\x59"
@ -26,9 +28,14 @@ def hook_block(uc, address, size, user_data):
# callback for tracing instructions
def hook_code(uc, address, size, user_data):
print(">>> Tracing instruction at 0x%x, instruction size = %u" %(address, size))
#eip = uc.reg_read(UC_X86_REG_EIP)
#print(">>> EIP = 0x%x" %(eip))
print(">>> Tracing instruction at 0x%x, instruction size = 0x%x" %(address, size))
eip = uc.reg_read(UC_X86_REG_EFLAGS)
print(">>> --- EFLAGS is 0x%x" %(eip))
def hook_code64(uc, address, size, user_data):
print(">>> Tracing instruction at 0x%x, instruction size = 0x%x" %(address, size))
rip = uc.reg_read(UC_X86_REG_RIP)
print(">>> RIP is 0x%x" %rip);
# callback for tracing invalid memory access (READ or WRITE)
@ -128,21 +135,21 @@ def test_i386():
r_xmm0 = mu.reg_read(UC_X86_REG_XMM0)
print(">>> ECX = 0x%x" %r_ecx)
print(">>> EDX = 0x%x" %r_edx)
print(">>> XMM0 = 0x%x" %r_xmm0)
print(">>> XMM0 = 0x%.32x" %r_xmm0)
# read from memory
tmp = mu.mem_read(ADDRESS, 2)
print(">>> Read 2 bytes from [0x%x] =" %(ADDRESS), end="")
for i in tmp:
print(" 0x%x" %i, end="")
tmp = mu.mem_read(ADDRESS, 4)
print(">>> Read 4 bytes from [0x%x] = 0x" %(ADDRESS), end="")
for i in reversed(tmp):
print("%x" %(i), end="")
print("")
except UcError as e:
print("ERROR: %s" % e)
def test_i386_loop():
print("Emulate i386 code with infinite loop - wait for 2 seconds then stop emulation")
def test_i386_map_ptr():
print("Emulate i386 code - use uc_mem_map_ptr()")
try:
# Initialize emulator in X86-32bit mode
mu = Uc(UC_ARCH_X86, UC_MODE_32)
@ -151,14 +158,20 @@ def test_i386_loop():
mu.mem_map(ADDRESS, 2 * 1024 * 1024)
# write machine code to be emulated to memory
mu.mem_write(ADDRESS, X86_CODE32_LOOP)
mu.mem_write(ADDRESS, X86_CODE32)
# initialize machine registers
mu.reg_write(UC_X86_REG_ECX, 0x1234)
mu.reg_write(UC_X86_REG_EDX, 0x7890)
# tracing all basic blocks with customized callback
mu.hook_add(UC_HOOK_BLOCK, hook_block)
# tracing all instructions with customized callback
mu.hook_add(UC_HOOK_CODE, hook_code)
# emulate machine code in infinite time
mu.emu_start(ADDRESS, ADDRESS + len(X86_CODE32_LOOP), 2 * UC_SECOND_SCALE)
mu.emu_start(ADDRESS, ADDRESS + len(X86_CODE32), 2 * UC_SECOND_SCALE)
# now print out some registers
print(">>> Emulation done. Below is the CPU context")
@ -168,6 +181,13 @@ def test_i386_loop():
print(">>> ECX = 0x%x" %r_ecx)
print(">>> EDX = 0x%x" %r_edx)
# read from memory
tmp = mu.mem_read(ADDRESS, 4)
print(">>> Read 4 bytes from [0x%x] = 0x" %(ADDRESS), end="")
for i in reversed(tmp):
print("%x" %(i), end="")
print("")
except UcError as e:
print("ERROR: %s" % e)
@ -198,7 +218,7 @@ def test_i386_invalid_mem_read():
# emulate machine code in infinite time
mu.emu_start(ADDRESS, ADDRESS + len(X86_CODE32_MEM_READ))
except UcError as e:
print("ERROR: %s" % e)
print("Failed on uc_emu_start() with error returned 6: %s" % e)
# now print out some registers
print(">>> Emulation done. Below is the CPU context")
@ -211,6 +231,35 @@ def test_i386_invalid_mem_read():
except UcError as e:
print("ERROR: %s" % e)
def test_i386_jump():
print("Emulate i386 code with jump")
try:
# Initialize emulator in X86-32bit mode
mu = Uc(UC_ARCH_X86, UC_MODE_32)
# map 2MB memory for this emulation
mu.mem_map(ADDRESS, 2 * 1024 * 1024)
# write machine code to be emulated to memory
mu.mem_write(ADDRESS, X86_CODE32_JUMP)
# tracing all basic blocks with customized callback
mu.hook_add(UC_HOOK_BLOCK, hook_block, begin=ADDRESS, end=ADDRESS)
# tracing all instructions with customized callback
mu.hook_add(UC_HOOK_CODE, hook_code, begin=ADDRESS, end=ADDRESS)
try:
# emulate machine code in infinite time
mu.emu_start(ADDRESS, ADDRESS + len(X86_CODE32_JUMP))
except UcError as e:
print("ERROR: %s" % e)
print(">>> Emulation done. Below is the CPU context")
except UcError as e:
print("ERROR: %s" % e)
def test_i386_invalid_mem_write():
print("Emulate i386 code that write to invalid memory")
@ -229,10 +278,10 @@ def test_i386_invalid_mem_write():
mu.reg_write(UC_X86_REG_EDX, 0x7890)
# tracing all basic blocks with customized callback
#mu.hook_add(UC_HOOK_BLOCK, hook_block)
mu.hook_add(UC_HOOK_BLOCK, hook_block)
# tracing all instructions with customized callback
#mu.hook_add(UC_HOOK_CODE, hook_code)
mu.hook_add(UC_HOOK_CODE, hook_code)
# intercept invalid memory events
mu.hook_add(UC_HOOK_MEM_READ_UNMAPPED | UC_HOOK_MEM_WRITE_UNMAPPED, hook_mem_invalid)
@ -251,25 +300,92 @@ def test_i386_invalid_mem_write():
print(">>> ECX = 0x%x" %r_ecx)
print(">>> EDX = 0x%x" %r_edx)
# read from memory
print(">>> Read 4 bytes from [0x%x] = 0x" %(0xaaaaaaaa), end="")
tmp = mu.mem_read(0xaaaaaaaa, 4)
for i in reversed(tmp):
if i != 0:
print("%x" %i, end="")
print("")
try:
# read from memory
print(">>> Read 4 bytes from [0x%x] = " %(0xaaaaaaaa), end="")
tmp = mu.mem_read(0xaaaaaaaa, 4)
for i in tmp:
print(" 0x%x" %i, end="")
tmp = mu.mem_read(0xffffffaa, 4)
print(">>> Read 4 bytes from [0x%x] = 0x" %(0xffffffaa), end="")
for i in reversed(tmp):
print("%x" %i, end="")
print("")
print(">>> Read 4 bytes from [0x%x] = " %(0xffffffaa), end="")
tmp = mu.mem_read(0xffffffaa, 4)
for i in tmp:
print(" 0x%x" %i, end="")
print("")
except UcError as e:
print("ERROR: %s" % e)
print(">>> Failed to read 4 bytes from [0xffffffaa]")
except UcError as e:
print("ERROR: %s" % e)
def test_i386_jump_invalid():
print("Emulate i386 code that jumps to invalid memory")
try:
# Initialize emulator in X86-32bit mode
mu = Uc(UC_ARCH_X86, UC_MODE_32)
# map 2MB memory for this emulation
mu.mem_map(ADDRESS, 2 * 1024 * 1024)
# write machine code to be emulated to memory
mu.mem_write(ADDRESS, X86_CODE32_JMP_INVALID)
# initialize machine registers
mu.reg_write(UC_X86_REG_ECX, 0x1234)
mu.reg_write(UC_X86_REG_EDX, 0x7890)
# tracing all basic blocks with customized callback
mu.hook_add(UC_HOOK_BLOCK, hook_block)
# tracing all instructions with customized callback
mu.hook_add(UC_HOOK_CODE, hook_code)
try:
mu.emu_start(ADDRESS, ADDRESS + len(X86_CODE32_JMP_INVALID))
except UcError as e:
print("Failed on uc_emu_start() with error returned 8: %s" %e)
print(">>> Emulation done. Below is the CPU context")
r_ecx = mu.reg_read(UC_X86_REG_ECX)
r_edx = mu.reg_read(UC_X86_REG_EDX)
print(">>> ECX = 0x%x" %r_ecx)
print(">>> EDX = 0x%x" %r_edx)
except UcError as e:
print("ERROR %s" % e)
def test_i386_loop():
print("Emulate i386 code that loop forever")
try:
# Initialize emulator in X86-32bit mode
mu = Uc(UC_ARCH_X86, UC_MODE_32)
# map 2MB memory for this emulation
mu.mem_map(ADDRESS, 2 * 1024 * 1024)
# write machine code to be emulated to memory
mu.mem_write(ADDRESS, X86_CODE32_LOOP)
# initialize machine registers
mu.reg_write(UC_X86_REG_ECX, 0x1234)
mu.reg_write(UC_X86_REG_EDX, 0x7890)
mu.emu_start(ADDRESS, ADDRESS + len(X86_CODE32_LOOP), timeout=2*UC_SECOND_SCALE)
print(">>> Emulation done. Below is the CPU context")
r_ecx = mu.reg_read(UC_X86_REG_ECX)
r_edx = mu.reg_read(UC_X86_REG_EDX)
print(">>> ECX = 0x%x" %r_ecx)
print(">>> EDX = 0x%x" %r_edx)
except UcError as e:
print("ERROR: %s" % e)
# Test X86 32 bit with IN/OUT instruction
def test_i386_inout():
@ -397,7 +513,7 @@ def test_x86_64():
mu.hook_add(UC_HOOK_BLOCK, hook_block)
# tracing all instructions in range [ADDRESS, ADDRESS+20]
mu.hook_add(UC_HOOK_CODE, hook_code, None, ADDRESS, ADDRESS+20)
mu.hook_add(UC_HOOK_CODE, hook_code64, None, ADDRESS, ADDRESS+20)
# tracing all memory READ & WRITE access
mu.hook_add(UC_HOOK_MEM_WRITE, hook_mem_access)
@ -429,23 +545,21 @@ def test_x86_64():
r14 = mu.reg_read(UC_X86_REG_R14)
r15 = mu.reg_read(UC_X86_REG_R15)
print(">>> RAX = %x" %rax)
print(">>> RBX = %x" %rbx)
print(">>> RCX = %x" %rcx)
print(">>> RDX = %x" %rdx)
print(">>> RSI = %x" %rsi)
print(">>> RDI = %x" %rdi)
print(">>> R8 = %x" %r8)
print(">>> R9 = %x" %r9)
print(">>> R10 = %x" %r10)
print(">>> R11 = %x" %r11)
print(">>> R12 = %x" %r12)
print(">>> R13 = %x" %r13)
print(">>> R14 = %x" %r14)
print(">>> R15 = %x" %r15)
print(">>> RAX = 0x%x" %rax)
print(">>> RBX = 0x%x" %rbx)
print(">>> RCX = 0x%x" %rcx)
print(">>> RDX = 0x%x" %rdx)
print(">>> RSI = 0x%x" %rsi)
print(">>> RDI = 0x%x" %rdi)
print(">>> R8 = 0x%x" %r8)
print(">>> R9 = 0x%x" %r9)
print(">>> R10 = 0x%x" %r10)
print(">>> R11 = 0x%x" %r11)
print(">>> R12 = 0x%x" %r12)
print(">>> R13 = 0x%x" %r13)
print(">>> R14 = 0x%x" %r14)
print(">>> R15 = 0x%x" %r15)
#BUG
mu.emu_start(ADDRESS, ADDRESS + len(X86_CODE64))
except UcError as e:
print("ERROR: %s" % e)
@ -516,27 +630,29 @@ def test_x86_16():
print(">>> Emulation done. Below is the CPU context")
tmp = mu.mem_read(11, 1)
print("[0x%x] = 0x%x" %(11, tmp[0]))
print(">>> Read 1 bytes from [0x%x] = 0x%x" %(11, tmp[0]))
except UcError as e:
print("ERROR: %s" % e)
if __name__ == '__main__':
test_i386()
print("=" * 20)
test_i386_loop()
print("=" * 20)
test_i386_invalid_mem_read()
print("=" * 20)
test_i386_invalid_mem_write()
print("=" * 20)
test_i386_inout()
print("=" * 20)
test_i386_context_save()
print("=" * 20)
test_x86_64()
print("=" * 20)
test_x86_64_syscall()
print("=" * 20)
test_x86_16()
test_i386()
print("=" * 35)
test_i386_map_ptr()
print("=" * 35)
test_i386_inout()
print("=" * 35)
test_i386_jump()
print("=" * 35)
test_i386_loop()
print("=" * 35)
test_i386_invalid_mem_read()
print("=" * 35)
test_i386_invalid_mem_write()
print("=" * 35)
test_i386_jump_invalid()
test_x86_64()
print("=" * 35)
test_x86_64_syscall()