From 400f396a2aa3deef435d3151348ab14c9a6b8046 Mon Sep 17 00:00:00 2001 From: Nguyen Anh Quynh Date: Wed, 6 Apr 2016 09:48:38 +0800 Subject: [PATCH] samples: code style for sample_batch_reg.c --- samples/sample_batch_reg.c | 42 ++++++++++++++++++++++++++++++-------- 1 file changed, 33 insertions(+), 9 deletions(-) diff --git a/samples/sample_batch_reg.c b/samples/sample_batch_reg.c index 2e5e0468..abbee210 100644 --- a/samples/sample_batch_reg.c +++ b/samples/sample_batch_reg.c @@ -3,14 +3,20 @@ #include #include -int syscall_abi[] = {UC_X86_REG_RAX, UC_X86_REG_RDI, UC_X86_REG_RSI, UC_X86_REG_RDX, UC_X86_REG_R10, UC_X86_REG_R8, UC_X86_REG_R9}; -uint64_t vals[7] = {200, 10, 11, 12, 13, 14, 15}; +int syscall_abi[] = { + UC_X86_REG_RAX, UC_X86_REG_RDI, UC_X86_REG_RSI, UC_X86_REG_RDX, + UC_X86_REG_R10, UC_X86_REG_R8, UC_X86_REG_R9 +}; + +uint64_t vals[7] = { 200, 10, 11, 12, 13, 14, 15 }; + // This part of the API is less... clean... because Unicorn supports arbitrary register types. // So the least intrusive solution is passing individual pointers. // On the plus side, you only need to make this pointer array once. void *ptrs[7]; -void uc_perror(const char *func, uc_err err) { +void uc_perror(const char *func, uc_err err) +{ fprintf(stderr, "Error in %s(): %s\n", func, uc_strerror(err)); } @@ -19,30 +25,39 @@ void uc_perror(const char *func, uc_err err) { // mov rax, 100; mov rdi, 1; mov rsi, 2; mov rdx, 3; mov r10, 4; mov r8, 5; mov r9, 6; syscall #define CODE "\x48\xc7\xc0\x64\x00\x00\x00\x48\xc7\xc7\x01\x00\x00\x00\x48\xc7\xc6\x02\x00\x00\x00\x48\xc7\xc2\x03\x00\x00\x00\x49\xc7\xc2\x04\x00\x00\x00\x49\xc7\xc0\x05\x00\x00\x00\x49\xc7\xc1\x06\x00\x00\x00\x0f\x05" -void hook_syscall(uc_engine *uc, void *user_data) { +void hook_syscall(uc_engine *uc, void *user_data) +{ int i; + uc_reg_read_batch(uc, syscall_abi, ptrs, 7); + printf("syscall: {"); + for (i = 0; i < 7; i++) { if (i != 0) printf(", "); printf("%llu", vals[i]); } + printf("}\n"); } -void hook_code(uc_engine *uc, uint64_t addr, uint32_t size, void *user_data) { +void hook_code(uc_engine *uc, uint64_t addr, uint32_t size, void *user_data) +{ printf("HOOK_CODE: 0x%llx, 0x%x\n", addr, size); } -int main() { +int main() +{ int i; + uc_hook sys_hook; + uc_err err; + uc_engine *uc; + // set up register pointers for (i = 0; i < 7; i++) { ptrs[i] = &vals[i]; } - uc_err err; - uc_engine *uc; if ((err = uc_open(UC_ARCH_X86, UC_MODE_64, &uc))) { uc_perror("uc_open", err); return 1; @@ -54,37 +69,46 @@ int main() { uc_perror("uc_reg_write_batch", err); return 1; } + // reg_read_batch memset(vals, 0, sizeof(vals)); if ((err = uc_reg_read_batch(uc, syscall_abi, ptrs, 7))) { uc_perror("uc_reg_read_batch", err); return 1; } + printf("reg_read_batch = {"); + for (i = 0; i < 7; i++) { if (i != 0) printf(", "); printf("%llu", vals[i]); } + printf("}\n"); // syscall printf("\n"); printf("running syscall shellcode\n"); - uc_hook sys_hook; + if ((err = uc_hook_add(uc, &sys_hook, UC_HOOK_INSN, hook_syscall, NULL, 1, 0, UC_X86_INS_SYSCALL))) { uc_perror("uc_hook_add", err); return 1; } + if ((err = uc_mem_map(uc, BASE, 0x1000, UC_PROT_ALL))) { uc_perror("uc_mem_map", err); return 1; } + if ((err = uc_mem_write(uc, BASE, CODE, sizeof(CODE) - 1))) { uc_perror("uc_mem_write", err); return 1; } + if ((err = uc_emu_start(uc, BASE, BASE + sizeof(CODE) - 1, 0, 0))) { uc_perror("uc_emu_start", err); return 1; } + + return 0; }