How to use the unicorn.UC_HOOK_CODE function in unicorn
To help you get started, we’ve selected a few unicorn examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
AeonLucid / AndroidNativeEmu / samples / example.py View on Github 
# Show loaded modules.
logger.info("Loaded modules:")
for module in emulator.modules:
logger.info("[0x%x] %s" % (module.base, module.filename))
# Add debugging.
def hook_code(mu, address, size, user_data):
instruction = mu.mem_read(address, size)
instruction_str = ''.join('{:02x} '.format(x) for x in instruction)
print('# Tracing instruction at 0x%x, instruction size = 0x%x, instruction = %s' % (address, size, instruction_str))
emulator.mu.hook_add(UC_HOOK_CODE, hook_code)
# Runs a method of "libnative-lib.so" that calls an imported function "strlen" from "libc.so".
emulator.call_symbol(lib_module, '_Z4testv')
print("String length is: %i" % emulator.mu.reg_read(UC_ARM_REG_R0))def emulate_with_hook(self, hook, count=512):
ident = self.hook_add(U.UC_HOOK_CODE, hook)
try:
self.emu_start(self.pc, 0, count=count)
finally:
self.hook_del(ident)def create_new_vm(self) -> None:
"""
Create a new VM, and sets up the hooks
"""
arch, mode, endian = get_arch_mode("unicorn", self.root.arch)
self.vm = unicorn.Uc(arch, mode | endian)
self.vm.hook_add(unicorn.UC_HOOK_BLOCK, self.hook_block)
self.vm.hook_add(unicorn.UC_HOOK_CODE, self.hook_code)
self.vm.hook_add(unicorn.UC_HOOK_INTR, self.hook_interrupt)
self.vm.hook_add(unicorn.UC_HOOK_MEM_WRITE, self.hook_mem_access)
self.vm.hook_add(unicorn.UC_HOOK_MEM_READ, self.hook_mem_access)
if is_x86(self.root.arch):
self.vm.hook_add(unicorn.UC_HOOK_INSN, self.hook_syscall, None, 1, 0, unicorn.x86_const.UC_X86_INS_SYSCALL)
returnif sec.sh_addr.value == 0x0:
continue
data = elf.readDataAtOffset(sec.sh_offset.value, sec.sh_size.value)
mu.mem_write(sec.sh_addr.value, data)'''
logger.info("Initializing registers")
init_reg(mu)
utils.dump_at_addr(mu, 0x400ce0, 0x100, logger)
start = int(raw_input("Start emulation at address:"), 16)
end = int(raw_input("End emulation at address:"), 16)
#mu.hook_add(unicorn.UC_HOOK_CODE, hook_code, None, elf.elfHdr.e_entry.value,
# elf.elfHdr.e_entry.value + 40)
mu.hook_add(unicorn.UC_HOOK_CODE, hook_code, None, start, end)
logger.info("Emulating")
#mu.emu_start(elf.elfHdr.e_entry.value, elf.elfHdr.e_entry.value + 40)
mu.emu_start(start, end)
logger.info("Dump of registers can be found at ./dump_regs")
logger.info("Dump of memory mappings can be found at ./dump_mappings")
logger.info("Finished")
emu.mem_map(0x7ffff7ffd000, 0x1000, 0o3)
emu.mem_write(0x7ffff7ffd000, open('./emu_files/gef-crack3-by-D4RK_FL0W-0x7ffff7ffd000.raw', 'rb').read())
# Mapping : 0x7ffff7ffe000-0x7ffff7fff000
emu.mem_map(0x7ffff7ffe000, 0x1000, 0o3)
emu.mem_write(0x7ffff7ffe000, open('./emu_files/gef-crack3-by-D4RK_FL0W-0x7ffff7ffe000.raw', 'rb').read())
# Mapping [stack]: 0x7ffffffde000-0x7ffffffff000
emu.mem_map(0x7ffffffde000, 0x21000, 0o3)
emu.mem_write(0x7ffffffde000, open('./emu_files/gef-crack3-by-D4RK_FL0W-0x7ffffffde000.raw', 'rb').read())
# Mapping [vsyscall]: 0xffffffffff600000-0xffffffffff601000
emu.mem_map(0xffffffffff600000, 0x1000, 0o5)
emu.mem_write(0xffffffffff600000, open('./emu_files/gef-crack3-by-D4RK_FL0W-0xffffffffff600000.raw', 'rb').read())
emu.hook_add(unicorn.UC_HOOK_CODE, code_hook)
emu.hook_add(unicorn.UC_HOOK_INTR, intr_hook)
emu.hook_add(unicorn.UC_HOOK_INSN, syscall_hook, None, 1, 0, unicorn.x86_const.UC_X86_INS_SYSCALL)
return emudef setup(self, sca_mode):
""" Sets up a stack and adds base hooks to the engine """
## Add a stack
self.map_space(*self.STACK)
## Add hooks
self.mem_unmapped_hook = self.emu.hook_add(uc.UC_HOOK_MEM_UNMAPPED, self.unmapped_hook)
self.block_hook = self.emu.hook_add(uc.UC_HOOK_BLOCK, self.block_handler)
if sca_mode:
self.ct_hook = self.emu.hook_add(uc.UC_HOOK_CODE, self.sca_code_trace)
self.tm_hook = self.emu.hook_add(
uc.UC_HOOK_MEM_READ | uc.UC_HOOK_MEM_WRITE, self.sca_trace_mem
)
else:
self.code_hook = self.emu.hook_add(uc.UC_HOOK_CODE, self.code_trace)
self.mem_access_hook = self.emu.hook_add( uc.UC_HOOK_MEM_READ | uc.UC_HOOK_MEM_WRITE, self.trace_mem):param condition: not supported
:param ignore_count: amount of times the breakpoint should be ignored before firing
:param thread: not supported
:return: breakpoint number
"""
if not hardware:
self.log.warning('Software breakpoints are not supported, falling back to hardware')
if regex:
self.log.warning('Regex breakpoints are not supported, ignoring regex')
if condition is not None:
self.log.warning('Conditional breakpoints are not supported, ignoring condition')
if thread:
self.log.warning('Thread-specific breakpoints are not supported, ignoring thread')
# TODO line <-> addr
bkptno = len(self._breakpoints)
hook = self.uc.hook_add(unicorn.UC_HOOK_CODE, self._breakpoint_hook, begin=line,
end=line, user_data=bkptno)
self._breakpoints.append(UnicornBreakpoint(hooks=[hook], temporary=temporary,
ignore_count=ignore_count))
return bkptno
logger.info("=> 0x%08x - %s" % (module.base, module.filename))
# Debug
# emulator.mu.hook_add(UC_HOOK_CODE, debug_utils.hook_code)
# emulator.mu.hook_add(UC_HOOK_MEM_UNMAPPED, debug_utils.hook_unmapped)
# emulator.mu.hook_add(UC_HOOK_MEM_WRITE, debug_utils.hook_mem_write)
# emulator.mu.hook_add(UC_HOOK_MEM_READ, debug_utils.hook_mem_read)
try:
# Run JNI_OnLoad.
# JNI_OnLoad will call 'RegisterNatives'.
emulator.call_symbol(lib_module, 'JNI_OnLoad', emulator.java_vm.address_ptr, 0x00)
emulator.mu.hook_add(UC_HOOK_MEM_UNMAPPED, debug_utils.hook_unmapped)
# Do native stuff.
emulator.mu.hook_add(UC_HOOK_CODE, debug_utils.hook_code)
main_activity = MainActivity()
logger.info("Response from JNI call: %s" % main_activity.string_from_jni(emulator))
# Dump natives found.
logger.info("Exited EMU.")
logger.info("Native methods registered to MainActivity:")
for method in MainActivity.jvm_methods.values():
if method.native:
logger.info("- [0x%08x] %s - %s" % (method.native_addr, method.name, method.signature))
except UcError as e:
print("Exit at %x" % emulator.mu.reg_read(UC_ARM_REG_PC))
raise('0x%x' % self.cli.context_manager.get_context_offset())
self.session_file = self.session_fp + '.html'
with open(self.session_file, 'w') as f:
f.write('<br>')
self.map_region_by_addr(self.cli.context_manager.get_context_offset())
for reg in self.cli.context_manager.get_context():
try:
__reg = getattr(self.cli.context_manager.get_arch().get_unicorn_constants(),
'UC_ARM_REG_%s' % reg.upper())
self.uc.reg_write(__reg, int(self.cli.context_manager.get_context()[reg]['value'], 16))
except:
pass
self.uc.hook_add(unicorn.UC_HOOK_CODE, self.hook_instr)
self.uc.hook_add(unicorn.UC_HOOK_MEM_WRITE | unicorn.UC_HOOK_MEM_READ, self.hook_mem_access)
self.uc.hook_add(unicorn.UC_HOOK_MEM_READ_UNMAPPED | unicorn.UC_HOOK_MEM_WRITE_UNMAPPED |
unicorn.UC_HOOK_MEM_FETCH_UNMAPPED, self.hook_mem_unmapped)
self.instr_count = 0
self.mem_access_count = 0
log('starting emulation at %s' % Color.colorify(
'0x%x' % self.cli.context_manager.get_context_offset(), 'red highlight'))
if self.uc_impl is not None:
try:
req_offs = self.uc_impl.required_offsets(self.uc, self.cli.context_manager.get_base())
self.loading_required_maps = True
for o in req_offs:
self._ensure_mapped(o)
self.loading_required_maps = Falsedef add_code_hook(self, callback_fn):
"""Store user-specified callback function for the instruction tracing."""
self.__hooks[uc.UC_HOOK_CODE] = callback_fn
Popular unicorn functions
- unicorn.arm64_const
- unicorn.arm_const
- unicorn.mips_const
- unicorn.Uc
- unicorn.Uc.hook_del
- unicorn.Uc.mem_unmap
- unicorn.UC_ARCH_ARM
- unicorn.UC_ARCH_ARM64
- unicorn.UC_ARCH_MIPS
- unicorn.UC_ARCH_X86
- unicorn.UC_HOOK_CODE
- unicorn.UC_MODE_32
- unicorn.UC_MODE_64
- unicorn.UC_MODE_ARM
- unicorn.UC_MODE_LITTLE_ENDIAN
- unicorn.UC_MODE_THUMB
- unicorn.UcError
- unicorn.x86_const
- unicorn.x86_const.UC_X86_REG_RDI
- unicorn.x86_const.UC_X86_REG_RIP