How to use the unicorn.UC_HOOK_CODE function in unicorn

To help you get started, we’ve selected a few unicorn examples, based on popular ways it is used in public projects.

Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.

github AeonLucid / AndroidNativeEmu / samples / example.py View on Github external
# Show loaded modules.
logger.info("Loaded modules:")

for module in emulator.modules:
    logger.info("[0x%x] %s" % (module.base, module.filename))


# Add debugging.
def hook_code(mu, address, size, user_data):
    instruction = mu.mem_read(address, size)
    instruction_str = ''.join('{:02x} '.format(x) for x in instruction)

    print('# Tracing instruction at 0x%x, instruction size = 0x%x, instruction = %s' % (address, size, instruction_str))


emulator.mu.hook_add(UC_HOOK_CODE, hook_code)

# Runs a method of "libnative-lib.so" that calls an imported function "strlen" from "libc.so".
emulator.call_symbol(lib_module, '_Z4testv')

print("String length is: %i" % emulator.mu.reg_read(UC_ARM_REG_R0))
github pwndbg / pwndbg / pwndbg / emu / emulator.py View on Github external
def emulate_with_hook(self, hook, count=512):
        ident = self.hook_add(U.UC_HOOK_CODE, hook)
        try:
            self.emu_start(self.pc, 0, count=count)
        finally:
            self.hook_del(ident)
github hugsy / cemu / cemu / emulator.py View on Github external
def create_new_vm(self) -> None:
        """
        Create a new VM, and sets up the hooks
        """
        arch, mode, endian = get_arch_mode("unicorn", self.root.arch)
        self.vm = unicorn.Uc(arch, mode | endian)
        self.vm.hook_add(unicorn.UC_HOOK_BLOCK, self.hook_block)
        self.vm.hook_add(unicorn.UC_HOOK_CODE, self.hook_code)
        self.vm.hook_add(unicorn.UC_HOOK_INTR, self.hook_interrupt)
        self.vm.hook_add(unicorn.UC_HOOK_MEM_WRITE, self.hook_mem_access)
        self.vm.hook_add(unicorn.UC_HOOK_MEM_READ, self.hook_mem_access)
        if is_x86(self.root.arch):
            self.vm.hook_add(unicorn.UC_HOOK_INSN, self.hook_syscall, None, 1, 0, unicorn.x86_const.UC_X86_INS_SYSCALL)
        return
github r00tus3r / r00tEmu / emulate.py View on Github external
if sec.sh_addr.value == 0x0:
            continue
        data = elf.readDataAtOffset(sec.sh_offset.value, sec.sh_size.value)
        mu.mem_write(sec.sh_addr.value, data)'''

    logger.info("Initializing registers")
    init_reg(mu)

    utils.dump_at_addr(mu, 0x400ce0, 0x100, logger)

    start = int(raw_input("Start emulation at address:"), 16)
    end = int(raw_input("End emulation at address:"), 16)

    #mu.hook_add(unicorn.UC_HOOK_CODE, hook_code, None, elf.elfHdr.e_entry.value,
    #            elf.elfHdr.e_entry.value + 40)
    mu.hook_add(unicorn.UC_HOOK_CODE, hook_code, None, start, end)

    logger.info("Emulating")
    #mu.emu_start(elf.elfHdr.e_entry.value, elf.elfHdr.e_entry.value + 40)
    mu.emu_start(start, end)

    logger.info("Dump of registers can be found at ./dump_regs")
    logger.info("Dump of memory mappings can be found at ./dump_mappings")
    logger.info("Finished")
github alanvivona / pwnshop / src / 0x19-crackme-darkflow-3 / emu.py View on Github external
emu.mem_map(0x7ffff7ffd000, 0x1000, 0o3)
    emu.mem_write(0x7ffff7ffd000, open('./emu_files/gef-crack3-by-D4RK_FL0W-0x7ffff7ffd000.raw', 'rb').read())

    # Mapping : 0x7ffff7ffe000-0x7ffff7fff000
    emu.mem_map(0x7ffff7ffe000, 0x1000, 0o3)
    emu.mem_write(0x7ffff7ffe000, open('./emu_files/gef-crack3-by-D4RK_FL0W-0x7ffff7ffe000.raw', 'rb').read())

    # Mapping [stack]: 0x7ffffffde000-0x7ffffffff000
    emu.mem_map(0x7ffffffde000, 0x21000, 0o3)
    emu.mem_write(0x7ffffffde000, open('./emu_files/gef-crack3-by-D4RK_FL0W-0x7ffffffde000.raw', 'rb').read())

    # Mapping [vsyscall]: 0xffffffffff600000-0xffffffffff601000
    emu.mem_map(0xffffffffff600000, 0x1000, 0o5)
    emu.mem_write(0xffffffffff600000, open('./emu_files/gef-crack3-by-D4RK_FL0W-0xffffffffff600000.raw', 'rb').read())

    emu.hook_add(unicorn.UC_HOOK_CODE, code_hook)
    emu.hook_add(unicorn.UC_HOOK_INTR, intr_hook)
    emu.hook_add(unicorn.UC_HOOK_INSN, syscall_hook, None, 1, 0, unicorn.x86_const.UC_X86_INS_SYSCALL)
    return emu
github Ledger-Donjon / rainbow / rainbow / rainbow.py View on Github external
def setup(self, sca_mode):
        """ Sets up a stack and adds base hooks to the engine """
        ## Add a stack
        self.map_space(*self.STACK)

        ## Add hooks
        self.mem_unmapped_hook = self.emu.hook_add(uc.UC_HOOK_MEM_UNMAPPED, self.unmapped_hook)
        self.block_hook = self.emu.hook_add(uc.UC_HOOK_BLOCK, self.block_handler)
        if sca_mode:
            self.ct_hook = self.emu.hook_add(uc.UC_HOOK_CODE, self.sca_code_trace)
            self.tm_hook = self.emu.hook_add(
                uc.UC_HOOK_MEM_READ | uc.UC_HOOK_MEM_WRITE, self.sca_trace_mem
            )
        else:
            self.code_hook = self.emu.hook_add(uc.UC_HOOK_CODE, self.code_trace)
            self.mem_access_hook = self.emu.hook_add( uc.UC_HOOK_MEM_READ | uc.UC_HOOK_MEM_WRITE, self.trace_mem)
github avatartwo / avatar2 / avatar2 / protocols / unicorn_protocol.py View on Github external
:param condition:    not supported
        :param ignore_count: amount of times the breakpoint should be ignored before firing
        :param thread:       not supported
        :return: breakpoint number
        """
        if not hardware:
            self.log.warning('Software breakpoints are not supported, falling back to hardware')
        if regex:
            self.log.warning('Regex breakpoints are not supported, ignoring regex')
        if condition is not None:
            self.log.warning('Conditional breakpoints are not supported, ignoring condition')
        if thread:
            self.log.warning('Thread-specific breakpoints are not supported, ignoring thread')
        # TODO line <-> addr
        bkptno = len(self._breakpoints)
        hook = self.uc.hook_add(unicorn.UC_HOOK_CODE, self._breakpoint_hook, begin=line,
                                end=line, user_data=bkptno)
        self._breakpoints.append(UnicornBreakpoint(hooks=[hook], temporary=temporary,
                                                   ignore_count=ignore_count))
        return bkptno
github AeonLucid / AndroidNativeEmu / samples / example_jni.py View on Github external
logger.info("=> 0x%08x - %s" % (module.base, module.filename))

# Debug
# emulator.mu.hook_add(UC_HOOK_CODE, debug_utils.hook_code)
# emulator.mu.hook_add(UC_HOOK_MEM_UNMAPPED, debug_utils.hook_unmapped)
# emulator.mu.hook_add(UC_HOOK_MEM_WRITE, debug_utils.hook_mem_write)
# emulator.mu.hook_add(UC_HOOK_MEM_READ, debug_utils.hook_mem_read)

try:
    # Run JNI_OnLoad.
    #   JNI_OnLoad will call 'RegisterNatives'.
    emulator.call_symbol(lib_module, 'JNI_OnLoad', emulator.java_vm.address_ptr, 0x00)
    emulator.mu.hook_add(UC_HOOK_MEM_UNMAPPED, debug_utils.hook_unmapped)

    # Do native stuff.
    emulator.mu.hook_add(UC_HOOK_CODE, debug_utils.hook_code)
    main_activity = MainActivity()
    logger.info("Response from JNI call: %s" % main_activity.string_from_jni(emulator))

    # Dump natives found.
    logger.info("Exited EMU.")
    logger.info("Native methods registered to MainActivity:")

    for method in MainActivity.jvm_methods.values():
        if method.native:
            logger.info("- [0x%08x] %s - %s" % (method.native_addr, method.name, method.signature))
except UcError as e:
    print("Exit at %x" % emulator.mu.reg_read(UC_ARM_REG_PC))
    raise
github iGio90 / frick / main.py View on Github external
('0x%x' % self.cli.context_manager.get_context_offset())
            self.session_file = self.session_fp + '.html'
            with open(self.session_file, 'w') as f:
                f.write('<br>')

        self.map_region_by_addr(self.cli.context_manager.get_context_offset())

        for reg in self.cli.context_manager.get_context():
            try:
                __reg = getattr(self.cli.context_manager.get_arch().get_unicorn_constants(),
                                'UC_ARM_REG_%s' % reg.upper())
                self.uc.reg_write(__reg, int(self.cli.context_manager.get_context()[reg]['value'], 16))
            except:
                pass

        self.uc.hook_add(unicorn.UC_HOOK_CODE, self.hook_instr)
        self.uc.hook_add(unicorn.UC_HOOK_MEM_WRITE | unicorn.UC_HOOK_MEM_READ, self.hook_mem_access)
        self.uc.hook_add(unicorn.UC_HOOK_MEM_READ_UNMAPPED | unicorn.UC_HOOK_MEM_WRITE_UNMAPPED |
                         unicorn.UC_HOOK_MEM_FETCH_UNMAPPED, self.hook_mem_unmapped)

        self.instr_count = 0
        self.mem_access_count = 0
        log('starting emulation at %s' % Color.colorify(
            '0x%x' % self.cli.context_manager.get_context_offset(), 'red highlight'))

        if self.uc_impl is not None:
            try:
                req_offs = self.uc_impl.required_offsets(self.uc, self.cli.context_manager.get_base())
                self.loading_required_maps = True
                for o in req_offs:
                    self._ensure_mapped(o)
                self.loading_required_maps = False
github smuniz / pimp_my_ride / pimp_my_ride.py View on Github external
def add_code_hook(self, callback_fn):
        """Store user-specified callback function for the instruction tracing."""
        self.__hooks[uc.UC_HOOK_CODE] = callback_fn