  1. from __future__ import print_function
  2. from keystone import *
  3. from unicorn import *
  4. from unicorn.x86_const import *
  5. from capstone import *
# Separate assembly instructions by ';' (newlines also work, as in CODE below).
# Base address the assembled bytes are mapped and written to (unicornInit);
# hook_code subtracts it to index into the assembled buffer.
CODEADDRESS = 0x08048000
# Base of the stack mapping made in unicornInit.
STACKADDRESS= 0x7FFc0000
# Assembly source handed to ks.asm(). The `int3` raises interrupt 3, which
# hook_int reports as a breakpoint; `syscall` fires hook_syscall. The loop
# runs ECX down from 2 to 0 (DEC + TEST + JNE).
CODE = b'''
mov eax,0
mov ebx,1

mov ecx,2
mov edx,3
loop:
DEC ECX
TEST ECX,ECX
int3
jne loop
mov eax,0
syscall
'''
# Interrupt hook: when interrupt number 3 (int3) fires, report EIP and ECX
# as a breakpoint; every other interrupt number is ignored.
def hook_int(mu, intno, user_data):
    if intno != 0x3:
        return
    eip = mu.reg_read(UC_X86_REG_EIP)
    ecx = mu.reg_read(UC_X86_REG_ECX)
    print(">>> ECX = 0x%x" % ecx)
    print(">>> Breakpoint hit at 0x%x " % eip)
  31.  
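# Code hook: runs before every emulated instruction, prints its raw bytes and
# its disassembly.
def hook_code(uc, address, size, user_data):
    # Slice the instruction's bytes out of the assembled buffer (the same
    # bytes that were written to CODEADDRESS). uc.mem_read(address, size)
    # would show emulated memory instead, which only differs if the guest
    # modifies its own code.
    offset = address - CODEADDRESS
    tmp = X86_CODE32[offset:offset + size]
    print(repr(tmp))
    # Disassemble just these `size` bytes at their runtime address. The
    # original discarded this result and instead re-disassembled the whole
    # buffer on every instruction to find the matching address.
    for insn in cs.disasm(tmp, address):
        print("0x%x:\t%s\t%s" % (insn.address, insn.mnemonic, insn.op_str))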
  44.  
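# Instruction hook registered for SYSCALL: report the syscall number in EAX.
def hook_syscall(uc, user_data):
    # Read from the engine Unicorn passes in, not the module-level `mu`;
    # the original reached for the global, which breaks if the hook is
    # attached to any other Uc instance or fires before `mu` is assigned.
    r_eax = uc.reg_read(UC_X86_REG_EAX)
    print("Syscall with eax=0x%x" % r_eax)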
  49.  
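def unicornInit():
    """Create a 32-bit x86 Unicorn instance with code, stack and hooks set up.

    Returns the configured Uc; the caller starts emulation with emu_start.
    Reads the module-level CODEADDRESS, STACKADDRESS and X86_CODE32.
    """
    mu = Uc(UC_ARCH_X86, UC_MODE_32)
    # Map 2 MB for the code at CODEADDRESS (Unicorn's default protection is
    # RWX; this sample is not self-modifying, so a tighter READ|EXEC mapping
    # would also work).
    mu.mem_map(CODEADDRESS, 2 * 1024 * 1024)
    # Map a 3-page stack. ESP/EBP must start inside this range: the original
    # set them to 0x7FFd0000, which lies beyond the mapped
    # 0x7FFc0000-0x7FFc3000 region, so the first push/call would fault with
    # an unmapped-write error.
    stack_size = 0x1000 * 3
    mu.mem_map(STACKADDRESS, stack_size)
    stack_top = STACKADDRESS + stack_size
    # Write the assembled machine code into the code mapping.
    mu.mem_write(CODEADDRESS, X86_CODE32)

    # Initial register state (ECX/EDX are overwritten by CODE's own movs).
    mu.reg_write(UC_X86_REG_ECX, 0x1234)
    mu.reg_write(UC_X86_REG_EDX, 0x7890)
    mu.reg_write(UC_X86_REG_ESP, stack_top)
    mu.reg_write(UC_X86_REG_EBP, stack_top)

    mu.hook_add(UC_HOOK_INTR, hook_int)  # interrupts (int3 breakpoint)
    mu.hook_add(UC_HOOK_CODE, hook_code)  # every instruction
    # begin=1, end=0 (begin > end) makes the hook apply to the whole range.
    mu.hook_add(UC_HOOK_INSN, hook_syscall, None, 1, 0, UC_X86_INS_SYSCALL)
    return mu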
def capstoneInit():
    """Return a Capstone disassembler configured for 32-bit x86."""
    return Cs(CS_ARCH_X86, CS_MODE_32)
  72.  
  73.  
def keystoneInit():
    """Return a Keystone assembler configured for 32-bit x86."""
    return Ks(KS_ARCH_X86, KS_MODE_32)
  77.  
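def listToByteString(a):
    """Pack an iterable of byte values (0-255) into a bytes object.

    Keystone's ``asm`` returns the encoding as a list of ints while
    Unicorn's ``mem_write`` wants bytes. ``bytes(bytearray(a))`` works on
    both Python 2 (where it yields ``str``) and Python 3; the original
    ``s += chr(i)`` onto ``b""`` raises TypeError on Python 3.

    Raises ValueError if any element is outside 0-255 and TypeError if
    ``a`` is not an iterable of ints (e.g. None).
    """
    return bytes(bytearray(a))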
  83.  
  84.  
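cs = capstoneInit()

# Assemble CODE with Keystone (x86, 32-bit). Exit on failure: the original
# fell through, leaving `encoding` unbound, so a bad listing surfaced as a
# NameError further down instead of the KsError message.
try:
    ks = keystoneInit()
    encoding, count = ks.asm(CODE)
    print("%s = %s (number of statements: %u)" % (CODE, encoding, count))
except KsError as e:
    print("ERROR: %s" % e)
    raise SystemExit(1)
if not encoding:
    # Nothing assembled (empty listing); there is nothing to emulate.
    print("ERROR: assembly produced no code")
    raise SystemExit(1)

X86_CODE32 = listToByteString(encoding)
print("Emulate i386 code")

# Run the assembled bytes under Unicorn from the first to the last byte of
# the buffer. The hooks registered in unicornInit print the per-instruction
# trace, the int3 breakpoint and the syscall.
try:
    mu = unicornInit()
    mu.emu_start(CODEADDRESS, CODEADDRESS + len(X86_CODE32))

    print("Emulation done. Below is the CPU context")
    for name, reg in (("EAX", UC_X86_REG_EAX), ("EBX", UC_X86_REG_EBX),
                      ("ECX", UC_X86_REG_ECX), ("EDX", UC_X86_REG_EDX)):
        print(">>> %s = 0x%x" % (name, mu.reg_read(reg)))
except UcError as e:
    print("ERROR: %s" % e)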