9f578946d5
* Fix Python regression test suite (partial) * Fix Python regression test suite * Add a test for mapping at high addresses * Add ctl tests
89 lines
3.6 KiB
Python
Executable File
89 lines
3.6 KiB
Python
Executable File
#!/usr/bin/python
|
|
|
|
import binascii
|
|
import regress
|
|
|
|
from unicorn import *
|
|
from unicorn.x86_const import *
|
|
|
|
|
|
# callback for tracing instructions
|
|
def hook_code(uc, address, size, user_data):
|
|
# invalid instruction?
|
|
if size == 0xf1f1f1f1:
|
|
return
|
|
|
|
regress.logger.debug("[%#x] = %s" , address, binascii.hexlify(uc.mem_read(address, size)))
|
|
|
|
|
|
# callback for tracing Linux interrupt
|
|
def hook_intr(uc, intno, user_data):
|
|
# only handle Linux syscall
|
|
rip = uc.reg_read(UC_X86_REG_RIP)
|
|
|
|
regress.logger.debug("[%#x]: got interrupt %#x", rip, intno)
|
|
regress.logger.debug(" EAX = %#010x", uc.reg_read(UC_X86_REG_EAX))
|
|
regress.logger.debug(" EBX = %#010x", uc.reg_read(UC_X86_REG_EBX))
|
|
regress.logger.debug(" ECX = %#010x", uc.reg_read(UC_X86_REG_ECX))
|
|
regress.logger.debug(" EDX = %#010x", uc.reg_read(UC_X86_REG_EDX))
|
|
|
|
uc.emu_stop()
|
|
|
|
|
|
class Hang(regress.RegressTest):
|
|
def runTest(self):
|
|
# self modifying shellcode execve('/bin/sh')
|
|
shellcode = (
|
|
b'\xeb\x1c' # 00: jmp 0x1e
|
|
b'\x5a' # 02: pop rdx
|
|
b'\x89\xd6' # 03: mov esi, edx
|
|
b'\x8b\x02' # 05: mov eax, [rdx]
|
|
b'\x66\x3d\xca\x7d' # 07: cmp ax, 0x7dca
|
|
b'\x75\x06' # 0b: jne 0x13
|
|
b'\x66\x05\x03\x03' # 0d: add ax,0x303
|
|
b'\x89\x02' # 11: mov [rdx], eax
|
|
b'\xfe\xc2' # 13: inc dl
|
|
b'\x3d\x41\x41\x41\x41' # 15: cmp eax, 0x41414141
|
|
b'\x75\xe9' # 1a: jne 0x5
|
|
b'\xff\xe6' # 1c: jmp rsi
|
|
b'\xe8\xdf\xff\xff\xff' # 1e: call 0x2
|
|
b'\x31\xd2' # 23: xor edx, edx
|
|
b'\x6a\x0b' # 25: push 0xb
|
|
b'\x58' # 27: pop rax
|
|
b'\x99' # 28: cdq
|
|
b'\x52' # 29: push rdx
|
|
b'\x68\x2f\x2f\x73\x68' # 2a: push 0x68732f2f
|
|
b'\x68\x2f\x62\x69\x6e' # 2f: push 0x6e69622f
|
|
b'\x89\xe3' # 34: mov ebx, esp
|
|
b'\x52' # 36: push rdx
|
|
b'\x53' # 37: push rbx
|
|
b'\x89\xe1' # 38: mov ecx, esp
|
|
b'\xca\x7d\x41\x41\x41\x41\x41\x41\x41\x41' # 3a: .db ca 7d 41 41 41 41 41 41 41 41
|
|
)
|
|
|
|
address = 0x00000000
|
|
|
|
mu = Uc(UC_ARCH_X86, UC_MODE_64)
|
|
|
|
mu.mem_map(address, 0x1000)
|
|
|
|
# tracing all instructions with customized callback
|
|
mu.hook_add(UC_HOOK_CODE, hook_code)
|
|
|
|
# handle interrupt ourself
|
|
mu.hook_add(UC_HOOK_INTR, hook_intr)
|
|
|
|
# setup stack
|
|
mu.reg_write(UC_X86_REG_RSP, 0x1000 - 8)
|
|
|
|
# write machine code to be emulated to memory
|
|
mu.mem_write(address, shellcode)
|
|
|
|
regress.logger.debug('Starting emulation')
|
|
|
|
mu.emu_start(address, address + len(shellcode))
|
|
|
|
|
|
if __name__ == '__main__':
|
|
regress.main()
|