lazymio/unicorn
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ae5b17edaa0b23693845f64e8fc3bfe185328c69
unicorn/bindings/rust/src/tests/ctl.rs
mio bd5a8c5146 Squashed commit of the following: 
commit 520c6647c32f02d83083d969d416154aa95e922c
Merge: 6bb29b12 b999f507
Author: mio <mio@lazym.io>
Date:   Sun Apr 13 00:14:23 2025 +0800

    merge dev

commit 6bb29b12f1d9f452365cc9cb5bc2d65ef376af30
Author: mio <mio@lazym.io>
Date:   Sun Apr 13 00:13:12 2025 +0800

    enable test

commit bcb8b363ef12ac295cf4fe4f1645416e5f0ea6ae
Author: mio <mio@lazym.io>
Date:   Sun Apr 13 00:13:06 2025 +0800

    also logging

commit 5972fc156b7379d09582c745d6d597e07555f2f4
Author: mio <mio@lazym.io>
Date:   Sun Apr 13 00:12:58 2025 +0800

    no unlimited translation

commit 7d600feebf9055505918e50d0af8b529a3eba542
Author: mio <mio@lazym.io>
Date:   Sun Apr 13 00:12:47 2025 +0800

    Ignore bindings.rs

commit dde4d50f2c7713156ac3bc284287480e4d92005f
Author: Amaan Qureshi <amaanq12@gmail.com>
Date:   Sun Apr 6 03:26:22 2025 -0400

    alias `uc_mips_reg` to `UC_MIPS_REG`

commit 04234ae01ba7c82d9717eaae64cdda289ce3b832
Author: Amaan Qureshi <amaanq12@gmail.com>
Date:   Sun Apr 6 01:13:00 2025 -0400

    remove bindings.rs

commit edec1300cd7c2d8ef4babbd51f6bcba2e126bdd7
Author: Amaan Qureshi <amaanq12@gmail.com>
Date:   Sat Apr 5 14:29:40 2025 -0400

    address review

commit feb157b28b6c262c5dc3d810ec54de55a25bcd6e
Author: Amaan Qureshi <amaanq12@gmail.com>
Date:   Sat Mar 29 22:40:53 2025 -0400

    ci(rust): rework workflow

    The notable changes are migrating to
    `actions-rust-lang/setup-rust-toolchain` for setting up Rust as it's
    maintained, and using `katyo/publish-crates` for publishing crates in a
    workspace

commit c1c7a8f8ed841b6ec5b4abe57013a1c2c9748c60
Author: Amaan Qureshi <amaanq12@gmail.com>
Date:   Sat Mar 29 22:40:06 2025 -0400

    build(rust): set `rust-version` to 1.85

commit 8df938c9f8b478160213707674157103b0893caf
Author: Amaan Qureshi <amaanq12@gmail.com>
Date:   Sat Mar 29 21:53:21 2025 -0400

    fix(rust): correct unsound pointer cast

    The size of `T` is not guaranteed to be the size of `i32` - all we know
    is that `T` is `Into<i32>`, so we should first copy them over into an
    `i32` array

commit 3059b2583a60aa0cac9278afc945ed87f7ddb65e
Author: Amaan Qureshi <amaanq12@gmail.com>
Date:   Sat Mar 29 20:13:26 2025 -0400

    docs(rust): update readme

commit 7db69a888e58a4bda20083e4e0771d26a327ad13
Author: Amaan Qureshi <amaanq12@gmail.com>
Date:   Sat Mar 29 13:58:30 2025 -0400

    feat(rust): add comprehensive tests

    These tests are copied over from the C tests

commit 78f2207f0e0481aef4de6d5908f8dc699a39a8d5
Author: Amaan Qureshi <amaanq12@gmail.com>
Date:   Sat Mar 29 13:57:27 2025 -0400

    feat(rust): add tcg hook

commit 46e53328531ec3279dadbf18c16b493432227b31
Author: Amaan Qureshi <amaanq12@gmail.com>
Date:   Sat Mar 29 13:56:55 2025 -0400

    feat(rust): add a hook for arm64 sys instructions

commit d1b58ee8282bf1eeeefbf68c87c2cf7c50c90320
Author: Amaan Qureshi <amaanq12@gmail.com>
Date:   Sat Mar 29 13:56:35 2025 -0400

    feat(rust): add the ability to read the arm coprocessor register

commit d304da18b9e6741042b2a70657437be8f39f5c7c
Author: Amaan Qureshi <amaanq12@gmail.com>
Date:   Sat Mar 29 13:55:29 2025 -0400

    feat(rust): add missing `Context` methods

commit 0dd87833081ac9db1feaf5bae8c839a7a2ae4947
Author: Amaan Qureshi <amaanq12@gmail.com>
Date:   Sat Mar 29 13:44:51 2025 -0400

    refactor(rust): remove unnecessary code

    `unicorn-engine-sys` will provide the necessary constants & types

commit da3d2fa7c3ecd3ae8fdb6672b6c5ea23da4570ff
Author: Amaan Qureshi <amaanq12@gmail.com>
Date:   Sat Mar 29 13:43:57 2025 -0400

    feat(rust): add a workspace `Cargo.toml`, and use `unicorn-engine-sys`

commit b27a2a93e4ac43aa2079e936df4dd30a1f8f329a
Author: Amaan Qureshi <amaanq12@gmail.com>
Date:   Sat Mar 29 13:38:06 2025 -0400

    feat(rust): introduce `unicorn-engine-sys` crate

    This crate contains generated Rust bindings to the C library via
    bindgen. It is independent from the main `unicorn-engine` bindings,
    which will leverage this

commit bcec87a3f6e316e328683c303ccfa89e530a6c56
Author: Amaan Qureshi <amaanq12@gmail.com>
Date:   Sat Mar 29 13:31:24 2025 -0400

    test(m68k): actually assert an expectation

    This test did not actually test for anything before

commit bc7e65ca96164496eb2e250b1f296a33a8aa58ee
Author: Amaan Qureshi <amaanq12@gmail.com>
Date:   Sat Mar 29 13:31:09 2025 -0400

    style(test): use bitflag shorthands

commit 0ab4b7fefb3ca17b0b5977d7b204291c5de184ad
Author: Amaan Qureshi <amaanq12@gmail.com>
Date:   Sat Mar 29 13:22:13 2025 -0400

    fix(mips): lowercase enum name `uc_mips_reg`

    This aligns with other architectures

Co-authored-by: Amaan Qureshi <amaanq12@gmail.com>
2025-04-13 00:17:55 +08:00

282 lines
8.6 KiB
Rust
Raw Blame History

use std::time::{Duration, Instant};
use unicorn_engine_sys::{RegisterX86, X86Insn};
use super::*;
use crate::Unicorn;
#[test]
fn test_uc_ctl_mode() {
let uc = Unicorn::new(Arch::X86, Mode::MODE_32).unwrap();
let mode = uc.ctl_get_mode().unwrap();
assert_eq!(mode, Mode::MODE_32);
}
#[test]
fn test_uc_ctl_arch() {
let uc = Unicorn::new(Arch::X86, Mode::MODE_32).unwrap();
let arch = uc.ctl_get_arch().unwrap();
assert_eq!(arch, Arch::X86);
}
#[test]
fn test_uc_ctl_page_size() {
let uc = Unicorn::new(Arch::X86, Mode::MODE_32).unwrap();
let page_size = uc.ctl_get_page_size().unwrap();
assert_eq!(page_size, 4096);
}
#[test]
fn test_uc_ctl_timeout() {
let uc = Unicorn::new(Arch::X86, Mode::MODE_32).unwrap();
let timeout = uc.ctl_get_timeout().unwrap();
assert_eq!(timeout, 0);
}
#[test]
fn test_uc_ctl_exits() {
// cmp eax, 0;
// jg lb;
// inc eax;
// nop; <---- exit1
// lb:
// inc ebx;
// nop; <---- exit2
let code = b"\x83\xf8\x00\x7f\x02\x40\x90\x43\x90";
let eax = 0;
let ebx = 0;
let exits = [CODE_START + 6, CODE_START + 8];
let mut uc = Unicorn::new(Arch::X86, Mode::MODE_32).unwrap();
uc.mem_map(CODE_START, CODE_LEN, Prot::ALL).unwrap();
uc.mem_write(CODE_START, code).unwrap();
uc.ctl_exits_enable().unwrap();
uc.ctl_set_exits(&exits).unwrap();
uc.reg_write(RegisterX86::EAX, eax).unwrap();
uc.reg_write(RegisterX86::EBX, ebx).unwrap();
// Run twice.
uc.emu_start(CODE_START, 0, 0, 0).unwrap();
uc.emu_start(CODE_START, 0, 0, 0).unwrap();
let eax = uc.reg_read(RegisterX86::EAX).unwrap();
let ebx = uc.reg_read(RegisterX86::EBX).unwrap();
assert_eq!(eax, 1);
assert_eq!(ebx, 1);
}
#[test]
fn test_uc_ctl_tb_cache() {
fn time_emulation(uc: &mut Unicorn<'_, ()>, start: u64, end: u64) -> Duration {
let now = Instant::now();
uc.emu_start(start, end, 0, 0).unwrap();
now.elapsed()
}
const TB_COUNT: usize = 8;
const TCG_MAX_INSNS: usize = 512;
const CODE_LEN: usize = TB_COUNT * TCG_MAX_INSNS;
let code = [0x90; CODE_LEN]; // nop
let mut uc = Unicorn::new(Arch::X86, Mode::MODE_32).unwrap();
uc.mem_map(CODE_START, CODE_LEN, Prot::ALL).unwrap();
uc.mem_write(CODE_START, &code).unwrap();
let standard = time_emulation(&mut uc, CODE_START, CODE_START + code.len() as u64);
for i in 0..TB_COUNT {
uc.ctl_request_cache(CODE_START + (i * TCG_MAX_INSNS) as u64, None)
.unwrap();
}
let cached = time_emulation(&mut uc, CODE_START, CODE_START + code.len() as u64);
for i in 0..TB_COUNT {
let start = CODE_START + (i * TCG_MAX_INSNS) as u64;
uc.ctl_remove_cache(start, start + 1).unwrap();
}
let evicted = time_emulation(&mut uc, CODE_START, CODE_START + code.len() as u64);
assert!(cached < standard);
assert!(evicted > cached);
}
#[cfg(feature = "arch_arm")]
#[test]
fn test_uc_ctl_change_page_size() {
let mut uc = Unicorn::new(Arch::ARM, Mode::ARM).unwrap();
let mut uc2 = Unicorn::new(Arch::ARM, Mode::ARM).unwrap();
uc2.ctl_set_page_size(4096).unwrap();
let page_size = uc2.ctl_get_page_size().unwrap();
assert_eq!(page_size, 4096);
// Mapping at 0x400 (1024) should succeed for the first Unicorn instance,
// but fail for the second instance since the page size is different.
// (Note: ARM's default page size is 1024)
assert!(uc.mem_map(1 << 10, 1 << 10, Prot::ALL).is_ok());
assert!(uc2.mem_map(1 << 10, 1 << 10, Prot::ALL).is_err());
}
#[cfg(feature = "arch_arm")]
#[test]
fn test_uc_ctl_arm_cpu() {
use unicorn_engine_sys::ArmCpuModel;
let mut uc = Unicorn::new(Arch::ARM, Mode::THUMB).unwrap();
uc.ctl_set_cpu_model(ArmCpuModel::CORTEX_M7 as i32).unwrap();
}
#[cfg(feature = "arch_arm")]
#[test]
fn test_uc_ctl_change_page_size_arm64() {
let mut uc = Unicorn::new(Arch::ARM64, Mode::ARM).unwrap();
let mut uc2 = Unicorn::new(Arch::ARM64, Mode::ARM).unwrap();
uc2.ctl_set_page_size(16384).unwrap();
let page_size = uc2.ctl_get_page_size().unwrap();
assert_eq!(page_size, 16384);
// Mapping at 0x400 (1024) should succeed for the first Unicorn instance,
// but fail for the second instance since the page size is different.
// (Note: ARM64's default page size is 1024)
assert!(uc.mem_map(1 << 10, 1 << 10, Prot::ALL).is_ok());
assert!(uc2.mem_map(1 << 10, 1 << 10, Prot::ALL).is_err());
}
#[test]
fn test_uc_hook_cached_uaf() {
let code = b"\x41\x4a\xeb\x00\x90";
let mut uc = Unicorn::new_with_data(Arch::X86, Mode::MODE_32, 0u64).unwrap();
uc.mem_map(CODE_START, CODE_LEN, Prot::ALL).unwrap();
uc.mem_write(CODE_START, code).unwrap();
let hook = uc
.add_code_hook(CODE_START, CODE_START + code.len() as u64, |uc, _, _| {
*uc.get_data_mut() += 1;
})
.unwrap();
uc.emu_start(CODE_START, CODE_START + code.len() as u64, 0, 0)
.unwrap();
// Move the hook to the deleted hooks list.
uc.remove_hook(hook).unwrap();
// This will clear deleted hooks and SHOULD clear cache.
uc.emu_start(CODE_START, CODE_START + code.len() as u64, 0, 0)
.unwrap();
// Now hooks are deleted and thus this _should not_ call
// test_uc_hook_cached_cb anymore. If the hook is allocated like from
// malloc, and the code region is free-ed, this call _shall not_ call the
// hook anymore to avoid UAF.
uc.emu_start(CODE_START, CODE_START + code.len() as u64, 0, 0)
.unwrap();
// Only 4 calls
assert_eq!(*uc.get_data(), 4);
}
#[test]
fn test_uc_emu_stop_set_ip() {
#[rustfmt::skip]
let code = &[
0x48, 0x31, 0xc0, // 0x0 xor rax, rax : rax = 0
0x90, // 0x3 nop :
0x48, 0xff, 0xc0, // 0x4 inc rax : rax++
0x90, // 0x7 nop : <-- going to stop here
0x48, 0xff, 0xc0, // 0x8 inc rax : rax++
0x90, // 0xb nop :
0x0f, 0x0b, // 0xc ud2 : <-- will raise UC_ERR_INSN_INVALID,
// : but should not never be reached
0x90, // 0xe nop :
0x90, // 0xf nop :
];
let mut uc = Unicorn::new(Arch::X86, Mode::MODE_64).unwrap();
uc.mem_map(CODE_START, CODE_LEN, Prot::ALL).unwrap();
uc.mem_write(CODE_START, code).unwrap();
uc.add_code_hook(
CODE_START,
CODE_START + code.len() as u64,
|uc, address, _| {
let rip = CODE_START + 0xb;
if address == CODE_START + 0x7 {
uc.emu_stop().unwrap();
uc.reg_write(RegisterX86::RIP, rip).unwrap();
}
},
)
.unwrap();
uc.emu_start(CODE_START, CODE_START + code.len() as u64, 0, 0)
.unwrap();
let rip = uc.reg_read(RegisterX86::RIP).unwrap();
assert_eq!(rip, CODE_START + 0xb);
}
#[test]
fn test_tlb_clear() {
#[rustfmt::skip]
let code = &[
0xa3, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, // movabs dword ptr [0x200000], eax
0x0f, 0x05, // syscall
0xa3, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, // movabs dword ptr [0x200000], eax
];
let mut uc = Unicorn::new_with_data(Arch::X86, Mode::MODE_64, 0usize).unwrap();
uc.mem_map(CODE_START, CODE_LEN, Prot::ALL).unwrap();
uc.mem_write(CODE_START, code).unwrap();
uc.mem_map(0x200000, 0x1000, Prot::ALL).unwrap();
uc.ctl_set_tlb_type(TlbType::VIRTUAL).unwrap();
uc.add_tlb_hook(1, 0, |uc, addr, _| {
*uc.get_data_mut() += 1;
Some(TlbEntry {
paddr: addr,
perms: Prot::ALL,
})
})
.unwrap();
uc.add_insn_sys_hook(X86Insn::SYSCALL, 1, 0, |uc| {
uc.ctl_flush_tlb().unwrap();
})
.unwrap();
uc.emu_start(CODE_START, CODE_START + code.len() as u64, 0, 0)
.unwrap();
let tlbcount = *uc.get_data();
assert_eq!(tlbcount, 4);
}
#[test]
fn test_noexec() {
#[rustfmt::skip]
let code = &[
0x8a, 0x05, 0x00, 0x00, 0x00, 0x00, // mov al, byte ptr[rip]
0x90, // nop
];
let mut uc = Unicorn::new(Arch::X86, Mode::MODE_64).unwrap();
uc.mem_map(CODE_START, CODE_LEN, Prot::ALL).unwrap();
uc.mem_write(CODE_START, code).unwrap();
uc.ctl_set_tlb_type(TlbType::VIRTUAL).unwrap();
uc.mem_protect(CODE_START, CODE_START as usize + 0x1000, Prot::EXEC)
.unwrap();
let err = uc
.emu_start(CODE_START, CODE_START + code.len() as u64, 0, 0)
.unwrap_err();
assert_eq!(err, uc_error::READ_PROT);
}
Reference in New Issue View Git Blame Copy Permalink