From ac806d3bfb2ac1ea84440af4cf56876970eb0dc8 Mon Sep 17 00:00:00 2001 From: McLovi9 Date: Tue, 2 Feb 2016 20:36:36 +0100 Subject: [PATCH 01/31] Create arm_init_input_crash.py --- tests/regress/arm_init_input_crash.py | 109 ++++++++++++++++++++++++++ 1 file changed, 109 insertions(+) create mode 100644 tests/regress/arm_init_input_crash.py diff --git a/tests/regress/arm_init_input_crash.py b/tests/regress/arm_init_input_crash.py new file mode 100644 index 00000000..ecafbfd2 --- /dev/null +++ b/tests/regress/arm_init_input_crash.py @@ -0,0 +1,109 @@ +#!/usr/bin/env python +# Sample code for ARM of Unicorn. Nguyen Anh Quynh +# Python sample ported by Loi Anh Tuan +# + + +from __future__ import print_function +from unicorn import * +from unicorn.arm_const import * + + +# code to be emulated +ARM_CODE = "\x37\x00\xa0\xe3\x03\x10\x42\xe0" # mov r0, #0x37; sub r1, r2, r3 +THUMB_CODE = "\x83\xb0" # sub sp, #0xc +# memory address where emulation starts +ADDRESS = 0xF0000000 + + +# callback for tracing basic blocks +def hook_block(uc, address, size, user_data): + print(">>> Tracing basic block at 0x%x, block size = 0x%x" %(address, size)) + + +# callback for tracing instructions +def hook_code(uc, address, size, user_data): + print(">>> Tracing instruction at 0x%x, instruction size = %u" %(address, size)) + + +# Test ARM +def test_arm(): + print("Emulate ARM code") + try: + # Initialize emulator in ARM mode + mu = Uc(UC_ARCH_ARM, UC_MODE_ARM) + + mem_size = 2 * (1024 * 1024) + mu.mem_map(ADDRESS, mem_size) + + stack_address = ADDRESS + mem_size + stack_size = stack_address # >>> here huge memory size + mu.mem_map(stack_address, stack_size) + + # write machine code to be emulated to memory + mu.mem_write(ADDRESS, ARM_CODE) + + # initialize machine registers + mu.reg_write(UC_ARM_REG_R0, 0x1234) + mu.reg_write(UC_ARM_REG_R2, 0x6789) + mu.reg_write(UC_ARM_REG_R3, 0x3333) + + # tracing all basic blocks with customized callback + mu.hook_add(UC_HOOK_BLOCK, hook_block) + + # tracing all instructions with customized callback + mu.hook_add(UC_HOOK_CODE, hook_code) + + # emulate machine code in infinite time + mu.emu_start(ADDRESS, ADDRESS + len(ARM_CODE)) + + # now print out some registers + print(">>> Emulation done. Below is the CPU context") + + r0 = mu.reg_read(UC_ARM_REG_R0) + r1 = mu.reg_read(UC_ARM_REG_R1) + print(">>> R0 = 0x%x" %r0) + print(">>> R1 = 0x%x" %r1) + + except UcError as e: + print("ERROR: %s" % e) + + +def test_thumb(): + print("Emulate THUMB code") + try: + # Initialize emulator in thumb mode + mu = Uc(UC_ARCH_ARM, UC_MODE_THUMB) + + # map 2MB memory for this emulation + mu.mem_map(ADDRESS, 2 * 1024 * 1024) + + # write machine code to be emulated to memory + mu.mem_write(ADDRESS, THUMB_CODE) + + # initialize machine registers + mu.reg_write(UC_ARM_REG_SP, 0x1234) + + # tracing all basic blocks with customized callback + mu.hook_add(UC_HOOK_BLOCK, hook_block) + + # tracing all instructions with customized callback + mu.hook_add(UC_HOOK_CODE, hook_code) + + # emulate machine code in infinite time + mu.emu_start(ADDRESS, ADDRESS + len(THUMB_CODE)) + + # now print out some registers + print(">>> Emulation done. Below is the CPU context") + + sp = mu.reg_read(UC_ARM_REG_SP) + print(">>> SP = 0x%x" %sp) + + except UcError as e: + print("ERROR: %s" % e) + + +if __name__ == '__main__': + test_arm() + print("=" * 20) + test_thumb() From 101f14285ae94070b20bdb47204351dd8f19ddb4 Mon Sep 17 00:00:00 2001 From: Nguyen Anh Quynh Date: Wed, 3 Feb 2016 09:20:15 +0800 Subject: [PATCH 02/31] chmod +x arm_init_input_crash.py --- tests/regress/arm_init_input_crash.py | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 tests/regress/arm_init_input_crash.py diff --git a/tests/regress/arm_init_input_crash.py b/tests/regress/arm_init_input_crash.py old mode 100644 new mode 100755 From 9977054a15419fba5541c0d224ed08bd07b84ed0 Mon Sep 17 00:00:00 2001 From: Chris Eagle Date: Wed, 3 Feb 2016 09:22:29 -0800 Subject: [PATCH 03/31] add support for setting gdtr, idtr, ldtr, and tr programatically --- include/unicorn/x86.h | 3 + qemu/target-i386/unicorn.c | 144 ++++++++++++++++++++++++++++++++++ tests/unit/test_gdt_idt_x86.c | 137 ++++++++++++++++++++++++++++++++ 3 files changed, 284 insertions(+) create mode 100755 tests/unit/test_gdt_idt_x86.c diff --git a/include/unicorn/x86.h b/include/unicorn/x86.h index b279de58..7d18c96d 100644 --- a/include/unicorn/x86.h +++ b/include/unicorn/x86.h @@ -64,6 +64,9 @@ typedef enum uc_x86_reg { UC_X86_REG_R9D, UC_X86_REG_R10D, UC_X86_REG_R11D, UC_X86_REG_R12D, UC_X86_REG_R13D, UC_X86_REG_R14D, UC_X86_REG_R15D, UC_X86_REG_R8W, UC_X86_REG_R9W, UC_X86_REG_R10W, UC_X86_REG_R11W, UC_X86_REG_R12W, UC_X86_REG_R13W, UC_X86_REG_R14W, UC_X86_REG_R15W, + UC_X86_REG_IDTR_LIMIT, UC_X86_REG_IDTR_BASE, UC_X86_REG_GDTR_LIMIT, UC_X86_REG_GDTR_BASE, + UC_X86_REG_LDTR_SS, UC_X86_REG_LDTR_LIMIT, UC_X86_REG_LDTR_BASE, UC_X86_REG_LDTR_ATTR, + UC_X86_REG_TR_SS, UC_X86_REG_TR_LIMIT, UC_X86_REG_TR_BASE, UC_X86_REG_TR_ATTR, UC_X86_REG_ENDING // <-- mark the end of the list of registers } uc_x86_reg; diff --git a/qemu/target-i386/unicorn.c b/qemu/target-i386/unicorn.c index 0af5763e..ce495c36 100644 --- a/qemu/target-i386/unicorn.c +++ b/qemu/target-i386/unicorn.c @@ -277,6 +277,42 @@ int x86_reg_read(struct uc_struct *uc, unsigned int regid, void *value) case UC_X86_REG_GS: *(int32_t *)value = X86_CPU(uc, mycpu)->env.segs[R_GS].base; break; + case UC_X86_REG_IDTR_LIMIT: + *(int16_t *)value = READ_WORD(X86_CPU(uc, mycpu)->env.idt.limit); + break; + case UC_X86_REG_IDTR_BASE: + *(int32_t *)value = X86_CPU(uc, mycpu)->env.idt.base; + break; + case UC_X86_REG_GDTR_LIMIT: + *(int16_t *)value = READ_WORD(X86_CPU(uc, mycpu)->env.gdt.limit); + break; + case UC_X86_REG_GDTR_BASE: + *(int32_t *)value = X86_CPU(uc, mycpu)->env.gdt.base; + break; + case UC_X86_REG_LDTR_SS: + *(int16_t *)value = READ_WORD(X86_CPU(uc, mycpu)->env.ldt.selector); + break; + case UC_X86_REG_LDTR_LIMIT: + *(int32_t *)value = X86_CPU(uc, mycpu)->env.ldt.limit; + break; + case UC_X86_REG_LDTR_BASE: + *(int32_t *)value = X86_CPU(uc, mycpu)->env.ldt.base; + break; + case UC_X86_REG_LDTR_ATTR: + *(int32_t *)value = X86_CPU(uc, mycpu)->env.ldt.flags; + break; + case UC_X86_REG_TR_SS: + *(int16_t *)value = READ_WORD(X86_CPU(uc, mycpu)->env.tr.selector); + break; + case UC_X86_REG_TR_LIMIT: + *(int32_t *)value = X86_CPU(uc, mycpu)->env.tr.limit; + break; + case UC_X86_REG_TR_BASE: + *(int32_t *)value = X86_CPU(uc, mycpu)->env.tr.base; + break; + case UC_X86_REG_TR_ATTR: + *(int32_t *)value = X86_CPU(uc, mycpu)->env.tr.flags; + break; } break; @@ -525,6 +561,42 @@ int x86_reg_read(struct uc_struct *uc, unsigned int regid, void *value) case UC_X86_REG_R15B: *(int8_t *)value = READ_BYTE_L(X86_CPU(uc, mycpu)->env.regs[15]); break; + case UC_X86_REG_IDTR_LIMIT: + *(int16_t *)value = READ_WORD(X86_CPU(uc, mycpu)->env.idt.limit); + break; + case UC_X86_REG_IDTR_BASE: + *(int64_t *)value = X86_CPU(uc, mycpu)->env.idt.base; + break; + case UC_X86_REG_GDTR_LIMIT: + *(int16_t *)value = READ_WORD(X86_CPU(uc, mycpu)->env.gdt.limit); + break; + case UC_X86_REG_GDTR_BASE: + *(int64_t *)value = X86_CPU(uc, mycpu)->env.gdt.base; + break; + case UC_X86_REG_LDTR_SS: + *(int16_t *)value = READ_WORD(X86_CPU(uc, mycpu)->env.ldt.selector); + break; + case UC_X86_REG_LDTR_LIMIT: + *(int32_t *)value = X86_CPU(uc, mycpu)->env.ldt.limit; + break; + case UC_X86_REG_LDTR_BASE: + *(int64_t *)value = X86_CPU(uc, mycpu)->env.ldt.base; + break; + case UC_X86_REG_LDTR_ATTR: + *(int32_t *)value = X86_CPU(uc, mycpu)->env.ldt.flags; + break; + case UC_X86_REG_TR_SS: + *(int16_t *)value = READ_WORD(X86_CPU(uc, mycpu)->env.tr.selector); + break; + case UC_X86_REG_TR_LIMIT: + *(int32_t *)value = X86_CPU(uc, mycpu)->env.tr.limit; + break; + case UC_X86_REG_TR_BASE: + *(int64_t *)value = X86_CPU(uc, mycpu)->env.tr.base; + break; + case UC_X86_REG_TR_ATTR: + *(int32_t *)value = X86_CPU(uc, mycpu)->env.tr.flags; + break; } break; #endif @@ -684,6 +756,42 @@ int x86_reg_write(struct uc_struct *uc, unsigned int regid, const void *value) case UC_X86_REG_GS: X86_CPU(uc, mycpu)->env.segs[R_GS].base = *(uint32_t *)value; break; + case UC_X86_REG_IDTR_LIMIT: + WRITE_WORD(X86_CPU(uc, mycpu)->env.idt.limit, *(uint16_t *)value); + break; + case UC_X86_REG_IDTR_BASE: + X86_CPU(uc, mycpu)->env.idt.base = *(uint32_t *)value; + break; + case UC_X86_REG_GDTR_LIMIT: + WRITE_WORD(X86_CPU(uc, mycpu)->env.gdt.limit, *(uint16_t *)value); + break; + case UC_X86_REG_GDTR_BASE: + X86_CPU(uc, mycpu)->env.gdt.base = *(uint32_t *)value; + break; + case UC_X86_REG_LDTR_SS: + WRITE_WORD(X86_CPU(uc, mycpu)->env.ldt.selector, *(uint16_t *)value); + break; + case UC_X86_REG_LDTR_LIMIT: + X86_CPU(uc, mycpu)->env.ldt.limit = *(uint32_t *)value; + break; + case UC_X86_REG_LDTR_BASE: + X86_CPU(uc, mycpu)->env.ldt.base = *(uint32_t *)value; + break; + case UC_X86_REG_LDTR_ATTR: + X86_CPU(uc, mycpu)->env.ldt.flags = *(uint32_t *)value; + break; + case UC_X86_REG_TR_SS: + WRITE_WORD(X86_CPU(uc, mycpu)->env.tr.selector, *(uint16_t *)value); + break; + case UC_X86_REG_TR_LIMIT: + X86_CPU(uc, mycpu)->env.tr.limit = *(uint32_t *)value; + break; + case UC_X86_REG_TR_BASE: + X86_CPU(uc, mycpu)->env.tr.base = *(uint32_t *)value; + break; + case UC_X86_REG_TR_ATTR: + X86_CPU(uc, mycpu)->env.tr.flags = *(uint32_t *)value; + break; } break; @@ -942,6 +1050,42 @@ int x86_reg_write(struct uc_struct *uc, unsigned int regid, const void *value) case UC_X86_REG_R15B: WRITE_BYTE_L(X86_CPU(uc, mycpu)->env.regs[15], *(uint8_t *)value); break; + case UC_X86_REG_IDTR_LIMIT: + WRITE_WORD(X86_CPU(uc, mycpu)->env.idt.limit, *(uint16_t *)value); + break; + case UC_X86_REG_IDTR_BASE: + X86_CPU(uc, mycpu)->env.idt.base = *(uint64_t *)value; + break; + case UC_X86_REG_GDTR_LIMIT: + WRITE_WORD(X86_CPU(uc, mycpu)->env.gdt.limit, *(uint16_t *)value); + break; + case UC_X86_REG_GDTR_BASE: + X86_CPU(uc, mycpu)->env.gdt.base = *(uint64_t *)value; + break; + case UC_X86_REG_LDTR_SS: + WRITE_WORD(X86_CPU(uc, mycpu)->env.ldt.selector, *(uint16_t *)value); + break; + case UC_X86_REG_LDTR_LIMIT: + WRITE_DWORD(X86_CPU(uc, mycpu)->env.ldt.limit, *(uint32_t *)value); + break; + case UC_X86_REG_LDTR_BASE: + X86_CPU(uc, mycpu)->env.ldt.base = *(uint64_t *)value; + break; + case UC_X86_REG_LDTR_ATTR: + WRITE_DWORD(X86_CPU(uc, mycpu)->env.ldt.flags, *(uint32_t *)value); + break; + case UC_X86_REG_TR_SS: + WRITE_WORD(X86_CPU(uc, mycpu)->env.tr.selector, *(uint16_t *)value); + break; + case UC_X86_REG_TR_LIMIT: + WRITE_DWORD(X86_CPU(uc, mycpu)->env.tr.limit, *(uint32_t *)value); + break; + case UC_X86_REG_TR_BASE: + X86_CPU(uc, mycpu)->env.tr.base = *(uint64_t *)value; + break; + case UC_X86_REG_TR_ATTR: + WRITE_DWORD(X86_CPU(uc, mycpu)->env.tr.flags, *(uint32_t *)value); + break; } break; #endif diff --git a/tests/unit/test_gdt_idt_x86.c b/tests/unit/test_gdt_idt_x86.c new file mode 100755 index 00000000..03c66bb9 --- /dev/null +++ b/tests/unit/test_gdt_idt_x86.c @@ -0,0 +1,137 @@ +#include +#include +#include +#include +#include +#include + +/** + * Assert that err matches expect + */ +#define uc_assert_err(expect, err) \ +do { \ + uc_err __err = err; \ + if (__err != expect) { \ + fprintf(stderr, "%s", uc_strerror(__err)); \ + exit(1); \ + } \ +} while (0) + +/** + * Assert that err is UC_ERR_OK + */ +#define uc_assert_success(err) uc_assert_err(UC_ERR_OK, err) + +/** + * Assert that err is anything but UC_ERR_OK + * + * Note: Better to use uc_assert_err(, err), + * as this serves to document which errors a function will return + * in various scenarios. + */ +#define uc_assert_fail(err) \ +do { \ + uc_err __err = err; \ + if (__err == UC_ERR_OK) { \ + fprintf(stderr, "%s", uc_strerror(__err)); \ + exit(1); \ + } \ +} while (0) + +#define OK(x) uc_assert_success(x) + +/******************************************************************************/ + +static void test_idt_gdt_i386(/*void **state*/) +{ + uc_engine *uc; + uc_err err; + uint8_t buf[6]; + + const uint8_t code[] = "\x0f\x01\x0c\x24\x0f\x01\x44\x24\x06"; // sidt [esp]; sgdt [esp+6] + const uint64_t address = 0x1000000; + + int r_esp = address + 0x1000 - 0x100; // initial esp + + int idt_base = 0x12345678; + int idt_limit = 0xabcd; + int gdt_base = 0x87654321; + int gdt_limit = 0xdcba; + + // Initialize emulator in X86-32bit mode + err = uc_open(UC_ARCH_X86, UC_MODE_32, &uc); + uc_assert_success(err); + + // map 1 page memory for this emulation + err = uc_mem_map(uc, address, 0x1000, UC_PROT_ALL); + uc_assert_success(err); + + // write machine code to be emulated to memory + err = uc_mem_write(uc, address, code, sizeof(code)-1); + uc_assert_success(err); + + // initialize machine registers + err = uc_reg_write(uc, UC_X86_REG_ESP, &r_esp); + uc_assert_success(err); + err = uc_reg_write(uc, UC_X86_REG_IDTR_BASE, &idt_base); + uc_assert_success(err); + err = uc_reg_write(uc, UC_X86_REG_IDTR_LIMIT, &idt_limit); + uc_assert_success(err); + err = uc_reg_write(uc, UC_X86_REG_GDTR_BASE, &gdt_base); + uc_assert_success(err); + err = uc_reg_write(uc, UC_X86_REG_GDTR_LIMIT, &gdt_limit); + uc_assert_success(err); + + idt_base = 0; + idt_limit = 0; + gdt_base = 0; + gdt_limit = 0; + + // emulate machine code in infinite time + err = uc_emu_start(uc, address, address+sizeof(code)-1, 0, 0); + uc_assert_success(err); + + + uc_reg_read(uc, UC_X86_REG_IDTR_BASE, &idt_base); + assert(idt_base == 0x12345678); + + uc_reg_read(uc, UC_X86_REG_IDTR_LIMIT, &idt_limit); + assert(idt_limit == 0xabcd); + + uc_reg_read(uc, UC_X86_REG_GDTR_BASE, &gdt_base); + assert(gdt_base == 0x87654321); + + uc_reg_read(uc, UC_X86_REG_GDTR_LIMIT, &gdt_limit); + assert(gdt_limit == 0xdcba); + + // read from memory + err = uc_mem_read(uc, r_esp, buf, 6); + uc_assert_success(err); + + assert(memcmp(buf, "\xcd\xab\x78\x56\x34\x12", 6) == 0); + + // read from memory + err = uc_mem_read(uc, r_esp + 6, buf, 6); + uc_assert_success(err); + + assert(memcmp(buf, "\xba\xdc\x21\x43\x65\x87", 6) == 0); + + uc_close(uc); + +} + +/******************************************************************************/ + +int main(void) { +/* + const struct CMUnitTest tests[] = { + cmocka_unit_test(test_idt_gdt_i386) + }; + return cmocka_run_group_tests(tests, NULL, NULL); +*/ + test_idt_gdt_i386(); + + fprintf(stderr, "success\n"); + + return 0; +} From 1e13777c914ca73b38eee365b11c127d26f9fe2e Mon Sep 17 00:00:00 2001 From: coco Date: Thu, 4 Feb 2016 19:57:20 +0100 Subject: [PATCH 04/31] added memory fuzzer and 2 resulting testcases --- tests/regress/Makefile | 1 + tests/regress/mem_fuzz.c | 119 ++++++++++++++++++++++++++++++++++++++ tests/unit/test_mem_map.c | 25 ++++++++ 3 files changed, 145 insertions(+) create mode 100644 tests/regress/mem_fuzz.c diff --git a/tests/regress/Makefile b/tests/regress/Makefile index 3de87998..6b8381a9 100644 --- a/tests/regress/Makefile +++ b/tests/regress/Makefile @@ -37,6 +37,7 @@ TESTS += mips_branch_likely_issue TESTS += hook_extrainvoke TESTS += sysenter_hook_x86 TESTS += emu_clear_errors +TESTS += mem_fuzz all: $(TESTS) diff --git a/tests/regress/mem_fuzz.c b/tests/regress/mem_fuzz.c new file mode 100644 index 00000000..a1e080cf --- /dev/null +++ b/tests/regress/mem_fuzz.c @@ -0,0 +1,119 @@ +#define __STDC_FORMAT_MACROS +#include +#include +#include +#include +#include +#include + +#include + + +uint64_t baseranges[] = {0,0,0,0}; +int step =0; + +uint64_t urnd(){ + uint64_t rnd = rand(); + rnd = rnd << 32; + rnd += rand(); + return rnd; +} +uint64_t get_addr(){ + uint64_t base = ((uint64_t)urnd())%4; + uint64_t addr= baseranges[base] + urnd()%(4096*10); + return addr; +} + +uint64_t get_aligned_addr(){ + uint64_t addr = get_addr(); + return addr - (addr % 4096); +} + +uint64_t get_len(){ + uint64_t len = (urnd() % (4096*5))+1; + return len; +} + +uint64_t get_aligned_len(){ + uint64_t len = get_len(); + len = len - (len %4096); + len = ((len == 0) ? 4096 : len); + return len; +} + +void perform_map_step(uc_engine *uc){ + uint64_t addr = get_aligned_addr(); + uint64_t len = get_aligned_len(); + printf("map(0x%lx,0x%lx); //%d\n", addr, len, step); + uc_mem_map(uc, addr, len, UC_PROT_READ | UC_PROT_WRITE); +} + +void perform_unmap_step(uc_engine *uc){ + uint64_t addr = get_aligned_addr(); + uint64_t len = get_aligned_len(); + printf("unmap(0x%lx,0x%lx); //%d\n", addr, len, step); + uc_mem_unmap(uc, addr, len); +} + +void perform_write_step(uc_engine *uc){ + char* buff[4096*4]; + memset(buff, 0, 4096*4); + uint64_t addr = get_addr(); + uint64_t len = get_len()%(4096*3); + printf("write(0x%lx,0x%lx); //%d\n", addr, len, step); + uc_mem_write(uc, addr, buff, len); +} + +void perform_read_step(uc_engine *uc){ + char* buff[4096*4]; + uint64_t addr = get_addr(); + uint64_t len = get_len()%(4096*3); + printf("read(0x%lx,0x%lx); //%d\n", addr, len, step); + uc_mem_read(uc, addr, buff, len); +} + +void perform_fuzz_step(uc_engine *uc){ + switch( ((uint32_t)rand())%2 ){ + case 0: perform_map_step(uc); break; + case 1: perform_unmap_step(uc); break; + //case 2: perform_read_step(uc); break; + //case 3: perform_write_step(uc); break; + } +} + +int main(int argc, char **argv, char **envp) +{ + uc_engine *uc; + uc_hook trace1, trace2; + uc_err err; + if(argc<2){ + printf("usage: mem_fuzz $seed\n"); + return 1; + } + int seed = atoi(argv[1]); + int i = 0; + + //don't really care about quality of randomness + srand(seed); + printf("running with seed %d\n",seed); + + // Initialize emulator in X86-32bit mode + err = uc_open(UC_ARCH_X86, UC_MODE_64, &uc); + if (err) { + printf("Failed on uc_open() with error returned: %u\n", err); + return 1; + } + + for(i = 0; i < 2048; i++){ + step++; + perform_fuzz_step(uc); + } + // fill in sections that shouldn't get touched + + if (uc_close(uc) != UC_ERR_OK) { + printf("Failed on uc_close\n"); + return 1; + } + + return 0; +} diff --git a/tests/unit/test_mem_map.c b/tests/unit/test_mem_map.c index 210d4790..6b743f0c 100644 --- a/tests/unit/test_mem_map.c +++ b/tests/unit/test_mem_map.c @@ -138,6 +138,29 @@ static void test_unmap_double_map(void **state) uc_assert_fail(uc_mem_map(uc, 0x0000, 0x1000, 0)); /* 0x1000 - 0x1000 */ } +static void test_overlap_unmap_double_map(void **state) +{ + uc_engine *uc = *state; + uc_mem_map( uc, 0x1000, 0x2000, 0); + uc_mem_map( uc, 0x1000, 0x1000, 0); + uc_mem_unmap(uc, 0x2000, 0x1000); +} + +static void test_strange_map(void **state) +{ + uc_engine *uc = *state; + uc_mem_map( uc, 0x0,0x3000,0); + uc_mem_unmap(uc, 0x1000,0x1000); + uc_mem_map( uc, 0x3000,0x1000,0); + uc_mem_map( uc, 0x4000,0x1000,0); + uc_mem_map( uc, 0x1000,0x1000,0); + uc_mem_map( uc, 0x5000,0x1000,0); + uc_mem_unmap(uc, 0x0,0x1000); +} + + + + int main(void) { #define test(x) cmocka_unit_test_setup_teardown(x, setup, teardown) const struct CMUnitTest tests[] = { @@ -147,6 +170,8 @@ int main(void) { test(test_bad_unmap), test(test_rw_across_boundaries), test(test_unmap_double_map), + test(test_overlap_unmap_double_map), + test(test_strange_map), }; #undef test return cmocka_run_group_tests(tests, NULL, NULL); From e59382e030aa14e62ebd3fd867889fffb5d64a07 Mon Sep 17 00:00:00 2001 From: Chris Eagle Date: Thu, 4 Feb 2016 16:44:52 -0800 Subject: [PATCH 05/31] updated gdtr/idtr/ldtr/tr read/write code --- include/unicorn/x86.h | 13 ++- qemu/target-i386/cpu.h | 2 +- qemu/target-i386/unicorn.c | 192 ++++++++++++---------------------- tests/unit/test_gdt_idt_x86.c | 68 ++++++++---- 4 files changed, 120 insertions(+), 155 deletions(-) mode change 100644 => 100755 include/unicorn/x86.h mode change 100644 => 100755 qemu/target-i386/cpu.h mode change 100644 => 100755 qemu/target-i386/unicorn.c diff --git a/include/unicorn/x86.h b/include/unicorn/x86.h old mode 100644 new mode 100755 index 7d18c96d..ab5a0481 --- a/include/unicorn/x86.h +++ b/include/unicorn/x86.h @@ -8,6 +8,15 @@ extern "C" { #endif +//Memory-Management Register fields (idtr, gdtr, ldtr, tr) +//borrow from SegmentCache in qemu/target-i386/cpu.h +typedef struct x86_mmr { + uint32_t selector; + uint64_t base; /* handle 32 or 64 bit CPUs */ + uint32_t limit; + uint32_t flags; +} x86_mmr; + // Callback function for tracing SYSCALL/SYSENTER (for uc_hook_intr()) // @user_data: user data passed to tracing APIs. typedef void (*uc_cb_insn_syscall_t)(struct uc_struct *uc, void *user_data); @@ -64,9 +73,7 @@ typedef enum uc_x86_reg { UC_X86_REG_R9D, UC_X86_REG_R10D, UC_X86_REG_R11D, UC_X86_REG_R12D, UC_X86_REG_R13D, UC_X86_REG_R14D, UC_X86_REG_R15D, UC_X86_REG_R8W, UC_X86_REG_R9W, UC_X86_REG_R10W, UC_X86_REG_R11W, UC_X86_REG_R12W, UC_X86_REG_R13W, UC_X86_REG_R14W, UC_X86_REG_R15W, - UC_X86_REG_IDTR_LIMIT, UC_X86_REG_IDTR_BASE, UC_X86_REG_GDTR_LIMIT, UC_X86_REG_GDTR_BASE, - UC_X86_REG_LDTR_SS, UC_X86_REG_LDTR_LIMIT, UC_X86_REG_LDTR_BASE, UC_X86_REG_LDTR_ATTR, - UC_X86_REG_TR_SS, UC_X86_REG_TR_LIMIT, UC_X86_REG_TR_BASE, UC_X86_REG_TR_ATTR, + UC_X86_REG_IDTR, UC_X86_REG_GDTR, UC_X86_REG_LDTR, UC_X86_REG_TR, UC_X86_REG_ENDING // <-- mark the end of the list of registers } uc_x86_reg; diff --git a/qemu/target-i386/cpu.h b/qemu/target-i386/cpu.h old mode 100644 new mode 100755 index 4628a8df..68f802f9 --- a/qemu/target-i386/cpu.h +++ b/qemu/target-i386/cpu.h @@ -699,7 +699,7 @@ typedef enum { typedef struct SegmentCache { uint32_t selector; - target_ulong base; + uint64_t base; /* handle 32 or 64 bit CPUs */ uint32_t limit; uint32_t flags; } SegmentCache; diff --git a/qemu/target-i386/unicorn.c b/qemu/target-i386/unicorn.c old mode 100644 new mode 100755 index ce495c36..89ccdb6d --- a/qemu/target-i386/unicorn.c +++ b/qemu/target-i386/unicorn.c @@ -277,41 +277,25 @@ int x86_reg_read(struct uc_struct *uc, unsigned int regid, void *value) case UC_X86_REG_GS: *(int32_t *)value = X86_CPU(uc, mycpu)->env.segs[R_GS].base; break; - case UC_X86_REG_IDTR_LIMIT: - *(int16_t *)value = READ_WORD(X86_CPU(uc, mycpu)->env.idt.limit); + case UC_X86_REG_IDTR: + ((SegmentCache *)value)->limit = (uint16_t)X86_CPU(uc, mycpu)->env.idt.limit; + ((SegmentCache *)value)->base = (uint32_t)X86_CPU(uc, mycpu)->env.idt.base; break; - case UC_X86_REG_IDTR_BASE: - *(int32_t *)value = X86_CPU(uc, mycpu)->env.idt.base; + case UC_X86_REG_GDTR: + ((SegmentCache *)value)->limit = (uint16_t)X86_CPU(uc, mycpu)->env.gdt.limit; + ((SegmentCache *)value)->base = (uint32_t)X86_CPU(uc, mycpu)->env.gdt.base; break; - case UC_X86_REG_GDTR_LIMIT: - *(int16_t *)value = READ_WORD(X86_CPU(uc, mycpu)->env.gdt.limit); + case UC_X86_REG_LDTR: + ((SegmentCache *)value)->limit = X86_CPU(uc, mycpu)->env.ldt.limit; + ((SegmentCache *)value)->base = (uint32_t)X86_CPU(uc, mycpu)->env.ldt.base; + ((SegmentCache *)value)->selector = (uint16_t)X86_CPU(uc, mycpu)->env.ldt.selector; + ((SegmentCache *)value)->flags = X86_CPU(uc, mycpu)->env.ldt.flags; break; - case UC_X86_REG_GDTR_BASE: - *(int32_t *)value = X86_CPU(uc, mycpu)->env.gdt.base; - break; - case UC_X86_REG_LDTR_SS: - *(int16_t *)value = READ_WORD(X86_CPU(uc, mycpu)->env.ldt.selector); - break; - case UC_X86_REG_LDTR_LIMIT: - *(int32_t *)value = X86_CPU(uc, mycpu)->env.ldt.limit; - break; - case UC_X86_REG_LDTR_BASE: - *(int32_t *)value = X86_CPU(uc, mycpu)->env.ldt.base; - break; - case UC_X86_REG_LDTR_ATTR: - *(int32_t *)value = X86_CPU(uc, mycpu)->env.ldt.flags; - break; - case UC_X86_REG_TR_SS: - *(int16_t *)value = READ_WORD(X86_CPU(uc, mycpu)->env.tr.selector); - break; - case UC_X86_REG_TR_LIMIT: - *(int32_t *)value = X86_CPU(uc, mycpu)->env.tr.limit; - break; - case UC_X86_REG_TR_BASE: - *(int32_t *)value = X86_CPU(uc, mycpu)->env.tr.base; - break; - case UC_X86_REG_TR_ATTR: - *(int32_t *)value = X86_CPU(uc, mycpu)->env.tr.flags; + case UC_X86_REG_TR: + ((SegmentCache *)value)->limit = X86_CPU(uc, mycpu)->env.tr.limit; + ((SegmentCache *)value)->base = (uint32_t)X86_CPU(uc, mycpu)->env.tr.base; + ((SegmentCache *)value)->selector = (uint16_t)X86_CPU(uc, mycpu)->env.tr.selector; + ((SegmentCache *)value)->flags = X86_CPU(uc, mycpu)->env.tr.flags; break; } break; @@ -561,41 +545,25 @@ int x86_reg_read(struct uc_struct *uc, unsigned int regid, void *value) case UC_X86_REG_R15B: *(int8_t *)value = READ_BYTE_L(X86_CPU(uc, mycpu)->env.regs[15]); break; - case UC_X86_REG_IDTR_LIMIT: - *(int16_t *)value = READ_WORD(X86_CPU(uc, mycpu)->env.idt.limit); + case UC_X86_REG_IDTR: + ((SegmentCache *)value)->limit = (uint16_t)X86_CPU(uc, mycpu)->env.idt.limit; + ((SegmentCache *)value)->base = X86_CPU(uc, mycpu)->env.idt.base; break; - case UC_X86_REG_IDTR_BASE: - *(int64_t *)value = X86_CPU(uc, mycpu)->env.idt.base; + case UC_X86_REG_GDTR: + ((SegmentCache *)value)->limit = (uint16_t)X86_CPU(uc, mycpu)->env.gdt.limit; + ((SegmentCache *)value)->base = X86_CPU(uc, mycpu)->env.gdt.base; break; - case UC_X86_REG_GDTR_LIMIT: - *(int16_t *)value = READ_WORD(X86_CPU(uc, mycpu)->env.gdt.limit); + case UC_X86_REG_LDTR: + ((SegmentCache *)value)->limit = X86_CPU(uc, mycpu)->env.ldt.limit; + ((SegmentCache *)value)->base = X86_CPU(uc, mycpu)->env.ldt.base; + ((SegmentCache *)value)->selector = (uint16_t)X86_CPU(uc, mycpu)->env.ldt.selector; + ((SegmentCache *)value)->flags = X86_CPU(uc, mycpu)->env.ldt.flags; break; - case UC_X86_REG_GDTR_BASE: - *(int64_t *)value = X86_CPU(uc, mycpu)->env.gdt.base; - break; - case UC_X86_REG_LDTR_SS: - *(int16_t *)value = READ_WORD(X86_CPU(uc, mycpu)->env.ldt.selector); - break; - case UC_X86_REG_LDTR_LIMIT: - *(int32_t *)value = X86_CPU(uc, mycpu)->env.ldt.limit; - break; - case UC_X86_REG_LDTR_BASE: - *(int64_t *)value = X86_CPU(uc, mycpu)->env.ldt.base; - break; - case UC_X86_REG_LDTR_ATTR: - *(int32_t *)value = X86_CPU(uc, mycpu)->env.ldt.flags; - break; - case UC_X86_REG_TR_SS: - *(int16_t *)value = READ_WORD(X86_CPU(uc, mycpu)->env.tr.selector); - break; - case UC_X86_REG_TR_LIMIT: - *(int32_t *)value = X86_CPU(uc, mycpu)->env.tr.limit; - break; - case UC_X86_REG_TR_BASE: - *(int64_t *)value = X86_CPU(uc, mycpu)->env.tr.base; - break; - case UC_X86_REG_TR_ATTR: - *(int32_t *)value = X86_CPU(uc, mycpu)->env.tr.flags; + case UC_X86_REG_TR: + ((SegmentCache *)value)->limit = X86_CPU(uc, mycpu)->env.tr.limit; + ((SegmentCache *)value)->base = X86_CPU(uc, mycpu)->env.tr.base; + ((SegmentCache *)value)->selector = (uint16_t)X86_CPU(uc, mycpu)->env.tr.selector; + ((SegmentCache *)value)->flags = X86_CPU(uc, mycpu)->env.tr.flags; break; } break; @@ -756,41 +724,25 @@ int x86_reg_write(struct uc_struct *uc, unsigned int regid, const void *value) case UC_X86_REG_GS: X86_CPU(uc, mycpu)->env.segs[R_GS].base = *(uint32_t *)value; break; - case UC_X86_REG_IDTR_LIMIT: - WRITE_WORD(X86_CPU(uc, mycpu)->env.idt.limit, *(uint16_t *)value); + case UC_X86_REG_IDTR: + X86_CPU(uc, mycpu)->env.idt.limit = (uint16_t)((SegmentCache *)value)->limit; + X86_CPU(uc, mycpu)->env.idt.base = (uint32_t)((SegmentCache *)value)->base; break; - case UC_X86_REG_IDTR_BASE: - X86_CPU(uc, mycpu)->env.idt.base = *(uint32_t *)value; + case UC_X86_REG_GDTR: + X86_CPU(uc, mycpu)->env.gdt.limit = (uint16_t)((SegmentCache *)value)->limit; + X86_CPU(uc, mycpu)->env.gdt.base = (uint32_t)((SegmentCache *)value)->base; break; - case UC_X86_REG_GDTR_LIMIT: - WRITE_WORD(X86_CPU(uc, mycpu)->env.gdt.limit, *(uint16_t *)value); + case UC_X86_REG_LDTR: + X86_CPU(uc, mycpu)->env.ldt.limit = ((SegmentCache *)value)->limit; + X86_CPU(uc, mycpu)->env.ldt.base = (uint32_t)((SegmentCache *)value)->base; + X86_CPU(uc, mycpu)->env.ldt.selector = (uint16_t)((SegmentCache *)value)->selector; + X86_CPU(uc, mycpu)->env.ldt.flags = ((SegmentCache *)value)->flags; break; - case UC_X86_REG_GDTR_BASE: - X86_CPU(uc, mycpu)->env.gdt.base = *(uint32_t *)value; - break; - case UC_X86_REG_LDTR_SS: - WRITE_WORD(X86_CPU(uc, mycpu)->env.ldt.selector, *(uint16_t *)value); - break; - case UC_X86_REG_LDTR_LIMIT: - X86_CPU(uc, mycpu)->env.ldt.limit = *(uint32_t *)value; - break; - case UC_X86_REG_LDTR_BASE: - X86_CPU(uc, mycpu)->env.ldt.base = *(uint32_t *)value; - break; - case UC_X86_REG_LDTR_ATTR: - X86_CPU(uc, mycpu)->env.ldt.flags = *(uint32_t *)value; - break; - case UC_X86_REG_TR_SS: - WRITE_WORD(X86_CPU(uc, mycpu)->env.tr.selector, *(uint16_t *)value); - break; - case UC_X86_REG_TR_LIMIT: - X86_CPU(uc, mycpu)->env.tr.limit = *(uint32_t *)value; - break; - case UC_X86_REG_TR_BASE: - X86_CPU(uc, mycpu)->env.tr.base = *(uint32_t *)value; - break; - case UC_X86_REG_TR_ATTR: - X86_CPU(uc, mycpu)->env.tr.flags = *(uint32_t *)value; + case UC_X86_REG_TR: + X86_CPU(uc, mycpu)->env.tr.limit = ((SegmentCache *)value)->limit; + X86_CPU(uc, mycpu)->env.tr.base = (uint32_t)((SegmentCache *)value)->base; + X86_CPU(uc, mycpu)->env.tr.selector = (uint16_t)((SegmentCache *)value)->selector; + X86_CPU(uc, mycpu)->env.tr.flags = ((SegmentCache *)value)->flags; break; } break; @@ -1050,41 +1002,25 @@ int x86_reg_write(struct uc_struct *uc, unsigned int regid, const void *value) case UC_X86_REG_R15B: WRITE_BYTE_L(X86_CPU(uc, mycpu)->env.regs[15], *(uint8_t *)value); break; - case UC_X86_REG_IDTR_LIMIT: - WRITE_WORD(X86_CPU(uc, mycpu)->env.idt.limit, *(uint16_t *)value); + case UC_X86_REG_IDTR: + X86_CPU(uc, mycpu)->env.idt.limit = (uint16_t)((SegmentCache *)value)->limit; + X86_CPU(uc, mycpu)->env.idt.base = ((SegmentCache *)value)->base; break; - case UC_X86_REG_IDTR_BASE: - X86_CPU(uc, mycpu)->env.idt.base = *(uint64_t *)value; + case UC_X86_REG_GDTR: + X86_CPU(uc, mycpu)->env.gdt.limit = (uint16_t)((SegmentCache *)value)->limit; + X86_CPU(uc, mycpu)->env.gdt.base = ((SegmentCache *)value)->base; break; - case UC_X86_REG_GDTR_LIMIT: - WRITE_WORD(X86_CPU(uc, mycpu)->env.gdt.limit, *(uint16_t *)value); + case UC_X86_REG_LDTR: + X86_CPU(uc, mycpu)->env.ldt.limit = ((SegmentCache *)value)->limit; + X86_CPU(uc, mycpu)->env.ldt.base = ((SegmentCache *)value)->base; + X86_CPU(uc, mycpu)->env.ldt.selector = (uint16_t)((SegmentCache *)value)->selector; + X86_CPU(uc, mycpu)->env.ldt.flags = ((SegmentCache *)value)->flags; break; - case UC_X86_REG_GDTR_BASE: - X86_CPU(uc, mycpu)->env.gdt.base = *(uint64_t *)value; - break; - case UC_X86_REG_LDTR_SS: - WRITE_WORD(X86_CPU(uc, mycpu)->env.ldt.selector, *(uint16_t *)value); - break; - case UC_X86_REG_LDTR_LIMIT: - WRITE_DWORD(X86_CPU(uc, mycpu)->env.ldt.limit, *(uint32_t *)value); - break; - case UC_X86_REG_LDTR_BASE: - X86_CPU(uc, mycpu)->env.ldt.base = *(uint64_t *)value; - break; - case UC_X86_REG_LDTR_ATTR: - WRITE_DWORD(X86_CPU(uc, mycpu)->env.ldt.flags, *(uint32_t *)value); - break; - case UC_X86_REG_TR_SS: - WRITE_WORD(X86_CPU(uc, mycpu)->env.tr.selector, *(uint16_t *)value); - break; - case UC_X86_REG_TR_LIMIT: - WRITE_DWORD(X86_CPU(uc, mycpu)->env.tr.limit, *(uint32_t *)value); - break; - case UC_X86_REG_TR_BASE: - X86_CPU(uc, mycpu)->env.tr.base = *(uint64_t *)value; - break; - case UC_X86_REG_TR_ATTR: - WRITE_DWORD(X86_CPU(uc, mycpu)->env.tr.flags, *(uint32_t *)value); + case UC_X86_REG_TR: + X86_CPU(uc, mycpu)->env.tr.limit = ((SegmentCache *)value)->limit; + X86_CPU(uc, mycpu)->env.tr.base = ((SegmentCache *)value)->base; + X86_CPU(uc, mycpu)->env.tr.selector = (uint16_t)((SegmentCache *)value)->selector; + X86_CPU(uc, mycpu)->env.tr.flags = ((SegmentCache *)value)->flags; break; } break; diff --git a/tests/unit/test_gdt_idt_x86.c b/tests/unit/test_gdt_idt_x86.c index 03c66bb9..27183f0e 100755 --- a/tests/unit/test_gdt_idt_x86.c +++ b/tests/unit/test_gdt_idt_x86.c @@ -47,16 +47,30 @@ static void test_idt_gdt_i386(/*void **state*/) uc_engine *uc; uc_err err; uint8_t buf[6]; + x86_mmr idt; + x86_mmr gdt; + x86_mmr ldt; + x86_mmr tr; const uint8_t code[] = "\x0f\x01\x0c\x24\x0f\x01\x44\x24\x06"; // sidt [esp]; sgdt [esp+6] const uint64_t address = 0x1000000; int r_esp = address + 0x1000 - 0x100; // initial esp - int idt_base = 0x12345678; - int idt_limit = 0xabcd; - int gdt_base = 0x87654321; - int gdt_limit = 0xdcba; + idt.base = 0x12345678; + idt.limit = 0xabcd; + gdt.base = 0x87654321; + gdt.limit = 0xdcba; + + ldt.base = 0xfedcba98; + ldt.limit = 0x11111111; + ldt.selector = 0x3333; + ldt.flags = 0x55555555; + + tr.base = 0x22222222; + tr.limit = 0x33333333; + tr.selector = 0x4444; + tr.flags = 0x66666666; // Initialize emulator in X86-32bit mode err = uc_open(UC_ARCH_X86, UC_MODE_32, &uc); @@ -73,36 +87,44 @@ static void test_idt_gdt_i386(/*void **state*/) // initialize machine registers err = uc_reg_write(uc, UC_X86_REG_ESP, &r_esp); uc_assert_success(err); - err = uc_reg_write(uc, UC_X86_REG_IDTR_BASE, &idt_base); + err = uc_reg_write(uc, UC_X86_REG_IDTR, &idt); uc_assert_success(err); - err = uc_reg_write(uc, UC_X86_REG_IDTR_LIMIT, &idt_limit); - uc_assert_success(err); - err = uc_reg_write(uc, UC_X86_REG_GDTR_BASE, &gdt_base); - uc_assert_success(err); - err = uc_reg_write(uc, UC_X86_REG_GDTR_LIMIT, &gdt_limit); + err = uc_reg_write(uc, UC_X86_REG_GDTR, &gdt); uc_assert_success(err); - idt_base = 0; - idt_limit = 0; - gdt_base = 0; - gdt_limit = 0; + idt.base = 0; + idt.limit = 0; + gdt.base = 0; + gdt.limit = 0; // emulate machine code in infinite time err = uc_emu_start(uc, address, address+sizeof(code)-1, 0, 0); uc_assert_success(err); - uc_reg_read(uc, UC_X86_REG_IDTR_BASE, &idt_base); - assert(idt_base == 0x12345678); - - uc_reg_read(uc, UC_X86_REG_IDTR_LIMIT, &idt_limit); - assert(idt_limit == 0xabcd); + uc_reg_read(uc, UC_X86_REG_IDTR, &idt); + assert(idt.base == 0x12345678); + assert(idt.limit == 0xabcd); - uc_reg_read(uc, UC_X86_REG_GDTR_BASE, &gdt_base); - assert(gdt_base == 0x87654321); + uc_reg_read(uc, UC_X86_REG_GDTR, &gdt); + assert(gdt.base == 0x87654321); + assert(gdt.limit == 0xdcba); - uc_reg_read(uc, UC_X86_REG_GDTR_LIMIT, &gdt_limit); - assert(gdt_limit == 0xdcba); + //userspace can only set ldt selector, remainder are loaded from + //GDT/LDT, but we allow all to emulator user + uc_reg_read(uc, UC_X86_REG_LDTR, &ldt); + assert(ldt.base == 0xfedcba98); + assert(ldt.limit == 0x11111111); + assert(ldt.selector == 0x3333); + assert(ldt.flags = 0x55555555); + + //userspace can only set tr selector, remainder are loaded from + //GDT/LDT, but we allow all to emulator user + uc_reg_read(uc, UC_X86_REG_TR, &tr); + assert(tr.base == 0x22222222); + assert(tr.limit == 0x33333333); + assert(tr.selector == 0x4444); + assert(tr.flags = 0x66666666); // read from memory err = uc_mem_read(uc, r_esp, buf, 6); From 59f7bf3be733b0b08bfca02eec40b48cfccbaf13 Mon Sep 17 00:00:00 2001 From: Chris Eagle Date: Thu, 4 Feb 2016 16:48:27 -0800 Subject: [PATCH 06/31] file perms --- include/unicorn/x86.h | 0 qemu/target-i386/cpu.h | 0 qemu/target-i386/unicorn.c | 0 tests/unit/test_gdt_idt_x86.c | 12 ++++++++---- 4 files changed, 8 insertions(+), 4 deletions(-) mode change 100755 => 100644 include/unicorn/x86.h mode change 100755 => 100644 qemu/target-i386/cpu.h mode change 100755 => 100644 qemu/target-i386/unicorn.c mode change 100755 => 100644 tests/unit/test_gdt_idt_x86.c diff --git a/include/unicorn/x86.h b/include/unicorn/x86.h old mode 100755 new mode 100644 diff --git a/qemu/target-i386/cpu.h b/qemu/target-i386/cpu.h old mode 100755 new mode 100644 diff --git a/qemu/target-i386/unicorn.c b/qemu/target-i386/unicorn.c old mode 100755 new mode 100644 diff --git a/tests/unit/test_gdt_idt_x86.c b/tests/unit/test_gdt_idt_x86.c old mode 100755 new mode 100644 index 27183f0e..0ee0c9bc --- a/tests/unit/test_gdt_idt_x86.c +++ b/tests/unit/test_gdt_idt_x86.c @@ -91,11 +91,15 @@ static void test_idt_gdt_i386(/*void **state*/) uc_assert_success(err); err = uc_reg_write(uc, UC_X86_REG_GDTR, &gdt); uc_assert_success(err); + err = uc_reg_write(uc, UC_X86_REG_LDTR, &ldt); + uc_assert_success(err); + err = uc_reg_write(uc, UC_X86_REG_TR, &tr); + uc_assert_success(err); - idt.base = 0; - idt.limit = 0; - gdt.base = 0; - gdt.limit = 0; + memset(&idt, 0, sizeof(idt)); + memset(&gdt, 0, sizeof(gdt)); + memset(&ldt, 0, sizeof(ldt)); + memset(&tr, 0, sizeof(tr)); // emulate machine code in infinite time err = uc_emu_start(uc, address, address+sizeof(code)-1, 0, 0); From 9b6d1bf324fd6725f45de3518fa2b4c55de80a49 Mon Sep 17 00:00:00 2001 From: Nguyen Anh Quynh Date: Fri, 5 Feb 2016 08:54:52 +0800 Subject: [PATCH 07/31] regress: fix compilation warning for mem_fuzz.c --- .gitignore | 1 + tests/regress/mem_fuzz.c | 8 ++++---- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index d3ddf440..8d291285 100644 --- a/.gitignore +++ b/.gitignore @@ -137,6 +137,7 @@ sysenter_hook_x86 test_tb_x86 test_multihook test_pc_change +mem_fuzz ################# diff --git a/tests/regress/mem_fuzz.c b/tests/regress/mem_fuzz.c index a1e080cf..aee3cdb0 100644 --- a/tests/regress/mem_fuzz.c +++ b/tests/regress/mem_fuzz.c @@ -44,14 +44,14 @@ uint64_t get_aligned_len(){ void perform_map_step(uc_engine *uc){ uint64_t addr = get_aligned_addr(); uint64_t len = get_aligned_len(); - printf("map(0x%lx,0x%lx); //%d\n", addr, len, step); + printf("map(0x%"PRIx64",0x%"PRIx64"); //%d\n", addr, len, step); uc_mem_map(uc, addr, len, UC_PROT_READ | UC_PROT_WRITE); } void perform_unmap_step(uc_engine *uc){ uint64_t addr = get_aligned_addr(); uint64_t len = get_aligned_len(); - printf("unmap(0x%lx,0x%lx); //%d\n", addr, len, step); + printf("unmap(0x%"PRIx64",0x%"PRIx64"); //%d\n", addr, len, step); uc_mem_unmap(uc, addr, len); } @@ -60,7 +60,7 @@ void perform_write_step(uc_engine *uc){ memset(buff, 0, 4096*4); uint64_t addr = get_addr(); uint64_t len = get_len()%(4096*3); - printf("write(0x%lx,0x%lx); //%d\n", addr, len, step); + printf("write(0x%"PRIx64",0x%"PRIx64"); //%d\n", addr, len, step); uc_mem_write(uc, addr, buff, len); } @@ -68,7 +68,7 @@ void perform_read_step(uc_engine *uc){ char* buff[4096*4]; uint64_t addr = get_addr(); uint64_t len = get_len()%(4096*3); - printf("read(0x%lx,0x%lx); //%d\n", addr, len, step); + printf("read(0x%"PRIx64",0x%"PRIx64"); //%d\n", addr, len, step); uc_mem_read(uc, addr, buff, len); } From f3dc2522a090e1f8467f5a67571dc3e1bef49786 Mon Sep 17 00:00:00 2001 From: Chris Eagle Date: Thu, 4 Feb 2016 17:17:40 -0800 Subject: [PATCH 08/31] read/write of x86 segment registers should modify selector field not base field --- qemu/target-i386/unicorn.c | 48 +++++++++++++++++++------------------- 1 file changed, 24 insertions(+), 24 deletions(-) mode change 100644 => 100755 qemu/target-i386/unicorn.c diff --git a/qemu/target-i386/unicorn.c b/qemu/target-i386/unicorn.c old mode 100644 new mode 100755 index 0af5763e..e6705133 --- a/qemu/target-i386/unicorn.c +++ b/qemu/target-i386/unicorn.c @@ -260,22 +260,22 @@ int x86_reg_read(struct uc_struct *uc, unsigned int regid, void *value) *(int16_t *)value = READ_WORD(X86_CPU(uc, mycpu)->env.eip); break; case UC_X86_REG_CS: - *(int32_t *)value = X86_CPU(uc, mycpu)->env.segs[R_CS].base; + *(int32_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_CS].selector; break; case UC_X86_REG_DS: - *(int32_t *)value = X86_CPU(uc, mycpu)->env.segs[R_DS].base; + *(int32_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_DS].selector; break; case UC_X86_REG_SS: - *(int32_t *)value = X86_CPU(uc, mycpu)->env.segs[R_SS].base; + *(int32_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_SS].selector; break; case UC_X86_REG_ES: - *(int32_t *)value = X86_CPU(uc, mycpu)->env.segs[R_ES].base; + *(int32_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_ES].selector; break; case UC_X86_REG_FS: - *(int32_t *)value = X86_CPU(uc, mycpu)->env.segs[R_FS].base; + *(int32_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_FS].selector; break; case UC_X86_REG_GS: - *(int32_t *)value = X86_CPU(uc, mycpu)->env.segs[R_GS].base; + *(int32_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_GS].selector; break; } break; @@ -412,22 +412,22 @@ int x86_reg_read(struct uc_struct *uc, unsigned int regid, void *value) *(int16_t *)value = READ_WORD(X86_CPU(uc, mycpu)->env.eip); break; case UC_X86_REG_CS: - *(int64_t *)value = X86_CPU(uc, mycpu)->env.segs[R_CS].base; + *(int64_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_CS].selector; break; case UC_X86_REG_DS: - *(int64_t *)value = X86_CPU(uc, mycpu)->env.segs[R_DS].base; + *(int64_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_DS].selector; break; case UC_X86_REG_SS: - *(int64_t *)value = X86_CPU(uc, mycpu)->env.segs[R_SS].base; + *(int64_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_SS].selector; break; case UC_X86_REG_ES: - *(int64_t *)value = X86_CPU(uc, mycpu)->env.segs[R_ES].base; + *(int64_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_ES].selector; break; case UC_X86_REG_FS: - *(int64_t *)value = X86_CPU(uc, mycpu)->env.segs[R_FS].base; + *(int64_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_FS].selector; break; case UC_X86_REG_GS: - *(int64_t *)value = X86_CPU(uc, mycpu)->env.segs[R_GS].base; + *(int64_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_GS].selector; break; case UC_X86_REG_R8: *(int64_t *)value = READ_QWORD(X86_CPU(uc, mycpu)->env.regs[8]); @@ -667,22 +667,22 @@ int x86_reg_write(struct uc_struct *uc, unsigned int regid, const void *value) uc_emu_stop(uc); break; case UC_X86_REG_CS: - X86_CPU(uc, mycpu)->env.segs[R_CS].base = *(uint32_t *)value; + X86_CPU(uc, mycpu)->env.segs[R_CS].selector = *(uint16_t *)value; break; case UC_X86_REG_DS: - X86_CPU(uc, mycpu)->env.segs[R_DS].base = *(uint32_t *)value; + X86_CPU(uc, mycpu)->env.segs[R_DS].selector = *(uint16_t *)value; break; case UC_X86_REG_SS: - X86_CPU(uc, mycpu)->env.segs[R_SS].base = *(uint32_t *)value; + X86_CPU(uc, mycpu)->env.segs[R_SS].selector = *(uint16_t *)value; break; case UC_X86_REG_ES: - X86_CPU(uc, mycpu)->env.segs[R_ES].base = *(uint32_t *)value; + X86_CPU(uc, mycpu)->env.segs[R_ES].selector = *(uint16_t *)value; break; case UC_X86_REG_FS: - X86_CPU(uc, mycpu)->env.segs[R_FS].base = *(uint32_t *)value; + X86_CPU(uc, mycpu)->env.segs[R_FS].selector = *(uint16_t *)value; break; case UC_X86_REG_GS: - X86_CPU(uc, mycpu)->env.segs[R_GS].base = *(uint32_t *)value; + X86_CPU(uc, mycpu)->env.segs[R_GS].selector = *(uint16_t *)value; break; } break; @@ -829,22 +829,22 @@ int x86_reg_write(struct uc_struct *uc, unsigned int regid, const void *value) uc_emu_stop(uc); break; case UC_X86_REG_CS: - X86_CPU(uc, mycpu)->env.segs[R_CS].base = *(uint64_t *)value; + X86_CPU(uc, mycpu)->env.segs[R_CS].selector = *(uint16_t *)value; break; case UC_X86_REG_DS: - X86_CPU(uc, mycpu)->env.segs[R_DS].base = *(uint64_t *)value; + X86_CPU(uc, mycpu)->env.segs[R_DS].selector = *(uint16_t *)value; break; case UC_X86_REG_SS: - X86_CPU(uc, mycpu)->env.segs[R_SS].base = *(uint64_t *)value; + X86_CPU(uc, mycpu)->env.segs[R_SS].selector = *(uint16_t *)value; break; case UC_X86_REG_ES: - X86_CPU(uc, mycpu)->env.segs[R_ES].base = *(uint64_t *)value; + X86_CPU(uc, mycpu)->env.segs[R_ES].selector = *(uint16_t *)value; break; case UC_X86_REG_FS: - X86_CPU(uc, mycpu)->env.segs[R_FS].base = *(uint64_t *)value; + X86_CPU(uc, mycpu)->env.segs[R_FS].selector = *(uint16_t *)value; break; case UC_X86_REG_GS: - X86_CPU(uc, mycpu)->env.segs[R_GS].base = *(uint64_t *)value; + X86_CPU(uc, mycpu)->env.segs[R_GS].selector = *(uint16_t *)value; break; case UC_X86_REG_R8: X86_CPU(uc, mycpu)->env.regs[8] = *(uint64_t *)value; From c339ced21863745be7fa49a14d17d51dd5a89509 Mon Sep 17 00:00:00 2001 From: Chris Eagle Date: Thu, 4 Feb 2016 17:18:24 -0800 Subject: [PATCH 09/31] file perms --- qemu/target-i386/unicorn.c | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100755 => 100644 qemu/target-i386/unicorn.c diff --git a/qemu/target-i386/unicorn.c b/qemu/target-i386/unicorn.c old mode 100755 new mode 100644 From bcfa41c90de34071b4b176151c72e98bf9ad76fd Mon Sep 17 00:00:00 2001 From: Ryan Hileman Date: Fri, 5 Feb 2016 02:35:17 +0100 Subject: [PATCH 10/31] add regress for #421 --- tests/regress/mov_gs_eax.py | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100755 tests/regress/mov_gs_eax.py diff --git a/tests/regress/mov_gs_eax.py b/tests/regress/mov_gs_eax.py new file mode 100755 index 00000000..73fd6306 --- /dev/null +++ b/tests/regress/mov_gs_eax.py @@ -0,0 +1,27 @@ +#!/usr/bin/python + +from unicorn import * +from unicorn.x86_const import * + +import regress + +class VldrPcInsn(regress.RegressTest): + + def runTest(self): + uc = Uc(UC_ARCH_X86, UC_MODE_32) + uc.mem_map(0x1000, 0x1000) + # mov gs, eax; mov eax, 1 + code = '8ee8b801000000'.decode('hex') + uc.mem_write(0x1000, code) + + uc.reg_write(UC_X86_REG_EAX, 0xFFFFFFFF) + # this should throw an error + # the eax test is just to prove the second instruction doesn't execute + try: + uc.emu_start(0x1000, len(code)) + except UcError: + return + self.assertEqual(uc.reg_read(UC_X86_REG_EAX), 1) + +if __name__ == '__main__': + regress.main() From 49b9f4f8da637cb1aebe3184ec8a5e46a1272e9f Mon Sep 17 00:00:00 2001 From: Chris Eagle Date: Thu, 4 Feb 2016 19:09:41 -0800 Subject: [PATCH 11/31] uc_x86_mmr type available in qemu/target-i386/unicorn.c --- include/unicorn/x86.h | 10 ++-- qemu/target-i386/cpu.h | 2 +- qemu/target-i386/unicorn.c | 97 ++++++++++++++++++----------------- tests/unit/test_gdt_idt_x86.c | 8 +-- 4 files changed, 59 insertions(+), 58 deletions(-) diff --git a/include/unicorn/x86.h b/include/unicorn/x86.h index ab5a0481..37667cfc 100644 --- a/include/unicorn/x86.h +++ b/include/unicorn/x86.h @@ -10,12 +10,12 @@ extern "C" { //Memory-Management Register fields (idtr, gdtr, ldtr, tr) //borrow from SegmentCache in qemu/target-i386/cpu.h -typedef struct x86_mmr { - uint32_t selector; - uint64_t base; /* handle 32 or 64 bit CPUs */ +typedef struct uc_x86_mmr { + uint16_t selector; /* not used by gdtr and idtr */ + uint64_t base; /* handle 32 or 64 bit CPUs */ uint32_t limit; - uint32_t flags; -} x86_mmr; + uint32_t flags; /* not used by gdtr and idtr */ +} uc_x86_mmr; // Callback function for tracing SYSCALL/SYSENTER (for uc_hook_intr()) // @user_data: user data passed to tracing APIs. diff --git a/qemu/target-i386/cpu.h b/qemu/target-i386/cpu.h index 68f802f9..4628a8df 100644 --- a/qemu/target-i386/cpu.h +++ b/qemu/target-i386/cpu.h @@ -699,7 +699,7 @@ typedef enum { typedef struct SegmentCache { uint32_t selector; - uint64_t base; /* handle 32 or 64 bit CPUs */ + target_ulong base; uint32_t limit; uint32_t flags; } SegmentCache; diff --git a/qemu/target-i386/unicorn.c b/qemu/target-i386/unicorn.c index 89ccdb6d..19b3dfcf 100644 --- a/qemu/target-i386/unicorn.c +++ b/qemu/target-i386/unicorn.c @@ -9,6 +9,7 @@ #include "tcg.h" #include "unicorn_common.h" +#include /* needed for uc_x86_mmr */ #define READ_QWORD(x) ((uint64)x) #define READ_DWORD(x) (x & 0xffffffff) @@ -278,24 +279,24 @@ int x86_reg_read(struct uc_struct *uc, unsigned int regid, void *value) *(int32_t *)value = X86_CPU(uc, mycpu)->env.segs[R_GS].base; break; case UC_X86_REG_IDTR: - ((SegmentCache *)value)->limit = (uint16_t)X86_CPU(uc, mycpu)->env.idt.limit; - ((SegmentCache *)value)->base = (uint32_t)X86_CPU(uc, mycpu)->env.idt.base; + ((uc_x86_mmr *)value)->limit = (uint16_t)X86_CPU(uc, mycpu)->env.idt.limit; + ((uc_x86_mmr *)value)->base = (uint32_t)X86_CPU(uc, mycpu)->env.idt.base; break; case UC_X86_REG_GDTR: - ((SegmentCache *)value)->limit = (uint16_t)X86_CPU(uc, mycpu)->env.gdt.limit; - ((SegmentCache *)value)->base = (uint32_t)X86_CPU(uc, mycpu)->env.gdt.base; + ((uc_x86_mmr *)value)->limit = (uint16_t)X86_CPU(uc, mycpu)->env.gdt.limit; + ((uc_x86_mmr *)value)->base = (uint32_t)X86_CPU(uc, mycpu)->env.gdt.base; break; case UC_X86_REG_LDTR: - ((SegmentCache *)value)->limit = X86_CPU(uc, mycpu)->env.ldt.limit; - ((SegmentCache *)value)->base = (uint32_t)X86_CPU(uc, mycpu)->env.ldt.base; - ((SegmentCache *)value)->selector = (uint16_t)X86_CPU(uc, mycpu)->env.ldt.selector; - ((SegmentCache *)value)->flags = X86_CPU(uc, mycpu)->env.ldt.flags; + ((uc_x86_mmr *)value)->limit = X86_CPU(uc, mycpu)->env.ldt.limit; + ((uc_x86_mmr *)value)->base = (uint32_t)X86_CPU(uc, mycpu)->env.ldt.base; + ((uc_x86_mmr *)value)->selector = (uint16_t)X86_CPU(uc, mycpu)->env.ldt.selector; + ((uc_x86_mmr *)value)->flags = X86_CPU(uc, mycpu)->env.ldt.flags; break; case UC_X86_REG_TR: - ((SegmentCache *)value)->limit = X86_CPU(uc, mycpu)->env.tr.limit; - ((SegmentCache *)value)->base = (uint32_t)X86_CPU(uc, mycpu)->env.tr.base; - ((SegmentCache *)value)->selector = (uint16_t)X86_CPU(uc, mycpu)->env.tr.selector; - ((SegmentCache *)value)->flags = X86_CPU(uc, mycpu)->env.tr.flags; + ((uc_x86_mmr *)value)->limit = X86_CPU(uc, mycpu)->env.tr.limit; + ((uc_x86_mmr *)value)->base = (uint32_t)X86_CPU(uc, mycpu)->env.tr.base; + ((uc_x86_mmr *)value)->selector = (uint16_t)X86_CPU(uc, mycpu)->env.tr.selector; + ((uc_x86_mmr *)value)->flags = X86_CPU(uc, mycpu)->env.tr.flags; break; } break; @@ -546,24 +547,24 @@ int x86_reg_read(struct uc_struct *uc, unsigned int regid, void *value) *(int8_t *)value = READ_BYTE_L(X86_CPU(uc, mycpu)->env.regs[15]); break; case UC_X86_REG_IDTR: - ((SegmentCache *)value)->limit = (uint16_t)X86_CPU(uc, mycpu)->env.idt.limit; - ((SegmentCache *)value)->base = X86_CPU(uc, mycpu)->env.idt.base; + ((uc_x86_mmr *)value)->limit = (uint16_t)X86_CPU(uc, mycpu)->env.idt.limit; + ((uc_x86_mmr *)value)->base = X86_CPU(uc, mycpu)->env.idt.base; break; case UC_X86_REG_GDTR: - ((SegmentCache *)value)->limit = (uint16_t)X86_CPU(uc, mycpu)->env.gdt.limit; - ((SegmentCache *)value)->base = X86_CPU(uc, mycpu)->env.gdt.base; + ((uc_x86_mmr *)value)->limit = (uint16_t)X86_CPU(uc, mycpu)->env.gdt.limit; + ((uc_x86_mmr *)value)->base = X86_CPU(uc, mycpu)->env.gdt.base; break; case UC_X86_REG_LDTR: - ((SegmentCache *)value)->limit = X86_CPU(uc, mycpu)->env.ldt.limit; - ((SegmentCache *)value)->base = X86_CPU(uc, mycpu)->env.ldt.base; - ((SegmentCache *)value)->selector = (uint16_t)X86_CPU(uc, mycpu)->env.ldt.selector; - ((SegmentCache *)value)->flags = X86_CPU(uc, mycpu)->env.ldt.flags; + ((uc_x86_mmr *)value)->limit = X86_CPU(uc, mycpu)->env.ldt.limit; + ((uc_x86_mmr *)value)->base = X86_CPU(uc, mycpu)->env.ldt.base; + ((uc_x86_mmr *)value)->selector = (uint16_t)X86_CPU(uc, mycpu)->env.ldt.selector; + ((uc_x86_mmr *)value)->flags = X86_CPU(uc, mycpu)->env.ldt.flags; break; case UC_X86_REG_TR: - ((SegmentCache *)value)->limit = X86_CPU(uc, mycpu)->env.tr.limit; - ((SegmentCache *)value)->base = X86_CPU(uc, mycpu)->env.tr.base; - ((SegmentCache *)value)->selector = (uint16_t)X86_CPU(uc, mycpu)->env.tr.selector; - ((SegmentCache *)value)->flags = X86_CPU(uc, mycpu)->env.tr.flags; + ((uc_x86_mmr *)value)->limit = X86_CPU(uc, mycpu)->env.tr.limit; + ((uc_x86_mmr *)value)->base = X86_CPU(uc, mycpu)->env.tr.base; + ((uc_x86_mmr *)value)->selector = (uint16_t)X86_CPU(uc, mycpu)->env.tr.selector; + ((uc_x86_mmr *)value)->flags = X86_CPU(uc, mycpu)->env.tr.flags; break; } break; @@ -725,24 +726,24 @@ int x86_reg_write(struct uc_struct *uc, unsigned int regid, const void *value) X86_CPU(uc, mycpu)->env.segs[R_GS].base = *(uint32_t *)value; break; case UC_X86_REG_IDTR: - X86_CPU(uc, mycpu)->env.idt.limit = (uint16_t)((SegmentCache *)value)->limit; - X86_CPU(uc, mycpu)->env.idt.base = (uint32_t)((SegmentCache *)value)->base; + X86_CPU(uc, mycpu)->env.idt.limit = (uint16_t)((uc_x86_mmr *)value)->limit; + X86_CPU(uc, mycpu)->env.idt.base = (uint32_t)((uc_x86_mmr *)value)->base; break; case UC_X86_REG_GDTR: - X86_CPU(uc, mycpu)->env.gdt.limit = (uint16_t)((SegmentCache *)value)->limit; - X86_CPU(uc, mycpu)->env.gdt.base = (uint32_t)((SegmentCache *)value)->base; + X86_CPU(uc, mycpu)->env.gdt.limit = (uint16_t)((uc_x86_mmr *)value)->limit; + X86_CPU(uc, mycpu)->env.gdt.base = (uint32_t)((uc_x86_mmr *)value)->base; break; case UC_X86_REG_LDTR: - X86_CPU(uc, mycpu)->env.ldt.limit = ((SegmentCache *)value)->limit; - X86_CPU(uc, mycpu)->env.ldt.base = (uint32_t)((SegmentCache *)value)->base; - X86_CPU(uc, mycpu)->env.ldt.selector = (uint16_t)((SegmentCache *)value)->selector; - X86_CPU(uc, mycpu)->env.ldt.flags = ((SegmentCache *)value)->flags; + X86_CPU(uc, mycpu)->env.ldt.limit = (uint16_t)((uc_x86_mmr *)value)->limit; + X86_CPU(uc, mycpu)->env.ldt.base = (uint32_t)((uc_x86_mmr *)value)->base; + X86_CPU(uc, mycpu)->env.ldt.selector = (uint16_t)((uc_x86_mmr *)value)->selector; + X86_CPU(uc, mycpu)->env.ldt.flags = ((uc_x86_mmr *)value)->flags; break; case UC_X86_REG_TR: - X86_CPU(uc, mycpu)->env.tr.limit = ((SegmentCache *)value)->limit; - X86_CPU(uc, mycpu)->env.tr.base = (uint32_t)((SegmentCache *)value)->base; - X86_CPU(uc, mycpu)->env.tr.selector = (uint16_t)((SegmentCache *)value)->selector; - X86_CPU(uc, mycpu)->env.tr.flags = ((SegmentCache *)value)->flags; + X86_CPU(uc, mycpu)->env.tr.limit = (uint16_t)((uc_x86_mmr *)value)->limit; + X86_CPU(uc, mycpu)->env.tr.base = (uint32_t)((uc_x86_mmr *)value)->base; + X86_CPU(uc, mycpu)->env.tr.selector = (uint16_t)((uc_x86_mmr *)value)->selector; + X86_CPU(uc, mycpu)->env.tr.flags = ((uc_x86_mmr *)value)->flags; break; } break; @@ -1003,24 +1004,24 @@ int x86_reg_write(struct uc_struct *uc, unsigned int regid, const void *value) WRITE_BYTE_L(X86_CPU(uc, mycpu)->env.regs[15], *(uint8_t *)value); break; case UC_X86_REG_IDTR: - X86_CPU(uc, mycpu)->env.idt.limit = (uint16_t)((SegmentCache *)value)->limit; - X86_CPU(uc, mycpu)->env.idt.base = ((SegmentCache *)value)->base; + X86_CPU(uc, mycpu)->env.idt.limit = (uint16_t)((uc_x86_mmr *)value)->limit; + X86_CPU(uc, mycpu)->env.idt.base = ((uc_x86_mmr *)value)->base; break; case UC_X86_REG_GDTR: - X86_CPU(uc, mycpu)->env.gdt.limit = (uint16_t)((SegmentCache *)value)->limit; - X86_CPU(uc, mycpu)->env.gdt.base = ((SegmentCache *)value)->base; + X86_CPU(uc, mycpu)->env.gdt.limit = (uint16_t)((uc_x86_mmr *)value)->limit; + X86_CPU(uc, mycpu)->env.gdt.base = ((uc_x86_mmr *)value)->base; break; case UC_X86_REG_LDTR: - X86_CPU(uc, mycpu)->env.ldt.limit = ((SegmentCache *)value)->limit; - X86_CPU(uc, mycpu)->env.ldt.base = ((SegmentCache *)value)->base; - X86_CPU(uc, mycpu)->env.ldt.selector = (uint16_t)((SegmentCache *)value)->selector; - X86_CPU(uc, mycpu)->env.ldt.flags = ((SegmentCache *)value)->flags; + X86_CPU(uc, mycpu)->env.ldt.limit = ((uc_x86_mmr *)value)->limit; + X86_CPU(uc, mycpu)->env.ldt.base = ((uc_x86_mmr *)value)->base; + X86_CPU(uc, mycpu)->env.ldt.selector = (uint16_t)((uc_x86_mmr *)value)->selector; + X86_CPU(uc, mycpu)->env.ldt.flags = ((uc_x86_mmr *)value)->flags; break; case UC_X86_REG_TR: - X86_CPU(uc, mycpu)->env.tr.limit = ((SegmentCache *)value)->limit; - X86_CPU(uc, mycpu)->env.tr.base = ((SegmentCache *)value)->base; - X86_CPU(uc, mycpu)->env.tr.selector = (uint16_t)((SegmentCache *)value)->selector; - X86_CPU(uc, mycpu)->env.tr.flags = ((SegmentCache *)value)->flags; + X86_CPU(uc, mycpu)->env.tr.limit = ((uc_x86_mmr *)value)->limit; + X86_CPU(uc, mycpu)->env.tr.base = ((uc_x86_mmr *)value)->base; + X86_CPU(uc, mycpu)->env.tr.selector = (uint16_t)((uc_x86_mmr *)value)->selector; + X86_CPU(uc, mycpu)->env.tr.flags = ((uc_x86_mmr *)value)->flags; break; } break; diff --git a/tests/unit/test_gdt_idt_x86.c b/tests/unit/test_gdt_idt_x86.c index 0ee0c9bc..5344d7a5 100644 --- a/tests/unit/test_gdt_idt_x86.c +++ b/tests/unit/test_gdt_idt_x86.c @@ -47,10 +47,10 @@ static void test_idt_gdt_i386(/*void **state*/) uc_engine *uc; uc_err err; uint8_t buf[6]; - x86_mmr idt; - x86_mmr gdt; - x86_mmr ldt; - x86_mmr tr; + uc_x86_mmr idt; + uc_x86_mmr gdt; + uc_x86_mmr ldt; + uc_x86_mmr tr; const uint8_t code[] = "\x0f\x01\x0c\x24\x0f\x01\x44\x24\x06"; // sidt [esp]; sgdt [esp+6] const uint64_t address = 0x1000000; From 4cb43be5bf5a7dee090a6c0c337e1ae0573a679f Mon Sep 17 00:00:00 2001 From: Chris Eagle Date: Thu, 4 Feb 2016 19:20:59 -0800 Subject: [PATCH 12/31] fix reg_read casting for x86 segment registers --- qemu/target-i386/unicorn.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) mode change 100644 => 100755 qemu/target-i386/unicorn.c diff --git a/qemu/target-i386/unicorn.c b/qemu/target-i386/unicorn.c old mode 100644 new mode 100755 index e6705133..3da1c94d --- a/qemu/target-i386/unicorn.c +++ b/qemu/target-i386/unicorn.c @@ -260,22 +260,22 @@ int x86_reg_read(struct uc_struct *uc, unsigned int regid, void *value) *(int16_t *)value = READ_WORD(X86_CPU(uc, mycpu)->env.eip); break; case UC_X86_REG_CS: - *(int32_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_CS].selector; + *(int16_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_CS].selector; break; case UC_X86_REG_DS: - *(int32_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_DS].selector; + *(int16_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_DS].selector; break; case UC_X86_REG_SS: - *(int32_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_SS].selector; + *(int16_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_SS].selector; break; case UC_X86_REG_ES: - *(int32_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_ES].selector; + *(int16_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_ES].selector; break; case UC_X86_REG_FS: - *(int32_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_FS].selector; + *(int16_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_FS].selector; break; case UC_X86_REG_GS: - *(int32_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_GS].selector; + *(int16_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_GS].selector; break; } break; @@ -412,22 +412,22 @@ int x86_reg_read(struct uc_struct *uc, unsigned int regid, void *value) *(int16_t *)value = READ_WORD(X86_CPU(uc, mycpu)->env.eip); break; case UC_X86_REG_CS: - *(int64_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_CS].selector; + *(int16_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_CS].selector; break; case UC_X86_REG_DS: - *(int64_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_DS].selector; + *(int16_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_DS].selector; break; case UC_X86_REG_SS: - *(int64_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_SS].selector; + *(int16_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_SS].selector; break; case UC_X86_REG_ES: - *(int64_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_ES].selector; + *(int16_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_ES].selector; break; case UC_X86_REG_FS: - *(int64_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_FS].selector; + *(int16_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_FS].selector; break; case UC_X86_REG_GS: - *(int64_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_GS].selector; + *(int16_t *)value = (uint16_t)X86_CPU(uc, mycpu)->env.segs[R_GS].selector; break; case UC_X86_REG_R8: *(int64_t *)value = READ_QWORD(X86_CPU(uc, mycpu)->env.regs[8]); From b49358524f2f6f0b019943aabc8cc719176c5d35 Mon Sep 17 00:00:00 2001 From: Chris Eagle Date: Thu, 4 Feb 2016 19:22:39 -0800 Subject: [PATCH 13/31] fix reg_read casting for x86 segment registers --- qemu/target-i386/unicorn.c | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100755 => 100644 qemu/target-i386/unicorn.c diff --git a/qemu/target-i386/unicorn.c b/qemu/target-i386/unicorn.c old mode 100755 new mode 100644 From dec3615d1208a388c60a39beb27cd2ea75b3a6b0 Mon Sep 17 00:00:00 2001 From: Chris Eagle Date: Thu, 4 Feb 2016 19:26:47 -0800 Subject: [PATCH 14/31] ldtr and tr limit is 20 bits, not 16 bits --- qemu/target-i386/unicorn.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) mode change 100644 => 100755 qemu/target-i386/unicorn.c diff --git a/qemu/target-i386/unicorn.c b/qemu/target-i386/unicorn.c old mode 100644 new mode 100755 index 19b3dfcf..cf03faa0 --- a/qemu/target-i386/unicorn.c +++ b/qemu/target-i386/unicorn.c @@ -734,13 +734,13 @@ int x86_reg_write(struct uc_struct *uc, unsigned int regid, const void *value) X86_CPU(uc, mycpu)->env.gdt.base = (uint32_t)((uc_x86_mmr *)value)->base; break; case UC_X86_REG_LDTR: - X86_CPU(uc, mycpu)->env.ldt.limit = (uint16_t)((uc_x86_mmr *)value)->limit; + X86_CPU(uc, mycpu)->env.ldt.limit = ((uc_x86_mmr *)value)->limit; X86_CPU(uc, mycpu)->env.ldt.base = (uint32_t)((uc_x86_mmr *)value)->base; X86_CPU(uc, mycpu)->env.ldt.selector = (uint16_t)((uc_x86_mmr *)value)->selector; X86_CPU(uc, mycpu)->env.ldt.flags = ((uc_x86_mmr *)value)->flags; break; case UC_X86_REG_TR: - X86_CPU(uc, mycpu)->env.tr.limit = (uint16_t)((uc_x86_mmr *)value)->limit; + X86_CPU(uc, mycpu)->env.tr.limit = ((uc_x86_mmr *)value)->limit; X86_CPU(uc, mycpu)->env.tr.base = (uint32_t)((uc_x86_mmr *)value)->base; X86_CPU(uc, mycpu)->env.tr.selector = (uint16_t)((uc_x86_mmr *)value)->selector; X86_CPU(uc, mycpu)->env.tr.flags = ((uc_x86_mmr *)value)->flags; From e73cbf1c88b333bbe3551855f44cab610ea204ce Mon Sep 17 00:00:00 2001 From: Nguyen Anh Quynh Date: Sat, 6 Feb 2016 09:47:57 +0800 Subject: [PATCH 15/31] arm: UC_QUERY_MODE return hardware mode (see issue #397) --- qemu/target-arm/unicorn_arm.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/qemu/target-arm/unicorn_arm.c b/qemu/target-arm/unicorn_arm.c index c8349806..95ea812d 100644 --- a/qemu/target-arm/unicorn_arm.c +++ b/qemu/target-arm/unicorn_arm.c @@ -116,10 +116,15 @@ static bool arm_stop_interrupt(int intno) static uc_err arm_query(struct uc_struct *uc, uc_query_type type, size_t *result) { CPUState *mycpu = first_cpu; + uint32_t mode; switch(type) { case UC_QUERY_MODE: - *result = (ARM_CPU(uc, mycpu)->env.thumb != 0); + // zero out ARM/THUMB mode + mode = uc->mode & ~(UC_MODE_ARM | UC_MODE_THUMB); + // THUMB mode or ARM MOde + mode += ((ARM_CPU(uc, mycpu)->env.thumb != 0)? UC_MODE_THUMB : UC_MODE_ARM); + *result = mode; return UC_ERR_OK; default: return UC_ERR_ARG; From ed77cacbf3398c880a7ca34e72ca9ca55601a932 Mon Sep 17 00:00:00 2001 From: Nguyen Anh Quynh Date: Sat, 6 Feb 2016 17:34:19 +0800 Subject: [PATCH 16/31] cosmetic change for uc_x86_mmr --- include/unicorn/x86.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/include/unicorn/x86.h b/include/unicorn/x86.h index 37667cfc..51401eba 100644 --- a/include/unicorn/x86.h +++ b/include/unicorn/x86.h @@ -8,13 +8,13 @@ extern "C" { #endif -//Memory-Management Register fields (idtr, gdtr, ldtr, tr) -//borrow from SegmentCache in qemu/target-i386/cpu.h +// Memory-Management Register for instructions IDTR, GDTR, LDTR, TR. +// Borrow from SegmentCache in qemu/target-i386/cpu.h typedef struct uc_x86_mmr { - uint16_t selector; /* not used by gdtr and idtr */ + uint16_t selector; /* not used by GDTR and IDTR */ uint64_t base; /* handle 32 or 64 bit CPUs */ uint32_t limit; - uint32_t flags; /* not used by gdtr and idtr */ + uint32_t flags; /* not used by GDTR and IDTR */ } uc_x86_mmr; // Callback function for tracing SYSCALL/SYSENTER (for uc_hook_intr()) From 6986fa39475313e3b55294e99ca9439e397f8e40 Mon Sep 17 00:00:00 2001 From: Nguyen Anh Quynh Date: Sat, 6 Feb 2016 17:35:45 +0800 Subject: [PATCH 17/31] x86: add new register enums for IDT, LDT, GDT & TR --- bindings/dotnet/UnicornManaged/Const/X86.fs | 6 +++++- bindings/go/unicorn/x86_const.go | 6 +++++- bindings/java/unicorn/X86Const.java | 6 +++++- bindings/python/unicorn/x86_const.py | 6 +++++- 4 files changed, 20 insertions(+), 4 deletions(-) diff --git a/bindings/dotnet/UnicornManaged/Const/X86.fs b/bindings/dotnet/UnicornManaged/Const/X86.fs index 01fca68e..e293d5a1 100644 --- a/bindings/dotnet/UnicornManaged/Const/X86.fs +++ b/bindings/dotnet/UnicornManaged/Const/X86.fs @@ -251,7 +251,11 @@ module X86 = let UC_X86_REG_R13W = 239 let UC_X86_REG_R14W = 240 let UC_X86_REG_R15W = 241 - let UC_X86_REG_ENDING = 242 + let UC_X86_REG_IDTR = 242 + let UC_X86_REG_GDTR = 243 + let UC_X86_REG_LDTR = 244 + let UC_X86_REG_TR = 245 + let UC_X86_REG_ENDING = 246 // X86 instructions diff --git a/bindings/go/unicorn/x86_const.go b/bindings/go/unicorn/x86_const.go index 74b87e62..49e2310f 100644 --- a/bindings/go/unicorn/x86_const.go +++ b/bindings/go/unicorn/x86_const.go @@ -246,7 +246,11 @@ const ( X86_REG_R13W = 239 X86_REG_R14W = 240 X86_REG_R15W = 241 - X86_REG_ENDING = 242 + X86_REG_IDTR = 242 + X86_REG_GDTR = 243 + X86_REG_LDTR = 244 + X86_REG_TR = 245 + X86_REG_ENDING = 246 // X86 instructions diff --git a/bindings/java/unicorn/X86Const.java b/bindings/java/unicorn/X86Const.java index 1a558a63..9c6d93ee 100644 --- a/bindings/java/unicorn/X86Const.java +++ b/bindings/java/unicorn/X86Const.java @@ -248,7 +248,11 @@ public interface X86Const { public static final int UC_X86_REG_R13W = 239; public static final int UC_X86_REG_R14W = 240; public static final int UC_X86_REG_R15W = 241; - public static final int UC_X86_REG_ENDING = 242; + public static final int UC_X86_REG_IDTR = 242; + public static final int UC_X86_REG_GDTR = 243; + public static final int UC_X86_REG_LDTR = 244; + public static final int UC_X86_REG_TR = 245; + public static final int UC_X86_REG_ENDING = 246; // X86 instructions diff --git a/bindings/python/unicorn/x86_const.py b/bindings/python/unicorn/x86_const.py index 124da17b..a0cf0abc 100644 --- a/bindings/python/unicorn/x86_const.py +++ b/bindings/python/unicorn/x86_const.py @@ -244,7 +244,11 @@ UC_X86_REG_R12W = 238 UC_X86_REG_R13W = 239 UC_X86_REG_R14W = 240 UC_X86_REG_R15W = 241 -UC_X86_REG_ENDING = 242 +UC_X86_REG_IDTR = 242 +UC_X86_REG_GDTR = 243 +UC_X86_REG_LDTR = 244 +UC_X86_REG_TR = 245 +UC_X86_REG_ENDING = 246 # X86 instructions From 7394a9ba30fc1005520f40c78c27ebd467a71379 Mon Sep 17 00:00:00 2001 From: McLovi9 Date: Sat, 6 Feb 2016 14:35:31 +0100 Subject: [PATCH 18/31] Add query mode bind --- bindings/python/unicorn/unicorn.py | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/bindings/python/unicorn/unicorn.py b/bindings/python/unicorn/unicorn.py index 9fd9a896..476ac552 100644 --- a/bindings/python/unicorn/unicorn.py +++ b/bindings/python/unicorn/unicorn.py @@ -107,6 +107,7 @@ _setup_prototype(_uc, "uc_mem_map", ucerr, uc_engine, ctypes.c_uint64, ctypes.c_ _setup_prototype(_uc, "uc_mem_map_ptr", ucerr, uc_engine, ctypes.c_uint64, ctypes.c_size_t, ctypes.c_uint32, ctypes.c_void_p) _setup_prototype(_uc, "uc_mem_unmap", ucerr, uc_engine, ctypes.c_uint64, ctypes.c_size_t) _setup_prototype(_uc, "uc_mem_protect", ucerr, uc_engine, ctypes.c_uint64, ctypes.c_size_t, ctypes.c_uint32) +_setup_prototype(_uc, "uc_query", ucerr, uc_engine, ctypes.c_uint32, ctypes.POINTER(ctypes.c_size_t)) # uc_hook_add is special due to variable number of arguments _uc.uc_hook_add = getattr(_uc, "uc_hook_add") @@ -262,6 +263,14 @@ class Uc(object): if status != UC_ERR_OK: raise UcError(status) + # return CPU mode at runtime + def query(self, query_mode): + result = ctypes.c_size_t(0) + status = _uc.uc_query(self._uch, query_mode, ctypes.byref(result)) + if status != UC_ERR_OK: + raise UcError(status) + return result.value + def _hookcode_cb(self, handle, address, size, user_data): # call user's callback with self object @@ -381,3 +390,4 @@ def debug(): (major, minor, _combined) = uc_version() return "python-%s-c%u.%u-b%u.%u" % (all_archs, major, minor, UC_API_MAJOR, UC_API_MINOR) + From aa1657006b3c2beedfdc7f484e2c1cb19ba113c9 Mon Sep 17 00:00:00 2001 From: Chris Eagle Date: Sat, 6 Feb 2016 15:16:44 -0800 Subject: [PATCH 19/31] implement missing APIs (uc_query, uc_mem_map_ptr, uc_mem_regions) in java binding --- bindings/java/unicorn/MemRegion.java | 37 ++++++++++++++ bindings/java/unicorn/Unicorn.java | 40 +++++++++++++-- bindings/java/unicorn_Unicorn.c | 76 +++++++++++++++++++++++++++- 3 files changed, 148 insertions(+), 5 deletions(-) create mode 100755 bindings/java/unicorn/MemRegion.java mode change 100644 => 100755 bindings/java/unicorn/Unicorn.java mode change 100644 => 100755 bindings/java/unicorn_Unicorn.c diff --git a/bindings/java/unicorn/MemRegion.java b/bindings/java/unicorn/MemRegion.java new file mode 100755 index 00000000..b729b3a9 --- /dev/null +++ b/bindings/java/unicorn/MemRegion.java @@ -0,0 +1,37 @@ +/* + +Java bindings for the Unicorn Emulator Engine + +Copyright(c) 2016 Chris Eagle + +This program is free software; you can redistribute it and/or +modify it under the terms of the GNU General Public License +version 2 as published by the Free Software Foundation. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program; if not, write to the Free Software +Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +*/ + +package unicorn; + +public class MemRegion { + + public long begin; + public long end; + public int perms; + + public MemRegion(long begin, long end, int perms) { + this.begin = begin; + this.end = end; + this.perms = perms; + } + +} + diff --git a/bindings/java/unicorn/Unicorn.java b/bindings/java/unicorn/Unicorn.java old mode 100644 new mode 100755 index 5a28c267..f1a5d15f --- a/bindings/java/unicorn/Unicorn.java +++ b/bindings/java/unicorn/Unicorn.java @@ -288,7 +288,7 @@ public class Unicorn implements UnicornConst, ArmConst, Arm64Const, M68kConst, S * * @param arch Architecture type (UC_ARCH_*) * @param mode Hardware mode. This is combined of UC_MODE_* - * @see unicorn.UnicornArchs, unicorn.UnicornModes + * @see unicorn.UnicornConst * */ public Unicorn(int arch, int mode) throws UnicornException { @@ -327,7 +327,7 @@ public class Unicorn implements UnicornConst, ArmConst, Arm64Const, M68kConst, S * * @param arch Architecture type (UC_ARCH_*) * @return true if this library supports the given arch. - * @see unicorn.UnicornArchs + * @see unicorn.UnicornConst */ public native static boolean arch_supported(int arch); @@ -337,12 +337,23 @@ public class Unicorn implements UnicornConst, ArmConst, Arm64Const, M68kConst, S */ public native void close() throws UnicornException; +/** + * Query internal status of engine. + * + * @param type query type. See UC_QUERY_* + * @param result save the internal status queried + * + * @return: error code. see UC_ERR_* + * @see unicorn.UnicornConst + */ + public native int query(int type) throws UnicornException; + /** * Report the last error number when some API function fail. * Like glibc's errno, uc_errno might not retain its old value once accessed. * * @return Error code of uc_err enum type (UC_ERR_*, see above) - * @see unicorn.UnicornErrors + * @see unicorn.UnicornConst */ public native int errno(); @@ -351,7 +362,7 @@ public class Unicorn implements UnicornConst, ArmConst, Arm64Const, M68kConst, S * * @param code Error code (see UC_ERR_* above) * @return Returns a String that describes the error code - * @see unicorn.UnicornErrors + * @see unicorn.UnicornConst */ public native static String strerror(int code); @@ -625,6 +636,19 @@ public class Unicorn implements UnicornConst, ArmConst, Arm64Const, M68kConst, S */ public native void mem_map(long address, long size, int perms) throws UnicornException; +/** + * Map existing host memory in for emulation. + * This API adds a memory region that can be used by emulation. + * + * @param address Base address of the memory range + * @param size Size of the memory block. + * @param perms Permissions on the memory block. A combination of UC_PROT_READ, UC_PROT_WRITE, UC_PROT_EXEC + * @param ptr Block of host memory backing the newly mapped memory. This block is + * expected to be an equal or larger size than provided, and be mapped with at + * least PROT_READ | PROT_WRITE. If it is not, the resulting behavior is undefined. + */ + public native void mem_map_ptr(long address, long size, int perms, byte[] block) throws UnicornException; + /** * Unmap a range of memory. * @@ -642,5 +666,13 @@ public class Unicorn implements UnicornConst, ArmConst, Arm64Const, M68kConst, S */ public native void mem_protect(long address, long size, int perms) throws UnicornException; +/** + * Retrieve all memory regions mapped by mem_map() and mem_map_ptr() + * NOTE: memory regions may be split by mem_unmap() + * + * @return list of mapped regions. +*/ + public native MemRegion[] mem_regions() throws UnicornException; + } diff --git a/bindings/java/unicorn_Unicorn.c b/bindings/java/unicorn_Unicorn.c old mode 100644 new mode 100755 index a14bd9e4..01af31ee --- a/bindings/java/unicorn_Unicorn.c +++ b/bindings/java/unicorn_Unicorn.c @@ -244,7 +244,28 @@ JNIEXPORT jboolean JNICALL Java_unicorn_Unicorn_arch_1supported JNIEXPORT void JNICALL Java_unicorn_Unicorn_close (JNIEnv *env, jobject self) { uc_engine *eng = getEngine(env, self); - uc_close(eng); + uc_err err = uc_close(eng); + if (err != UC_ERR_OK) { + throwException(env, err); + } + //We also need to ReleaseByteArrayElements for any regions that + //were mapped with uc_mem_map_ptr +} + +/* + * Class: unicorn_Unicorn + * Method: query + * Signature: (I)I + */ +JNIEXPORT jint JNICALL Java_unicorn_Unicorn_query + (JNIEnv *env, jobject self, jint type) { + uc_engine *eng = getEngine(env, self); + size_t result; + uc_err err = uc_query(eng, type, &result); + if (err != UC_ERR_OK) { + throwException(env, err); + } + return (jint)result; } /* @@ -508,6 +529,24 @@ JNIEXPORT void JNICALL Java_unicorn_Unicorn_mem_1map } } +/* + * Class: unicorn_Unicorn + * Method: mem_map_ptr + * Signature: (JJI[B)V + */ +JNIEXPORT void JNICALL Java_unicorn_Unicorn_mem_1map_1ptr + (JNIEnv *env, jobject self, jlong address, jlong size, jint perms, jbyteArray block) { + uc_engine *eng = getEngine(env, self); + jbyte *array = (*env)->GetByteArrayElements(env, block, NULL); + uc_err err = uc_mem_map_ptr(eng, (uint64_t)address, (size_t)size, (uint32_t)perms, (void*)array); + if (err != UC_ERR_OK) { + throwException(env, err); + } + //Need to track address/block/array so that we can ReleaseByteArrayElements when the + //block gets unmapped or when uc_close gets called + //(*env)->ReleaseByteArrayElements(env, block, array, JNI_ABORT); +} + /* * Class: unicorn_Unicorn * Method: mem_unmap @@ -521,6 +560,9 @@ JNIEXPORT void JNICALL Java_unicorn_Unicorn_mem_1unmap if (err != UC_ERR_OK) { throwException(env, err); } + + //If a region was mapped using uc_mem_map_ptr, we also need to + //ReleaseByteArrayElements for that region } /* @@ -537,3 +579,35 @@ JNIEXPORT void JNICALL Java_unicorn_Unicorn_mem_1protect throwException(env, err); } } + +/* + * Class: unicorn_Unicorn + * Method: mem_regions + * Signature: ()[Lunicorn/MemRegion; + */ +JNIEXPORT jobjectArray JNICALL Java_unicorn_Unicorn_mem_1regions + (JNIEnv *env, jobject self) { + uc_engine *eng = getEngine(env, self); + + uc_mem_region *regions = NULL; + uint32_t count = 0; + uint32_t i; + + uc_err err = uc_mem_regions(eng, ®ions, &count); + if (err != UC_ERR_OK) { + throwException(env, err); + } + jclass clz = (*env)->FindClass(env, "unicorn/MemRegion"); + if ((*env)->ExceptionCheck(env)) { + return NULL; + } + jobjectArray result = (*env)->NewObjectArray(env, (jsize)count, clz, NULL); + jmethodID cons = (*env)->GetMethodID(env, clz, "", "(JJI)V"); + for (i = 0; i < count; i++) { + jobject mr = (*env)->NewObject(env, clz, cons, regions[i].begin, regions[i].end, regions[i].perms); + (*env)->SetObjectArrayElement(env, result, (jsize)i, mr); + } + free(regions); + + return result; +} From 21b9fa860bb8a11d50bbb71e96c2f4e7fc88b85f Mon Sep 17 00:00:00 2001 From: Chris Eagle Date: Sat, 6 Feb 2016 15:18:03 -0800 Subject: [PATCH 20/31] fix file perms --- bindings/java/unicorn/MemRegion.java | 0 bindings/java/unicorn_Unicorn.c | 0 2 files changed, 0 insertions(+), 0 deletions(-) mode change 100755 => 100644 bindings/java/unicorn/MemRegion.java mode change 100755 => 100644 bindings/java/unicorn_Unicorn.c diff --git a/bindings/java/unicorn/MemRegion.java b/bindings/java/unicorn/MemRegion.java old mode 100755 new mode 100644 diff --git a/bindings/java/unicorn_Unicorn.c b/bindings/java/unicorn_Unicorn.c old mode 100755 new mode 100644 From ec5998bd027af61646f6f61c985e3a061f72cdef Mon Sep 17 00:00:00 2001 From: Chris Eagle Date: Sat, 6 Feb 2016 15:18:44 -0800 Subject: [PATCH 21/31] fix file perms --- bindings/java/unicorn/Unicorn.java | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100755 => 100644 bindings/java/unicorn/Unicorn.java diff --git a/bindings/java/unicorn/Unicorn.java b/bindings/java/unicorn/Unicorn.java old mode 100755 new mode 100644 From a5b1ae47c3ee82f6f8a1d6ce746d63114e51b688 Mon Sep 17 00:00:00 2001 From: Chris Eagle Date: Sat, 6 Feb 2016 19:19:55 -0800 Subject: [PATCH 22/31] remove unnecessary file --- bindings/java/unicorn/UnicornErrors.java | 38 ------------------------ 1 file changed, 38 deletions(-) delete mode 100644 bindings/java/unicorn/UnicornErrors.java diff --git a/bindings/java/unicorn/UnicornErrors.java b/bindings/java/unicorn/UnicornErrors.java deleted file mode 100644 index d3f376f5..00000000 --- a/bindings/java/unicorn/UnicornErrors.java +++ /dev/null @@ -1,38 +0,0 @@ -/* - -Java bindings for the Unicorn Emulator Engine - -Copyright(c) 2015 Chris Eagle - -This program is free software; you can redistribute it and/or -modify it under the terms of the GNU General Public License -version 2 as published by the Free Software Foundation. - -This program is distributed in the hope that it will be useful, -but WITHOUT ANY WARRANTY; without even the implied warranty of -MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -GNU General Public License for more details. - -You should have received a copy of the GNU General Public License -along with this program; if not, write to the Free Software -Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - -*/ - -package unicorn; - -public interface UnicornErrors { - public static final int UC_ERR_OK = 0; // No error: everything was fine - public static final int UC_ERR_OOM = 1; // Out-Of-Memory error: uc_open(), uc_emulate() - public static final int UC_ERR_ARCH = 2; // Unsupported architecture: uc_open() - public static final int UC_ERR_HANDLE = 3; // Invalid handle - public static final int UC_ERR_UCH = 4; // Invalid handle (uch) - public static final int UC_ERR_MODE = 5; // Invalid/unsupported mode: uc_open() - public static final int UC_ERR_VERSION = 6; // Unsupported version (bindings) - public static final int UC_ERR_MEM_READ = 7; // Quit emulation due to invalid memory READ: uc_emu_start() - public static final int UC_ERR_MEM_WRITE = 8; // Quit emulation due to invalid memory WRITE: uc_emu_start() - public static final int UC_ERR_HOOK = 9; // Invalid hook type: uc_hook_add() - public static final int UC_ERR_INSN_INVALID = 10; // Quit emulation due to invalid instruction: uc_emu_start() - public static final int UC_ERR_MAP = 11; // Invalid memory mapping: uc_mem_map() -} - From 84fbe5aa5ddfa5ad6e92a49197f731e03171cfb3 Mon Sep 17 00:00:00 2001 From: Chris Eagle Date: Sun, 7 Feb 2016 07:23:07 -0800 Subject: [PATCH 23/31] add x86 mmr handling to java binding --- bindings/java/samples/Sample_x86_mmr.java | 77 +++++++++++++++ bindings/java/unicorn/Unicorn.java | 84 +++++++++++++++- bindings/java/unicorn/X86_MMR.java | 46 +++++++++ bindings/java/unicorn_Unicorn.c | 113 +++++++++++++++++++++- 4 files changed, 316 insertions(+), 4 deletions(-) create mode 100644 bindings/java/samples/Sample_x86_mmr.java create mode 100644 bindings/java/unicorn/X86_MMR.java mode change 100644 => 100755 bindings/java/unicorn_Unicorn.c diff --git a/bindings/java/samples/Sample_x86_mmr.java b/bindings/java/samples/Sample_x86_mmr.java new file mode 100644 index 00000000..87bd8a0a --- /dev/null +++ b/bindings/java/samples/Sample_x86_mmr.java @@ -0,0 +1,77 @@ +/* + +Java bindings for the Unicorn Emulator Engine + +Copyright(c) 2016 Chris Eagle + +This program is free software; you can redistribute it and/or +modify it under the terms of the GNU General Public License +version 2 as published by the Free Software Foundation. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program; if not, write to the Free Software +Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +*/ + +/* Sample code to demonstrate how to register read/write API */ + +import unicorn.*; + +public class Sample_x86_mmr { + + static void test_x86_mmr() { + // Initialize emulator in X86-32bit mode + Unicorn uc; + try { + uc = new Unicorn(Unicorn.UC_ARCH_X86, Unicorn.UC_MODE_32); + } catch (UnicornException uex) { + System.out.println("Failed on uc_open() with error returned: " + uex); + return; + } + + // map 4k + uc.mem_map(ADDRESS, 0x1000, Unicorn.UC_PROT_ALL); + + X86_MMR ldtr1 = new X86_MMR(0x1111111122222222L, 0x33333333, 0x44444444, (short)0x5555); + X86_MMR ldtr2; + X86_MMR gdtr1 = new X86_MMR(0x6666666677777777L, 0x88888888, 0x99999999, (short)0xaaaa); + X86_MMR gdtr2, gdtr3, gdtr4; + + int eax; + + // initialize machine registers + + uc.reg_write(Unicorn.UC_X86_REG_LDTR, ldtr1); + uc.reg_write(Unicorn.UC_X86_REG_GDTR, gdtr1); + uc.reg_write(Unicorn.UC_X86_REG_EAX, new Long(0xdddddddd)); + + // read the registers back out + eax = (int)((Long)uc.reg_read(Unicorn.UC_X86_REG_EAX)).longValue(); + ldtr2 = (X86_MMR)uc.reg_read(Unicorn.UC_X86_REG_LDTR); + gdtr2 = (X86_MMR)uc.reg_read(Unicorn.UC_X86_REG_GDTR); + + System.out.printf(">>> EAX = 0x%x\n", eax); + + System.out.printf(">>> LDTR.base = 0x%x\n", ldtr2.base); + System.out.printf(">>> LDTR.limit = 0x%x\n", ldtr2.limit); + System.out.printf(">>> LDTR.flags = 0x%x\n", ldtr2.flags); + System.out.printf(">>> LDTR.selector = 0x%x\n\n", ldtr2.selector); + + System.out.printf(">>> GDTR.base = 0x%x\n", gdtr2.base); + System.out.printf(">>> GDTR.limit = 0x%x\n", gdtr2.limit); + + uc.close(); + } + + public static void main(String args[]) + { + test_x86_mmr(); + } + +} diff --git a/bindings/java/unicorn/Unicorn.java b/bindings/java/unicorn/Unicorn.java index f1a5d15f..edf43a29 100644 --- a/bindings/java/unicorn/Unicorn.java +++ b/bindings/java/unicorn/Unicorn.java @@ -26,6 +26,8 @@ import java.util.*; public class Unicorn implements UnicornConst, ArmConst, Arm64Const, M68kConst, SparcConst, MipsConst, X86Const { private long eng; + private int arch; + private int mode; private long blockHandle = 0; private long interruptHandle = 0; @@ -275,6 +277,38 @@ public class Unicorn implements UnicornConst, ArmConst, Arm64Const, M68kConst, S } } +/** + * Write to register. + * + * @param regid Register ID that is to be modified. + * @param value Number containing the new register value + */ + private native void reg_write_num(int regid, Number value) throws UnicornException; + +/** + * Write to register. + * + * @param regid Register ID that is to be modified. + * @param value X86 specific memory management register containing the new register value + */ + private native void reg_write_mmr(int regid, X86_MMR value) throws UnicornException; + +/** + * Read register value. + * + * @param regid Register ID that is to be retrieved. + * @return Number containing the requested register value. + */ + private native Number reg_read_num(int regid) throws UnicornException; + +/** + * Read register value. + * + * @param regid Register ID that is to be retrieved. + * @return X86_MMR containing the requested register value. + */ + private native Number reg_read_mmr(int regid) throws UnicornException; + /** * Native access to uc_open * @@ -292,6 +326,9 @@ public class Unicorn implements UnicornConst, ArmConst, Arm64Const, M68kConst, S * */ public Unicorn(int arch, int mode) throws UnicornException { + //remember these in case we need arch specific code + this.arch = arch; + this.mode = mode; eng = open(arch, mode); unicorns.put(eng, this); allLists.add(blockList); @@ -369,19 +406,60 @@ public class Unicorn implements UnicornConst, ArmConst, Arm64Const, M68kConst, S /** * Write to register. * + * @deprecated use reg_write(int regid, Object value) instead * @param regid Register ID that is to be modified. * @param value Array containing value that will be written into register @regid */ +@Deprecated public native void reg_write(int regid, byte[] value) throws UnicornException; +/** + * Write to register. + * + * @param regid Register ID that is to be modified. + * @param value Object containing the new register value. Long, BigInteger, or + * other custom class used to represent register values + */ + public void reg_write(int regid, Object value) throws UnicornException { + if (value instanceof Number) { + reg_write_num(regid, (Number)value); + } + else if (arch == UC_ARCH_X86 && value instanceof X86_MMR) { + if (regid >= UC_X86_REG_IDTR && regid <= UC_X86_REG_TR) { + reg_write_mmr(regid, (X86_MMR)value); + } + } + else { + throw new ClassCastException("Invalid value type"); + } + } + +/** + * Read register value. + * + * @deprecated use Object reg_write(int regid) instead + * @param regid Register ID that is to be retrieved. + * @param regsz Size of the register being retrieved. + * @return Byte array containing the requested register value. + */ +@Deprecated + public native byte[] reg_read(int regid, int regsz) throws UnicornException; + /** * Read register value. * * @param regid Register ID that is to be retrieved. - * @param regsz Size of the register being retrieved. - * @return Byte array containing the requested register value. + * @return Object containing the requested register value. Long, BigInteger, or + * other custom class used to represent register values */ - public native byte[] reg_read(int regid, int regsz) throws UnicornException; + public Object reg_read(int regid) throws UnicornException { + if (arch == UC_ARCH_X86 && regid >= UC_X86_REG_IDTR && regid <= UC_X86_REG_TR) { + return reg_read_mmr(regid); + } + else { + return reg_read_num(regid); + } + } /** * Write to memory. diff --git a/bindings/java/unicorn/X86_MMR.java b/bindings/java/unicorn/X86_MMR.java new file mode 100644 index 00000000..1c3db2bc --- /dev/null +++ b/bindings/java/unicorn/X86_MMR.java @@ -0,0 +1,46 @@ +/* + +Java bindings for the Unicorn Emulator Engine + +Copyright(c) 2016 Chris Eagle + +This program is free software; you can redistribute it and/or +modify it under the terms of the GNU General Public License +version 2 as published by the Free Software Foundation. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program; if not, write to the Free Software +Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +*/ + +package unicorn; + +public class X86_MMR { + + public long base; + public int limit; + public int flags; + public short selector; + + public X86_MMR(long base, int limit, int flags, short selector) { + this.base = base; + this.limit = limit; + this.flags = flags; + this.selector = selector; + } + + public X86_MMR(long base, int limit) { + this.base = base; + this.limit = limit; + selector = 0; + flags = 0; + } + +} + diff --git a/bindings/java/unicorn_Unicorn.c b/bindings/java/unicorn_Unicorn.c old mode 100644 new mode 100755 index 01af31ee..8b3bcfe2 --- a/bindings/java/unicorn_Unicorn.c +++ b/bindings/java/unicorn_Unicorn.c @@ -24,8 +24,8 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. #include #include - #include +#include #include "unicorn_Unicorn.h" //cache jmethodID values as we look them up @@ -201,6 +201,117 @@ static uc_engine *getEngine(JNIEnv *env, jobject self) { return (uc_engine *)(*env)->GetLongField(env, self, fid); } +/* + * Class: unicorn_Unicorn + * Method: reg_write_num + * Signature: (ILjava/lang/Number;)V + */ +JNIEXPORT void JNICALL Java_unicorn_Unicorn_reg_1write_1num + (JNIEnv *env, jobject self, jint regid, jobject value) { + uc_engine *eng = getEngine(env, self); + + jclass clz = (*env)->FindClass(env, "java/lang/Number"); + if ((*env)->ExceptionCheck(env)) { + return; + } + + jmethodID longValue = (*env)->GetMethodID(env, clz, "longValue", "()J"); + jlong longVal = (*env)->CallLongMethod(env, value, longValue); + uc_err err = uc_reg_write(eng, regid, &longVal); + if (err != UC_ERR_OK) { + throwException(env, err); + } +} + +/* + * Class: unicorn_Unicorn + * Method: reg_write_mmr + * Signature: (ILunicorn/X86_MMR;)V + */ +JNIEXPORT void JNICALL Java_unicorn_Unicorn_reg_1write_1mmr + (JNIEnv *env, jobject self, jint regid, jobject value) { + uc_engine *eng = getEngine(env, self); + uc_x86_mmr mmr; + + jclass clz = (*env)->FindClass(env, "unicorn/X86_MMR"); + if ((*env)->ExceptionCheck(env)) { + return; + } + + jfieldID fid = (*env)->GetFieldID(env, clz, "base", "J"); + mmr.base = (uint64_t)(*env)->GetLongField(env, value, fid); + + fid = (*env)->GetFieldID(env, clz, "limit", "I"); + mmr.limit = (uint32_t)(*env)->GetLongField(env, value, fid); + + fid = (*env)->GetFieldID(env, clz, "flags", "I"); + mmr.flags = (uint32_t)(*env)->GetLongField(env, value, fid); + + fid = (*env)->GetFieldID(env, clz, "selector", "S"); + mmr.selector = (uint16_t)(*env)->GetLongField(env, value, fid); + + uc_err err = uc_reg_write(eng, regid, &mmr); + if (err != UC_ERR_OK) { + throwException(env, err); + } +} + +/* + * Class: unicorn_Unicorn + * Method: reg_read_num + * Signature: (I)Ljava/lang/Number; + */ +JNIEXPORT jobject JNICALL Java_unicorn_Unicorn_reg_1read_1num + (JNIEnv *env, jobject self, jint regid) { + uc_engine *eng = getEngine(env, self); + + jclass clz = (*env)->FindClass(env, "java/lang/Long"); + if ((*env)->ExceptionCheck(env)) { + return NULL; + } + + jlong longVal; + uc_err err = uc_reg_read(eng, regid, &longVal); + if (err != UC_ERR_OK) { + throwException(env, err); + } + + jmethodID cons = (*env)->GetMethodID(env, clz, "", "(J)V"); + jobject result = (*env)->NewObject(env, clz, cons, longVal); + if ((*env)->ExceptionCheck(env)) { + return NULL; + } + return result; +} + +/* + * Class: unicorn_Unicorn + * Method: reg_read_mmr + * Signature: (I)Ljava/lang/Number; + */ +JNIEXPORT jobject JNICALL Java_unicorn_Unicorn_reg_1read_1mmr + (JNIEnv *env, jobject self, jint regid) { + uc_engine *eng = getEngine(env, self); + + jclass clz = (*env)->FindClass(env, "unicorn/X86_MMR"); + if ((*env)->ExceptionCheck(env)) { + return NULL; + } + + uc_x86_mmr mmr; + uc_err err = uc_reg_read(eng, regid, &mmr); + if (err != UC_ERR_OK) { + throwException(env, err); + } + + jmethodID cons = (*env)->GetMethodID(env, clz, "", "(JIIS)V"); + jobject result = (*env)->NewObject(env, clz, cons, mmr.base, mmr.limit, mmr.flags, mmr.selector); + if ((*env)->ExceptionCheck(env)) { + return NULL; + } + return result; +} + /* * Class: unicorn_Unicorn * Method: open From 9b8098bf634d6739ae9600f785e6176b8bb9d8e0 Mon Sep 17 00:00:00 2001 From: Chris Eagle Date: Sun, 7 Feb 2016 07:24:34 -0800 Subject: [PATCH 24/31] file perms --- bindings/java/unicorn_Unicorn.c | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100755 => 100644 bindings/java/unicorn_Unicorn.c diff --git a/bindings/java/unicorn_Unicorn.c b/bindings/java/unicorn_Unicorn.c old mode 100755 new mode 100644 From 17684086371a1f131b63dc0d113ef40ec6bba7b0 Mon Sep 17 00:00:00 2001 From: Nguyen Anh Quynh Date: Thu, 11 Feb 2016 09:13:45 +0800 Subject: [PATCH 25/31] update CREDITS.TXT --- CREDITS.TXT | 1 + 1 file changed, 1 insertion(+) diff --git a/CREDITS.TXT b/CREDITS.TXT index 5d6cd88e..049e9b56 100644 --- a/CREDITS.TXT +++ b/CREDITS.TXT @@ -54,3 +54,4 @@ Nguyen Tan Cong Loi Anh Tuan Shaun Wheelhouse: Homebrew package Kamil Rytarowski: Pkgsrc package +Zak Escano: MSVC binding From 5719481e3ffa66e7b9829f25dc693dd9fc0caf04 Mon Sep 17 00:00:00 2001 From: Nguyen Anh Quynh Date: Thu, 11 Feb 2016 17:53:51 +0800 Subject: [PATCH 26/31] move memory_overlap() around from mem_map() to mem_map_check(). this fixes test_mem_map.c in issue #420 --- uc.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/uc.c b/uc.c index ab466601..4eb04f8f 100644 --- a/uc.c +++ b/uc.c @@ -622,10 +622,6 @@ static uc_err mem_map(uc_engine *uc, uint64_t address, size_t size, uint32_t per { MemoryRegion **regions; - // this area overlaps existing mapped regions? - if (memory_overlap(uc, address, size)) - return UC_ERR_MAP; - if (block == NULL) return UC_ERR_NOMEM; @@ -666,6 +662,11 @@ static uc_err mem_map_check(uc_engine *uc, uint64_t address, size_t size, uint32 if ((perms & ~UC_PROT_ALL) != 0) return UC_ERR_ARG; + // this area overlaps existing mapped regions? + if (memory_overlap(uc, address, size)) { + return UC_ERR_MAP; + } + return UC_ERR_OK; } From bfbe91834e411700bc321852b83dfe279467a1d1 Mon Sep 17 00:00:00 2001 From: coco Date: Thu, 11 Feb 2016 15:02:14 +0100 Subject: [PATCH 27/31] two more testcases --- tests/regress/mem_fuzz.c | 14 ++++++------ tests/unit/test_mem_map.c | 48 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 55 insertions(+), 7 deletions(-) diff --git a/tests/regress/mem_fuzz.c b/tests/regress/mem_fuzz.c index aee3cdb0..bbf37eec 100644 --- a/tests/regress/mem_fuzz.c +++ b/tests/regress/mem_fuzz.c @@ -44,14 +44,14 @@ uint64_t get_aligned_len(){ void perform_map_step(uc_engine *uc){ uint64_t addr = get_aligned_addr(); uint64_t len = get_aligned_len(); - printf("map(0x%"PRIx64",0x%"PRIx64"); //%d\n", addr, len, step); + printf("map(uc,0x%"PRIx64",0x%"PRIx64"); //%d\n", addr, len, step); uc_mem_map(uc, addr, len, UC_PROT_READ | UC_PROT_WRITE); } void perform_unmap_step(uc_engine *uc){ uint64_t addr = get_aligned_addr(); uint64_t len = get_aligned_len(); - printf("unmap(0x%"PRIx64",0x%"PRIx64"); //%d\n", addr, len, step); + printf("unmap(uc,0x%"PRIx64",0x%"PRIx64"); //%d\n", addr, len, step); uc_mem_unmap(uc, addr, len); } @@ -60,7 +60,7 @@ void perform_write_step(uc_engine *uc){ memset(buff, 0, 4096*4); uint64_t addr = get_addr(); uint64_t len = get_len()%(4096*3); - printf("write(0x%"PRIx64",0x%"PRIx64"); //%d\n", addr, len, step); + printf("write(uc,0x%"PRIx64",0x%"PRIx64"); //%d\n", addr, len, step); uc_mem_write(uc, addr, buff, len); } @@ -68,16 +68,16 @@ void perform_read_step(uc_engine *uc){ char* buff[4096*4]; uint64_t addr = get_addr(); uint64_t len = get_len()%(4096*3); - printf("read(0x%"PRIx64",0x%"PRIx64"); //%d\n", addr, len, step); + printf("read(uc,0x%"PRIx64",0x%"PRIx64"); //%d\n", addr, len, step); uc_mem_read(uc, addr, buff, len); } void perform_fuzz_step(uc_engine *uc){ - switch( ((uint32_t)rand())%2 ){ + switch( ((uint32_t)rand())%4 ){ case 0: perform_map_step(uc); break; case 1: perform_unmap_step(uc); break; - //case 2: perform_read_step(uc); break; - //case 3: perform_write_step(uc); break; + case 2: perform_read_step(uc); break; + case 3: perform_write_step(uc); break; } } diff --git a/tests/unit/test_mem_map.c b/tests/unit/test_mem_map.c index 6b743f0c..303a370b 100644 --- a/tests/unit/test_mem_map.c +++ b/tests/unit/test_mem_map.c @@ -158,6 +158,52 @@ static void test_strange_map(void **state) uc_mem_unmap(uc, 0x0,0x1000); } +void write(uc_engine* uc, uint64_t addr, uint64_t len){ + uint8_t* buff = alloca(len); + memset(buff,0,len); + uc_mem_write(uc, addr, buff, len); + +} + +void read(uc_engine* uc, uint64_t addr, uint64_t len){ + uint8_t* buff = alloca(len); + uc_mem_read(uc, addr, buff, len); +} + +void map(uc_engine* uc, uint64_t addr, uint64_t len){ + uc_mem_map(uc, addr, len, UC_PROT_READ | UC_PROT_WRITE); +} + +void unmap(uc_engine* uc, uint64_t addr, uint64_t len){ + uc_mem_unmap(uc, addr, len); +} + +//most likely same bug as in test_strange_map, but looked different in fuzzer (sefault instead of assertion fail) +static void test_assertion_fail(void **state){ + uc_engine *uc = *state; + + map(uc,0x2000,0x4000); //5 + unmap(uc,0x3000,0x2000); //11 + map(uc,0x0,0x2000); //23 + map(uc,0x3000,0x2000); //24 + map(uc,0x9000,0x4000); //32 + map(uc,0x8000,0x1000); //34 + unmap(uc,0x1000,0x4000); //35 +} + +static void test_bad_offset(void **state){ + uc_engine *uc = *state; + map(uc,0x9000,0x4000); //17 + map(uc,0x4000,0x2000); //32 + unmap(uc,0x5000,0x1000); //35 + map(uc,0x0,0x1000); //42 + map(uc,0x5000,0x4000); //51 + map(uc,0x2000,0x1000); //53 + map(uc,0x1000,0x1000); //55 + unmap(uc,0x7000,0x3000); //58 + unmap(uc,0x5000,0x1000); //59 + unmap(uc,0x4000,0x2000); //70 +} @@ -167,6 +213,8 @@ int main(void) { test(test_basic), //test(test_bad_read), //test(test_bad_write), + test(test_bad_offset), + test(test_assertion_fail), test(test_bad_unmap), test(test_rw_across_boundaries), test(test_unmap_double_map), From 95beec805cbe3275788709c3b468a8c73f8e1297 Mon Sep 17 00:00:00 2001 From: coco Date: Thu, 11 Feb 2016 16:38:50 +0100 Subject: [PATCH 28/31] fixed memcpy that should be memmove --- qemu/memory.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/qemu/memory.c b/qemu/memory.c index 26683230..af38155f 100644 --- a/qemu/memory.c +++ b/qemu/memory.c @@ -85,7 +85,7 @@ void memory_unmap(struct uc_struct *uc, MemoryRegion *mr) if (uc->mapped_blocks[i] == mr) { uc->mapped_block_count--; //shift remainder of array down over deleted pointer - memcpy(&uc->mapped_blocks[i], &uc->mapped_blocks[i + 1], sizeof(MemoryRegion*) * (uc->mapped_block_count - i)); + memmove(&uc->mapped_blocks[i], &uc->mapped_blocks[i + 1], sizeof(MemoryRegion*) * (uc->mapped_block_count - i)); mr->destructor(mr); g_free((char *)mr->name); g_free(mr->ioeventfds); From 3bd7fa4bfe37b276714f2ca2dcc1e291066f85c6 Mon Sep 17 00:00:00 2001 From: Nguyen Anh Quynh Date: Fri, 12 Feb 2016 13:48:58 +0800 Subject: [PATCH 29/31] chmod -x qemu/target-i386/unicorn.c --- qemu/target-i386/unicorn.c | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100755 => 100644 qemu/target-i386/unicorn.c diff --git a/qemu/target-i386/unicorn.c b/qemu/target-i386/unicorn.c old mode 100755 new mode 100644 From f267ff2b17235c925dce02b3aa025304837d8983 Mon Sep 17 00:00:00 2001 From: Nguyen Anh Quynh Date: Mon, 15 Feb 2016 10:27:20 +0800 Subject: [PATCH 30/31] Update unicorn.h remove an outdated line on UC_QUERY_MODE --- include/unicorn/unicorn.h | 1 - 1 file changed, 1 deletion(-) diff --git a/include/unicorn/unicorn.h b/include/unicorn/unicorn.h index 2a556841..ae8cd736 100644 --- a/include/unicorn/unicorn.h +++ b/include/unicorn/unicorn.h @@ -261,7 +261,6 @@ typedef struct uc_mem_region { // All type of queries for uc_query() API. typedef enum uc_query_type { // Dynamically query current hardware mode. - // For ARM, uc_query() return 1 for Thumb mode, and 0 for Arm mode UC_QUERY_MODE = 1, } uc_query_type; From 8962adc9c5d1f8dfd4db9460989943a0e665a99b Mon Sep 17 00:00:00 2001 From: Nguyen Anh Quynh Date: Mon, 15 Feb 2016 15:51:14 +0800 Subject: [PATCH 31/31] sparc: use power_down to terminate emulation, rather than using trap. this fix hangup issue of tests/regress/sparc_reg.py --- qemu/target-sparc/translate.c | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/qemu/target-sparc/translate.c b/qemu/target-sparc/translate.c index a7f067cf..77dc4cb8 100644 --- a/qemu/target-sparc/translate.c +++ b/qemu/target-sparc/translate.c @@ -2630,12 +2630,6 @@ static void disas_sparc_insn(DisasContext * dc, unsigned int insn, bool hook_ins tcg_gen_debug_insn_start(tcg_ctx, dc->pc); } - // end address tells us to stop emulation - if (dc->pc == dc->uc->addr_end) { - insn = 0x91d02000; // generate TRAP to end this TB - hook_insn = false; // do not hook this instruction - } - // Unicorn: trace this instruction on request if (hook_insn && HOOK_EXISTS_BOUNDED(dc->uc, UC_HOOK_CODE, dc->pc)) { gen_uc_tracecode(tcg_ctx, 4, UC_HOOK_CODE_IDX, dc->uc, dc->pc); @@ -5405,9 +5399,8 @@ static inline void gen_intermediate_code_internal(SPARCCPU *cpu, // early check to see if the address of this block is the until address if (pc_start == env->uc->addr_end) { gen_tb_start(tcg_ctx); - insn = 0x91d02000; // generate TRAP to end this TB - disas_sparc_insn(dc, insn, false); - goto exit_gen_loop; + gen_helper_power_down(tcg_ctx, tcg_ctx->cpu_env); + goto done_generating; } max_insns = tb->cflags & CF_COUNT_MASK;