mirror of
https://github.com/yuzu-emu/unicorn.git
synced 2025-11-04 14:14:57 +00:00
115 lines
2.8 KiB
C
115 lines
2.8 KiB
C
#include <unicorn/unicorn.h>
|
|
#include <string.h>
|
|
#include <stdio.h>
|
|
|
|
|
|
int syscall_abi[] = {
|
|
UC_X86_REG_RAX, UC_X86_REG_RDI, UC_X86_REG_RSI, UC_X86_REG_RDX,
|
|
UC_X86_REG_R10, UC_X86_REG_R8, UC_X86_REG_R9
|
|
};
|
|
|
|
uint64_t vals[7] = { 200, 10, 11, 12, 13, 14, 15 };
|
|
|
|
// This part of the API is less... clean... because Unicorn supports arbitrary register types.
|
|
// So the least intrusive solution is passing individual pointers.
|
|
// On the plus side, you only need to make this pointer array once.
|
|
void *ptrs[7];
|
|
|
|
void uc_perror(const char *func, uc_err err)
|
|
{
|
|
fprintf(stderr, "Error in %s(): %s\n", func, uc_strerror(err));
|
|
}
|
|
|
|
#define BASE 0x10000
|
|
|
|
// mov rax, 100; mov rdi, 1; mov rsi, 2; mov rdx, 3; mov r10, 4; mov r8, 5; mov r9, 6; syscall
|
|
#define CODE "\x48\xc7\xc0\x64\x00\x00\x00\x48\xc7\xc7\x01\x00\x00\x00\x48\xc7\xc6\x02\x00\x00\x00\x48\xc7\xc2\x03\x00\x00\x00\x49\xc7\xc2\x04\x00\x00\x00\x49\xc7\xc0\x05\x00\x00\x00\x49\xc7\xc1\x06\x00\x00\x00\x0f\x05"
|
|
|
|
void hook_syscall(uc_engine *uc, void *user_data)
|
|
{
|
|
int i;
|
|
|
|
uc_reg_read_batch(uc, syscall_abi, ptrs, 7);
|
|
|
|
printf("syscall: {");
|
|
|
|
for (i = 0; i < 7; i++) {
|
|
if (i != 0) printf(", ");
|
|
printf("%" PRIu64, vals[i]);
|
|
}
|
|
|
|
printf("}\n");
|
|
}
|
|
|
|
void hook_code(uc_engine *uc, uint64_t addr, uint32_t size, void *user_data)
|
|
{
|
|
printf("HOOK_CODE: 0x%" PRIx64 ", 0x%x\n", addr, size);
|
|
}
|
|
|
|
int main()
|
|
{
|
|
int i;
|
|
uc_hook sys_hook;
|
|
uc_err err;
|
|
uc_engine *uc;
|
|
|
|
// set up register pointers
|
|
for (i = 0; i < 7; i++) {
|
|
ptrs[i] = &vals[i];
|
|
}
|
|
|
|
if ((err = uc_open(UC_ARCH_X86, UC_MODE_64, &uc))) {
|
|
uc_perror("uc_open", err);
|
|
return 1;
|
|
}
|
|
|
|
// reg_write_batch
|
|
printf("reg_write_batch({200, 10, 11, 12, 13, 14, 15})\n");
|
|
if ((err = uc_reg_write_batch(uc, syscall_abi, ptrs, 7))) {
|
|
uc_perror("uc_reg_write_batch", err);
|
|
return 1;
|
|
}
|
|
|
|
// reg_read_batch
|
|
memset(vals, 0, sizeof(vals));
|
|
if ((err = uc_reg_read_batch(uc, syscall_abi, ptrs, 7))) {
|
|
uc_perror("uc_reg_read_batch", err);
|
|
return 1;
|
|
}
|
|
|
|
printf("reg_read_batch = {");
|
|
|
|
for (i = 0; i < 7; i++) {
|
|
if (i != 0) printf(", ");
|
|
printf("%" PRIu64, vals[i]);
|
|
}
|
|
|
|
printf("}\n");
|
|
|
|
// syscall
|
|
printf("\n");
|
|
printf("running syscall shellcode\n");
|
|
|
|
if ((err = uc_hook_add(uc, &sys_hook, UC_HOOK_INSN, hook_syscall, NULL, 1, 0, UC_X86_INS_SYSCALL))) {
|
|
uc_perror("uc_hook_add", err);
|
|
return 1;
|
|
}
|
|
|
|
if ((err = uc_mem_map(uc, BASE, 0x1000, UC_PROT_ALL))) {
|
|
uc_perror("uc_mem_map", err);
|
|
return 1;
|
|
}
|
|
|
|
if ((err = uc_mem_write(uc, BASE, CODE, sizeof(CODE) - 1))) {
|
|
uc_perror("uc_mem_write", err);
|
|
return 1;
|
|
}
|
|
|
|
if ((err = uc_emu_start(uc, BASE, BASE + sizeof(CODE) - 1, 0, 0))) {
|
|
uc_perror("uc_emu_start", err);
|
|
return 1;
|
|
}
|
|
|
|
return 0;
|
|
}
|