update
@@ -56,16 +56,26 @@ void handleCodeRun(uc_engine* uc, uint64_t address, uint32_t size,
|
||||
if (currentSectionIndex >= 0) {
|
||||
sandbox->SetLastExecuteSectionIndex(currentSectionIndex);
|
||||
}
|
||||
auto [lastReadImpAddr, lastImp] = sandbox->GetLastImpRead();
|
||||
if (lastImp != nullptr && currentRip == lastReadImpAddr) {
|
||||
printf(
|
||||
"direct call function [%s]%s at file address: %llx lastRip: "
|
||||
"%llx\n",
|
||||
lastImp->dll_name,
|
||||
lastImp->name, address, lastRip);
|
||||
sandbox->EmulateApi(uc, lastReadImpAddr, currentRip, lastImp->name);
|
||||
sandbox->SetLastImpRead(0, nullptr);
|
||||
} else {
|
||||
for (auto module : sandbox->GetModuleList()) {
|
||||
for (auto item : module->export_function) {
|
||||
const auto vmAddress = module->base + item->function_address;
|
||||
if (vmAddress == currentRip) {
|
||||
printf("[!!!]detect no correct call, currentRip: 0x%llx\n",
|
||||
currentRip);
|
||||
sandbox->SetLastImpRead(0, nullptr);
|
||||
|
||||
for (auto module : sandbox->GetModuleList()) {
|
||||
for (auto item : module->export_function) {
|
||||
const auto vmAddress = module->base + item->function_address;
|
||||
if (vmAddress == currentRip) {
|
||||
printf(
|
||||
"[%s] call function %s at file address: %llx lastRip: "
|
||||
"%llx\n",
|
||||
module->name, item->name, address, lastRip);
|
||||
sandbox->EmulateApi(uc, vmAddress, currentRip, item->name);
|
||||
sandbox->EmulateApi(uc, vmAddress, currentRip, item->name);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -83,7 +93,7 @@ void handleCodeRun(uc_engine* uc, uint64_t address, uint32_t size,
|
||||
}
|
||||
cs_free(instruction, instructionCount);
|
||||
|
||||
//dumpVmenv(uc, userData);
|
||||
// dumpVmenv(uc, userData);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -126,7 +136,7 @@ void handleMemoryRead(uc_engine* uc, uc_mem_type type, uint64_t address,
|
||||
}
|
||||
}
|
||||
|
||||
uint64_t readAddress;
|
||||
uint64_t readAddress = 0;
|
||||
auto readError =
|
||||
uc_mem_read(sandbox->GetUnicornHandle(), address, &readAddress, size);
|
||||
if (LOG_LEVEL > 0) {
|
||||
@@ -135,6 +145,19 @@ void handleMemoryRead(uc_engine* uc, uc_mem_type type, uint64_t address,
|
||||
"ReadData: %p Rbp: %p\n",
|
||||
address, size, regRax, regRip, readError, readAddress, regRbp);
|
||||
}
|
||||
for (auto imp : sandbox->GetImpFuncDict()) {
|
||||
const auto vmAddress =
|
||||
sandbox->GetPeInfo()->RecImageBase + imp->function_address;
|
||||
|
||||
if (vmAddress == address) {
|
||||
printf(
|
||||
"Handle ImpRead Address: [%s] call function %s at file "
|
||||
"address: %llx readAddress: "
|
||||
"%llx\n",
|
||||
imp->name, imp->name, address, readAddress);
|
||||
sandbox->SetLastImpRead(readAddress, imp);
|
||||
}
|
||||
}
|
||||
}
|
||||
void dumpVmenv(uc_engine* uc, void* userData) {
|
||||
auto* sandbox = static_cast<Sandbox*>(userData);
|
||||
@@ -172,7 +195,7 @@ void dumpVmenv(uc_engine* uc, void* userData) {
|
||||
sandbox->GetPeInfo()->isX64 ? UC_X86_REG_ECX : UC_X86_REG_ECX,
|
||||
&Ecx);
|
||||
printf(
|
||||
"[dumpVmenv] Rip: %p Rax: %p Rsp: %p Rbp: %p Rcx: %p Rdx: %p Eax: "
|
||||
"[dumpVmenv] Rip: %p lastRip: %p Rax: %p Rsp: %p Rbp: %p Rcx: %p Rdx: %p Eax: "
|
||||
"%08x Ecx: %08x\n",
|
||||
Rip, Rax, Rsp, Rbp, Rcx, Rdx, Eax, Ecx);
|
||||
|
||||
|
||||
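Review bot: In handleMemoryRead the new import-tracking loop passes `readAddress` to `SetLastImpRead(readAddress, imp)` without checking `readError`, and the `uc_mem_read` above it still copies `size` bytes into the 8-byte `readAddress`. `size` looks like the hook's access width, which the emulated sample determines, and nothing visible here bounds it, so a read wider than eight bytes would write past the variable on the host stack. Skip the loop unless the read is safe and succeeded, e.g. `if (readError == UC_ERR_OK && size <= sizeof(readAddress)) { ... }`, and ideally bound `size` before the `uc_mem_read` call itself. Separately, the dumpVmenv format string gains `lastRip: %p` while the argument line `Rip, Rax, Rsp, Rbp, Rcx, Rdx, Eax, Ecx` is printed only once and so appears unchanged, which would leave nine conversions for eight arguments. Both function bodies extend beyond the hunks shown, so the surrounding control flow should be confirmed.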