#include "sandbox_callbacks.h"

#include <cinttypes>
#include <cstdint>
#include <cstdio>
// Trace verbosity. 0 silences the per-instruction Capstone dump in
// handleCodeRun and the per-access log in handleMemoryRead; any value > 0
// enables both. Export-hit messages and dumpVmenv print regardless.
#define LOG_LEVEL 0
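namespace sandboxCallbacks {

namespace {

// Reads one guest general-purpose register as a zero-extended 64-bit value.
// `reg64` / `reg32` are the Unicorn register ids to use for a 64-bit and a
// 32-bit guest respectively. uc_reg_read fills only the low 4 bytes for a
// 32-bit register, so the zero-initialisation is what makes the upper half
// deterministic (the original handleMemoryRead left it uninitialised).
uint64_t readGuestReg(uc_engine* uc, bool isX64, int reg64, int reg32) {
    uint64_t regValue = 0;
    uc_reg_read(uc, isX64 ? reg64 : reg32, &regValue);
    return regValue;
}

// Looks for an exported function whose virtual address equals `rip` across
// every loaded module. The first hit is logged and handed to
// Sandbox::EmulateApi, after which the scan stops: an export table may map
// several names onto the same address, and dispatching the same entry twice
// would run the API emulation twice for a single call.
// `address` is the hook-supplied instruction address, kept for the log line.
// Returns true when an export was dispatched.
bool dispatchExportHit(Sandbox* sandbox, uc_engine* uc, uint64_t rip,
                       uint64_t address) {
    for (const auto& mod : sandbox->GetModuleList()) {
        for (const auto& exported : mod->export_function) {
            const auto vmAddress = mod->base + exported->function_address;
            if (vmAddress != rip) continue;
            printf("[%s] call function %s at file address: %" PRIx64 "\n",
                   mod->name, exported->name, address);
            sandbox->EmulateApi(uc, vmAddress, rip, exported->name);
            return true;
        }
    }
    return false;
}

}  // namespace

// UC_HOOK_CODE callback: fires before each guest instruction.
// Reads the instruction bytes at `address`, dispatches to API emulation when
// the guest is entering a known export, and (when LOG_LEVEL > 0) prints the
// disassembled instruction.
//   uc       - engine firing the hook
//   address  - guest address of the instruction about to execute
//   size     - instruction length reported by Unicorn
//   userData - Sandbox* passed at hook registration; ignored when null
void handleCodeRun(uc_engine* uc, uint64_t address, uint32_t size,
                   void* userData) {
    auto* sandbox = static_cast<Sandbox*>(userData);
    if (!sandbox) return;

    // Bound the fetch: no x86 instruction exceeds 15 bytes, so a larger
    // `size` is bogus and must not drive the read length (the previous code
    // heap-allocated `size` bytes unconditionally). A fixed stack buffer also
    // removes one allocation per emulated instruction.
    constexpr uint32_t kMaxInsnLen = 15;
    const size_t codeLen = size < kMaxInsnLen ? size : kMaxInsnLen;
    uint8_t codeBuffer[kMaxInsnLen] = {};
    if (uc_mem_read(uc, address, codeBuffer, codeLen) != UC_ERR_OK) {
        // Unreadable code page: nothing to trace or dispatch.
        return;
    }

    const bool isX64 = sandbox->GetPeInfo()->isX64;
    const uint64_t currentRip =
        readGuestReg(uc, isX64, UC_X86_REG_RIP, UC_X86_REG_EIP);

    // Match on the register value rather than `address`, as before.
    dispatchExportHit(sandbox, uc, currentRip, address);

    if (LOG_LEVEL > 0) {
        // Capstone disassembly of the first instruction in the buffer.
        cs_insn* insn = nullptr;  // stays null if cs_disasm bails out early
        const size_t insnCount =
            cs_disasm(sandbox->GetCapstoneHandle(), codeBuffer, codeLen,
                      address, 0, &insn);
        if (insnCount > 0) {
            printf("0x%016" PRIx64 " %-12s %s\n", insn[0].address,
                   insn[0].mnemonic, insn[0].op_str);
        }
        if (insn) cs_free(insn, insnCount);
    }
}

// UC_HOOK_MEM_READ callback: fires before a guest memory read.
// Only logs (when LOG_LEVEL > 0); it never alters guest state.
//   address - guest address being read
//   size    - access width in bytes reported by Unicorn
//   value   - not used here; presumably only populated for write/after-read
//             hooks — confirm against the Unicorn version in use
//   userData - Sandbox* passed at hook registration; ignored when null
void handleMemoryRead(uc_engine* uc, uc_mem_type type, uint64_t address,
                      int size, int64_t value, void* userData) {
    auto* sandbox = static_cast<Sandbox*>(userData);
    if (!sandbox) return;

    const bool isX64 = sandbox->GetPeInfo()->isX64;
    const uint64_t regRax =
        readGuestReg(uc, isX64, UC_X86_REG_RAX, UC_X86_REG_EAX);
    const uint64_t regRip =
        readGuestReg(uc, isX64, UC_X86_REG_RIP, UC_X86_REG_EIP);

    // Peek at the bytes the guest is about to read. `size` comes from the
    // engine, so only copy it into the 8-byte scratch word when it fits; a
    // wider access (e.g. a vector load) would otherwise overrun the stack.
    uint64_t readData = 0;
    int readError = -1;  // -1: read not attempted because size was out of range
    if (size > 0 && static_cast<size_t>(size) <= sizeof(readData)) {
        readError = uc_mem_read(uc, address, &readData,
                                static_cast<size_t>(size));
    }

    if (LOG_LEVEL > 0) {
        printf("[handleMemoryRead] Address: 0x%" PRIx64 " Size: %d Rax: 0x%"
               PRIx64 " Rip: 0x%" PRIx64 " Error: %d ReadData: 0x%" PRIx64
               "\n",
               address, size, regRax, regRip, readError, readData);
    }
}

// Prints a snapshot of the guest's main registers (RIP/RAX/RSP/RBP/RCX/RDX,
// or their 32-bit counterparts for a 32-bit guest).
//   userData - Sandbox* (needed for the bitness); nothing is printed when null
void dumpVmenv(uc_engine* uc, void* userData) {
    auto* sandbox = static_cast<Sandbox*>(userData);
    if (!sandbox) return;

    const bool isX64 = sandbox->GetPeInfo()->isX64;
    const uint64_t rip = readGuestReg(uc, isX64, UC_X86_REG_RIP, UC_X86_REG_EIP);
    const uint64_t rax = readGuestReg(uc, isX64, UC_X86_REG_RAX, UC_X86_REG_EAX);
    const uint64_t rsp = readGuestReg(uc, isX64, UC_X86_REG_RSP, UC_X86_REG_ESP);
    const uint64_t rbp = readGuestReg(uc, isX64, UC_X86_REG_RBP, UC_X86_REG_EBP);
    const uint64_t rcx = readGuestReg(uc, isX64, UC_X86_REG_RCX, UC_X86_REG_ECX);
    const uint64_t rdx = readGuestReg(uc, isX64, UC_X86_REG_RDX, UC_X86_REG_EDX);

    // Fixed-width hex specifiers: the previous `%p` for integers was a
    // format/argument mismatch.
    printf("[dumpVmenv] Rip: 0x%" PRIx64 " Rax: 0x%" PRIx64 " Rsp: 0x%" PRIx64
           " Rbp: 0x%" PRIx64 " Rcx: 0x%" PRIx64 " Rdx: 0x%" PRIx64 "\n",
           rip, rax, rsp, rbp, rcx, rdx);
}

// UC_HOOK_MEM_READ_UNMAPPED callback: the guest read an unmapped page.
// Currently diagnostic only — logs the fault and dumps the registers.
// TODO: handle the fault (map the page or stop emulation); not yet implemented.
// NOTE(review): Unicorn's unmapped-memory hooks are expected to return a bool
// telling the engine whether the access was handled; this void signature
// leaves that up to whatever cast the registration site applies — confirm.
void handleMemoryUnmapRead(uc_engine* uc, uc_mem_type type, uint64_t address,
                           int size, int64_t value, void* userData) {
    printf("[handleMemoryUnmapRead] Address: 0x%" PRIx64 " Size: %d Value: 0x%"
           PRIx64 "\n",
           address, size, static_cast<uint64_t>(value));
    dumpVmenv(uc, userData);  // tolerates a null userData
}

// UC_HOOK_MEM_WRITE callback. Not yet implemented: writes are currently
// neither logged nor filtered.
void handleMemoryWrite(uc_engine* uc, uc_mem_type type, uint64_t address,
                       int size, int64_t value, void* userData) {
    // TODO: not yet implemented
}

// UC_HOOK_INSN syscall callback. Not yet implemented: guest syscalls are
// currently ignored.
void handleSyscall(uc_engine* uc, void* userData) {
    // TODO: not yet implemented
}

}  // namespace sandboxCallbacks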