这简直就是坑啊,,搞一整整一天的时间,从早上9点到晚上10点。苦逼。
在用python使用unicorn时,遇到c的函数时,只能想办法使用python重新实现,奈何对python不熟悉,想到使用原生的c程序直接用,于是就有标题这一幕。
https://github.com/unicorn-engine/unicorn
打开以上链接把unicorn源码下载下来之后按以下编译:
https://github.com/unicorn-engine/unicorn/blob/master/docs/COMPILE.md
我就知道,window平台,但凡编译文件,总是有坑。
Native build on Windows, with MSVC按个来呢,我下载了vs 2022社区版,安装之后编译无反应,可能是想安装window平台的c++环境。一看要占8个g,果断放弃。vs简直太庞大了。
Cross build from Linux host to Windows, with Mingw在linux下编译window,我以为能成功,结果也是卵用。
Native build on Windows host, with MSYS2/Mingw 最后使用msys2成功了。还是这里的靠谱。
编译到是成功了,怎么创建项目成功使用unicorn呢,又搞了好久。libunicorn.dll文件死活不行,最后只用libunicorn.a 发现可以了。同样ubantu也不能使用libunicorn.so,也要使用静态库 libunicorn.a
安装第三方库,首先就得把头文件和动态库或者静态库找到。分别使用include_directories,link_directories把目录加上,再link_libraries直接使用。ubantu下面去除掉lib开头,只保留后面的。
以下是windows cmakelist源码:
cmake_minimum_required(VERSION 3.22)
project(uniconTest)
set(CMAKE_CXX_STANDARD 14)
set(UNICORN_INCLUDE_DIR "D:/project/test/uniconTest/include/unicorn/")
set(LIBRARY_UNICORN_PATH "D:/project/test/uniconTest/lib/")
# 链接外部库(三方库)
include_directories(${UNICORN_INCLUDE_DIR})
link_directories(${LIBRARY_UNICORN_PATH})
link_libraries(libunicorn.a)
add_executable(sample_arm64 sample_arm64.c)
//#link_directories(${LIBRARY_UNICORN_PATH})是必要的,link_libraries全路径ubantu会报错,不过windows下又不报错且打印了正确数据。为了兼容,以后都还是要把这段代码加上。另外include_directories(${UNICORN_INCLUDE_DIR})加上后,#include 引号中内容不需要再写路径了。以下是ubantu环境下cmakelists
cmake_minimum_required(VERSION 3.26)
project(test)
set(CMAKE_CXX_STANDARD 14)
set(UNICORN_INCLUDE_DIR "/home/cxl/CLionProjects/test/include/unicorn/")
set(LIBRARY_UNICORN_PATH "/home/cxl/CLionProjects/test/lib/")
# 链接外部库
include_directories(${UNICORN_INCLUDE_DIR})
link_directories(${LIBRARY_UNICORN_PATH})
link_libraries(unicorn.a)
add_executable(test unicornTest.c)
target_link_libraries(test PRIVATE -lm pthread)
target_link_libraries(test PRIVATE -lm pthread)这段代码要加,不然报"undefined reference to `sqrt'"等一堆错,加上-lm之后就好了,剩下的错如"undefined reference to `pthread_sigmask'" 关于线程的错加上pthread后,ubantu上运行非常好,整个项目完全跑下来了。window下编译的只跑了部分就歇菜了,感觉windows还是有些问题。以下是测试代码:/* Unicorn Emulator Engine */
/* By Nguyen Anh Quynh, 2015 */
/* Sample code to demonstrate how to emulate ARM64 code */
#include "include/unicorn/unicorn.h"
#include <string.h>
// code to be emulated
#define ARM64_CODE \
"\xab\x05\x00\xb8\xaf\x05\x40\x38" // str w11, [x13], #0; ldrb w15, [x13],
// #0
//#define ARM64_CODE_EB "\xb8\x00\x05\xab\x38\x40\x05\xaf" // str w11, [x13];
// ldrb w15, [x13]
#define ARM64_CODE_EB ARM64_CODE
// mrs x2, tpidrro_el0
#define ARM64_MRS_CODE "\x62\xd0\x3b\xd5"
// memory address where emulation starts
#define ADDRESS 0x10000
static void hook_block(uc_engine *uc, uint64_t address, uint32_t size,
void *user_data)
{
printf(">>> Tracing basic block at 0x%" PRIx64 ", block size = 0x%x\n",
address, size);
}
static void hook_code(uc_engine *uc, uint64_t address, uint32_t size,
void *user_data)
{
printf(">>> Tracing instruction at 0x%" PRIx64
", instruction size = 0x%x\n",
address, size);
}
static void test_arm64_mem_fetch(void)
{
printf("enter...");
uc_engine *uc;
uc_err err;
uint64_t x1, sp, x0;
// msr x0, CurrentEL
unsigned char shellcode0[4] = {64, 66, 56, 213};
// .text:00000000004002C0 LDR X1, [SP,#arg_0]
unsigned char shellcode[4] = {0xE1, 0x03, 0x40, 0xF9};
unsigned shellcode_address = 0x4002C0;
uint64_t data_address = 0x10000000000000;
printf(">>> Emulate ARM64 fetching stack data from high address %" PRIx64
"\n",
data_address);
// Initialize emulator in ARM mode
err = uc_open(UC_ARCH_ARM64, UC_MODE_ARM, &uc);
if (err) {
printf("Failed on uc_open() with error returned: %u (%s)\n", err,
uc_strerror(err));
return;
}
uc_mem_map(uc, data_address, 0x30000, UC_PROT_ALL);
uc_mem_map(uc, 0x400000, 0x1000, UC_PROT_ALL);
sp = data_address;
uc_reg_write(uc, UC_ARM64_REG_SP, &sp);
uc_mem_write(uc, data_address, "\xc8\xc8\xc8\xc8\xc8\xc8\xc8\xc8", 8);
uc_mem_write(uc, shellcode_address, shellcode0, 4);
uc_mem_write(uc, shellcode_address + 4, shellcode, 4);
err = uc_emu_start(uc, shellcode_address, shellcode_address + 4, 0, 0);
if (err) {
printf("Failed on uc_emu_start() with error returned: %u\n", err);
}
x0 = 0;
uc_reg_read(uc, UC_ARM64_REG_X0, &x0);
printf(">>> x0(Exception Level)=%" PRIx64 "\n", x0 >> 2);
err = uc_emu_start(uc, shellcode_address + 4, shellcode_address + 8, 0, 0);
if (err) {
printf("Failed on uc_emu_start() with error returned: %u\n", err);
}
uc_reg_read(uc, UC_ARM64_REG_X1, &x1);
printf(">>> X1 = 0x%" PRIx64 "\n", x1);
uc_close(uc);
}
static void test_arm64(void)
{
uc_engine *uc;
uc_err err;
uc_hook trace1, trace2;
int64_t x11 = 0x12345678; // X11 register
int64_t x13 = 0x10000 + 0x8; // X13 register
int64_t x15 = 0x33; // X15 register
printf("Emulate ARM64 code\n");
// Initialize emulator in ARM mode
err = uc_open(UC_ARCH_ARM64, UC_MODE_ARM, &uc);
if (err) {
printf("Failed on uc_open() with error returned: %u (%s)\n", err,
uc_strerror(err));
return;
}
// map 2MB memory for this emulation
uc_mem_map(uc, ADDRESS, 2 * 1024 * 1024, UC_PROT_ALL);
// write machine code to be emulated to memory
uc_mem_write(uc, ADDRESS, ARM64_CODE, sizeof(ARM64_CODE) - 1);
// initialize machine registers
uc_reg_write(uc, UC_ARM64_REG_X11, &x11);
uc_reg_write(uc, UC_ARM64_REG_X13, &x13);
uc_reg_write(uc, UC_ARM64_REG_X15, &x15);
// tracing all basic blocks with customized callback
uc_hook_add(uc, &trace1, UC_HOOK_BLOCK, hook_block, NULL, 1, 0);
// tracing one instruction at ADDRESS with customized callback
uc_hook_add(uc, &trace2, UC_HOOK_CODE, hook_code, NULL, ADDRESS, ADDRESS);
// emulate machine code in infinite time (last param = 0), or when
// finishing all the code.
err = uc_emu_start(uc, ADDRESS, ADDRESS + sizeof(ARM64_CODE) - 1, 0, 0);
if (err) {
printf("Failed on uc_emu_start() with error returned: %u\n", err);
}
// now print out some registers
printf(">>> Emulation done. Below is the CPU context\n");
printf(">>> As little endian, X15 should be 0x78:\n");
uc_reg_read(uc, UC_ARM64_REG_X15, &x15);
printf(">>> X15 = 0x%" PRIx64 "\n", x15);
uc_close(uc);
}
static void test_arm64eb(void)
{
uc_engine *uc;
uc_err err;
uc_hook trace1, trace2;
int64_t x11 = 0x12345678; // X11 register
int64_t x13 = 0x10000 + 0x8; // X13 register
int64_t x15 = 0x33; // X15 register
printf("Emulate ARM64 Big-Endian code\n");
// Initialize emulator in ARM mode
err = uc_open(UC_ARCH_ARM64, UC_MODE_ARM + UC_MODE_BIG_ENDIAN, &uc);
if (err) {
printf("Failed on uc_open() with error returned: %u (%s)\n", err,
uc_strerror(err));
return;
}
// map 2MB memory for this emulation
uc_mem_map(uc, ADDRESS, 2 * 1024 * 1024, UC_PROT_ALL);
// write machine code to be emulated to memory
uc_mem_write(uc, ADDRESS, ARM64_CODE_EB, sizeof(ARM64_CODE_EB) - 1);
// initialize machine registers
uc_reg_write(uc, UC_ARM64_REG_X11, &x11);
uc_reg_write(uc, UC_ARM64_REG_X13, &x13);
uc_reg_write(uc, UC_ARM64_REG_X15, &x15);
// tracing all basic blocks with customized callback
uc_hook_add(uc, &trace1, UC_HOOK_BLOCK, hook_block, NULL, 1, 0);
// tracing one instruction at ADDRESS with customized callback
uc_hook_add(uc, &trace2, UC_HOOK_CODE, hook_code, NULL, ADDRESS, ADDRESS);
// emulate machine code in infinite time (last param = 0), or when
// finishing all the code.
err = uc_emu_start(uc, ADDRESS, ADDRESS + sizeof(ARM64_CODE_EB) - 1, 0, 0);
if (err) {
printf("Failed on uc_emu_start() with error returned: %u\n", err);
}
// now print out some registers
printf(">>> Emulation done. Below is the CPU context\n");
printf(">>> As big endian, X15 should be 0x78:\n");
uc_reg_read(uc, UC_ARM64_REG_X15, &x15);
printf(">>> X15 = 0x%" PRIx64 "\n", x15);
uc_close(uc);
}
static void test_arm64_sctlr()
{
uc_engine *uc;
uc_err err;
uc_arm64_cp_reg reg;
printf("Read the SCTLR register.\n");
err = uc_open(UC_ARCH_ARM64, UC_MODE_LITTLE_ENDIAN | UC_MODE_ARM, &uc);
if (err != UC_ERR_OK) {
printf("Failed on uc_open() with error returned: %u\n", err);
}
// SCTLR_EL1. See arm reference.
reg.crn = 1;
reg.crm = 0;
reg.op0 = 0b11;
reg.op1 = 0;
reg.op2 = 0;
err = uc_reg_read(uc, UC_ARM64_REG_CP_REG, ®);
if (err != UC_ERR_OK) {
printf("Failed on uc_reg_read() with error returned: %u\n", err);
}
printf(">>> SCTLR_EL1 = 0x%" PRIx64 "\n", reg.val);
reg.op1 = 0b100;
err = uc_reg_read(uc, UC_ARM64_REG_CP_REG, ®);
if (err != UC_ERR_OK) {
printf("Failed on uc_reg_read() with error returned: %u\n", err);
}
printf(">>> SCTLR_EL2 = 0x%" PRIx64 "\n", reg.val);
uc_close(uc);
}
static uint32_t hook_mrs(uc_engine *uc, uc_arm64_reg reg,
const uc_arm64_cp_reg *cp_reg, void *user_data)
{
uint64_t r_x2 = 0x114514;
printf(">>> Hook MSR instruction. Write 0x114514 to X2.\n");
uc_reg_write(uc, reg, &r_x2);
// Skip
return 1;
}
static void test_arm64_hook_mrs()
{
uc_engine *uc;
uc_err err;
uint64_t r_x2;
uc_hook hk;
printf("Hook MRS instruction.\n");
err = uc_open(UC_ARCH_ARM64, UC_MODE_LITTLE_ENDIAN | UC_MODE_ARM, &uc);
if (err != UC_ERR_OK) {
printf("Failed on uc_open() with error returned: %u\n", err);
}
err = uc_mem_map(uc, 0x1000, 0x1000, UC_PROT_ALL);
if (err != UC_ERR_OK) {
printf("Failed on uc_mem_map() with error returned: %u\n", err);
}
err = uc_mem_write(uc, 0x1000, ARM64_MRS_CODE, sizeof(ARM64_MRS_CODE));
if (err != UC_ERR_OK) {
printf("Failed on uc_mem_write() with error returned: %u\n", err);
}
err = uc_hook_add(uc, &hk, UC_HOOK_INSN, hook_mrs, NULL, 1, 0,
UC_ARM64_INS_MRS);
if (err != UC_ERR_OK) {
printf("Failed on uc_hook_add() with error returned: %u\n", err);
}
err = uc_emu_start(uc, 0x1000, 0x1000 + sizeof(ARM64_MRS_CODE) - 1, 0, 0);
if (err != UC_ERR_OK) {
printf("Failed on uc_emu_start() with error returned: %u\n", err);
}
err = uc_reg_read(uc, UC_ARM64_REG_X2, &r_x2);
if (err != UC_ERR_OK) {
printf("Failed on uc_reg_read() with error returned: %u\n", err);
}
printf(">>> X2 = 0x%" PRIx64 "\n", r_x2);
uc_close(uc);
}
int main(int argc, char **argv, char **envp)
{
test_arm64_mem_fetch();
test_arm64();
printf("-------------------------\n");
test_arm64eb();
printf("-------------------------\n");
// test_arm64_sctlr();
printf("-------------------------\n");
//test_arm64_hook_mrs();
return 0;
}
//程序输出:
/home/cxl/CLionProjects/test/cmake-build-debug/test
helloenter...>>> Emulate ARM64 fetching stack data from high address 10000000000000
>>> x0(Exception Level)=1
>>> X1 = 0xc8c8c8c8c8c8c8c8
Emulate ARM64 code
>>> Tracing basic block at 0x10000, block size = 0x8
>>> Tracing instruction at 0x10000, instruction size = 0x4
>>> Emulation done. Below is the CPU context
>>> As little endian, X15 should be 0x78:
>>> X15 = 0x78 //windows只到这里就结束了,后面的没有输出了
-------------------------
Emulate ARM64 Big-Endian code
>>> Tracing basic block at 0x10000, block size = 0x8
>>> Tracing instruction at 0x10000, instruction size = 0x4
>>> Emulation done. Below is the CPU context
>>> As big endian, X15 should be 0x78:
>>> X15 = 0x12
-------------------------
Read the SCTLR register.
>>> SCTLR_EL1 = 0xc50838
>>> SCTLR_EL2 = 0x0
-------------------------
Hook MRS instruction.
>>> Hook MSR instruction. Write 0x114514 to X2.
>>> X2 = 0x114514
Process finished with exit code 0window中只把test_arm64()运行完后就中止了,后面的arm64eb,arm64_sctlr,arm64_hook_mrs没有运行。
ubantu全部运行完成。
以下是区别:
“arm64eb”、“arm64”和“arm64_sctlr”是与计算机体系结构相关的术语,专门指ARMv8-A体系结构。
-ARM64:它是“ARM 64位”的缩写,指的是ARM体系结构的64位版本。与旧的32位ARM体系结构相比,它提供了改进的性能和功能。
-ARM64EB:“EB”代表“Endianess Big”。它是ARM64体系结构的扩展,支持大端字节顺序,其中最高有效字节存储在最低内存地址。
-ARM64_SCTLR:系统控制寄存器(SCTLR)是ARMv8-a体系结构中的一个寄存器,用于控制各种系统级设置和行为。您提到的特定寄存器“arm64_sctlr”可能是指特定于arm64体系结构的系统控制寄存器。它负责配置处理器模式、内存管理、缓存行为和其他系统级设置。
总结:
如果添加了动态库文件,结果总是报一堆与动态库相关的没有定义的错,说明动态库没有被加载成功。如果检查后没问题,那就换静态库试试。这是来自windows上的教训。
如果分别使用
ninja: error: '/home/cxl/CLionProjects/test/lib/unicorn.a', needed by 'test', missing and no known rule to make itinclude_directories(${UNICORN_INCLUDE_DIR})
link_directories(${LIBRARY_UNICORN_PATH})
target_link_libraries(test PRIVATE unicorn.so)//使用libunicorn.so,unicorn都不行。都报这个错,/home/cxl/CLionProjects/test/cmake-build-debug/test: error while loading shared libraries: libunicorn.so.2: cannot open shared object file: No such file or directory
使用:
target_link_libraries(test PRIVATE libunicorn)
//报这个错;&& /usr/bin/cc -g CMakeFiles/test.dir/unicornTest.c.o -o test -L/home/cxl/CLionProjects/test/lib -Wl,-rpath,/home/cxl/CLionProjects/test/lib -llibunicorn -lm -lpthread && :
/usr/bin/ld: cannot find -llibunicorn
collect2: error: ld returned 1 exit status
ninja: build stopped: subcommand failed.
linux仅能成功的6条都只有在添加了link_directories(${LIBRARY_UNICORN_PATH})这段代码后,
才可以,以下是成功的代码,看来去不去lib开头都一样的,加不加引号也都是一样的。
target_link_libraries(test PRIVATE unicorn.a)
target_link_libraries(test PRIVATE libunicorn.a)
target_link_libraries(test PRIVATE "libunicorn.a")
link_libraries("libunicorn.a")
link_libraries(libunicorn.a)
link_libraries(unicorn.a)
不过window全路径是有效的,可以成功的
# 链接外部库
include_directories(${UNICORN_INCLUDE_DIR})
#[[link_directories(${LIBRARY_UNICORN_PATH})]]
link_libraries("D:/project/test/uniconTest/lib/libunicorn.a")
不报错,成功。不过为了统一,以后还是要link_directories加上。target_link_libraries(test PRIVATE "/home/cxl/CLionProjects/test/lib/unicorn.a")//改成unicorn.so,不要引号都是以下错:ninja: error: '/home/cxl/CLionProjects/test/lib/unicorn.a', needed by 'test', missing and no known rule to make it
说明target_link_libraries只能配合link_directories使用,单独给绝对路径有问题,在这里耽误了好久时间来验证出来。target_link_libraries(test PRIVATE unicorn.a)//这个要在前
target_link_libraries(test PRIVATE -lm pthread)//这个要在后,顺序颠倒等于这段代码没加。
chatgpt 和BitoAlpha 是个好东西,有什么问题问它比百度和谷歌好使。要是没有它,我今天一天肯定是没啥收获的。
搞定!对cmakelist又多了一些理解。明天正式用c代码使用unicorn呢。