unicorn Callback triggered repeat

Callback triggered repeat

Open kanren3 opened this issue 2 years ago • 4 comments

Arch : x86
Mode: 64 bit

I created a hook using uc_hook_add with types READ_UNMAPPED, WRITE_UNMAPPED, and FETCH_UNMAPPED and I handled these situations in my callback. When I tried to handle FETCH_UNMAPPED, I called uc_emu_stop to stop the emulation, but after calling it, I still got my callback triggered with the address argument pointed to the next byte to the last one. I'm using unicorn version 2, the same code works perfectly in version 1. Am I using it incorrectly or it is a bug in this version?

x86_ldub_code ->load_helper->fetch_unmapped_callback : 1452
- disas_insn.next_byte->x86_ldub_code : 4845
- disas_insn.reswitch->x86_ldub_code : 5073

Mar 29 '22 15:03 kanren3

We can't help too much if you don't give a reproduction.

Mar 29 '22 18:03 wtdcode

如果您不提供复制品，我们将无法提供太多帮助。

unsigned char shellcode[] = { 
    0xE9, 0x00, 0x00, 0x00, 0x10,  //jmp
    0x90, 0x90 };   //nop

bool uc_hook_mem(uc_engine* uc, uc_mem_type type, uint64_t address, int size, int64_t value, void* user_data)
{
    printf("[stop] address:%llx\n", address);
    return false;
}

void test_example()
{
    uc_err uc_state = UC_ERR_OK;
    uc_engine* uc_handle = NULL;
    uc_hook mem_hook = 0;

    uc_state = uc_open(UC_ARCH_X86, UC_MODE_64, &uc_handle);

    if (UC_ERR_OK == uc_state) {
        uc_mem_map(uc_handle, 0x10000, 0x1000, UC_PROT_ALL);
        uc_mem_write(uc_handle, 0x10000, shellcode, sizeof(shellcode));

        uc_hook_add(uc_handle, &mem_hook, UC_HOOK_MEM_FETCH_UNMAPPED, uc_hook_mem, NULL, 1, 0);

        uc_emu_start(uc_handle, 0x10000, ~1, 0, 0);
    }
}