Comments (14)
Yeah, I guess those things make sense to add. So the complete list for this issue would be:
- Allow only tracing specific regions
- Print the return address if a `call` instruction is encountered
I only implement features I actually need myself, but you are welcome to give it a shot and make a PR if you choose. The trace function is `_hook_code`.
This is also (somewhat) related to #27.
from dumpulator.
You can surround your code with 3x backtick (`)
The RIP is already in the instruction, and it’s an argument to the function as well; you don’t have to read it again.
from dumpulator.
This is already implemented?
Sorry, I just saw it, my bad.
Take a look at this, for example: it does not show useful info like where it will return (ret address), whether in the system modules or the user modules (user code). If you can implement what I said above, that would be nice. Thanks.
EDIT: Or is this already added? I can't see it.
Also, you should have an option that only traces the user code and writes the contents to a file, because tracing system stuff is time consuming 😄
from dumpulator.
1234.zip - .dmp file. Just a simple crackme, for testing.
Hey, I took the time to implement these features, but I'm having a problem. For right now I'm just working on printing the ret address if a call is encountered.
```python
from unicorn import Uc
# This function lives in dumpulator.py, next to the Dumpulator class and the
# _get_regs helper it references, so no further imports are needed there.


def _hook_code(uc: Uc, address, size, dp: Dumpulator):
    code = b""
    try:
        code = dp.read(address, min(size, 15))
        instr = next(dp.cs.disasm(code, address, 1))
    except StopIteration:
        instr = None  # Unsupported instruction
    except IndexError:
        instr = None  # Likely invalid memory
    address_name = dp.exports.get(address, "")
    module = ""
    if dp.last_module and address in dp.last_module:
        # same module again
        pass
    else:
        # new module
        dp.last_module = dp.modules.find(address)
        if dp.last_module:
            module = dp.last_module.name
    if address_name:
        address_name = " " + address_name
    elif module:
        address_name = " " + module
    line = f"{hex(address)}{address_name}|"
    if instr is not None:
        line += instr.mnemonic
        if instr.op_str:
            line += " "
            line += instr.op_str
        for reg in _get_regs(instr):
            line += f"|{reg}={hex(dp.regs.__getattr__(reg))}"
        if instr.mnemonic == "call":
            # print return address by reading it off the stack.
            # Note: the hook runs before the call executes, so nothing has been
            # pushed yet, and dp.regs.sp is the 16-bit SP (dumpulator's
            # width-independent stack pointer is csp); this read is what fails
            # with UC_ERR_READ_UNMAPPED below.
            ret_address_size = 4  # 32 bit
            ret_address = dp._uc.mem_read(dp.regs.sp, ret_address_size)
            line += f"|return_address={hex(int.from_bytes(ret_address, byteorder='little'))}"
        if instr.mnemonic in {"syscall", "sysenter"}:
            line += f"|sequence_id=[{dp.sequence_id}]"
    else:
        line += f"??? (code: {code.hex()}, size: {hex(size)})"
    line += "\n"
    dp.trace.write(line)
```
Error => unicorn.unicorn.UcError: Invalid memory read (UC_ERR_READ_UNMAPPED)
Also, the cip is pointing to a valid address, since I checked it manually; the cip is 0x9227a7. The target test file is also 32-bit architecture. Maybe something is wrong with mem_read, not so sure.
Sorry if the code is bad; Python is not my best language.
from dumpulator.
The return address if you’re executing a `call` is the next instruction… so cip + insn.size (or whatever capstone uses)
from dumpulator.
OK, problem solved, thanks for the help. I should consider learning Python more extensively. I also made it cleaner, so I changed from this:
```python
ret_address_size = 4  # 32 bit
ret_address = dp._uc.mem_read(dp.regs.sp, ret_address_size)
```
to this:
```python
ret_address = uc.reg_read(UC_X86_REG_RIP) + instr.size
```
```python
from unicorn import Uc
# This function lives in dumpulator.py, next to the Dumpulator class and the
# _get_regs helper it references, so no further imports are needed there.


def _hook_code(uc: Uc, address, size, dp: Dumpulator):
    code = b""
    try:
        code = dp.read(address, min(size, 15))
        instr = next(dp.cs.disasm(code, address, 1))
    except StopIteration:
        instr = None  # Unsupported instruction
    except IndexError:
        instr = None  # Likely invalid memory
    address_name = dp.exports.get(address, "")
    module = ""
    if dp.last_module and address in dp.last_module:
        # same module again
        pass
    else:
        # new module
        dp.last_module = dp.modules.find(address)
        if dp.last_module:
            module = dp.last_module.name
    if address_name:
        address_name = " " + address_name
    elif module:
        address_name = " " + module
    line = f"{hex(address)}{address_name}|"
    if instr is not None:
        line += instr.mnemonic
        if instr.op_str:
            line += " "
            line += instr.op_str
        for reg in _get_regs(instr):
            line += f"|{reg}={hex(dp.regs.__getattr__(reg))}"
        if instr.mnemonic == "call":
            # print return address: the hook runs before the call executes,
            # so the return address is simply the next instruction
            ret_address = address + instr.size
            line += f"|return_address={hex(ret_address)}"
        if instr.mnemonic in {"syscall", "sysenter"}:
            line += f"|sequence_id=[{dp.sequence_id}]"
    else:
        line += f"??? (code: {code.hex()}, size: {hex(size)})"
    line += "\n"
    dp.trace.write(line)
```
from dumpulator.
Man, why is the format messed up? Sorry for that.
from dumpulator.
My bad, will fix now
from dumpulator.
Phew, done. OK, so do you want me to create a pull request, or will you just add the changes from this comment?
from dumpulator.
A pull request will be better. That will run the tests and give a clearer overview of what actually changed.
from dumpulator.
Is there any time frame for when my pull request will be merged? Thank you. Also, could you please provide me with the location of the tracing function, so that I can try to implement tracing for specific regions? Thank you again.
from dumpulator.
No worries, I’ll get to it. The tracing function is the one you already modified…
from dumpulator.
I did some initial work on the `flexible-tracing` branch: bbbc3ca
Currently the idea is that the user derives from the `AbstractTrace` class and can implement their own logic inside of the `step` function. The function `dp.set_tracing()` can be used to enable/disable tracing.
Some thinking is needed about the interface, it would be nice if the user can enable/disable tracing for sequence events (see #27) and also say 'only trace ranges X/Y/Z'.
Unicorn supports tracing specific ranges, but the annoying thing is that the callbacks will be delivered multiple times. This would need some special logic to work as a user might expect.
from dumpulator.
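As an added illustration of the two points made in this thread (the return address of a `call` being the address of the next instruction, and tracing only selected address ranges without the hook being delivered more than once), here is a small self-contained Python snippet. It is not code from dumpulator or from any participant in the thread: the `Instr`, `RangeTrace`, `merge_ranges`, `deliver_hooks` and `trace_user_code` names are assumptions, `deliver_hooks` only simulates an emulator delivering one code hook per registered range so the snippet runs offline, and the sample ranges and instruction stream are constructed. The approach to the "callbacks delivered multiple times" problem is to merge overlapping ranges before registering hooks, so every address is covered by exactly one hook.

```python
import bisect
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass
class Instr:
    """Minimal stand-in for a capstone instruction: address, size, text."""
    address: int
    size: int
    mnemonic: str
    op_str: str = ""


def merge_ranges(ranges: Iterable[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Coalesce [start, end) ranges so that no address is covered twice.

    One hook registered per raw range fires once per covering range for the
    same instruction; merging overlaps first gives one hook per address.
    """
    merged: List[Tuple[int, int]] = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


class RangeTrace:
    """Trace only instructions inside the given ranges.

    Hypothetical step() interface modelled on the AbstractTrace idea above.
    """

    def __init__(self, ranges: Iterable[Tuple[int, int]]):
        self.ranges = merge_ranges(ranges)
        self._starts = [s for s, _ in self.ranges]
        self.lines: List[str] = []

    def covers(self, address: int) -> bool:
        # bisect keeps the per-instruction filter cheap for many ranges
        i = bisect.bisect_right(self._starts, address) - 1
        return i >= 0 and self.ranges[i][0] <= address < self.ranges[i][1]

    def step(self, instr: Instr) -> Optional[str]:
        if not self.covers(instr.address):
            return None
        line = f"{hex(instr.address)}|{instr.mnemonic}"
        if instr.op_str:
            line += " " + instr.op_str
        if instr.mnemonic == "call":
            # The hook fires before the call executes, so nothing has been
            # pushed yet: the return address is simply the next instruction.
            line += f"|return_address={hex(instr.address + instr.size)}"
        self.lines.append(line)
        return line


def deliver_hooks(tracer: RangeTrace, stream: Iterable[Instr],
                  hook_ranges: Iterable[Tuple[int, int]]) -> List[str]:
    """Hypothetical driver standing in for an emulator run: deliver the code
    hook once per registered range that contains the instruction."""
    hook_ranges = list(hook_ranges)
    for instr in stream:
        hits = sum(1 for s, e in hook_ranges if s <= instr.address < e)
        for _ in range(hits):
            tracer.step(instr)
    return tracer.lines


def trace_user_code(stream: Iterable[Instr],
                    raw_ranges: Iterable[Tuple[int, int]]) -> List[str]:
    """Register the merged ranges, so each instruction is traced once."""
    tracer = RangeTrace(raw_ranges)
    return deliver_hooks(tracer, stream, tracer.ranges)


# Constructed sample: two overlapping "user code" ranges and a short stream
# that also visits an address in a "system module" that must be filtered out.
USER_RANGES = [(0x401000, 0x402000), (0x401800, 0x403000)]
SAMPLE_STREAM = [
    Instr(0x401000, 5, "call", "0x401100"),
    Instr(0x401005, 1, "ret"),
    Instr(0x77001000, 2, "mov", "eax, 1"),  # outside the user ranges
    Instr(0x401900, 6, "call", "dword ptr [0x402000]"),
]

if __name__ == "__main__":
    for line in trace_user_code(SAMPLE_STREAM, USER_RANGES):
        print(line)
```

With the raw, overlapping ranges registered directly (`deliver_hooks(RangeTrace(USER_RANGES), SAMPLE_STREAM, USER_RANGES)`) the instruction at 0x401900 is delivered twice, which is the behaviour described above; merging first removes the duplicate without any extra bookkeeping in `step`. In a real `AbstractTrace.step` the `Instr` would be the capstone instruction dumpulator already decodes.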