hzqst / unicorn_pe Goto Github PK

Unicorn PE is an unicorn based instrumentation project designed to emulate code execution for windows PE files.

License: MIT License

C++ 2.73% C 89.37% CMake 0.19% Assembly 0.01% Makefile 0.13% Python 1.62% Java 1.69% Shell 0.32% OCaml 0.61% PowerShell 0.04% Batchfile 0.03% Tcl 0.01% Smalltalk 0.01% C# 1.84% Ruby 0.26% F# 0.30% Go 0.22% Haskell 0.22% Pascal 0.32% Objective-C 0.09%

unicorn_pe's People

Contributors

Stargazers

Watchers

Forkers

fengjixuchui killvxk zhuhuibeishadiao meesong y11en pumpkinbro applesky6 yuaom fcccode supertanglang eipp4ssenger woozoo86 sylingyy shuixi2013 bjblcracked lllllllllllll5796 debugpro profiles boogie77 explife0011 uvbs zzz9328fb fake-cheater mrsrc whathhh-d in12hacker nevinhappy yang-zhiyuan l4ys a-new wdnmd-rushb 786556605 qiyeboy wgwjifeng coolboy4me b-xiang loudy2000 zcg19 luciouskami huangfengye sudami joker594302831 attackgithub kmwin 3h54n caobj haidragon whyliuxing armasm doublecl yang123vc szdyg iamhatling imulmul bestforever startion2007 xxr1537156 dybrkr mebuis alehacksp moodsdada huerr mountainspeak omgkaka taodaqiao tai7sy crackercat jilvan1234 huoji120 trash-code waterman178 peterg75 minrelp fiappy huamanlouyyy andy9211 sup817ch levisre grindfuzz ykankaya ibrahim-elsakka breakcount qqq694637644 leonzhangtw damen0909 trietptm-on-coding-algorithms okandok ju-87 enllune xu7103224 dff2020 shonker bronxc layerfsd newdive bb33bb cloutain prtectint3 mrexodia clayne

unicorn_pe's Issues

Improve debug logging in the project itself

Hi,

it would be more productive if we add debug test macros to identify problem areas faster.

Regards

Unexpected program termination during emulation

Hi,

unicorn_pe cpudata.exe -disasm
BlackBone: Allocate: Allocating at address 0x0000023ECC610000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x0000023ECC620000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x0000023ECC630000 (0x4000 bytes)
BlackBone: ManualMap: Mapping image 'cpudata.exe' with flags 0x1d001
BlackBone: ManualMap: Loading new image 'cpudata.exe'
BlackBone: ManualMap: Image base allocated at 0x0000023ecc640000
BlackBone: ManualMap: Performing image copy
BlackBone: ManualMap: Relocating image 'cpudata.exe'
BlackBone: ManualMap: Calling entry point for 'cpudata.exe', Reason: 1
BlackBone: ManualMap: DllMain of 'cpudata.exe' returned 0
BlackBone: Free: Decommit at address 0x0000023ECC64B000 (0x1000 bytes)
23ecc641000 enter 0x80, 0
23ecc641004 sub rsp, 0x60
23ecc641008 xor rcx, rcx
23ecc64100b call qword ptr [rip + 0x3057]
UC_MEM_FETCH_UNMAPPED from 7ff8535ce090
UC_MEM_FETCH_UNMAPPED rip at 7ff8535ce090
BlackBone: ManualMap: Unmapping image 'cpudata.exe'
BlackBone: ManualMap: Calling entry point for 'cpudata.exe', Reason: 0

here the program exits, but it was not closed manually, it works normally for a while, and then closes spontaneously.

cpudata.zip

It was a debug version, on the release version the behavior is similar
unicorn_pe cpudata.exe
UC_MEM_FETCH_UNMAPPED from 140704527212688
UC_MEM_FETCH_UNMAPPED rip at 140704527212688
uc_emu_start return: 8
entrypoint return: 0
last rip: 167095a100b (cpudata.exe+100b)

Doesn't work with additional options at all - unicorn_pe controls.exe -disasm.
Doesn't start - unicorn_pe cpuid.exe

可以

变强了啊...

Put the .exe (and any dependencies) in the repo's releases section

Having to install VS2017 just for it to not throw many errors when trying to build is a bit tedious. Of course, it's not that bad and I very much appreciate the work of this project. But it would be very nice to just be able to download the program and dive right into things.

Can't relocate image, no relocation flag

Hi,

this situation must be handled internally by the emulator. If you edit the header manually, the emulation hangs.

unicorn_pe cpuid.exe -disasm
BlackBone: Allocate: Allocating at address 0x000002A6F2DC0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x000002A6F2DD0000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x000002A6F2DE0000 (0x4000 bytes)
BlackBone: ManualMap: Mapping image 'cpuid.exe' with flags 0x1d001
BlackBone: ManualMap: Loading new image 'cpuid.exe'
BlackBone: ManualMap: Image base allocated at 0x000002a6f2df0000
BlackBone: ManualMap: Performing image copy
BlackBone: ManualMap: Relocating image 'cpuid.exe'
BlackBone: ManualMap: Can't relocate image, no relocation flag
BlackBone: Free: Free at address 0x000002A6F2DF0000
BlackBone: Free: Free at address 0x000002A6F2DC0000
BlackBone: Free: Free at address 0x000002A6F2DD0000
BlackBone: Free: Free at address 0x000002A6F2DE0000
failed to MapImage

cpuid_.zip

Doesn't compile with Visual Studio 2019? Requires patches to build with Visual Studio 2017?

git clone [email protected]:hzqst/unicorn_pe.git
cd unicorn_pe
"C:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\Common7\Tools\VsDevCmd.bat"
MSBuild unicorn_pe.sln /p:Platform=x64

"C:\Users\Brandon\Desktop\unicorn_pe\unicorn_pe.sln" (default target) (1) ->
"C:\Users\Brandon\Desktop\unicorn_pe\unicorn_pe\unicorn_pe.vcxproj.metaproj" (default target) (2) ->
"C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj" (default target) (4) ->
(ClCompile target) ->
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\Include\HandleGuard.h(36,18): error C2039: 'addressof': is not a member of 'std' (compiling source file Misc\InitOnce.cpp) [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\PE\ImageNET.h(24,50): error C2039: 'wstring': is not a member of 'std' (compiling source file PE\ImageNET.cpp) [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\PE\ImageNET.h(24,57): error C2065: 'wstring': undeclared identifier (compiling source file PE\ImageNET.cpp) [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\PE\ImageNET.h(24,64): error C2039: 'wstring': is not a member of 'std' (compiling source file PE\ImageNET.cpp) [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\PE\ImageNET.h(24,71): error C2065: 'wstring': undeclared identifier (compiling source file PE\ImageNET.cpp) [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\PE\ImageNET.h(24,40): error C2923: 'std::pair': 'wstring' is not a valid template type argument for parameter '_Ty1' (compiling source file PE\ImageNET.cpp) [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\PE\ImageNET.h(24,40): error C2923: 'std::pair': 'wstring' is not a valid template type argument for parameter '_Ty2' (compiling source file PE\ImageNET.cpp) [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\PE\ImageNET.h(24,40): error C3203: 'pair': unspecialized class template can't be used as a template argument for template parameter '_Kty', expected a real type (compiling source file PE\ImageNET.cpp) [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\PE\ImageNET.h(35,41): error C2039: 'wstring': is not a member of 'std' (compiling source file PE\ImageNET.cpp) [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\PE\ImageNET.h(35,48): error C4430: missing type specifier - int assumed. Note: C++ does not support default-int (compiling source file PE\ImageNET.cpp) [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\PE\ImageNET.h(35,48): error C2143: syntax error: missing ',' before '&' (compiling source file PE\ImageNET.cpp) [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\PE\ImageNET.h(48,31): error C2039: 'wstring': is not a member of 'std' (compiling source file PE\ImageNET.cpp) [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\PE\ImageNET.h(48,39): error C3646: 'GetImageRuntimeVer': unknown override specifier (compiling source file PE\ImageNET.cpp) [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\PE\ImageNET.h(48,59): error C2059: syntax error: 'const' (compiling source file PE\ImageNET.cpp) [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\PE\ImageNET.h(48,85): error C2238: unexpected token(s) preceding ';' (compiling source file PE\ImageNET.cpp) [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\PE\ImageNET.h(51,10): error C2039: 'wstring': is not a member of 'std' (compiling source file PE\ImageNET.cpp) [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\PE\ImageNET.h(51,18): error C3646: '_path': unknown override specifier (compiling source file PE\ImageNET.cpp) [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\PE\ImageNET.h(51,23): error C4430: missing type specifier - int assumed. Note: C++ does not support default-int (compiling source file PE\ImageNET.cpp) [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\PE\ImageNET.cpp(18,10): error C2065: '_path': undeclared identifier [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\PE\ImageNET.cpp(27,33): error C2039: 'wstring': is not a member of 'std' [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\PE\ImageNET.cpp(27,40): error C4430: missing type specifier - int assumed. Note: C++ does not support default-int [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\PE\ImageNET.cpp(27,40): error C2143: syntax error: missing ',' before '&' [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\PE\ImageNET.cpp(32,5): error C2065: '_path': undeclared identifier [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\PE\ImageNET.cpp(32,13): error C2065: 'path': undeclared identifier [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\PE\ImageNET.cpp(53,37): error C2065: '_path': undeclared identifier [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\PE\ImageNET.cpp(62,41): error C2065: '_path': undeclared identifier [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\PE\ImageNET.cpp(143,6): error C2039: 'wstring': is not a member of 'std' [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\PE\ImageNET.cpp(143,24): error C2039: 'GetImageRuntimeVer': is not a member of 'blackbone::ImageNET' [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\PE\ImageNET.cpp(143,42): error C4430: missing type specifier - int assumed. Note: C++ does not support default-int [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\PE\ImageNET.cpp(143,42): error C2146: syntax error: missing ';' before identifier 'GetImageRuntimeVer' [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\PE\ImageNET.cpp(144,1): error C2143: syntax error: missing ';' before '{' [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\PE\ImageNET.cpp(144,1): error C2447: '{': missing function header (old-style formal list?) [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\Process\ProcessModules.cpp(205,14): error C2039: 'inserter': is not a member of 'std' [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\Process\ProcessModules.cpp(205,22): error C3861: 'inserter': identifier not found [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\Symbols\PDBHelper.h(3,10): fatal error C1083: Cannot open include file: 'dia2.h': No such file or directory (compiling source file Symbols\PDBHelper.cpp) [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1504,61): error C2760: syntax error: unexpected token 'identifier', expected ';' [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1504,9): error C7510: 'type': use of dependent type name must be prefixed with 'typename' [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1506,9): error C2065: 'OriginalName': undeclared identifier [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1506,87): error C2059: syntax error: ';' [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1507,9): error C2065: 'OriginalName': undeclared identifier [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1507,38): error C2065: 'OriginalName': undeclared identifier [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1508,9): error C2065: 'OriginalName': undeclared identifier [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1508,52): error C2065: 'OriginalName': undeclared identifier [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1508,91): error C2065: 'OriginalName': undeclared identifier [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1510,14): error C2371: 'status': redefinition; different basic types [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1510,56): error C2065: 'OriginalName': undeclared identifier [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1511,60): error C2065: 'OriginalName': undeclared identifier [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1511,76): error C2065: 'OriginalName': undeclared identifier [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1515,9): error C2065: 'DllName1': undeclared identifier [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1516,9): error C2065: 'DllName1': undeclared identifier [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1517,9): error C2065: 'DllName1': undeclared identifier [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1517,48): error C2065: 'DllName1': undeclared identifier [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1519,62): error C2065: 'DllName1': undeclared identifier [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1522,5): error C2059: syntax error: 'if' [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1524,5): error C2059: syntax error: 'else' [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1527,5): error C2059: syntax error: 'if' [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1530,6): error C3927: '->': trailing return type is not allowed after a non-function declarator [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1530,6): error C3484: syntax error: expected '->' before the return type [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1530,7): error C3613: missing return type after '->' ('int' assumed) [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1530,18): error C4430: missing type specifier - int assumed. Note: C++ does not support default-int [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1530,7): error C2146: syntax error: missing ';' before identifier 'GenPrologue' [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1533,5): error C2059: syntax error: 'if' [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1534,5): error C2143: syntax error: missing ';' before '{' [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1534,5): error C2447: '{': missing function header (old-style formal list?) [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1541,6): error C3927: '->': trailing return type is not allowed after a non-function declarator [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1541,6): error C3484: syntax error: expected '->' before the return type [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1541,7): error C3613: missing return type after '->' ('int' assumed) [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1541,14): error C4430: missing type specifier - int assumed. Note: C++ does not support default-int [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1541,5): error C2086: 'int blackbone::a': redefinition [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1541,7): error C2146: syntax error: missing ';' before identifier 'GenCall' [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1542,5): error C2143: syntax error: missing ';' before '{' [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1542,5): error C2143: syntax error: missing ')' before ';' [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1542,5): error C2447: '{': missing function header (old-style formal list?) [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1549,7): error C2059: syntax error: ')' [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1551,13): error C3927: '->': trailing return type is not allowed after a non-function declarator [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1551,13): error C3484: syntax error: expected '->' before the return type [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1551,14): error C3613: missing return type after '->' ('int' assumed) [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1551,20): error C4430: missing type specifier - int assumed. Note: C++ does not support default-int [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1551,14): error C2146: syntax error: missing ';' before identifier 'remote' [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1554,5): error C2059: syntax error: 'if' [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1555,5): error C2143: syntax error: missing ';' before '{' [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1555,5): error C2447: '{': missing function header (old-style formal list?) [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1561,13): error C3927: '->': trailing return type is not allowed after a non-function declarator [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1561,13): error C3484: syntax error: expected '->' before the return type [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1561,14): error C3613: missing return type after '->' ('int' assumed) [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1561,20): error C4430: missing type specifier - int assumed. Note: C++ does not support default-int [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1561,5): error C2086: 'int blackbone::_process': redefinition [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1561,14): error C2146: syntax error: missing ';' before identifier 'remote' [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1562,6): error C3927: '->': trailing return type is not allowed after a non-function declarator [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1562,6): error C3484: syntax error: expected '->' before the return type [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1562,7): error C3613: missing return type after '->' ('int' assumed) [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1562,18): error C4430: missing type specifier - int assumed. Note: C++ does not support default-int [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1562,5): error C2086: 'int blackbone::a': redefinition [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1562,7): error C2146: syntax error: missing ';' before identifier 'GenEpilogue' [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1565,5): error C2059: syntax error: 'if' [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1568,14): error C4430: missing type specifier - int assumed. Note: C++ does not support default-int [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1569,5): error C2059: syntax error: 'if' [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1570,5): error C2143: syntax error: missing ';' before '{' [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1570,5): error C2447: '{': missing function header (old-style formal list?) [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1577,5): error C2059: syntax error: 'return' [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1585,10): error C2653: 'MMap': is not a class or namespace name [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1585,42): error C4430: missing type specifier - int assumed. Note: C++ does not support default-int [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1585,42): error C2143: syntax error: missing ',' before '&' [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1587,12): error C3861: 'Driver': identifier not found [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1587,33): error C2065: '_process': undeclared identifier [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1587,49): error C2065: 'imageMem': undeclared identifier [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1587,87): error C2065: 'imageMem': undeclared identifier [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1596,10): error C2653: 'MMap': is not a class or namespace name [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1596,35): error C2065: 'MemBlock': undeclared identifier [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1596,45): error C2065: 'imageMem': undeclared identifier [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1596,55): error C2275: 'size_t': illegal use of this type as an expression [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1596,62): error C2146: syntax error: missing ')' before identifier 'size' [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1597,1): error C2143: syntax error: missing ';' before '{' [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1597,1): error C2447: '{': missing function header (old-style formal list?) [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1644,6): error C2653: 'MMap': is not a class or namespace name [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1646,5): error C3861: 'reset': identifier not found [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1647,5): error C2065: '_expMgr': undeclared identifier [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1648,5): error C2065: '_process': undeclared identifier [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1657,7): error C2653: 'MMap': is not a class or namespace name [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1683,1): error C2059: syntax error: '}' [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\ManualMap\MMap.cpp(1683,1): error C2143: syntax error: missing ';' before '}' [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\Symbols\PDBHelper.h(3,10): fatal error C1083: Cannot open include file: 'dia2.h': No such file or directory (compiling source file Symbols\SymbolLoader.cpp) [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]
  C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\Process\RPC\RemoteExec.cpp(465,88): error C2440: 'initializing': cannot convert from 'const wchar_t [50]' to 'wchar_t *' [C:\Users\Brandon\Desktop\unicorn_pe\Blackbone\src\BlackBone\BlackBone.vcxproj]

    3 Warning(s)
    123 Error(s)

Failure to emulate simple 64-bit test application.

OS: Windows 10, Version 1809
Created 64-bit console application to test, but it seems there is a failure somewhere within mapping the image.
I have attached images of the debug output and the test app code.

output: https://imgur.com/a/w32nxtg
test app code: https://imgur.com/a/nWPJoOB

Any ideas?

dump crashed

dump command is crashed

My guess is that the driver crashes while calling the wdfversionbind function. Is there any solution?

Got error when compiling project

Hi , i have
Windows 10 x64 PC
Project on Debug Mode with x64
Visual Studio 2017
Windows SDK 10.0.17763.0

I cant compile the project.

Severity Code Description Project File Line Suppression State
Error LNK2001 unresolved external symbol "struct asmjit::X86RegData const asmjit::x86RegData" (?x86RegData@asmjit@@3UX86RegData@1@B) unicorn_pe C:\Users\kadir\Desktop\unicorn_pe\unicorn_pe\emuapi.obj 1

Severity Code Description Project File Line Suppression State
Error (active) E2633 invalid nontype template argument of type "HANDLE" unicorn_pe C:\Users\kadir\Desktop\unicorn_pe\Blackbone\src\BlackBone\Include\HandleGuard.h 84

Severity Code Description Project File Line Suppression State
Error LNK2019 unresolved external symbol __imp_Disasm referenced in function "private: bool __cdecl blackbone::TraceHook::CheckBranching(struct blackbone::HookContext const &,unsigned __int64,unsigned __int64)" (?CheckBranching@TraceHook@blackbone@@AEAA_NAEBUHookContext@2@_K1@Z) BlackBone C:\Users\kadir\Desktop\unicorn_pe\Blackbone\src\BlackBone\TraceHook.obj 1

How can i compile the project ?

牛逼啊

The latest build has many errors

C0000005了,这个偏移我也没看出是哪个指针....

跑这个驱动出现的问题
mhyprot2.zip

关于__security_cookie的问题

clear

Any plan to support x86?

Thank you for your great project, any plan to support x86?

unicorn_pe load exe

ManualMap failed

After I compiled it myself, I used the compiled program to analyze a 64-bit sys I wrote, but so did the 64 bits exe file, which was always manualmap failed。

sys:
API emulation callback not registered: ntoskrnl.exe!DbgPrintEx
called from imagebase+0x1025
BlackBone: ManualMap: Unmapping image 'myfirstdriver.sys'
BlackBone: Free: Free at address 0x000001DCF04A0000
BlackBone: ManualMap: Unmapping image 'ntoskrnl.exe'
BlackBone: Free: Free at address 0x000001DCF26A0000
uc_emu_start return: 0
entrypoint return: ffff10a0c2ae0d4c
last rip: 1dcf04a101f (myfirstdriver.sys+101f)
BlackBone: Free: Free at address 0x000001DCF0470000
BlackBone: Free: Free at address 0x000001DCF0490000
BlackBone: Free: Free at address 0x000001DCF0480000

exe:
LdrLoadDllByName failed to MapImage dxcore.dll, status C0000034
BlackBone: Allocate: Allocating at address 0x000001D1A5B80000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x000001D1A5B90000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x000001D1A5BA0000 (0x4000 bytes)
BlackBone: ManualMap: Mapping image 'ext-ms-win-gdi-desktop-l1-1-0.dll' with flags 0x1d001
BlackBone: ManualMap: Failed to load image 'ext-ms-win-gdi-desktop-l1-1-0.dll'/0x0000000000000000. Status 0xC0000034
BlackBone: Free: Free at address 0x000001D1A5B80000
BlackBone: Free: Free at address 0x000001D1A5B90000
BlackBone: Free: Free at address 0x000001D1A5BA0000
LdrLoadDllByName failed to MapImage ext-ms-win-gdi-desktop-l1-1-0.dll, status C0000034
BlackBone: ManualMap: Performing security cookie initializtion for image 'user32.dll'
BlackBone: ManualMap: Performing security cookie initializtion for image 'test.exe'
BlackBone: Free: Decommit at address 0x000001D1A9E45000 (0x1000 bytes)
BlackBone: Free: Decommit at address 0x000001D1A9B83000 (0x1000 bytes)
unknown API called
called from imagebase+0x70e7c
BlackBone: ManualMap: Unmapping image 'test.exe'
BlackBone: Free: Free at address 0x000001D1A7380000
BlackBone: ManualMap: Unmapping image 'user32.dll'
BlackBone: Free: Free at address 0x000001D1A99F0000
BlackBone: ManualMap: Unmapping image 'gdi32.dll'
BlackBone: Free: Free at address 0x000001D1A9E20000
uc_emu_start return: 0
entrypoint return: 1
last rip: 1d1a73f0e76 (test.exe+70e76)

Modular project architecture

Hi,

what if we switch to a modular architecture so that software modules are not compiled in a single file.

Regards,

Running unicorn_pe.exe under itself crashes

I've tried to do a sanity check by running unicorn_pe under itself hoping to see the usage message.

unicorn_pe crashed with an access violation on unicorn_pe.cpp:60 (I'm assuming that the access violation occurs on ((LDR_DATA_TABLE_ENTRY_BASE_T*)modInfo.ldpPtr)->EntryPoint

Debug vs Release - the release version does not display any logs

Hi,

the release version does not display any logs, it is not always profitable to work on the debug version, because there is no optimization in it.

Best Regards

Failed to compile BlackBone in the latest repo, but succeed to compile BlackBone from official repo.

Failed to compile BlackBone in latest repo.
Succeed to compile BlackBone from https://github.com/DarthTon/Blackbone

Tons of errors 'xxx' is not a member of 'std', which can be solved by adding #include <functional> to Winheaders.h.
But some other errors in MMap.cpp, RemoteExec.cpp, and PDBHelper.h require extra fix.

using Microsoft Visual Studio Community 2019 Version 16.9.1

Did not generate

The program was created successfully but there is no exe in the directory

dll模块地址重叠

unicorn_pe/unicorn_pe/unicorn_pe.cpp

Lines 55 to 62 in b6be005

    
           if (type == blackbone::PreCallback) 
        
           { 
        
           	uint64_t desiredBase = ctx->m_LoadModuleBase; 
        
           	uint64_t desiredNextLoadBase = PAGE_ALIGN_64k((uint64_t)ctx->m_LoadModuleBase + (uint64_t)modInfo.size + 0x10000ull); 
        
           	ctx->m_LoadModuleBase = desiredNextLoadBase; 
        
           	return blackbone::LoadData(blackbone::MT_Default, blackbone::Ldr_None, ctx->m_LoadModuleBase); 
        
           }

实际上在blackbone::PreCallback事件中，modInfo.size一直都是0，modInfo.size并没有起到预期的作用。

unicorn_pe/Blackbone/src/BlackBone/ManualMap/MMap.cpp

Lines 854 to 868 in b6be005

    
             if (_mapCallback != nullptr) 
        
             { 
        
                 ModuleData tmpData; 
        
                 tmpData.baseAddress = 0; 
        
                 tmpData.manual = ((pImage->flags & ManualImports) != 0); 
        
                 tmpData.fullPath = path; 
        
                 tmpData.name = Utils::ToLower( Utils::StripPath( path ) ); 
        
                 tmpData.size = 0; 
        
                 tmpData.type = pImage->ldrEntry.type; 
        
           tmpData.entryPoint = 0; 
        
           tmpData.ldrPtr = 0; 
        
           tmpData.imgPtr = 0; 
        
                 data = _mapCallback( PreCallback, _userContext, _process, tmpData ); 
        
             }

如果加载的模块大小超过0x10000，那么就会出现下面的情况。

很显然这些ImageBase是错误的

ImageName	ImageBase	ImageSize
"ntdll.dll"	0x0000000180030000	0x001f5000
"kernelbase.dll"	0x0000000180020000	0x002c8000
"kernel32.dll"	0x0000000180050000	0x000be000

"kernel32.LocalAlloc" 0x00000001800684c0

BlackBone缺少BeaEngineCheetah64.lib依赖

加上吧

ManualMap Driver失败

是不是这波update blackbone #10 把之前能mmap driver的代码给冲了

older version of VMProtect (about 2.x) use rax but eax as NtQuerySystemInformation result

//VMProtect 2.x
NtQuerySystemInformation class 11 return 0
fffff8000045be48			ret		
fffff8000001699e			test		bl, al
fffff800000169a0			cmc		
fffff800000169a1			jmp		0xfffff8000000cb03
fffff8000000cb03			jmp		0xfffff8000000ba81
fffff8000000ba81			or		rax, rax  <---damn VMProtect
fffff8000000ba84			jmp		0xfffff800000100c7
fffff800000100c7			jmp		0xfffff800000130b9
fffff800000130b9			jne		0xfffff8000000bd7d

//VMProtect 3.x
NtQuerySystemInformation class 11 return 0
fffff80000a2ec40			ret		
fffff8000023008e			mov		rbp, qword ptr [rsp + 0x50]
fffff80000230093			jmp		0xfffff8000038a8af
fffff8000038a8af			test		eax, eax <---fixed
fffff8000038a8b1			jmp		0xfffff8000038a8b6
fffff8000038a8b6			js		0xfffff8000038ac1b

This will cause a failure load for some VMProtect packed drivers since high dword of rax might be non-zero.
We have to return rax but eax in EmuNtQuerySystemInformation also, to fix this.

win10 1909 dependency on NToskrnl.exe failed to load failed to MapImage

BlackBone: Allocate: Allocating at address 0x0000016844F30000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x0000016844F40000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x0000016844F50000 (0x4000 bytes)
BlackBone: ManualMap: Mapping image 'dump.XR.sys' with flags 0x1d001
BlackBone: ManualMap: Loading new image 'dump.XR.sys'
BlackBone: ManualMap: Image base allocated at 0x0000016846a60000
BlackBone: ManualMap: Performing image copy
BlackBone: ManualMap: Relocating image 'dump.xr.sys'
BlackBone: ManualMap: Loading new dependency 'ntoskrnl.exe'
BlackBone: ManualMap: Dependency path resolved to 'C:\WINDOWS\system32\ntoskrnl.exe'
BlackBone: ManualMap: Loading new image 'C:\WINDOWS\system32\ntoskrnl.exe'
BlackBone: ManualMap: Image base allocated at 0x0000016849be0000
BlackBone: ManualMap: Performing image copy
BlackBone: ManualMap: Relocating image 'c:\windows\system32\ntoskrnl.exe'
BlackBone: ManualMap: Loading new dependency 'werkernel.sys'
BlackBone: ManualMap: Dependency path resolved to 'werkernel.sys'
BlackBone: ManualMap: Loading new image 'werkernel.sys'
BlackBone: ManualMap: Image base allocated at 0x0000016845240000
BlackBone: ManualMap: Performing image copy
BlackBone: ManualMap: Relocating image 'werkernel.sys'
BlackBone: ManualMap: Loading new dependency 'ksecdd.sys'
BlackBone: ManualMap: Dependency path resolved to 'ksecdd.sys'
BlackBone: ManualMap: Loading new image 'ksecdd.sys'
BlackBone: ManualMap: Image base allocated at 0x0000016845260000
BlackBone: ManualMap: Performing image copy
BlackBone: ManualMap: Relocating image 'ksecdd.sys'
BlackBone: ManualMap: Loading new dependency 'hal.dll'
BlackBone: ManualMap: Dependency path resolved to 'C:\WINDOWS\system32\hal.dll'
BlackBone: ManualMap: Loading new image 'C:\WINDOWS\system32\hal.dll'
BlackBone: ManualMap: Image base allocated at 0x0000016846b10000
BlackBone: ManualMap: Performing image copy
BlackBone: ManualMap: Relocating image 'c:\windows\system32\hal.dll'
BlackBone: ManualMap: Loading new dependency 'kdcom.dll'
BlackBone: ManualMap: Dependency path resolved to 'c:\windows\system32\kdcom.dll'
BlackBone: ManualMap: Loading new image 'c:\windows\system32\kdcom.dll'
BlackBone: ManualMap: Image base allocated at 0x0000016845290000
BlackBone: ManualMap: Performing image copy
BlackBone: ManualMap: Relocating image 'c:\windows\system32\kdcom.dll'
BlackBone: ManualMap: Performing security cookie initializtion for image 'kdcom.dll'
BlackBone: ManualMap: Loading new dependency 'pshed.dll'
BlackBone: ManualMap: Dependency path resolved to 'c:\windows\system32\pshed.dll'
BlackBone: ManualMap: Loading new image 'c:\windows\system32\pshed.dll'
BlackBone: ManualMap: Image base allocated at 0x0000016846d70000
BlackBone: ManualMap: Performing image copy
BlackBone: ManualMap: Relocating image 'c:\windows\system32\pshed.dll'
BlackBone: ManualMap: Performing security cookie initializtion for image 'pshed.dll'
BlackBone: ManualMap: Performing security cookie initializtion for image 'hal.dll'
BlackBone: ManualMap: Loading new dependency 'msrpc.sys'
BlackBone: ManualMap: Dependency path resolved to 'msrpc.sys'
BlackBone: ManualMap: Loading new image 'msrpc.sys'
BlackBone: ManualMap: Image base allocated at 0x000001684b310000
BlackBone: ManualMap: Performing image copy
BlackBone: ManualMap: Relocating image 'msrpc.sys'
BlackBone: ManualMap: Performing security cookie initializtion for image 'msrpc.sys'
BlackBone: ManualMap: Performing security cookie initializtion for image 'ksecdd.sys'
BlackBone: ManualMap: Performing security cookie initializtion for image 'werkernel.sys'
BlackBone: ManualMap: Loading new dependency 'tm.sys'
BlackBone: ManualMap: Dependency path resolved to 'tm.sys'
BlackBone: ManualMap: Loading new image 'tm.sys'
BlackBone: ManualMap: Image base allocated at 0x000001684b640000
BlackBone: ManualMap: Performing image copy
BlackBone: ManualMap: Relocating image 'tm.sys'
BlackBone: ManualMap: Loading new dependency 'clfs.sys'
BlackBone: ManualMap: Dependency path resolved to 'clfs.sys'
BlackBone: ManualMap: Loading new image 'clfs.sys'
BlackBone: ManualMap: Image base allocated at 0x000001684b670000
BlackBone: ManualMap: Performing image copy
BlackBone: ManualMap: Relocating image 'clfs.sys'
BlackBone: ManualMap: Performing security cookie initializtion for image 'clfs.sys'
BlackBone: ManualMap: Performing security cookie initializtion for image 'tm.sys'
BlackBone: ManualMap: Failed to get import 'TraceInitSystem' from image 'ntoskrnl.exe'
BlackBone: Free: Free at address 0x0000016849BE0000
BlackBone: ManualMap: Failed to load dependency 'C:\WINDOWS\system32\ntoskrnl.exe'. Status 0xc0000225
BlackBone: Free: Free at address 0x0000016846A60000
BlackBone: Free: Free at address 0x0000016844F30000
BlackBone: Free: Free at address 0x0000016844F40000
BlackBone: Free: Free at address 0x0000016844F50000
failed to MapImage

Unicorn 2.0 - Qemu 5 Support

Hi,

do you plan to update the emulator and fix memory allocation errors?

Thanks!

Regards,

Loading kernel driver

I'm trying to use the emulator to unpack a kernel driver. When loading the sys file, BlackBone fails to map the image (it tries to load dependencies such as ntoskrnl -> werkenerl -> clfs etc...). Did I missed something ?

compile was fine but its say failed to MapImage how should i do?

this is the full information about run it, thanks

F:\Git Strore\unicorn_pe\x64\Debug>unicorn_pe.exe TestErrorDriver.sys
BlackBone: PDB: Failed to load msdia140.dll, error 0x0000007e
BlackBone: PDB: blackbone::PDBHelper::Init: (CoCreateDiaDataSource()) failed with HRESULT 0x8007007e
BlackBone: PatternData: LdrProtectMrdata not found
BlackBone: Allocate: Allocating at address 0x0000020952150000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x0000020952160000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x0000020952170000 (0x4000 bytes)
BlackBone: ManualMap: Mapping image 'TestErrorDriver.sys' with flags 0x1d001
BlackBone: ManualMap: Loading new image 'TestErrorDriver.sys'
BlackBone: ManualMap: Image base allocated at 0x0000020952180000
BlackBone: ManualMap: Performing image copy
BlackBone: ManualMap: Relocating image 'testerrordriver.sys'
BlackBone: ManualMap: Loading new dependency 'ntoskrnl.exe'
BlackBone: ManualMap: Dependency path resolved to 'C:\WINDOWS\system32\ntoskrnl.exe'
BlackBone: ManualMap: Loading new image 'C:\WINDOWS\system32\ntoskrnl.exe'
BlackBone: ManualMap: Image base allocated at 0x0000020954490000
BlackBone: ManualMap: Performing image copy
BlackBone: ManualMap: Relocating image 'c:\windows\system32\ntoskrnl.exe'
BlackBone: ManualMap: Failed to get import 'KsrQueryMetadata' from image 'ntoskrnl.exe'
BlackBone: Free: Free at address 0x0000020954490000
BlackBone: ManualMap: Failed to load dependency 'C:\WINDOWS\system32\ntoskrnl.exe'. Status 0xc0000225
BlackBone: Free: Free at address 0x0000020952180000
BlackBone: Free: Free at address 0x0000020952150000
BlackBone: Free: Free at address 0x0000020952160000
BlackBone: Free: Free at address 0x0000020952170000
failed to MapImage

There is a question about MapImageToEngine which is similar to the previous

(My English is not well, please forgive me)
I tried to running uncorn_pe as "uncorn_pe.exe test.exe -disasm" under the DEBUG mode，but when I step to

ctx->MapImageToEngine(modInfo.name, (PVOID)modInfo.baseAddress, modInfo.size, modInfo.baseAddress, ((LDR_DATA_TABLE_ENTRY_BASE_T*)(modInfo.ldrPtr))->EntryPoint); (uncorn_pe.cpp ; line: 60)

it crashed. I checked the "watches" and found that the error appeared in "ldrPtr"，because it is a "nullptr".

Is my operation wrong and how could I fix it?

Looking forward to your reply, thanks.

unicorn_pe project

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.

	if (type == blackbone::PreCallback)
	{
	uint64_t desiredBase = ctx->m_LoadModuleBase;
	uint64_t desiredNextLoadBase = PAGE_ALIGN_64k((uint64_t)ctx->m_LoadModuleBase + (uint64_t)modInfo.size + 0x10000ull);
	ctx->m_LoadModuleBase = desiredNextLoadBase;

	return blackbone::LoadData(blackbone::MT_Default, blackbone::Ldr_None, ctx->m_LoadModuleBase);
	}

	if (_mapCallback != nullptr)
	{
	ModuleData tmpData;
	tmpData.baseAddress = 0;
	tmpData.manual = ((pImage->flags & ManualImports) != 0);
	tmpData.fullPath = path;
	tmpData.name = Utils::ToLower( Utils::StripPath( path ) );
	tmpData.size = 0;
	tmpData.type = pImage->ldrEntry.type;
	tmpData.entryPoint = 0;
	tmpData.ldrPtr = 0;
	tmpData.imgPtr = 0;

	data = _mapCallback( PreCallback, _userContext, _process, tmpData );
	}