So after playing around with the included files I tried something more real (this oldish Cerber sample 17fcd7a7162298225b06d85d1d5a90ea) but looks like Unicorn fails to emulate that (maybe I just need to tweak emulation params).

$ python test.py
VERSION.dll is loaded @ 0x70000000
GDI32.dll is loaded @ 0x7000c000
ADVAPI32.dll is loaded @ 0x70073000
KERNEL32.dll is loaded @ 0x70114000
SHELL32.dll is loaded @ 0x70224000
ole32.dll is loaded @ 0x70fac000
USER32.dll is loaded @ 0x711af000
COMCTL32.dll is loaded @ 0x712a9000
stack: 0x5ff00000-0x60000000
ERROR: Invalid memory read (UC_ERR_READ_UNMAPPED)
eax: 0x00000000
ebx: 0x00000000
ecx: 0x00000000
edx: 0x00000000
edi: 0x00000000
esi: 0x00000000
esp: 0x5ffffe68
ebp: 0x60000000
eip: 0x80000011

DLLs have been harvested from a Win7 VM (SysWow64 directory).

Test script:

$ cat test.py
import unitracer
from unicorn.x86_const import *

uni = unitracer.Windows()

# add search path for dll
uni.dll_path.insert(0, "dlls")

# change stack
uni.STACK_BASE = 0x60000000
uni.STACK_SIZE = 0x10000000

# load binary
uni.load_pe('./samples/17fcd7a7162298225b06d85d1d5a90ea')

# add api hooks
def IsDebuggerPresent(ip, sp, ut):
    emu = ut.emu
    retaddr = ut.popstack()
    print "IsDebuggerPresent"
    emu.reg_write(UC_X86_REG_EAX, 0)
    ut.pushstack(retaddr)

uni.api_hooks['IsDebuggerPresent'] = IsDebuggerPresent

# suppress verbose output (disassemble)
uni.verbose = False
uni.start(0)

For more details and what not you can hit me on email.

Is quite common in malware to trigger exceptions, it would be nice having the capabilities of passing exceptions.

Hi icchy,

Thanks a lot for your great work here. I'm quite interested in this project and I tried a locky ransomware sample, and came across an error:

File "/tracecorn/example.py", line 17, in
uni.load_pe('./samples/locky/_00B10000.mem')
File "/tracecorn/unitracer/windows.py", line 370, in load_pe
self._init_ldr(dlls, exe_ldr)
File "/tracecorn/unitracer/windows.py", line 157, in _init_ldr
raise IOError, "{} does not exist".format(dll)

IOError: MPR.dll does not exist

The sample has the following DLLs imported:

['MPR.dll',
'urlmon.dll',
'WININET.dll',
'GDI32.dll',
'SHELL32.dll',
'KERNEL32.dll',
'NETAPI32.dll',
'ADVAPI32.dll',
'USER32.dll']

Could you give me some instructions on how to add DLLs. It seems like the project has 3 DLLs imported by default (kernel32, advapi32, urlmon).

Thanks!

Trying to execute the sample provided in README.md yields the following:

advapi32.dll is loaded @ 0x70000000
kernel32.dll is loaded @ 0x700a1000
urlmon.dll is loaded @ 0x701b1000
stack: 0x5ff00000-0x60000000
Traceback (most recent call last):
  File "_ctypes/callbacks.c", line 315, in 'calling callback function'
  File "/usr/local/lib/python2.7/site-packages/unicorn/unicorn.py", line 438, in _hookcode_cb
    cb(self, address, size, data)
  File "/Users/fernando/dev/python/unitracer/unitracer/windows.py", line 294, in _hook_code
    api_hooks[func].hook(self)
AttributeError: 'function' object has no attribute 'hook'

PEBからGetProcAddressのアドレスを取得してくるタイプのものが多いため

some tests are required to check whether unitracer works on exe and shellcode correctly

The name of your project is exactly the same as the trade name of the company: UniTracer BV.

Please change the name of your project to avoid confusing your users and their clients.

• マップされたイメージ (RVAベースで展開済のメモリ)

DLL

• APIとVirtualAddress(RVA)の対応

EXE

• 各要素の取得
  • ImageBase
  • BaseOfCode
  • BaseOfData
  • AddressOfEntryPoint
• IATの上書きはロードする側で行うので不要
  • ENTRY_IMPORTの情報(APIName, IAT offset)が必要

Windows, Linux 32/64 bitで対応したい
とりあえずWindows 32bitで動くようにする