From ae8e34173adec2f9390b7b0274c248875975ce84 Mon Sep 17 00:00:00 2001
From: samothtronicien
Date: Sun, 31 Jul 2016 03:19:52 +0200
Subject: [PATCH] added tests with enter/leave
---
 tests/unit/Makefile | 6 +-
 tests/unit/test_x86_shl_enter_leave.c | 487 ++++++++++++++++++++++++++
 2 files changed, 490 insertions(+), 3 deletions(-)
 create mode 100644 tests/unit/test_x86_shl_enter_leave.c
diff --git a/tests/unit/Makefile b/tests/unit/Makefile
index 81b35898..39f2747d 100644
--- a/tests/unit/Makefile
+++ b/tests/unit/Makefile
@@ -13,7 +13,7 @@ endif
 
 ALL_TESTS = test_sanity test_x86 test_mem_map test_mem_high test_mem_map_ptr \
 test_tb_x86 test_multihook test_pc_change test_x86_soft_paging \
- test_hookcounts test_hang test_x86_shl
+ test_hookcounts test_hang test_x86_shl_enter_leave
 
 .PHONY: all
 all: ${ALL_TESTS}
@@ -36,7 +36,7 @@ test: ${ALL_TESTS}
 ./test_x86_soft_paging
 ./test_hookcounts
 ./test_hang
-./test_x86_shl
+./test_x86_shl_enter_leave
 
 test_sanity: test_sanity.c
 test_x86: test_x86.c
@@ -49,7 +49,7 @@ test_pc_change: test_pc_change.c
 test_x86_soft_paging: test_x86_soft_paging.c
 test_hookcounts: test_hookcounts.c
 test_hang: test_hang.c
-test_x86_shl: test_x86_shl.c
+test_x86_shl_enter_leave: test_x86_shl_enter_leave.c
 
 ${ALL_TESTS}:
 ${CC} ${CFLAGS} -o $@ $^
diff --git a/tests/unit/test_x86_shl_enter_leave.c b/tests/unit/test_x86_shl_enter_leave.c
new file mode 100644
index 00000000..5844a4c9
--- /dev/null
+++ b/tests/unit/test_x86_shl_enter_leave.c
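Review bot: `tests/unit/test_x86_shl.c` is left orphaned by the three Makefile hunks: its entries are removed from ALL_TESTS, the `test` recipe and the per-target rule, yet the diffstat lists no deletion of that file, so it stays in the tree unbuilt and unrun. If the new `test_x86_shl_enter_leave.c` supersedes it — its `test_i386_shl_cl`/`test_i386_shl_imm` cases suggest it does — delete the old file in this commit; otherwise keep both targets (`test_hookcounts test_hang test_x86_shl test_x86_shl_enter_leave` in ALL_TESTS, plus the matching `./test_x86_shl` and `test_x86_shl: test_x86_shl.c` lines). Either way the two changes should land together so `make test` never silently drops coverage.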
@@ -0,0 +1,487 @@ +#include +#include + +#include "unicorn_test.h" + + +#define OK(x) uc_assert_success(x) + +#define CF_MASK (1<<0) +#define PF_MASK (1<<2) +#define ZF_MASK (1<<6) +#define SF_MASK (1<<7) +#define OF_MASK (1<<11) +#define ALL_MASK (OF_MASK|SF_MASK|ZF_MASK|PF_MASK|CF_MASK) +#define NO_MASK 0xFFFFFFFF + +typedef struct _reg_value +{ + uint32_t regId, regValue, mask; +} reg_value; + +typedef struct _instruction +{ + const char* asmStr; + const uint8_t* code; + uint32_t codeSize; + const reg_value* values; + uint32_t nbValues; + uint32_t addr; +} instruction; + +typedef struct _block +{ + instruction* insts[255]; + uint32_t nbInsts; + uint32_t size; +} block; + +/******************************************************************************/ + +#define CAT2(X, Y) X ## Y +#define CAT(X, Y) CAT2(X, Y) + +#define ADD_INSTRUCTION(BLOCK, CODE_ASM, CODE, REGVALUES) \ + const uint8_t CAT(code, __LINE__)[] = CODE; \ + const reg_value CAT(regValues, __LINE__)[] = REGVALUES; \ + inst = newInstruction(CAT(code, __LINE__), sizeof(CAT(code, __LINE__)), CODE_ASM, CAT(regValues, __LINE__), sizeof(CAT(regValues, __LINE__)) / sizeof(reg_value)); \ + addInstructionToBlock(BLOCK, inst); + +#define V(...) 
{ __VA_ARGS__ } + +/******************************************************************************/ + +instruction* newInstruction(const uint8_t * _code, uint32_t _codeSize, const char* _asmStr, const reg_value* _values, uint32_t _nbValues); +void addInstructionToBlock(block* _b, instruction* _i); +uint32_t loadBlock(uc_engine *_uc, block* _block, uint32_t _at); +void freeBlock(block* _block); +const char* getRegisterName(uint32_t _regid); +uint32_t getRegisterValue(uc_engine *uc, uint32_t _regid); +instruction* getInstruction(block * _block, uint32_t _addr); + +/******************************************************************************/ + +void hook_code_test_i386_shl(uc_engine *uc, uint64_t address, uint32_t size, void *user_data) +{ + uint32_t i; + block* b = (block*)user_data; + instruction* currInst = getInstruction(b, (uint32_t)address); + assert_true(currInst != NULL); + + print_message("|\teip=%08x - %s\n", (uint32_t)address, currInst->asmStr); + + for (i = 0; i < currInst->nbValues; i++) + { + if (currInst->values[i].regId == UC_X86_REG_INVALID) continue; + + uint32_t regValue = getRegisterValue(uc, currInst->values[i].regId); + print_message("|\t\ttesting %s : ", getRegisterName(currInst->values[i].regId)); + assert_int_equal(regValue & currInst->values[i].mask, currInst->values[i].regValue); + print_message("ok\n"); + } + + if (currInst->code[0] == 0xCC) + OK(uc_emu_stop(uc)); +} + +bool hook_mem_invalid(uc_engine *uc, uc_mem_type type, uint64_t addr, int size, int64_t value, void *user_data) +{ + switch (type) + { + default: + print_message("hook_mem_invalid: UC_HOOK_MEM_INVALID type: %d at 0x%" PRIx64 "\n", type, addr); break; + case UC_MEM_READ_UNMAPPED: + print_message("hook_mem_invalid: Read from invalid memory at 0x%" PRIx64 ", data size = %u\n", addr, size); break; + case UC_MEM_WRITE_UNMAPPED: + print_message("hook_mem_invalid: Write to invalid memory at 0x%" PRIx64 ", data size = %u, data value = 0x%" PRIx64 "\n", addr, size, value); break; 
+ case UC_MEM_FETCH_PROT: + print_message("hook_mem_invalid: Fetch from non-executable memory at 0x%" PRIx64 "\n", addr); break; + case UC_MEM_WRITE_PROT: + print_message("hook_mem_invalid: Write to non-writeable memory at 0x%" PRIx64 ", data size = %u, data value = 0x%" PRIx64 "\n", addr, size, value); break; + case UC_MEM_READ_PROT: + print_message("hook_mem_invalid: Read from non-readable memory at 0x%" PRIx64 ", data size = %u\n", addr, size); break; + } + return false; +} + +#define ADDR_CODE 0x100000 +#define ADDR_STACK 0x200000 + +static void test_i386_shl_cl(void **state) +{ + uc_engine *uc; + uc_hook trace1; + + // Initialize emulator in X86-32bit mode + OK(uc_open(UC_ARCH_X86, UC_MODE_32, &uc)); + OK(uc_mem_map(uc, ADDR_CODE, 0x1000, UC_PROT_ALL)); + + { + block block; + instruction* inst; + + block.nbInsts = 0; + + ADD_INSTRUCTION(&block, "mov ebx, 3Ch", + V(0xBB, 0x3C, 0x00, 0x00, 0x00), + V(V(UC_X86_REG_INVALID, 0x0, NO_MASK))); + ADD_INSTRUCTION(&block, "mov cl, 2", + V(0xB1, 0x02), + V(V(UC_X86_REG_EBX, 0x3C, NO_MASK))); + ADD_INSTRUCTION(&block, "shl ebx, cl", + V(0xD3, 0xE3), + V(V(UC_X86_REG_EBX, 0x3C, NO_MASK), V(UC_X86_REG_CL, 0x2, NO_MASK))); + ADD_INSTRUCTION(&block, "lahf", + V(0x9F), + V(V(UC_X86_REG_EBX, 0xF0, NO_MASK), V(UC_X86_REG_CL, 0x2, NO_MASK), V(UC_X86_REG_EFLAGS, 0x4, ALL_MASK))); + ADD_INSTRUCTION(&block, "int3", + V(0xCC), + V(V(UC_X86_REG_AH, 0x4, PF_MASK), V(UC_X86_REG_EBX, 0xF0, NO_MASK), V(UC_X86_REG_CL, 0x2, NO_MASK), V(UC_X86_REG_EFLAGS, 0x4, ALL_MASK))); + + loadBlock(uc, &block, ADDR_CODE); + + // initialize machine registers + uint32_t zero = 0; + OK(uc_reg_write(uc, UC_X86_REG_EAX, &zero)); + OK(uc_reg_write(uc, UC_X86_REG_EBX, &zero)); + OK(uc_reg_write(uc, UC_X86_REG_ECX, &zero)); + OK(uc_reg_write(uc, UC_X86_REG_EDX, &zero)); + + OK(uc_hook_add(uc, &trace1, UC_HOOK_CODE, hook_code_test_i386_shl, &block, 1, 0)); + OK(uc_hook_add(uc, &trace1, UC_HOOK_MEM_INVALID, hook_mem_invalid, NULL, 1, 0)); + + // emulate machine 
code in infinite time + OK(uc_emu_start(uc, ADDR_CODE, ADDR_CODE + block.size, 0, 0)); + + freeBlock(&block); + } + + uc_close(uc); +} + +static void test_i386_shl_imm(void **state) +{ + uc_engine *uc; + uc_hook trace1; + + // Initialize emulator in X86-32bit mode + OK(uc_open(UC_ARCH_X86, UC_MODE_32, &uc)); + OK(uc_mem_map(uc, ADDR_CODE, 0x1000, UC_PROT_ALL)); + + { + block block; + instruction* inst; + + block.nbInsts = 0; + + ADD_INSTRUCTION(&block, "mov ebx, 3Ch", + V(0xBB, 0x3C, 0x00, 0x00, 0x00), + V(V(UC_X86_REG_INVALID, 0x0, NO_MASK))); + ADD_INSTRUCTION(&block, "shl ebx, 2", + V(0xC1, 0xE3, 0x02), + V(V(UC_X86_REG_EBX, 0x3C, NO_MASK))); + ADD_INSTRUCTION(&block, "lahf", + V(0x9F), + V(V(UC_X86_REG_EBX, 0xF0, NO_MASK), V(UC_X86_REG_EFLAGS, 0x4, ALL_MASK))); + ADD_INSTRUCTION(&block, "int3", + V(0xCC), + V(V(UC_X86_REG_AH, 0x4, PF_MASK), V(UC_X86_REG_EBX, 0xF0, NO_MASK), V(UC_X86_REG_EFLAGS, 0x4, ALL_MASK))); + + loadBlock(uc, &block, ADDR_CODE); + + // initialize machine registers + uint32_t zero = 0; + OK(uc_reg_write(uc, UC_X86_REG_EAX, &zero)); + OK(uc_reg_write(uc, UC_X86_REG_EBX, &zero)); + OK(uc_reg_write(uc, UC_X86_REG_ECX, &zero)); + OK(uc_reg_write(uc, UC_X86_REG_EDX, &zero)); + + OK(uc_hook_add(uc, &trace1, UC_HOOK_CODE, hook_code_test_i386_shl, &block, 1, 0)); + OK(uc_hook_add(uc, &trace1, UC_HOOK_MEM_INVALID, hook_mem_invalid, NULL, 1, 0)); + + // emulate machine code in infinite time + OK(uc_emu_start(uc, ADDR_CODE, ADDR_CODE + block.size, 0, 0)); + + freeBlock(&block); + } + + uc_close(uc); +} + +static void test_i386_enter_leave(void **state) +{ + uc_engine *uc; + uc_hook trace1; + + // Initialize emulator in X86-32bit mode + OK(uc_open(UC_ARCH_X86, UC_MODE_32, &uc)); + OK(uc_mem_map(uc, ADDR_CODE, 0x1000, UC_PROT_ALL)); + OK(uc_mem_map(uc, ADDR_STACK - 0x1000, 0x1000, UC_PROT_ALL)); + + { + block block; + instruction* inst; + + block.nbInsts = 0; + + ADD_INSTRUCTION(&block, "mov esp, 0x200000", + V(0xBC, 0x00, 0x00, 0x20, 0x00), + 
V(V(UC_X86_REG_INVALID, 0x0, NO_MASK))); + ADD_INSTRUCTION(&block, "mov eax, 1", + V(0xB8, 0x01, 0x00, 0x00, 0x00), + V(V(UC_X86_REG_ESP, 0x200000, NO_MASK))); + ADD_INSTRUCTION(&block, "call 0x100015", + V(0xE8, 0x06, 0x00, 0x00, 0x00), + V(V(UC_X86_REG_EAX, 0x1, NO_MASK), V(UC_X86_REG_ESP, 0x200000, NO_MASK))); + ADD_INSTRUCTION(&block, "mov eax, 3", + V(0xB8, 0x03, 0x00, 0x00, 0x00), + V(V(UC_X86_REG_EAX, 0x2, NO_MASK))); + ADD_INSTRUCTION(&block, "int3", + V(0xCC), + V(V(UC_X86_REG_EAX, 0x3, NO_MASK))); + ADD_INSTRUCTION(&block, "enter 0x10,0", + V(0xC8, 0x10, 0x00, 0x00), + V(V(UC_X86_REG_ESP, 0x200000 - 4, NO_MASK))); + ADD_INSTRUCTION(&block, "mov eax, 2", + V(0xB8, 0x02, 0x00, 0x00, 0x00), + V(V(UC_X86_REG_ESP, 0x200000 - 4 - 4 - 0x10, NO_MASK), V(UC_X86_REG_EBP, 0x200000 - 4 - 4, NO_MASK))); + ADD_INSTRUCTION(&block, "leave", + V(0xC9), + V(V(UC_X86_REG_EAX, 0x2, NO_MASK), V(UC_X86_REG_INVALID, 0x0, NO_MASK))); + ADD_INSTRUCTION(&block, "mov eax, 2", + V(0xB8, 0x02, 0x00, 0x00, 0x00), + V(V(UC_X86_REG_INVALID, 0x0, NO_MASK))); + ADD_INSTRUCTION(&block, "ret", + V(0xC3), + V(V(UC_X86_REG_ESP, 0x200000 - 4, NO_MASK))); + + loadBlock(uc, &block, ADDR_CODE); + + // initialize machine registers + uint32_t zero = 0; + OK(uc_reg_write(uc, UC_X86_REG_EAX, &zero)); + OK(uc_reg_write(uc, UC_X86_REG_EBX, &zero)); + OK(uc_reg_write(uc, UC_X86_REG_ECX, &zero)); + OK(uc_reg_write(uc, UC_X86_REG_EDX, &zero)); + + OK(uc_hook_add(uc, &trace1, UC_HOOK_CODE, hook_code_test_i386_shl, &block, 1, 0)); + OK(uc_hook_add(uc, &trace1, UC_HOOK_MEM_INVALID, hook_mem_invalid, NULL, 1, 0)); + + // emulate machine code in infinite time + OK(uc_emu_start(uc, ADDR_CODE, ADDR_CODE + block.size, 0, 0)); + + freeBlock(&block); + } + + uc_close(uc); +} + +static void test_i386_enter_nested_leave(void **state) +{ + uc_engine *uc; + uc_hook trace1; + + // Initialize emulator in X86-32bit mode + OK(uc_open(UC_ARCH_X86, UC_MODE_32, &uc)); + OK(uc_mem_map(uc, ADDR_CODE, 0x1000, UC_PROT_ALL)); + 
OK(uc_mem_map(uc, ADDR_STACK - 0x1000, 0x1000, UC_PROT_ALL)); + + { + block block; + instruction* inst; + + block.nbInsts = 0; + + ADD_INSTRUCTION(&block, "mov esp, 0x200000", + V(0xBC, 0x00, 0x00, 0x20, 0x00), + V(V(UC_X86_REG_INVALID, 0x0, NO_MASK))); + ADD_INSTRUCTION(&block, "mov eax, 1", + V(0xB8, 0x01, 0x00, 0x00, 0x00), + V(V(UC_X86_REG_ESP, 0x200000, NO_MASK))); + ADD_INSTRUCTION(&block, "call 0x100015", + V(0xE8, 0x06, 0x00, 0x00, 0x00), + V(V(UC_X86_REG_EAX, 0x1, NO_MASK), V(UC_X86_REG_ESP, 0x200000, NO_MASK))); + ADD_INSTRUCTION(&block, "mov eax, 3", + V(0xB8, 0x03, 0x00, 0x00, 0x00), + V(V(UC_X86_REG_EAX, 0x2, NO_MASK))); + ADD_INSTRUCTION(&block, "int3", + V(0xCC), + V(V(UC_X86_REG_EAX, 0x3, NO_MASK))); + ADD_INSTRUCTION(&block, "enter 0x10,1", + V(0xC8, 0x10, 0x00, 0x01), + V(V(UC_X86_REG_ESP, 0x200000 - 4, NO_MASK))); + ADD_INSTRUCTION(&block, "mov eax, 2", + V(0xB8, 0x02, 0x00, 0x00, 0x00), + V(V(UC_X86_REG_ESP, 0x200000 - 4 - 2*4 - 0x10, NO_MASK), V(UC_X86_REG_EBP, 0x200000 - 4 - 4, NO_MASK))); + ADD_INSTRUCTION(&block, "leave", + V(0xC9), + V(V(UC_X86_REG_EAX, 0x2, NO_MASK))); + ADD_INSTRUCTION(&block, "ret", + V(0xC3), + V(V(UC_X86_REG_ESP, 0x200000 - 4, NO_MASK))); + + loadBlock(uc, &block, ADDR_CODE); + + // initialize machine registers + uint32_t zero = 0; + OK(uc_reg_write(uc, UC_X86_REG_EAX, &zero)); + OK(uc_reg_write(uc, UC_X86_REG_EBX, &zero)); + OK(uc_reg_write(uc, UC_X86_REG_ECX, &zero)); + OK(uc_reg_write(uc, UC_X86_REG_EDX, &zero)); + + OK(uc_hook_add(uc, &trace1, UC_HOOK_CODE, hook_code_test_i386_shl, &block, 1, 0)); + OK(uc_hook_add(uc, &trace1, UC_HOOK_MEM_INVALID, hook_mem_invalid, NULL, 1, 0)); + + // emulate machine code in infinite time + OK(uc_emu_start(uc, ADDR_CODE, ADDR_CODE + block.size, 0, 0)); + + freeBlock(&block); + } + + uc_close(uc); +} + +/******************************************************************************/ + +int main(void) { + const struct CMUnitTest tests[] = { + + cmocka_unit_test(test_i386_shl_cl), + 
cmocka_unit_test(test_i386_shl_imm), + cmocka_unit_test(test_i386_enter_leave), + cmocka_unit_test(test_i386_enter_nested_leave), + }; + return cmocka_run_group_tests(tests, NULL, NULL); +} + +/******************************************************************************/ + +instruction* newInstruction(const uint8_t * _code, uint32_t _codeSize, const char* _asmStr, const reg_value* _values, uint32_t _nbValues) +{ + instruction* inst = (instruction*)malloc(sizeof(instruction)); + + inst->asmStr = _asmStr; + inst->code = _code; + inst->codeSize = _codeSize; + inst->values = _values; + inst->nbValues = _nbValues; + + return inst; +} + +void addInstructionToBlock(block* _b, instruction* _i) +{ + _b->insts[_b->nbInsts++] = _i; +} + +uint32_t loadBlock(uc_engine *_uc, block* _block, uint32_t _at) +{ + uint32_t i, j, offset; + + for (i = 0, offset = 0; i < _block->nbInsts; i++) + { + const uint32_t codeSize = _block->insts[i]->codeSize; + const uint8_t* code = _block->insts[i]->code; + _block->insts[i]->addr = _at + offset; + print_message("load: %08X: ", _block->insts[i]->addr); + for (j = 0; j < codeSize; j++) print_message("%02X ", code[j]); + for (j = 0; j < 15 - codeSize; j++) print_message(" "); + print_message("%s\n", _block->insts[i]->asmStr); + OK(uc_mem_write(_uc, _at + offset, code, codeSize)); + offset += codeSize; + } + _block->size = offset; + return offset; +} + +void freeBlock(block* _block) +{ + uint32_t i; + for (i = 0; i < _block->nbInsts; i++) + free(_block->insts[i]); +} + +instruction* getInstruction(block* _block, uint32_t _addr) +{ + uint32_t i; + for (i = 0; i < _block->nbInsts; i++) + { + if (_block->insts[i]->addr == _addr) + return _block->insts[i]; + } + return NULL; +} + +const char* getRegisterName(uint32_t _regid) +{ + switch (_regid) + { + //8 + case UC_X86_REG_AH: return "AH"; + case UC_X86_REG_AL: return "AL"; + case UC_X86_REG_BH: return "BH"; + case UC_X86_REG_BL: return "BL"; + case UC_X86_REG_CL: return "CL"; + case UC_X86_REG_CH: 
return "CH"; + case UC_X86_REG_DH: return "DH"; + case UC_X86_REG_DL: return "DL"; + //16 + case UC_X86_REG_AX: return "AX"; + case UC_X86_REG_BX: return "BX"; + case UC_X86_REG_CX: return "CX"; + case UC_X86_REG_DX: return "DX"; + //32 + case UC_X86_REG_EAX: return "EAX"; + case UC_X86_REG_EBX: return "EBX"; + case UC_X86_REG_ECX: return "ECX"; + case UC_X86_REG_EDX: return "EDX"; + case UC_X86_REG_EDI: return "EDI"; + case UC_X86_REG_ESI: return "ESI"; + case UC_X86_REG_EBP: return "EBP"; + case UC_X86_REG_ESP: return "ESP"; + case UC_X86_REG_EIP: return "EIP"; + case UC_X86_REG_EFLAGS: return "EFLAGS"; + + default: fail(); + } + return "UNKNOWN"; +} + +uint32_t getRegisterValue(uc_engine *uc, uint32_t _regid) +{ + switch (_regid) + { + //8 + case UC_X86_REG_AH: case UC_X86_REG_AL: + case UC_X86_REG_BH: case UC_X86_REG_BL: + case UC_X86_REG_CL: case UC_X86_REG_CH: + case UC_X86_REG_DH: case UC_X86_REG_DL: + { + uint8_t val = 0; + OK(uc_reg_read(uc, _regid, &val)); + return val; + } + //16 + case UC_X86_REG_AX: case UC_X86_REG_BX: + case UC_X86_REG_CX: case UC_X86_REG_DX: + { + uint16_t val = 0; + OK(uc_reg_read(uc, _regid, &val)); + return val; + } + //32 + case UC_X86_REG_EAX: case UC_X86_REG_EBX: + case UC_X86_REG_ECX: case UC_X86_REG_EDX: + case UC_X86_REG_EDI: case UC_X86_REG_ESI: + case UC_X86_REG_EBP: case UC_X86_REG_ESP: + case UC_X86_REG_EIP: case UC_X86_REG_EFLAGS: + { + uint32_t val = 0; + OK(uc_reg_read(uc, _regid, &val)); + return val; + } + + default: fail(); + } + return 0; +}
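Review bot: `addInstructionToBlock` (near the end of the hunk) stores into the fixed `insts[255]` array with no bound on `nbInsts`, and `newInstruction` dereferences its `malloc` result unchecked, so a block with too many instructions or an allocation failure corrupts memory instead of failing the test cleanly; add `assert_true(_b->nbInsts < sizeof _b->insts / sizeof _b->insts[0]);` before the store and `assert_non_null(inst);` right after the allocation. In `loadBlock`, `15 - codeSize` is unsigned arithmetic, so an encoding longer than 15 bytes would turn the padding loop into a runaway print loop; `assert_true(codeSize <= 15);` at the top of the loop body makes that explicit, and the same function never checks that `offset` stays within the 0x1000 bytes mapped at `ADDR_CODE`, though the current blocks are far smaller. In `hook_mem_invalid`, `size` is an `int` printed with `%u` and `value` an `int64_t` printed with `PRIx64`; cast them, e.g. `(unsigned)size` and `(uint64_t)value`, so `-Wformat` stays clean. The four test functions register both hooks through the same `trace1` handle, which overwrites the first handle; harmless since `uc_close` tears them down, but a second `uc_hook` variable would make that intent clear. The `#include` lines at the top of the file appear with their targets missing in this view, which looks like rendering loss rather than a defect in the commit.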