| Category | Examples | Simulation Strategy |
|---|---|---|
| libc | | Hook address, implement logic in Python (bump allocator for malloc) |
| JNI | | Build fake JNIEnv function table in UC memory, write RET stubs at each entry, hook stub addresses |
| Syscalls | | Hook |
| C++ runtime | | Hook and simulate |
| Library calls | | Hook and return success/stub |

UC_HOOK_CODE

| Callback | Purpose |
|---|---|
| | Intercept import calls by address; instruction-level trace (use sparingly, narrow range only) |
| | Block-level trace (preferred over instruction trace) |
| | Auto-map missing pages to recover from unmapped access errors |
| | Trace memory access on targeted data ranges only |
| | Intercept SVC/INT for syscall simulation |

| Arch | Uc Const | Mode | SP | LR | Args | Return | Syscall |
|---|---|---|---|---|---|---|---|
| ARM64 | | | SP | X30 | X0-X7 | X0 | X8 + SVC #0 |
| ARM32 | | | SP | LR | R0-R3 | R0 | R7 + SVC #0 |
| x86-64 | | | RSP | (stack) | RDI,RSI,RDX,RCX,R8,R9 | RAX | RAX + syscall |
| x86-32 | | | ESP | (stack) | (stack) | EAX | EAX + int 0x80 |
| MIPS32 | | | $sp | $ra | $a0-$a3 | $v0 | $v0 + syscall |
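
An added example (not from the original page) of the libc row's strategy: a Python bump allocator behind a hooked stub address, returning to the caller with the ARM64 row's convention (arguments in X0-X7, result in X0, return through X30). The class names, heap window and stub address are assumptions, and `regs` is a plain dict standing in for the emulator's register file.

```python
# Added example: class names, heap window and stub address are constructed, not from the page.
HEAP_BASE, HEAP_SIZE = 0x10000000, 0x100000

# From the table: (argument registers, return register, link register); x86 returns via the stack.
CONVENTIONS = {
    "arm64": (["x0", "x1", "x2", "x3", "x4", "x5", "x6", "x7"], "x0", "x30"),
    "arm32": (["r0", "r1", "r2", "r3"], "r0", "lr"),
    "mips32": (["a0", "a1", "a2", "a3"], "v0", "ra"),
}

class BumpAllocator:
    """malloc for emulated code: hand out increasing addresses, never reuse them."""
    def __init__(self, base=HEAP_BASE, size=HEAP_SIZE, align=16):
        self.cur, self.end, self.align = base, base + size, align

    def malloc(self, size):
        start = (self.cur + self.align - 1) & ~(self.align - 1)
        if size <= 0 or start + size > self.end:
            return 0                       # NULL on exhaustion or a bad size
        self.cur = start + size
        return start

class ImportStubs:
    """Maps stub addresses to Python handlers and applies the calling convention."""
    def __init__(self, arch):
        self.args, self.ret, self.link = CONVENTIONS[arch]
        self.handlers = {}                 # stub address -> (handler, argument count)

    def register(self, addr, handler, nargs):
        self.handlers[addr] = (handler, nargs)

    def on_code(self, regs, address):
        """Call from the emulator's code hook; True means the stub was simulated."""
        if address not in self.handlers:
            return False
        handler, nargs = self.handlers[address]
        regs[self.ret] = handler(*[regs[r] for r in self.args[:nargs]])
        regs["pc"] = regs[self.link]       # resume at the caller's return address
        return True

def demo():
    heap, stubs = BumpAllocator(), ImportStubs("arm64")
    stubs.register(0x7F000000, heap.malloc, 1)
    regs = {"x0": 24, "x30": 0x400120, "pc": 0x7F000000}   # malloc(24)
    stubs.on_code(regs, regs["pc"])
    first = regs["x0"]
    regs.update(x0=8, pc=0x7F000000)                       # malloc(8)
    stubs.on_code(regs, regs["pc"])
    return first, regs["x0"], regs["pc"]
```

With Unicorn, `on_code` would be called from a `UC_HOOK_CODE` callback registered on the stub address, with `regs` backed by `reg_read` and `reg_write`.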