Unicorn Emulator 1.0.1 released

April 20, 2017 ~ hucktech ~ Leave a comment

Nguyen Anh Quynh announced the 1.0.1 release of the Unicorn CPU Emulator.

[unicorn-engine] Unicorn Emulator v1.0.1 is out!
We are excited to announce version 1.0.1 for Unicorn CPU Emulator framework! This is a stable release, in which we fixed some issues in the core, added some features on Arm, Arm64, Mips & X86. […]

https://www.freelists.org/post/unicorn-engine/Unicorn-Emulator-v101-is-out
http://www.unicorn-engine.org/Version-1.0.1
https://github.com/unicorn-engine/unicorn/releases/tag/1.0.1

http://www.keystone-engine.org
http://www.capstone-engine.org
http://www.unicorn-engine.org

Paradise: Windows x64 hooking library

February 11, 2017 ~ hucktech ~ Leave a comment

Paradise is a new open source x86/x86-64 hooking library. #CapstoneInside https://t.co/HuLrPwHTeF

— Capstone Engine (@capstone_engine) February 9, 2017

“x86/x86-64 hooking library”

Windows-centric, C++-based.

https://github.com/codectile/paradise

ROPMEMU

May 31, 2016 ~ hucktech ~ Leave a comment

ROPMEMU is finally available https://t.co/86EV6UvpJ2 cc @capstone_engine @unicorn_engine @volatility – AsiaCCS 2016

— emdel (@emd3l) May 31, 2016

w0w, Cisco just released ROPMEMU tool to analyze ROP chains! Powered by @capstone_engine & @unicorn_engine O/https://t.co/2m2BA6XNhp

— Capstone Engine (@capstone_engine) May 31, 2016

ROPMEMU is a framework to analyze, dissect and decompile complex code-reuse attacks. It adopts a set of different techniques to analyze ROP chains and reconstruct their equivalent code in a form that can be analyzed by traditional reverse engineering tools. In particular, it is based on memory forensics (as its input is a physical memory dump), code emulation (to faithfully rebuild the original ROP chain), multi-path execution (to extract the ROP chain payload), CFG recovery (to rebuild the original control flow), and a number of compiler transformations (to simplify the final instructions of the ROP chain). Specifically, the memory forensics part is based on Volatility plugins. The emulation and the multi-path part is implemented through the Unicorn emulator. […]

https://github.com/vrtadmin/ROPMEMU

https://github.com/vrtadmin/ROPMEMU/wiki

tool: Edb

September 3, 2015 ~ hucktech ~ Leave a comment

Edb is a system debugger, written by Evan Teran (@eteran). It’s been around for a while, but recently updated to use the Capstone engine, where I noticed it:

w0w, another debugger ditched its disassembler in favor of Capstone engine: Edb!https://t.co/Y25BwxiXZu

— Capstone Engine (@capstone_engine) September 3, 2015

Edb is a cross platform x86/x86-64 debugger, inspired by OllyDbg, but aims to function on x86 and x86-64 as well as multiple OS’s. Linux is the only officially supported platform at the moment, but FreeBSD, OpenBSD, OSX and Windows ports are underway with varying degrees of functionality. It is written in C++ using Qt. It contains these plugins: Analyzer, Assembler, BinaryInfo, BinarySearcher, Bookmarks, BreakpointManager, CheckVersion, DebuggerCore, DumpState, FunctionFinder, HardwareBreakpoints, HeapAnalyzer, OpcodeSearcher, ProcessProperties, ROPTool,References, and SymbolViewer.

Some security researchers may not know of OllyDbg, but only of Immunity Debugger (ImmyDbg), which is a fork of the GPL OllyDBg (but Immunity doesn’t seem to provide source…). Edb is also GPL-licensed, but source is easily available, and with Capstone backing it, looks to be very interesting!

https://github.com/eteran/edb-debugger
https://github.com/eteran/edb-debugger/wiki

EBC

August 4, 2015 ~ hucktech ~ Leave a comment

EBC, The EFI Byte Code, is a UEFI feature that supports Intel (Itanium, x86, and x64) instructions in a single bytecode. The Intel C Compiler can target EBC, and UEFI drivers can use EBC instead of native drivers, to save space (1 binary, instead of 3).

The other week I gave a firmware security tools talk at BlackLodgeResearch.org, and Vincent Zimmer of Intel showed up. I had a slide complaining that EBC is only supported by Intel C Compiler, a commercial-only product, and that the UEFI Forum should fund a ‘summer-of-code’-style effort to get EBC into GCC or LLVM CLang. After the talk, Vincent mentioned that ICC had to do a bit of unexpected work to generate EBC, and would blog about it. Well, he did blog about it, a few days ago, just catching up to it, and describe the problem.
http://vzimmer.blogspot.com/2015/08/efi-byte-code.html

If you know of someone on the LLVM CLang or GCC project, please try to add a request for EBC support.

Not only would it be nice to have LLVM CLang work with EBC to have an alternative to ICC, and for LLBVM’s Klee fuzzer (to fuzz UEFI via OVMF), but ALSO because the Capstone Framework RE tool uses LLVM’s intermediate form and would then get EBC support!!
http://www.capstone-engine.org/

Today, radare2, another RE tool, already has EBC support.
https://firmwaresecurity.com/2015/07/26/tool-mini-review-radare2/

If technically possible, it might be nice if ARM added AArch32 and AArch64 support, and EBC support in their compiler, so that EBC could actually target all UEFI platforms with a single blob. ARM/Linaro already has something that appears to overlap in some ways:
http://people.linaro.org/~christoffer.dall/arm-vm-spec-v1.0.txt

Also, there’s a C#/IL to EBC translation project on Github. If you get it to work, let me know!
https://github.com/nnliaohua/CIL2EBC-ToolChain