Unicorn: The Ultimate CPU Emulator
Akshay Ajayan (@r00tus3r)
About me
➢ Akshay Ajayan (@r00tus3r)
➢ Third year B.Tech CSE Undergraduate
○ @Amrita Vishwa Vidyapeetham
➢ CTF Player
○ @teambi0s
➢ Focusing on Software Reverse Engineering
Agenda
➢ CPU Emulator
➢ Unicorn Engine
○ Challenges
○ Qemu vs Unicorn
➢ Demo
➢ Summary
CPU Emulator
Emulates physical CPU using software only
Internals of a CPU Emulator
➢ Decode binary into separate instructions
➢ Emulate exactly what each instruction does
○ ISA Manual reference is required
○ Handle memory access & I/O upon request
➢ Update CPU context after each step
Example of emulation
➢ Ex: 01D1 → add eax, ebx
○ load eax & ebx registers
○ add values of eax & ebx, then copy result to eax
○ update flags OF, SF, ZF, AF, CF, PF accordingly
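The three steps above (decode, execute, update the CPU context) written out for this one instruction form, as an added example that is not code from the talk. It uses the bytes 01 D8, which is how x86 encodes add eax, ebx with opcode 01 (the ModRM byte D1 selects ecx and edx instead); the names `decode`, `add32`, `step` and `run` are made up for this sketch.

```python
# Added example: emulate one x86 instruction the way the slides describe:
# decode the bytes, perform the operation, then update the CPU context.
# Only ADD r/m32, r32 (opcode 0x01) with two register operands is handled.

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # ModRM order
FLAGS = ["OF", "SF", "ZF", "AF", "CF", "PF"]
MASK32 = 0xFFFFFFFF


def decode(code, pc):
    """Decode the instruction at code[pc:] into mnemonic, operands, length."""
    if pc + 2 > len(code):
        raise ValueError("truncated instruction at offset %d" % pc)
    opcode, modrm = code[pc], code[pc + 1]
    if opcode != 0x01:
        raise NotImplementedError("opcode %#04x is not emulated" % opcode)
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 0b11:
        raise NotImplementedError("memory operands are not emulated")
    # For opcode 0x01 the destination is the r/m field, the source is reg.
    return {"mnemonic": "add", "dst": REGS[rm], "src": REGS[reg], "length": 2}


def add32(a, b):
    """Return (result, flags) for a 32-bit ADD of two unsigned values."""
    full = a + b
    res = full & MASK32
    flags = {
        "CF": int(full > MASK32),                          # unsigned carry out
        "PF": int(bin(res & 0xFF).count("1") % 2 == 0),    # even parity, low byte
        "AF": int(((a ^ b ^ res) & 0x10) != 0),            # carry out of bit 3
        "ZF": int(res == 0),
        "SF": res >> 31,                                   # sign bit of result
        "OF": int(((a ^ res) & (b ^ res) & 0x80000000) != 0),  # signed overflow
    }
    return res, flags


def new_cpu(**regs):
    """Build a CPU context: eight general registers, eip and the six flags."""
    cpu = {name: 0 for name in REGS}
    cpu["eip"] = 0
    cpu["flags"] = {name: 0 for name in FLAGS}
    for name, value in regs.items():
        if name not in REGS:
            raise KeyError("unknown register " + name)
        cpu[name] = value & MASK32
    return cpu


def step(cpu, code):
    """Emulate exactly one instruction and update the CPU context."""
    insn = decode(code, cpu["eip"])
    res, flags = add32(cpu[insn["dst"]], cpu[insn["src"]])
    cpu[insn["dst"]] = res
    cpu["flags"].update(flags)
    cpu["eip"] += insn["length"]
    return insn


def run(code, **regs):
    """Emulate every instruction in code; return the final CPU context."""
    cpu = new_cpu(**regs)
    while cpu["eip"] < len(code):
        step(cpu, code)
    return cpu


if __name__ == "__main__":
    final = run(bytes.fromhex("01d8"), eax=0x7FFFFFFF, ebx=1)
    print(hex(final["eax"]), final["flags"])
```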
Applications
➢ Emulate the code without needing to have a real CPU
➢ Safely analyze malware code, detect virus signatures
➢ Verify code semantics in reversing
Unicorn Engine
➢ Open source CPU emulator framework
○ www.unicorn-engine.org
➢ Developed by:
○ Nguyen Anh Quynh
■ Computer Security Researcher
○ Dang Hoang Vu
■ Security engineer and researcher
Features
➢ Multi-architecture: Arm, Arm64 (Armv8), M68K, Mips, Sparc, & X86 (including X86_64)
➢ Clean/simple/lightweight architecture-neutral API
➢ Implemented in pure C language, with bindings for Perl, Rust, Python, Java, Go etc.
➢ Native support for Windows & *nix (with Mac OSX, Linux, *BSD & Solaris confirmed)
➢ High performance by using JIT compiler technique
➢ Supports fine-grained instrumentation at various levels
How was it built?
➢ Forked Qemu?
➢ Were there any challenges?
➢ How is it different?
Unicorn vs Qemu
➢ Independent and flexible framework
➢ Much more compact in size, lightweight in memory
➢ Thread-safe with multiple architectures supported in a single binary
➢ Provides an interface for dynamic instrumentation
➢ And many more...
Showcase
➢ Radare2
➢ Angr
➢ Usercorn
➢ Cuckoo
➢ Pwndbg
➢ ROPChain
➢ Unicorn.Js
➢ Pwntools
Intro to Unicorn API
➢ The core provides API in C
○ open & close Unicorn instance
○ start & stop emulation
○ read & write memory & registers
○ instrument with user-defined callbacks for instructions/single-step/memory event etc.
➢ Bindings for multiple languages
Demo 1
Demo 2
Demo 3
Summary
➢ Open source CPU emulator framework
➢ Multi-architecture, Multi-platform
➢ Core in pure C, and support for multiple binding languages
➢ Build your own tools on top of it
➢ Allows instrumentation at various levels
Questions?
Ping @r00tus3r
References
➢ www.unicorn-engine.org
➢ www.unicorn-engine.org/BHUSA2015-unicorn.pdf
➢ www.eternal.red/2018/unicorn-engine-tutorial
