trustedsec / unicorn

Unicorn is a simple tool for using a PowerShell downgrade attack and injecting shellcode straight into memory. Based on Matthew Graeber's PowerShell attacks and the PowerShell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.
https://www.trustedsec.com

Can't skip UC_ERR_READ_UNMAPPED #150

Closed StarrySai closed 4 years ago

StarrySai commented 4 years ago

One of the instructions (esi = 1, and 0x5 is unmapped): mov ebx, [esi+4]

My unicorn code:

    from unicorn import *
    from unicorn.x86_const import *

    # memory hooks are called with six arguments: (uc, access, address, size, value, user_data)
    def hook_mem(uc, access, address, size, value, user_data):
        # advance EIP past the current instruction
        pc = uc.reg_read(UC_X86_REG_EIP) + size
        uc.reg_write(UC_X86_REG_EIP, pc)

    mu.hook_add(UC_HOOK_MEM_WRITE | UC_HOOK_MEM_READ, hook_mem)

I think this instruction is a memory read, so it will trigger UC_HOOK_MEM_READ, but it does not trigger; instead an error is reported: Invalid memory read (UC_ERR_READ_UNMAPPED)

Therefore I added UC_HOOK_MEM_READ_UNMAPPED:

    mu.hook_add(UC_HOOK_MEM_WRITE | UC_HOOK_MEM_READ | UC_HOOK_MEM_READ_UNMAPPED, hook_mem)

It did trigger the hook. I modified EIP, hoping to skip this instruction, and I am sure that EIP has been modified by me, but it still reports an error and stops the emulation: Invalid memory read (UC_ERR_READ_UNMAPPED)

I am confused; I think I'm not wrong. Can you help me?