Implement rdtsc hook

2026-01-18 03:13:55 +00:00 · 2024-09-02 17:16:29 +02:00
parent 679fecda4e
commit daff0d1e13
5 changed files with 17 additions and 6 deletions
--- a/deps/unicorn
+++ b/deps/unicorn
--- a/src/emulator/emulator.hpp
+++ b/src/emulator/emulator.hpp
@@ -9,7 +9,7 @@ struct emulator_hook;

 using memory_operation = memory_permission;

-using hook_callback = std::function<void()>;
+using hook_callback = std::function<bool()>;

 using simple_memory_hook_callback = std::function<void(uint64_t address, size_t size)>;
 using complex_memory_hook_callback = std::function<void(uint64_t address, size_t size, memory_operation operation)>;
--- a/src/emulator/x64_emulator.hpp
+++ b/src/emulator/x64_emulator.hpp
@@ -6,6 +6,8 @@ enum class x64_hookable_instructions
 {
 	syscall,
 	cpuid,
+	rdtsc,
+	rdtscp,
 };

 using x64_emulator = typed_emulator<uint64_t, x64_register, x64_register::rip,
--- a/src/unicorn_emulator/unicorn_x64_emulator.cpp
+++ b/src/unicorn_emulator/unicorn_x64_emulator.cpp
@@ -25,6 +25,10 @@ namespace unicorn
 				return UC_X86_INS_SYSCALL;
 			case x64_hookable_instructions::cpuid:
 				return UC_X86_INS_CPUID;
+			case x64_hookable_instructions::rdtsc:
+				return UC_X86_INS_RDTSC;
+			case x64_hookable_instructions::rdtscp:
+				return UC_X86_INS_RDTSCP;
 			}

 			throw std::runtime_error("Bad instruction for mapping");
@@ -251,9 +255,9 @@ namespace unicorn
 				const auto uc_instruction = map_hookable_instruction(
 					static_cast<x64_hookable_instructions>(instruction_type));

-				function_wrapper<void, uc_engine*> wrapper([c = std::move(callback)](uc_engine*)
+				function_wrapper<int, uc_engine*> wrapper([c = std::move(callback)](uc_engine*)
 				{
-					c();
+					return c() ? 1 : 0;
 				});

 				unicorn_hook hook{*this};
--- a/src/windows_emulator/main.cpp
+++ b/src/windows_emulator/main.cpp
@@ -625,6 +625,13 @@ namespace
 		emu->hook_instruction(x64_hookable_instructions::syscall, [&]
 		{
 			dispatcher.dispatch(*emu, context);
+			return true;
+		});
+
+		emu->hook_instruction(x64_hookable_instructions::rdtsc, [&]
+		{
+			puts("RDTSC Hook");
+			return true;
 		});

 		watch_object(*emu, context.teb);
@@ -657,10 +664,8 @@ namespace

 		emu->reg(x64_register::rcx, execution_context.value());
 		emu->reg(x64_register::rdx, context.ntdll.image_base);
-
 		emu->reg(x64_register::rip, entry1);

-
 		try
 		{
 			if (use_gdb)