Questions about VMX-root Mode compatibility of the unicorn engine

[SinaKarvandi]

Hi,
First of all thanks for the great project!

We are trying to add the unicorn engine into the @HyperDbg debugger to enhance our virtualization support for certain instructions. For example, we want to change our single instruction instrumentation behavior of the '!monitor' command based on emulation to offer faster virtualization experience by removing extra VM-exits.

So, I have several questions I appreciate it if you could answer them.

1. Is unicorn-engine supported for WDK-based (kernel-mode) projects?

2. Generally, we want to use the unicorn engine to emulate MOV instructions including other variants that access the memory (PUSH, CALL, etc.). The problem here is, based on limitations and design constraints, the instructions should not access the memory directly, and instead accessing the memory (read/write) both user-mode and kernel-mode needs to be performed through HyperDbg's memory management routines. From what I can see in the example, the unicorn engine provided a callback for MMIO. Can we use it in a way to intercept all reads/writes to the memory or is unicorn engine support this kind of callbacks?

3. Are unicorn engine codes considered safe (won't access any memory that might be paged out). I couldn't quite understand it from the source code, but I saw that there are callbacks for invalid memory access. From what I knew, in the user-mode, there is no way for the process to understand whether an address is valid or invalid without accessing it and throwing #PF exceptions, and eventually going to SEH routines (other than canonical checks). Are unicorn engine detects whether the memory is valid or not by using page-faults (SEH/try/catch])?

Thanks again,

[wtdcode]

1, it depends, Unicorn is just a CPU emulator and thus you could do anything with it.
2. Yes.
3. No. The situation is a bit subtle. Unicorn relies on two syscall: mmap and malloc where the first one can be replaced be static memory and the latter one could be hijacked by whatever you wish.

You seem to misunderstand how unicorn works. In a nutshell, Unicorn is never a Hypervisor that executes instructions on the real CPU but instead a Dynamic Binary Translator which emulates every instruction.