SlideShare a Scribd company logo

Unicorn: The Ultimate CPU Emulator by Akshay Ajayan

C
Cysinfo Cyber Security Community

This document discusses the Unicorn CPU emulator engine. It provides an overview of CPU emulation and the challenges involved. Unicorn is presented as an open source, lightweight alternative to Qemu that supports multiple architectures. Its features like clean APIs, JIT compilation, and instrumentation capabilities are highlighted. Demos are shown of Unicorn being used in tools like Radare2 and Cuckoo. The document concludes with references for learning more about Unicorn.

Software
1 of 19
Downloaded 19 times
1
2
3
4
5
6
7
8
9
10
11
12
Most read
13
Most read
14
15
16
17
18
19
Most read
Unicorn: The Ultimate CPU Emulator Akshay Ajayan (@r00tus3r)
About me ➢ Akshay Ajayan (@r00tus3r) ➢ Third year B.Tech CSE Undergraduate ○ @Amrita Vishwa Vidyapeetham ➢ CTF Player ○ @teambi0s ➢ Focusing on Software Reverse Engineering
Agenda ➢ CPU Emulator ➢ Unicorn Engine ○ Challenges ○ Qemu vs Unicorn ➢ Demo ➢ Summary
CPU Emulator Emulates physical CPU using software only
Internals of a CPU Emulator ➢ Decode binary into separate instructions ➢ Emulate exactly what each instruction does ○ ISA Manual reference is required ○ Handle memory access & I/O upon requested ➢ Update CPU context after each step
Example of emulation ➢ Ex: 01D1 → add eax, ebx ○ load eax & ebx registers ○ add values of eax & ebx, then copy result to eax ○ update flags OF, SF, ZF, AF, CF, PF accordingly
Applications ➢ Emulate the code without needing to have a real CPU ➢ Safely analyze malware code, detect virus signature ➢ Verify code semantics in reversing
Unicorn Engine ➢ Open source CPU emulator framework ○ www.unicorn-engine.org ➢ Developed by: ○ Nguyen Anh Quynh ■ Computer Security Researcher ○ Dang Hoang Vu ■ Security engineer and researcher
Features ➢ Multi-architectures: Arm, Arm64 (Armv8), M68K, Mips, Sparc, & X86 (include X86_64) ➢ Clean/simple/lightweight architecture-neutral API ➢ Implemented in pure C language, with bindings for Perl, Rust, Python, Java, Go etc
➢ Native support for Windows & *nix (with Mac OSX, Linux, *BSD & Solaris confirmed) ➢ High performance by using JIT compiler technique ➢ Support fine-grained instrumentation at various levels
How was it built? ➢ Forked Qemu? ➢ Were there any challenges? ➢ How is it different?
Unicorn vs Qemu ➢ Independent and flexible framework ➢ Much more compact in size, lightweight in memory ➢ Thread-safe with multiple architectures supported in a single binary ➢ Provide interface for dynamic instrumentation ➢ And many more...
Showcase ➢ Radare2 ➢ Angr ➢ Usercorn ➢ Cuckoo ➢ Pwndbg ➢ ROPChain ➢ Unicorn.Js ➢ Pwntools
Intro to Unicorn API ➢ The core provides API in C ○ open & close Unicorn instance ○ start & stop emulation ○ read & write memory & registers ○ instrument with user-defined callbacks for instructions/single-step/memory event etc ➢ Bindings for multiple languages
Demo 1
Demo 2
Demo 3
Summary ➢ Open source CPU emulator framework ➢ Multi-architecture, Multi-platform ➢ Core in pure C, and support for multiple binding languages ➢ Build your own tools on top of it ➢ Allows instrumentation at various levels Questions? Ping @r00tus3r
References ➢ www.unicorn-engine.org ➢ www.unicorn-engine.org/BHUSA2015-unic orn.pdf ➢ www.eternal.red/2018/unicorn-engine-tuto rial

More Related Content

PPTX
DeViL - Detect Virtual Machine in Linux by Sreelakshmi
Cysinfo Cyber Security Community
 
PDF
EuroBSDCon 2021 - (auto)Installing BSD Systems
Vinícius Zavam
 
PPTX
Buffer overflows
Sandun Perera
 
PDF
FreeBSD hosting
punkt.de GmbH
 
PDF
Guest Agents: Support & Implementation
Mirantis
 
PDF
Porting Puppet to OpenBSD
Puppet
 
ODP
Enduro/X Middleware
Madars Vitolins
 
ODP
How to access your FIWARE Lab Instance.
José Ignacio Carretero Guarde
 
DeViL - Detect Virtual Machine in Linux by Sreelakshmi
Cysinfo Cyber Security Community
 
EuroBSDCon 2021 - (auto)Installing BSD Systems
Vinícius Zavam
 
Buffer overflows
Sandun Perera
 
FreeBSD hosting
punkt.de GmbH
 
Guest Agents: Support & Implementation
Mirantis
 
Porting Puppet to OpenBSD
Puppet
 
Enduro/X Middleware
Madars Vitolins
 
How to access your FIWARE Lab Instance.
José Ignacio Carretero Guarde
 

What's hot (20)

ZIP
Workshop@naha_val3
Shusaku Fukumine
 
PDF
Fundamental Virtualisasi di openSUSE
utianayuba
 
ZIP
Workshop@naha val3
Shusaku Fukumine
 
PDF
How can OpenNebula fit your needs - OpenNebulaConf 2013
Maxence Dunnewind
 
PDF
2. [Daily hack] Citrix_waf_bypass
defconmoscow
 
PPT
Maemo Development Environment
jtukkine
 
PDF
Adding Extended Attribute Support to NFS
James Morris
 
PDF
Plc2 2015 your own ide
Sigasi
 
PDF
AV Evasion with the Veil Framework
VeilFramework
 
PDF
Hacking the Linux Kernel - An Introduction
Levente Kurusa
 
PDF
Veil-Ordnance
VeilFramework
 
PDF
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
Zoltan Balazs
 
PDF
How Can OpenNebula Fit Your Needs: A European Project Feedback
NETWAYS
 
PPTX
Introduction to .NET
Lorenzo Dematté
 
PDF
Kernel Recipes 2013 - Kernel for your device
Anne Nicolas
 
PPTX
Pentesting tricks - Out with Powershell, in with C#
Michelangelo Sidagni
 
PDF
Extending bhyve beyond FreeBSD guests - EuroBSDCon 2013
bsdvirt
 
PDF
Quickly Debug VM Failures in OpenStack
LinuxCon ContainerCon CloudOpen China
 
ODP
Docker. Micro services for lazy developers
Eugene Krevenets
 
PDF
CodePackager - Pack and Unpack repositories to mobile storage
Cheyin L
 
Workshop@naha_val3
Shusaku Fukumine
 
Fundamental Virtualisasi di openSUSE
utianayuba
 
Workshop@naha val3
Shusaku Fukumine
 
How can OpenNebula fit your needs - OpenNebulaConf 2013
Maxence Dunnewind
 
2. [Daily hack] Citrix_waf_bypass
defconmoscow
 
Maemo Development Environment
jtukkine
 
Adding Extended Attribute Support to NFS
James Morris
 
Plc2 2015 your own ide
Sigasi
 
AV Evasion with the Veil Framework
VeilFramework
 
Hacking the Linux Kernel - An Introduction
Levente Kurusa
 
Veil-Ordnance
VeilFramework
 
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
Zoltan Balazs
 
How Can OpenNebula Fit Your Needs: A European Project Feedback
NETWAYS
 
Introduction to .NET
Lorenzo Dematté
 
Kernel Recipes 2013 - Kernel for your device
Anne Nicolas
 
Pentesting tricks - Out with Powershell, in with C#
Michelangelo Sidagni
 
Extending bhyve beyond FreeBSD guests - EuroBSDCon 2013
bsdvirt
 
Quickly Debug VM Failures in OpenStack
LinuxCon ContainerCon CloudOpen China
 
Docker. Micro services for lazy developers
Eugene Krevenets
 
CodePackager - Pack and Unpack repositories to mobile storage
Cheyin L
 
Ad

Similar to Unicorn: The Ultimate CPU Emulator by Akshay Ajayan (20)

PDF
VASCAN - Docker and Security
Michael Irwin
 
PDF
Heterogeneous multiprocessing on androd and i.mx7
Kynetics
 
PDF
COMPILER DESIGN.pdf
AdiseshaK
 
PDF
[CB19] Semzhu-Project – A self-made new world of embedded hypervisors and att...
CODE BLUE
 
PDF
Multi-Processor computing with OpenMP
Stefan Coetzee
 
PDF
Engineer Engineering Software
Yung-Yu Chen
 
PDF
Containers > VMs
David Timothy Strauss
 
PPTX
Hands on OpenCL
Vladimir Starostenkov
 
PDF
Memory Forensics in AWS
MarcVilanova1
 
PDF
Everything as code
Hepsiburada
 
PPTX
Explore asp.net core 3.0 features
iFour Technolab Pvt. Ltd.
 
PDF
Embedded platform choices
Tavish Naruka
 
PDF
Introduction to Ewasm - crosslink taipei 2019
hydai
 
ODP
EcoreTools-Next: Executable DSL made (more) accessible
Cédric Brun
 
PDF
Craftsmanship in Computational Work
Yung-Yu Chen
 
PDF
Linux-Internals-and-Networking
Emertxe Information Technologies Pvt Ltd
 
PDF
10 Reasons Why Java Now Rocks More Than Ever
Geert Bevin
 
PDF
Zephyr RTOS in One Hour | HARDWARIO @ IoT North UK
HARDWARIO
 
PDF
Leveraging Android's Linux Heritage at AnDevCon IV
Opersys inc.
 
PPTX
Java vs .Net
Tejasvi Rastogi
 
VASCAN - Docker and Security
Michael Irwin
 
Heterogeneous multiprocessing on androd and i.mx7
Kynetics
 
COMPILER DESIGN.pdf
AdiseshaK
 
[CB19] Semzhu-Project – A self-made new world of embedded hypervisors and att...
CODE BLUE
 
Multi-Processor computing with OpenMP
Stefan Coetzee
 
Engineer Engineering Software
Yung-Yu Chen
 
Containers > VMs
David Timothy Strauss
 
Hands on OpenCL
Vladimir Starostenkov
 
Memory Forensics in AWS
MarcVilanova1
 
Everything as code
Hepsiburada
 
Explore asp.net core 3.0 features
iFour Technolab Pvt. Ltd.
 
Embedded platform choices
Tavish Naruka
 
Introduction to Ewasm - crosslink taipei 2019
hydai
 
EcoreTools-Next: Executable DSL made (more) accessible
Cédric Brun
 
Craftsmanship in Computational Work
Yung-Yu Chen
 
Linux-Internals-and-Networking
Emertxe Information Technologies Pvt Ltd
 
10 Reasons Why Java Now Rocks More Than Ever
Geert Bevin
 
Zephyr RTOS in One Hour | HARDWARIO @ IoT North UK
HARDWARIO
 
Leveraging Android's Linux Heritage at AnDevCon IV
Opersys inc.
 
Java vs .Net
Tejasvi Rastogi
 
Ad

More from Cysinfo Cyber Security Community (20)

PDF
Understanding Malware Persistence Techniques by Monnappa K A
Cysinfo Cyber Security Community
 
PDF
Understanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
Cysinfo Cyber Security Community
 
PDF
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TK
Cysinfo Cyber Security Community
 
PPTX
Emerging Trends in Cybersecurity by Amar Prusty
Cysinfo Cyber Security Community
 
PDF
A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
Cysinfo Cyber Security Community
 
PDF
Closer look at PHP Unserialization by Ashwin Shenoi
Cysinfo Cyber Security Community
 
PDF
The Art of Executing JavaScript by Akhil Mahendra
Cysinfo Cyber Security Community
 
PDF
Reversing and Decrypting Malware Communications by Monnappa
Cysinfo Cyber Security Community
 
PPTX
Analysis of android apk using adhrit by Abhishek J.M
Cysinfo Cyber Security Community
 
PDF
Understanding evasive hollow process injection techniques monnappa k a
Cysinfo Cyber Security Community
 
PPTX
Security challenges in d2d communication by ajithkumar vyasarao
Cysinfo Cyber Security Community
 
PPTX
S2 e (selective symbolic execution) -shivkrishna a
Cysinfo Cyber Security Community
 
PPTX
Dynamic binary analysis using angr siddharth muralee
Cysinfo Cyber Security Community
 
PPTX
Bit flipping attack on aes cbc - ashutosh ahelleya
Cysinfo Cyber Security Community
 
PDF
Security Analytics using ELK stack
Cysinfo Cyber Security Community
 
PDF
Linux Malware Analysis
Cysinfo Cyber Security Community
 
ODP
Introduction to Binary Exploitation
Cysinfo Cyber Security Community
 
PDF
ATM Malware: Understanding the threat
Cysinfo Cyber Security Community
 
PPTX
XXE - XML External Entity Attack
Cysinfo Cyber Security Community
 
PPT
Image (PNG) Forensic Analysis
Cysinfo Cyber Security Community
 
Understanding Malware Persistence Techniques by Monnappa K A
Cysinfo Cyber Security Community
 
Understanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
Cysinfo Cyber Security Community
 
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TK
Cysinfo Cyber Security Community
 
Emerging Trends in Cybersecurity by Amar Prusty
Cysinfo Cyber Security Community
 
A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
Cysinfo Cyber Security Community
 
Closer look at PHP Unserialization by Ashwin Shenoi
Cysinfo Cyber Security Community
 
The Art of Executing JavaScript by Akhil Mahendra
Cysinfo Cyber Security Community
 
Reversing and Decrypting Malware Communications by Monnappa
Cysinfo Cyber Security Community
 
Analysis of android apk using adhrit by Abhishek J.M
Cysinfo Cyber Security Community
 
Understanding evasive hollow process injection techniques monnappa k a
Cysinfo Cyber Security Community
 
Security challenges in d2d communication by ajithkumar vyasarao
Cysinfo Cyber Security Community
 
S2 e (selective symbolic execution) -shivkrishna a
Cysinfo Cyber Security Community
 
Dynamic binary analysis using angr siddharth muralee
Cysinfo Cyber Security Community
 
Bit flipping attack on aes cbc - ashutosh ahelleya
Cysinfo Cyber Security Community
 
Security Analytics using ELK stack
Cysinfo Cyber Security Community
 
Linux Malware Analysis
Cysinfo Cyber Security Community
 
Introduction to Binary Exploitation
Cysinfo Cyber Security Community
 
ATM Malware: Understanding the threat
Cysinfo Cyber Security Community
 
XXE - XML External Entity Attack
Cysinfo Cyber Security Community
 
Image (PNG) Forensic Analysis
Cysinfo Cyber Security Community
 

Recently uploaded (20)

PDF
top salesforce developer skills in 2025.pdf
CloudMetic
 
PDF
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
PPTX
Embracing Complexity in Serverless! GOTO Serverless Bengaluru
SheenBrisals
 
PDF
Nekopoi APK 2025 free lastest update
umarali35kp
 
PPTX
Odoo POS Development Services by CandidRoot Solutions
CandidRoot Solutions Private Limited
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
PPTX
Why Generative AI is the Future of Content, Code & Creativity?
Webuters Technologies Pvt. Ltd
 
PDF
iTop VPN Free 5.6.0.5262 Crack latest version 2025
itskinga12
 
PDF
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
PDF
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
PPTX
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
PDF
System and Network Administration Chapter 2
jaramharo
 
PPTX
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
PDF
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
PDF
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
PDF
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
ghrom2211g
 
PDF
Cost to Outsource Software Development in 2025
Omega Incorporations- Best Software Development Company
 
PPTX
assetexplorer- product-overview - presentation
nonameist3434
 
PPTX
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
PDF
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
top salesforce developer skills in 2025.pdf
CloudMetic
 
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
Embracing Complexity in Serverless! GOTO Serverless Bengaluru
SheenBrisals
 
Nekopoi APK 2025 free lastest update
umarali35kp
 
Odoo POS Development Services by CandidRoot Solutions
CandidRoot Solutions Private Limited
 
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
Why Generative AI is the Future of Content, Code & Creativity?
Webuters Technologies Pvt. Ltd
 
iTop VPN Free 5.6.0.5262 Crack latest version 2025
itskinga12
 
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
System and Network Administration Chapter 2
jaramharo
 
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
ghrom2211g
 
Cost to Outsource Software Development in 2025
Omega Incorporations- Best Software Development Company
 
assetexplorer- product-overview - presentation
nonameist3434
 
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 

Unicorn: The Ultimate CPU Emulator by Akshay Ajayan

  • 2. About me ➢ Akshay Ajayan (@r00tus3r) ➢ Third year B.Tech CSE Undergraduate ○ @Amrita Vishwa Vidyapeetham ➢ CTF Player ○ @teambi0s ➢ Focusing on Software Reverse Engineering
  • 3. Agenda ➢ CPU Emulator ➢ Unicorn Engine ○ Challenges ○ Qemu vs Unicorn ➢ Demo ➢ Summary
  • 4. CPU Emulator Emulates physical CPU using software only
  • 5. Internals of a CPU Emulator ➢ Decode binary into separate instructions ➢ Emulate exactly what each instruction does ○ ISA Manual reference is required ○ Handle memory access & I/O upon requested ➢ Update CPU context after each step
  • 6. Example of emulation ➢ Ex: 01D1 → add eax, ebx ○ load eax & ebx registers ○ add values of eax & ebx, then copy result to eax ○ update flags OF, SF, ZF, AF, CF, PF accordingly
  • 7. Applications ➢ Emulate the code without needing to have a real CPU ➢ Safely analyze malware code, detect virus signature ➢ Verify code semantics in reversing
  • 8. Unicorn Engine ➢ Open source CPU emulator framework ○ www.unicorn-engine.org ➢ Developed by: ○ Nguyen Anh Quynh ■ Computer Security Researcher ○ Dang Hoang Vu ■ Security engineer and researcher
  • 9. Features ➢ Multi-architectures: Arm, Arm64 (Armv8), M68K, Mips, Sparc, & X86 (include X86_64) ➢ Clean/simple/lightweight architecture-neutral API ➢ Implemented in pure C language, with bindings for Perl, Rust, Python, Java, Go etc
  • 10. ➢ Native support for Windows & *nix (with Mac OSX, Linux, *BSD & Solaris confirmed) ➢ High performance by using JIT compiler technique ➢ Support fine-grained instrumentation at various levels
  • 11. How was it built? ➢ Forked Qemu? ➢ Were there any challenges? ➢ How is it different?
  • 12. Unicorn vs Qemu ➢ Independent and flexible framework ➢ Much more compact in size, lightweight in memory ➢ Thread-safe with multiple architectures supported in a single binary ➢ Provide interface for dynamic instrumentation ➢ And many more...
  • 13. Showcase ➢ Radare2 ➢ Angr ➢ Usercorn ➢ Cuckoo ➢ Pwndbg ➢ ROPChain ➢ Unicorn.Js ➢ Pwntools
  • 14. Intro to Unicorn API ➢ The core provides API in C ○ open & close Unicorn instance ○ start & stop emulation ○ read & write memory & registers ○ instrument with user-defined callbacks for instructions/single-step/memory event etc ➢ Bindings for multiple languages
  • 18. Summary ➢ Open source CPU emulator framework ➢ Multi-architecture, Multi-platform ➢ Core in pure C, and support for multiple binding languages ➢ Build your own tools on top of it ➢ Allows instrumentation at various levels Questions? Ping @r00tus3r