A tool that takes a snapshot of an ELF execution context and runs it with unicorn-engine.
It captures memory, registers and mappings at runtime and delivers them to unicorn-engine.
- Take snapshot at specific address (or entry point)
- Take snapshot of process by PID
- Save/Load the context to/from file
- x86 AVX support with hooking
- Remote debugging via udbserver
Please check out my blog to install the dependencies.
Just use make to compile:
make
I use a simple ELF, build/example, as an example: you can input your name and it will say hello to you.
Use the following command; it takes a snapshot when execution hits the entry point and starts emulating it in unicorn:
./snapcorn build/example
In this example, you will see this:
...
[+] Getting FPU/MMX/SSE Registers (ST, XMM)...
[+] Getting AVX/AVX-512 Registers (YMM, ZMM, K)...
[+] Start Emulating
===========================================
And you can enter your name, it will say hello to you:
aaa
Hello, aaa
===========================================
[+] DONE
You can first execute your program, use ps aux to find the PID of that process (for example 12345), and attach to it with the -p option:
./snapcorn -p 12345
For both of the above snapshot methods, you can also write the captured context to a file with the -o option:
./snapcorn -p 12345 -o out
You can use -l to load the context from the exported file and start the emulation:
./snapcorn -l out
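The description above says a snapshot is the process's memory, registers and mappings, and the -o/-l options write that context to a file and read it back. The following is an added example, not snapcorn's own code or file format, showing the pieces such a snapshot needs: parsing /proc/PID/maps lines (a constructed sample is embedded) into page regions with unicorn-style protection bits, bundling them with a register set, serialising the bundle, loading it again, and turning it into the ordered unicorn calls (mem_map, mem_write, reg_write) that rebuild the context. The UC_PROT_* values mirror unicorn's constants so the script runs without the unicorn module; the memory reader, the snapshot layout and the register-name strings are assumptions of this example.

```python
"""Toy snapshot container: /proc/PID/maps -> regions -> file -> unicorn restore plan."""
import json
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Same numeric values as unicorn's UC_PROT_* (unicorn.unicorn_const), redefined
# here so the example runs offline without the unicorn package installed.
UC_PROT_NONE, UC_PROT_READ, UC_PROT_WRITE, UC_PROT_EXEC = 0, 1, 2, 4
PAGE = 0x1000

# Kernel-backed mappings that cannot be read back through /proc/PID/mem; a
# snapshot tool either skips them or hooks accesses to them in the emulator.
SKIP_NAMES = ("[vvar]", "[vsyscall]")


@dataclass
class Region:
    start: int
    size: int
    prot: int
    name: str
    data: bytes = b""


@dataclass
class Snapshot:
    arch: str
    regs: Dict[str, int]
    regions: List[Region]


def perms_to_prot(perms: str) -> int:
    """Translate the 'rwxp' column of /proc/PID/maps into UC_PROT_* bits."""
    prot = UC_PROT_NONE
    if perms[0] == "r":
        prot |= UC_PROT_READ
    if perms[1] == "w":
        prot |= UC_PROT_WRITE
    if perms[2] == "x":
        prot |= UC_PROT_EXEC
    return prot


def parse_maps(text: str) -> List[Region]:
    """Parse /proc/PID/maps lines into page-aligned regions (unicorn requires alignment)."""
    regions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(None, 5)            # addr perms offset dev inode [path]
        name = fields[5].strip() if len(fields) > 5 else ""
        if name in SKIP_NAMES:
            continue
        lo, hi = (int(x, 16) for x in fields[0].split("-"))
        if lo % PAGE or hi % PAGE:
            raise ValueError(f"unaligned mapping: {line}")
        regions.append(Region(lo, hi - lo, perms_to_prot(fields[1]), name))
    return regions


def take_snapshot(maps_text: str, regs: Dict[str, int],
                  read_mem: Callable[[int, int], bytes]) -> Snapshot:
    """Fill each region's bytes via read_mem (stand-in for reading /proc/PID/mem)."""
    regions = parse_maps(maps_text)
    for r in regions:
        r.data = read_mem(r.start, r.size)
    return Snapshot("x86_64", regs, regions)


def save_snapshot(snap: Snapshot) -> bytes:
    """Assumed layout: 8-byte LE header length, JSON header, then raw region bytes."""
    blobs, meta = b"", []
    for r in snap.regions:
        meta.append({"start": r.start, "size": r.size, "prot": r.prot,
                     "name": r.name, "off": len(blobs), "len": len(r.data)})
        blobs += r.data
    header = json.dumps({"arch": snap.arch, "regs": snap.regs, "regions": meta}).encode()
    return struct.pack("<Q", len(header)) + header + blobs


def load_snapshot(buf: bytes) -> Snapshot:
    (hlen,) = struct.unpack_from("<Q", buf, 0)
    header = json.loads(buf[8:8 + hlen])
    base = 8 + hlen
    regions = []
    for m in header["regions"]:
        data = buf[base + m["off"]: base + m["off"] + m["len"]]
        if len(data) != m["len"]:
            raise ValueError("truncated snapshot file")  # refuse a partially written file
        regions.append(Region(m["start"], m["size"], m["prot"], m["name"], data))
    return Snapshot(header["arch"], {k: int(v) for k, v in header["regs"].items()}, regions)


def restore_plan(snap: Snapshot) -> List[Tuple]:
    """Ordered unicorn calls that rebuild the context: map, fill, then set registers.
    A real caller would issue uc.mem_map(start, size, prot), uc.mem_write(start, data)
    and uc.reg_write(UC_X86_REG_*, value); register names are mapped to ids there."""
    plan = [("mem_map", r.start, r.size, r.prot) for r in snap.regions]
    plan += [("mem_write", r.start, r.data) for r in snap.regions if r.data]
    plan += [("reg_write", name, val) for name, val in snap.regs.items()]
    return plan


# Constructed /proc/PID/maps sample for a small static binary (not a real process).
SAMPLE_MAPS = """\
00400000-00401000 r--p 00000000 08:01 1234 /tmp/example
00401000-00402000 r-xp 00001000 08:01 1234 /tmp/example
00402000-00403000 rw-p 00002000 08:01 1234 /tmp/example
7ffff7fc1000-7ffff7fc5000 r--p 00000000 00:00 0 [vvar]
7ffff7fc5000-7ffff7fc7000 r-xp 00000000 00:00 0 [vdso]
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0 [vsyscall]
"""

# Constructed memory contents keyed by region start, standing in for /proc/PID/mem.
FAKE_MEM = {
    0x401000: b"\x48\x31\xc0\xc3".ljust(PAGE, b"\x00"),  # xor eax,eax ; ret
    0x402000: b"Hello, %s\n\x00",
}


def demo() -> Snapshot:
    """Snapshot the constructed process, round-trip it through bytes, return the result."""
    read_mem = lambda start, size: FAKE_MEM.get(start, b"")[:size]
    snap = take_snapshot(SAMPLE_MAPS, {"rip": 0x401000, "rsp": 0x7FFFFFFFE000}, read_mem)
    return load_snapshot(save_snapshot(snap))


if __name__ == "__main__":
    for step in restore_plan(demo()):
        print(step[0], *[hex(a) if isinstance(a, int) else a for a in step[1:]])
```

Regions with no captured bytes are still mapped so that accesses to them fault in the emulator exactly as unmapped memory would, rather than silently reading zeros; the mem_write for a region is skipped only when nothing was read.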
You can use -gdb to start a gdb server on a specific port (for example 1234):
./snapcorn -l out -gdb 1234
- kernel support?
- more arch support?
This project is licensed under GPLv2 and includes the following third-party software:
- unicorn
- License: GPLv2
- Source code: https://github.com/unicorn-engine/unicorn
- udbserver
- License: MIT
- Source code: https://github.com/unicorn-engine/unicorn
- Note: Please refer to LICENSE-udbserver.txt for details