Re: [DynInst_API:] BPatch_dynamicTargetExpr on return statements


Date: Tue, 22 Sep 2015 15:07:08 +0000
From: Allison Morris <amorris@xxxxxxxxxxx>
Subject: Re: [DynInst_API:] BPatch_dynamicTargetExpr on return statements
Hi Marc,

The dynamicTargetExpr was added a few years ago to assist in analyzing malicious binaries. We haven't significantly tested it in a while, and after I ran a quick test, it appears to be broken in the latest release. However, proper functionality should let you obtain the target address of the return. 

I'm going to look into this issue to see if we can find a fix. If you don't mind, can you also tell me which platform you are using and whether you are running Dyninst in normal or defensive mode?

Thanks,

Allison

________________________________________
From: Dyninst-api <dyninst-api-bounces@xxxxxxxxxxx> on behalf of Marc Brünink <marc@xxxxxxxxx>
Sent: Monday, September 21, 2015 5:28 AM
To: dyninst-api@xxxxxxxxxxx
Subject: [DynInst_API:] BPatch_dynamicTargetExpr on return statements

Dear all,

I am trying to understand BPatch_dynamicTargetExpr. Things I did:

1. Create an empty function.
    function (0x4015b9)
      Basic Block (4015b9 to 4015bf) (entry: 1) (exit: 1):
        4015b9  push RBP, RSP
        4015ba  mov RBP, RSP
        4015bd  pop RBP, RSP
        4015be  ret near [RSP]

2. Find the single exit point of the empty function.
    It is 4015be.

3. Insert a snippet to a function that receives a void* and print it.
    Pass dynamicTargetExpr() as argument

4. Alternative to 3:
    BPatchSnippetHandle* handle = process->insertSnippet(
        BPatch_arithExpr(BPatch_assign, *v, BPatch_dynamicTargetExpr()),
        *exit_points,
        BPatch_callAfter);
    with v being a BPatch_variableExpr that is a static void*.

I expected to get the target of the return.
I got pretty much random values.

Currently I am using the slightly outdated version 5d54538 from 15th April.

Questions:
1. Can I use dynamicTargetExpr on return statements?
2. If yes, how to use dynamicTargetExpr?
3. What constraints exist regarding the usage of dynamicTargetExpr?
4. Is this a known issue that is fixed in a newer version?

Marc

