Re: [DynInst_API:] BPatch_dynamicTargetExpr on return statements


Date: Wed, 23 Sep 2015 09:30:57 +0800
From: Marc Brünink <marc@xxxxxxxxx>
Subject: Re: [DynInst_API:] BPatch_dynamicTargetExpr on return statements

Dear Allison,

I am using the normal mode. At least I never told Dyninst to use defensive mode. I am running on an x86_64. It is a 3.13.0-37-generic Linux kernel.

Marc


On 22/09/2015 23:07, Allison Morris wrote:
Hi Marc,

The dynamicTargetExpr was added a few years ago to assist in analyzing malicious binaries. We haven't significantly tested it in a while, and after I ran a quick test, it appears to be broken in the latest release. However, proper functionality should let you obtain the target address of the return.

I'm going to look into this issue to see if we can find a fix. If you don't mind, can you also tell me which platform you are using and are you running Dyninst in normal or defensive mode?

Thanks,

Allison

________________________________________
From: Dyninst-api <dyninst-api-bounces@xxxxxxxxxxx> on behalf of Marc Brünink <marc@xxxxxxxxx>
Sent: Monday, September 21, 2015 5:28 AM
To: dyninst-api@xxxxxxxxxxx
Subject: [DynInst_API:] BPatch_dynamicTargetExpr on return statements

Dear all,

I am trying to understand BPatch_dynamicTargetExpr. Things I did:

1. Create an empty function.
     function (0x4015b9)
       Basic Block (4015b9 to 4015bf) (entry: 1) (exit: 1):
         4015b9  push RBP, RSP
         4015ba  mov RBP, RSP
         4015bd  pop RBP, RSP
         4015be  ret near [RSP]

2. Find the single exit point of the empty function.
     It is 4015be.

3. Insert a snippet to a function that receives a void* and prints it.
     Pass dynamicTargetExpr() as argument

4. Alternative to 3:
     BPatchSnippetHandle* handle = process->insertSnippet(
         BPatch_arithExpr(BPatch_assign, *v, BPatch_dynamicTargetExpr()),
         *exit_points,
         BPatch_callAfter);
     with v being a BPatch_variableExpr that is a static void*.

I expected to get the target of the return.
I got pretty much random values.

Currently I am using the slightly outdated version 5d54538 from 15th April.

Questions:
1. Can I use dynamicTargetExpr on return statements?
2. If yes, how do I use dynamicTargetExpr?
3. What constraints exist regarding the usage of dynamicTargetExpr?
4. Is this a known issue that is fixed in a newer version?

Marc

