Re: [DynInst_API:] BPatch_dynamicTargetExpr on return statements


Date: Wed, 23 Sep 2015 20:30:19 +0000
From: Allison Morris <amorris@xxxxxxxxxxx>
Subject: Re: [DynInst_API:] BPatch_dynamicTargetExpr on return statements
Marc,

I believe this is the first time we have tried using dynamicTargetExpr on x86_64 Linux. As I mentioned before, this was created for use in defensive mode, which is only supported on 32-bit Windows. I have found a bug in our code generation for this expression, but I haven't tested the 64-bit version yet. It looks like that will also be a quick fix, and I should be able to produce a patch soon. 

Best,

Allison

________________________________________
From: Marc Brünink <marc@xxxxxxxxx>
Sent: Tuesday, September 22, 2015 8:30 PM
To: Allison Morris; dyninst-api@xxxxxxxxxxx
Subject: Re: [DynInst_API:] BPatch_dynamicTargetExpr on return statements

Dear Allison,

I am using the normal mode. At least I never told dyninst to use
defensive mode. I am running on an x86_64. It is a 3.13.0-37-generic
Linux kernel.

Marc


On 22/09/2015 23:07, Allison Morris wrote:
> Hi Marc,
>
> The dynamicTargetExpr was added a few years ago to assist in analyzing malicious binaries. We haven't significantly tested it in a while, and after I ran a quick test, it appears to be broken in the latest release. However, proper functionality should let you obtain the target address of the return.
>
> I'm going to look into this issue to see if we can find a fix. If you don't mind, can you also tell me which platform you are using and whether you are running Dyninst in normal or defensive mode?
>
> Thanks,
>
> Allison
>
> ________________________________________
> From: Dyninst-api <dyninst-api-bounces@xxxxxxxxxxx> on behalf of Marc Brünink <marc@xxxxxxxxx>
> Sent: Monday, September 21, 2015 5:28 AM
> To: dyninst-api@xxxxxxxxxxx
> Subject: [DynInst_API:] BPatch_dynamicTargetExpr on return statements
>
> Dear all,
>
> I am trying to understand BPatch_dynamicTargetExpr. Things I did:
>
> 1. Create an empty function.
>      function (0x4015b9)
>        Basic Block (4015b9 to 4015bf) (entry: 1) (exit: 1):
>          4015b9  push RBP, RSP
>          4015ba  mov RBP, RSP
>          4015bd  pop RBP, RSP
>          4015be  ret near [RSP]
>
> 2. Find the single exit point of the empty function.
>      It is 4015be.
>
> 3. Insert a snippet calling a function that receives a void* and prints it.
>      Pass dynamicTargetExpr() as the argument.
>
> 4. Alternative to 3:
>       BPatchSnippetHandle* handle = process->insertSnippet(
>           BPatch_arithExpr(BPatch_assign, *v, BPatch_dynamicTargetExpr()),
>           *exit_points,
>           BPatch_callAfter);
>      with v being a BPatch_variableExpr that is a static void*.
>
> I expected to get the target of the return.
> I got pretty much random values.
>
> Currently I am using a slightly outdated version, 5d54538 from 15th
> April.
>
> Questions:
> 1. Can I use dynamicTargetExpr on return statements?
> 2. If yes, how to use dynamicTargetExpr?
> 3. What constraints exist regarding the usage of dynamicTargetExpr?
> 4. Is this a known issue that is fixed in a newer version?
>
> Marc
>
>
> _______________________________________________
> Dyninst-api mailing list
> Dyninst-api@xxxxxxxxxxx
> https://lists.cs.wisc.edu/mailman/listinfo/dyninst-api
>


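As an added illustration of what the original post expected the expression to yield (this is not code from the thread or from Dyninst): when a function's only exit is a `ret`, the target of that return is the saved return address sitting at [RSP] when the `ret` executes. A mutator that captures a value at the exit point can compare it against that known-good value instead of eyeballing "random-looking" numbers. The C program below is a small test mutatee written for this page; `empty_function`, `call_and_get_expected` and `target_is_plausible` are hypothetical names, `__builtin_return_address(0)` is the GCC/Clang oracle for the return target, and the 4096-byte caller-size bound is an assumption that holds for the tiny caller used here.

```c
/* Added example, not part of the thread or of Dyninst.
 * A test mutatee that records the value a correct
 * BPatch_dynamicTargetExpr() on a function's `ret` should produce,
 * so that a mutator's captured value can be checked against it. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Return target recorded by the callee; the value a correct
 * dynamicTargetExpr() at the `ret` of empty_function would give. */
static void *g_expected_target;

/* Counterpart of the empty function in the original post: its only exit
 * is a `ret`, and the target of that `ret` is the saved return address,
 * which __builtin_return_address(0) reads for us (GCC/Clang builtin).
 * noinline keeps the call and the `ret` real, as an instrumented
 * binary would have them. */
__attribute__((noinline)) void empty_function(void) {
    g_expected_target = __builtin_return_address(0);
}

/* The call site. The return target must point just past the `call`
 * instruction, i.e. somewhere inside this function's code. */
__attribute__((noinline)) void *call_and_get_expected(void) {
    empty_function();
    return g_expected_target;
}

/* Sanity check a mutator can apply to a value captured at an exit point:
 * a genuine return target lies strictly after the start of the calling
 * function and within its body (caller_max_bytes is an assumed upper
 * bound on the caller's size; 4096 is generous for the caller above).
 * A garbage value, NULL, or a pointer into some other function fails. */
int target_is_plausible(const void *captured, const void *caller_fn,
                        size_t caller_max_bytes) {
    uintptr_t t = (uintptr_t)captured;
    uintptr_t f = (uintptr_t)caller_fn;
    return t > f && t < f + caller_max_bytes;
}

int main(void) {
    void *expected = call_and_get_expected();
    printf("expected return target: %p (caller starts at %p)\n",
           expected, (void *)call_and_get_expected);
    return target_is_plausible(expected, (void *)call_and_get_expected, 4096)
               ? 0 : 1;
}
```

In practice the instrumented build of such a mutatee gives the mutator a reference: the value obtained through the snippet at the exit point of `empty_function` should match what the mutatee itself recorded, and anything that fails `target_is_plausible` points at broken code generation for the expression rather than at the mutator.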