[DynInst_API:] Function Entry Point Recognition in Stripped Binaries


Date: Wed, 06 Jan 2016 11:43:12 -0500
From: Shuai Wang <wangshuai901@xxxxxxxxx>
Subject: [DynInst_API:] Function Entry Point Recognition in Stripped Binaries
Dear list,

I am writing to ask how to use DynInst to recognize function entry points (memory addresses) in stripped binaries.


I successfully installed the 32-bit DynInst 9.10, and I use a DynInst script that iterates over all the functions with the following commands to dump all the function entry point addresses from stripped binaries.

          ......
          vector<BPatch_module *> * modules = appImage->getModules();
          ......
          vector<BPatch_module *>::iterator module_iter;
          for(module_iter = modules->begin(); module_iter != modules->end(); ++module_iter) {
             vector<BPatch_function *> * funcs = (*module_iter)->getProcedures();
             vector<BPatch_function *>::iterator func_iter;
             for(func_iter = funcs->begin(); func_iter != funcs->end(); ++func_iter) {
                char functionName[1024];
                (*func_iter)->getName(functionName, 1024);
                cout << "-- Function : " << functionName << " --" << endl;
             }
          }
          ......

I extract the function entry point addresses from the function names.

I tested some LLVM-compiled Coreutils binaries at the O2 optimization level, and the precision/recall rate is generally very good! Precision: 0.99; Recall: 0.91

According to this paper, Section 6.2, on average DynInst can achieve over 0.97 precision and 0.93 recall on 32-bit ELF binaries. This is very consistent with my test! But still, I am not sure whether I did everything correctly.

So here are my questions:

1. It seems that by leveraging machine learning methods to recognize functions, DynInst needs a training process before recognition, but I didn't do any training (although the results are pretty good). Is there anything in particular I have to do before using DynInst?

2. If there is a "pre-trained" model installed in DynInst 9.10 already, what kind of binaries does this model cover? For example, can I use it to test 32-bit ELF binaries compiled by LLVM with O3? Or by ICC with O3?

Am I clear enough? I would appreciate it if anyone can give me some help!

Sincerely,
Shuai
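The precision/recall measurement described in the post, as an added example (not part of the original message or of Dyninst): it parses the "-- Function : name --" lines the poster's script prints, recovers entry addresses from the names, and scores them against a ground-truth set. It assumes Dyninst names functions that have no symbol as "targ" followed by the hex entry address; the dump lines and ground-truth addresses below are constructed sample data.

```python
import re
from typing import List, Set, Tuple

# Constructed sample output in the format printed by the poster's script
# (not a real Dyninst run). Assumption: symbol-less functions are named
# "targ<hex entry address>" by Dyninst.
DUMP = """\
-- Function : targ8048400 --
-- Function : targ8048450 --
-- Function : targ80484a0 --
-- Function : targ8048510 --
-- Function : printf --
-- Function : targ8048600 --
"""

# Constructed ground truth: entry points as they would come from the
# symbol table of the unstripped build of the same binary.
GROUND_TRUTH = {0x8048400, 0x8048450, 0x80484a0, 0x8048500, 0x8048510, 0x8048580}

_LINE = re.compile(r"^-- Function : (\S+) --$")
_TARG = re.compile(r"^targ([0-9a-fA-F]+)$")


def parse_dump(text: str) -> Tuple[Set[int], List[str]]:
    """Return (entry addresses recovered from names, names carrying no address)."""
    found: Set[int] = set()
    skipped: List[str] = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # ignore lines that are not function records
        t = _TARG.match(m.group(1))
        if t:
            found.add(int(t.group(1), 16))
        else:
            # A real symbol name (e.g. from the dynamic symbol table) carries no
            # address in its name; BPatch_function::getBaseAddr() would give it.
            skipped.append(m.group(1))
    return found, skipped


def precision_recall(found: Set[int], truth: Set[int]) -> Tuple[float, float]:
    """Precision = correct / reported, recall = correct / ground truth."""
    tp = len(found & truth)
    precision = tp / len(found) if found else 0.0
    recall = tp / len(truth) if truth else 0.0
    return precision, recall


if __name__ == "__main__":
    addrs, names = parse_dump(DUMP)
    p, r = precision_recall(addrs, GROUND_TRUTH)
    print(f"precision={p:.2f} recall={r:.2f} skipped={names}")
```

Functions that keep a real name are counted separately so the score reflects only what the name-parsing approach can recover; reading the address with getBaseAddr() avoids that gap entirely.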