How does dynamorio handle following scenario?


Avalon

Sep 5, 2021, 9:26:17 AM
to DynamoRIO Users
void __fastcall Function1(unsigned char* shellcode, unsigned long len) {
  recv(SOCKET, shellcode, len, flags);
  ....
  ((void (*)(void))shellcode)();  /* indirect call into the received bytes */
}

or

Function1
  0x9394929 call ecx


Will the basic blocks of the code contained in ecx trigger bb_events?
e.g. will you be able to loop over the code with instrlist_first, instr_get_next?




Avalon

Sep 5, 2021, 11:39:04 AM
to DynamoRIO Users

What happens if another thread in the process does the following to a thread: SuspendThread, changes its IP to an address, ResumeThread - will DynamoRIO find the code?

What happens in the following example - will DynamoRIO find the code?
0x9394927 or edx, ebx  <-- some calculation
0x9394929 add eax, edx  <-- some add
0x939492A jmp eax <-- and a jump!

Derek Bruening

Sep 6, 2021, 11:36:51 AM
to dynamor...@googlegroups.com
It sounds like you're just asking whether DR follows indirect calls: the answer is yes (otherwise it would lose control on just about every single program).


Derek Bruening

Sep 6, 2021, 11:38:39 AM
to dynamor...@googlegroups.com
On Sun, Sep 5, 2021 at 11:38 AM Avalon <patrick...@gmail.com> wrote:
> What happens if another thread in the process does to a process SuspendThread, changes IP to address, ResumeThread - will Dynamorio find the code?

Yes, DR watches the NtSuspendThread, NtSetContextThread, and NtResumeThread system calls and maintains control on changes to the PC.

> What happens if (the following example) will Dynamorio find the code?
> 0x9394927 or edx, ebx  <-- some calculation
> 0x9394929 add eax, edx  <-- some add
> 0x939492A jmp eax <-- and a jump!

This is like your earlier question: yes, all indirect transfers are followed.
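The loop the original question asks about (instrlist_first / instr_get_next over the blocks that DR builds when it follows an indirect call or jump) looks like the following. This is an added example, not code from the thread or from the DynamoRIO project: a minimal client that counts, at block-build time, the blocks ending in an indirect call or jump and flags blocks whose start address lies outside any loaded module, which is where code received over a socket and called through a register would show up. It is built against the DynamoRIO SDK header dr_api.h; the client name, report URL and library file name are assumptions.

```c
/* Added example (not from the thread or the DynamoRIO project): a minimal
 * DynamoRIO client that counts basic blocks ending in an indirect transfer
 * and flags blocks whose code lies outside any loaded module.
 * Build against the DynamoRIO SDK (dr_api.h) and run, for example, as
 *   drrun -c libindirect_bbs.so -- ./target        (file name is an assumption)
 */
#include "dr_api.h"
#include <stddef.h>

static void *count_lock;            /* protects the counters below */
static unsigned long num_bbs;       /* every application block DR built */
static unsigned long num_ind_bbs;   /* blocks ending in call/jmp via register or memory */
static unsigned long num_nomodule;  /* blocks whose start pc lies outside any loaded module */

/* True if the block's last instruction is an indirect call or an indirect
 * jump. instr_is_mbr() covers indirect jmp, indirect call and ret; returns
 * are excluded because the thread is about "call ecx" and "jmp eax". */
static bool ends_in_indirect_transfer(instrlist_t *bb)
{
    instr_t *last = instrlist_last(bb);
    return last != NULL && instr_is_mbr(last) && !instr_is_return(last);
}

static dr_emit_flags_t
event_basic_block(void *drcontext, void *tag, instrlist_t *bb,
                  bool for_trace, bool translating)
{
    app_pc start = dr_fragment_app_pc(tag);
    module_data_t *mod;
    unsigned int ninstrs = 0;
    instr_t *instr;

    /* for_trace / translating are re-walks of code DR has already seen;
     * count each application block once, when it is first built. */
    if (for_trace || translating)
        return DR_EMIT_DEFAULT;

    /* The loop the original poster asks about. A block reached through
     * "call ecx" or "jmp eax" is built, and this event fires, the first time
     * the application actually transfers control to that address. */
    for (instr = instrlist_first(bb); instr != NULL; instr = instr_get_next(instr))
        ninstrs++;

    mod = dr_lookup_module(start);

    dr_mutex_lock(count_lock);
    num_bbs++;
    if (ends_in_indirect_transfer(bb))
        num_ind_bbs++;
    if (mod == NULL) {
        /* No backing module: JIT output, or bytes written into an executable
         * buffer and then called (the recv() + shellcode() case above). */
        num_nomodule++;
        dr_fprintf(STDERR, "bb @ %p (%u instrs) outside any module\n",
                   (void *)start, ninstrs);
    }
    dr_mutex_unlock(count_lock);

    if (mod != NULL)
        dr_free_module_data(mod);
    return DR_EMIT_DEFAULT;
}

static void event_exit(void)
{
    dr_fprintf(STDERR,
               "blocks built: %lu, ending in indirect call/jmp: %lu, outside modules: %lu\n",
               num_bbs, num_ind_bbs, num_nomodule);
    dr_mutex_destroy(count_lock);
}

DR_EXPORT void dr_client_main(client_id_t id, int argc, const char *argv[])
{
    /* Name and URL are placeholders for this example. */
    dr_set_client_name("indirect_bbs (added example)", "https://example.invalid");
    count_lock = dr_mutex_create();
    dr_register_bb_event(event_basic_block);
    dr_register_exit_event(event_exit);
}
```

Two points this makes concrete for the thread's question: the target of an indirect transfer is discovered at run time, so its block (and the bb event for it) appears only once the application actually jumps there, never earlier; and the "outside any module" check is the cheap way for an analysis client to notice blocks built from memory that no loaded image accounts for.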

Avalon

Sep 6, 2021, 2:41:28 PM
to DynamoRIO Users
Ok, it follows control through indirect calls, indirect transfers and thread context switches.  That sounds very promising.
So if it ever loses control, it's basically a bug that I can report on Github. 

Thank you for the answers.


"It sounds like you're just asking whether DR follows indirect calls: the answer is yes (otherwise it would lose control on just about every single program)."
"Yes, DR watches the NtSuspendThread, NtSetContextThread, and NtResumeThread system calls and maintains control on changes to the PC."
