Redirect execution


Nicola Bottura

Aug 23, 2021, 10:49:08 AM
to DynamoRIO Users
Hi everyone,

what I'm trying to do is to redirect the execution of the target program from a post callback of a specific Windows API to another API that I previously encountered.
But after the redirection I want to let the target program execute normally forward, reaching again the first API that led the program to a redirection, so, a sort of rewind of the program.
What I did until now was trying with drwrap_redirect_execution, but after executing the API from where I want to restart the program, it exits normally without reaching the first API again.
This may be a dumb question but I'm stuck here and I don't know what to do, and I'm not even sure this thing is possible, to be honest.

Thanks for your help, best regards,
Nicola

assad.hashm...@gmail.com

Aug 23, 2021, 12:50:47 PM
to DynamoRIO Users
Hi Nicola,
Can you provide more details of the drwrap client code you are using?
Can you clarify what it is exactly you want to do?
A rewind suggests a significant change in the sequence of target program execution which may require more than the drwrap extension.
Depending on what it is exactly you want to do, you may have to detect a relevant event to trigger the change in target program execution sequence.

Nicola Bottura

Aug 24, 2021, 3:25:43 AM
to DynamoRIO Users

Hi Assad,
sorry if I wasn't clear and thank you for the reply.
Essentially what I want to do is similar to what WinAfl does, but instead of redirecting to a specific function that I want to fuzz and then exiting, I want to fuzz that function and then continue with the normal execution of the program, as if the redirection behaves like a jump back in the program's code so that after this operation it can continue with the execution.
The jump back happens when I hit a specific API that I wrapped, for example strcmp.
Let's say that strcmp is encountered in the program; I jump back to another API that I have seen previously and for which I have saved the mcontext details when I first hit it, then it continues with the execution and so reaches strcmp again and checks its arguments to see if they have changed.
I don't want to put together the wrapping and also the instruction modification, it seems like a mess to me, so I wonder if there is a more elegant way to do this with drwrap, because in the end what I want to do is analyse the APIs that I encounter, so I must use it.
Up to now the code I used is pretty standard: I have the load event where I decide which functions to wrap and then the pre/post-execution functions for each of them where I do the stuff.
As previously said until now I tried with drwrap_redirect_execution since I'm taking inspiration from WinAfl.

Have a nice day,
Nicola

Derek Bruening

Aug 31, 2021, 12:09:30 PM
to dynamor...@googlegroups.com
drwrap_redirect_execution() is the right approach.  That is what drfuzz uses to repeatedly execute the same function over and over: https://github.com/DynamoRIO/drmemory/blob/master/drfuzz/drfuzz.c#L756
Since this is only restoring the register state, memory is *not* being rewound, and so all kinds of things could go wrong when restoring across arbitrary application execution (drfuzz has constraints on what the repeated function can do to avoid these problems).  I would guess that's what the problem is: you're correctly restoring the registers, but the program depends on memory values which are not being restored.  You would likely have to debug the code leading to the exit to figure out which memory values it needs.  You could conceivably checkpoint and restore those as well.
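A constructed illustration of the failure mode described above, added here and not part of the thread or of DynamoRIO's own code. setjmp/longjmp stand in for the register-only restore that drwrap_redirect_execution performs (in a real client the checkpoint would be the dr_mcontext_t obtained from drwrap_get_mcontext in the first API's pre-callback), and a small struct stands in for the application memory that the code between the two APIs depends on. The names app_state_t, run_to_strcmp, reset_app and the "KEY" input are all made up for this example.

```c
#include <setjmp.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the target program's memory: an input buffer and a
 * parse position that the program advances before it reaches its strcmp call. */
typedef struct {
    char input[16];
    int  pos;
} app_state_t;

static app_state_t g_app;          /* application memory */
static jmp_buf     g_checkpoint;   /* stand-in for the dr_mcontext_t saved at the first API */
static int         g_passes;       /* how many times the "strcmp" site was reached */

/* The application code between the first API and the wrapped strcmp: it has a
 * memory side effect (pos advances) that a register-only rewind does not undo. */
static int run_to_strcmp(void)
{
    g_app.pos += 4;
    g_passes++;
    return strncmp(g_app.input + g_app.pos, "KEY", 3) == 0;
}

static void reset_app(void)
{
    memset(&g_app, 0, sizeof g_app);
    strcpy(g_app.input, "abcdKEY");   /* constructed input: "KEY" sits at offset 4 */
    g_passes = 0;
}

int last_pass_count(void) { return g_passes; }

/* Register-only rewind: longjmp restores the stack/register state captured by
 * setjmp, just as drwrap_redirect_execution restores a saved mcontext, but
 * g_app.pos keeps the value from the previous pass. Returns how many of the
 * `passes` executions saw the expected "KEY" at the compare site. */
int rewind_registers_only(int passes)
{
    volatile int matches = 0;      /* volatile: modified between setjmp and longjmp */
    reset_app();
    setjmp(g_checkpoint);          /* "first API": checkpoint registers only */
    matches += run_to_strcmp();    /* program runs forward to the wrapped strcmp */
    if (g_passes < passes)
        longjmp(g_checkpoint, 1);  /* post-callback: redirect back to the first API */
    return matches;                /* only the first pass matches */
}

/* Same rewind, but the client also snapshots the memory the program depends on
 * at checkpoint time and restores it before redirecting. */
int rewind_with_memory_checkpoint(int passes)
{
    volatile int matches = 0;
    static app_state_t snapshot;
    reset_app();
    snapshot = g_app;              /* memory checkpoint taken with the register checkpoint */
    setjmp(g_checkpoint);
    matches += run_to_strcmp();
    if (g_passes < passes) {
        g_app = snapshot;          /* restore memory before restoring registers */
        longjmp(g_checkpoint, 1);
    }
    return matches;                /* every pass matches */
}

int main(void)
{
    printf("registers only: %d of 3 passes matched\n", rewind_registers_only(3));
    printf("with memory checkpoint: %d of 3 passes matched\n",
           rewind_with_memory_checkpoint(3));
    return 0;
}
```

The register-only version reaches the compare site three times but only the first pass sees the expected argument, which is the symptom reported in the thread: control returns to the first API, yet the program's memory has moved on, so the later passes diverge. Which memory has to be captured is program-specific, which is why the reply above suggests debugging the path to the exit to find it.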
