Hi Derek, Team,
stupid question, I am using the following code in my client (started via drrun). I tested it with 3-4 samples and it seems to work, but could you double check whether you see any caveats or issues with the implementation? The goal is to parse certain fields of the PE header of the sample that is instrumented with the DynamoRIO client.
drrun.exe" -no_follow_children -c tracer.dll" -s 140001490 -e 1400014B9 -m hello_world_x64.exe -- hello_world_x64.exe
....
dr_insert_clean_call(drcontext, bb, instr, process_instr_trace_instr, FALSE, 2, OPND_CREATE_INTPTR(instr_addr), OPND_CREATE_INTPTR(trace_para));
....
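/*
 * Reads the DOS and NT headers of the first module enumerated for hProcess
 * and logs image base, entry point and image size.
 *
 * All header fields come from the instrumented sample's own image, so they
 * are treated as untrusted data: every read is checked for completeness,
 * both signatures are verified, and e_lfanew is rejected if negative before
 * it is used in pointer arithmetic.
 *
 * Returns TRUE on success. On failure an [ERROR] line has already been
 * logged and FALSE is returned; the caller owns hProcess and decides whether
 * to terminate.
 *
 * NOTE: IMAGE_NT_HEADERS is the variant matching this client's bitness;
 * a sample of the other bitness is not handled here.
 */
static BOOL dump_pe_headers(HANDLE hProcess)
{
    HMODULE hMods[1024];
    DWORD cbNeeded = 0;
    IMAGE_DOS_HEADER dosHeader;
    IMAGE_NT_HEADERS ntHeaders;
    SIZE_T bytesRead = 0;

    /* The original silently did nothing when the enumeration failed or
     * returned no modules; report it instead so a missing dump is explained. */
    if (!EnumProcessModules(hProcess, hMods, sizeof(hMods), &cbNeeded) ||
        cbNeeded < sizeof(HMODULE)) {
        dr_printf("[ERROR] [process_instr_trace_instr] EnumProcessModules failed: %lu\n", GetLastError());
        return FALSE;
    }
    /* hMods[0] is assumed to be the main executable — TODO confirm this holds
     * for every sample run under DynamoRIO. */
    LPBYTE baseAddress = (LPBYTE)hMods[0];

    // DOS header: a short read is treated as a failure, not just a FALSE return.
    if (!ReadProcessMemory(hProcess, baseAddress, &dosHeader, sizeof(dosHeader), &bytesRead) ||
        bytesRead != sizeof(dosHeader)) {
        dr_printf("[ERROR] [process_instr_trace_instr] Reading DOS-Headers failed: %lu\n", GetLastError());
        return FALSE;
    }
    if (dosHeader.e_magic != IMAGE_DOS_SIGNATURE) {
        dr_printf("[ERROR] [process_instr_trace_instr] Invalid DOS-Header.\n");
        return FALSE;
    }
    /* e_lfanew is a signed LONG taken from the image; a negative value would
     * point before the module base. */
    if (dosHeader.e_lfanew < 0) {
        dr_printf("[ERROR] [process_instr_trace_instr] Invalid DOS-Header.\n");
        return FALSE;
    }

    // NT headers
    LPVOID ntHeaderAddress = baseAddress + dosHeader.e_lfanew;
    if (!ReadProcessMemory(hProcess, ntHeaderAddress, &ntHeaders, sizeof(ntHeaders), &bytesRead) ||
        bytesRead != sizeof(ntHeaders)) {
        dr_printf("[ERROR] [process_instr_trace_instr] Reading NT-Headers failed: %lu\n", GetLastError());
        return FALSE;
    }
    if (ntHeaders.Signature != IMAGE_NT_SIGNATURE) {
        dr_printf("[ERROR] [process_instr_trace_instr] Invalid NT-Header.\n");
        return FALSE;
    }

    dr_printf("[TRACER] [DEBUG] [process_instr_trace_instr] Image Base : %p\n", (void *)baseAddress);
    /* Entry point is base + RVA; the original cast the base to long long and
     * handed the sum to %p, which mismatches the conversion's pointer type. */
    dr_printf("[TRACER] [DEBUG] [process_instr_trace_instr] Entry Point: %p\n",
              (void *)(baseAddress + ntHeaders.OptionalHeader.AddressOfEntryPoint));
    /* SizeOfImage is a DWORD (unsigned long on Windows), hence %lX, matching
     * the %lu already used for GetLastError() above. */
    dr_printf("[TRACER] [DEBUG] [process_instr_trace_instr] Image Size : 0x%lX\n",
              ntHeaders.OptionalHeader.SizeOfImage);
    return TRUE;
}

/*
 * Clean-call target (see the dr_insert_clean_call above): invoked before each
 * instrumented instruction with the instruction's application address and the
 * S_TRACE_PARA holding the -s / -e start and end addresses.
 *
 * On the first time the start address is reached, the PE headers of the
 * instrumented process's main module are read and logged.
 *
 * Params:
 *   instr_addr_tmp - application address of the instruction about to run.
 *   tr             - trace parameters; tr->start and tr->end are compared
 *                    against instr_addr_tmp. Must not be NULL.
 *
 * Side effects: updates the file-scope flags instr_trace_start_reached,
 *   instr_trace_end_reached and first_time. Any failure while obtaining the
 *   process handle or reading the headers terminates the process via
 *   dr_exit_process(1).
 *
 * NOTE(review): the flags are plain globals written from every thread's
 *   clean call; in a multi-threaded sample two threads could both observe
 *   first_time == TRUE and dump twice — confirm single-threaded use or guard
 *   the check with a DR mutex.
 */
void __cdecl process_instr_trace_instr(app_pc instr_addr_tmp, S_TRACE_PARA* tr)
{
    void *drcontext = dr_get_current_drcontext();
    size_t instr_addr = (size_t)instr_addr_tmp;
    dr_mcontext_t mc = { sizeof(mc), DR_MC_ALL };
    /* mc is not used below; fetching it on every instruction is the most
     * expensive part of this clean call and can be dropped if not needed. */
    dr_get_mcontext(drcontext, &mc);

    if (instr_addr == tr->start) instr_trace_start_reached = TRUE;
    if (instr_addr == tr->end) instr_trace_end_reached = TRUE;

    if (!((instr_trace_start_reached == TRUE) && (first_time))) {
        return;
    }
    first_time = FALSE;

    DWORD pid = (DWORD)dr_get_process_id();
    /* The original passed dr_lookup_module() as a fifth argument to a format
     * with four conversions (unused, and the module_data_t was never freed).
     * Print the module path explicitly and release the lookup result. */
    module_data_t *mod = dr_lookup_module((byte *)instr_addr);
    dr_printf("[TRACER] [DEBUG] [process_instr_trace_instr] Start address reached: instr_addr %zx Process PID %u (%s) Thread ID = %u Module = %s\n",
              instr_addr, pid, dr_get_application_name(), dr_get_thread_id(drcontext),
              mod != NULL ? mod->full_path : "<unknown>");
    if (mod != NULL) {
        dr_free_module_data(mod);
    }

    /* The client runs inside the instrumented process, so this opens a handle
     * to ourselves; it is released on every path (the original leaked it when
     * the dump succeeded). */
    HANDLE hProcess = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, pid);
    if (hProcess == NULL) {
        dr_printf("[ERROR] Get Process handle failed\n");
        dr_exit_process(1);
    }
    BOOL ok = dump_pe_headers(hProcess);
    CloseHandle(hProcess);
    if (!ok) {
        dr_exit_process(1);
    }
}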
thx a lot in advance,
Peter