Self modifying code


Holger Unterbrink

Jun 5, 2025, 10:59:10 AM
to DynamoRIO Users
Hi, I went through the docs and the messages here referring to self-modifying code, but I am still not sure if I understand the issue. I am instrumenting a test program which is using various self-modifying techniques. It is changing values, e.g. "mov rax,1" to "mov rax,2", and it is also messing with the control flow by changing a jmp into a mov. My client looks similar to this (simplified):

drmgr_register_bb_instrumentation_event(NULL, event_bb_instr_global, NULL);

dr_emit_flags_t event_bb_instr_global(...) {
..
  dr_insert_clean_call(drcontext, bb, instr, (void *) process_instr_trace_instr, FALSE, 1, OPND_CREATE_INTPTR(instr_addr));
..
}

void process_instr_trace_instr(app_pc instr_addr_tmp) {
..
  instr_disassemble_to_buffer(dr_get_current_drcontext(), &instr, disasm_buf, disasm_buf_size);
  dr_printf("[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: "PFX"  %s\n",instr_addr, disasm_buf);
..
}

The instrumentation works fine the first time the self-modifying function is called; DR prints out all instructions the right way they are executed, including the ones which were modified before execution.

DR also detects that there is self-modifying code; it logs in debug mode:
<writing to executable region.>
<self-modifying code.>

So far, so good, but the problem is that this function which modifies itself (no modification is done outside this function) is called twice in the test target application and DR only instruments it the first time. The 2nd time the function is called it is not instrumented with the client code.

Long story short:
I am now wondering if there is maybe a bug which I am too dumb to find in my client, or is this expected behavior in DR for whatever reason? Any help is welcome.

 tia,
 Holger
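An added illustration of the mechanism this post is asking about (example code written for this thread; it is not DynamoRIO's implementation and not the client from the post): a toy dynamic-binary-instrumentation model with a code cache keyed by fragment tag, a client bb hook that only runs when a fragment is built, and a write-to-executable-region path that flushes overlapping fragments so the next dispatch decodes the new bytes and reruns the hook. The instruction bytes are constructed to reproduce the five instructions shown later in the thread at 0x140001e4b..0x140001e5d (push rbx; mov rax, 0x1234; mov rbx, 0x1234; cmp rax, rbx; jz 0x140001e68); the trailing ret, the patch values (0x4321, two nops) and the decoder's opcode subset are assumptions, and the cache, flush and log messages are a simplified stand-in for what DR does, not its algorithm.

```python
"""Toy model of a DBI code cache confronted with self-modifying code.

Constructed example: the instruction bytes reproduce the five instructions
the thread lists at 0x140001e4b..0x140001e5d; cache, flush and log messages
are a simplified illustration and NOT DynamoRIO's implementation.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

BASE = 0x140001E4B
# Bytes constructed from the thread's disassembly; the final ret is an
# assumption so the model has somewhere to stop once the jz is patched out.
CODE = bytes.fromhex(
    "53"              # 0x140001e4b  push rbx
    "48c7c034120000"  # 0x140001e4c  mov rax, 0x1234
    "48c7c334120000"  # 0x140001e53  mov rbx, 0x1234
    "4839d8"          # 0x140001e5a  cmp rax, rbx
    "7409"            # 0x140001e5d  jz 0x140001e68
    "c3"              # 0x140001e5f  ret (assumed)
)
REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]


def decode(mem: bytes, base: int, pc: int) -> Tuple[str, int, bool]:
    """Decode one instruction at pc -> (text, length, is_control_transfer).
    Only the handful of encodings used by this example are supported."""
    i = pc - base
    b0 = mem[i]
    if b0 == 0x53:
        return "push rbx", 1, False
    if b0 == 0x90:
        return "nop", 1, False
    if b0 == 0xC3:
        return "ret", 1, True
    if b0 in (0x74, 0xEB):  # jz rel8 / jmp rel8
        rel = int.from_bytes(mem[i + 1:i + 2], "little", signed=True)
        mnem = "jz" if b0 == 0x74 else "jmp"
        return f"{mnem} 0x{pc + 2 + rel:x}", 2, True
    if b0 == 0x48 and mem[i + 1] == 0xC7 and (mem[i + 2] & 0xF8) == 0xC0:
        imm = int.from_bytes(mem[i + 3:i + 7], "little", signed=True)
        return f"mov {REGS64[mem[i + 2] & 7]}, 0x{imm:x}", 7, False
    if b0 == 0x48 and mem[i + 1] == 0x39 and (mem[i + 2] & 0xC0) == 0xC0:
        modrm = mem[i + 2]
        return f"cmp {REGS64[modrm & 7]}, {REGS64[(modrm >> 3) & 7]}", 3, False
    raise ValueError(f"unsupported opcode {b0:#x} at {pc:#x}")


@dataclass
class Fragment:
    tag: int
    end: int            # one past the last app byte this fragment covers
    instrs: List[str]


class ToyDBI:
    """Code cache keyed by fragment tag; bb_hook plays the client's bb event."""

    def __init__(self, mem: bytearray, base: int, bb_hook: Callable[[Fragment], None]):
        self.mem, self.base, self.bb_hook = mem, base, bb_hook
        self.cache: Dict[int, Fragment] = {}
        self.builds = 0
        self.log: List[str] = []

    def build_fragment(self, tag: int) -> Fragment:
        pc, instrs = tag, []
        while True:  # a basic block ends at the first control-transfer instr
            text, length, is_cti = decode(self.mem, self.base, pc)
            instrs.append(f"{pc:#x}  {text}")
            pc += length
            if is_cti:
                break
        frag = Fragment(tag, pc, instrs)
        self.builds += 1
        self.bb_hook(frag)  # the client only sees a block when it is (re)built
        self.cache[tag] = frag
        return frag

    def dispatch(self, tag: int) -> Fragment:
        frag = self.cache.get(tag)
        if frag is None:
            self.log.append(f"(target {tag:#x} not in cache)")
            frag = self.build_fragment(tag)
        self.log.append(f"Entry into F({tag:#x})")
        return frag

    def app_write(self, addr: int, data: bytes) -> List[int]:
        """App store into an executable region: patch the bytes, then flush
        every cached fragment whose app bytes overlap the write."""
        off = addr - self.base
        self.mem[off:off + len(data)] = data
        victims = [t for t, f in self.cache.items()
                   if t < addr + len(data) and addr < f.end]
        for t in victims:
            del self.cache[t]
            self.log.append(f"<self-modifying code: flushed F({t:#x})>")
        return victims


def run_demo() -> dict:
    """Call the block twice (one build), patch it, call again (rebuild)."""
    seen: List[List[str]] = []
    dbi = ToyDBI(bytearray(CODE), BASE, lambda f: seen.append(list(f.instrs)))
    dbi.dispatch(BASE)
    dbi.dispatch(BASE)                       # cache hit: hook not rerun
    builds_before = dbi.builds
    dbi.app_write(BASE + 4, (0x4321).to_bytes(4, "little"))  # mov rax imm
    dbi.app_write(BASE + 0x12, b"\x90\x90")                  # jz -> nop nop
    dbi.dispatch(BASE)
    return {"builds_before_patch": builds_before, "builds_after_patch": dbi.builds,
            "hook_calls": len(seen), "last_bb": seen[-1], "log": dbi.log}


if __name__ == "__main__":
    for line in run_demo()["log"]:
        print(line)
```

Running run_demo() gives the pattern to look for in a DR log: the first two calls produce one build and one hook invocation (the second call is a cache hit), the self-modifying write flushes the fragment, and the third call rebuilds it so the hook sees `mov rax, 0x4321` and two nops where the jz was. A hook count that stays at one after the write is the symptom this thread is about, and separating "was the block re-dispatched" from "was the client callback rerun" is what the log comparison has to establish.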

Derek Bruening

Jun 6, 2025, 12:02:18 PM
to Holger Unterbrink, DynamoRIO Users
> The 2nd time the function is called it is not instrumented with the client code. 

Did DR lose control and nothing from that point on is run under DR control?  Use DR logs https://dynamorio.org/page_logging.html to try to see the exact sequence of events and whether DR is still running app code after the problematic point.


Holger Unterbrink

Jun 13, 2025, 5:46:12 AM
to DynamoRIO Users
For me it looks like DR did not lose control after the function; at least the client lib outputs further logging and the target app also keeps executing properly. Please find below the logging I did. I am not sure if I am looking for the right things; please advise if I should check anything else.

# --- anti_x.exe version where "small_function" is called 3 times - Logging files ---

hunte@DellOld UCRT64 /c/tools/DynamoRIO-Windows-11.3.0/logs/anti_x.exe.11716.00000000-loglevel2-small_function ("smallfunction called 3 times" version)
$ grep -i 1400017C0 * | grep -v no_dynamic_options
anti_x.exe.0.15556.html:DYNAMORIO_OPTIONS: -code_api -probe_api "-loglevel" "2" -client_lib64 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "1400017C0" "-e" "1400017D6" "-m" "anti_x.exe"'
log.0.15556.html: (target 0x00000001400017c0 not in cache)
log.0.15556.html:d_r_dispatch: target = 0x00000001400017c0
log.0.15556.html:Fragment 2270, tag 0x00000001400017c0, flags 0x1000018, shared, tracehead, size 677:
log.0.15556.html:Entry into F2270(0x00000001400017c0).0x00000000c00a5008 (trace head)(shared)
log.0.15556.html:d_r_dispatch: target = 0x00000001400017c0
log.0.15556.html:Entry into F2270(0x00000001400017c0).0x00000000c00a5008 (trace head)(shared)
log.0.15556.html:d_r_dispatch: target = 0x00000001400017c0
log.0.15556.html:Entry into F2270(0x00000001400017c0).0x00000000c00a5008 (trace head)(shared)

# --- anti_x.exe version where "small_function" is only called 2 times - Logging files ---
# Just for myself, to verify that "d_r_dispatch" is called each time the function is called.

hunte@DellOld UCRT64 /c/tools/DynamoRIO-Windows-11.3.0/logs/anti_x.exe.14632.00000000-loglevel2-smallfunction
$ grep -i 1400017C0 * | grep -v no_dynamic_options
anti_x.exe.0.10416.html:DYNAMORIO_OPTIONS: -code_api -probe_api "-loglevel" "2" -client_lib64 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "1400017C0" "-e" "1400017D6" "-m" "anti_x.exe"'
log.0.10416.html: (target 0x00000001400017c0 not in cache)
log.0.10416.html:d_r_dispatch: target = 0x00000001400017c0
log.0.10416.html:Fragment 2257, tag 0x00000001400017c0, flags 0x1000018, shared, tracehead, size 673:
log.0.10416.html:Entry into F2257(0x00000001400017c0).0x00000000c00a4f40 (trace head)(shared)
log.0.10416.html:d_r_dispatch: target = 0x00000001400017c0
log.0.10416.html:Entry into F2257(0x00000001400017c0).0x00000000c00a4f40 (trace head)(shared)

==============================

# --- anti_x.exe version where "small_function" is called 3 times - Debug cmd line output ---
# Client parameters "-s 1400017C0 -e 1400017D6" are the start and end of the "small_function" function.
# Client library (simple_client.dll) output is marked with "[SIMPLECLIENT]"
# anti_X.exe output is marked with "[ANTI-X]"
# grep for it to filter out the debugging output
#
# You can see the small_function is properly instrumented and the client prints out the instructions:
# ---- snip from full output from below -----
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Start address reached: instr_addr 0x1400017c0 Process PID 11716 (anti_x.exe) Threat ID = 15556
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: 0x00000001400017c0  sub    rsp, 0x18
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: 0x00000001400017c4  mov    dword ptr [rsp], 0x00000000
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: 0x00000001400017cb  mov    dword ptr [rsp+0x04], 0xdeadbeae
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: 0x00000001400017d3  mov    eax, dword ptr [rsp]
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: 0x00000001400017d6  inc    eax
[ANTI-X] small_function ret: 1
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: 0x00000001400017c0  sub    rsp, 0x18
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: 0x00000001400017c4  mov    dword ptr [rsp], 0x00000000
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: 0x00000001400017cb  mov    dword ptr [rsp+0x04], 0xdeadbeae
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: 0x00000001400017d3  mov    eax, dword ptr [rsp]
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: 0x00000001400017d6  inc    eax
[ANTI-X] small_function ret: 1
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: 0x00000001400017c0  sub    rsp, 0x18
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: 0x00000001400017c4  mov    dword ptr [rsp], 0x00000000
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: 0x00000001400017cb  mov    dword ptr [rsp+0x04], 0xdeadbeae
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: 0x00000001400017d3  mov    eax, dword ptr [rsp]
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: 0x00000001400017d6  inc    eax
# --------- snip --------

# ---- Full output ----
hunte@DellOld UCRT64 /c/Users/hunte/source/repos/simple_client4
$ "C:\tools\DynamoRIO-Windows-11.3.0\bin64\drrun.exe" -debug -loglevel 2 -c "C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll" -s 1400017C0 -e 1400017D6 -m "anti_x.exe" -- "C:\Users\hunte\source\repos\anti_x\x64\Release\anti_x.exe"
<log dir=C:\tools\DynamoRIO-Windows-11.3.0\logs\anti_x.exe.11716.00000000>
<Starting application C:\Users\hunte\source\repos\anti_x\x64\Release\anti_x.exe (11716)>
<Running on newer-than-this-build "Microsoft Windows 10-2009 x64">
<Early threads found>
<Initial options = -no_dynamic_options -loglevel 2 -client_lib 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "1400017C0" "-e" "1400017D6" "-m" "anti_x.exe"' -client_lib64 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "1400017C0" "-e" "1400017D6" "-m" "anti_x.exe"' -code_api -probe_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct >
<ignoring failure of private library KERNELBASE.dll entry (call reason=1)
>
<ignoring failure of private library simple_client.dll entry (call reason=1)
>
<ignoring failure of private library simple_client.dll entry (call reason=2)
>
<CURIOSITY : ((((ptr_uint_t)pe_size) + ((os_page_size())-1)) & (~((ptr_uint_t)(os_page_size())-1))) == view_size || check_filter("win32.partial_map.exe", get_short_name(get_application_name())) in file D:\a\dynamorio\dynamorio\core\win32\module.c line 4054
version 11.3.0, build 1
-no_dynamic_options -loglevel 2 -client_lib 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "1400017C0" "-e" "1400017D6" "-m" "anti_x.exe"' -client_lib64 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "1400017C0" "-e" "1400017D6" "-m" "anti_x.exe"' -c
0x000000000014ec40 0x00000000000000c4
0x00007ffc0c6a4000 0x00007ffc285fd9d0
0x00007ffc285d8640 0xccccccccccccccc3
C:\tools\DynamoRIO-Windows-11.3.0/lib64\debug\dynamorio.dll=0x0000000015000000
C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll=0x00000000e0010000
C:\WINDOWS/system32/KERNEL32.dll=0x0000000000a10000
C:\WINDOWS/system32/KERNELBASE.dll=0x0000000000ae0000
C:\tools\DynamoRIO-Windows-11.3.0/ext\lib64\debug/drwrap.dll=0x00000000e0040000
C:\tools\DynamoRIO-Windows-11.3.0/ext\lib64\debug/drmgr.dll=0x00000000e0060000>
<CURIOSITY : ((((ptr_uint_t)pe_size) + ((os_page_size())-1)) & (~((ptr_uint_t)(os_page_size())-1))) == view_size || check_filter("win32.partial_map.exe", get_short_name(get_application_name())) in file D:\a\dynamorio\dynamorio\core\win32\module.c line 4054
version 11.3.0, build 1
-no_dynamic_options -loglevel 2 -client_lib 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "1400017C0" "-e" "1400017D6" "-m" "anti_x.exe"' -client_lib64 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "1400017C0" "-e" "1400017D6" "-m" "anti_x.exe"' -c
0x000000000014ec40 0x00000000000000c4
C:\tools\DynamoRIO-Windows-11.3.0/lib64\debug\dynamorio.dll=0x0000000015000000
C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll=0x00000000e0010000
C:\WINDOWS/system32/KERNEL32.dll=0x0000000000a10000
C:\WINDOWS/system32/KERNELBASE.dll=0x0000000000ae0000
C:\tools\DynamoRIO-Windows-11.3.0/ext\lib64\debug/drwrap.dll=0x00000000e0040000
C:\tools\DynamoRIO-Windows-11.3.0/ext\lib64\debug/drmgr.dll=0x00000000e0060000>
<CURIOSITY : ((((ptr_uint_t)pe_size) + ((os_page_size())-1)) & (~((ptr_uint_t)(os_page_size())-1))) == view_size || check_filter("win32.partial_map.exe", get_short_name(get_application_name())) in file D:\a\dynamorio\dynamorio\core\win32\module.c line 4054
version 11.3.0, build 1
-no_dynamic_options -loglevel 2 -client_lib 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "1400017C0" "-e" "1400017D6" "-m" "anti_x.exe"' -client_lib64 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "1400017C0" "-e" "1400017D6" "-m" "anti_x.exe"' -c
0x000000000014ec40 0x00000000000000c4
C:\tools\DynamoRIO-Windows-11.3.0/lib64\debug\dynamorio.dll=0x0000000015000000
C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll=0x00000000e0010000
C:\WINDOWS/system32/KERNEL32.dll=0x0000000000a10000
C:\WINDOWS/system32/KERNELBASE.dll=0x0000000000ae0000
C:\tools\DynamoRIO-Windows-11.3.0/ext\lib64\debug/drwrap.dll=0x00000000e0040000
C:\tools\DynamoRIO-Windows-11.3.0/ext\lib64\debug/drmgr.dll=0x00000000e0060000>
<CURIOSITY : ((((ptr_uint_t)pe_size) + ((os_page_size())-1)) & (~((ptr_uint_t)(os_page_size())-1))) == view_size || check_filter("win32.partial_map.exe", get_short_name(get_application_name())) in file D:\a\dynamorio\dynamorio\core\win32\module.c line 4054
version 11.3.0, build 1
-no_dynamic_options -loglevel 2 -client_lib 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "1400017C0" "-e" "1400017D6" "-m" "anti_x.exe"' -client_lib64 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "1400017C0" "-e" "1400017D6" "-m" "anti_x.exe"' -c
0x000000000014ec40 0x00000000000000c4
C:\tools\DynamoRIO-Windows-11.3.0/lib64\debug\dynamorio.dll=0x0000000015000000
C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll=0x00000000e0010000
C:\WINDOWS/system32/KERNEL32.dll=0x0000000000a10000
C:\WINDOWS/system32/KERNELBASE.dll=0x0000000000ae0000
C:\tools\DynamoRIO-Windows-11.3.0/ext\lib64\debug/drwrap.dll=0x00000000e0040000
C:\tools\DynamoRIO-Windows-11.3.0/ext\lib64\debug/drmgr.dll=0x00000000e0060000>
<CURIOSITY : ((((ptr_uint_t)pe_size) + ((os_page_size())-1)) & (~((ptr_uint_t)(os_page_size())-1))) == view_size || check_filter("win32.partial_map.exe", get_short_name(get_application_name())) in file D:\a\dynamorio\dynamorio\core\win32\module.c line 4054
version 11.3.0, build 1
-no_dynamic_options -loglevel 2 -client_lib 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "1400017C0" "-e" "1400017D6" "-m" "anti_x.exe"' -client_lib64 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "1400017C0" "-e" "1400017D6" "-m" "anti_x.exe"' -c
0x000000000014ec40 0x00000000000000c4
C:\tools\DynamoRIO-Windows-11.3.0/lib64\debug\dynamorio.dll=0x0000000015000000
C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll=0x00000000e0010000
C:\WINDOWS/system32/KERNEL32.dll=0x0000000000a10000
C:\WINDOWS/system32/KERNELBASE.dll=0x0000000000ae0000
C:\tools\DynamoRIO-Windows-11.3.0/ext\lib64\debug/drwrap.dll=0x00000000e0040000
C:\tools\DynamoRIO-Windows-11.3.0/ext\lib64\debug/drmgr.dll=0x00000000e0060000>
<CURIOSITY : ((((ptr_uint_t)pe_size) + ((os_page_size())-1)) & (~((ptr_uint_t)(os_page_size())-1))) == view_size || check_filter("win32.partial_map.exe", get_short_name(get_application_name())) in file D:\a\dynamorio\dynamorio\core\win32\module.c line 4054
version 11.3.0, build 1
-no_dynamic_options -loglevel 2 -client_lib 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "1400017C0" "-e" "1400017D6" "-m" "anti_x.exe"' -client_lib64 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "1400017C0" "-e" "1400017D6" "-m" "anti_x.exe"' -c
0x000000000014ec40 0x00000000000000c4
C:\tools\DynamoRIO-Windows-11.3.0/lib64\debug\dynamorio.dll=0x0000000015000000
C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll=0x00000000e0010000
C:\WINDOWS/system32/KERNEL32.dll=0x0000000000a10000
C:\WINDOWS/system32/KERNELBASE.dll=0x0000000000ae0000
C:\tools\DynamoRIO-Windows-11.3.0/ext\lib64\debug/drwrap.dll=0x00000000e0040000
C:\tools\DynamoRIO-Windows-11.3.0/ext\lib64\debug/drmgr.dll=0x00000000e0060000>
[SIMPLECLIENT] [DEBUG] [dr_client_main] argv[0] = C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll
[SIMPLECLIENT] [DEBUG] [dr_client_main] argv[1] = -s
[SIMPLECLIENT] [DEBUG] [dr_client_main] argv[2] = 1400017C0
[SIMPLECLIENT] [DEBUG] [dr_client_main] argv[3] = -e
[SIMPLECLIENT] [DEBUG] [dr_client_main] argv[4] = 1400017D6
[SIMPLECLIENT] [DEBUG] [dr_client_main] argv[5] = -m
[SIMPLECLIENT] [DEBUG] [dr_client_main] argv[6] = anti_x.exe
[SIMPLECLIENT] [DEBUG] [parse_cmd_opt] Start adress set to : 0x1400017c0
[SIMPLECLIENT] [DEBUG] [parse_cmd_opt] End address set to  : 0x1400017d6
[SIMPLECLIENT] [DEBUG] [parse_cmd_opt] Module to instrument : anti_x.exe
[SIMPLECLIENT] [DEBUG] [dr_client_main] DynamoRio initialized.
[SIMPLECLIENT] [DEBUG] [dr_client_main] Client DLL used  = C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll
[SIMPLECLIENT] [DEBUG] [dr_client_main] PID              = 11716 (0x2dc4)
[SIMPLECLIENT] [DEBUG] [dr_client_main] Processname      = anti_x.exe
[SIMPLECLIENT] [DEBUG] [dr_client_main] Disassembler syntax set to INTEL
[SIMPLECLIENT] [DEBUG] [dr_client_main] Initalization done.
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 11716 (anti_x.exe) module loaded: dynamorio.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 11716 (anti_x.exe) module loaded: simple_client.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 11716 (anti_x.exe) module loaded: drwrap.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 11716 (anti_x.exe) module loaded: drmgr.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 11716 (anti_x.exe) module loaded: anti_x.exe:        <-- [instrumented]
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Successfully wrapped function at 0x0000000140001190
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 11716 (anti_x.exe) module loaded: VCRUNTIME140.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 11716 (anti_x.exe) module loaded: WINHTTP.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 11716 (anti_x.exe) module loaded: KERNELBASE.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 11716 (anti_x.exe) module loaded: ucrtbase.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 11716 (anti_x.exe) module loaded: KERNEL32.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 11716 (anti_x.exe) module loaded: SECHOST.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 11716 (anti_x.exe) module loaded: ntdll.dll:
<CURIOSITY : instr_get_opcode(instr_new) != instr_get_opcode(instr_old) in file D:\a\dynamorio\dynamorio\core\win32\callback.c line 2082
version 11.3.0, build 1
-no_dynamic_options -disasm_mask 1 -loglevel 2 -client_lib 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "1400017C0" "-e" "1400017D6" "-m" "anti_x.exe"' -client_lib64 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "1400017C0" "-e" "1400017D6" "-m" "
C:\tools\DynamoRIO-Windows-11.3.0/lib64\debug\dynamorio.dll=0x0000000015000000
C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll=0x00000000e0010000
C:\WINDOWS/system32/KERNEL32.dll=0x0000000000a10000
C:\WINDOWS/system32/KERNELBASE.dll=0x0000000000ae0000
C:\tools\DynamoRIO-Windows-11.3.0/ext\lib64\debug/drwrap.dll=0x00000000e0040000
C:\tools\DynamoRIO-Windows-11.3.0/ext\lib64\debug/drmgr.dll=0x00000000e0060000>
<CURIOSITY : instr_new == instrlist_first(ilist) || instr_new == instr_get_next(instrlist_first(ilist)) in file D:\a\dynamorio\dynamorio\core\win32\callback.c line 2085
version 11.3.0, build 1
-no_dynamic_options -disasm_mask 1 -loglevel 2 -client_lib 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "1400017C0" "-e" "1400017D6" "-m" "anti_x.exe"' -client_lib64 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "1400017C0" "-e" "1400017D6" "-m" "
C:\tools\DynamoRIO-Windows-11.3.0/lib64\debug\dynamorio.dll=0x0000000015000000
C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll=0x00000000e0010000
C:\WINDOWS/system32/KERNEL32.dll=0x0000000000a10000
C:\WINDOWS/system32/KERNELBASE.dll=0x0000000000ae0000
C:\tools\DynamoRIO-Windows-11.3.0/ext\lib64\debug/drwrap.dll=0x00000000e0040000
C:\tools\DynamoRIO-Windows-11.3.0/ext\lib64\debug/drmgr.dll=0x00000000e0060000>
<Cleaning hooked Nt wrapper @0x00007ffc294a5540 sysnum=0x1d3>
<curiosity: rex.w on OPSZ_6_irex10_short4!>
[ANTI-X] Process ID is: 11716
[ANTI-X] Function address: 0x140001000
[ANTI-X] Function size: 110
[ANTI-X] CRC32: 6115FA29
[ANTI-X] [SUCCESS] CRC32 matches! Function code is ok.
[ANTI-X] Running a small loop
[ANTI-X] Running a larger loop
[ANTI-X] [SUCCESS] No debugger detected.
[ANTI-X] DR0: 0x0000000000000000
[ANTI-X] DR1: 0x0000000000000000
[ANTI-X] DR2: 0x0000000000000000
[ANTI-X] DR3: 0x0000000000000000
[ANTI-X] DR6 (status): 0x00000000
[ANTI-X] DR7 (control): 0x00000000
[ANTI-X] [SUCCESS] GetThreadContext: No hardware breakpoints detected.
[ANTI-X] CPU-cycles: 7558881
[ANTI-X] [INTEGRITY CHECK FAIL] Runtime is too long! Function might be debugged.
[ANTI-X] This function always returns TRUE
[SIMPLECLIENT] [DEBUG] [wrap_post_function] Setting function post wrap
[SIMPLECLIENT] [DEBUG] [wrap_post_function] Return value set to FALSE
[ANTI-X] This value is always true: false
[ANTI-X] The sum of 10 and 20 is 30
[ANTI-X] Function start : 0x140001000
[ANTI-X] Function end   : 0x14000109E
[ANTI-X] Function length: 153 Byte
[ANTI-X] Try bp at      : 0x14000107A
[ANTI-X] Calling small_function three times...
[SIMPLECLIENT] [DEBUG] [event_bb_instr_global] instrumenting: 0x1400017c0
[SIMPLECLIENT] [DEBUG] [event_bb_instr_global] instrumenting: 0x1400017c4
[SIMPLECLIENT] [DEBUG] [event_bb_instr_global] instrumenting: 0x1400017cb
[SIMPLECLIENT] [DEBUG] [event_bb_instr_global] instrumenting: 0x1400017d3
[SIMPLECLIENT] [DEBUG] [event_bb_instr_global] instrumenting: 0x1400017d6
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Start address reached: instr_addr 0x1400017c0 Process PID 11716 (anti_x.exe) Threat ID = 15556
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: 0x00000001400017c0  sub    rsp, 0x18
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: 0x00000001400017c4  mov    dword ptr [rsp], 0x00000000
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: 0x00000001400017cb  mov    dword ptr [rsp+0x04], 0xdeadbeae
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: 0x00000001400017d3  mov    eax, dword ptr [rsp]
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: 0x00000001400017d6  inc    eax
[ANTI-X] small_function ret: 1
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: 0x00000001400017c0  sub    rsp, 0x18
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: 0x00000001400017c4  mov    dword ptr [rsp], 0x00000000
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: 0x00000001400017cb  mov    dword ptr [rsp+0x04], 0xdeadbeae
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: 0x00000001400017d3  mov    eax, dword ptr [rsp]
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: 0x00000001400017d6  inc    eax
[ANTI-X] small_function ret: 1
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: 0x00000001400017c0  sub    rsp, 0x18
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: 0x00000001400017c4  mov    dword ptr [rsp], 0x00000000
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: 0x00000001400017cb  mov    dword ptr [rsp+0x04], 0xdeadbeae
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: 0x00000001400017d3  mov    eax, dword ptr [rsp]
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: 0x00000001400017d6  inc    eax
[ANTI-X] small_function ret: 1
[ANTI-X] running decoded shellcode ...
[ANTI-X] Shellcode Done.

<writing to executable region.>
<self-modifying code.>
[ANTI-X] Selfmod return value: 0x3 (should be 0x3)
[ANTI-X] Selfmod return value: 0x0 (should be 0x0)
[ANTI-X] triggering an exception...
[ANTI-X] Exception caught: Access Violation (0xC0000005)
[ANTI-X] Exception triggert.
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 11716 (anti_x.exe) module loaded: RPCRT4.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 11716 (anti_x.exe) module loaded: WS2_32.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 11716 (anti_x.exe) module loaded: msvcrt.dll:
<CURIOSITY : (((0)) && get_mcontext(dcontext)->xsp >= (reg_t)dcontext->app_stack_limit) || (!((0)) && get_mcontext(dcontext)->xsp >= (reg_t)((void *)__readgsqword(BASE_STACK_TIB_OFFSET))) in file D:\a\dynamorio\dynamorio\core\dispatch.c line 1089
version 11.3.0, build 1
-no_dynamic_options -disasm_mask 1 -loglevel 2 -client_lib 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "1400017C0" "-e" "1400017D6" "-m" "anti_x.exe"' -client_lib64 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "1400017C0" "-e" "1400017D6" "-m" "
0x000000000014a0d0 0x0000000000000000
C:\tools\DynamoRIO-Windows-11.3.0/lib64\debug\dynamorio.dll=0x0000000015000000
C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll=0x00000000e0010000
C:\WINDOWS/system32/KERNEL32.dll=0x0000000000a10000
C:\WINDOWS/system32/KERNELBASE.dll=0x0000000000ae0000
C:\tools\DynamoRIO-Windows-11.3.0/ext\lib64\debug/drwrap.dll=0x00000000e0040000
C:\tools\DynamoRIO-Windows-11.3.0/ext\lib64\debug/drmgr.dll=0x00000000e0060000>
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 11716 (anti_x.exe) module loaded: ADVAPI32.dll:
<ignoring failure of private library simple_client.dll entry (call reason=2)
>
<get_ldr_module_by_pc w/o holding LoaderLock>
<ignoring failure of private library simple_client.dll entry (call reason=2)
>
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 11716 (anti_x.exe) module loaded: combase.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 11716 (anti_x.exe) module loaded: webio.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 11716 (anti_x.exe) module loaded: MSWSOCK.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 11716 (anti_x.exe) module loaded: IPHLPAPI.DLL:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 11716 (anti_x.exe) module loaded: WINNSI.DLL:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 11716 (anti_x.exe) module loaded: NSI.dll:
<ignoring failure of private library simple_client.dll entry (call reason=2)
>
<ignoring failure of private library simple_client.dll entry (call reason=2)
>
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 11716 (anti_x.exe) module loaded: SspiCli.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 11716 (anti_x.exe) module loaded: DNSAPI.dll:
<ignoring failure of private library simple_client.dll entry (call reason=2)
>
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 11716 (anti_x.exe) module loaded: rasadhlp.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 11716 (anti_x.exe) module loaded: fwpuclnt.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 11716 (anti_x.exe) module loaded: SCHANNEL.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 11716 (anti_x.exe) module loaded: ncrypt.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 11716 (anti_x.exe) module loaded: NTASN1.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 11716 (anti_x.exe) module loaded: bcrypt.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 11716 (anti_x.exe) module loaded: ncryptsslp.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 11716 (anti_x.exe) module loaded: bcryptPrimitives.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 11716 (anti_x.exe) module loaded: CRYPT32.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 11716 (anti_x.exe) module loaded: MSASN1.dll:
<ignoring failure of private library simple_client.dll entry (call reason=2)
>
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 11716 (anti_x.exe) module loaded: DPAPI.dll:
[ANTI-X] Successfully received data from server.
[ANTI-X] Done.
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 11716 (anti_x.exe) module loaded: AppCore.dll:
<Stopping application C:\Users\hunte\source\repos\anti_x\x64\Release\anti_x.exe (11716)>
[SIMPLECLIENT] [DEBUG] [event_exit] Number of instrumented instructions: 5
<ignoring failure of private library simple_client.dll entry (call reason=0)
>
<ignoring failure of private library KERNELBASE.dll entry (call reason=0)
>
<Failed to suspend attached-but-never-scheduled thread 8864>
<Failed to suspend attached-but-never-scheduled thread 13236>
<Failed to suspend attached-but-never-scheduled thread 18168>

# ------------- End full output -----------------


======================================================================================================================

Self modifying function instrumented

=======================================================================================================================

# Client options for instrumenting the first 5 instructions of the self-modifying code (start 140001E4B, end 140001E5D).
# The 2nd instruction gets overwritten by the self-modifying code.
# It looks like d_r_dispatch is called twice as expected, but for some reason the code is not instrumented the second time.

hunte@DellOld UCRT64 /c/tools/DynamoRIO-Windows-11.3.0/logs/anti_x.exe.9100.00000000-loglevel2-selfmod-func
$ grep -i 140001E4B * | grep -v no_dynamic_options
anti_x.exe.0.12504.html:DYNAMORIO_OPTIONS: -code_api -probe_api "-loglevel" "2" -client_lib64 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "140001E4B" "-e" "140001E5D" "-m" "anti_x.exe"'
log.0.12504.html:       xdx = 0x0000000140001e4b
log.0.12504.html:syscall: NtQueryVirtualMemory base=0x0000000140001e4b => 0x0
log.0.12504.html: (target 0x0000000140001e4b not in cache)
log.0.12504.html:d_r_dispatch: target = 0x0000000140001e4b
log.0.12504.html:Fragment 2314, tag 0x0000000140001e4b, flags 0x9000030, shared, size 649:
log.0.12504.html:Entry into F2314(0x0000000140001e4b).0x00000000c002410c (shared)
log.0.12504.html:Exit from F2314(0x0000000140001e4b).0x00000000c002438a (shared)        [anti_x.exe]
log.0.12504.html: (target 0x0000000140001e4b not in cache)
log.0.12504.html:d_r_dispatch: target = 0x0000000140001e4b
log.0.12504.html:Fragment 2336, tag 0x0000000140001e4b, flags 0x80086b0, private, size 441, cannot be trace:
log.0.12504.html:Entry into F2336(0x0000000140001e4b).0x00000000c006a740
log.0.12504.html:Exit from F2336(0x0000000140001e4b).0x00000000c006a880         [anti_x.exe]


-----
# Command line output:

# ---- Interesting part of the cmd output ---

# --- snip from full output from below ---
[ANTI-X] small_function ret: 1
[ANTI-X] small_function ret: 1
[ANTI-X] small_function ret: 1
[ANTI-X] running decoded shellcode ...
[ANTI-X] Shellcode Done.
[SIMPLECLIENT] [DEBUG] [event_bb_instr_global] instrumenting: 0x140001e4b
[SIMPLECLIENT] [DEBUG] [event_bb_instr_global] instrumenting: 0x140001e4c
[SIMPLECLIENT] [DEBUG] [event_bb_instr_global] instrumenting: 0x140001e53
[SIMPLECLIENT] [DEBUG] [event_bb_instr_global] instrumenting: 0x140001e5a
[SIMPLECLIENT] [DEBUG] [event_bb_instr_global] instrumenting: 0x140001e5d
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Start address reached: instr_addr 0x140001e4b Process PID 9100 (anti_x.exe) Threat ID = 12504
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: 0x0000000140001e4b  push   rbx
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: 0x0000000140001e4c  mov    rax, 0x00001234
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: 0x0000000140001e53  mov    rbx, 0x00001234
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: 0x0000000140001e5a  cmp    rax, rbx
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: 0x0000000140001e5d  jz     0x0000000140001e68

<writing to executable region.>
<self-modifying code.>
[ANTI-X] Selfmod return value: 0x3 (should be 0x3)
[ANTI-X] Selfmod return value: 0x0 (should be 0x0)
[ANTI-X] triggering an exception...
[ANTI-X] Exception caught: Access Violation (0xC0000005)
[ANTI-X] Exception triggert.
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 9100 (anti_x.exe) module loaded: RPCRT4.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 9100 (anti_x.exe) module loaded: WS2_32.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 9100 (anti_x.exe) module loaded: msvcrt.dll:
# --- snip ---

# ----- Full output ----
hunte@DellOld UCRT64 /c/Users/hunte/source/repos/simple_client4
$ "C:\tools\DynamoRIO-Windows-11.3.0\bin64\drrun.exe" -debug -loglevel 2 -c "C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll" -s 140001E4B -e 140001E5D -m "anti_x.exe" -- "C:\Users\hunte\source\repos\anti_x\x64\Release\anti_x.exe"
<log dir=C:\tools\DynamoRIO-Windows-11.3.0\logs\anti_x.exe.9100.00000000>
<Starting application C:\Users\hunte\source\repos\anti_x\x64\Release\anti_x.exe (9100)>
<Running on newer-than-this-build "Microsoft Windows 10-2009 x64">
<Early threads found>
<Initial options = -no_dynamic_options -loglevel 2 -client_lib 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "140001E4B" "-e" "140001E5D" "-m" "anti_x.exe"' -client_lib64 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "140001E4B" "-e" "140001E5D" "-m" "anti_x.exe"' -code_api -probe_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct >
<ignoring failure of private library KERNELBASE.dll entry (call reason=1)
>
<ignoring failure of private library simple_client.dll entry (call reason=1)
>
<ignoring failure of private library simple_client.dll entry (call reason=2)
>
<CURIOSITY : ((((ptr_uint_t)pe_size) + ((os_page_size())-1)) & (~((ptr_uint_t)(os_page_size())-1))) == view_size || check_filter("win32.partial_map.exe", get_short_name(get_application_name())) in file D:\a\dynamorio\dynamorio\core\win32\module.c line 4054
version 11.3.0, build 1
-no_dynamic_options -loglevel 2 -client_lib 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "140001E4B" "-e" "140001E5D" "-m" "anti_x.exe"' -client_lib64 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "140001E4B" "-e" "140001E5D" "-m" "anti_x.exe"' -c
0x000000000014ec40 0x00000000000000c8
0x00007ffc0c6a4000 0x00007ffc285fd9d0
0x00007ffc285d8640 0xccccccccccccccc3
C:\tools\DynamoRIO-Windows-11.3.0/lib64\debug\dynamorio.dll=0x0000000015000000
C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll=0x00000000e0010000
C:\WINDOWS/system32/KERNEL32.dll=0x0000000000a10000
C:\WINDOWS/system32/KERNELBASE.dll=0x0000000000ae0000
C:\tools\DynamoRIO-Windows-11.3.0/ext\lib64\debug/drwrap.dll=0x00000000e0040000
C:\tools\DynamoRIO-Windows-11.3.0/ext\lib64\debug/drmgr.dll=0x00000000e0060000>
<CURIOSITY : ((((ptr_uint_t)pe_size) + ((os_page_size())-1)) & (~((ptr_uint_t)(os_page_size())-1))) == view_size || check_filter("win32.partial_map.exe", get_short_name(get_application_name())) in file D:\a\dynamorio\dynamorio\core\win32\module.c line 4054
version 11.3.0, build 1
-no_dynamic_options -loglevel 2 -client_lib 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "140001E4B" "-e" "140001E5D" "-m" "anti_x.exe"' -client_lib64 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "140001E4B" "-e" "140001E5D" "-m" "anti_x.exe"' -c
0x000000000014ec40 0x00000000000000c8
C:\tools\DynamoRIO-Windows-11.3.0/lib64\debug\dynamorio.dll=0x0000000015000000
C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll=0x00000000e0010000
C:\WINDOWS/system32/KERNEL32.dll=0x0000000000a10000
C:\WINDOWS/system32/KERNELBASE.dll=0x0000000000ae0000
C:\tools\DynamoRIO-Windows-11.3.0/ext\lib64\debug/drwrap.dll=0x00000000e0040000
C:\tools\DynamoRIO-Windows-11.3.0/ext\lib64\debug/drmgr.dll=0x00000000e0060000>
<CURIOSITY : ((((ptr_uint_t)pe_size) + ((os_page_size())-1)) & (~((ptr_uint_t)(os_page_size())-1))) == view_size || check_filter("win32.partial_map.exe", get_short_name(get_application_name())) in file D:\a\dynamorio\dynamorio\core\win32\module.c line 4054
version 11.3.0, build 1
-no_dynamic_options -loglevel 2 -client_lib 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "140001E4B" "-e" "140001E5D" "-m" "anti_x.exe"' -client_lib64 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "140001E4B" "-e" "140001E5D" "-m" "anti_x.exe"' -c
0x000000000014ec40 0x00000000000000c8
C:\tools\DynamoRIO-Windows-11.3.0/lib64\debug\dynamorio.dll=0x0000000015000000
C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll=0x00000000e0010000
C:\WINDOWS/system32/KERNEL32.dll=0x0000000000a10000
C:\WINDOWS/system32/KERNELBASE.dll=0x0000000000ae0000
C:\tools\DynamoRIO-Windows-11.3.0/ext\lib64\debug/drwrap.dll=0x00000000e0040000
C:\tools\DynamoRIO-Windows-11.3.0/ext\lib64\debug/drmgr.dll=0x00000000e0060000>
<CURIOSITY : ((((ptr_uint_t)pe_size) + ((os_page_size())-1)) & (~((ptr_uint_t)(os_page_size())-1))) == view_size || check_filter("win32.partial_map.exe", get_short_name(get_application_name())) in file D:\a\dynamorio\dynamorio\core\win32\module.c line 4054
version 11.3.0, build 1
-no_dynamic_options -loglevel 2 -client_lib 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "140001E4B" "-e" "140001E5D" "-m" "anti_x.exe"' -client_lib64 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "140001E4B" "-e" "140001E5D" "-m" "anti_x.exe"' -c
0x000000000014ec40 0x00000000000000c8
C:\tools\DynamoRIO-Windows-11.3.0/lib64\debug\dynamorio.dll=0x0000000015000000
C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll=0x00000000e0010000
C:\WINDOWS/system32/KERNEL32.dll=0x0000000000a10000
C:\WINDOWS/system32/KERNELBASE.dll=0x0000000000ae0000
C:\tools\DynamoRIO-Windows-11.3.0/ext\lib64\debug/drwrap.dll=0x00000000e0040000
C:\tools\DynamoRIO-Windows-11.3.0/ext\lib64\debug/drmgr.dll=0x00000000e0060000>
<CURIOSITY : ((((ptr_uint_t)pe_size) + ((os_page_size())-1)) & (~((ptr_uint_t)(os_page_size())-1))) == view_size || check_filter("win32.partial_map.exe", get_short_name(get_application_name())) in file D:\a\dynamorio\dynamorio\core\win32\module.c line 4054
version 11.3.0, build 1
-no_dynamic_options -loglevel 2 -client_lib 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "140001E4B" "-e" "140001E5D" "-m" "anti_x.exe"' -client_lib64 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "140001E4B" "-e" "140001E5D" "-m" "anti_x.exe"' -c
0x000000000014ec40 0x00000000000000c8
C:\tools\DynamoRIO-Windows-11.3.0/lib64\debug\dynamorio.dll=0x0000000015000000
C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll=0x00000000e0010000
C:\WINDOWS/system32/KERNEL32.dll=0x0000000000a10000
C:\WINDOWS/system32/KERNELBASE.dll=0x0000000000ae0000
C:\tools\DynamoRIO-Windows-11.3.0/ext\lib64\debug/drwrap.dll=0x00000000e0040000
C:\tools\DynamoRIO-Windows-11.3.0/ext\lib64\debug/drmgr.dll=0x00000000e0060000>
<CURIOSITY : ((((ptr_uint_t)pe_size) + ((os_page_size())-1)) & (~((ptr_uint_t)(os_page_size())-1))) == view_size || check_filter("win32.partial_map.exe", get_short_name(get_application_name())) in file D:\a\dynamorio\dynamorio\core\win32\module.c line 4054
version 11.3.0, build 1
-no_dynamic_options -loglevel 2 -client_lib 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "140001E4B" "-e" "140001E5D" "-m" "anti_x.exe"' -client_lib64 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "140001E4B" "-e" "140001E5D" "-m" "anti_x.exe"' -c
0x000000000014ec40 0x00000000000000c8
C:\tools\DynamoRIO-Windows-11.3.0/lib64\debug\dynamorio.dll=0x0000000015000000
C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll=0x00000000e0010000
C:\WINDOWS/system32/KERNEL32.dll=0x0000000000a10000
C:\WINDOWS/system32/KERNELBASE.dll=0x0000000000ae0000
C:\tools\DynamoRIO-Windows-11.3.0/ext\lib64\debug/drwrap.dll=0x00000000e0040000
C:\tools\DynamoRIO-Windows-11.3.0/ext\lib64\debug/drmgr.dll=0x00000000e0060000>
[SIMPLECLIENT] [DEBUG] [dr_client_main] argv[0] = C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll
[SIMPLECLIENT] [DEBUG] [dr_client_main] argv[1] = -s
[SIMPLECLIENT] [DEBUG] [dr_client_main] argv[2] = 140001E4B
[SIMPLECLIENT] [DEBUG] [dr_client_main] argv[3] = -e
[SIMPLECLIENT] [DEBUG] [dr_client_main] argv[4] = 140001E5D
[SIMPLECLIENT] [DEBUG] [dr_client_main] argv[5] = -m
[SIMPLECLIENT] [DEBUG] [dr_client_main] argv[6] = anti_x.exe
[SIMPLECLIENT] [DEBUG] [parse_cmd_opt] Start adress set to : 0x140001e4b
[SIMPLECLIENT] [DEBUG] [parse_cmd_opt] End address set to  : 0x140001e5d
[SIMPLECLIENT] [DEBUG] [parse_cmd_opt] Module to instrument : anti_x.exe
[SIMPLECLIENT] [DEBUG] [dr_client_main] DynamoRio initialized.
[SIMPLECLIENT] [DEBUG] [dr_client_main] Client DLL used  = C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll
[SIMPLECLIENT] [DEBUG] [dr_client_main] PID              = 9100 (0x238c)
[SIMPLECLIENT] [DEBUG] [dr_client_main] Processname      = anti_x.exe
[SIMPLECLIENT] [DEBUG] [dr_client_main] Disassembler syntax set to INTEL
[SIMPLECLIENT] [DEBUG] [dr_client_main] Initalization done.
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 9100 (anti_x.exe) module loaded: dynamorio.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 9100 (anti_x.exe) module loaded: simple_client.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 9100 (anti_x.exe) module loaded: drwrap.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 9100 (anti_x.exe) module loaded: drmgr.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 9100 (anti_x.exe) module loaded: anti_x.exe: <-- [instrumented]
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Successfully wrapped function at 0x0000000140001190
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 9100 (anti_x.exe) module loaded: VCRUNTIME140.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 9100 (anti_x.exe) module loaded: WINHTTP.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 9100 (anti_x.exe) module loaded: KERNELBASE.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 9100 (anti_x.exe) module loaded: ucrtbase.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 9100 (anti_x.exe) module loaded: KERNEL32.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 9100 (anti_x.exe) module loaded: SECHOST.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 9100 (anti_x.exe) module loaded: ntdll.dll:
<CURIOSITY : instr_get_opcode(instr_new) != instr_get_opcode(instr_old) in file D:\a\dynamorio\dynamorio\core\win32\callback.c line 2082
version 11.3.0, build 1
-no_dynamic_options -disasm_mask 1 -loglevel 2 -client_lib 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "140001E4B" "-e" "140001E5D" "-m" "anti_x.exe"' -client_lib64 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "140001E4B" "-e" "140001E5D" "-m" "
C:\tools\DynamoRIO-Windows-11.3.0/lib64\debug\dynamorio.dll=0x0000000015000000
C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll=0x00000000e0010000
C:\WINDOWS/system32/KERNEL32.dll=0x0000000000a10000
C:\WINDOWS/system32/KERNELBASE.dll=0x0000000000ae0000
C:\tools\DynamoRIO-Windows-11.3.0/ext\lib64\debug/drwrap.dll=0x00000000e0040000
C:\tools\DynamoRIO-Windows-11.3.0/ext\lib64\debug/drmgr.dll=0x00000000e0060000>
<CURIOSITY : instr_new == instrlist_first(ilist) || instr_new == instr_get_next(instrlist_first(ilist)) in file D:\a\dynamorio\dynamorio\core\win32\callback.c line 2085
version 11.3.0, build 1
-no_dynamic_options -disasm_mask 1 -loglevel 2 -client_lib 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "140001E4B" "-e" "140001E5D" "-m" "anti_x.exe"' -client_lib64 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "140001E4B" "-e" "140001E5D" "-m" "
C:\tools\DynamoRIO-Windows-11.3.0/lib64\debug\dynamorio.dll=0x0000000015000000
C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll=0x00000000e0010000
C:\WINDOWS/system32/KERNEL32.dll=0x0000000000a10000
C:\WINDOWS/system32/KERNELBASE.dll=0x0000000000ae0000
C:\tools\DynamoRIO-Windows-11.3.0/ext\lib64\debug/drwrap.dll=0x00000000e0040000
C:\tools\DynamoRIO-Windows-11.3.0/ext\lib64\debug/drmgr.dll=0x00000000e0060000>
<Cleaning hooked Nt wrapper @0x00007ffc294a5540 sysnum=0x1d3>
<curiosity: rex.w on OPSZ_6_irex10_short4!>
[ANTI-X] Process ID is: 9100
[ANTI-X] Function address: 0x140001000
[ANTI-X] Function size: 110
[ANTI-X] CRC32: 6115FA29
[ANTI-X] [SUCCESS] CRC32 matches! Function code is ok.
[ANTI-X] Running a small loop
[ANTI-X] Running a larger loop
[ANTI-X] [SUCCESS] No debugger detected.
[ANTI-X] DR0: 0x0000000000000000
[ANTI-X] DR1: 0x0000000000000000
[ANTI-X] DR2: 0x0000000000000000
[ANTI-X] DR3: 0x0000000000000000
[ANTI-X] DR6 (status): 0x00000000
[ANTI-X] DR7 (control): 0x00000000
[ANTI-X] [SUCCESS] GetThreadContext: No hardware breakpoints detected.
[ANTI-X] CPU-cycles: 8102686
[ANTI-X] [INTEGRITY CHECK FAIL] Runtime is too long! Function might be debugged.
[ANTI-X] This function always returns TRUE
[SIMPLECLIENT] [DEBUG] [wrap_post_function] Setting function post wrap
[SIMPLECLIENT] [DEBUG] [wrap_post_function] Return value set to FALSE
[ANTI-X] This value is always true: false
[ANTI-X] The sum of 10 and 20 is 30
[ANTI-X] Function start : 0x140001000
[ANTI-X] Function end   : 0x14000109E
[ANTI-X] Function length: 153 Byte
[ANTI-X] Try bp at      : 0x14000107A
[ANTI-X] Calling small_function three times...
[ANTI-X] small_function ret: 1
[ANTI-X] small_function ret: 1
[ANTI-X] small_function ret: 1
[ANTI-X] running decoded shellcode ...
[ANTI-X] Shellcode Done.
[SIMPLECLIENT] [DEBUG] [event_bb_instr_global] instrumenting: 0x140001e4b
[SIMPLECLIENT] [DEBUG] [event_bb_instr_global] instrumenting: 0x140001e4c
[SIMPLECLIENT] [DEBUG] [event_bb_instr_global] instrumenting: 0x140001e53
[SIMPLECLIENT] [DEBUG] [event_bb_instr_global] instrumenting: 0x140001e5a
[SIMPLECLIENT] [DEBUG] [event_bb_instr_global] instrumenting: 0x140001e5d
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Start address reached: instr_addr 0x140001e4b Process PID 9100 (anti_x.exe) Threat ID = 12504
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: 0x0000000140001e4b  push   rbx
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: 0x0000000140001e4c  mov    rax, 0x00001234
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: 0x0000000140001e53  mov    rbx, 0x00001234
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: 0x0000000140001e5a  cmp    rax, rbx
[SIMPLECLIENT] [DEBUG] [process_instr_trace_instr] Disasm: 0x0000000140001e5d  jz     0x0000000140001e68

<writing to executable region.>
<self-modifying code.>
[ANTI-X] Selfmod return value: 0x3 (should be 0x3)
[ANTI-X] Selfmod return value: 0x0 (should be 0x0)
[ANTI-X] triggering an exception...
[ANTI-X] Exception caught: Access Violation (0xC0000005)
[ANTI-X] Exception triggert.
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 9100 (anti_x.exe) module loaded: RPCRT4.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 9100 (anti_x.exe) module loaded: WS2_32.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 9100 (anti_x.exe) module loaded: msvcrt.dll:
<CURIOSITY : (((0)) && get_mcontext(dcontext)->xsp >= (reg_t)dcontext->app_stack_limit) || (!((0)) && get_mcontext(dcontext)->xsp >= (reg_t)((void *)__readgsqword(BASE_STACK_TIB_OFFSET))) in file D:\a\dynamorio\dynamorio\core\dispatch.c line 1089
version 11.3.0, build 1
-no_dynamic_options -disasm_mask 1 -loglevel 2 -client_lib 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "140001E4B" "-e" "140001E5D" "-m" "anti_x.exe"' -client_lib64 'C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll;0;"-s" "140001E4B" "-e" "140001E5D" "-m" "
0x000000000014a0d0 0x0000000000000000
C:\tools\DynamoRIO-Windows-11.3.0/lib64\debug\dynamorio.dll=0x0000000015000000
C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll=0x00000000e0010000
C:\WINDOWS/system32/KERNEL32.dll=0x0000000000a10000
C:\WINDOWS/system32/KERNELBASE.dll=0x0000000000ae0000
C:\tools\DynamoRIO-Windows-11.3.0/ext\lib64\debug/drwrap.dll=0x00000000e0040000
C:\tools\DynamoRIO-Windows-11.3.0/ext\lib64\debug/drmgr.dll=0x00000000e0060000>
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 9100 (anti_x.exe) module loaded: ADVAPI32.dll:
<ignoring failure of private library simple_client.dll entry (call reason=2)
>
<get_ldr_module_by_pc w/o holding LoaderLock>
<ignoring failure of private library simple_client.dll entry (call reason=2)
>
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 9100 (anti_x.exe) module loaded: combase.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 9100 (anti_x.exe) module loaded: webio.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 9100 (anti_x.exe) module loaded: MSWSOCK.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 9100 (anti_x.exe) module loaded: IPHLPAPI.DLL:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 9100 (anti_x.exe) module loaded: WINNSI.DLL:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 9100 (anti_x.exe) module loaded: NSI.dll:
<ignoring failure of private library simple_client.dll entry (call reason=2)
>
<ignoring failure of private library simple_client.dll entry (call reason=2)
>
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 9100 (anti_x.exe) module loaded: SspiCli.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 9100 (anti_x.exe) module loaded: DNSAPI.dll:
<ignoring failure of private library simple_client.dll entry (call reason=2)
>
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 9100 (anti_x.exe) module loaded: rasadhlp.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 9100 (anti_x.exe) module loaded: fwpuclnt.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 9100 (anti_x.exe) module loaded: SCHANNEL.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 9100 (anti_x.exe) module loaded: ncrypt.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 9100 (anti_x.exe) module loaded: NTASN1.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 9100 (anti_x.exe) module loaded: bcrypt.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 9100 (anti_x.exe) module loaded: ncryptsslp.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 9100 (anti_x.exe) module loaded: bcryptPrimitives.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 9100 (anti_x.exe) module loaded: CRYPT32.dll:
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 9100 (anti_x.exe) module loaded: MSASN1.dll:
<ignoring failure of private library simple_client.dll entry (call reason=2)
>
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 9100 (anti_x.exe) module loaded: DPAPI.dll:
[ANTI-X] Successfully received data from server.
[ANTI-X] Done.
[SIMPLECLIENT] [DEBUG] [event_module_load_trace_instr] Process PID 9100 (anti_x.exe) module loaded: AppCore.dll:
<Stopping application C:\Users\hunte\source\repos\anti_x\x64\Release\anti_x.exe (9100)>
[SIMPLECLIENT] [DEBUG] [event_exit] Number of instrumented instructions: 5
<ignoring failure of private library simple_client.dll entry (call reason=0)
>
<ignoring failure of private library KERNELBASE.dll entry (call reason=0)
>
<Failed to suspend attached-but-never-scheduled thread 3348>
<Failed to suspend attached-but-never-scheduled thread 16668>
<Failed to suspend attached-but-never-scheduled thread 10208>

hunte@DellOld UCRT64 /c/Users/hunte/source/repos/simple_client4

Holger Unterbrink

Jun 13, 2025, 5:51:38 AMJun 13
to DynamoRIO Users
The logs above show two different runs. The first time, the client instruments a function called small_function; this one is called 3 (2 in the old version) times in the target app (anti-x) and everything works as expected: the instructions of this function are printed out three times, every time the function is called. The 2nd run is where the problematic self-modifying code is called. In that case the client only prints out the instructions the first time; the 2nd time the function is called it is executed, as you can see in the [Anti-X] output, but the instrumentation does not work and its instructions are not printed out.

Derek Bruening

Jun 14, 2025, 11:15:54 AMJun 14
to Holger Unterbrink, DynamoRIO Users
I'm not sure I follow the details here ("called 3 (2 old version)" sounds like the code mod happened but then "The 2nd run is where the problematic self modifying code is called": but how is there an "old version" in the first run then?): but the log tells you when it asks the client for instrumentation.  Look for lines like this:

before instrumentation:
TAG  0x00007fa2db77d5c0
 +0    L3 @0x00007fa0972afe48  48 89 e7             mov    %rsp -> %rdi
...
END 0x00007fa2db77d5c0
...
after instrumentation:
TAG  0x00007fa2db77d5c0
 +0    L3 @0x00007fa0972afe48  48 89 e7             mov    %rsp -> %rdi
...
END 0x00007fa2db77d5c0

Note that d_r_dispatch is *not* called between every block: once blocks are linked together it is bypassed.
But if the self-modification is detected a new block should be created and you should see the "after instrumentation": do you see that, and it does not have all your clean calls?

Holger Unterbrink

Jun 17, 2025, 4:03:29 AMJun 17
to DynamoRIO Users
The first two logs I posted are from a function which is properly instrumented and logged (just to compare it to the failed run); it is called small_function, just has a few instructions and does NOT do any selfmod. I've run "drrun.exe -c myclient -- antix.exe" two times, once with a version of antix where this small_function is called 2 times and once with a version where this function is called three times. Both runs work as expected and DR properly instruments the function every time it is called.

The problematic selfmod function logging is found below this in the log text. It is marked with:


======================================================================================================================

Self modifying function instrumented

=======================================================================================================================
 
... everything below that in the logging I posted belongs to the run where I am instrumenting the self-modifying function. That one is called two times at run time; the first call works as expected, the 2nd one is not instrumented. I have mailed you the src code of the client and antix.exe in case you have time to look into it; that might make things clearer.

Derek Bruening

Jun 18, 2025, 10:18:29 PMJun 18
to Holger Unterbrink, DynamoRIO Users
Does your client look for that particular start-of-block PC?  DR will tail-duplicate basic blocks if self-modification is detected, so a new block starting part way through the original will be created.

Holger Unterbrink

Jun 19, 2025, 8:50:34 AMJun 19
to DynamoRIO Users
I am not 100% sure if I understand what you mean. Yes, the client instruments only the instructions between "start PC" and "end PC" (please see below).

Client is run via:
"C:\tools\DynamoRIO-Windows-11.3.0\bin64\drrun.exe" -c "C:\Users\hunte\source\repos\simple_client4\build\Release\simple_client.dll" -s 140001E5B -e 140001F02 -m "anti_x.exe" -- "C:\Users\hunte\source\repos\anti_x\x64\Release\anti_x.exe"

DR client looks like this:

--- snip ---
bool start_reached = FALSE;
bool end_reached   = FALSE;

// trace_para->start ; trace_para->end are cmd line args for the start (first) instr to instrument and the end (last) instr to instrument
...
drmgr_register_bb_instrumentation_event(NULL, event_bb_instr_global, NULL);
...
dr_emit_flags_t event_bb_instr_global(void* drcontext, void* tag, instrlist_t* bb, instr_t* instr,
                                      bool for_trace, bool translating, void* user_data) {
    size_t instr_addr = (size_t) instr_get_app_pc(instr);

    if (instr_is_app(instr)) {

        if (instr_addr == trace_para->start) start_reached = TRUE;

        if ((start_reached == TRUE) && (end_reached == FALSE)) {
            dr_printf("[SIMPLECLIENT] [DEBUG] [event_bb_instr_global] instrumenting: 0x%zx\n", instr_addr);

            dr_insert_clean_call(drcontext, bb, instr, (void *) process_instr_trace_instr, FALSE, 1,
                                 OPND_CREATE_INTPTR(instr_addr));
            instr_instructions_counter += 1;
        }
        if (instr_addr == trace_para->end) end_reached = TRUE;
    }
    return DR_EMIT_DEFAULT;
}
--- snip ---

The debug string "[SIMPLECLIENT] [DEBUG] [event_bb_instr_global] instrumenting: 0x140001e5b" is only printed out once. The 2nd call of selfmodify() 

The target app with the self-modifying function (one part is modified before it is executed, one is modified after it was executed; you can see it is patching instructions that are irrelevant to control flow/BB structure, like mov, AND also a jmp, which might change the BB logic):

C code that calls the selfmodify() function two times; the selfmod works: the first time it prints out "... 0x3", the 2nd time it prints out "... 0x0":
printf("[ANTI-X] Selfmod return value: 0x%x (should be 0x3)\n", selfmodify());
printf("[ANTI-X] Selfmod return value: 0x%x (should be 0x0)\n", selfmodify());

selfmodify PROC
    push    rbx                     ; Save RBX

postpatch:
    mov     rax, 1234h              ; <-- gets post-patched with 'mov rax, 1'
    mov     rbx, 1234h              ; Load second value into RBX
    cmp     rax, rbx                ; Compare RAX and RBX
    je      equal_label             ; Jump if equal (ZF = 1)
    mov     rax, 0h
    jmp     end_label

equal_label:
    mov     rax, 1h                 ; rax = 1h
    inc     rax                     ; rax = 2h
    call    somefunc1               ; rax = 666h
    nop
    lea     rsi, prepatch           ; Pre-Exec Patch
    mov     byte ptr [rsi],   048h  ; 48 C7 C0 03 00 00 00 = 'mov rax, 3'
    mov     byte ptr [rsi+1], 0C7h
    mov     byte ptr [rsi+2], 0C0h
    mov     byte ptr [rsi+3], 003h
    mov     byte ptr [rsi+4], 000h
    mov     byte ptr [rsi+5], 000h
    mov     byte ptr [rsi+6], 000h
    nop
    nop
    inc     rax                     ; rax = 4h
    dec     rax                     ; rax = 3h
    inc     rax                     ; rax = 4h
    dec     rax                     ; rax = 3h

prepatch:
    jmp     end_label               ; <-- gets pre-patched with: 'mov rax, 3'
    nop                             ; 2nd run: rax = 0h
    nop
    nop
    nop
    nop
    test    rax, rax                ; always sets ZF = 0
    jz      int_leav                ; Anti-disassembler trick: make a 'jmp,nop,nop' out of a 'mov'
    jnz     int_leav+3              ; Anti-disassembler trick: make a 'jmp,nop,nop' out of a 'mov'

int_leav:
    db      048h, 0C7h, 0C0h, 0ebh, 00Ch, 090h, 090h   ; decoded from int_leav: 'mov rax, imm32'; entered at int_leav+3: 'eb 0c' = jmp +12 bytes (over the two nops and 'mov rbx') to 'inc rax' below
    mov     rbx, 0deadbeefh
    inc     rax                     ; jmp addr   rax = 1h
    dec     rax                     ; rax = 0h

end_label:
    push    rsi                     ; Save RSI
    lea     rsi, postpatch          ; Post-Exec Patch
    mov     byte ptr [rsi],   048h  ; 48 C7 C0 01 00 00 00 = 'mov rax, 1'
    mov     byte ptr [rsi+1], 0C7h
    mov     byte ptr [rsi+2], 0C0h
    mov     byte ptr [rsi+3], 001h
    mov     byte ptr [rsi+4], 000h
    mov     byte ptr [rsi+5], 000h
    mov     byte ptr [rsi+6], 000h

    pop     rsi                     ; Restore RSI
    pop     rbx                     ; Restore RBX
    ret
selfmodify ENDP

Derek Bruening

Jun 19, 2025, 11:18:49 AMJun 19
to Holger Unterbrink, DynamoRIO Users
I see your client is using global variables to decide when it has seen the start and the end, which I believe is the source of the problem.  Remember the difference between transformation time and execution time (see https://github.com/DynamoRIO/dynamorio/releases/download/release_7_0_0_rc1/DynamoRIO-tutorial-feb2017.pdf slide 89) and that a block can be flushed and re-created.  Your end_reached variable is set to true on the first block that contains the end.  But when that block is flushed (here due to the modification of the app code) that variable remains true and when your instrumentation code is invoked on a new block containing the start your own conditional "end_reached == FALSE" prevents inserting instrumentation when the start is seen again.
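
Added example (my own, not code from the thread or from DynamoRIO): a plain C model of the problem described in the reply above, and of the tail-duplication point raised earlier in the thread. It replaces the DR API with an array of app PCs so it compiles without dr_api.h; the five PCs are the ones from the posted log, the tail-duplicated block is constructed for illustration, and TRACE_START/TRACE_END stand in for trace_para->start/end. The stateful callback mirrors the posted client; the stateless one is the fix: decide per instruction from its app PC alone.

```c
/*
 * Model of a DynamoRIO bb instrumentation callback (added example, not DR code).
 * DR runs the callback at transformation time, once per block build, and builds
 * the same tag again after a flush (here: the write to the executable region) or
 * as a tail-duplicated block that starts part way through the original. The
 * callback must therefore be a pure function of the instruction's app PC.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uintptr_t app_pc_t;

/* Range from the posted command line: -s 140001E4B -e 140001E5D (stands in for trace_para). */
static const app_pc_t TRACE_START = 0x140001e4b;
static const app_pc_t TRACE_END   = 0x140001e5d;

/* --- buggy version: mirrors the posted client's global flags ------------------ */
static bool start_reached = false;
static bool end_reached   = false;

static void reset_buggy_state(void) { start_reached = false; end_reached = false; }

/* Returns how many instructions of this block would receive a clean call. */
static int bb_event_stateful(const app_pc_t *pcs, size_t n)
{
    int inserted = 0;
    for (size_t i = 0; i < n; i++) {
        if (pcs[i] == TRACE_START) start_reached = true;
        if (start_reached && !end_reached) inserted++;  /* dr_insert_clean_call(...) */
        if (pcs[i] == TRACE_END) end_reached = true;    /* sticks across rebuilds: the bug */
    }
    return inserted;
}

/* --- fixed version: no state, only the instruction's own app PC decides -------- */
static int bb_event_stateless(const app_pc_t *pcs, size_t n)
{
    int inserted = 0;
    for (size_t i = 0; i < n; i++)
        if (pcs[i] >= TRACE_START && pcs[i] <= TRACE_END) inserted++;
    return inserted;
}

typedef int (*bb_event_fn)(const app_pc_t *, size_t);

/* Block as DR built it the first time: the five app PCs from the posted log. */
static const app_pc_t FULL_BLOCK[] = {
    0x140001e4b, 0x140001e4c, 0x140001e53, 0x140001e5a, 0x140001e5d
};
/* Constructed: a tail-duplicated block starting part way through FULL_BLOCK. */
static const app_pc_t TAIL_BLOCK[] = { 0x140001e53, 0x140001e5a, 0x140001e5d };

#define LEN(a) (sizeof(a) / sizeof((a)[0]))

struct build_counts { int first; int rebuilt; int tail; };

/* Replays DR's callback sequence: initial build; selfmodify() writes 'mov rax,1'
 * over 0x140001e4c and DR flushes the fragment; the same tag is built again on
 * the next execution; later a tail-duplicated block is built. */
static struct build_counts replay(bb_event_fn cb)
{
    struct build_counts c;
    c.first   = cb(FULL_BLOCK, LEN(FULL_BLOCK));
    c.rebuilt = cb(FULL_BLOCK, LEN(FULL_BLOCK));
    c.tail    = cb(TAIL_BLOCK, LEN(TAIL_BLOCK));
    return c;
}

struct build_counts replay_stateful(void)  { reset_buggy_state(); return replay(bb_event_stateful); }
struct build_counts replay_stateless(void) { return replay(bb_event_stateless); }

int main(void)
{
    struct build_counts s = replay_stateful();
    struct build_counts p = replay_stateless();
    printf("stateful : first=%d rebuilt=%d tail=%d\n", s.first, s.rebuilt, s.tail);
    printf("stateless: first=%d rebuilt=%d tail=%d\n", p.first, p.rebuilt, p.tail);
    return 0;
}
```

The stateful callback instruments the five instructions on the first build and nothing afterwards, which is exactly the "only printed once" symptom; the stateless one instruments every build, including the three in-range instructions of the tail-duplicated block. In the real client the fix has the same shape: drop start_reached/end_reached and insert the clean call when instr_get_app_pc(instr) lies within [trace_para->start, trace_para->end]. That also keeps the callback deterministic, which DR relies on when it re-runs it with translating set to recover the app state at a fault, and it removes unsynchronized globals that several app threads would otherwise race on.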

Holger Unterbrink

Jun 20, 2025, 7:12:09 AMJun 20
to DynamoRIO Users
Doh, I think you are right. I'll check, thx for the hint!