Call application function in client


朱子睿

Aug 15, 2023, 4:38:49 AM
to DynamoRIO Users
Can I call an application function in a client using a function pointer that points at it? I got the function pointer from the drsyms extension, and some of them currently work but others may not. It seems that when the application function's return value or parameter has a C++ container like std::string, the function pointer does not work as I want. I would like to know if there are other ways to call an application function safely, or if there is some problem in my usage of it. Thanks a lot.

Derek Bruening

Aug 15, 2023, 1:31:36 PM
to 朱子睿, DynamoRIO Users
It is inherently unsafe to share code with the application. Please see https://dynamorio.org/transparency.html. Application code should be run in an application context, not a client/tool context. A client/tool can manipulate the code the application runs, but to directly invoke application code from a client/tool for its own purposes instead of advancing the application execution, an isolated copy should be used, such as that provided by DR's private loader.


朱子睿

Aug 15, 2023, 10:10:18 PM
to DynamoRIO Users
But my purpose is to get something in the application context, and the easiest way to get it is to call an application function. Does that mean the only way is to insert a function call into the application code and use a hook to get its running information? I'm a newbie in DynamoRIO so I don't know what DR's private loader is. Will it serve my purpose? If so, I would appreciate it if you could provide some tutorial about it. Sorry to bother you. lol

Derek Bruening

Aug 15, 2023, 10:39:22 PM
to 朱子睿, DynamoRIO Users
dr_switch_to_app_state_ex() can be used prior to examining application state from a client context, but calling an application function is still unsafe.  Think about what will happen if the application is in the middle of that same function when you call it.  Most functions are not re-entrant.  Best to obtain the information without running application code.
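
The re-entrancy hazard described in the reply above, as an added C illustration that is not part of the thread and uses no DynamoRIO API: `app_join`, the hook pointer and all strings are constructed stand-ins, with the hook simulating a tool gaining control in the middle of an application function.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a non-re-entrant application function: its
 * working state lives in static storage shared by every call. */
static char app_buf[64];
static size_t app_len;
static void (*mid_function_hook)(void);  /* simulates a tool gaining control */

static void app_append(const char *s)
{
    size_t room = sizeof(app_buf) - 1 - app_len, n = strlen(s);
    if (n > room) n = room;              /* truncate, never overflow */
    memcpy(app_buf + app_len, s, n);
    app_len += n;
    app_buf[app_len] = '\0';
}

const char *app_join(const char *a, const char *b)
{
    app_len = 0;
    app_append(a);
    if (mid_function_hook) mid_function_hook();  /* tool code runs mid-function */
    app_append(b);
    return app_buf;
}

static char tool_seen[64];               /* tool-private copy of app state */
/* Unsafe: the tool calls the application function for its own purposes. */
static void hook_calls_app(void)
{
    mid_function_hook = NULL;            /* keep the nested call from recursing */
    app_join("tool", "probe");
}

/* Safer: the tool copies the state out and runs no application code. */
static void hook_reads_state(void) { memcpy(tool_seen, app_buf, app_len + 1); }

const char *run_app_with(void (*hook)(void))
{
    mid_function_hook = hook;
    return app_join("user=", "alice");
}

int main(void)
{
    printf("tool calls app:   %s\n", run_app_with(hook_calls_app));
    printf("tool reads state: %s\n", run_app_with(hook_reads_state));
}
```

With the calling hook, the application's own call returns a corrupted string because the nested call reset the shared state underneath it; with the read-only hook, the application result is intact and the tool still observes the intermediate state.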

朱子睿

Aug 16, 2023, 3:21:30 AM
to DynamoRIO Users
I tried calling dr_switch_to_app_state_ex() before calling the application function, but it still stops responding and finally causes an out-of-memory crash. I think maybe I should use drmgr_register_bb_app2app_event() to insert the application function call into the bb so that the DR client can hook it as if it was called natively in the application. I'll report the result later whether it works or not. Thanks a lot.

朱子睿

Aug 18, 2023, 4:14:27 AM
to DynamoRIO Users
I tried to insert instrs into the bb in the app2app callback, but the application and client just crashed. I have called a function without params successfully, but how to pass params to a function confuses me. I followed the asm generated by Compiler Explorer to add the instrs. I would like to know if this method can reach the goal mentioned above. Thanks a lot.

asm followed:
testF.png
On Wednesday, August 16, 2023 at 10:39:22 UTC+8, Derek Bruening wrote:

朱子睿

Aug 21, 2023, 5:54:29 AM
to DynamoRIO Users
I have successfully inserted the application function call into the bb, but another problem occurred. I found that the inserted application code reran many times. I thought it was because of the inserted instructions' address, but I really have no idea about the inner principle.

console output:
捕获.PNG, 屏幕截图 2023-08-21 175159.png, 屏幕截图 2023-08-21 175231.png