disassemble with drdecode + Unresolved external


Gettica St

Dec 15, 2017, 6:46:21 AM
to DynamoRIO Users
Hi.
Just started with DynamoRIO API and I have a few questions.
First of all, I would like to know: is there a way to disassemble a small part of code at a random address?
Let's say I have some address that points into the middle of an instruction and I want to disassemble 10 instructions before + current + 10 after it and put the result in a memory buffer.
The problem is that we need to point at the opcode start address to get a valid disasm. But it looks like DynamoRIO has some length-disassembler engine and can handle this situation.

So if drdecode can do it with its own functions, please tell me how to do it the right way (and also the fast way).

The second question is about "Unresolved external symbol '_vsnprintf'". There were more, but I've found '_dr_fpu_exception_init' and '_get_mmx_val' in ..\lib32\drhelper.lib, but _vsnprintf is imported from ntdll_imports.lib as __vsnprintf (like from any other MS libs) and my linker fails...
I will be grateful for any help.
 

Derek Bruening

Dec 15, 2017, 6:08:30 PM
to dynamor...@googlegroups.com
On Fri, Dec 15, 2017 at 6:46 AM, Gettica St <gettic...@gmail.com> wrote:
> Hi.
> Just started with DynamoRIO API and I have a few questions.
> First of all, I would like to know: is there a way to disassemble a small part of code at a random address?
> Let's say I have some address that points into the middle of an instruction and I want to disassemble 10 instructions before + current + 10 after it and put the result in a memory buffer.
> The problem is that we need to point at the opcode start address to get a valid disasm. But it looks like DynamoRIO has some length-disassembler engine and can handle this situation.
>
> So if drdecode can do it with its own functions, please tell me how to do it the right way (and also the fast way).

Unless you want to look up the containing function using drsyms which will rely on debug info (unless this code is always in an exported function) and decode forward from the function entry (and deal w/ split functions), you would have to try increasing offsets backward until you hit some code sequences with zero invalid instructions, and if there are multiple it might take heuristics to decide which is the most likely if there is no other information to go on like observing actual execution or debug info.  (Usually it's pretty obvious which instruction stream is the right one.)  Our decoder just decodes from the PC it's given: it does not contain backward code discovery logic inside it so you would have to supply that as described.


> The second question is about "Unresolved external symbol '_vsnprintf'". There were more, but I've found '_dr_fpu_exception_init' and '_get_mmx_val' in ..\lib32\drhelper.lib, but _vsnprintf is imported from ntdll_imports.lib as __vsnprintf (like from any other MS libs) and my linker fails...
> I will be grateful for any help.

Easiest is to use VS2013 which is what Appveyor is set up with and which is kept green.  We have not seen these particular errors: presumably they are from a toolchain or setup that is not part of our automated testing.

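The backward search described in the reply above, as an added example that is not part of the thread or of DynamoRIO's code: every backward start offset is decoded forward, starts that hit an invalid instruction are discarded, and the surviving candidates vote on where the window of preceding instructions begins. `len_fn`, `toy_len`, `window_start` and `SAMPLE` are hypothetical names, the toy decoder stands in for a real one, and the majority vote is only one possible heuristic for choosing between clean candidates.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define MAX_BACK 176 /* search bound: 11 instructions at x86's 15-byte maximum, rounded up */
#define RING 64      /* instruction starts remembered per attempt */

/* Hypothetical callback: instruction length at p, 0 if invalid (e.g. a decode_next_pc() wrapper). */
typedef size_t (*len_fn)(const uint8_t *p, const uint8_t *end);

/* Toy length decoder for a handful of x86 opcodes (constructed stand-in). */
static size_t toy_len(const uint8_t *p, const uint8_t *end) {
    size_t n;
    switch (*p) {
    case 0x90: case 0xC3: case 0x55: n = 1; break; /* nop, ret, push ebp */
    case 0xEB: case 0x6A: n = 2; break;            /* jmp rel8, push imm8 */
    case 0xB8: case 0xE8: n = 5; break;            /* mov eax,imm32; call rel32 */
    default: return 0;
    }
    return (size_t)(end - p) >= n ? n : 0;
}

/* Constructed sample: the mov immediate at offsets 8-11 also decodes cleanly as nop/ret. */
static const uint8_t SAMPLE[] = {
    0x55, 0x90, 0x90, 0x6A, 0x01, 0x90, 0x90, /*  0: push ebp; nop; nop; push 1; nop; nop */
    0xB8, 0x90, 0x90, 0x90, 0xC3, 0x6A, 0x01, /*  7: mov eax,0xC3909090; 12: push 1 */
    0xE8, 0x00, 0x00, 0x00, 0x00, 0x90, 0xC3 }; /* 14: call rel32; 19: nop; 20: ret */

/* Offset of the instruction n_before instructions before the one covering
 * `target`, by majority vote over all clean backward starts; -1 if none. */
static long window_start(const uint8_t *code, size_t len, size_t target,
                         unsigned n_before, len_fn decode) {
    unsigned votes[MAX_BACK + 1] = {0};
    long best = -1;
    if (target >= len || n_before >= RING) return -1;
    for (size_t back = 0; back <= target && back <= MAX_BACK; back++) {
        size_t starts[RING], count = 0, off = target - back, n;
        while ((n = decode(code + off, code + len)) != 0) {
            starts[count++ % RING] = off;
            if (off + n > target) break; /* this instruction covers target */
            off += n;
        }
        if (n == 0 || count <= n_before) continue; /* invalid byte, or too few before */
        size_t w = starts[(count - 1 - n_before) % RING];
        votes[target - w]++;
        if (best < 0 || votes[target - w] > votes[target - (size_t)best]) best = (long)w;
    }
    return best;
}
int main(void) { printf("%ld\n", window_start(SAMPLE, sizeof SAMPLE, 16, 2, toy_len)); return 0; }
```

In the sample, starts inside the `mov` immediate also decode cleanly and propose offset 11, which is why a tie-breaking heuristic is needed; the vote settles on the true stream only because enough earlier starts converge on it.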