Memtracing specific functions
26 views
Skip to first unread message
typ1232
Sep 8, 2025, 5:04:05 PMSep 8
to DynamoRIO Users
Hi! I explored DynamoRIO a bit by reading, building a basic client and debugging a bit with WinDBG, but I could not figure out whether it is a good fit for what I'm aiming to do, yet.
Within a target application (no source code) I have a single function of interest that calls hundreds of other functions. I want to call this function with thousands of inputs and trace resulting memory accesses. I don't care about anything else in the app. It does not need to run from main() because the cascade of functions only needs a few global objects which are easy to set up manually.
Am I correct that there could be two widely different approaches?
- Use the high-level flow with drrun and a client that somehow makes sure to setup the function calls, catch crashes and run the drmemtrace next to that. I didn't find any API for actively changing control flow, it all seems to be about observing.
- Extract raw code from target application, setup environment and only surgically use low-level tools like the instrumentation API. Running with the code cache does not seem strictly necessary here - or not even possible if in the same process? This on the other hand seems to involve more manual work in terms of the setup and tracing the memory accesses myself.
Do you think DynamoRIO is suited for this task? Do you have some pointers on how to get started?
Within a target application (no source code) I have a single function of interest that calls hundreds of other functions. I want to call this function with thousands of inputs and trace resulting memory accesses. I don't care about anything else in the app. It does not need to run from main() because the cascade of functions only needs a few global objects which are easy to set up manually.
Am I correct that there could be two widely different approaches?
- Use the high-level flow with drrun and a client that somehow makes sure to setup the function calls, catch crashes and run the drmemtrace next to that. I didn't find any API for actively changing control flow, it all seems to be about observing.
- Extract raw code from target application, setup environment and only surgically use low-level tools like the instrumentation API. Running with the code cache does not seem strictly necessary here - or not even possible if in the same process? This on the other hand seems to involve more manual work in terms of the setup and tracing the memory accesses myself.
Do you think DynamoRIO is suited for this task? Do you have some pointers on how to get started?
Enrico Deiana
Sep 8, 2025, 5:39:14 PMSep 8
to DynamoRIO Users
As you pointed out, you could just `drrun -t drmemtrace -offline -- ${your_app_with_args}` to get an offline trace that you can then analyze the memory accesses of (have a look at our analyzers: https://dynamorio.org/sec_drcachesim_tools.html or build your own: https://dynamorio.org/sec_drcachesim_newtool.html).
> I didn't find any API for actively changing control flow
> I didn't find any API for actively changing control flow
Just a bit confused: why do you want to change the control flow if you only want to "trace resulting memory accesses. I don't care about anything else in the app"?
- Enrico
Derek Bruening
Sep 8, 2025, 5:42:51 PMSep 8
to typ1232, DynamoRIO Users
You can control the app's control flow, and there are existing projects that use DR to repeatedly execute a single function with different arguments. An example is Dr. Fuzz https://drmemory.org/page_drfuzz.html which is used in Dr. Memory's Fuzz Testing Mode https://drmemory.org/page_fuzzer.html.
--
You received this message because you are subscribed to the Google Groups "DynamoRIO Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dynamorio-use...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/dynamorio-users/5e602aa0-e6fe-47d7-a789-a0b05e9c1a50n%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages