How to get disassemble instructions of program?


kevin....@gmail.com

Mar 6, 2017, 7:55:20 PM
to DynamoRIO Users
Hi~
I am a beginner with DynamoRIO. I have some doubts about disassembling instructions.
I have found a series of APIs in the documentation, like instr_disassemble(), disassemble and so on. But when I use them, there is nothing printed in my outfile. Why?

My code:

static dr_emit_flags_t
event_app_instruction(void *drcontext, void *tag, instrlist_t *bb,
                      instr_t *instr, bool for_trace,
                      bool translating, void *user_data)
{
    if (!instr_is_app(instr))
        return DR_EMIT_DEFAULT;

    per_thread_t *data;
    data = drmgr_get_tls_field(drcontext, tls_idx);
    instr_t *ins;
    disassemble_set_syntax(DR_DISASM_INTEL);

    for (instr = instrlist_first(bb); instr != NULL; instr = instr_get_next(instr))
    {
        ins = instr_clone(drcontext, instr);
        instr_make_persistent(drcontext, ins);
        instr_disassemble(drcontext, ins, data->logf); // data->logf is my outfile
        dr_fprintf(data->logf, "\r\n");
    }

    dr_insert_clean_call(drcontext, bb, instr, (void *)clean_call, false, 0);
    return DR_EMIT_DEFAULT;
}

I learned that instr_disassemble() could print the instruction instr to the file outfile, but there is nothing in my outfile. Who can point out my error?
Thanks in advance!

Derek Bruening

Mar 7, 2017, 11:57:02 AM
to dynamor...@googlegroups.com
Maybe data->logf doesn't point at an open file?  It's hard to say with no code shown for that.  It's also odd to shadow the instr parameter with a local variable, to walk the whole list in the per-instruction event, and to clone instructions but not free them.  Did you run with -debug?  That should always be the first step.  It will complain about the memory leaks and perhaps about other errors.

--
You received this message because you are subscribed to the Google Groups "DynamoRIO Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dynamorio-users+unsubscribe@googlegroups.com.
To post to this group, send email to dynamorio-users@googlegroups.com.
Visit this group at https://groups.google.com/group/dynamorio-users.
For more options, visit https://groups.google.com/d/optout.

kevin....@gmail.com

Mar 11, 2017, 8:03:41 AM
to DynamoRIO Users
data->logf is open, since I print other things to it and it works. Really, I don't know how to run with -debug. I debug the *.dll by printing logs; is there any way for me to debug by setting a stop point?  And how do I print an instr to a file? dr_print_instr()?

Derek Bruening

Mar 11, 2017, 9:32:03 PM
to dynamor...@googlegroups.com


kevin....@gmail.com

Mar 12, 2017, 9:30:58 PM
to DynamoRIO Users
Thanks for your link.
When I get WinDbg to use DynamoRIO symbols, a memory access error appears in the script. Details are as follows:
The command is: "d:\Program Files (x86)\Debugging Tools for Windows (x86)\windbg.exe"  d:\dynamorio\build\bin32\drrun.exe -- d:\testHelloWorld-BAK.exe

Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: dynamorio\build\bin32\drrun.exe -- D:\testHelloWorld-BAK.exe
Symbol search path is: SRV*C:\symbols*
Executable search path is: 
ModLoad: 01280000 01317000   drrun.exe
ModLoad: 77620000 777a0000   ntdll.dll
ModLoad: 75330000 75440000   C:\Windows\syswow64\kernel32.dll
ModLoad: 76cf0000 76d37000   C:\Windows\syswow64\KERNELBASE.dll
ModLoad: 5f9e0000 5fa76000   d:\dynamorio\build\bin32\drconfiglib.dll
ModLoad: 75530000 755d1000   C:\Windows\syswow64\ADVAPI32.dll
ModLoad: 76c40000 76cec000   C:\Windows\syswow64\msvcrt.dll
ModLoad: 762c0000 762d9000   C:\Windows\SysWOW64\sechost.dll
ModLoad: 75440000 75530000   C:\Windows\syswow64\RPCRT4.dll
ModLoad: 74cc0000 74d20000   C:\Windows\syswow64\SspiCli.dll
ModLoad: 74cb0000 74cbc000   C:\Windows\syswow64\CRYPTBASE.dll
ModLoad: 5f840000 5f8a8000   d:\dynamorio\build\bin32\drinjectlib.dll
(25ddc.25e68): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=7c380000 edx=0020e3c8 esi=fffffffe edi=00000000
eip=776c0e14 esp=0037f430 ebp=0037f45c iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!LdrpDoDebuggerBreak+0x2c:
776c0e14 cc              int     3
0:000> .childdbg 1
Processes created by the current process will be debugged
0:000> g
ModLoad: 73f90000 73fdc000   C:\Windows\SysWOW64\apphelp.dll
Symbol search path is: SRV*C:\symbols*
Executable search path is: 
ModLoad: 000d0000 000d6000   testHelloWorld.exe
ModLoad: 77620000 777a0000   ntdll.dll
ModLoad: 75330000 75440000   C:\Windows\syswow64\kernel32.dll
ModLoad: 76cf0000 76d37000   C:\Windows\syswow64\KERNELBASE.dll
ModLoad: 6d2f0000 6d3de000   C:\Windows\SysWOW64\MSVCR120.dll
(25968.258fc): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=ad610000 edx=0025df18 esi=fffffffe edi=00000000
eip=776c0e14 esp=004ef8f0 ebp=004ef91c iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!LdrpDoDebuggerBreak+0x2c:
776c0e14 cc              int     3
1:001> l+s
Source options are 4:
     4/s - List source code at prompt
1:001> l+t
Source options are 5:
     1/t - Step/trace by source line
     4/s - List source code at prompt
1:001> $><D:\dynamorio\tools\windbg-scripts\load_syms
Memory access error at ') = b1d2ae58) {;    .if (dwo(@$t1 + 4) = ca50c356) {;        .if (dwo(@$t1 + 8) = 63000089) {;            .if (dwo(@$t1 + c) = 3fa898f0) {;                aS /c ${/v:loadpriv} .printf "%ma", @$t1 + 2c;                .block { ${loadpriv} };                ad ${/v:loadpriv};            } .else {;                .echo "DynamoRIO not detected";            };        } .else {;            .echo "DynamoRIO not detected";        };    } .else {;        .echo "DynamoRIO not detected";    };} .else {;    .echo "DynamoRIO not detected";};'

As the documentation says, the script will fail if the process is not running under DynamoRIO or if it has not finished DynamoRIO initialization, but I still don't understand how to solve this error...

Derek Bruening

Mar 12, 2017, 11:44:18 PM
to dynamor...@googlegroups.com
It looks like you are in drrun.exe, which is just a launcher process.  You need to be in the child, your target app: that's what's run under DR, not drrun.exe.


Derek Bruening

Mar 13, 2017, 12:50:32 AM
to dynamor...@googlegroups.com
Actually I see you did walk into the child, but are too early: DR is not even loaded yet (the default injection via drrun is not very early).

kevin....@gmail.com

Mar 13, 2017, 9:52:03 AM
to DynamoRIO Users
When is DR loaded? How can I know it? Is dynamorio.dll or something else loaded?

kevin....@gmail.com

Mar 14, 2017, 3:27:30 AM
to DynamoRIO Users


On Monday, March 13, 2017 at 12:50:32 PM UTC+8, Derek Bruening wrote:

Derek Bruening

Mar 15, 2017, 1:28:24 AM
to dynamor...@googlegroups.com
Yes, attaching at a -msgbox_mask point and then running the load_syms scripts is in some ways simpler and is typically how we debug on Windows.  The debugging wiki page talks about -msgbox_mask but perhaps could make it clearer that it is a simpler way to get to the right place.
