Can DynamoRIO pre-generate all instructions to memory and then execute the generated-instructions?


Kris Zhou
May 9, 2012, 1:40:30 PM
to DynamoRIO Users
Hi,
I'm a new user of DynamoRIO. I've read the related papers about DynamoRIO,
but there are still some questions that confuse me.

Can DynamoRIO pre-generate all instructions to memory and then execute
the generated instructions? I mean, not just lazily transferring
instructions just-in-time, but having all the instructions to be executed
pre-cached in special executable memory, with the offset of each
instruction changed. For example: the original instruction set
which should be loaded into memory would be like this:

7C901305 66:894A 02 mov word ptr ds:[edx+2],cx
7C901309 49 dec ecx
7C90130A 49 dec ecx
7C90130B 66:890A mov word ptr ds:[edx],cx
7C90130E 5F pop edi

After using our own client, swapping "dec ecx" for "sub ecx, 1", the
real instruction set loaded into memory is like this:

7C901305 66:894A 02 mov word ptr ds:[edx+2],cx
7C901309 83E9 01 sub ecx,1
7C90130C 83E9 01 sub ecx,1
7C90130F 66:890A mov word ptr ds:[edx],cx
7C901312 5F pop edi

You can see that all the offsets in memory are changed; that's what I
wonder about: can we achieve this goal using my own client? Thank you for
your attention, your help would be much appreciated.

Reid Kleckner
May 9, 2012, 1:51:25 PM
to dynamor...@googlegroups.com
No, this would be much more like something done as a post-link step.  The typical post-link drawback is that you have to be very careful about identifying all of the control flow edges that jump into the middle of the instruction stream, so they can be updated.

Because DR does everything at runtime, it can just wait until it encounters these mid-stream jumps and just start a new basic block fragment from the new PC.

Any post-link transformation would also not have support for dynamically generated or self-modifying code, which DR can handle.

Reid
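
The fix-up problem Reid describes, as an added illustration that is not DynamoRIO code and not from anyone in the thread: a toy post-link rewriter that performs the `dec ecx` to `sub ecx,1` expansion from the original post, recomputes the layout, and patches the relative jumps it can find by linear decode. The instruction bytes come from the thread's listing; the trailing `jmp short` back to the second `dec ecx`, the jump-table address, and the minimal x86-32 decoder (which only knows the handful of encodings used here) are constructed for the example. The last two helpers show the contrast: an edge the rewriter saw is translated to the new address, while a pointer it never saw keeps the old address and lands in the middle of a `sub ecx,1`, which is exactly the situation a runtime system such as DynamoRIO sidesteps by translating from whatever PC control actually arrives at.

```python
"""Toy post-link rewriter: expand `dec ecx` (49) to `sub ecx,1` (83 E9 01)
and fix up the control-flow edges that a linear decode can see.
Constructed example; the decoder understands only the opcodes used here."""

BASE = 0x7C901305

# Bytes from the thread's listing, plus a constructed `jmp short` (EB F9 =
# jmp rel8 -7) that branches back to the second `dec ecx` at old offset 5.
ORIGINAL = bytes.fromhex("66894A02" "49" "49" "66890A" "5F" "EBF9")

SUB_ECX_1 = bytes.fromhex("83E901")   # sub ecx,1: 3 bytes replacing a 1-byte dec ecx


def decode(code, off):
    """Return (length, mnemonic, absolute_target_or_None) for the opcode at off."""
    b = code[off]
    if b == 0x49:
        return 1, "dec ecx", None
    if b == 0x5F:
        return 1, "pop edi", None
    if b == 0x83 and code[off + 1] == 0xE9:
        return 3, "sub ecx,imm8", None
    if b == 0x66 and code[off + 1] == 0x89:            # mov word ptr [mem],reg16
        mod = code[off + 2] >> 6                       # mod=1 carries a disp8
        return (4 if mod == 1 else 3), "mov word ptr [edx(+disp8)],cx", None
    if b == 0xEB:                                      # jmp rel8
        rel = int.from_bytes(code[off + 1:off + 2], "little", signed=True)
        return 2, "jmp short", off + 2 + rel
    raise ValueError(f"unknown opcode {b:#04x} at offset {off}")


def instruction_starts(code):
    """Offsets reached by a straight linear decode from offset 0."""
    starts, off = set(), 0
    while off < len(code):
        starts.add(off)
        off += decode(code, off)[0]
    return starts


def rewrite(code):
    """Expand every `dec ecx` and re-encode the rel8 jumps the decoder saw.
    Returns (new_code, old_offset -> new_offset map)."""
    # Pass 1: decode linearly and compute where each instruction will land.
    insns, old_to_new, off, new_off = [], {}, 0, 0
    while off < len(code):
        ln, mn, tgt = decode(code, off)
        insns.append((off, ln, mn, tgt))
        old_to_new[off] = new_off
        off += ln
        new_off += len(SUB_ECX_1) if mn == "dec ecx" else ln
    old_to_new[off] = new_off            # one-past-the-end is a legal branch target

    # Pass 2: emit bytes, recomputing each relative displacement for the new layout.
    out = bytearray()
    for off, ln, mn, tgt in insns:
        if mn == "dec ecx":
            out += SUB_ECX_1
        elif tgt is not None:
            if tgt not in old_to_new:
                raise ValueError(f"jump into the middle of an instruction at {tgt}")
            new_rel = old_to_new[tgt] - (old_to_new[off] + ln)
            out += bytes([code[off]]) + new_rel.to_bytes(1, "little", signed=True)
        else:
            out += code[off:off + ln]
    return bytes(out), old_to_new


def translate_address(old_to_new, addr):
    """Map an original code address to its rewritten location, or None if the
    rewriter never saw that address as an instruction start."""
    new_off = old_to_new.get(addr - BASE)
    return None if new_off is None else BASE + new_off


def stale_pointer_lands_on_boundary(new_code, addr):
    """A pointer that still holds an *old* address (e.g. a jump-table entry the
    rewriter did not know about): does it hit an instruction boundary in the
    rewritten code?  If not, execution resumes mid-instruction."""
    return (addr - BASE) in instruction_starts(new_code)


if __name__ == "__main__":
    new_code, old_to_new = rewrite(ORIGINAL)
    print("rewritten:", new_code.hex(" "))
    for old_off in sorted(old_to_new):
        print(f"  {BASE + old_off:08X} -> {BASE + old_to_new[old_off]:08X}")
    table_entry = 0x7C90130A        # constructed: points at the original second dec ecx
    print("known edge, patched :", hex(translate_address(old_to_new, table_entry)))
    print("unknown edge, stale :", stale_pointer_lands_on_boundary(new_code, table_entry))
```

Running it reproduces the second listing from the original post (the two `sub ecx,1` at 7C901309 and 7C90130C, `mov` at 7C90130F, `pop edi` at 7C901312) and shows the constructed jump re-encoded as `EB F7`; the stale 0x7C90130A pointer now falls on the `E9` byte inside the first `sub`, which is the mid-instruction entry that a static pass has no way to see unless it discovers every edge up front.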




Qin Zhao
May 9, 2012, 1:55:25 PM
to dynamor...@googlegroups.com
ToT DynamoRIO can persist the code cache, i.e. dump the code and load it in a future run,
which might be what you want.

Qin

Derek Bruening
May 9, 2012, 1:59:38 PM
to dynamor...@googlegroups.com
Agreed.  It's hard to tell why you're trying to do this, but a persisted code cache from a prior run that is loaded in a subsequent run may be what you want.  See dr_register_persist_ro(), etc. (http://code.google.com/p/dynamorio/source/browse/trunk/core/x86/instrument.h#4359)

- Derek

Kris Zhou
May 11, 2012, 2:07:55 AM
to DynamoRIO Users
Hi, thank you all, I'll look into it and have a try. What I want to do
is something like binary rewriting or probe-based instrumentation, in
order to provide exploit mitigation; post-link may be an alternative
way.

Best wishes,
-Kris
