get written memory address for each instruction which writes memory


Peter Bob

Dec 10, 2015, 5:18:41 AM
to DynamoRIO Users
I am building a dynamorio tool which prints the instruction details and the memory address which was written by this instruction alongside the new content of this memory address.

Therefore I am using the function "dr_insert_call_instrumentation" in "event_app_instruction" (drmgr_register_bb_instrumentation_event(NULL, event_app_instruction, NULL);)
The function which is called by "dr_insert_call_instrumentation" provides a target_addr which is, in the case of a "call", the written memory address. But for example if a "push" is executed the instruction also writes to the memory, but then the target_addr is 0x00000000.

Now the question is, is there a possibility to get the memory address which is written for EACH instruction?

Best regards,
Peter

Igor R

Dec 10, 2015, 1:22:45 PM
to DynamoRIO Users
You should instrument every instruction that has memory references, so dr_insert_call_instrumentation() wouldn't help you much.
I.e., you have to insert your meta-instructions before/after every application instruction for which instr_writes_memory() == true. 
As for "call" instruction, in pre-instr instrumentation you can simply predict the value that "call" would write to the stack, instead of reading it in post-instruction instrumentation (which is not possible) - thus saving the unnecessary effort.

Qin Zhao

Dec 10, 2015, 1:24:15 PM
to dynamor...@googlegroups.com
On Thu, Dec 10, 2015 at 5:18 AM, Peter Bob <fro...@googlemail.com> wrote:
> I am building a dynamorio tool which prints the instruction details and the memory address which was written by this instruction alongside the new content of this memory address.
>
> Therefore I am using the function "dr_insert_call_instrumentation" in "event_app_instruction" (drmgr_register_bb_instrumentation_event(NULL, event_app_instruction, NULL);)
> The function which is called by "dr_insert_call_instrumentation" provides a target_addr which is, in the case of a "call", the written memory address. But for example if a "push" is executed the instruction also writes to the memory, but then the target_addr is 0x00000000.

I am not sure if you are using the right function.
dr_insert_call_instrumentation is to insert a clean call to a call instruction, and the target is the call's target.
You can take look at the samples/memtrace_simple.c to see how to collect memory reference information.

 

> Now the question is, is there a possibility to get the memory address which is written for EACH instruction?
>
> Best regards,
> Peter


Peter Bob

Dec 12, 2015, 9:25:39 AM
to DynamoRIO Users
Thanks for your reply, but how do I do that with other instructions than call? It would be much effort to analyze the instructions in order to predict the written memory references. Why is it not possible to read the memory exactly after the instruction is executed?

Peter Bob

Dec 12, 2015, 9:28:10 AM
to DynamoRIO Users
I already looked at the memtrace_simple example, but my problem was: how do I get the corresponding instruction to the memory reference?
My output should be like this:

push   rbp ;  Thread_ID: 2543;  as byte: 55 ;  Instr-Addr: 0x00007f6af790c066
writes Memory? 1/0  (if 1-->) memoryaddress:memoryContent
changed register:  RSP: 0x00007ffc5919a990

Igor R

Dec 12, 2015, 10:08:31 AM
to DynamoRIO Users
> I already looked at the memtrace_simple example, but my problem was: how do I get the corresponding instruction to the memory reference?
> My output should be like this:
>
> push   rbp ;  Thread_ID: 2543;  as byte: 55 ;  Instr-Addr: 0x00007f6af790c066
> writes Memory? 1/0  (if 1-->) memoryaddress:memoryContent
> changed register:  RSP: 0x00007ffc5919a990



It goes the other way: for every instruction you can figure out its memory references.
For instance, like this:
    /* at instrumentation time: collect the memory destination operands of instr */
    if (instr_writes_memory(instr))
      for (int i = 0; i < instr_num_dsts(instr); ++i)
        if (opnd_is_memory_reference(instr_get_dst(instr, i)))
          your_memory_refs.insert(instr_get_dst(instr, i));  /* your own container of opnd_t */

Then for every mem reference you can insert instrumentation that would get the memory address at run-time:
  drutil_insert_get_mem_addr(drcontext, bb, instr, your_memref, reg_for_addr, scratch_reg);

Now, you have some metacode just before instr that loads to reg_for_addr the address of the memory being written.
With some more instrumentation *after* instr, you can get the pointee of this register and know what value was written.
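The following is an added example written for this thread; it is not code from the posts above nor from the DynamoRIO project. It puts the two pieces of advice in the answers together: a pre-instruction step that captures the written address for every instruction with a memory destination, a post-instruction step that reads the value found there, and the special case of "call", whose written value (the return address) is predicted up front because a call ends the block and leaves no post-instruction slot. It assumes an x86-64 client built against DynamoRIO with the drmgr extension. To keep the control flow easy to follow it computes the address inside a clean call with the documented opnd_compute_address() instead of the inline drutil_insert_get_mem_addr() path from the answer; that is a deliberate simplification and is far slower.

```c
/* Added example, not from the thread or the DynamoRIO project: for every app
 * instruction that writes memory, compute the destination address just before it
 * runs and dump the bytes found there just after.  Assumes DynamoRIO + drmgr, x86-64. */
#include "dr_api.h"
#include "drmgr.h"

typedef struct {           /* one per instrumented instruction; lives until process exit */
    app_pc pc;
    uint len;
    opnd_t memref;         /* the memory destination, e.g. -8(%rsp) for push */
    size_t size;           /* bytes written */
    bool is_call;          /* a call ends the block, so its value is predicted, not read */
} write_site_t;

typedef struct {           /* per-thread hand-off from the pre call to the post call */
    app_pc addr;
    const write_site_t *site;
} pending_write_t;

static int tls_idx;

/* Clean call placed before the instruction: compute and remember the address. */
static void pre_write(const write_site_t *site)
{
    void *drcontext = dr_get_current_drcontext();
    pending_write_t *pw = (pending_write_t *)drmgr_get_tls_field(drcontext, tls_idx);
    dr_mcontext_t mc = { sizeof(mc), DR_MC_ALL };
    dr_get_mcontext(drcontext, &mc);              /* application register state */
    pw->site = site;
    pw->addr = opnd_compute_address(site->memref, &mc);
    dr_fprintf(STDERR, "T%d " PFX " writes %d bytes at " PFX "\n",
               dr_get_thread_id(drcontext), site->pc, (int)site->size, pw->addr);
    if (site->is_call)                            /* pushed value is the return address */
        dr_fprintf(STDERR, "  predicted value: " PFX "\n", site->pc + site->len);
}

/* Clean call placed before the next app instruction: read what was just written. */
static void post_write(void)
{
    void *drcontext = dr_get_current_drcontext();
    pending_write_t *pw = (pending_write_t *)drmgr_get_tls_field(drcontext, tls_idx);
    byte buf[16]; size_t got = 0;
    if (pw->site == NULL)
        return;
    dr_fprintf(STDERR, "  value at " PFX ":", pw->addr);
    if (pw->site->size <= sizeof(buf) && dr_safe_read(pw->addr, pw->site->size, buf, &got))
        for (size_t i = 0; i < got; i++)          /* dr_safe_read tolerates unmapped pages */
            dr_fprintf(STDERR, " %02x", buf[i]);
    dr_fprintf(STDERR, "\n");
    pw->site = NULL;
}

static dr_emit_flags_t
event_app_instruction(void *drcontext, void *tag, instrlist_t *bb, instr_t *instr,
                      bool for_trace, bool translating, void *user_data)
{
    if (!instr_is_app(instr) || !instr_writes_memory(instr))
        return DR_EMIT_DEFAULT;
    for (int i = 0; i < instr_num_dsts(instr); i++) {
        opnd_t dst = instr_get_dst(instr, i);
        if (!opnd_is_memory_reference(dst))
            continue;
        write_site_t *site = (write_site_t *)dr_global_alloc(sizeof(*site));
        site->pc = instr_get_app_pc(instr);
        site->len = instr_length(drcontext, instr);
        site->memref = dst;
        site->size = opnd_size_in_bytes(opnd_get_size(dst));
        site->is_call = instr_is_call(instr);
        dr_insert_clean_call(drcontext, bb, instr, (void *)pre_write, false, 1,
                             OPND_CREATE_INTPTR(site));
        instr_t *next = instr_get_next_app(instr);
        if (next != NULL)  /* no post slot after a block-ending instruction such as call */
            dr_insert_clean_call(drcontext, bb, next, (void *)post_write, false, 0);
        break;             /* first memory destination only; rep string ops not expanded */
    }
    return DR_EMIT_DEFAULT;
}

static void thread_init(void *drcontext)
{
    pending_write_t *pw = (pending_write_t *)dr_thread_alloc(drcontext, sizeof(*pw));
    pw->site = NULL;
    drmgr_set_tls_field(drcontext, tls_idx, pw);
}

static void thread_exit(void *drcontext)
{
    dr_thread_free(drcontext, drmgr_get_tls_field(drcontext, tls_idx), sizeof(pending_write_t));
}

DR_EXPORT void dr_client_main(client_id_t id, int argc, const char *argv[])
{
    drmgr_init();
    tls_idx = drmgr_register_tls_field();
    drmgr_register_thread_init_event(thread_init);
    drmgr_register_thread_exit_event(thread_exit);
    drmgr_register_bb_instrumentation_event(NULL, event_app_instruction, NULL);
}
```

Build it as an ordinary DynamoRIO client (configure_DynamoRIO_client plus use_DynamoRIO_extension for drmgr in CMake) and run it with drrun -c on the target binary. For a push the pre call prints rsp-8 as the address and the post call prints the eight bytes now stored there; for a call only the predicted return address is printed, exactly the case Igor describes. Instructions with more than one memory destination and rep string operations are deliberately left out so the per-thread hand-off slot stays a single value.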
