From: John R. <jr...@bi...> - 2010-09-17 02:39:21
> How can my instrumentation code reliably detect function calls?

100% reliability is impossible, both theoretically and in practice.
For instance, the code

    call L100
    .asciz "How now, brown cow?"
L100:

usually is a position-independent PUSH of the address of a string.
With suitable changes in the string and in the code at L100, it can
be disguised arbitrarily well as a subroutine call.

> I had thought I could look for an Ijk_Call JumpKind in either an
> Ist_Exit statement or in the IRSB's jumpkind, but those don't seem to
> catch everything. The particular code I want to catch is the
> following (amd64-linux):
>
> 0x4004CD: call 0x4004DC
>
> ------ IMark(0x4004CD, 5) ------
> PUT(168) = 0x4004CD:I64
> t2 = Sub64(GET:I64(32),0x8:I64)
> PUT(32) = t2
> STle(t2) = 0x4004D2:I64
> t3 = 0x4004DC:I64
> ====== AbiHint(Sub64(t2,0x80:I64), 128, t3) ======
>
> 0x4004DC: pushq %rbp
>
> ------ IMark(0x4004DC, 1) ------
> PUT(168) = 0x4004DC:I64
> t4 = GET:I64(40)
> t5 = Sub64(GET:I64(32),0x8:I64)
> PUT(32) = t5
> STle(t5) = t4
>
> I, for one, don't see anything in the call statement's IR that
> indicates that control is being transferred as the result of a
> function call.

The discontinuity (5 + 0x4004CD) != 0x4004DC must be accomplished
somewhere, such as in the capture of the value in t3. Not everything
is printed pedantically.

--
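The discontinuity the reply points at can be checked mechanically. The following is an added example, not code from the thread or from Valgrind: it parses a printed VEX IR dump (the quoted amd64 superblock, embedded as constructed sample input), flags every IMark whose address is not the fall-through of the previous IMark, and records whether an AbiHint (as seen at the call site in the dump) preceded it. The pairing of a discontinuity with an AbiHint is a heuristic for a chased call, not a guarantee, exactly as the reply warns.

```python
import re

# Constructed sample: the VEX IR dump quoted above (amd64-linux), one
# superblock in which the call at 0x4004CD is followed directly by the
# callee's first instruction at 0x4004DC, with no Ist_Exit in between.
IR_DUMP = """\
------ IMark(0x4004CD, 5) ------
PUT(168) = 0x4004CD:I64
t2 = Sub64(GET:I64(32),0x8:I64)
PUT(32) = t2
STle(t2) = 0x4004D2:I64
t3 = 0x4004DC:I64
====== AbiHint(Sub64(t2,0x80:I64), 128, t3) ======
------ IMark(0x4004DC, 1) ------
PUT(168) = 0x4004DC:I64
t4 = GET:I64(40)
t5 = Sub64(GET:I64(32),0x8:I64)
PUT(32) = t5
STle(t5) = t4
"""

IMARK = re.compile(r"IMark\(0x([0-9A-Fa-f]+),\s*(\d+)\)")
ABIHINT = re.compile(r"AbiHint\(")


def find_discontinuities(dump):
    """Return a list of (expected_next, actual_next, saw_abihint) tuples,
    one per IMark whose address differs from prev_addr + prev_len.  Such a
    jump inside one superblock is a control transfer that the IR encoded
    without an Ist_Exit or a block-level Ijk_Call; an AbiHint just before
    it is the red-zone hint VEX emits at a call site on amd64."""
    results = []
    expected_next = None
    saw_hint = False
    for line in dump.splitlines():
        m = IMARK.search(line)
        if m:
            addr, length = int(m.group(1), 16), int(m.group(2))
            if expected_next is not None and addr != expected_next:
                results.append((expected_next, addr, saw_hint))
            expected_next = addr + length
            saw_hint = False
        elif ABIHINT.search(line):
            saw_hint = True
    return results


if __name__ == "__main__":
    for exp, act, hint in find_discontinuities(IR_DUMP):
        kind = "call (AbiHint seen)" if hint else "jump (no AbiHint)"
        print(f"fall-through 0x{exp:X} != next IMark 0x{act:X}: {kind}")
```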