From: Yan <ya...@ya...> - 2015-11-09 00:07:53
Hi William,

In every direct jump that I've seen, the target address ends up coming from an IRConst, usually being passed through a temp or two on the way. On top of this, the indirect jump is always the default exit of a basic block (the conditional Exit IRStmt only supports an IRConst destination).

The way that we deal with identifying indirect jumps in PyVEX is by iterating through the statements, from the end of the basic block, in reverse, looking for the WrTmp that had written the exit. If it's a direct jump, the IRExpr that it writes should be a Const. If it's something else, from what we've seen empirically, the jump is indirect.

The relevant piece of PyVEX is https://github.com/angr/pyvex/blob/master/pyvex/__init__.py#L225, if you're interested. You'll have to translate that to C, of course :-)

- Yan

On Sun, Nov 8, 2015 at 9:49 AM, William Good <app...@li...> wrote:
> I would like to instrument on indirect function calls in my tool. I have
> obtained the VEX corresponding to the indirect function call:
>
> 0x400B87: call* %rax
>
> ------ IMark(0x400B87, 2, 0) ------
> t7 = 64to32(GET:I64(16))
> t8 = GET:I64(16)
> t9 = Sub64(GET:I64(48),0x8:I64)
> PUT(48) = t9
> STle(t9) = 0x400B89:I64
> ====== AbiHint(Sub64(t9,0x80:I64), 128, t8) ======
> PUT(184) = t8
> PUT(184) = GET:I64(184); exit-Call
>
> In the original assembly, the address of the indirect function is in %rax
> (which is offset 16 in libvex_guest_amd64.h). Is there a pattern/strategy
> for detecting indirect function calls?
>
> _______________________________________________
> Valgrind-developers mailing list
> Val...@li...
> https://lists.sourceforge.net/lists/listinfo/valgrind-developers
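A worked illustration of the reverse walk Yan describes, added here as an example and not code from PyVEX, Valgrind or either poster: it reads the textual VEX dump format quoted above, takes the expression on the block's `exit-` line as the default-exit target, and follows temporaries backwards through the WrTmp statements that defined them until it reaches an IRConst (direct) or anything else such as a GET (indirect). The `call *%rax` block is the one from the thread; the second block and its addresses are constructed.

```python
import re
# Constructed sample: the call *%rax block quoted in the thread, verbatim.
CALL_RAX = """
------ IMark(0x400B87, 2, 0) ------
t7 = 64to32(GET:I64(16))
t8 = GET:I64(16)
t9 = Sub64(GET:I64(48),0x8:I64)
PUT(48) = t9
STle(t9) = 0x400B89:I64
====== AbiHint(Sub64(t9,0x80:I64), 128, t8) ======
PUT(184) = t8
PUT(184) = GET:I64(184); exit-Call
"""
# Constructed direct call: a made-up constant target reaching the exit via t1 -> t2.
DIRECT_CALL = """
------ IMark(0x400B90, 5, 0) ------
t1 = 0x401000:I64
t2 = t1
PUT(184) = t2; exit-Call
"""

WRTMP = re.compile(r"^(t\d+) = (.+)$")                 # WrTmp: tN = <IRExpr>
EXIT = re.compile(r"^PUT\(\d+\) = (.+); exit-(\w+)$")  # default exit and jumpkind
CONST = re.compile(r"^0x[0-9A-Fa-f]+:I\d+$")           # IRConst, e.g. 0x400B89:I64
TMP = re.compile(r"^t\d+$")                            # RdTmp

def parse_block(text):
    """Split a dump into (statement lines, exit target expression, jumpkind)."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    m = EXIT.match(lines[-1])  # the last line must be "PUT(...) = <target>; exit-<kind>"
    return lines[:-1], m.group(1), m.group(2)

def classify_exit(text):
    """'direct' if the exit target resolves to an IRConst, otherwise 'indirect'."""
    stmts, expr, _kind = parse_block(text)
    while not CONST.match(expr):
        if not TMP.match(expr):
            return "indirect"  # GET, load, arithmetic: target computed at run time
        for i in range(len(stmts) - 1, -1, -1):  # scan statements from the end
            m = WRTMP.match(stmts[i])
            if m and m.group(1) == expr:  # found the WrTmp that wrote this temp
                expr, stmts = m.group(2), stmts[:i]  # keep chasing, earlier stmts only
                break
        else:
            return "indirect"  # temp not defined in this block
    return "direct"

def is_indirect_call(text):
    """True for an indirect call (jumpkind Call), the case asked about in the thread."""
    return parse_block(text)[2] == "Call" and classify_exit(text) == "indirect"
```

In the quoted block the exit expression is `GET:I64(184)`, so the walk stops immediately and reports an indirect call; in the constructed block it chases `t2` to `t1` to the constant and reports a direct one.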