DynamoRIO / dynamorio

Dynamic Instrumentation Tool Platform

Hi there is one ring3 program that dr cannot run #1859

Open jiqizaisikao opened 8 years ago

jiqizaisikao commented 8 years ago

I cannot find any reason; this is the first time that I have found a ring3 program that cannot run under dr. Hi, thanks very much for your help. I have uploaded the program on the web: http://pan.baidu.com/s/1c0XLk2W You can download it from the QQ folder.

derekbruening commented 8 years ago

Without details on the failure and how to reproduce, there is nothing actionable here.

jiqizaisikao commented 8 years ago

Hi, thanks very much for your help. I have uploaded the program on the web: http://pan.baidu.com/s/1c0XLk2W I have found that the program uses int 2E for system calls itself; after that instruction, the program runs into an error and unloads the dll. I have read some related source code; is that because DR does not support multiple syscall methods? There are some Assert()s, but it seems that they will not be satisfied.

jiqizaisikao commented 8 years ago

Hi, dr is really good, and I have tried many DBIs and found that dr is the best. There was one program protected by SE that could not run under dr, and I found that it is because the program uses setthreadcontext abnormally, so I cut off the setthreadcontext pre_system_call in DR, and then it ran right.

jiqizaisikao commented 8 years ago

There is also one protected program that cannot run under dr fast; it really is very slow. Without dr it can run in 2 seconds, but under dr it takes 2 hours. Yes, it is 2 hours. I have found that the program runs dynamically and runs too much self-modified code. It seems that dr processes exceptions for it fast at the beginning, but after a few seconds dr processes exceptions really slowly, maybe 100-200 exceptions per second for SMC. Those are the two difficult problems I have encountered. But this time, the program that cannot run under dr seems too difficult for me to fix. If you can find the reason, please tell me; I really, really like DBI very much. I really like dr very much, and I have taken much time to read the source code, although there are so many things I cannot understand.

byron-hawkins commented 8 years ago

We have an optimization for dynamically generated code that avoids the page faults, but it's still under development. It reduces overhead to about 2x vs. native speed on the Octane javascript benchmarks. I'm hoping to have it committed to the repository within a few weeks, it's just taking me a while to debug some issues that only occur at the very end of a long run.

jiqizaisikao commented 8 years ago

It seems that there is no easy way to run the app without dr if it has already run under DR. There is one func dr_app_stop(), but there is nothing in it.

zhaoqin commented 8 years ago

dr_app_stop is actually a marker: if your program calls it, once DR sees it, DR will let the program run natively without DR.

On Sun, Jan 31, 2016 at 6:07 AM, jiqizaisikao notifications@github.com wrote:

It seems that there is no easy way to run the app without dr if it has already run under DR. There is one func dr_app_stop(), but there is nothing in it.


derekbruening commented 8 years ago

It seems that there is no easy way to run the app without dr if it has already run under DR. There is one func dr_app_stop(), but there is nothing in it.

It's not 100% clear what you mean, but if you're talking about a detach feature where an app running under DR is removed from DR's control mid-run and continues to run natively, that is a feature we have supported in the past on Windows but it is not officially supported today and has likely bitrotted. Xref #95.

derekbruening commented 8 years ago

Please provide basic information on the failure to run this application: what operating system version? What version of DR? What is the failure message under DR release build? What about DR debug build?

jiqizaisikao commented 8 years ago

Hi, for the program that cannot run under dr, the dr version is the latest release version on Win7 32-bit, and I have found out part of the reasons: it is because the app uses multiple methods of syscall. I hooked the syscall that uses int 2E and it ran right, but then another problem happened: the app creates threads endlessly. And the program is protected by the author using an unusual method, as I said above. I want to use dr_app_stop to detach the app from dr at some points to find the problem. Thanks for your help.

How to use dr_app_stop from a client dll? I tried to redirect the app's jmp to my own code buffer, and in my code buffer I call dr_app_stop and jump to the app again, but it seems that it does not work well.

I tried it again today. I found that when the app executes natively, the app takes 3M of memory, but when I run it under dr (after I hook the int 2E syscall and redirect it), it takes 300M of memory or more; it seems the app detects something and creates lots of threads to do something that has not been done.
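The mixed-gateway situation described in this comment (an int 2E stub alongside the usual fast-path instruction) can be triaged before the binary is ever run under DR, so that you know which gateways the tool's syscall interception must cover. The scanner below is an added example written for this page, not DynamoRIO code and not code from the issue's author; it does a heuristic linear byte scan for the x86 gateway encodings (CD 2E = int 2Eh, 0F 34 = sysenter, 0F 05 = syscall) over a constructed byte buffer, and the function names, enum names and sample bytes are all my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Gateway encodings recognised by the scanner. */
typedef enum {
    GW_INT2E = 0,   /* CD 2E : int 2Eh, the legacy NT system-call gateway */
    GW_SYSENTER,    /* 0F 34 : sysenter, the 32-bit fast system-call path */
    GW_SYSCALL,     /* 0F 05 : syscall, the x86-64 gateway                */
    GW_KINDS
} gateway_kind;

typedef struct {
    size_t count[GW_KINDS];
} gateway_summary;

/* Linear byte scan over a code buffer. It does not decode instruction
 * boundaries, so a pattern inside an immediate or displacement also matches;
 * as a first pass for deciding which gateways a DBI tool must intercept that
 * is acceptable, but confirm hits with a real disassembler. */
gateway_summary scan_syscall_gateways(const uint8_t *buf, size_t len)
{
    gateway_summary s;
    memset(&s, 0, sizeof(s));
    for (size_t i = 0; i + 1 < len; i++) {
        if (buf[i] == 0xCD && buf[i + 1] == 0x2E)
            s.count[GW_INT2E]++;
        else if (buf[i] == 0x0F && buf[i + 1] == 0x34)
            s.count[GW_SYSENTER]++;
        else if (buf[i] == 0x0F && buf[i + 1] == 0x05)
            s.count[GW_SYSCALL]++;
    }
    return s;
}

/* Number of distinct gateway kinds seen; more than one means the code mixes
 * system-call methods, which is the case described in the thread. */
int distinct_gateway_kinds(const gateway_summary *s)
{
    int n = 0;
    for (int k = 0; k < GW_KINDS; k++)
        if (s->count[k] > 0)
            n++;
    return n;
}

/* Constructed sample: two hand-written 32-bit syscall stubs, one using
 * int 2Eh and one using sysenter. These are not bytes from the program in
 * the issue; the service id 0x115 is an arbitrary placeholder. */
static const uint8_t sample_code[] = {
    0xB8, 0x15, 0x01, 0x00, 0x00,   /* mov eax, 0x115    */
    0x8D, 0x54, 0x24, 0x04,         /* lea edx, [esp+4]  */
    0xCD, 0x2E,                     /* int 2Eh           */
    0xC3,                           /* ret               */
    0xB8, 0x15, 0x01, 0x00, 0x00,   /* mov eax, 0x115    */
    0x8B, 0xD4,                     /* mov edx, esp      */
    0x0F, 0x34,                     /* sysenter          */
    0xC3                            /* ret               */
};

/* Scans the constructed sample; kept as a function so it can be checked. */
gateway_summary scan_sample(void)
{
    return scan_syscall_gateways(sample_code, sizeof(sample_code));
}

int main(void)
{
    static const char *names[GW_KINDS] = { "int 2Eh", "sysenter", "syscall" };
    gateway_summary s = scan_sample();
    for (int k = 0; k < GW_KINDS; k++)
        printf("%-9s %zu\n", names[k], s.count[k]);
    printf("distinct gateway kinds: %d\n", distinct_gateway_kinds(&s));
    return 0;
}
```

On the constructed sample the scan reports one int 2Eh and one sysenter stub, i.e. two distinct gateway kinds. In practice you would point `scan_syscall_gateways` at the executable sections of the module in question and, for any binary that reports more than one kind, expect the interception path for each of them to be exercised.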

derekbruening commented 8 years ago

It sounds like you've analyzed and understand at least part of the problem running this app. We would welcome a contribution of a fix.

derekbruening commented 8 years ago

On Sat, Jan 30, 2016 at 10:53 PM, jiqizaisikao notifications@github.com wrote:

And I have written a Windows GUI debug program in C# to communicate with dr using process shared memory. It can exchange data with dr using a client dll, so I can see threads loaded and unloaded in real time and modules loaded and unloaded in real time. And also it can send data to dr in real time.

Note that we already have the "drstats" GUI that displays statistics exported by DR while the app runs and displays custom stats stored by clients in shared memory: run the bin32/DRstats.exe GUI and run an app under the samples/bin32/stats.dll client. Xref https://github.com/DynamoRIO/dynamorio/blob/master/api/samples/stats.c.

I really want to write one program with dr to work like the OD debugger; it can run like a debugger but much more transparent and more powerful!

We agree. Xref https://github.com/DynamoRIO/drmemory/wiki/Projects#advanced-debugging-tools

jiqizaisikao commented 8 years ago

It seems too difficult to be transparent when using DBI, especially for special programs; in fact there is no way to run them under DR. Is it more efficient to work like the open source tool VBox? So the next thing for me to do is monitor the app from a lower level. I hope to have less influence on running, touching the code as little as possible; I want to be a perfect watcher of the program running, not a participant, even if this will lose some efficiency and control over the app, and also I want to combine the advantage of dr that has powerful control over the instrs of the app and does not lose too much efficiency. So, tools like VBox or VMware, if they had the functions of DR, would they be perfect for binary program analysis?