DynamoRIO / dynamorio

Dynamic Instrumentation Tool Platform

How to disable DR’s randomization policy for the code cache? #2786

Open penhoi opened 6 years ago

penhoi commented 6 years ago

My PC is Intel x86-64, running Ubuntu 16.04. My project needs to instrument all system calls issued by the target application. Therefore, I need to modify the source code of DynamoRIO to put an extra hook before each syscall instruction. I intend to find that piece of source code with debugging tricks. In detail, I will first determine who puts the syscall instruction into the code cache by setting watchpoints, and then trace backwards.

However, I found that the address space of the code cache is randomized, even when system-wide ASLR is disabled and GDB's disable-randomize is off. For example, in the first run, the "uname" system call is invoked at address 0x0000000052505016, and it is at 0x00000000474b5016 in the second run. This makes me fail to set watchpoints. So my question is: how can I disable DR’s randomization policy for the code cache? Is there an option?

derekbruening commented 6 years ago

On Sat, Dec 23, 2017 at 2:40 AM, penhoi notifications@github.com wrote:

My PC is Intel x86-64, running Ubuntu 16.04. My project needs to instrument all system calls issued by the target application. Therefore, I need to modify the source code of DynamoRIO to put an extra hook before each syscall instruction.

DynamoRIO provides a system call event that already gives you a control point for every system call. There is no need to modify the source code.

I intend to find that piece of source code with debugging tricks. In detail, I will first determine who puts the syscall instruction into the code cache by setting watchpoints, and then trace backwards.

However, I found that the address space of the code cache is randomized, even when system-wide ASLR is disabled and GDB's disable-randomize is off. For example, in the first run, the "uname" system call is invoked at address 0x0000000052505016, and it is at 0x00000000474b5016 in the second run. This makes me fail to set watchpoints. So my question is: how can I disable DR’s randomization policy for the code cache? Is there an option?


penhoi commented 6 years ago

Thank you @derekbruening. I will find and analyze that piece of code according to your answer.

I think I failed to describe my goal correctly. My project must strictly ensure that all system calls are issued (i.e. the syscall instruction is executed) at hardcoded code points. Here, the system calls referred to are all those issued on behalf of DynamoRIO and the target application. There is no problem for DynamoRIO's own part. But, as described, there is a problem for the target app's part.

Currently, I am trying to get rid of all syscall instructions in the code cache, and at the same time direct the control flow to DynamoRIO's "syscall-ready routine". I do not know whether or not this is a good solution, so I am asking you DynamoRIO developers for help. Could you give me some suggestions? Thanks.

derekbruening commented 6 years ago

It is not clear what you are trying to do: add a monitoring layer that watches DynamoRIO itself? Normally you'd monitor just the app, and DR is already capable of routing all of the app's system calls through a single point (rather, one point per type of gateway): just disable syscall inlining in the code cache: -no_inline_ignored_syscalls, or have your client set the syscall filter for every syscall, which will accomplish the same thing.


penhoi commented 6 years ago

Thank you @derekbruening! My project must strictly prohibit syscall instructions from appearing and being executed within a code cache. It seems "-no_inline_ignored_syscalls" is what I need. Thank you.

penhoi commented 6 years ago

I found that this option is of no use to me. What I really need is to stop the ASLR enforced by DynamoRIO. Thanks.