#include "dr_api.h"
#include "cti.h"
#include "cfg_impl.h"
#include "app.h"
#include "droption.h"
#include <cstdint>
// Client option "-instrument_ret" (default: off).  When enabled, return
// instructions are also reported to at_cti(); see cti_event_app_instruction.
// The option text below is user-visible and is kept verbatim.
static droption_t<bool> instrument_ret(DROPTION_SCOPE_CLIENT, "instrument_ret", false,
                                       "Count return instructions as control flow instructions",
                                       "");
// Clean-call target executed immediately before an instrumented control-transfer
// instruction.  `from_pc` is the application pc of the CTI and `to_pc` the target
// it is about to transfer to, as read from application state (a register, a memory
// operand, or the top of the stack for returns).  Both values originate from the
// instrumented program, so whatever safe_insert() does with `to_pc` must treat it
// as untrusted data (not assume it is canonical, mapped, or in any known module).
static void
at_cti(uintptr_t from_pc, uintptr_t to_pc)
{
    // Record the edge from_pc -> to_pc in the CFG (cfg_impl.h).
    safe_insert(from_pc, to_pc);
}
// Per-instruction instrumentation event for control-transfer instructions.
//
// Inserts a clean call to at_cti(src, target) before every CTI whose target can
// only be known at run time:
//   - indirect jumps/calls whose target operand is a register or memory reference;
//   - returns, but only when -instrument_ret is set (the target is read from the
//     top of the application stack).
// Conditional branches are skipped here because they are handled by a cheaper
// mechanism elsewhere, and direct branches (pc operand) are not instrumented by
// this function.  Basic blocks for which app_should_ignore_tag(tag) is true are
// left untouched.  Always returns DR_EMIT_DEFAULT.
//
// `for_trace`, `translating` and `user_data` are part of the DynamoRIO event
// signature and are not consulted here.
dr_emit_flags_t
cti_event_app_instruction(void *drcontext, void *tag, instrlist_t *bb, instr_t *instr,
                          bool for_trace, bool translating, void *user_data)
{
    // Short-circuit order matters: app_should_ignore_tag() is only consulted for
    // non-cbr CTIs, exactly as before.
    if (!instr_is_cti(instr) || instr_is_cbr(instr) || app_should_ignore_tag(tag))
        return DR_EMIT_DEFAULT;

    const app_pc cti_pc = instr_get_app_pc(instr);

    opnd_t target_arg;
    bool want_call;
    if (instr_is_return(instr)) {
        // The clean call is inserted before the ret executes, so [XSP] still holds
        // the address the ret will actually pop and jump to.  Recording that
        // (rather than the static caller) is what lets the CFG reflect obfuscated
        // or tampered control flow where a return does not go back to its caller.
        // NOTE(review): DynamoRIO evaluates XSP-relative clean-call arguments against
        // the application stack pointer — presumably why this works after the
        // dstack switch; verify against the dr_insert_clean_call docs if changed.
        want_call = instrument_ret.get_value();
        target_arg = OPND_CREATE_MEMPTR(DR_REG_XSP, 0);
    } else {
        // Only register- and memory-based (indirect) targets need run-time
        // resolution; a pc operand (direct jmp/call) is skipped.
        target_arg = instr_get_target(instr);
        want_call = opnd_is_reg(target_arg) || opnd_is_memory_reference(target_arg);
    }

    if (want_call) {
        dr_insert_clean_call(drcontext, bb, instr, (void *)at_cti, false, 2,
                             OPND_CREATE_INTPTR(cti_pc), target_arg);
    }
    return DR_EMIT_DEFAULT;
}