Building a Control-flow Graph using results from Objdump

Question

I'm attempting to build a control-flow graph of the assembly results that are returned via a call to objdump -d. Currently the best method I've come up with is to put each line of the result into a linked list, and separate out the memory address, opcode, and operands for each line. I'm separating them out by relying on the regular nature of objdump results (the memory address is from character 2 to character 7 in the string that represents each line).

Once this is done I start the actual CFG instruction. Each node in the CFG holds a starting and ending memory address, a pointer to the previous basic block, and pointers to any child basic blocks. I'm then going through the objdump results and comparing the opcode against an array of all control-flow opcodes in x86_64. If the opcode is a control-flow one, I record the address as the end of the basic block, and depending on the opcode either add two child pointers (conditional opcode) or one (call or return).

I'm in the process of implementing this in C, and it seems like it will work but feels very tenuous. Does anyone have any suggestions, or anything that I'm not taking into account?

Thanks for taking the time to read this!

Edit:

The idea is to use it to compare stack traces of system calls generated by DynamoRIO against the expected CFG for a target binary, I'm hoping that building it like this will facilitate that. I haven't re-used what's available because A) I hadn't really thought about it and B) I need to get the graph into a usable data structure so I can do path comparisons. I'm going to take a look at some of the utilities on the page you linked to, thanks for pointing me in the right direction. Thanks for your comments, I really appreciate it!

Recommended answer

You should use an IL that was designed for program analysis. There are a few.

The DynInst project (dyninst.org) has a lifter that can translate from ELF binaries into CFGs for functions/programs (or it did the last time I looked). DynInst is written in C++.

BinNavi uses the output from IDA (the Interactive Disassembler) to build an IL out of control flow graphs that IDA identifies. I would also recommend a copy of IDA, it will let you spot check CFGs visually. Once you have a program in BinNavi you can get its IL representation of a function/CFG.

Function pointers are just the start of your troubles for statically identifying the control flow graph. Jump tables (the kinds generated for switch case statements in certain cases, by hand in others) throw a wrench in as well. Every code analysis framework I know of deals with those in a very heuristics-heavy approach. Then you have exceptions and exception handling, and also self-modifying code.

Good luck! You're getting a lot of information out of the DynamoRIO trace already, I suggest you utilize as much information as you can from that trace...
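The two points the thread turns on, the question's address/opcode/operand split followed by cutting blocks at control-flow opcodes, and the answer's warning that indirect jumps (jump tables, function pointers) cannot be resolved statically, fit into one small worked example. The code below is added here and is neither the asker's C implementation nor any of the tools the answer names; it is written in Python rather than C for brevity. It assumes GNU objdump's default AT&T-syntax layout (address, tab, hex bytes, tab, mnemonic, operands) and parses it with a regular expression instead of fixed character positions, so column widths do not matter; the `SAMPLE` listing is constructed by hand for the demo and is not from a real binary, and the names `parse_objdump`, `build_cfg`, `Block` and the `unresolved` flag are this example's own. Blocks are cut at function entries, at direct jump targets and after every control-flow instruction; a block that ends in `jmp *%rax` or an indirect call gets no static successor and is flagged `unresolved`, which is exactly where trace data such as DynamoRIO's has to fill the gap.

```python
# Added example (not from the thread): basic-block CFG from `objdump -d` text. SAMPLE is a constructed listing.
import re
from collections import namedtuple
from dataclasses import dataclass, field

SAMPLE = """\
0000000000401000 <main>:
  401000:\t55                   \tpush   %rbp
  401001:\t48 89 e5             \tmov    %rsp,%rbp
  401004:\t83 ff 02             \tcmp    $0x2,%edi
  401007:\t7e 07                \tjle    401010 <main+0x10>
  401009:\te8 12 00 00 00       \tcall   401020 <helper>
  40100e:\teb 05                \tjmp    401015 <main+0x15>
  401010:\t31 c0                \txor    %eax,%eax
  401012:\tff e0                \tjmp    *%rax
  401014:\t90                   \tnop
  401015:\t5d                   \tpop    %rbp
  401016:\tc3                   \tret

0000000000401020 <helper>:
  401020:\t31 c0                \txor    %eax,%eax
  401022:\tc3                   \tret
"""

FUNC_RE = re.compile(r"^([0-9a-f]+) <([^>]+)>:$")
# addr ':' TAB bytes [spaces] TAB mnemonic operands -- no fixed column widths assumed
INSN_RE = re.compile(r"^\s*([0-9a-f]+):\t((?:[0-9a-f]{2} ?)+) *(?:\t(\S+)\s*(.*))?$")
SUFFIXED = {"jmpq": "jmp", "callq": "call", "retq": "ret"}  # older objdump spelling
Insn = namedtuple("Insn", "addr mnemonic operands func")

@dataclass
class Block:
    start: int
    end: int                                   # address of the block's last instruction
    func: str
    succs: list = field(default_factory=list)  # intra-procedural successor block starts
    calls: list = field(default_factory=list)  # direct callees of a call-terminated block
    unresolved: bool = False                   # indirect jmp/call: target unknown statically

def parse_objdump(text):  # split each listing line into address, mnemonic, operands
    insns, func = [], None
    for line in text.splitlines():
        m = FUNC_RE.match(line)
        if m:
            func = m.group(2)
            continue
        m = INSN_RE.match(line)
        if not m or m.group(3) is None:
            continue  # blank/section line, or bytes-only continuation of a long insn
        insns.append(Insn(int(m.group(1), 16), m.group(3), m.group(4).strip(), func))
    return insns

def kind(insn):
    m = SUFFIXED.get(insn.mnemonic, insn.mnemonic)
    if m in ("jmp", "call"):
        return m
    if m.startswith("j") or m.startswith("loop"):
        return "cond"
    return "stop" if m in ("ret", "hlt", "ud2") else "normal"

def direct_target(insn):  # None for `jmp *%rax`, `call *0x10(%rip)` and the like
    if insn.operands.startswith("*"):
        return None
    m = re.match(r"[0-9a-f]+", insn.operands)
    return int(m.group(0), 16) if m else None

def build_cfg(insns):  # pass 1 collects block leaders, pass 2 cuts blocks and wires edges
    leaders = set()
    for n, insn in enumerate(insns):
        if n == 0 or insns[n - 1].func != insn.func:
            leaders.add(insn.addr)               # function entry
        k, tgt = kind(insn), direct_target(insn)
        if k in ("jmp", "cond") and tgt is not None:
            leaders.add(tgt)                     # a direct jump target starts a block
        if k != "normal" and n + 1 < len(insns):
            leaders.add(insns[n + 1].addr)       # so does the insn after control flow
    blocks, cur = {}, None
    for n, insn in enumerate(insns):
        if insn.addr in leaders:
            cur = Block(insn.addr, insn.addr, insn.func)
            blocks[cur.start] = cur
        cur.end = insn.addr
        nxt = insns[n + 1].addr if n + 1 < len(insns) and insns[n + 1].func == insn.func else None
        if nxt is not None and nxt not in leaders:
            continue                             # block continues with the next insn
        k, tgt = kind(insn), direct_target(insn)
        if k in ("jmp", "cond", "call") and tgt is None:
            cur.unresolved = True                # jump table / function pointer: needs a trace
        elif k in ("jmp", "cond"):
            cur.succs.append(tgt)
        elif k == "call":
            cur.calls.append(tgt)
        if k in ("cond", "call", "normal") and nxt is not None:
            cur.succs.append(nxt)                # fall-through edge ("stop" insns add none)
    return blocks
```

Run on `SAMPLE` it yields seven blocks: the `jle` block has two successors (taken target and fall-through), the `call` block records `helper` as a callee and falls through to the next block, and the block ending in `jmp *%rax` has none and is marked unresolved. Because fall-through addresses come from the next listed instruction rather than from counting bytes, objdump's continuation lines for long instructions (address and bytes with no mnemonic) are simply skipped; `ret` ends a block with no intra-procedural edge, so a function's last block never flows into the next function in the listing.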
