Re: [DynInst_API:] Reg. Dyninst Usage


Date: Mon, 07 Oct 2019 20:29:06 -0500
From: Xiaozhu Meng <mxz297@xxxxxxxxx>
Subject: Re: [DynInst_API:] Reg. Dyninst Usage
Hi,

Thanks for your interest in Dyninst.

On Sep 24, 2019, at 8:04 AM, Deeban Babu <dbin25@xxxxxxxxx> wrote:

Dear All,

I am Deeban, a grad student from Germany. I am interested in learning about disassembling binaries and learning more about binary analysis. I am currently trying to see how Dyninst identifies and lists jump tables in a particular binary. I had earlier done it with angr. In that, we initially need to build the CFG, and the cfg.jumptables() command gives a dict indexed by the first basic block address of the jump table (where the indirect jump is). Is there a similar way to do this in Dyninst? I have a few related queries:

Jumptable analysis:

1. From your GitHub docs I understand we must use PatchAPI for this case (static instrumentation). I have installed Dyninst using Spack, and then I am trying to run the examples in the PatchAPI src, but I am not sure how to compile and run them. Is there any basic tutorial link/issue on how to run the examples in the different APIs after installing Dyninst using Spack?


The ParseAPI of Dyninst implements a static analysis to resolve jump table targets, which works well on x86, Power and ARM. ParseAPI does not specifically provide an API for querying jump tables. However, you can iterate over every function and every basic block to find whether a basic block ends with a jump table.

By design, Dyninst does not need any instrumentation for resolving jump tables. If you find jump tables that are not properly resolved, you can file a bug report on the Dyninst GitHub webpage as an issue (https://github.com/dyninst/dyninst).

If you are interested in using instrumentation (regardless of whether it is static instrumentation or dynamic instrumentation) for resolving indirect calls or indirect tail calls, you can use BPatch_dynamicTargetExpr() provided in the BPatch level interface. I don't think you need to use PatchAPI for control flow related instrumentation.

2. It would be great to know if there is a built-in command for building the CFG and getting the jump tables for a particular binary.



The ParseAPI example contains the code needed to construct the CFG and iterate functions and basic blocks. 

Noreturn analysis:

I am also interested in identifying no-return functions using Dyninst (i.e., (1) does not have a return (instruction) AND (2) does not tail-call into a returning function). From this issue I assume that we need to use ParseAPI in order to instrument a program to identify no-return functions. If there is a built-in command for this also, please do let me know. Otherwise I will write some code for this.


The following interface returns whether it is a non-returning function.


I am not sure whether it is correct to ask this here or to ask on Git platforms. Being an amateur in this field, I would highly appreciate any kind of input you guys could provide on the usage of Dyninst. Apologies if my questions are very naive. Getting started is the key, and your reply will be really helpful for me to move forward and contribute.

There is some ParseAPI example code here:



Thank you very much for taking your time to read my mail. Feel free to share any comments you would like to provide on this.

Have a great day!

Thanks and Regards,
Deeban Babu
_______________________________________________
Dyninst-api mailing list
Dyninst-api@xxxxxxxxxxx
https://lists.cs.wisc.edu/mailman/listinfo/dyninst-api
