Project author: toshipiazza

Project description:
Dynamic Control Flow Recovery
Language: C++
Repository: git://github.com/toshipiazza/drcfg.git
Created: 2017-06-14T01:31:58Z
Project home: https://github.com/toshipiazza/drcfg

License: MIT License

drcfg

Constructs a CFG of the target program, without source. For motivation, see this blog post. This plugin implements the following:

  • intercepts conditional branch instructions (cbr's)
  • intercepts control transfer instructions (cti's)
  • dumps output in json format

Usage

  $ drrun -c ./libcfg.so -- ../test/call.out
  {
    "branches": [
      <snip>
      {
        "address": 4194497,
        "targets": [
          4194500
        ]
      },
      <snip>
    ]
  }
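A small consumer for the output shape shown above, added here as an illustration (it is not part of drcfg and uses a constructed sample rather than a real run). It parses the "branches" list into an edge list, emits a Graphviz DOT graph with hex addresses, restricts edges to an address range (a post-processing stand-in for -only_from_app), and lists branch sites that were seen with only one target. That last point is the caveat a dynamic CFG carries: for records produced by conditional branches, a single observed target means the other arm was never executed in this run, so the recovered graph is a lower bound on the real one. The address range in the usage call is a constructed value, not one from the page.

```python
import json
from collections import defaultdict

# Constructed sample in the same shape as drcfg's JSON output:
# a "branches" list of {"address": int, "targets": [int, ...]} records.
SAMPLE_OUTPUT = json.dumps({
    "branches": [
        {"address": 4194497, "targets": [4194500]},
        {"address": 4194520, "targets": [4194530, 4194560]},
        {"address": 4194560, "targets": [4194497]},
    ]
})


def load_edges(text):
    """Parse drcfg JSON and return a sorted, de-duplicated list of (source, target) edges."""
    data = json.loads(text)
    edges = set()
    for rec in data["branches"]:
        src = int(rec["address"])
        for dst in rec["targets"]:
            edges.add((src, int(dst)))
    return sorted(edges)


def adjacency(edges):
    """Successor map: branch address -> sorted list of observed targets."""
    adj = defaultdict(set)
    for src, dst in edges:
        adj[src].add(dst)
    return {src: sorted(dsts) for src, dsts in adj.items()}


def single_target_branches(text):
    """Branch sites recorded with exactly one distinct target.

    Unconditional cti's always look like this; for a conditional branch it
    means only one arm was exercised, i.e. the CFG is incomplete there.
    """
    data = json.loads(text)
    return sorted(int(r["address"]) for r in data["branches"]
                  if len(set(r["targets"])) == 1)


def filter_module(edges, lo, hi):
    """Keep edges whose source lies in [lo, hi), e.g. the main module's text range."""
    return [(src, dst) for src, dst in edges if lo <= src < hi]


def to_dot(edges):
    """Render the edge list as a Graphviz digraph with hex-formatted node names."""
    lines = ["digraph cfg {"]
    for src, dst in edges:
        lines.append(f'  "{src:#x}" -> "{dst:#x}";')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    edges = load_edges(SAMPLE_OUTPUT)
    print(to_dot(edges))
    # Constructed range: pretend the main module's text spans these addresses.
    print("main-module edges:", filter_module(edges, 0x400000, 0x401000))
    print("single-target branches:",
          [f"{a:#x}" for a in single_target_branches(SAMPLE_OUTPUT)])
```

Pipe the DOT text into `dot -Tsvg` to view the recovered graph; pair the single-target list with a second run on different input to see which branch arms the first run left unexplored.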

Options for drcfg are shown below:

  -only_from_app   [ false] Only count app, not lib, instructions
  -instrument_ret  [ false] Count return instructions as control flow instructions
  -racy            [ false] Perform racy hashtable insertion
  -no_cbr          [ false] Don't count conditional branch instructions
  -no_cti          [ false] Don't count control transfer instructions
  -output          [ ""]    Output results to file

How to Build

  $ mkdir -p build && cd build
  $ cmake .. -DDynamoRIO_DIR=<path/to/dr/cmake>
  $ make -j4

TODO

Listed in relative order of importance

  • Implement cache flushing as per cbr.c, to remove instrumentation once a branch has
    or has not been taken. This will hopefully speed up applications considerably.
  • Optionally intercept only branches in main module (i.e. -only_from_app)
  • Dump json to a file
  • Optionally dump YAML
  • Optionally instrument return cti’s