joaquimandrade
Veteran Member
Join Date: Dec 2008
Location: Portugal
Old 03-04-2010 , 19:19   Re: Idea to find functions in memory
#6

Quote:
Originally Posted by pRED* View Post
I quite like this idea.

If you wanted to go down the route of building the call graph for the entire binary (as the others have assumed), then you'd want to make sure you cache the result and only rebuild it if the binary has changed.

You could probably write an extension for IDA to build this cache instead of writing your own code for it.

Alternatively you could just write a thin function that takes a function pointer and returns a list of [non-virtual] functions called by it. Then you can use this in situations where you know the result will be meaningful.

I've written a basic CFG parser which can be used to find the end of the function and could output all calls with only a tiny change. It embeds libdisasm which appears to be reasonably lightweight.

Let me know if you want me to dig it out. If the disasm lib turns out to be a bottleneck (unlikely) it wouldn't be hard to write a custom version for your needs.

Something to be aware of is the massive possible difference between the linux and windows binaries. Calls which appear once in the original code could appear multiple times in the assembly or not at all, and this would be entirely compiler specific.

tl;dr
The number of calls shouldn't be considered, just if it calls or not. When writing the relations, restraints should be applied like:

PHP Code:
{
    calls
    {
        (windows mod a,blinux mod b
        Z
    }
}

Also, and that would need "building the call graph for the entire binary", it should be possible to express the relation "function refers string".

Basically, this idea is turning into a programmatic way what one normally does manually to find functions.

About implementing it, I think it would be nice for sourcemod to have it but I'm not into it (still in amxmodx). If someone makes it I would gladly try to use it in amxmodx.

About the parser you built: if you make it public I would like to see it, but more for learning (and maybe use later), since I'm not planning on making this (I was more sharing the idea and hoping that someone with the knowledge would do it for sourcemod).

I think that if the idea gets implemented it will be useful. Signature scanning is messy, and using it cross-mod or cross-compiler is a pain.

Quote:
then you'd want to make sure you cache the result and only rebuild it if the binary has changed
Yes, that would make it OK even if the process took some time to finish.

Last edited by joaquimandrade; 03-04-2010 at 19:21.
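As an added example (not code from this thread, and not pRED*'s CFG parser or libdisasm), here is a toy version of the approach the two posts describe: a "thin function" that takes a function address and returns the set of non-virtual functions it calls, plus the strings it refers to, and a resolver that identifies functions from those relations instead of from byte signatures. It assumes a flat 32-bit x86 image at a fixed base, functions that end at their first `ret`, and only the handful of opcodes the constructed test image uses; a real implementation needs a full decoder and a jump-aware CFG. The two "binaries" below (a "windows" layout where `main` calls `log` once and a "linux" layout where it calls `log` twice, at different offsets) are constructed for the demo, and all names (`resolve`, `SPECS`, `make_image`, `callees`) are hypothetical.

```python
"""Toy call-graph based function finder (added example; assumptions noted inline)."""
import struct

IMAGE_BASE = 0x10000000
CODE_SIZE = 0x100                      # assumed: code in [IMAGE_BASE, IMAGE_BASE+0x100)
DATA_BASE = IMAGE_BASE + CODE_SIZE     # assumed: C strings live right after the code

# Opcode -> bytes following the opcode byte. Only what the constructed image uses.
FIXED_LEN = {0x55: 0, 0x5D: 0, 0x90: 0, 0xC3: 0, 0x89: 1, 0x83: 2}


def asm(insns, base):
    """Assemble a tiny instruction list at `base`, resolving call targets to rel32."""
    out = bytearray()
    for op, arg in insns:
        here = base + len(out)
        if op == "push_ebp":      out += b"\x55"
        elif op == "mov_ebp_esp": out += b"\x89\xE5"
        elif op == "pop_ebp":     out += b"\x5D"
        elif op == "ret":         out += b"\xC3"
        elif op == "add_esp":     out += b"\x83\xC4" + bytes([arg])
        elif op == "push_imm":    out += b"\x68" + struct.pack("<I", arg)
        elif op == "call":        out += b"\xE8" + struct.pack("<i", arg - (here + 5))
        else: raise ValueError(op)
    return bytes(out)


def make_image(order, log_calls_in_main):
    """Constructed test binary: three functions laid out 0x40 bytes apart in `order`,
    NOP padding between them, and two C strings in the data region."""
    addr = {name: IMAGE_BASE + 0x40 * i for i, name in enumerate(order)}
    strs = {"hello": DATA_BASE, "init": DATA_BASE + 8}
    prologue, epilogue = [("push_ebp", None), ("mov_ebp_esp", None)], [("pop_ebp", None), ("ret", None)]
    bodies = {
        "log":  prologue + epilogue,
        "init": prologue + [("push_imm", strs["init"]), ("call", addr["log"]), ("add_esp", 4)] + epilogue,
        # Same source-level call to log, emitted a compiler-specific number of times.
        "main": prologue
                + [("push_imm", strs["hello"]), ("call", addr["log"]), ("add_esp", 4)] * log_calls_in_main
                + [("call", addr["init"])] + epilogue,
    }
    img = bytearray(b"\x90" * CODE_SIZE) + bytearray(0x20)
    for name, a in addr.items():
        code = asm(bodies[name], a)
        img[a - IMAGE_BASE:a - IMAGE_BASE + len(code)] = code
    img[CODE_SIZE:CODE_SIZE + 6] = b"hello\0"
    img[CODE_SIZE + 8:CODE_SIZE + 13] = b"init\0"
    return bytes(img), addr


def decode(image, addr):
    """Linear sweep from `addr` to its first `ret`, yielding (addr, mnemonic, operand).
    Assumption: no jumps past the ret; a real tool walks the CFG instead."""
    off = addr - IMAGE_BASE
    while True:
        op, here = image[off], IMAGE_BASE + off
        if op == 0xE8:                                   # call rel32 (direct, non-virtual)
            rel = struct.unpack_from("<i", image, off + 1)[0]
            yield here, "call", here + 5 + rel
            off += 5
        elif op == 0x68:                                 # push imm32 (string reference)
            yield here, "push_imm", struct.unpack_from("<I", image, off + 1)[0]
            off += 5
        elif op in FIXED_LEN:
            yield here, "other", None
            off += 1 + FIXED_LEN[op]
            if op == 0xC3:
                return
        else:
            raise ValueError(f"unsupported opcode {op:#04x} at {here:#x}")


def find_functions(image):
    """Candidate function starts: every `push ebp; mov ebp, esp` prologue in the code region."""
    return [IMAGE_BASE + i for i in range(CODE_SIZE - 2) if image[i:i + 3] == b"\x55\x89\xE5"]


def callees(image, addr):
    """Set, not multiset, of direct call targets: 'calls or not', never how many times."""
    return frozenset(arg for _, m, arg in decode(image, addr) if m == "call")


def referenced_strings(image, addr):
    """Strings the function refers to via push imm32 of a data-region address."""
    out = set()
    for _, m, arg in decode(image, addr):
        if m == "push_imm" and DATA_BASE <= arg < IMAGE_BASE + len(image):
            off = arg - IMAGE_BASE
            out.add(image[off:image.index(b"\0", off)].decode())
    return frozenset(out)


def resolve(image, specs):
    """Resolve named functions from relations, in order. Each spec is
    (name, strings it must refer to, names it must call, names that must call it)."""
    funcs, resolved = find_functions(image), {}
    for name, refers, calls, called_by in specs:
        need = {resolved[n] for n in calls}
        callers = [resolved[n] for n in called_by]
        hits = [a for a in funcs
                if refers <= referenced_strings(image, a)
                and need <= callees(image, a)
                and all(a in callees(image, c) for c in callers)]
        if len(hits) != 1:
            raise LookupError(f"{name}: {len(hits)} candidates, relation is not selective enough")
        resolved[name] = hits[0]
    return resolved


# Relations written the way one would do it by hand: anchor on a string, then walk calls.
SPECS = [
    ("init", {"init"}, set(), set()),
    ("main", {"hello"}, {"init"}, set()),
    ("log", set(), set(), {"main", "init"}),
]

if __name__ == "__main__":
    for label, order, n in (("windows", ["main", "log", "init"], 1), ("linux", ["log", "init", "main"], 2)):
        image, layout = make_image(order, n)
        found = resolve(image, SPECS)
        print(label, {k: hex(v) for k, v in found.items()}, "ok" if found == layout else "MISMATCH")
```

The point of the set in `callees` is the tl;dr above: the linux `main` contains two `call log` instructions and the windows one contains one, yet both resolve to the same relation `calls log, calls init`, so the same `SPECS` find all three functions in both layouts without any byte pattern. The `LookupError` is the check a practitioner wants: when a relation matches zero or several functions the tool should refuse rather than silently pick one.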