Idea to find functions in memory


pRED*
Join Date: Dec 2006
Old 03-04-2010 , 17:30   Re: Idea to find functions in memory
#1

I quite like this idea.

If you wanted to go down the route of building the call graph for the entire binary (as the others have assumed), then you'd want to make sure you cache the result and only rebuild it if the binary has changed.

You could probably write an extension for IDA to build this cache instead of writing your own code for it.

Alternatively you could just write a thin function that takes a function pointer and returns a list of [non-virtual] functions called by it. Then you can use this in situations where you know the result will be meaningful.

I've written a basic CFG parser which can be used to find the end of the function and could output all calls with only a tiny change. It embeds libdisasm which appears to be reasonably lightweight.

Let me know if you want me to dig it out. If the disasm lib turns out to be a bottleneck (unlikely) it wouldn't be hard to write a custom version for your needs.

Something to be aware of is the massive possible difference between the linux and windows binaries. Calls which appear once in the original code could appear multiple times in the assembly or not at all, and this would be entirely compiler specific.

tl;dr
joaquimandrade
Veteran Member
Join Date: Dec 2008
Location: Portugal
Old 03-04-2010 , 19:19   Re: Idea to find functions in memory
#2

Quote:
Originally Posted by pRED*
I quite like this idea.

If you wanted to go down the route of building the call graph for the entire binary (as the others have assumed), then you'd want to make sure you cache the result and only rebuild it if the binary has changed.

You could probably write an extension for IDA to build this cache instead of writing your own code for it.

Alternatively you could just write a thin function that takes a function pointer and returns a list of [non-virtual] functions called by it. Then you can use this in situations where you know the result will be meaningful.

I've written a basic CFG parser which can be used to find the end of the function and could output all calls with only a tiny change. It embeds libdisasm which appears to be reasonably lightweight.

Let me know if you want me to dig it out. If the disasm lib turns out to be a bottleneck (unlikely) it wouldn't be hard to write a custom version for your needs.

Something to be aware of is the massive possible difference between the linux and windows binaries. Calls which appear once in the original code could appear multiple times in the assembly or not at all, and this would be entirely compiler specific.

tl;dr
The number of calls shouldn't be considered, just if it calls or not. When writing the relations, restraints should be applied like:

PHP Code:
{
    calls
    {
        (windows mod a, linux mod b)
        Z
    }
}

Also (and that would need "building the call graph for the entire binary"), it should be possible to express the relation "function refers to string".

Basically, this idea turns what one normally does manually to find functions into a programmatic way.

About implementing it, I think it would be nice for sourcemod to have it but I'm not into it (still in amxmodx). If someone makes it I would gladly try to use it in amxmodx.

About the parser you built: if you make it public I would like to see it, but more for learning (and maybe use later), since I'm not planning on making this (I was more sharing the idea and hoping that someone with the knowledge did it for sourcemod).

I think that if the idea gets implemented it will be useful. Signature scanning is messy and using it cross-mod or cross-compiler is a pain.

Quote:
then you'd want to make sure you cache the result and only rebuild it if the binary has changed
Yes that would make it ok even if the process took some time to finish.

Last edited by joaquimandrade; 03-04-2010 at 19:21.
devicenull
Veteran Member
Join Date: Mar 2004
Location: CT
Old 03-04-2010 , 22:38   Re: Idea to find functions in memory
#3

Quote:
Originally Posted by joaquimandrade
Yes that would make it ok even if the process took some time to finish.
You would be very surprised at what most server admins would consider ok. Perhaps we could include this with the updater? Servers check for a cached version matching their server binary. If they don't find one, they compute it and submit it?

In my experience, server admins will think there's a problem if their server takes any significant amount of time to restart (anything more than a minute or two).
Various bits of semi-useful code in a bunch of languages: http://code.devicenull.org/
joaquimandrade
Veteran Member
Join Date: Dec 2008
Location: Portugal
Old 03-04-2010 , 22:40   Re: Idea to find functions in memory
#4

Quote:
Originally Posted by devicenull
You would be very surprised at what most server admins would consider ok. Perhaps we could include this with the updater? Servers check for a cached version matching their server binary. If they don't find one, they compute it and submit it?

In my experience, server admins will think there's a problem if their server takes any significant amount of time to restart (anything more than a minute or two).
The process would happen only once per update. I believe it's ok even if it takes minutes. Anyway, this is a matter of someone implementing it and seeing if it's worth it, and like pred said it can be made without parsing the full library.

About the cache submission (or just retrieval), I guess it would be ok to have one (per library) available to download.

Last edited by joaquimandrade; 03-04-2010 at 22:43.
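The matching idea from posts #2 to #4 (compare functions by whether they call each other and which strings they refer to, never by how many times; cache the result per binary so it is only rebuilt when the binary changes), as an added worked example. This is my illustration, not code from the thread or from SourceMod/AMX Mod X; the two relation tables are constructed by hand with made-up sub_ names and strings and stand in for what a disassembly pass over the real Linux and Windows builds would produce. Matching is seeded from strings that exactly one function on each side refers to, then grown by comparing call relations with a similarity score rather than strict equality, which is what keeps a function matchable when the other compiler inlined one of its calls away (Fyren's point in post #6).

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed sample relations for two builds of one module (not from any real
# binary); keys stand for function addresses.  Each entry records only WHETHER a
# function calls another and which strings it refers to: no call counts.
LINUX_REL = {
    "sub_1000": {"calls": {"sub_2000", "sub_3000"}, "strings": {"player_hurt"}},
    "sub_2000": {"calls": set(), "strings": {"DamageFilter"}},
    "sub_3000": {"calls": {"sub_4000"}, "strings": set()},
    "sub_4000": {"calls": set(), "strings": {"ragdoll"}},
    "sub_5000": {"calls": {"sub_2000"}, "strings": set()},
}
# The Windows build inlined sub_3000's twin into sub_1000's twin: that call is
# gone and the inlined body's own call (to sub_4000's twin) shows up instead.
WINDOWS_REL = {
    "sub_A": {"calls": {"sub_B", "sub_D"}, "strings": {"player_hurt"}},
    "sub_B": {"calls": set(), "strings": {"DamageFilter"}},
    "sub_C": {"calls": {"sub_D"}, "strings": set()},
    "sub_D": {"calls": set(), "strings": {"ragdoll"}},
    "sub_E": {"calls": {"sub_B"}, "strings": set()},
}

def callers_of(rel):
    """Invert the call relation: callee -> set of callers."""
    inv = {}
    for f, r in rel.items():
        for callee in r["calls"]:
            inv.setdefault(callee, set()).add(f)
    return inv

def seed_by_strings(rel_a, rel_b):
    """Anchor A->B on strings referred to by exactly one function on each side."""
    def unique_refs(rel):
        owner = {}
        for f, r in rel.items():
            for s in r["strings"]:
                owner.setdefault(s, []).append(f)
        return {s: fs[0] for s, fs in owner.items() if len(fs) == 1}
    ua, ub = unique_refs(rel_a), unique_refs(rel_b)
    return {ua[s]: ub[s] for s in ua if s in ub}

def features(f, rel, inv, canon):
    """Describe f only through already-matched neighbours, in side-A names."""
    return ({"calls:" + canon[c] for c in rel[f]["calls"] if c in canon}
            | {"calledby:" + canon[c] for c in inv.get(f, ()) if c in canon})

def jaccard(x, y):
    return len(x & y) / len(x | y) if (x | y) else 0.0

def match_functions(rel_a, rel_b, threshold=0.5):
    """Grow the string-seeded mapping by comparing call relations, not counts.
    Similarity instead of equality is what tolerates inlining: a call missing on
    one side costs one feature, and the function still finds its unique best twin."""
    mapping = seed_by_strings(rel_a, rel_b)
    inv_a, inv_b = callers_of(rel_a), callers_of(rel_b)
    changed = True
    while changed:
        changed = False
        canon_a = {a: a for a in mapping}
        canon_b = {b: a for a, b in mapping.items()}
        for fa in [f for f in rel_a if f not in mapping]:
            fa_feats = features(fa, rel_a, inv_a, canon_a)
            scored = sorted(
                ((jaccard(fa_feats, features(fb, rel_b, inv_b, canon_b)), fb)
                 for fb in rel_b if fb not in mapping.values()), reverse=True)
            if scored and scored[0][0] >= threshold and (
                    len(scored) == 1 or scored[0][0] > scored[1][0]):
                mapping[fa] = scored[0][1]
                changed = True
    return mapping

def load_or_build(cache_dir, binary_bytes, build):
    """Cache keyed on the binary's hash: rebuilt only when the binary changes."""
    path = Path(cache_dir) / (hashlib.sha256(binary_bytes).hexdigest() + ".json")
    if path.exists():
        raw = json.loads(path.read_text())
        return {f: {k: set(v) for k, v in r.items()} for f, r in raw.items()}
    rel = build(binary_bytes)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps({f: {k: sorted(v) for k, v in r.items()}
                                for f, r in rel.items()}))
    return rel

def demo_cache():
    """Load twice from a fresh temp dir: returns (same result, number of builds)."""
    builds = []
    def build(_):                 # stands in for the real disassembly pass
        builds.append(1)
        return LINUX_REL
    fake_binary = b"constructed placeholder for the server library bytes"
    with tempfile.TemporaryDirectory() as d:
        first = load_or_build(d, fake_binary, build)
        second = load_or_build(d, fake_binary, build)
    return first == second, len(builds)
```

Running match_functions(LINUX_REL, WINDOWS_REL) pairs all five functions even though sub_3000's twin lost its caller to inlining: it still shares its "calls sub_4000" feature with sub_C, and nothing else scores as high. The 0.5 threshold and the "unique best candidate" rule are the knobs to tune against false matches on a real binary; a shipped cache should also be signed or checked against a known hash before a server trusts someone else's submitted graph.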
Jamster
Veteran Member
Join Date: Jun 2008
Old 03-04-2010 , 22:54   Re: Idea to find functions in memory
#5

Quote:
Originally Posted by devicenull
You would be very surprised at what most server admins would consider ok. Perhaps we could include this with the updater? Servers check for a cached version matching their server binary. If they don't find one, they compute it and submit it?

In my experience, server admins will think there's a problem if their server takes any significant amount of time to restart (anything more than a minute or two).
Myself, I would love it if this were a core option, disabled by default but able to be enabled for those of us who know what's involved.

This would be a great addition to SM in my opinion.
Fyren
Join Date: Feb 2106
Old 03-05-2010 , 18:10   Re: Idea to find functions in memory
#6

Quote:
Originally Posted by joaquimandrade
The number of calls shouldn't be considered, just if it calls or not.
As pred said, there may not be a call at all in the binary for one OS while it may be there in the other, likely due to inlining.

This is an interesting idea, and I've pondered it myself, but I'm way too lazy.
joaquimandrade
Veteran Member
Join Date: Dec 2008
Location: Portugal
Old 03-05-2010 , 19:35   Re: Idea to find functions in memory
#7

Quote:
Originally Posted by Fyren
As pred said, there may not be a call at all in the binary for one OS while it may be there in the other, likely due to inlining.
Yes, I know. I considered that in the example I gave.

Quote:
Originally Posted by Fyren
This is an interesting idea, and I've pondered it myself, but I'm way too lazy.
I hope that you or someone implements it. I would like to see it in action and see its pros and cons in practice.

Edit:

Another thing: I just thought that by having this tree one could do another kind of hooking. Hooking calls to functions instead of the functions being called. Like, instead of hooking every time X is called, just hooking when Y calls X. This can be nice for some kinds of functions. It would only take the effort of patching the calls so they call a hook function instead, and then calling forwards and calling the original back. (Not an original idea, but this tree would make it easier.)

Last edited by joaquimandrade; 03-05-2010 at 22:20.
joaquimandrade
Veteran Member
Join Date: Dec 2008
Location: Portugal
Old 03-24-2010 , 21:39   Re: Idea to find functions in memory
#8

Hello again. I'm interested in seeing the "CFG parser" that Pred talked about. If you, Pred, or someone that works with him can give me a link to it, I will appreciate it. Thanks.
pRED*
Join Date: Dec 2006
Old 03-25-2010 , 01:27   Re: Idea to find functions in memory
#9

http://pred.ampaste.net/m751dedc4
joaquimandrade
Veteran Member
Join Date: Dec 2008
Location: Portugal
Old 04-20-2010 , 13:31   Re: Idea to find functions in memory
#10

Hello again. I'm kind of experimenting on this with libdisasm and there is something I would like to ask you.

In the linux libraries many functions call first some unnamed function that seems to me like a helper function or something like that. Like:

PHP Code:
push    ebp
mov     ebp, esp
sub     esp, 3Ch
push    edi
push    esi
push    ebx
call    sub_111638
PHP Code:
sub_111638 proc near
mov     ebx, [esp+0]
retn
sub_111638 endp
And there is a different one per function despite doing the same thing.

I guess I just have to discard them, but what is the explanation for this?
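Editor's note on the listing above: a callee that is nothing but mov ebx, [esp] / retn is GCC's position-independent-code helper on i386 (named __i686.get_pc_thunk.bx where symbols survive). The call pushes the return address, the thunk copies it into ebx, and the caller then adds a link-time constant to reach the GOT, which is how a shared object like the Linux server library finds its globals without knowing its load address. Older GCC emitted a private copy in each translation unit, which is why IDA shows many identical sub_ functions. They carry no program logic, so a call-graph builder discards them, exactly as post #10 guesses. The following added example (mine, not code from the thread, from pRED*'s parser or from libdisasm) does the "thin function that takes a function pointer and returns the non-virtual functions it calls" from post #1 over a constructed byte image and drops the thunks. It decodes only the handful of x86-32 opcodes that appear in this thread's listings plus call/ret forms; everything else raises, which is where a real disassembler takes over, and it stops at the first ret instead of walking a real CFG. The sample image, BASE address and sub_ offsets are all made up.

```python
import struct

# Constructed sample image (not bytes from any real binary): a function with the
# prologue shown in the thread, a call to GCC's PIC helper, one vtable call and
# one ordinary call.  The image maps each function's start address to its bytes.
BASE = 0x111000

def build_sample_image(base):
    thunk, callee = base + 0x638, base + 0x700
    code = bytearray()
    def call(target):              # E8 rel32, relative to the next instruction
        code.extend(b"\xe8" + struct.pack("<i", target - (base + len(code) + 5)))
    code.extend(b"\x55\x89\xe5\x83\xec\x3c\x57\x56\x53")  # push ebp; mov ebp,esp; sub esp,3Ch; push edi/esi/ebx
    call(thunk)
    code.extend(b"\x8b\x45\x08\xff\x50\x10")   # mov eax,[ebp+8]; call [eax+10h] (virtual)
    call(callee)
    code.extend(b"\x5b\x5e\x5f\xc9\xc3")       # pop ebx/esi/edi; leave; ret
    return {base: bytes(code),
            thunk: b"\x8b\x1c\x24\xc3",         # mov ebx,[esp]; ret
            callee: b"\x55\x89\xe5\x5d\xc3"}    # push ebp; mov ebp,esp; pop ebp; ret

SAMPLE_IMAGE = build_sample_image(BASE)

def modrm_len(code, i):
    """Bytes taken by a ModRM operand at code[i]: ModRM, optional SIB, displacement."""
    mod, rm = code[i] >> 6, code[i] & 7
    n = 1
    if mod != 3 and rm == 4:                     # SIB byte follows
        n += 1
        if mod == 0 and (code[i + 1] & 7) == 5:  # SIB base=101 with mod=00: disp32
            n += 4
    elif mod == 0 and rm == 5:                   # [disp32]
        n += 4
    return n + {1: 1, 2: 4}.get(mod, 0)          # disp8 / disp32

def direct_callees(image, addr):
    """Linear sweep from addr to the first ret: (direct call targets, indirect call count).
    Only the opcodes seen in the thread's listings are decoded; anything else raises,
    which is where a real disassembler (libdisasm in the post) takes over.  A real CFG
    walk would also follow jumps instead of stopping at the first ret."""
    code, i, direct, indirect = image[addr], 0, [], 0
    while i < len(code):
        op = code[i]
        if op in (0xC3, 0xC2):                            # ret / ret imm16
            return direct, indirect
        if 0x50 <= op <= 0x5F or op in (0x90, 0xC9):     # push/pop r32, nop, leave
            i += 1
        elif op in (0x89, 0x8B):                          # mov r/m32,r32 / mov r32,r/m32
            i += 1 + modrm_len(code, i + 1)
        elif op in (0x81, 0x83):                          # add/sub/... r/m32, imm32/imm8
            i += 1 + modrm_len(code, i + 1) + (4 if op == 0x81 else 1)
        elif op == 0xE8:                                  # call rel32 (non-virtual)
            rel = struct.unpack_from("<i", code, i + 1)[0]
            i += 5
            direct.append((addr + i + rel) & 0xFFFFFFFF)
        elif op == 0xFF and (code[i + 1] >> 3) & 7 == 2:  # call r/m32: indirect (vtable)
            indirect += 1
            i += 1 + modrm_len(code, i + 1)
        else:
            raise ValueError(f"unsupported opcode {op:#04x} at {addr + i:#x}")
    raise ValueError("no ret found")

def is_pc_thunk(image, addr):
    """GCC's i386 PIC helper: mov reg,[esp]; ret, with or without a zero disp8
    (IDA prints the latter as [esp+0]).  The reg field is masked out so the
    ecx/edx/... variants are recognised too.  It only hands its own return
    address to the caller, so it is not a meaningful callee."""
    c = image.get(addr, b"")
    plain = len(c) >= 4 and c[0] == 0x8B and (c[1] & 0xC7) == 0x04 and c[2] == 0x24 and c[3] == 0xC3
    disp8 = len(c) >= 5 and c[0] == 0x8B and (c[1] & 0xC7) == 0x44 and c[2] == 0x24 and c[3] == 0 and c[4] == 0xC3
    return plain or disp8

def meaningful_callees(image, addr):
    """Direct callees with the PC thunks discarded; indirect calls reported separately."""
    direct, indirect = direct_callees(image, addr)
    return [t for t in direct if not is_pc_thunk(image, t)], indirect
```

For the sample, direct_callees(SAMPLE_IMAGE, BASE) reports both call targets plus one indirect call, and meaningful_callees drops the thunk at BASE+0x638, leaving only the real callee. Indirect calls are counted rather than resolved because a vtable slot cannot be turned into a target by looking at the caller alone, which is the "[non-virtual]" caveat in post #1.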