The value of BPatch_registerExpr(BPatch_register reg) #388

Closed
jianghaizhi opened this issue Jul 17, 2017 · 6 comments

Comments

@jianghaizhi

jianghaizhi commented Jul 17, 2017

I create a snippet with this code:
BPatch_snippet *registervalue = new BPatch_registerExpr(regs[0]);
Then this snippet is inserted into the binary and I get a new rewritten binary. I will run the new binary and print the registervalue.

May I know whether the registervalue is a runtime value or just a static estimate?

jianghaizhi changed the title from "The value" to "The value of BPatch_registerExpr(BPatch_register reg)" on Jul 17, 2017
@mxz297
Member

mxz297 commented Jul 18, 2017

It should be the runtime value for that register.

@jianghaizhi
Author

jianghaizhi commented Jul 18, 2017

Thank you! @mxz297

How about the value of BPatch_dynamicTargetExpr()?

call *%RAX
This is an indirect call in a rewritten binary. Is it right for me to use BPatch_dynamicTargetExpr() to get the legitimate call target? I wonder if it is always the same as BPatch_registerExpr(RAX) (The runtime value of RAX).

@wrwilliams
Member

dynamicTargetExpr is more portable across call sites if you want the target; prefer the closest match of abstractions to what you actually want when writing Dyninst snippets.

@jianghaizhi
Author

Thank you for your explanation. @wrwilliams

I want to do a simple CFI monitor. First, I need to get the legitimate call target before running the rewritten binary. Then I need to get the runtime call target and compare it with the legitimate one.

As you explained, BPatch_registerExpr(RAX) and dynamicTargetExpr will both get the runtime value.
Am I right?

Is there any way to get the legitimate call target?

Thank you!

@wrwilliams
Member

You'd need some sort of static analysis to determine which functions are legal to call from each call site (or overapproximate and just require that calls go to legitimate function entry points). We don't currently perform a precise analysis and assume internally that any indirect call may target any function; this can clearly be improved on.
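The over-approximating check described above (every indirect call must land on a legitimate function entry point), as an added example that is not part of this thread or of the Dyninst project: the runtime half of such a monitor, written in C so it can be built into a library that the mutator loads and calls from a snippet. The assumed wiring is a BPatch_funcCallExpr whose arguments are a BPatch_constExpr holding the call-site address and a BPatch_dynamicTargetExpr(), inserted with BPatch_callBefore at each dynamic BPatch_subroutine point; the entry-point table and the call-site addresses are constructed placeholders.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Over-approximate allow-list: every legitimate function entry point in the
 * rewritten binary, sorted ascending. A real mutator would emit this table
 * from the functions BPatch_image::getProcedures() enumerates; these five
 * addresses are constructed placeholders for the example. */
static const uintptr_t legit_entries[] = {
    0x401000, 0x401130, 0x4012a0, 0x401400, 0x4015f0,
};
static const size_t legit_count = sizeof legit_entries / sizeof legit_entries[0];

static unsigned long violations = 0;   /* number of rejected indirect calls */
int cfi_enforce = 0;                   /* 0: log only, 1: abort on violation */

/* Binary search: is `target` exactly one of the known function entries? */
int cfi_is_legit_target(uintptr_t target)
{
    size_t lo = 0, hi = legit_count;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (legit_entries[mid] == target)
            return 1;
        if (legit_entries[mid] < target)
            lo = mid + 1;
        else
            hi = mid;
    }
    return 0;
}

/* Entry point for the inserted snippet (assumed wiring, see lead-in): the
 * mutator would build BPatch_funcCallExpr(cfi_check, {BPatch_constExpr(site),
 * BPatch_dynamicTargetExpr()}) and insert it with BPatch_callBefore at every
 * BPatch_subroutine point whose isDynamic() is true, so `target` is the
 * runtime value the `call *%rax` is about to transfer control to.
 * Returns 1 when the call is allowed and 0 when a violation was recorded. */
int cfi_check(uintptr_t site, uintptr_t target)
{
    if (cfi_is_legit_target(target))
        return 1;
    violations++;
    fprintf(stderr, "CFI: indirect call at %#lx to %#lx is not a function entry\n",
            (unsigned long)site, (unsigned long)target);
    if (cfi_enforce)
        abort();
    return 0;
}
unsigned long cfi_violation_count(void) { return violations; }
```

Because the table admits any function entry, a call redirected to a different legitimate function is still accepted; that is the imprecision the comment above refers to.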

@jianghaizhi
Author

Thank you @wrwilliams
