https://github.com/toshipiazza/drcfg
Dynamic Control Flow Recovery
- Host: GitHub
- URL: https://github.com/toshipiazza/drcfg
- Owner: toshipiazza
- License: mit
- Created: 2017-06-14T01:31:58.000Z (almost 9 years ago)
- Default Branch: master
- Last Pushed: 2018-04-15T21:37:22.000Z (about 8 years ago)
- Last Synced: 2025-03-29T09:51:13.838Z (about 1 year ago)
- Topics: cfg, dynamorio
- Language: C++
- Size: 73.2 KB
- Stars: 24
- Watchers: 4
- Forks: 5
- Open Issues: 3
Metadata Files:
- Readme: README.md
- License: LICENSE.md
README
drcfg
=====
A DynamoRIO client that constructs a control-flow graph (CFG) of the target program at run time, without source. Because the graph is recovered dynamically, it contains only the branches and targets exercised by the run you drive; edges the input never reaches are absent. For motivation, see this [blog
post](https://tpiazza.me/posts/2016-11-04-dynamorio_cfg.html). This plugin implements the
following:
- intercepts conditional branch instructions (`cbr`s)
- intercepts control transfer instructions (`cti`s)
- dumps output in JSON format
# Usage
```
$ drrun -c ./libcfg.so -- ../test/call.out
{
  "branches": [
    {
      "address": 4194497,
      "targets": [
        4194500
      ]
    }
  ]
}
```
Each `branches` entry is one instrumented branch site with every target observed during the run. Addresses are plain decimal integers (4194497 is 0x4000c1), not hex strings.
Options for `drcfg` are shown below; pass them after the client path and before `--` on the `drrun` line (e.g. `drrun -c ./libcfg.so -only_from_app -output cfg.json -- ./target`):
```
-only_from_app [ false] Only count app, not lib, instructions
-instrument_ret [ false] Count return instructions as control flow instructions
-racy [ false] Perform racy hashtable insertion
-no_cbr [ false] Don't count conditional branch instructions
-no_cti [ false] Don't count control transfer instructions
-output [ ""] Output results to file
```
`-only_from_app` restricts recording to the main module, so branches inside shared libraries do not appear in the output. `-racy` skips synchronization on the hashtable insert; on multithreaded targets that can lose entries, so leave it off when completeness matters.
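The JSON above is only an edge list keyed by branch address, so the useful next steps are post-processing: turning it into a graph, and merging several runs, since each run records only the edges its input exercised. The script below is an added example, not part of drcfg; it assumes nothing beyond the `branches`/`address`/`targets` layout shown in the Usage section, and the two run documents embedded in it are constructed sample data, not real tool output.

```python
import json
from collections import defaultdict

# Constructed sample drcfg output for two runs of the same binary (not real
# tool output): in RUN_A the cbr at 0x4000c1 fell through to 0x4000c4, in
# RUN_B it was taken to 0x4000d8 and a cti at 0x400100 was seen with two
# targets (an indirect branch, or a cbr observed both taken and not taken).
RUN_A = json.dumps({"branches": [
    {"address": 4194497, "targets": [4194500]},
    {"address": 4194512, "targets": [4194560]},
]})
RUN_B = json.dumps({"branches": [
    {"address": 4194497, "targets": [4194520]},
    {"address": 4194560, "targets": [4194600, 4194640]},
]})


def load_edges(text):
    """Parse one drcfg JSON document into a set of (src, dst) integer edges."""
    doc = json.loads(text)
    return {(int(b["address"]), int(t))
            for b in doc["branches"] for t in b["targets"]}


def merge_runs(*texts):
    """Union the edges of several runs into {src: {dst, ...}}.

    A dynamic CFG only contains edges that some input actually exercised,
    so the graph for a program is the union over all the runs you can drive.
    """
    cfg = defaultdict(set)
    for text in texts:
        for src, dst in load_edges(text):
            cfg[src].add(dst)
    return dict(cfg)


def new_edges(baseline, run):
    """Edges exercised by `run` that `baseline` never hit (new coverage)."""
    return load_edges(run) - load_edges(baseline)


def to_dot(cfg):
    """Render the merged graph as Graphviz DOT with hex node labels."""
    lines = ["digraph drcfg {", "  node [shape=box fontname=monospace];"]
    for src in sorted(cfg):
        for dst in sorted(cfg[src]):
            lines.append(f'  "{src:#x}" -> "{dst:#x}";')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    merged = merge_runs(RUN_A, RUN_B)
    print(to_dot(merged))
    print("new edges in RUN_B:",
          sorted(f"{s:#x}->{d:#x}" for s, d in new_edges(RUN_A, RUN_B)))
```

With real data, collect each run via `-output run1.json`, `-output run2.json`, and so on, read those files in place of the inline strings, and pipe the DOT through `dot -Tsvg`. The `new_edges` comparison is the interesting part for triage: a test case that adds edges over the baseline reached code the previous inputs did not.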
# How to Build
```
$ mkdir -p build && cd build
$ cmake .. -DDynamoRIO_DIR=
$ make -j4
```
Point `DynamoRIO_DIR` at the `cmake` directory of your DynamoRIO install (the one containing `DynamoRIOConfig.cmake`). The resulting `libcfg.so` in `build/` is the client passed to `drrun -c`.
# TODO
Listed in relative order of importance
- [x] Implement cache flushing as per `cbr.c`, to remove instrumentation once a branch has
or has not been taken. This will hopefully speed up applications considerably.
- [x] Optionally intercept only branches in main module (i.e. `-only_from_app`)
- [x] Dump json to a file
- [ ] Optionally dump YAML
- [x] Optionally instrument return `cti`s (`-instrument_ret`)