
Track the Library Call and extract Prototype Information

Open 040840308 opened this issue 3 years ago • 2 comments

Hi,

Nice work! I ran sniper successfully! I found that it didn't extract the custom third-party library call information.
Can sniper do this?

Thanks

040840308 avatar Dec 15 '21 09:12 040840308

Hi, thanks for your interest and the appreciation! Right now the tool tracks only Win32 APIs, but the DBI version should be fairly simple to customize to track other libraries. For the instrumentation, the core part is located in src/image.cpp, with the method TRACER_LoadImage.

The boolean flag instrument in there is set to true only if the name of the DLL to monitor is part of the supportedDLLs array. That will allow you to enable the tracing of symbol names for virtually any DLL. Then the hasPrototypes flag is set to perform argument tracing according to the availability of prototype information, exposed to the instrumentation code through a hashmap dllArgsMapOfMap that provides pointers to parameter information (number, size, and type of args).

The user should provide a C file of the likes of those in src/prototypes/32bit/ (one file per library) and add its main array to the hashmap. For Win32 APIs, we generated such files programmatically using the Python scripts that we make available in scripts/ and an SQLite database from automated analysis of header files (we borrowed the DBs of PyREBox). So if you have header information for third-party libraries, generating the prototypes should be fairly easy.

dcdelia avatar Dec 15 '21 17:12 dcdelia
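The load-time decision (supportedDLLs check) and the prototype lookup (map of maps) that the comment above describes, as an added C++ example that is not sniper's own code: the struct layout, the "vendor.dll" table, its function names and the helper names are constructed assumptions, not the project's actual definitions.

```cpp
#include <cctype>
#include <cstddef>
#include <map>
#include <string>

// Hypothetical descriptors: sniper's real struct layout is not shown in the thread.
struct ArgInfo { const char* name; const char* type; size_t size; };
struct ProtoInfo { const char* fn; size_t nargs; const ArgInfo* args; };

// Constructed table for an imaginary third-party "vendor.dll", in the spirit of
// one C file per library under src/prototypes/32bit/ (32-bit: 4-byte stack slots).
static const ArgInfo vendorEncodeArgs[] = {
    {"buf", "LPVOID", 4}, {"len", "DWORD", 4}, {"flags", "DWORD", 4}};
static const ArgInfo vendorInitArgs[] = {{"ctx", "LPVOID", 4}};
static const ProtoInfo vendorProtos[] = {
    {"VendorEncode", 3, vendorEncodeArgs}, {"VendorInit", 1, vendorInitArgs}};

// DLLs whose symbol names get traced (the role of the supportedDLLs array).
static const char* const supportedDLLs[] = {"kernel32.dll", "vendor.dll"};

// dll name -> (function name -> prototype): the role of dllArgsMapOfMap.
using ProtoMap = std::map<std::string, const ProtoInfo*>;
using DllArgsMapOfMap = std::map<std::string, ProtoMap>;

// Windows DLL names are case-insensitive, so normalise before comparing.
static std::string lowerName(const char* s) {
    std::string out(s);
    for (char& c : out) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return out;
}

// Decides the "instrument" flag for a freshly loaded image.
bool shouldInstrument(const char* dll) {
    std::string name = lowerName(dll);
    for (const char* s : supportedDLLs) if (name == s) return true;
    return false;
}

// Builds the map once; a real tracer adds one entry per prototype file.
const DllArgsMapOfMap& prototypeMap() {
    static DllArgsMapOfMap m;
    if (m.empty()) for (const ProtoInfo& p : vendorProtos) m["vendor.dll"][p.fn] = &p;
    return m;
}

// nullptr means no prototype: trace the symbol name only (hasPrototypes stays false).
const ProtoInfo* lookupPrototype(const char* dll, const char* fn) {
    auto d = prototypeMap().find(lowerName(dll));
    if (d == prototypeMap().end() || !d->second.count(fn)) return nullptr;
    return d->second.at(fn);
}
```

Summing the `size` fields of a returned prototype gives the number of stack bytes an argument-tracing callback must read at the call site for a 32-bit callee.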

OK, got it. I will have a try. Thanks

040840308 avatar Dec 16 '21 00:12 040840308