Reverse Engineering Asked by tturbox on August 24, 2020
So I’ve been trying to write a pintool that monitors call/ret instructions, but I’ve noticed that there was a significant inconsistency between the two. For example, ret instructions without a previous call.
I’ve run the tool in a console application from which a number of inconsistencies can be observed. Below are the first 3 log entries showing this inconsistency:
1. Call from ntdll!LdrpCallInitRoutine+0x69, expected to return to 7ff88f00502a
2. RETURN to 7ff88f00502a
//call from ntdll!LdrpInitializeNode+0x1ac which is supposed to return at 7ff88f049385 is missing (the previous instruction)
3. RETURN to 7ff88f049385 (ntdll!LdrpInitializeNode+0x1b1)
The above are the first 3 log entries for the call/ret instructions. As one can see, the monitoring appears to start a bit late, at the call found at ntdll!LdrpCallInitRoutine+0x69, after which it returned to the expected address but then returned to 7ff88f049385 without first tracking the call found in the previous instruction.
Any ideas of what could be the fault?
The program is traced with INS_AddInstrumentFunction with a callback that more or less does:
if INS_IsCall(ins) INS_InsertCall(ins,...
if INS_IsRet(ins) INS_InsertCall(ins,...
I’ve tried the same program on Linux, which worked as expected, without any mismatch.
Any ideas of the reason behind this behavior?