Instrumentation is a technique that adds extra code to a program or environment for monitoring or changing program behavior. It can be used for various purposes like performance analysis, automated debugging, error detection, and security testing. Instrumentation can be applied at different levels like source code, bytecode, or binary code. Common instrumentation techniques include static analysis, dynamic analysis, load-time instrumentation, and dynamic binary instrumentation. Instrumentation is useful for tasks like control flow analysis, vulnerability detection, malware analysis, and fuzzing.

1. Light and Dark side of Code
Instrumentation
Dmitriy “D1g1″ Evdokimov
DSecRG, Security Researcher

2. #whoami
• Security Researcher in DSecRG
– RE
– Fuzzing
– Mobile security
• Organizer: DCG #7812
• Editor in “XAKEP”
Digital Security Positive Hack Days 2012 2

3. Agenda
1. Instrumentation .
2. Instrumentation ..
3. Instrumentation …
4. Instrumentation ….
5. Instrumentation …..
6. Instrumentation ……
7. Instrumentation …….
Digital Security Positive Hack Days 2012 3

4. Intro
“It has been proved by scientists that a new
point of evolution, any technical progress
appears when a Man makes up a new type of
tool, but not a product.”
Digital Security Positive Hack Days 2012 4

5. Instrumentation
Instrumentation is a technique adding extra
code to an program/environment for
monitoring/change some program behavior.
Environment
Program Program
Own Own
extra extra
code code
Digital Security Positive Hack Days 2012 5

6. Why is it necessary?
Parallel optimization
Simulation
Memory debugging
Virtualization
Emulation
Software profiling
Performance analysis
Testing
Automated debugging Correctness checking
Error detection Collecting code metrics
Binary translation Optimization
Memory leak detection
Digital Security Positive Hack Days 2012 6

7. Instrumentation in information
security
Control flow analysis Security test case generation
Unpack Code coverage
Virtual patching Malware analysis Vulnerability detection
Privacy monitoring Taint analysis
Antivirus technology
Sandboxing Program shepherding
Data flow analysis Shellcode detection
Deobfuscation Fuzzing
Reverse engineering
Behavior based security Forensic
Transparent debugging
Data Structure Restoring
Security enforcement
Digital Security Positive Hack Days 2012 7

8. Analysis
Criterion Static analysis Dynamic analysis
Code vs. data Problem No problem
Code coverage Big (but not all) One way
Information about values No information All information
Self-modifying code Problem No problem
Interaction with the No Yes
environment
Unused code Analysis No analysis
JIT code Problem No problem
Digital Security Positive Hack Days 2012 8

9. Code Discovery
Memory
After static analysis 0101010110101001010010
Instr 1 After dynamic analysis
0101010101101010101010
Instr 2 Instr 3
1111010101110101000111
jump reg InstrDATA
4 Instr
1011100111001010101011
5 Instr 4 6
Instr Instr 7
5
jmp 0x0ABCD PADDING
0111010110100111100110
Instr 7 cont. Instr 8
1010101101110001001011
Instr 9 Instr 6 10
Instr
Digital Security Positive Hack Days 2012 9

10. The general scheme of code
instrumentation
1. Find points of instrumentation;
2. Insert instrumentation;
3. Take control from program;
4. Save context of the program;
5. Execute own code;
6. Restore context of the program;
7. Return control to program.
Digital Security Positive Hack Days 2012 10

11. Source Data
Source data
Source code Byte code Binary code
Digital Security Positive Hack Days 2012 11

12. Classification of target
instrumentation
Instrumentation
With source code Without source code
Source code Byte code Binary code
Linker/Compiler Byte code Executable file
Interpreter/VM Process
Environment
Dynamic binary instrumentation
Static binary modification
Byte code instrumentation
Link-time/Compilation-time
Source code instrumentation Environment
- Static
instrumentation
Hardware
- Load-time
Digital- Dynamic
Security Positive Hack Days 2012 12

13. Source code instrumentation
• Source code*
– Source code instrumentation
• Manual skills
• Plugins for IDE
– Link-time/Compilation-time instrumentation
• Options of linker/compiler
• Tools: Visual Studio Profiler, gcc, TAU, OPARI,
Diablo, Phoenix, LLVM, Rational Purify, Valgrind
*Unreal condition for security specialist =)
Digital Security Positive Hack Days 2012 13

14. Unmoral programming
Digital Security Positive Hack Days 2012 14

15. Byte code instrumentation
Byte code – intermediate representation
between source code and machine code.
…
Java VM Dalvik VM AVM/AVM2 CLR
Digital Security Positive Hack Days 2012 15

16. Instrumentation byte-code (I)
Source code Compilation Byte-code
Load
Virtual machine
Loader
JIT
Lib
Execute
Lib
Lib
Machine code
Digital Security Positive Hack Days 2012 16

17. Instrumentation byte code (II)
• Byte-code
– Static instrumentation
• Static byte code instrumentation
– Load-time instrumentation
• Custom byte code loader
– Dynamic instrumentation
• Dynamic byte code instrumentation
Digital Security Positive Hack Days 2012 17

18. Instrumentation Java (I)
Mechanisms:
• java.lang.instrument package;
• Java Platform Debugger Architecture (JPDA) .
Digital Security Positive Hack Days 2012 18

19. Instrumentation Java (II)
• Static instrumentation
– Modification *.class files
• Load-time instrumentation
– ClassFileLoadHook
– Custom ClassLoader
• Dynamic instrumentation
– ClassFileLoadHook -> RetransformClasses
Tools: Javassist, ObjectWeb ASM, BCEL, JOIE, reJ
JavaSnoop, Serp, JMangler
Digital Security Positive Hack Days 2012 19

20. Instrumentation .NET
• Static instrumentation
– Modification DLL files
• Load-time instrumentation
– AppDomain.Load()/Assembly.Load()
– Joint redirection
– Via event handler
Tools: ReFrameworker, MBEL, RAIL, Cecil
Digital Security Positive Hack Days 2012 20

21. Instrumentation ActionScript (I)
• ActionScript2
– AVM
– Tags that (can) contain bytecode:
• DefineButton (7), DefineButton2 (34), DefineSprite (39),
DoAction (12), DoInitAction (59), PlaceObject2 (26),
PlaceObject3 (70).
• ActionScript3
– AVM2
– Tags that (can) contain bytecode:
• DoABC (82), RawABC (72).
Digital Security Positive Hack Days 2012 21

22. AVM2 Architecture
AS3
.abc
function (x:int):int {
return x+10
}
.abc parser
MIR
JIT Compiler
.abc
@1 arg +8// argv
getlocal 1 Verifier
Bytecode MIR Code Generator
@2 load [@1+4]
pushint 10
@3 imm 10
add
@4 add (@2,@3)
returnvalue
Interpreter MD Code Generator
@5 ret @4 // @4:eax
(x86, PPC, ARM, etc.)
x86
Runtime System (Type System, Object Model)
mov eax,(eap+8)
mov eax,(eax+4)
add eax,10
Memory Manager/Garbage Collector
ret
Digital Security Positive Hack Days 2012 22

23. Instrumentation ActionScript (I)
AVM tag
Original SWF file
Header Tags
Instrumenteted
SWF file
Digital Security Positive Hack Days 2012 23

24. Instrumentation AVM (II)
• Static instrumentation
– Add :
• trace()
• dump()
• debug()
• debugfile()
• debugline()
– Modification:
• Create own class + change class name = hook!
Digital Security Positive Hack Days 2012 24

25. Instrumentation binary code
• The executable file • Environment
– Static code instrumentation – Modifying call table
• Static binary instrumentation • IDT, CPU MSRs, GDT, SSDT,
• Process IRP тable
– Debuggers • …
• Debugging API – Modifying OS options
– Modifying call table/other structure • SHIM
• IAT • LD_PRELOAD
• … • AppInt_DLLs
– Dynamic code instrumentation • DLL injection
• Dynamic binary instrumentation • …
• Hardware – Reproduction of the
– Hardware debug features environment
• Debug registers • Emulation
• Hardware debuggers • Virtualization
• …
Digital Security Positive Hack Days 2012 25

26. Static Binary Instrumentation (I)
Static binary instrumentation/Physical code
integration/Static binary code rewriting
Edited Header
Header
• Realization: Segment of Segment of
code code
– With reallocation:
Segment of Segment of
• Level of segment; data data
• Level of function; Extra segment
of code
– Without reallocation.
Extra segment
of data
Digital Security Positive Hack Days 2012 26

27. Static Binary Instrumentation (II)
Reallocation:
1) Function Displacement + Entry Point Linking;
2) Branch Conversion;
3) Instruction Padding;
4) Instrumentation.
Tools: DynInst, EEL, ATOM, PEBIL, ERESI, TAU,
Vulcan, BIRD, Aslan(4514N)
Digital Security Positive Hack Days 2012 27

28. Debuggers
• Breakpoints:
• Software
App Debugger
• Hardware
• Debugger + scripting: OS
• WinDBG + pykd
• OllyDBG + python = Immunity Debuggers Processor
• GDB + PythonGDB
• Python library's*: Buggery, IDAPython, ImmLIB, lldb, PyDBG,
PyDbgEng, pygdb , python-ptrace , vtrace, WinAppDbg, …
*See “Python Arsenal for Reverse Engineering”
Digital Security Positive Hack Days 2012 28

29. Dynamic Binary Instrumentation
Dynamic binary instrumentation/Virtual code
integration/Dynamic binary rewriting
DBI
App1 App2
OS
Processor
Tools: PIN, DynamoRIO, DynInst, Valgrind, BAP,
KEDR, Fit, ERESI, Detour, Vulcan, SpiderPig
Digital Security Positive Hack Days 2012 29

30. Dynamic Binary Instrumentation
• Dynamic Binary Instrumentation (DBI) is a process control and
analysis technique that involves injecting instrumentation code
into a running process.
• Dynamic binary analysis (DBA) tools such as profilers and
checkers help programmers create better software.
• Dynamic binary instrumentation (DBI) frameworks make it easy
to build new DBA tools.
•DBA tools consist:
– instrumentation routines;
– analysis routines.
Digital Security Positive Hack Days 2012 30

31. Kinds of DBI
Mode: Mode of work:
– user-mode; - Start to finish;
– kernel-mode. - Attach.
Functionality
Modes of execution: JIT
– Interpretation-mode;
– Probe-mode; Probe
– JIT-mode. Performance
Digital Security Positive Hack Days 2012 31

32. DBI Frameworks*
Frameworks OS Arch Modes Features
PIN Linux, x86, x86-64, JIT, Probe Attach mode
Windows, Itanium, ARM
MacOS
DynamoRIO Linux, x86, x86-64 JIT, Probe Runtime
Windows optimization
DynInst Linux, x86, x86-64, Probe Static &
FreeBSD, ppc32, ARM, Dynamic binary
Windows ppc64 instrumentation
Valgrind Linux, MacOS x86, x86-64, JIT IR – VEX,
ppc32, ARM, Heavyweight
ppc64 DBA tools
*For more details see “DBI:Intro” presentation from ZeroNights conference
Digital Security Positive Hack Days 2012 32

33. Start work with DBI
Digital Security Positive Hack Days 2012 33

34. Levels of granularity
• Instruction;
• Basic Block*;
• Trace/Superblock;
• Function;
• Section;
• Events;
• Binary image.
Digital Security Positive Hack Days 2012 34

35. Self-modifying code & DBI
Detect:
– Written-protecting code pages
– Checking store address
– Inserting extra code
Digital Security Positive Hack Days 2012 35

36. Overhead
O=X+Y
Y = N*Z
Z = K+L
O – Tool Overhead;
X – Instrumentation Routines Overhead;
Y – Analysis Routines Overhead;
N – Frequency of Calling Analysis Routine;
Z – Work Performed in the Analysis Routine;
K – Work Required to Transition to Analysis Routine;
L – Work Performed Inside the Analysis Routine.
Digital Security Positive Hack Days 2012 36

37. Rewriting instructions
• Platforms:
– with fixed-length instruction;
– with variable-length instructions.
Digital Security Positive Hack Days 2012 37

38. Rewriting code (I)
• Easy / simple / boring / regular example
– Rewriting prolog function
Digital Security Positive Hack Days 2012 38

39. Rewriting code (II)
• Hardcore example:
– Mobile phone firmware rewriting
Bootloader
reboot
Flash
SHELLCODE 1 AMSS
Malicious SMS
GSM
Baseband processor
Digital Security Positive Hack Days 2012 39

40. Instrumentation in ARM
ARM modes:
– ARM
• Length(instr) = 4 byte
– Thumb
• Length(instr) = 2 byte
– Thumb2
• Length(instr) = 2/4 byte
– Jazzle
For more detail see “A Dynamic Binary Instrumentation Engine for the ARM
Architecture” presentation.
Digital Security Positive Hack Days 2012 40

41. Emulation
App1 OS
Emulator
OS
Processor
Digital Security Positive Hack Days 2012 41

42. Instrumentation & Bochs
• Bochs can be called with instrumentation support.
• C++ callbacks occur when certain events happen:
– Poweron/Reset/Shutdown;
– Branch Taken/Not Taken/Unconditional;
– Opcode Decode (All relevant fields, lengths);
– Interrupt /Exception;
– Cache /TLB Flush/Prefetch;
– Memory Read/Write.
• “bochs-python-instrumentation” patch by Ero Carrera
Digital Security Positive Hack Days 2012 42

43. Virtualization
App1 OS
App1 OS
VMM
VMM OS
Processor Processor
Native VMM Hosted VMM
*VMM - Virtual Machine Monitor
Digital Security Positive Hack Days 2012 43

44. Instrumentation & virtualization
Stages:
1. Save the VM-exit reason information in the VMCS;
2. Save guest context information;
3. Load the host-state area;
4. Transfer control to the hypervisor;
5. Run own code.
*VMCS - Virtual Machine Control Structure
Digital Security Positive Hack Days 2012 44

45. Instrumentation in
Mobile World
Mobile Platform Language Executable file format
Android Java Dex
iOS Objective-C Mach-O
Windows Phone .NET PE
Digital Security Positive Hack Days 2012 45

46. Conclusion
One can implement instrumentation of everything!
Digital Security Positive Hack Days 2012 46

47. Contact
Twitter: @evdokimovds
E-mail: d.evdokimov@dsecrg.com
Digital Security Positive Hack Days 2012 47