This document discusses code instrumentation techniques. It begins by introducing the speaker and defining instrumentation as adding extra code to a program or environment for monitoring or changing program behavior. It then covers various uses of instrumentation including debugging, testing, profiling, and security applications like malware analysis. The document categorizes instrumentation approaches as static, load-time, or dynamic depending on when the instrumentation is applied. It provides examples of instrumentation for different programming languages and environments like Java, .NET, and ActionScript.

1. Light and Dark side of Code
Instrumentation
Dmitriy “D1g1″ Evdokimov
DSecRG, Security Researcher

2. #whoami
• Security Researcher in DSecRG
– RE
– Fuzzing
– Mobile security
• Organizer: DCG #7812
• Editor in “XAKEP”
www.dsecrg.com CONFidence Krakow 2012 2

3. Agenda
1. Instrumentation .
2. Instrumentation ..
3. Instrumentation …
4. Instrumentation ….
5. Instrumentation …..
6. Instrumentation ……
7. Instrumentation …….
www.dsecrg.com CONFidence Krakow 2012 3

4. Intro
“It has been proved by scientists that a new
point of evolution, any technical progress
appears when a Man makes up a new type of
tool, but not a product.”
www.dsecrg.com CONFidence Krakow 2012 4

5. Instrumentation
Instrumentation is a technique adding extra
code to an program/environment for
monitoring/change some program behavior.
Environment
Program Program
Own Own
extra extra
code code
www.dsecrg.com CONFidence Krakow 2012 5

6. Why is it necessary?
Parallel optimization
Simulation
Memory debugging
Virtualization
Emulation
Software profiling
Performance analysis
Testing
Automated debugging Correctness checking
Error detection Collecting code metrics
Binary translation Optimization
Memory leak detection
www.dsecrg.com CONFidence Krakow 2012 6

7. Instrumentation in information
security
Control flow analysis Security test case generation
Unpack Code coverage
Virtual patching Malware analysis Vulnerability detection
Privacy monitoring Taint analysis
Antivirus technology
Sandboxing Program shepherding
Data flow analysis Shellcode detection
Deobfuscation Fuzzing
Reverse engineering
Behavior based security Forensic
Transparent debugging
Data Structure Restoring
Security enforcement
www.dsecrg.com CONFidence Krakow 2012 7

8. Analysis
Criterion Static analysis Dynamic analysis
Code vs. data Problem No problem
Code coverage Big (but not all) One way
Information about values No information All information
Self-modifying code Problem No problem
Interaction with the No Yes
environment
Unused code Analysis No analysis
JIT code Problem No problem
www.dsecrg.com CONFidence Krakow 2012 8

9. Code Discovery
Memory
After static analysis 0101010110101001010010
Instr 1 After dynamic analysis
0101010101101010101010
Instr 2 Instr 3
1111010101110101000111
jump reg InstrDATA
4 Instr
1011100111001010101011
5 Instr 4 6
Instr Instr 7
5
jmp 0x0ABCD PADDING
0111010110100111100110
Instr 7 cont. Instr 8
1010101101110001001011
Instr 9 Instr 6 10
Instr
www.dsecrg.com CONFidence Krakow 2012 9

10. The general scheme of code
instrumentation
1. Find points of instrumentation;
2. Insert instrumentation;
3. Take control from program;
4. Save context of the program;
5. Execute own code;
6. Restore context of the program;
7. Return control to program.
www.dsecrg.com CONFidence Krakow 2012 10

11. Source Data
Source data
Source code Byte code Binary code
www.dsecrg.com CONFidence Krakow 2012 11

12. Classification of target
instrumentation
Instrumentation
With source code Without source code
Source code Byte code Binary code
Linker/Compiler Byte code Executable file
Interpreter/VM Process
Environment
Dynamic binary instrumentation
Static binary modification
Byte code instrumentation
Link-time/Compilation-time
Source code instrumentation Environment
- Static
instrumentation
Hardware
- Load-time
- Dynamic
www.dsecrg.com CONFidence Krakow 2012 12

13. Source code instrumentation
• Source code*
– Source code instrumentation
• Manual skills
• Plugins for IDE
– Link-time/Compilation-time instrumentation
• Options of linker/compiler
• Tools: Visual Studio Profiler, gcc, TAU, OPARI,
Diablo, Phoenix, LLVM, Rational Purify, Valgrind
*Unreal condition for security specialist =)
www.dsecrg.com CONFidence Krakow 2012 13

14. Unmoral programming
www.dsecrg.com CONFidence Krakow 2012 14

15. Byte code instrumentation
Byte code – intermediate representation
between source code and machine code.
…
Java VM Dalvik VM AVM/AVM2 CLR
www.dsecrg.com CONFidence Krakow 2012 15

16. Instrumentation byte-code (I)
Source code Compilation Byte-code
Load
Virtual machine
Loader
JIT
Lib
Lib
Execute
Lib
Machine code
www.dsecrg.com CONFidence Krakow 2012 16

17. Instrumentation byte code (II)
• Byte-code
– Static instrumentation
• Static byte code instrumentation
– Load-time instrumentation
• Custom byte code loader
– Dynamic instrumentation
• Dynamic byte-code instrumentation
www.dsecrg.com CONFidence Krakow 2012 17

18. Instrumentation Java (I)
Mechanisms:
• java.lang.instrument package;
• Java Platform Debugger Architecture (JPDA) .
www.dsecrg.com CONFidence Krakow 2012 18

19. Instrumentation Java (II)
• Static instrumentation
– Modification *.class files
• Load-time instrumentation
– ClassFileLoadHook
– Custom ClassLoader
• Dynamic instrumentation
– ClassFileLoadHook -> RetransformClasses
Tools: Javassist, ObjectWeb ASM, BCEL, JOIE, reJ
JavaSnoop, Serp, JMangler
www.dsecrg.com CONFidence Krakow 2012 19

20. Instrumentation .NET
• Static instrumentation
– Modification DLL files
• Load-time instrumentation
– AppDomain.Load()/Assembly.Load()
– Joint redirection
– Via event handler
Tools: ReFrameworker, MBEL, RAIL, Cecil
www.dsecrg.com CONFidence Krakow 2012 20

21. Instrumentation ActionScript (I)
• ActionScript2
– AVM
– Tags that (can) contain bytecode:
• DefineButton (7), DefineButton2 (34), DefineSprite (39),
DoAction (12), DoInitAction (59), PlaceObject2 (26),
PlaceObject3 (70).
• ActionScript3
– AVM2
– Tags that (can) contain bytecode:
• DoABC (82), RawABC (72).
www.dsecrg.com CONFidence Krakow 2012 21

22. AVM2 Architecture
AS3
.abc
function (x:int):int {
return x+10
}
.abc parser
MIR
JIT Compiler
.abc
@1 arg +8// argv
getlocal 1 Verifier
Bytecode MIR Code Generator
@2 load [@1+4]
pushint 10
@3 imm 10
add
@4 add (@2,@3)
returnvalue
Interpreter MD Code Generator
@5 ret @4 // @4:eax
(x86, PPC, ARM, etc.)
x86
Runtime System (Type System, Object Model)
mov eax,(eap+8)
mov eax,(eax+4)
add eax,10
Memory Manager/Garbage Collector
ret
www.dsecrg.com CONFidence Krakow 2012 22

23. Instrumentation ActionScript (I)
AVM tag
Original SWF file
Header Tags
Instrumenteted
SWF file
www.dsecrg.com CONFidence Krakow 2012 23

24. Instrumentation AVM (II)
• Static instrumentation
– Add :
• trace()
• dump()
• debug()
• debugfile()
• debugline()
– Modification:
• Create own class + change class name = hook!
www.dsecrg.com CONFidence Krakow 2012 24

25. Instrumentation binary code
• The executable file • Environment
– Static code instrumentation – Modifying call table
• Static binary instrumentation • IDT, CPU MSRs, GDT, SSDT,
• Process IRP тable
– Debuggers • …
• Debugging API – Modifying OS options
– Modifying call table/other structure • SHIM
• IAT • LD_PRELOAD
• … • AppInt_DLLs
– Dynamic code instrumentation • DLL injection
• Dynamic binary instrumentation • …
• Hardware – Reproduction of the
– Hardware debug features environment
• Debug registers • Emulation
• Hardware debuggers • Virtualization
• …
www.dsecrg.com CONFidence Krakow 2012 25

26. Static Binary Instrumentation (I)
Static binary instrumentation/Physical code
integration/Static binary code rewriting
Edited Header
Header
• Realization: Segment of Segment of
code code
– With reallocation:
Segment of Segment of
• Level of segment; data data
• Level of function; Extra segment
of code
– Without reallocation.
Extra segment
of data
www.dsecrg.com CONFidence Krakow 2012 26

27. Static Binary Instrumentation (II)
Reallocation:
1) Function Displacement + Entry Point Linking;
2) Branch Conversion;
3) Instruction Padding;
4) Instrumentation.
Tools: DynInst, EEL, ATOM, PEBIL, ERESI, TAU,
Vulcan, BIRD, Aslan(4514N)
www.dsecrg.com CONFidence Krakow 2012 27

28. Debuggers
• Breakpoints:
• Software
App Debugger
• Hardware
• Debugger + scripting: OS
• WinDBG + pykd
• OllyDBG + python = Immunity Debuggers Processor
• GDB + PythonGDB
• Python library's*: Buggery, IDAPython, ImmLIB, lldb, PyDBG,
PyDbgEng, pygdb , python-ptrace , vtrace, WinAppDbg, …
*See “Python Arsenal for Reverse Engineering”
www.dsecrg.com CONFidence Krakow 2012 28

29. Dynamic Binary Instrumentation
Dynamic binary instrumentation/Virtual code
integration/Dynamic binary rewriting
DBI
App1 App2
OS
Processor
Tools: PIN, DynamoRIO, DynInst, Valgrind, BAP,
KEDR, Fit, ERESI, Detour, Vulcan, SpiderPig
www.dsecrg.com CONFidence Krakow 2012 29

30. Dynamic Binary Instrumentation
• Dynamic Binary Instrumentation (DBI) is a process control and
analysis technique that involves injecting instrumentation code
into a running process.
• Dynamic binary analysis (DBA) tools such as profilers and
checkers help programmers create better software.
• Dynamic binary instrumentation (DBI) frameworks make it easy
to build new DBA tools.
•DBA tools consist:
– instrumentation routines;
– analysis routines.
www.dsecrg.com CONFidence Krakow 2012 30

31. Kinds of DBI
Mode: Mode of work:
– user-mode; - Start to finish;
– kernel-mode. - Attach.
Modes of execution:
Functionality
JIT
– Interpretation-mode;
– Probe-mode; Probe
– JIT-mode. Performance
www.dsecrg.com CONFidence Krakow 2012 31

32. DBI Frameworks*
Frameworks OS Arch Modes Features
PIN Linux, x86, x86-64, JIT, Probe Attach mode
Windows, Itanium, ARM
MacOS
DynamoRIO Linux, x86, x86-64 JIT, Probe Runtime
Windows optimization
DynInst Linux, x86, x86-64, Probe Static &
FreeBSD, ppc32, ARM, Dynamic binary
Windows ppc64 instrumentation
Valgrind Linux, MacOS x86, x86-64, JIT IR – VEX,
ppc32, ARM, Heavyweight
ppc64 DBA tools
*For more details see “DBI:Intro” presentation from ZeroNights conference
www.dsecrg.com CONFidence Krakow 2012 32

33. Start work with DBI
www.dsecrg.com CONFidence Krakow 2012 33

34. Levels of granularity
• Instruction;
• Basic Block*;
• Trace/Superblock;
• Function;
• Section;
• Events;
• Binary image.
www.dsecrg.com CONFidence Krakow 2012 34

35. Self-modifying code & DBI
Detect:
– Written-protecting code pages
– Checking store address
– Inserting extra code
www.dsecrg.com CONFidence Krakow 2012 35

36. Overhead
O=X+Y
Y = N*Z
Z = K+L
O – Tool Overhead;
X – Instrumentation Routines Overhead;
Y – Analysis Routines Overhead;
N – Frequency of Calling Analysis Routine;
Z – Work Performed in the Analysis Routine;
K – Work Required to Transition to Analysis Routine;
L – Work Performed Inside the Analysis Routine.
www.dsecrg.com CONFidence Krakow 2012 36

37. Rewriting instructions
• Platforms:
– with fixed-length instruction;
– with variable-length instructions.
www.dsecrg.com CONFidence Krakow 2012 37

38. Rewriting code (I)
• Easy / simple / boring / regular example
– Rewriting prolog function
www.dsecrg.com CONFidence Krakow 2012 38

39. Rewriting code (II)
• Hardcore example:
– Mobile phone firmware rewriting
Bootloader
reboot
Flash
SHELLCODE 1 AMSS
Malicious SMS
GSM
Baseband processor
www.dsecrg.com CONFidence Krakow 2012 39

40. Instrumentation in ARM
ARM modes:
– ARM
• Length(instr) = 4 byte
– Thumb
• Length(instr) = 2 byte
– Thumb2
• Length(instr) = 2/4 byte
– Jazzle
For more detail see “A Dynamic Binary Instrumentation Engine for the ARM
Architecture” presentation.
www.dsecrg.com CONFidence Krakow 2012 40

41. Emulation
App1 OS
Emulator
OS
Processor
www.dsecrg.com CONFidence Krakow 2012 41

42. Instrumentation & Bochs
• Bochs can be called with instrumentation support.
• C++ callbacks occur when certain events happen:
– Poweron/Reset/Shutdown;
– Branch Taken/Not Taken/Unconditional;
– Opcode Decode (All relevant fields, lengths);
– Interrupt /Exception;
– Cache /TLB Flush/Prefetch;
– Memory Read/Write.
• “bochs-python-instrumentation” patch by Ero Carrera
www.dsecrg.com CONFidence Krakow 2012 42

43. Virtualization
App1 OS
App1 OS
VMM
VMM OS
Processor Processor
Native VMM Hosted VMM
*VMM - Virtual Machine Monitor
www.dsecrg.com CONFidence Krakow 2012 43

44. Instrumentation & virtualization
Stages:
1. Save the VM-exit reason information in the VMCS;
2. Save guest context information;
3. Load the host-state area;
4. Transfer control to the hypervisor;
5. Run own code.
*VMCS - Virtual Machine Control Structure
www.dsecrg.com CONFidence Krakow 2012 44

45. Instrumentation in
Mobile World
Mobile Platform Language Executable file format
Android Java Dex
iOS Objective-C Mach-O
Windows Phone .NET PE
www.dsecrg.com CONFidence Krakow 2012 45

46. Conclusion
One can implement instrumentation of everything!
www.dsecrg.com CONFidence Krakow 2012 46

47. Contact
Twitter: @evdokimovds
E-mail: d.evdokimov@dsecrg.com
www.dsecrg.com CONFidence Krakow 2012 47

48. Windows 8
• Apps:
– C++ & DirectX
– C# & XAML
– HTML & JavaScript & CSS
www.dsecrg.com CONFidence Krakow 2012 48