Facing challenge in making some changes in GDB for my personal project


Facing challenge in making some changes in GDB for my personal project

krishnan gosakan
Hi,
This is my first message in this mailing group. I am pretty new to gdb code
base. I am thinking of implementing something similar to findcrypt in IDA
pro in GDB. I first tried to script it in python but it took so long that
it is impractical. So, I decided to get the GDB source and make a few
modifications such that I can add a new command (like run, step, etc.) which
does the same.
This command has two parts: It should do a single step execution. After
each step, I should disassemble the current instruction and find if any
crypto constants are used.
I am facing difficulty in disassembling the instructions. As far as I
analysed the source code, there is no option for returning the disassembled
information as some kind of object to the caller. All that is available is
functions which can print the disassembled instruction. So, I would like to
know how I could get the disassembled instruction as some kind of object,
which I can use for future analysis.
Thank you in advance for any help.

Regards,
G.Krishnan.

Re: Facing challenge in making some changes in GDB for my personal project

Ruslan Kabatsayev
Hi,

On Sun, 4 Aug 2019 at 19:14, krishnan gosakan
<[hidden email]> wrote:

>
> Hi,
> This is my first message in this mailing group. I am pretty new to gdb code
> base. I am thinking of implementing something similar to findcrypt in IDA
> pro in GDB. I first tried to script it in python but it took so long that
> it is impractical. So, I decided to get the GDB source and make a few
> modifications such that I can add a new command(like run,step etc..) which
> does the same.
> This command has two parts: It should do a single step execution. After
> each step, I should disassemble the current instruction and find if any
> crypto constants are used.
> I am facing difficulty in disassembling the instructions. As far as I
> analysed the source code, there is no option for returning the disassembled
> information as some kind of object to caller. All that is available is
> functions which can print the disassembled instruction. So, I would like to
> know how I could get the disassembled instruction as some kind of object,
> which I can use for future analysis.

I'm afraid binutils' disassembler doesn't provide such in-depth
information on the instructions as their operands, affected registers
etc.: it can only format the disassembly string.
I suggest you try a specialized disassembler like e.g. Capstone [1]
to do the analysis. I have actually used it to implement some
instruction analysis in another debugger (EDB) and, although some
quirks are sometimes required, Capstone does do its job generally.

[1]: https://github.com/aquynh/capstone

Regards,
Ruslan

> Thank you in advance for any help.
>
> Regards,
> G.Krishnan.
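Neither message contains code, so the following is an added example rather than anything from the thread, GDB or Capstone itself. It sketches what the original poster describes: a findcrypt-style check run on each stepped instruction. It combines the classic approach (scanning raw bytes for well-known constants, which needs no disassembler) with the operand-level approach Ruslan recommends (Capstone in detail mode, inspecting immediate operands). The function and variable names, the hand-assembled x86-64 sample code and the sample data are all constructed for this example; the constant values are the public MD5/SHA-1/SHA-256/AES specification values. If the Capstone Python binding is not installed, only the raw-byte scan runs.

```python
"""findcrypt-style constant scan (added example; not code from the thread,
GDB or Capstone). Two complementary checks:

  * scan_buffer(): the classic findcrypt approach, searching raw memory for
    well-known constants without any disassembler;
  * scan_code(): the operand-level approach from the reply above, using
    Capstone's detail mode to look at each instruction's immediate operands.
"""
import struct

try:
    from capstone import Cs, CS_ARCH_X86, CS_MODE_64
    from capstone.x86 import X86_OP_IMM
    HAVE_CAPSTONE = True
except ImportError:  # Capstone is optional here; scan_buffer() still works without it
    HAVE_CAPSTONE = False

# 32-bit words that identify common algorithms (values from the public specs).
WORD_CONSTANTS = {
    0x67452301: "MD5/SHA-1 initial state A",
    0xEFCDAB89: "MD5/SHA-1 initial state B",
    0x98BADCFE: "MD5/SHA-1 initial state C",
    0x10325476: "MD5/SHA-1 initial state D",
    0xC3D2E1F0: "SHA-1 initial state E",
    0x6A09E667: "SHA-256 H0",
    0xBB67AE85: "SHA-256 H1",
    0x428A2F98: "SHA-256 K[0]",
    0x71374491: "SHA-256 K[1]",
}

# Byte tables, matched as a raw prefix (first 8 bytes of the AES forward S-box).
TABLE_PREFIXES = {
    bytes.fromhex("637c777bf26b6fc5"): "AES forward S-box",
}


def match_word(value):
    """Return the constant's name if `value` (masked to 32 bits) is known, else None.

    Masking also catches sign-extended immediates a disassembler may report.
    """
    return WORD_CONSTANTS.get(value & 0xFFFFFFFF)


def scan_buffer(buf, base=0):
    """Classic findcrypt: find little-endian constant words and table prefixes in raw bytes.

    Returns a sorted list of (address, constant name) tuples.
    """
    hits = []
    for off in range(len(buf) - 3):
        name = match_word(struct.unpack_from("<I", buf, off)[0])
        if name:
            hits.append((base + off, name))
    for prefix, name in TABLE_PREFIXES.items():
        off = buf.find(prefix)
        while off != -1:
            hits.append((base + off, name))
            off = buf.find(prefix, off + 1)
    return sorted(hits)


def scan_code(code, base=0x1000):
    """Operand-level check: instructions whose immediate operand is a crypto constant.

    Returns (address, "mnemonic operands", constant name) tuples; [] without Capstone.
    """
    if not HAVE_CAPSTONE:
        return []
    md = Cs(CS_ARCH_X86, CS_MODE_64)
    md.detail = True  # required, otherwise insn.operands is not populated
    hits = []
    for insn in md.disasm(code, base):
        for op in insn.operands:
            if op.type == X86_OP_IMM:
                name = match_word(op.imm)
                if name:
                    hits.append((insn.address, f"{insn.mnemonic} {insn.op_str}", name))
    return hits


# Constructed sample code: `mov eax, 0x6a09e667; mov edx, 0x428a2f98; ret`, hand-assembled.
SAMPLE_CODE = bytes.fromhex("b867e6096a" "ba982f8a42" "c3")
# Constructed sample data: padding, the SHA-1 E constant, then the start of the AES S-box.
SAMPLE_DATA = b"\x00" * 4 + struct.pack("<I", 0xC3D2E1F0) + bytes.fromhex("637c777bf26b6fc5")

if __name__ == "__main__":
    for addr, name in scan_buffer(SAMPLE_DATA, base=0x2000):
        print(f"data 0x{addr:x}: {name}")
    for addr, text, name in scan_code(SAMPLE_CODE):
        print(f"code 0x{addr:x}: {text:<22} -> {name}")
```

In a debugger command of the kind described in the post, `scan_code` would be handed the bytes at the current program counter after each single step, and `scan_buffer` would be run once over the readable data sections; reporting both the address and the matched constant name is what lets a human confirm the hit is a real use of the algorithm rather than a coincidental value.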

Re: Facing challenge in making some changes in GDB for my personal project

Ruslan Kabatsayev
In reply to this post by krishnan gosakan
On Mon, 5 Aug 2019 at 20:40, krishnan gosakan
<[hidden email]> wrote:
>
> Hi Ruslan Kabatsayev,

Hi,
Please keep your replies to the mailing list directed at the mailing
list too, not exclusively to me (i.e. use the "Reply to All" function
of your mail client).

> Thanks for your response. I will definitely try Capstone for disassembly.
> But I have a few more queries related to gdb. Is there any special reason why the binutils disassembler is designed in such a way that the disassembly part and the printing part are tightly coupled?
> I think it is good if we keep these two parts separate. Is there any special reason why it is this way? I admit that this model is simplistic, but apart from that is there anything which makes these two parts together?

Generalizing the disassembler would make it more complex and much
larger for little reason: none of the programs using it are even close
to requiring this level of detail about the instructions. See e.g.
GDB, objdump, QEMU — they only need to dump textual representation of
the machine code, nothing more.

Other programs like EDB, radare2 and x64dbg indeed need this, and they
use other disassembly engines like Capstone or Zydis.

>
> Regards,
> G.Krishnan.
>
> On Mon, Aug 5, 2019 at 3:13 PM Ruslan Kabatsayev <[hidden email]> wrote:
>>
>> Hi,
>>
>> On Sun, 4 Aug 2019 at 19:14, krishnan gosakan
>> <[hidden email]> wrote:
>> >
>> > Hi,
>> > This is my first message in this mailing group. I am pretty new to gdb code
>> > base. I am thinking of implementing something similar to findcrypt in IDA
>> > pro in GDB. I first tried to script it in python but it took so long that
>> > it is impractical. So, I decided to get the GDB source and make a few
>> > modifications such that I can add a new command(like run,step etc..) which
>> > does the same.
>> > This command has two parts: It should do a single step execution. After
>> > each step, I should disassemble the current instruction and find if any
>> > crypto constants are used.
>> > I am facing difficulty in disassembling the instructions. As far as I
>> > analysed the source code, there is no option for returning the disassembled
>> > information as some kind of object to caller. All that is available is
>> > functions which can print the disassembled instruction. So, I would like to
>> > know how I could get the disassembled instruction as some kind of object,
>> > which I can use for future analysis.
>>
>> I'm afraid binutils' disassembler doesn't provide such in-depth
>> information on the instructions as their operands, affected registers
>> etc.: it can only format the disassembly string.
>> I suggest you to try a specialized disassembler like e.g. Capstone [1]
>> to do the analysis. I have actually used it to implement some
>> instruction analysis in another debugger (EDB) and, although some
>> quirks are sometimes required, Capstone does do its job generally.
>>
>> [1]: https://github.com/aquynh/capstone
>>
>> Regards,
>> Ruslan
>>
>> > Thank you in advance for any help.
>> >
>> > Regards,
>> > G.Krishnan.