Including register values in the trace

[gitttt]

Hi!

In your paper you write:

It is also possible to record the content of CPU registers but this would slow
down acquisition and increase the size of traces significantly

Does this mean TracerGrind / TracerPIN can do it already? Or does it mean, in principle, a DBI framework can do this?

If the first is the case: How can I tell the tracer to include the register values in the trace?
If the second is the case: Do you have any hints for me how to extend TracerGrind / TracerPIN to support the tracing of register values?

Thanks for your help!
Best regards

[doegox]

Hi Jan

No, the current plugins don't support it yet.

If you are ready to help, feel free to try :)
For PIN, see PIN_GetContextReg and PIN_GetPhysicalContextReg
You can also have a look at IDA Pro idapin plugin sourcecode:
https://www.hex-rays.com/products/ida/support/freefiles/idapin69.zip

For Valgrind I've no idea.
Best regards

[gitttt]

Thanks for the hints and the instant answer!

[gitttt]

What format would you suggest for a (hypothetical) trace including register values? E.g. the name of the register in ASCII text followed by the value in 'raw' bytes?

[doegox]

hmm you're talking about the bin log produced by TracerGrind?

For TracerGrind, see trace_protocol.h and add a MsgType in the enum, e.g. MSG_REG and a structure e.g.

typedef struct _MemoryMsg
{
    uint64_t exec_id;
    uint64_t ins_address;
    uint8_t regnamelength;
    char* regname;
    uint64_t length;
    uint8_t *data;
} RegMsg;

To reduce trace size, try to log only the registers that were written to, if any

For TracerPIN in human format, e.g. sth like this, one line per written register:

[X]       105        0x402586                                                        rax                size= 8 value=0x0000000000000028

([R] is already taken...)