a simple app embedded CPU emulator to intercept all memory reads/writes
Posted by dmitry sychov on March 8th, 2007


Hello,

I need to classify to some degree & analyze all the data allocated &
used in one program at run-time.
The application is a large one and comes in binary form only (Windows XP+)
- so source code is available.

Generally, there are about 20K-60K dynamic (that is, from the heap)
allocations in existence at any time.
Most of them are C++ objects.

I was successful in injecting a DLL into the target process at
startup, so that I can overwrite
the program's first to-be-executed instructions with a jump to the
custom routine - the start
of the CPU emulator.

Why do I think I need an emulator here? Well, interpreting every
instruction of the execution flow via a
CPU simulator allows me to easily track all memory read/write ops -
and this is exactly what
I need to analyze all of the program's dynamically allocated data blocks.

So I need to implement a simple CPU instruction simulator. Currently,
I am at the very beginning
and trying to predict all the difficulties I will face and all the hard
things to deal with. I am
going to list them in the numbered list below with some general
thoughts - please comment on them.

1) The majority of CPU instructions affect only the CPU state (its
registers) and memory
state (on mem write). I see no problems in emulating them.

2) Now come some special ops like "out" which I absolutely can't
emulate, so I should execute them natively.
Some instructions expect certain registers to be initialized with
input arguments - so I have to
temporarily switch my emulator to 'native mode', set up the input
registers, execute the instruction as-is,
hoping there are no side effects like EIP changing, and then switch back
to emulation mode - I hope there
are no problems with such an approach?

2.1) What about instructions which should be executed natively &
update EIP as the result - do
such kinds of ops exist, and if yes, how can they be handled?

3) The application runs multiple threads - so I should hook the thread start
routine (Windows: CreateThread)
to point it to the CPU emulator instead. Currently I see no difficulties
with this.

If you think of anything else I overlooked - your input is highly
welcome!

Thank you, Dmitry

p.s. sorry for my somewhat bad English - I am doing my best with it
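The interpreter sketched in point 1, as an added example that is not part of the original post: a toy 32-bit x86 interpreter in C that decodes a handful of real opcodes (MOV r32,imm32; MOV r32,r/m32; MOV r/m32,r32; ADD r/m32,r32; ADD EAX,imm32; RET) and routes every data read and write through two hook functions, which is where a tracer would classify the address against its table of heap blocks. Everything here is assumed for illustration: a flat 64 KiB guest memory, a hand-assembled sample program loaded at guest address 0x100, a sentinel return address that stops the run loop, and no EFLAGS modelling.

```c
/* Toy 32-bit x86 interpreter with a data-access hook (constructed example,
 * not the poster's code). Guest memory is a flat 64 KiB array; instruction
 * fetches are NOT logged, only data reads/writes, which is the split the
 * post cares about. Only a handful of opcodes are decoded. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI };
enum { MEM_SIZE = 0x10000, LOG_MAX = 256 };
#define EIP_EXIT 0xFFFFFFFFu          /* sentinel return address = halt */

typedef struct { uint32_t reg[8]; uint32_t eip; } cpu_t;
typedef struct { uint32_t addr, value; int is_write; } access_t;
typedef struct { int is_reg; int reg, rm; uint32_t ea; } operand_t;

static uint8_t  mem[MEM_SIZE];
static access_t acc_log[LOG_MAX];
static int      acc_count, fault;

/* Every data access funnels through these two; a real tracer would
 * classify 'a' against its table of heap blocks here. */
static uint32_t mem_read32(uint32_t a) {
    uint32_t v = 0;
    if (a > MEM_SIZE - 4) { fault = 1; return 0; }
    memcpy(&v, &mem[a], 4);                      /* little-endian host assumed */
    if (acc_count < LOG_MAX) acc_log[acc_count++] = (access_t){a, v, 0};
    return v;
}
static void mem_write32(uint32_t a, uint32_t v) {
    if (a > MEM_SIZE - 4) { fault = 1; return; }
    memcpy(&mem[a], &v, 4);
    if (acc_count < LOG_MAX) acc_log[acc_count++] = (access_t){a, v, 1};
}

/* Instruction fetch: not logged, so code reads never pollute the data log. */
static uint8_t fetch8(cpu_t *c) { return mem[c->eip++ & (MEM_SIZE - 1)]; }
static uint32_t fetch32(cpu_t *c) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) v |= (uint32_t)fetch8(c) << (8 * i);
    return v;
}

/* ModRM: register (mod=11), [disp32] (mod=00 rm=101), [reg], [reg+disp8],
 * [reg+disp32]. rm=100 would need a SIB byte, which is not implemented. */
static int decode_modrm(cpu_t *c, operand_t *op) {
    uint8_t m = fetch8(c);
    int mod = m >> 6;
    op->reg = (m >> 3) & 7; op->rm = m & 7; op->is_reg = (mod == 3);
    if (mod == 3) return 1;
    if (op->rm == 4) return 0;
    if (mod == 0 && op->rm == 5) { op->ea = fetch32(c); return 1; }
    op->ea = c->reg[op->rm];
    if (mod == 1) op->ea += (uint32_t)(int32_t)(int8_t)fetch8(c);
    else if (mod == 2) op->ea += fetch32(c);
    return 1;
}
static uint32_t rm_read(cpu_t *c, const operand_t *o) { return o->is_reg ? c->reg[o->rm] : mem_read32(o->ea); }
static void rm_write(cpu_t *c, const operand_t *o, uint32_t v) { if (o->is_reg) c->reg[o->rm] = v; else mem_write32(o->ea, v); }

/* One instruction. Returns 0 on an unsupported opcode. EFLAGS is not
 * modelled here; a real emulator must update it on ADD or later Jcc go wrong. */
static int step(cpu_t *c) {
    uint8_t op = fetch8(c);
    operand_t m;
    if (op >= 0xB8 && op <= 0xBF) { c->reg[op - 0xB8] = fetch32(c); return 1; } /* MOV r32, imm32 */
    switch (op) {
    case 0x8B: if (!decode_modrm(c, &m)) return 0; c->reg[m.reg] = rm_read(c, &m); return 1;                  /* MOV r32, r/m32 */
    case 0x89: if (!decode_modrm(c, &m)) return 0; rm_write(c, &m, c->reg[m.reg]); return 1;                  /* MOV r/m32, r32 */
    case 0x01: if (!decode_modrm(c, &m)) return 0; rm_write(c, &m, rm_read(c, &m) + c->reg[m.reg]); return 1; /* ADD r/m32, r32 */
    case 0x05: c->reg[EAX] += fetch32(c); return 1;                                                           /* ADD EAX, imm32 */
    case 0xC3: c->eip = mem_read32(c->reg[ESP]); c->reg[ESP] += 4; return 1;  /* RET: the return-address read is a data access too */
    default:   return 0;
    }
}

/* Hand-assembled sample program (constructed), loaded at guest 0x100:
 *   B8 34 12 00 00      mov  eax, 0x1234
 *   89 05 00 10 00 00   mov  [0x1000], eax
 *   8B 0D 00 10 00 00   mov  ecx, [0x1000]
 *   05 01 00 00 00      add  eax, 1
 *   01 05 00 10 00 00   add  [0x1000], eax
 *   C3                  ret                       */
static const uint8_t sample[] = {
    0xB8,0x34,0x12,0x00,0x00, 0x89,0x05,0x00,0x10,0x00,0x00, 0x8B,0x0D,0x00,0x10,0x00,0x00,
    0x05,0x01,0x00,0x00,0x00, 0x01,0x05,0x00,0x10,0x00,0x00, 0xC3 };

/* Run the sample to completion; returns the number of logged data accesses, -1 on error. */
int run_sample(cpu_t *c) {
    memset(mem, 0, sizeof mem); memset(c, 0, sizeof *c);
    memcpy(&mem[0x100], sample, sizeof sample);
    c->eip = 0x100; c->reg[ESP] = 0xFF00;
    mem_write32(0xFF00, EIP_EXIT);               /* return address on the stack */
    acc_count = 0; fault = 0;                    /* the setup write is not part of the trace */
    for (int n = 0; c->eip != EIP_EXIT && n < 100; n++)
        if (!step(c) || fault) return -1;
    return c->eip == EIP_EXIT ? acc_count : -1;
}

int main(void) {
    cpu_t c; int n = run_sample(&c);
    for (int i = 0; i < n; i++)
        printf("%c %08x = %08x\n", acc_log[i].is_write ? 'W' : 'R', acc_log[i].addr, acc_log[i].value);
    printf("eax=%08x ecx=%08x (%d data accesses)\n", c.reg[EAX], c.reg[ECX], n);
    return n < 0;
}
```

Running it logs five data accesses for the six-instruction sample: the store to 0x1000, the load into ECX, the read-modify-write pair from ADD, and the return-address read that RET performs on the stack. The last one is the kind of access that is easy to forget when only "obvious" loads and stores are counted, and the missing EFLAGS model is the first thing that breaks once conditional jumps are added.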

Posted by user923005 on March 8th, 2007


Have you seen this:
http://simh.trailing-edge.com/

Posted by Chris Uppal on March 9th, 2007


dmitry sychov wrote:

As far as CPU emulation goes, you might find it easier to start with
something like QEMU.
http://fabrice.bellard.free.fr/qemu/license.html

As far as instrumenting an existing executable goes, you might find that
DynamoRIO would help. I don't know whether it is still publicly
available (it used to be), but even if not then it may be a source of
good ideas:
http://www.cag.lcs.mit.edu/dynamorio/

But I also suspect that instrumenting/emulating the whole application
may be difficult or counter-productive if all (all !!) you want to do
is track reads and writes to dynamically allocated memory. It might be
worth considering a different approach based on swizzling the pointers
into malloc()ed space (malloc() in a general sense of course). The
general idea is to replace every pointer into malloc() space with an
individually identifiable bit pattern which "points" into unmapped
memory, and install a handler for the invalid access notifications from
the OS, which you trap, decode, and cause the original instruction to
resume with the "correct" value from the memory at the corresponding
real location. I don't know whether that is possible under Windows,
but I think it must be since similar techniques are used for quite a
lot of high performance systems. Please don't ask me for technical
details -- I don't know any ;-)

-- chris
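The trap-based approach above, as an added example that is neither Chris's nor Dmitry's code, assumed to run on Linux/x86-64 rather than the poster's Windows target: instead of swizzling pointers into unmapped memory, it keeps the tracked block's page PROT_NONE, catches the SIGSEGV that every access raises, records the faulting address and whether it was a read or a write (from the page-fault error code in the signal context), unprotects the page, sets the x86 trap flag so that exactly one instruction runs, and re-protects the page in the SIGTRAP handler. The Windows analogue is a vectored exception handler on EXCEPTION_ACCESS_VIOLATION with PAGE_NOACCESS pages and the TF bit in CONTEXT.EFlags. The gregs[] indices, the single tracked page and the five-access workload are assumptions of this example.

```c
/* Page-guard tracer (constructed example for Linux/x86-64, not from the
 * thread): keep a heap block's page PROT_NONE, catch the SIGSEGV each
 * access raises, log address and read/write, unprotect, let the one
 * instruction run under the x86 trap flag, and re-protect in SIGTRAP. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <ucontext.h>
#include <unistd.h>
#if !defined(__x86_64__) || !defined(__linux__)
#error "this example relies on the Linux x86-64 signal context layout"
#endif

/* Indices into uc_mcontext.gregs[] (glibc's REG_EFL / REG_ERR). */
#define GREG_EFL 17
#define GREG_ERR 19
#define X86_TF   0x100LL                  /* EFLAGS.TF: trap after the next instruction */
#define PF_WRITE 2                        /* page-fault error code bit 1: write access */

typedef struct { uintptr_t addr; int is_write; } access_t;
enum { LOG_MAX = 64 };
static volatile access_t acc_log[LOG_MAX];
static volatile int acc_count;
static uint8_t *guard;                    /* the single tracked page */
static size_t page_size;

static void on_segv(int sig, siginfo_t *si, void *ctx) {
    ucontext_t *uc = ctx;
    uintptr_t fa = (uintptr_t)si->si_addr;
    (void)sig;
    if (!guard || fa < (uintptr_t)guard || fa - (uintptr_t)guard >= page_size)
        _exit(99);                        /* a genuine crash, not a tracked access */
    if (acc_count < LOG_MAX) {
        acc_log[acc_count].addr = fa;
        acc_log[acc_count].is_write = (uc->uc_mcontext.gregs[GREG_ERR] & PF_WRITE) != 0;
        acc_count++;
    }
    mprotect(guard, page_size, PROT_READ | PROT_WRITE);   /* let the access complete... */
    uc->uc_mcontext.gregs[GREG_EFL] |= X86_TF;             /* ...but only that one instruction */
}

static void on_trap(int sig, siginfo_t *si, void *ctx) {
    ucontext_t *uc = ctx;
    (void)sig; (void)si;
    mprotect(guard, page_size, PROT_NONE);                 /* re-arm for the next access */
    uc->uc_mcontext.gregs[GREG_EFL] &= ~X86_TF;
}

/* Map one page, install the handlers, and hand the page out PROT_NONE. */
static uint32_t *guard_alloc(void) {
    struct sigaction sa;
    page_size = (size_t)sysconf(_SC_PAGESIZE);
    guard = mmap(NULL, page_size, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (guard == MAP_FAILED) { guard = NULL; return NULL; }
    memset(&sa, 0, sizeof sa);
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_SIGINFO;
    sa.sa_sigaction = on_segv; sigaction(SIGSEGV, &sa, NULL);
    sa.sa_sigaction = on_trap; sigaction(SIGTRAP, &sa, NULL);
    acc_count = 0;
    return (uint32_t *)guard;
}

static void guard_release(void) {
    signal(SIGSEGV, SIG_DFL); signal(SIGTRAP, SIG_DFL);
    munmap(guard, page_size); guard = NULL;
}

/* Three stores and two loads on the tracked block, as separate statements so
 * the volatile accesses are ordered. Returns the number of trapped accesses
 * (5) and stores the computed sum, or returns -1 on setup failure. */
int trace_demo(uint32_t *sum) {
    volatile uint32_t *p = guard_alloc();
    uint32_t a, b;
    if (!p) return -1;
    p[0] = 7; p[1] = 35; p[2] = 100;
    a = p[0];
    b = p[2];
    *sum = a + b;
    guard_release();
    return acc_count;
}

int main(void) {
    uint32_t sum = 0;
    int n = trace_demo(&sum);
    for (int i = 0; i < n; i++)
        printf("%c %p\n", acc_log[i].is_write ? 'W' : 'R', (void *)acc_log[i].addr);
    printf("sum=%u, %d trapped accesses\n", sum, n);
    return n != 5;
}
```

Each access costs two signal deliveries and two mprotect calls, which is why this works for a few tracked objects but not for the 20K-60K live allocations the original post mentions without batching (tracking whole pages, or whole size classes, and re-protecting lazily). The guard-page check in on_segv matters: without it a genuine crash elsewhere would loop forever between the handler and the faulting instruction.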

Posted by Chris Uppal on March 9th, 2007


I wrote:

A couple more links which may be relevant (not related to the above,
but similar ideas):

http://valgrind.org/docs/manual/tech-docs.html
http://bochs.sourceforge.net/

-- chris
