What IARG_EXPLICIT_MEMORY_EA should be used for?

2

I am willing to instrument lea instructions, followed by a call to PIN_SafeCopy() to capture the content of the memory. I tried with IARG_MEMORY_READ_EA but it did not work. So I move to IARG_EXPLICIT_MEMORY_EA as it is written in the fine manual that it is usefull to instrument lea instructions.

But it is not working neither. Taking the following instruction:

 lea eax, ptr [r11+0x1]

The address I get with IARG_EXPLICIT_MEMORY_EA is 0x00000088 which I cannot use with PIN_SafeCopy()

My question is: Is IARG_EXPLICIT_MEMORY_EA intended to compute the effective address of a lea instruction (that is loaded into the register) or is it something else ?

I would understand that there is no real need to compute the effective address as it is the job of the instruction itself...still I want to make sure my understanding is correct.

Bonus question: what's the difference between IARG_MEMORYREAD_EA|IARG_MEMORYWRITE_EA and IARG_MEMORYOP_EA ?

x86
profiling
instrumentation
intel-pin
asked on Stack Overflow Jul 14, 2019 by Heyji • edited Jul 15, 2019 by Hadi Brais

1 Answer

3

IARG_EXPLICIT_MEMORY_EA represents the effective address of an explicit memory operand, which is a memory operand that is specified by dedicated bits in the instruction encoding. In x86, there can be at most one explicit memory operand. lea does have an explicit memory operand, but many other instructions may also have explicit memory operands. push, pop, and string instructions have implicit memory operands. IARG_EXPLICIT_MEMORY_EA is only valid if INS_HasExplicitMemoryReference is true.

The essential difference between lea and other instructions that have memory operands is that lea does not use its memory operand to access memory. In fact, the effective address calculated using lea may not even be a memory address. lea has advantages over other (combinations of) instructions for doing arithmetic. So if the effective address in lea eax, ptr [r11+0x1] is 0x00000088, then lea is probably being used to just add r11 and 0x1 and store the result in eax. The effective address is not actually being used to access memory (in a later instruction).

My question is: Is IARG_EXPLICIT_MEMORY_EA intended to compute the effective address of a lea instruction (that is loaded into the register) or is it something else ?

Yes, but not just lea. The effective address of any instruction with an explicit memory operand can be captured using IARG_EXPLICIT_MEMORY_EA and passed to an analysis routine.

If you are only interested in lea, then use INS_IsLea before injecting a call to an analysis routine.

Bonus question: what's the difference between IARG_MEMORYREAD_EA|IARG_MEMORYWRITE_EA and IARG_MEMORYOP_EA ?

There is no such a thing as IARG_MEMORYREAD_EA|IARG_MEMORYWRITE_EA. The value of IARG_MEMORYREAD_EA|IARG_MEMORYWRITE_EA may or may not be equal to IARG_MEMORYOP_EA and it could mean any of the IARG_* arguments or nothing.

Note that IARG_MEMORYREAD_EA, IARG_MEMORYWRITE_EA, IARG_MEMORYREAD2_EA, and IARG_MEMORYOP_EA represent explicit or implicit memory operands that are actually used by the instruction to access memory. IARG_MEMORYREAD_EA is only valid if INS_IsMemoryRead is true. IARG_MEMORYWRITE_EA is only valid if INS_IsMemoryWrite is true. IARG_MEMORYREAD2_EA is only valid if INS_HasMemoryRead2 is true. Finally, IARG_MEMORYOP_EA is only valid if at least one of INS_IsMemoryRead or INS_IsMemoryWrite are true.

answered on Stack Overflow Jul 15, 2019 by Hadi Brais

User contributions licensed under CC BY-SA 3.0