1

In one of my analysis routines I received as input a void* pointer, which may or not may be a "good" pointer to a string.

To check the case of a bad pointer I use the IsBadPointer variant proposed here Most efficient replacement for IsBadReadPtr?

However, this is not completely reliable. So, I wanted to catch the RECEIVED_ACCESS_FAULT exception raised when it is tried to deference a bad pointer, change the value of the pointer to a good value and then continue with the execution.

So, to try this out I deferenced a global NULL pointer (string_pointer) in my analysis routine and I set the exception handler as follows:

    EXCEPT_HANDLING_RESULT ExceptionHandler(THREADID tid, EXCEPTION_INFO *pExceptInfo, PHYSICAL_CONTEXT *pPhysCtxt, VOID *v)
{
    EXCEPTION_CODE c = PIN_GetExceptionCode(pExceptInfo);
    EXCEPTION_CLASS cl = PIN_GetExceptionClass(c);
    std::cerr << "Exception class " << cl << endl;
    std::cerr << PIN_ExceptionToString(pExceptInfo) << endl;

    //Change string_pointer contents from NULL
    string_pointer = "<Invalid Memory>";

    return EHR_HANDLED;
}

Unfortunately, this does not work as the pin tool gets stucked in the exception handler. Any suggestions to fix this?

Hadi Brais
  • 22,259
  • 3
  • 54
  • 95
Simus
  • 319
  • 2
  • 18
  • Pin won't catch faults thrown in analysis code. You should use Hadi's solution and look for the terminating NULL yourself. – nitzanms Jun 01 '18 at 11:02

1 Answers1

1

You should always access application memory from your analysis routines using PIN_SafeCopy(), which is declared as follows:

size_t LEVEL_PINCLIENT::PIN_SafeCopy(VOID* dst, const VOID* src, size_t size)

The function returns the number of bytes successfully copied from the source buffer. So you can compare it to size to determine whether it was fully successful or not. PIN_SafeCopyEx() is a similar function that provides additional information in case of failure.

Hadi Brais
  • 22,259
  • 3
  • 54
  • 95
  • The problem is that I don't know how long the string is supposed to be in advance. That's why I ruled out safe copy and instead tried to solve this issue via exception handling. – Simus Jun 01 '18 at 07:56
  • @Simus You can still use `PIN_SafeCopy` in a loop until it returns zero. Although that seems wrong to me that you don't know the size. You should know the size or there should be some terminating character. – Hadi Brais Jun 01 '18 at 15:09
  • or until the returned value is smaller than `size`. – Hadi Brais Jun 01 '18 at 15:15