I have written a pintool. It implements a stack for a program while instructions are executed. In case a call instruction is encountered, it pushes the address of the next instruction in sequence onto the stack. When the called procedure is completed and the return instruction is encountered, it verifies that the target address of the ret instruction is equal to the top of the stack and pops the top.
Normally the number of call instructions should be equal to the number of return instructions, but this tool monitors a larger number of return instructions. How is this possible? What is the problem? How can I solve it?
Edit 1: code for the pintool:
#include <iostream>
#include <stack>
#include "pin.H"

using namespace std;

// Shadow stack of expected return addresses. It is shared by all threads of
// the traced program; a multithreaded target would need one stack per thread.
static stack<ADDRINT> s;
static UINT64 icount1 = 0;   // call instructions seen
static UINT64 icount2 = 0;   // return instructions seen

// Analysis routine for a taken call: remember where the callee must return.
// Addresses are ADDRINT (pointer-sized); int would truncate them on 64-bit.
VOID f_jump(ADDRINT target, ADDRINT retaddr)
{
    s.push(retaddr);
    cout << s.top() << "\t";
    icount1++;
}

// Analysis routine before a ret: the return target must match the top entry.
VOID f_ret(ADDRINT ip, ADDRINT target)
{
    // s.top() on an empty stack is undefined behaviour, so check first;
    // a ret with nothing recorded is reported like any other mismatch.
    if (!s.empty() && target == s.top())
    {
        cout << s.top();
        s.pop();
        cout << "\tOK" << endl;
    }
    else
        cout << "Exploit\t" << endl << (s.empty() ? ADDRINT(0) : s.top()) << "\t" << target << endl;
    icount2++;
}

// Instrumentation routine: attach the analysis calls to every call and ret.
VOID Instruction(INS ins, VOID *v)
{
    if (INS_IsCall(ins))
    {
        INS_InsertCall(ins, IPOINT_TAKEN_BRANCH, AFUNPTR(f_jump),
                       IARG_BRANCH_TARGET_ADDR, IARG_RETURN_IP, IARG_END);
    }
    if (INS_IsRet(ins))
    {
        INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(f_ret),
                       IARG_INST_PTR, IARG_BRANCH_TARGET_ADDR, IARG_END);
    }
}

int main(int argc, char *argv[])
{
    if (PIN_Init(argc, argv)) return 1;
    INS_AddInstrumentFunction(Instruction, 0);
    PIN_StartProgram();   // never returns
    return 0;
}
I ran it on various binaries and processes, but the problem remained the same. Please help.
You can have longjmp, C++ exceptions or exit calls in a function call, which make you miss the return instructions of that function call.
This has been discussed many times here.
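The answer above names longjmp, C++ exceptions and exit as ways a called function can end without its ret ever executing; the shadow stack in the question then keeps a stale entry, and every later comparison against s.top() is off. One way to tolerate that, shown here as an added example (not code from the question or from Pin, and a plain C++ simulation over a constructed call/ret trace rather than a pintool), is to record the stack slot that holds each return address alongside the address itself; in a real pintool the stack pointer would come from IARG_REG_VALUE with REG_STACK_PTR, and the address type would be ADDRINT. When a ret executes with a stack pointer above an entry's slot, that entry belonged to a frame that was abandoned, so it is discarded and counted rather than reported; only a return whose target differs from the entry for the slot actually being popped is a real violation. All addresses and stack-pointer values in the trace are constructed.

```cpp
// Shadow-stack checker tolerant of frames abandoned by longjmp / exceptions.
// Standalone simulation: no Pin dependency, constructed trace values.
#include <cstdint>
#include <cstdio>
#include <vector>

using Addr = uint64_t;   // stands in for Pin's ADDRINT

struct Frame {
    Addr retAddr;   // address the call is expected to return to
    Addr slot;      // stack address where that return address was pushed
};

struct ShadowStack {
    std::vector<Frame> frames;
    unsigned calls = 0, rets = 0, skipped = 0, violations = 0;

    // At a taken call: spBefore is the stack pointer before the call
    // executes, so the return address is pushed at spBefore - 8 (x86-64).
    void onCall(Addr retAddr, Addr spBefore) {
        ++calls;
        frames.push_back({retAddr, spBefore - 8});
    }

    // Before a ret: spAtRet points at the slot the ret is about to pop.
    // Returns true when the ret is consistent with the shadow stack.
    bool onRet(Addr target, Addr spAtRet) {
        ++rets;
        // Entries whose slot lies below the current stack pointer belong to
        // frames discarded without a ret (longjmp, exception unwinding):
        // drop them silently instead of reporting a mismatch.
        while (!frames.empty() && frames.back().slot < spAtRet) {
            frames.pop_back();
            ++skipped;
        }
        bool ok = !frames.empty() && frames.back().retAddr == target
                                  && frames.back().slot == spAtRet;
        // The slot is consumed by this ret whether or not the target matched.
        if (!frames.empty() && frames.back().slot == spAtRet) frames.pop_back();
        if (!ok) ++violations;
        return ok;
    }
};

// Constructed trace: libc -> main -> f -> g; g longjmp()s back to main, so
// f and g never ret; main then calls h (returns normally) and k (whose
// saved return address has been overwritten), and finally returns itself.
ShadowStack runSampleTrace() {
    ShadowStack ss;
    const Addr spMain = 0x7fff0000;          // main's sp while it makes calls
    ss.onCall(0x400500, 0x7fff0010);         // libc start -> main, slot 0x7fff0008
    ss.onCall(0x401010, spMain);             // main -> f, slot 0x7ffefff8
    ss.onCall(0x402010, 0x7ffeffe0);         // f -> g, slot 0x7ffeffd8
    // g longjmp()s to a jmp_buf saved in main: no ret is seen for g or f.
    ss.onCall(0x401020, spMain);             // main -> h
    ss.onRet(0x401020, spMain - 8);          // h returns normally: OK
    ss.onCall(0x401030, spMain);             // main -> k
    ss.onRet(0x41414141, spMain - 8);        // k's slot was overwritten: violation
    ss.onRet(0x400500, 0x7fff0008);          // main returns; stale f/g entries skipped
    return ss;
}

int main() {
    ShadowStack ss = runSampleTrace();
    std::printf("calls=%u rets=%u skipped=%u violations=%u\n",
                ss.calls, ss.rets, ss.skipped, ss.violations);
    return 0;
}
```

The call and ret counters still disagree for this trace (five calls, three rets), which is exactly the situation the answer describes; what changes is that the checker no longer reports the legitimate returns of h and main as exploits, and only the overwritten return address of k is flagged. A ret whose stack pointer is above every recorded slot (a call made before instrumentation started) still counts as a violation here; a pintool would typically seed the stack at start or ignore such entries.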