dynStruct

dynStruct is a tool using dynamoRio to monitor memory accesses of an ELF binary via a data gatherer, and use this data to recover structures of the original code.

dynStruct can also be used to quickly find where and by which function a member of a structure is written or read.

Structure recovery

The python script dynStruct.py do the structure recovery and can start the web_ui.

The idea behind the structure recovery is to have a quick idea of the structures used by the program.

It’s impossible to recover exactly the structures used in the original source code, so some choices had to be made. To recover the size of members dynStruct.py look at the size of the accesses for a particular offset, it keeps the more used size if 2 or more size are used the same number of time it keeps the smaller size.

The default types are int<size>_t, all the default names are offset_<offset_in_the_struct>. Some offset in blocks have no read or write accesses in the ouput of the dynStruct dynamoRIO client, so the empty offset is fill with an array called pad_offset<offset_in_the_struct>, all padding is uint8_t. An array is detected, 5 or more consecutive members of a struct with the same size is considered as an array. Array is named array_<offset_in_the_struct>. The last thing that is detected is an array of structure, named struct_array_<offset_in_the_struct>

dynStruct also records the assembly instruction which does the access and a context instruction, the context instruction is the next one in the case of reading access and the previous one in the case of write access.
This context allows to recover the type of structure members, the recovered type is a pointer (when possible with commentary for struct pointer and array pointer), function pointer, double, float, signed integer and unsigned integer. When a type is recovered it replace the type in the default type of the structural member.
This context analysis if not 100% reliable but is usually right.

The recovery of struct try to be the most compact as possible, the output will look like :

struct struct_14{

	int32_t array_0x0[5];

	struct {

		int64_t offset_0x0;

		int8_t offset_0x8;

		int8_t pad_offset_0x9[7];

	}struct_array_0x14[2];

} 

The recovery process can take a few minutes if there are large blocks.

Install & Use

Copyright (c) 2016 Daniel Mercier