0

Is there some way to track every single function call happening in my app at run-time? So even if I were to open my app in a debugger and add a call instruction, I could catch that too?

One way I could think of is putting a page guard on the .text portion of my program and inside a vectored exception handler I check if the next instruction is a call instruction and set a single step flag if so, but I am not sure if I could even do that without either breaking my program or just making it incredibly slow with all the virtualprotect calls.

So is my idea somehow do-able or is there some other way to do it?

orORorOR
  • 143
  • 9
  • Profiling usually does something like that. What is the real problem you need to solve? Why do you need something like this? – Some programmer dude Jun 26 '20 at 21:45
  • It's not to solve an issue, I'm just trying to see if I could protect a program against hooks or other exploits by making sure the calls happening are approved by my program (kind of like control flow guard) – orORorOR Jun 26 '20 at 21:46
  • Dig through this: https://gcc.gnu.org/onlinedocs/gcc-8.4.0/gcc/Instrumentation-Options.html specifically `-finstrument-functions`. But this won't help you to protect against hooks, as it is instrumenting in compile-time. – Eugene Sh. Jun 26 '20 at 21:50
  • Look at CFI and other ROP/JOP/COP type prevention. It's quite a rabbit hole :) – Michael Dorgan Jun 26 '20 at 21:57
  • You might be able to write a script driving a debugger like gdb to step through the code and a second script to filter the output for calls. – David G. Pickett Jun 26 '20 at 22:07
  • yes. its called logger! use logger and log all functions and log all the data that you need into a text file. – Adam Jun 26 '20 at 22:33
  • Even if you manage to record all function calls and to include a check that only the expected sequence is used, what should a hacker prevent to not only patch or inject a hook and at the same time manipulate your check? -- After nearly 40 years of programming I think there is no way to protect software against manipulation purely with software. – the busybee Jun 27 '20 at 17:50

0 Answers0