CHANGELOG
Next Version
Fix android compilation (#126)
Fix instrumentation of Pusha and Popa on X86 (#127)
Fix getBBMemoryAccess (#128)
Improve the documentation of getBBMemoryAccess
Add recordMemoryAccess callback before any InstCallback
Refactor ExecBlockManager to work with unaligned instruction on X86 and X86-64 (#129)
Drop early support for ARM. The support hasn’t been tested since 0.6.2.
Rework cmake package export to import X86 and X86_64 version of QBDI in one CMake (#146 and #132)
Add QBDI::VM::getCachedInstAnalysis() to retrieve an InstAnalysis from an address. The address must be cached in the VM. (#148)
Change in InstAnalysis and OperandAnalysis (#153):
  Add InstAnalysis.flagsAccess to determine if the instruction uses or sets the flags (EFLAGS register). The analysis ANALYSIS_OPERANDS is needed to use this field.
  Change the definition of InstAnalysis.mayLoad and InstAnalysis.mayStore. The field is true if QBDI detects a memory access for the instruction.
  Add InstAnalysis.loadSize and InstAnalysis.storeSize. If the instruction reads or writes memory, the expected size of the access is given by these fields. The analysis ANALYSIS_INSTRUCTION is needed to use these fields.
  Add InstAnalysis.condition. With the update of LLVM, the mnemonics for conditional jumps (like JE_4) are merged into a unique mnemonic JCC_4. This new field contains the condition. The analysis ANALYSIS_INSTRUCTION is needed to use this field. A new enum ConditionType has all the possible values.
  Add OPERANDFLAG_IMPLICIT for OperandAnalysis.flag. An operand has this flag when a register is implicit to the instruction.
  Add OPERAND_FPR for OperandAnalysis.type. This type is used for floating point registers. For this type, OperandAnalysis.regCtxIdx is the offset in FPRState, or -1 when an offset cannot be provided.
  Add OPERAND_SEG for OperandAnalysis.type. This type is used for segments or other unsupported registers (like SSP).
  Change the type of OperandAnalysis.regCtxIdx to a signed integer. When the value is less than 0, the index is invalid.
  Change the algorithm for OperandAnalysis. The type OPERAND_INVALID may be present in the list of operands when a register is unset by the current instruction. Several operands may describe the use of the same register when a register is used multiple times for different purposes by the instruction.
Add the Instrumentation Callback QBDI_InstrumentDataCBK and QBDI::InstrumentDataCBK (#151). The Instrumentation Callback receives an InstAnalysis of each instruction during the instrumentation process. Based on this analysis, the callback may insert custom InstCallback for each instruction.
The call order of the callbacks has changed for the PREINST position. If an instruction has multiple callbacks in PREINST position, they are called in the reverse order of registration.
Internal update:
  Reduce the LLVM libraries included in the QBDI static library and reduce the QBDI package size (#139 and #70)
  Refactor code and switch to C++17 (#140)
  Use GitHub Actions to build the dev-next package of QBDI (linux and android) and PyQBDI (linux) (#147)
  Rewrite frida-qbdi.js and use sphinx-js for the frida-QBDI documentation (#146). A version of frida greater than or equal to 14.0 is needed to run frida-qbdi.js (support for ES2019 is required).
Version 0.7.1
2020-02-27 QBDI Team <qbdi@quarkslab.com>
Version 0.7.0
2019-09-10 QBDI Team <qbdi@quarkslab.com>
Add support for the x86 architecture
Add new platforms related to Android: android-X86 and android-X86_64
Improve the MemoryMap structure by adding the module's full path if available (#62, #71)
Create docker images for QBDI (available on DockerHub as qbdi/qbdi) (#56)
Fix and improve the operand analysis involved in memory accesses (#58):
In the previous version, the output of the instruction analysis for some instructions did not contain the information related to memory accesses.
For instance, the operand analysis of cmp MEM, IMM misses information about the first operand:
    cmp dword ptr [rbp + 4 * rbx - 4], 12345678
        [0] optype: 1, value : 12345678, size: 8, regOff: 0, regCtxIdx: 0, regName: (null), regaccess : 0
This issue has been fixed and the OperandAnalysis structure contains a new attribute, flag, which is used to distinguish the OperandAnalysis involved in memory accesses from the others. Here is an example of output:
    cmp dword ptr [rbp + 4*rbx - 4], 12345678
        [0] optype: 2, flag: 1, value : 48, size: 8, regOff: 0, regCtxIdx: 14, regName: RBP, regaccess : 1
        [1] optype: 1, flag: 1, value : 4, size: 8, regOff: 0, regCtxIdx: 0, regName: (null), regaccess : 0
        [2] optype: 2, flag: 1, value : 49, size: 8, regOff: 0, regCtxIdx: 1, regName: RBX, regaccess : 1
        [3] optype: 1, flag: 1, value : -4, size: 8, regOff: 0, regCtxIdx: 0, regName: (null), regaccess : 0
        [4] optype: 1, flag: 0, value : 12345678, size: 4, regOff: 0, regCtxIdx: 0, regName: (null), regaccess : 0
    mov rax, qword ptr [rbp - 4]
        [0] optype: 2, flag: 0, value : 47, size: 8, regOff: 0, regCtxIdx: 0, regName: RAX, regaccess : 2
        [1] optype: 2, flag: 1, value : 48, size: 8, regOff: 0, regCtxIdx: 14, regName: RBP, regaccess : 1
        [2] optype: 1, flag: 1, value : 1, size: 8, regOff: 0, regCtxIdx: 0, regName: (null), regaccess : 0
        [3] optype: 1, flag: 1, value : -4, size: 8, regOff: 0, regCtxIdx: 0, regName: (null), regaccess : 0
    mov rax, qword ptr [4*rbx]
        [0] optype: 2, flag: 0, value : 47, size: 8, regOff: 0, regCtxIdx: 0, regName: RAX, regaccess : 2
        [1] optype: 1, flag: 1, value : 4, size: 8, regOff: 0, regCtxIdx: 0, regName: (null), regaccess : 0
        [2] optype: 2, flag: 1, value : 49, size: 8, regOff: 0, regCtxIdx: 1, regName: RBX, regaccess : 1
        [3] optype: 1, flag: 1, value : 0, size: 8, regOff: 0, regCtxIdx: 0, regName: (null), regaccess : 0
    jne -6115
        [0] optype: 1, flag: 2, value : -6115, size: 4, regOff: 0, regCtxIdx: 0, regName: (null), regaccess : 0
    lea rax, [rbp + 4*rbx - 4]
        [0] optype: 2, flag: 0, value : 47, size: 8, regOff: 0, regCtxIdx: 0, regName: RAX, regaccess : 2
        [1] optype: 2, flag: 4, value : 48, size: 8, regOff: 0, regCtxIdx: 14, regName: RBP, regaccess : 1
        [2] optype: 1, flag: 4, value : 4, size: 8, regOff: 0, regCtxIdx: 0, regName: (null), regaccess : 0
        [3] optype: 2, flag: 4, value : 49, size: 8, regOff: 0, regCtxIdx: 1, regName: RBX, regaccess : 1
        [4] optype: 1, flag: 4, value : -4, size: 8, regOff: 0, regCtxIdx: 0, regName: (null), regaccess : 0
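As an added example (not QBDI's own code), the following Python parses dumps in the format above and rebuilds each memory operand's effective address from a register snapshot, using the new flag attribute to skip value operands such as the 12345678 immediate. The numeric meanings assumed here (optype 1 = immediate, optype 2 = GPR, flag 1 = operand takes part in the address) are inferred from the sample output, and the register values are constructed.

```python
import re
# Added example (not QBDI code): parse the 0.7.0 operand dump and rebuild each
# memory operand's effective address. Constructed sample in the changelog's
# format; optype 1 = IMM, 2 = GPR, flag 1 = address operand (assumed mapping).
SAMPLE = """\
cmp dword ptr [rbp + 4*rbx - 4], 12345678
    [0] optype: 2, flag: 1, value : 48, size: 8, regOff: 0, regCtxIdx: 14, regName: RBP, regaccess : 1
    [1] optype: 1, flag: 1, value : 4, size: 8, regOff: 0, regCtxIdx: 0, regName: (null), regaccess : 0
    [2] optype: 2, flag: 1, value : 49, size: 8, regOff: 0, regCtxIdx: 1, regName: RBX, regaccess : 1
    [3] optype: 1, flag: 1, value : -4, size: 8, regOff: 0, regCtxIdx: 0, regName: (null), regaccess : 0
    [4] optype: 1, flag: 0, value : 12345678, size: 4, regOff: 0, regCtxIdx: 0, regName: (null), regaccess : 0
mov rax, qword ptr [rbp - 4]
    [0] optype: 2, flag: 0, value : 47, size: 8, regOff: 0, regCtxIdx: 0, regName: RAX, regaccess : 2
    [1] optype: 2, flag: 1, value : 48, size: 8, regOff: 0, regCtxIdx: 14, regName: RBP, regaccess : 1
    [2] optype: 1, flag: 1, value : 1, size: 8, regOff: 0, regCtxIdx: 0, regName: (null), regaccess : 0
    [3] optype: 1, flag: 1, value : -4, size: 8, regOff: 0, regCtxIdx: 0, regName: (null), regaccess : 0
"""
REGS = {"RBP": 0x7FFD00001000, "RBX": 3}  # constructed register snapshot
OPERAND_IMM, OPERAND_GPR, OPERANDFLAG_ADDR = 1, 2, 1
OP_RE = re.compile(r"\[\d+\] optype: (\d+), flag: (\d+), value : (-?\d+),.*regName: (\S+),")

def parse_dump(text):
    """Return [(instruction, [(optype, flag, value, regName), ...]), ...]."""
    insns = []
    for line in text.splitlines():
        m = OP_RE.search(line)
        if m is None:                       # no operand fields: an instruction line
            insns.append((line.strip(), []))
        else:
            optype, flag, value, reg = m.groups()
            insns[-1][1].append((int(optype), int(flag), int(value), reg))
    return insns

def effective_address(ops, regs):
    """base + scale*index + disp from the flag==1 operands, in the dump's order:
    optional base GPR, scale imm, optional index GPR, displacement imm."""
    addr_ops = [op for op in ops if op[1] & OPERANDFLAG_ADDR]
    if not addr_ops:
        return None                         # no memory operand (e.g. a plain jne)
    base = index = 0
    imms = []
    for optype, _flag, value, reg in addr_ops:
        if optype == OPERAND_GPR:
            if imms:                        # a GPR after the scale is the index
                index = regs[reg]
            else:                           # a GPR before the scale is the base
                base = regs[reg]
        elif optype == OPERAND_IMM:
            imms.append(value)
    scale, disp = imms[0], imms[-1]         # the flag-0 value operand never gets here
    return (base + scale * index + disp) & 0xFFFFFFFFFFFFFFFF
```

Running `effective_address` over `parse_dump(SAMPLE)` gives RBP + 4*RBX - 4 for the cmp and RBP - 4 for the mov; the lea and jne lines of the page's dump would yield None because their operands carry flags 4 and 2, not 1.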
Version 0.6.2
2018-10-19 Cedric TESSIER <ctessier@quarkslab.com>
Version 0.6.1
2018-03-22 Charles HUBAIN <chubain@quarkslab.com>
Fixing a performance regression with addCodeAddrCB (#42):
Since 0.6, this API triggered a complete cache flush, forcing the engine to regenerate all the instrumented code after each call. Since this API is used inside VM::run(), this completely cancelled the precaching optimization where it was used.
Fixing support for AVX hosts without AVX2 support (#19):
Context switching wrongly used AVX2 instructions instead of AVX instructions, causing segfaults on hosts supporting AVX but not AVX2.
Version 0.6
2018-03-02 Charles HUBAIN <chubain@quarkslab.com>
Important performance improvement in the core engine (#30). This slightly changes the behavior of VMEvents.
Fix the addCodeAddrCB API (#37)
atexit and getCurrentProcessMap in python bindings (#35)
Fix getInstAnalysis on BASIC_BLOCK_ENTRY (#28)
Various documentation improvements (#34, #37, #38, #40) and an API uniformisation (#29)
Version 0.5 RC3
2017-12-10 Cedric TESSIER <ctessier@quarkslab.com>
Introducing pyqbdi, full-featured python bindings based on the QBDIPreload library
Revising variadic API to include more friendly prototypes
Various bug, compilation and documentation fixes
Version 0.5 RC2
2017-10-30 Charles HUBAIN <chubain@quarkslab.com>
Apache 2 licensing
New QBDIPreload library for easier dynamic injection under Linux and macOS
Various bug, compilation and documentation fixes
Big tree cleanup
Version 0.5 RC1
2017-10-09 Charles HUBAIN <chubain@quarkslab.com>
New Frida bindings
Upgrade to LLVM 5.0
Support for AVX registers
New callback helpers on mnemonics and memory accesses
Basic block precaching API
Automatic cache invalidation when a new instrumentation is added
Instruction and sequence level cache avoids needless retranslation
Upgrade of the validator which now supports Linux and macOS
Version 0.4
2017-01-06 Charles HUBAIN <chubain@quarkslab.com>
Basic Instruction Shadows concept
Memory access PatchDSL statements with support under X86_64 (non SIMD memory access only)
Shadow based memory access API and instrumentation
C and C++ API stabilization
Out-of-tree build and SDK
Overhaul of the entire documentation with a complete PatchDSL explanation and a split between user and developer documentation.
Version 0.3
2016-04-29 Charles HUBAIN <chubain@quarkslab.com>
Partial ARM support, sufficient to run simple programs, e.g. cat, ls, …
Instrumentation filtering system, ExecBroker, allowing the engine to switch between non-instrumented and instrumented execution
Complex execution validation system under Linux which allows instruction-by-instruction compared execution between a non-instrumented and an instrumented instance of a program
New callback system for Engine-related events, e.g. basic block entry / exit, ExecBroker transfer / return.
New (internal) logging system, LogSys, which allows priority- and tag-based filtering of the debug logs.
Version 0.2
2016-01-29 Charles HUBAIN <chubain@quarkslab.com>
Upgrade to LLVM 3.7
Complete X86_64 patching support
Support of Windows X86_64
Basic callback based instrumentation
Usable C++ and C API
User documentation with examples
Uniformisation of PatchDSL
Version 0.1
2015-10-09 Charles HUBAIN <chubain@quarkslab.com>
Ported the PatchDSL from the minijit PoC
Corrected several design flaws in the PatchDSL
Implemented a compared execution test setup to prove that execution via the JIT yields the same register and stack state as a normal execution
Basic patching working for ARM and X86_64 architectures as shown by the compared execution tests
Version 0.0
2015-09-17 Charles HUBAIN <chubain@quarkslab.com>
Working dependency system for LLVM and Google Test
ExecBlock working and tested on linux-X86_64, linux-ARM, android-ARM and macOS-X86_64
Deployed buildbot infrastructure for automated build and test on linux-X86_64 and linux-ARM