pub unsafe extern "C" fn dr_register_kernel_xfer_event(
    func: Option<unsafe extern "C" fn(drcontext: *mut c_void, info: *const dr_kernel_xfer_info_t)>,
)
Registers a callback function for the kernel transfer event. DR calls `func` whenever the kernel is about to directly transfer control without an explicit user-mode control transfer instruction. This includes the following scenarios, which are distinguished by `type`:
- On UNIX, a signal is about to be delivered to an application handler. This event differs from a dr_register_signal_event() callback in that the latter is called regardless of whether the application has a handler, and it does not provide the target context of any handler.
- On UNIX, a signal return system call is about to be invoked.
- On Windows, the asynchronous procedure call dispatcher is about to be invoked.
- On Windows, the callback dispatcher is about to be invoked.
- On Windows, the exception dispatcher is about to be invoked.
- On Windows, the NtContinue system call is about to be invoked.
- On Windows, the NtSetContextThread system call is about to be invoked.
- On Windows, the NtCallbackReturn system call is about to be invoked.
- On Windows, interrupt 0x2b is about to be invoked.
- The client requests redirection using dr_redirect_execution() or DR_SIGNAL_REDIRECT.
The prior context, if known, is provided in `info->source_mcontext`; if unknown, `info->source_mcontext` is NULL. Multimedia state is typically not provided in `info->source_mcontext`, which is reflected in its `flags`.
The target program counter and stack are provided in `info->target_pc` and `info->target_xsp`. Further target state can be examined by calling dr_get_mcontext() and modified by calling dr_set_mcontext(). Changes to the target state, including the pc, are supported for all cases except NtCallbackReturn and interrupt 0x2b. However, dr_get_mcontext() and dr_set_mcontext() are limited for the Windows system calls NtContinue and NtSetContextThread to the ContextFlags set by the application: dr_get_mcontext() will adjust the dr_mcontext_t.flags to reflect what’s available, and dr_set_mcontext() will only set what’s also set in ContextFlags. Given the disparity in how Ebp/Rbp is handled (in DR_MC_INTEGER but in CONTEXT_CONTROL), clients that care about that register are better off using system call events instead of kernel transfer events to take actions on these two system calls.
This is a convenience event: all of the above events can be detected using combinations of other events. This event is meant to be used to identify all changes in the program counter that do not arise from explicit control flow instructions.
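The rules above, applied inside a callback, as an added example that is not part of the crate or of DynamoRIO. To run without DynamoRIO it uses local stand-ins: `XferInfo` models only the fields named above, and the `XferType` variant names, `Handling`, `classify`, `SEEN` and `READ_ONLY` are hypothetical; a real client would take the binding's `dr_kernel_xfer_info_t` and pass the callback as `Some(on_kernel_xfer)` to the registration function.

```rust
use std::ffi::c_void;
use std::sync::atomic::{AtomicUsize, Ordering::Relaxed};

// Stand-ins (assumptions) for the binding's types, so this runs without DynamoRIO.
// Variant names are hypothetical labels for the scenarios listed above.
#[repr(C)]
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum XferType {
    SignalDelivery, SignalReturn, ApcDispatcher, CallbackDispatcher, ExceptionDispatcher,
    NtContinue, NtSetContextThread, NtCallbackReturn, Int2b, ClientRedirect,
}
#[repr(C)]
pub struct XferInfo {
    pub type_: XferType,                // the `type` field (a Rust keyword, hence the underscore)
    pub source_mcontext: *const c_void, // NULL when the prior context is unknown
    pub target_pc: *const u8,
    pub target_xsp: usize,
}

/// What a client may rely on for one transfer, following the rules in the text.
#[derive(Debug, PartialEq)]
pub struct Handling { pub source_known: bool, pub target_mutable: bool, pub context_flags_limited: bool }

pub fn classify(info: &XferInfo) -> Handling {
    use XferType::*;
    Handling {
        source_known: !info.source_mcontext.is_null(),
        // Target changes are unsupported for NtCallbackReturn and interrupt 0x2b.
        target_mutable: !matches!(info.type_, NtCallbackReturn | Int2b),
        // dr_get_mcontext()/dr_set_mcontext() only cover the application's ContextFlags here.
        context_flags_limited: matches!(info.type_, NtContinue | NtSetContextThread),
    }
}

pub static SEEN: AtomicUsize = AtomicUsize::new(0);
pub static READ_ONLY: AtomicUsize = AtomicUsize::new(0);

/// Callback with the shape the registration function expects (stand-in info type).
pub unsafe extern "C" fn on_kernel_xfer(_drcontext: *mut c_void, info: *const XferInfo) {
    // Never dereference a null info pointer.
    let Some(info) = (unsafe { info.as_ref() }) else { return };
    SEEN.fetch_add(1, Relaxed);
    if !classify(info).target_mutable { READ_ONLY.fetch_add(1, Relaxed); }
}

fn main() {
    // Constructed sample event: signal delivery with unknown prior context.
    let ev = XferInfo { type_: XferType::SignalDelivery, source_mcontext: std::ptr::null(),
                        target_pc: 0x401000 as *const u8, target_xsp: 0x7ffd_0000 };
    unsafe { on_kernel_xfer(std::ptr::null_mut(), &ev) };
    println!("{:?} seen={}", classify(&ev), SEEN.load(Relaxed));
}
```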