DynamoRIO is a system for runtime code manipulation that is efficient, transparent, and comprehensive, able to observe and manipulate every executed instruction in an unmodified application running on a stock operating system and commodity hardware.
DynamoRIO operates in user mode on a target process. It acts as a process virtual machine, interposing between the application and the operating system. It has a complete view of the application code stream and acts as a runtime control point, allowing custom tools to be embedded inside it:
The application itself, along with the underlying operating system and hardware, remains unchanged. DynamoRIO operates in native (non-virtual) environments as well as inside guest operating systems running on virtual machines. Tools created on top of DynamoRIO will operate without change whether the underlying operating system is native or a virtual machine guest.
DynamoRIO operates by shifting an application's execution from its original instructions to a code cache, where the instructions can be freely modified. DynamoRIO shares the application's address space and has full control over execution, taking over whenever control leaves the code cache or when the operating system directly transfers control to the application (kernel-mediated control transfers such as signal delivery). Because it lives inside the process rather than below it like a hypervisor, it is a control point, not an isolation boundary: the application's memory and DynamoRIO's own data structures occupy one address space.
DynamoRIO copies the application code one dynamic basic block at a time into its basic block code cache. A block that directly targets another block already resident in the cache is linked to that block to avoid the cost of returning to the DynamoRIO dispatcher.
Frequently executed sequences of basic blocks are combined into traces, which are placed in a separate code cache. DynamoRIO makes these traces available via its interface for convenient access to hot application code streams.
The following figure shows the flow of control between the components of DynamoRIO and its code caches:
This context switch is not an operating system context switch: it swaps between DynamoRIO's operational state and the machine state of the application, and both remain within the same process.
Indirect branches (returns, calls through function pointers, jump tables) cannot be linked statically because their targets are only known at run time. They are resolved dynamically, either via an inlined table lookup that maps the application target address to its code cache copy, or, inside a trace, via an inlined compare against the target that was observed when the trace was built, with a fall-back to the lookup when the compare fails.
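The mechanism described in the paragraphs above (a dispatcher, a basic block cache, linking of direct exits, and a table lookup for indirect branches) as a miniature simulation in C. This is example code added for this page, not DynamoRIO's own code: the toy instruction set, the sample program, and the names (`dbt`, `build_block`, `run_block`, `cache_lookup`, `run`) are constructed for illustration, and the linear `cache_lookup` stands in for DynamoRIO's inlined hash-table lookup.

```c
/* toy_dbt.c: a miniature dynamic binary translator that mimics the structure
 * described above. Example code written for this page; it is NOT DynamoRIO's
 * code, and the toy ISA and sample program are constructed for illustration. */
#include <stdio.h>
#include <string.h>

enum op { ADD, SUB, JMP, JNZ, JR, HALT };
typedef struct { enum op op; int r; int x; } insn; /* r: register, x: immediate or target pc */

#define NREGS 4
#define MAX_BLOCKS 32
#define MAX_LEN 16

typedef struct block {
    int start_pc;              /* application pc the block was copied from */
    insn code[MAX_LEN];        /* the copy that actually executes (the code cache) */
    int len;
    int taken_pc, fall_pc;     /* direct exit targets in application pcs, -1 if none */
    struct block *link_taken;  /* cached successor once linked; NULL = exit to dispatcher */
    struct block *link_fall;
} block;

typedef struct {
    block cache[MAX_BLOCKS];   /* the basic block cache */
    int ncached;
    long dispatch_entries;     /* context switches back into the dispatcher */
    long blocks_run;
} dbt;

/* Stand-in for the inlined indirect-branch lookup table: application pc -> cached block. */
static block *cache_lookup(dbt *d, int pc) {
    for (int i = 0; i < d->ncached; i++)
        if (d->cache[i].start_pc == pc) return &d->cache[i];
    return NULL;
}

/* Copy one dynamic basic block from the application into the cache. */
static block *build_block(dbt *d, const insn *prog, int pc) {
    if (d->ncached == MAX_BLOCKS) return NULL;       /* toy: no cache eviction */
    block *b = &d->cache[d->ncached++];
    memset(b, 0, sizeof *b);
    b->start_pc = pc; b->taken_pc = b->fall_pc = -1;
    for (;;) {
        insn i = prog[pc++];
        b->code[b->len++] = i;
        if (i.op == JMP) { b->taken_pc = i.x; return b; }
        if (i.op == JNZ) { b->taken_pc = i.x; b->fall_pc = pc; return b; }
        if (i.op == JR || i.op == HALT) return b;
        if (b->len == MAX_LEN) { b->taken_pc = pc; return b; } /* cut: direct exit to next pc */
    }
}

/* Execute a cached block. Returns the linked successor (control stays in the cache)
 * or NULL when control must return to the dispatcher; *slot names the exit the
 * dispatcher should link once the target block is in the cache. */
static block *run_block(dbt *d, block *b, int regs[], int *pc, block ***slot) {
    d->blocks_run++;
    *slot = NULL;
    for (int k = 0; k < b->len; k++) {
        insn i = b->code[k];
        switch (i.op) {
        case ADD: regs[i.r] += i.x; break;
        case SUB: regs[i.r] -= i.x; break;
        case JMP: *pc = i.x; *slot = &b->link_taken; return b->link_taken;
        case JNZ:
            if (regs[i.r]) { *pc = i.x; *slot = &b->link_taken; return b->link_taken; }
            *pc = b->fall_pc; *slot = &b->link_fall; return b->link_fall;
        case JR:  /* indirect: target known only now, so resolve via the table, no static link */
            *pc = regs[i.r]; return cache_lookup(d, *pc);
        case HALT: *pc = -1; return NULL;
        }
    }
    *pc = b->taken_pc; *slot = &b->link_taken; return b->link_taken; /* block cut at MAX_LEN */
}

/* Run the program from pc 0; returns how many times the dispatcher was entered. */
static long run(dbt *d, const insn *prog, int regs[]) {
    long before = d->dispatch_entries;
    block *cur = NULL, **slot = NULL;
    int pc = 0;
    while (pc >= 0) {
        if (!cur) {                                  /* context switch to the dispatcher */
            d->dispatch_entries++;
            cur = cache_lookup(d, pc);
            if (!cur) cur = build_block(d, prog, pc);
            if (!cur) break;                         /* cache full */
            if (slot) *slot = cur;                   /* link the exit we just came through */
        }
        cur = run_block(d, cur, regs, &pc, &slot);
    }
    return d->dispatch_entries - before;
}

/* Constructed sample program: a counted loop, then an indirect jump to a tail block. */
static const insn demo[] = {
    {ADD, 0, 5},   /* pc 0: r0 = 5                    */
    {ADD, 2, 7},   /* pc 1: r2 = 7 (indirect target)  */
    {JMP, 0, 3},   /* pc 2: end of block 0            */
    {ADD, 1, 2},   /* pc 3: r1 += 2                   */
    {SUB, 0, 1},   /* pc 4: r0 -= 1                   */
    {JNZ, 0, 3},   /* pc 5: loop while r0 != 0        */
    {JR,  2, 0},   /* pc 6: indirect jump through r2  */
    {ADD, 1, 100}, /* pc 7: tail block                */
    {HALT, 0, 0},
};

int main(void) {
    dbt d; memset(&d, 0, sizeof d);
    int regs[NREGS] = {0};
    long cold = run(&d, demo, regs);
    int r1_cold = regs[1];
    memset(regs, 0, sizeof regs);
    long warm = run(&d, demo, regs);
    printf("cold run: %ld dispatcher entries, %d blocks cached, r1=%d\n", cold, d.ncached, r1_cold);
    printf("warm run: %ld dispatcher entry, r1=%d\n", warm, regs[1]);
    return 0;
}
```

Running it shows the effect of linking: the cold run enters the dispatcher once per new block plus once more to link the loop's back edge, whereas a second run on the warm cache enters it only once at startup, because every direct exit is now linked and the indirect exit is satisfied by the lookup. Once the working set is cached, the dispatcher and the context switch it implies drop out of the steady-state path.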
Transparency is an important requirement for DynamoRIO and its clients. The subject is fully covered in Client Transparency.
The canonical reference for DynamoRIO is:
- Derek Bruening. Efficient, Transparent, and Comprehensive Runtime Code Manipulation. Ph.D. Thesis, MIT, September 2004.
See Academic Publications for other publications involving DynamoRIO.