# Dynamic Binary Instrumentation (DBI)

## What are they?

A DBI system is an **application virtual machine** that interprets the ISA of a specific platform:

* Usually (but not always) the same ISA as the platform the DBI system itself runs on.
* Offers instrumentation capabilities so that an analysis tool component can monitor and alter instructions and data.
* Down to the granularity of a single instruction.

DBI systems extend standard Dynamic Binary Analysis tasks with:

* Fine-grained monitoring capabilities.
* Full control over data and instructions, potentially increasing the scope of reverse engineering.

Uses:

* Measure performance,
* Detect vulnerabilities,
* Force code execution,
* Fuzz binary programs at the scale of a group of instructions.

## Caveats

DBI is vulnerable to specific attacks that target the emulator.

* **Purpose**: prevent the program from being analysed under an emulator, or induce incorrect results.
* Exploit the fact that DBI tools are slow.
* Exploit the fact that the system is emulated and differs from a real system.

Some approaches:

* Extensive loops.
* Timing measurements.
* Testing for system-specific behavior.

* Instrumentation: insert code.
* Dynamic Binary Instrumentation: insert code into "running" code.

## How do they work?

They rebuild the program's binary code at run time using a JIT technique:

* Insert trace points and hooks for inspection.
* Divert execution to **additional user-specified functions**.
* Monitor access to memory regions.
  * Potentially triggering callbacks on access.
* May reimplement access to I/O devices, or even `syscalls` and interrupts.
* May create a fully emulated execution environment.
  * Can be combined with an emulation platform such as QEMU or Unicorn (a fork of QEMU).

Popular tools: Valgrind, DynamoRIO, Intel Pin, Dyninst, Qiling, Frida.
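The mechanics listed above (JIT-style translation into a code cache, per-instruction hooks, memory-access callbacks, reimplemented privileged operations) and the timing caveat from the previous section can be seen together in a toy instruction-level DBI engine. This is an added example written for these notes, not code from any of the tools named above; the four-register ISA, the `RDTSC`-like cycle counter and the fixed overhead charged per callback are all constructed to make the slowdown visible. It also shows the analysis-side counter to the timing check: the tool overrides the counter read so the guest only sees the cycles it would have spent uninstrumented.

```python
"""Toy DBI engine for a tiny register machine (constructed example, not a real framework)."""
from typing import Callable, Dict, List, Tuple

Insn = Tuple  # ("OP", operand_a, operand_b)

NUM_REGS, MEM_SIZE = 4, 16
INSTRUMENTATION_OVERHEAD = 10  # constructed: cycles charged per callback, models DBI slowdown


class Machine:
    def __init__(self) -> None:
        self.regs: List[int] = [0] * NUM_REGS
        self.mem: List[int] = [0] * MEM_SIZE
        self.pc = 0
        self.cycles = 0         # "hardware" cycle counter, includes tool overhead
        self.native_cycles = 0  # cycles the guest would spend when not instrumented
        self.halted = False


def native_semantics(m: Machine, insn: Insn) -> None:
    """Uninstrumented meaning of each toy instruction."""
    op = insn[0]
    if op == "MOV":          # MOV r, imm
        m.regs[insn[1]] = insn[2]
    elif op == "ADD":        # ADD rd, rs
        m.regs[insn[1]] += m.regs[insn[2]]
    elif op == "SUBI":       # SUBI r, imm
        m.regs[insn[1]] -= insn[2]
    elif op == "LD":         # LD r, addr
        m.regs[insn[1]] = m.mem[insn[2]]
    elif op == "ST":         # ST r, addr
        m.mem[insn[2]] = m.regs[insn[1]]
    elif op == "JNZ":        # JNZ r, target
        if m.regs[insn[1]] != 0:
            m.pc = insn[2]
            return
    elif op == "RDTSC":      # RDTSC r: read the raw cycle counter
        m.regs[insn[1]] = m.cycles
    elif op == "HALT":
        m.halted = True
        return
    else:
        raise ValueError(f"unknown op {op}")
    m.pc += 1


class DBI:
    def __init__(self, program: List[Insn]) -> None:
        self.program = program
        self.cache: Dict[int, Callable[[Machine], None]] = {}          # pc -> translated closure
        self.before_insn: List[Callable[[int, Insn, Machine], None]] = []  # trace points / hooks
        self.mem_watch: Dict[int, Callable[[str, int, int], None]] = {}   # addr -> access callback
        self.overrides: Dict[str, Callable[[Machine, Insn], None]] = {}   # op -> reimplementation

    def translate(self, pc: int) -> Callable[[Machine], None]:
        """Build the instrumented form of the instruction at pc; done once, then cached (JIT-style)."""
        insn = self.program[pc]
        op = insn[0]
        handler = self.overrides.get(op, native_semantics)

        def instrumented(m: Machine) -> None:
            for cb in self.before_insn:                  # user-specified analysis functions
                cb(pc, insn, m)
                m.cycles += INSTRUMENTATION_OVERHEAD
            if op in ("ST", "LD") and insn[2] in self.mem_watch:   # monitored memory region
                value = m.regs[insn[1]] if op == "ST" else m.mem[insn[2]]
                self.mem_watch[insn[2]]("write" if op == "ST" else "read", insn[2], value)
                m.cycles += INSTRUMENTATION_OVERHEAD
            handler(m, insn)
            m.cycles += 1
            m.native_cycles += 1
        return instrumented

    def run(self, m: Machine, max_steps: int = 10_000) -> Machine:
        for _ in range(max_steps):
            if m.halted:
                return m
            block = self.cache.get(m.pc)
            if block is None:
                block = self.cache[m.pc] = self.translate(m.pc)
            block(m)
        raise RuntimeError("step budget exceeded")


# Constructed guest program: sum 5+4+3+2+1 into mem[8] in a loop and time the loop
# with the raw cycle counter, the kind of check the "Caveats" section describes.
PROGRAM: List[Insn] = [
    ("MOV", 0, 5), ("MOV", 1, 0), ("RDTSC", 2, None),
    ("ADD", 1, 0),   # pc 3: loop head
    ("ST", 1, 8), ("SUBI", 0, 1), ("JNZ", 0, 3),
    ("RDTSC", 3, None), ("HALT",),
]


def run_uninstrumented() -> int:
    """Loop duration with no hooks installed (the baseline the guest expects)."""
    m = DBI(PROGRAM).run(Machine())
    return m.regs[3] - m.regs[2]


def run_instrumented(virtualize_timer: bool) -> dict:
    """Trace every instruction, watch mem[8], optionally hide overhead from RDTSC."""
    dbi = DBI(PROGRAM)
    trace, writes = [], []
    dbi.before_insn.append(lambda pc, insn, m: trace.append((pc, insn[0])))
    dbi.mem_watch[8] = lambda kind, addr, val: writes.append((kind, val))
    if virtualize_timer:
        def virtual_rdtsc(m: Machine, insn: Insn) -> None:   # tool-provided replacement
            m.regs[insn[1]] = m.native_cycles
            m.pc += 1
        dbi.overrides["RDTSC"] = virtual_rdtsc
    m = dbi.run(Machine())
    return {"elapsed": m.regs[3] - m.regs[2], "insn_count": len(trace),
            "writes": writes, "result": m.mem[8]}


if __name__ == "__main__":
    print("uninstrumented loop cycles:", run_uninstrumented())
    print("instrumented, raw timer:  ", run_instrumented(False))
    print("instrumented, virtualized:", run_instrumented(True))
```

With the raw counter the instrumented loop reports far more cycles than the baseline, which is exactly the discrepancy an "extensive loop plus timing" check keys on; with the counter reimplemented by the tool the guest sees the baseline value while the analyst still receives the full instruction trace and every write to the watched cell.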

