Memory access monitor for c programs

Question

I am trying to track down memory accesses to heap allocated memory.

For example, if I have the following code:

void set_value(int* buffer, size_t pos, int value) {
    buffer[pos] = value;
}
int main(void) {    
    int* buffer = malloc(BUFF_SIZE * sizeof(int));
    set_value(buffer, 2, 10);
    set_value(buffer, 3, 12);

    free(buffer);
    return 0;
}

I am mainly interested in the functions that access the memory and the address of the content that have been modified.

I have tried to use multiple memory tools like ptrace, strace, ASan, Dmalloc, but I didn't achieve the result.

Another idea was to modify the memory change the protection of the memory using mprotect and writing the handlers for Page Faults. I made the memory read-only and when a write occurs, the handler modifies the page protection and let the function to write the content in memory, but after that I cannot made the page read only again, for futher accesses.

Do you have any tips on how to monitor every write made to the heap memory?

Answer 1

If you're willing to monitor every memory access, I'd suggest to take a look at the packages such as PIN [1] and/or DynInst [2]. Both are dynamic binary instrumentation packages that allow you to modify an application binary to inject the code you want. In this case, both tools allow you to instrument every single instruction and know the address they reference (if they are loads/stores). Then, if you're only interested in memory allocated by malloc (or realloc, or calloc) you can also instrument these routines to capture their entry parameters and exit values to determine the region of memory of interest. Both tools provide similar functionalities. I'd say that their main difference is that PIN specifically focuses to Intel processors while DynInst is an open source project that supports different processor architectures (Intel, IBM-Power, ARM).

Since instrumentation may be costly in this particular scenario that instruments every instruction and you can afford to sample memory references, I'd suggest you to explore the PEBS infrastructure [3] from recent Intel processors (AMD processors have something similar named IBS). PEBS can be used from the perf tool available within the Linux OS [4] (I don't know if it is available on other OSeS)

[1] PIN https://software.intel.com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool

[2] DynInst http://www.dyninst.org

[3] Intel Manual Section 18.4.4 Precise Event Based Sampling (PEBS) http://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-vol-3b-part-2-manual.pdf

[4] Linux perf to sample memory addresses https://lwn.net/Articles/531766/