How to avoid std functions being instrumented by /Gh compile option?

Question

How to avoid std functions being instrumented by /Gh compile option?

Kohit _ 41

I am using /Gh and /GH options to analyse my program.
However, compile with these options may hook those std functions which I'm not concerned but causing a lot extra time cost.
How can I avoid compiler to hook std functions?

update:
I’ve read some msvc stl source code and find out that it’s difficult to avoid being hook because most of the stl source code are implemented in header files.
But gcc have compile options like -nostdinc++ -nodefaultlibs
a libc++ usage example:
$ g++ -nostdinc++ -I<libcxx-install-prefix>/include/c++/v1 \
test.cpp -nodefaultlibs -lc++ -lc++abi -lm -lc -lgcc_s -lgcc

Viorel 122.5K Reputation points

2020-11-04T14:57:22.167+00:00

What things do you have inside of _penter and _pexit?

If you can identify the needed functions at runtime from the body of _penter and _pexit, maybe you can modify (replace programmatically with ‘nop’ instructions) certain portions of unneeded functions. Then extra time will happen on first call only.
Kohit _ 41 Reputation points

2020-11-04T16:04:49.237+00:00

About 500,000 std function calls in each runtime, identify these functions in _penter certainly help, but there will still have 500k extra _penter calls in each runtime, its still a lot of time.
Viorel 122.5K Reputation points

2020-11-04T16:57:32.63+00:00

Do you really achieve 500 000 different std functions (not calls of the same functions) in your program?
Kohit _ 41 Reputation points

2020-11-04T17:23:41.787+00:00

no, I mean total 500k std function call, mostly the same function.
Jeanine Zhang-MSFT 11,356 Reputation points Microsoft External Staff

2020-11-05T02:41:06.553+00:00

@Kohit _ ,

mostly the same function.

I agree with Viorel, you could modify (replace programmatically with ‘nop’ instructions) certain portions of unneeded functions. Then extra time will happen on first call only.
Kohit _ 41 Reputation points

2020-11-05T02:54:51.317+00:00

It's that solution Viorel-1 mentioned looks like this:

notstdfunc(){
_penter() // /Gh

_pexit() // /GH
}

stdfunc(){
_penter() // /Gh

_pexit() // /GH
}

_penter(){
if (is stdfunc) {
return
}
do_analyse()
}

what I want to achieve is:

notstdfunc(){
_penter() // /Gh

_pexit() // /GH
}

stdfunc(){

}

_penter(){
do_analyse()
}
Jeanine Zhang-MSFT 11,356 Reputation points Microsoft External Staff

2020-11-05T08:13:54.217+00:00

But gcc have compile options like -nostdinc++ -nodefaultlibs

@Kohit _ ,I suggest you could try to use /nodefaultlib:LibName.
Kohit _ 41 Reputation points

2020-11-05T10:36:23.497+00:00

As I said before, most of the stl implementation were in the header files, not in the outside library file.
RLWA32 49,536 Reputation points

2020-11-05T11:42:00.537+00:00

If you cannot work around the undesirable hooking of std functions maybe you could move the functions that you do want to instrument into a dll and then use Detours to hook them.

Accepted answer

0 additional answers

Your answer

Viorel 122.5K Reputation points

2020-11-04T14:57:22.167+00:00

What things do you have inside of _penter and _pexit?

If you can identify the needed functions at runtime from the body of _penter and _pexit, maybe you can modify (replace programmatically with ‘nop’ instructions) certain portions of unneeded functions. Then extra time will happen on first call only.
Kohit _ 41 Reputation points

2020-11-04T16:04:49.237+00:00

About 500,000 std function calls in each runtime, identify these functions in _penter certainly help, but there will still have 500k extra _penter calls in each runtime, its still a lot of time.
Viorel 122.5K Reputation points

2020-11-04T16:57:32.63+00:00

Do you really achieve 500 000 different std functions (not calls of the same functions) in your program?
Kohit _ 41 Reputation points

2020-11-04T17:23:41.787+00:00

no, I mean total 500k std function call, mostly the same function.
Jeanine Zhang-MSFT 11,356 Reputation points Microsoft External Staff

2020-11-05T02:41:06.553+00:00

@Kohit _ ,

mostly the same function.

I agree with Viorel, you could modify (replace programmatically with ‘nop’ instructions) certain portions of unneeded functions. Then extra time will happen on first call only.
Kohit _ 41 Reputation points

2020-11-05T02:54:51.317+00:00

It's that solution Viorel-1 mentioned looks like this:

notstdfunc(){
_penter() // /Gh

_pexit() // /GH
}

stdfunc(){
_penter() // /Gh

_pexit() // /GH
}

_penter(){
if (is stdfunc) {
return
}
do_analyse()
}

what I want to achieve is:

notstdfunc(){
_penter() // /Gh

_pexit() // /GH
}

stdfunc(){

}

_penter(){
do_analyse()
}
Jeanine Zhang-MSFT 11,356 Reputation points Microsoft External Staff

2020-11-05T08:13:54.217+00:00

But gcc have compile options like -nostdinc++ -nodefaultlibs

@Kohit _ ,I suggest you could try to use /nodefaultlib:LibName.
Kohit _ 41 Reputation points

2020-11-05T10:36:23.497+00:00

As I said before, most of the stl implementation were in the header files, not in the outside library file.
RLWA32 49,536 Reputation points

2020-11-05T11:42:00.537+00:00

If you cannot work around the undesirable hooking of std functions maybe you could move the functions that you do want to instrument into a dll and then use Detours to hook them.

Answer 1

If you like to research the idea of self-modifying code, then try an experiment for Visual Studio 2019:

/*  
  
Configuration:  
  
	- Debug, Win32  
  
Compiler options:  
  
	- "Additional options": /Gh  
  
Linker options:  
  
	- "Enable Incremental Linking": NO  
  
*/  
  
#include <Windows.h>  
#include <iostream>  
#include <cassert>  
  
  
void f1()  
{  
	printf( "f1\n" );  
}  
  
void __stdcall MyHook( unsigned char* retAddress )  
{  
	//return; // uncomment to disable self-modification  
  
	unsigned char* address_of_call_penter = retAddress - 5;  
	unsigned char code = address_of_call_penter[0];  
	assert( code = 0xE8 );  
  
	unsigned char* address_of_f1 = (unsigned char*)&f1;  
  
	if( address_of_call_penter != address_of_f1 )  
	{  
		// remove 'call _penter', replace with 'nop'  
  
		MEMORY_BASIC_INFORMATION mbi;  
		BOOL b;  
		b = VirtualQuery( address_of_call_penter, &mbi, sizeof( mbi ) );  
  
		DWORD old_protect;  
		b = VirtualProtect( mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READWRITE, &old_protect );  
  
		*(unsigned*)address_of_call_penter = 0x90909090;  
		( (char*)address_of_call_penter )[4] = 0x90;  
  
		b = VirtualProtect( mbi.BaseAddress, mbi.RegionSize, old_protect, &old_protect );  
	}  
}  
  
  
bool recursive_call = false;  
int counter = 0;  
  
extern "C" void __declspec( naked ) __cdecl _penter( void )  
{  
	_asm  
	{  
		pushad  
	}  
  
  
	if( !recursive_call )  
	{  
		recursive_call = true;  
  
		printf( "_penter %i\n", ++counter );  
  
		__asm  
		{  
			mov eax, [esp + ( 8 ) * 4]  
			push eax  
			call MyHook  
		}  
  
		recursive_call = false;  
	}  
  
	_asm  
	{  
		popad  
		ret  
	}  
}  
  
  
int main()  
{  
	printf( "Calling 'f1'\n" );  
	f1();  
	printf( "Returned from 'f1'\n" );  
  
	return 0;  
}

The mandatory Project Properties are shown in the comment.

It includes a sample “f1” function. If _penter is called for other function, like printf, then the call is removed (replaced with ‘nop’ instructions). The next time printf will not invoke _penter. It is possible to deal with more than just one “f1” function.

The program displays “_penter” five times. When “//return” is uncommented to disable the self-modification, then _penter is called 12 times.

To detect undesirable recursive infinite calls in single-threaded environment it uses a simple flag; see also: https://learn.microsoft.com/en-us/answers/questions/123941/gh-causing-infinite-loop.html.

Works with STL functions too.

Kohit _ 41 Reputation points

2020-11-07T04:52:20.547+00:00

Wow, this is cool!

Share via

How to avoid std functions being instrumented by /Gh compile option?

0 additional answers

Your answer