
Detecting the Loading and Unloading of Images (Image Instrumentation) + question

by sonysame, 2018. 9. 14.
//
// This tool prints a trace of image load and unload events
//

#include "pin.H"
#include <iostream>
#include <fstream>
#include <stdlib.h>

using namespace std;

KNOB<string> KnobOutputFile(KNOB_MODE_WRITEONCE, "pintool",
    "o", "imageload.out", "specify file name");

ofstream TraceFile;

// Pin calls this function every time a new img is loaded
// It can instrument the image, but this example does not
// Note that imgs (including shared libraries) are loaded lazily

VOID ImageLoad(IMG img, VOID *v)
{
    TraceFile << "Loading " << IMG_Name(img) << ", Image id = " << IMG_Id(img) << endl;
}

// Pin calls this function every time a new img is unloaded
// You can't instrument an image that is about to be unloaded
VOID ImageUnload(IMG img, VOID *v)
{
    TraceFile << "Unloading " << IMG_Name(img) << endl;
}

// This function is called when the application exits
// It closes the output file.
VOID Fini(INT32 code, VOID *v)
{
    if (TraceFile.is_open()) { TraceFile.close(); }
}

/* ===================================================================== */
/* Print Help Message                                                    */
/* ===================================================================== */

INT32 Usage()
{
    PIN_ERROR("This tool prints a log of image load and unload events\n"
             + KNOB_BASE::StringKnobSummary() + "\n");
    return -1;
}

/* ===================================================================== */
/* Main                                                                  */
/* ===================================================================== */

int main(int argc, char * argv[])
{
    // Initialize symbol processing
    PIN_InitSymbols();
    
    // Initialize pin
    if (PIN_Init(argc, argv)) return Usage();
    
    TraceFile.open(KnobOutputFile.Value().c_str());
    
    // Register ImageLoad to be called when an image is loaded
    IMG_AddInstrumentFunction(ImageLoad, 0);

    // Register ImageUnload to be called when an image is unloaded
    IMG_AddUnloadFunction(ImageUnload, 0);

    // Register Fini to be called when the application exits
    PIN_AddFiniFunction(Fini, 0);
    
    // Start the program, never returns
    PIN_StartProgram();
    
    return 0;
}

Information about image loading and unloading!


Here, "image" does not mean an image in the usual sense; it refers to an image file such as a DLL.

What has been added at startup is:

PIN_InitSymbols();

And where INS_ was used up to now, IMG_ now appears.

These are the functions called when an ImageLoad or ImageUnload takes place!


Unlike before, InsertCall is not used.


The question that came up here is:

when calling a function from INS_, InsertCall is used, but with IMG_ there is no such step!


The result is as follows.

Loading C:\Users\김희연\Desktop\PinTool Project-temp-20180914T070328Z-001\PinTool Project-temp\helloworld.exe, Image id = 1
Loading C:\WINDOWS\System32\KERNELBASE.dll, Image id = 2
Loading C:\WINDOWS\System32\KERNEL32.DLL, Image id = 3
Loading C:\WINDOWS\SYSTEM32\ntdll.dll, Image id = 4
Loading C:\WINDOWS\SYSTEM32\VCRUNTIME140D.dll, Image id = 5
Loading C:\WINDOWS\SYSTEM32\ucrtbased.dll, Image id = 6
Loading C:\WINDOWS\System32\kernel.appcore.dll, Image id = 7
Loading C:\WINDOWS\System32\msvcrt.dll, Image id = 8
Loading C:\WINDOWS\System32\RPCRT4.dll, Image id = 9
Loading C:\WINDOWS\System32\SspiCli.dll, Image id = 10
Loading C:\WINDOWS\System32\CRYPTBASE.dll, Image id = 11
Loading C:\WINDOWS\System32\bcryptPrimitives.dll, Image id = 12
Loading C:\WINDOWS\System32\sechost.dll, Image id = 13
Unloading C:\Users\김희연\Desktop\PinTool Project-temp-20180914T070328Z-001\PinTool Project-temp\helloworld.exe
Unloading C:\WINDOWS\System32\KERNELBASE.dll
Unloading C:\WINDOWS\System32\KERNEL32.DLL
Unloading C:\WINDOWS\SYSTEM32\ntdll.dll
Unloading C:\WINDOWS\SYSTEM32\VCRUNTIME140D.dll
Unloading C:\WINDOWS\SYSTEM32\ucrtbased.dll
Unloading C:\WINDOWS\System32\kernel.appcore.dll
Unloading C:\WINDOWS\System32\msvcrt.dll
Unloading C:\WINDOWS\System32\RPCRT4.dll
Unloading C:\WINDOWS\System32\SspiCli.dll
Unloading C:\WINDOWS\System32\CRYPTBASE.dll
Unloading C:\WINDOWS\System32\bcryptPrimitives.dll
Unloading C:\WINDOWS\System32\sechost.dll


What is worth noting here is that everything that was loaded is also unloaded!
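On the question above: an INS_ instrumentation routine has to call INS_InsertCall because the instruction it sees will execute many times and the analysis routine must run at each execution, whereas an image load is a single event, so the IMG_ instrumentation callback can record it directly. The observation that every loaded image is unloaded, and the security-relevant follow-up (was any DLL loaded from outside the Windows directory?), can both be checked mechanically from the imageload.out trace. The program below is an added example written for this page; it is not from the post or from the Pin distribution. It parses the "Loading ... , Image id = N" / "Unloading ..." format that the tool writes, matches each unload to the most recent still-loaded record of the same name, and reports images never unloaded and images loaded from outside C:\Windows\. The embedded trace is constructed from a subset of the post's output with an invented helper.dll added that is never unloaded; the assumption that the first image in the trace is the application itself follows the post's output, where helloworld.exe has id 1.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// One image as recorded by the tool's ImageLoad callback; `unloaded` is set
// when a matching "Unloading" line is seen later in the trace.
struct ImageRecord {
    std::string name;
    int id;
    bool unloaded;
};

// Constructed sample trace in the format written by the tool: a subset of the
// post's output plus an invented helper.dll that is never unloaded.
static const std::string kSampleTrace = R"TRACE(Loading C:\Users\example\Desktop\helloworld.exe, Image id = 1
Loading C:\WINDOWS\System32\KERNELBASE.dll, Image id = 2
Loading C:\WINDOWS\System32\KERNEL32.DLL, Image id = 3
Loading C:\WINDOWS\SYSTEM32\ntdll.dll, Image id = 4
Loading C:\Users\example\Desktop\helper.dll, Image id = 5
Unloading C:\Users\example\Desktop\helloworld.exe
Unloading C:\WINDOWS\System32\KERNELBASE.dll
Unloading C:\WINDOWS\System32\KERNEL32.DLL
Unloading C:\WINDOWS\SYSTEM32\ntdll.dll
)TRACE";

static std::string toLower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return s;
}

// Parse "Loading <path>, Image id = N" and "Unloading <path>" lines.
// An unload is matched to the most recent still-loaded record with the same
// name, so a DLL that is loaded twice is tracked as two separate records.
std::vector<ImageRecord> parseTrace(const std::string& trace) {
    static const std::string kLoad = "Loading ";
    static const std::string kUnload = "Unloading ";
    static const std::string kIdSep = ", Image id = ";
    std::vector<ImageRecord> images;
    std::istringstream in(trace);
    std::string line;
    while (std::getline(in, line)) {
        if (!line.empty() && line.back() == '\r') line.pop_back();
        if (line.compare(0, kLoad.size(), kLoad) == 0) {
            size_t sep = line.rfind(kIdSep);
            if (sep == std::string::npos) continue;  // malformed line, skip it
            ImageRecord rec;
            rec.name = line.substr(kLoad.size(), sep - kLoad.size());
            rec.id = std::stoi(line.substr(sep + kIdSep.size()));
            rec.unloaded = false;
            images.push_back(rec);
        } else if (line.compare(0, kUnload.size(), kUnload) == 0) {
            std::string name = line.substr(kUnload.size());
            for (auto it = images.rbegin(); it != images.rend(); ++it) {
                if (it->name == name && !it->unloaded) { it->unloaded = true; break; }
            }
        }
    }
    return images;
}

// Images that were loaded but never unloaded before the process exited.
std::vector<std::string> imagesNotUnloaded(const std::vector<ImageRecord>& images) {
    std::vector<std::string> out;
    for (const auto& img : images)
        if (!img.unloaded) out.push_back(img.name);
    return out;
}

// Case-insensitive: the real trace mixes "System32" and "SYSTEM32" for the
// same directory, so a case-sensitive prefix check would miss half of them.
bool isSystemPath(const std::string& path) {
    const std::string prefix = "c:\\windows\\";
    return toLower(path).compare(0, prefix.size(), prefix) == 0;
}

// Images loaded from outside the Windows directory, excluding the application
// itself (assumed to be the first image in the trace, id 1 in the post's output).
std::vector<std::string> nonSystemImages(const std::vector<ImageRecord>& images) {
    std::vector<std::string> out;
    for (size_t i = 1; i < images.size(); ++i)
        if (!isSystemPath(images[i].name)) out.push_back(images[i].name);
    return out;
}

int main() {
    auto images = parseTrace(kSampleTrace);
    std::cout << images.size() << " images loaded\n";
    for (const auto& n : imagesNotUnloaded(images))
        std::cout << "never unloaded: " << n << "\n";
    for (const auto& n : nonSystemImages(images))
        std::cout << "loaded from outside the Windows directory: " << n << "\n";
    return 0;
}
```

To run it on a real trace, read imageload.out into a string and pass it to parseTrace instead of kSampleTrace. Because Pin loads images lazily (as the tool's comments note), a DLL that appears in the trace late, or from a directory the application itself writes to, is the kind of line this check is meant to surface for a closer look.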