```cpp
#include <stdio.h>
#include "pin.H"
#include <iostream>
#include <fstream>

// The unqualified cerr/endl used below need these (older pin.H pulled in std)
using std::cerr;
using std::endl;

// The tool's own log file (the application may have closed cout/cerr)
std::ofstream* out = 0;

//=======================================================
// Analysis routines
//=======================================================

// Move from memory to register: emulate the load and hand the value back
// through IARG_RETURN_REGS so that Pin writes it into the destination register
ADDRINT DoLoad(REG reg, ADDRINT* addr)
{
    *out << "Emulate loading from addr " << addr << " to " << REG_StringShort(reg) << endl;
    ADDRINT value;
    // PIN_SafeCopy reads application memory without faulting if addr is unreadable
    PIN_SafeCopy(&value, addr, sizeof(ADDRINT));
    return value;
}

//=======================================================
// Instrumentation routines
//=======================================================

VOID EmulateLoad(INS ins, VOID* v)
{
    // Find the instructions that move a value from memory to a register
    if (INS_Opcode(ins) == XED_ICLASS_MOV && INS_IsMemoryRead(ins) && INS_OperandIsReg(ins, 0) &&
        INS_OperandIsMemory(ins, 1))
    {
        // op0 <- *op1
        INS_InsertCall(ins,
                       IPOINT_BEFORE,
                       AFUNPTR(DoLoad),
                       IARG_UINT32, REG(INS_OperandReg(ins, 0)),  // first argument: destination register
                       IARG_MEMORYREAD_EA,                        // second argument: effective address read
                       IARG_RETURN_REGS, INS_OperandReg(ins, 0),  // DoLoad's return value goes into this register
                       IARG_END);
        // Delete the instruction: the analysis call now replaces it
        INS_Delete(ins);
    }
}

/* ===================================================================== */
/* Print Help Message                                                    */
/* ===================================================================== */

INT32 Usage()
{
    cerr << "This tool demonstrates the use of SafeCopy" << endl;
    cerr << endl << KNOB_BASE::StringKnobSummary() << endl;
    return -1;
}

/* ===================================================================== */
/* Main                                                                  */
/* ===================================================================== */

int main(int argc, char* argv[])
{
    // Write to a file since cout and cerr may be closed by the application
    out = new std::ofstream("safecopy.out");

    // Initialize pin & symbol manager
    if (PIN_Init(argc, argv)) return Usage();
    PIN_InitSymbols();

    // Register EmulateLoad to be called to instrument instructions
    INS_AddInstrumentFunction(EmulateLoad, 0);

    // Never returns
    PIN_StartProgram();

    return 0;
}
```
This is the first source in which PIN_SafeCopy() is used.
This tool is a tool that can read and write the values the program uses.
In this source, for instructions of the form mov register <- address, the DoLoad function is called;
inside DoLoad there is a PIN_SafeCopy, which puts the value stored at the address into value.
Question
```cpp
INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(DoLoad), IARG_UINT32, REG(INS_OperandReg(ins, 0)), IARG_MEMORYREAD_EA, IARG_RETURN_REGS, INS_OperandReg(ins, 0), IARG_END);
```
There are too many arguments here. My guess is that INS_OperandReg returns the operand, wrapping it in REG() extracts the register from the operand, and IARG_MEMORYREAD_EA is used to find out the address.
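Why DoLoad goes through PIN_SafeCopy instead of simply dereferencing `addr`: the analysis routine runs inside the application's own address space, so a plain `*addr` on an address the program never mapped would fault and kill both the application and the tool. The following is an added example, not code from the Pin SDK or from this post, and it does not reproduce Pin's real implementation. It is a small user-space stand-in (`safe_copy`, `emulate_load`, both hypothetical names) that probes the source range by handing it to the kernel through `write(2)` on a pipe, so an unreadable address comes back as EFAULT rather than a SIGSEGV. Linux/POSIX only.

```cpp
// Added example: a user-space stand-in for PIN_SafeCopy (not Pin's code).
#include <cerrno>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <unistd.h>

// Copy n bytes from src to dst without faulting if src is unreadable.
// Returns the number of bytes copied: n on success, 0 if the source range
// could not be read. Kept at or below 4096 bytes (PIPE_BUF) so that the
// pipe write is a single atomic transfer.
static size_t safe_copy(void* dst, const void* src, size_t n)
{
    if (n == 0 || n > 4096) return 0;
    int fds[2];
    if (pipe(fds) != 0) return 0;
    size_t copied = 0;
    // The kernel copies from src on our behalf; an unmapped or unreadable
    // address makes write() fail with EFAULT instead of faulting the process.
    ssize_t w = write(fds[1], src, n);
    if (w == static_cast<ssize_t>(n)) {
        ssize_t r = read(fds[0], dst, n);
        if (r == static_cast<ssize_t>(n)) copied = n;
    }
    close(fds[0]);
    close(fds[1]);
    return copied;
}

// Mirror of the tool's DoLoad: read one machine word through safe_copy and
// report via *ok whether the emulated load actually succeeded.
static uintptr_t emulate_load(const uintptr_t* addr, bool* ok)
{
    uintptr_t value = 0;
    *ok = safe_copy(&value, addr, sizeof(value)) == sizeof(value);
    return value;
}

int main()
{
    bool ok;
    // A readable address (our own stack): the load succeeds.
    uintptr_t stack_word = 0x5A5A;
    uintptr_t v = emulate_load(&stack_word, &ok);
    std::printf("readable: ok=%d value=0x%lx\n", ok, static_cast<unsigned long>(v));

    // An address below mmap_min_addr is never mapped: the load fails cleanly
    // and the process keeps running, which is the property PIN_SafeCopy gives a tool.
    const uintptr_t* bad = reinterpret_cast<const uintptr_t*>(static_cast<uintptr_t>(0x10));
    uintptr_t v2 = emulate_load(bad, &ok);
    std::printf("unmapped: ok=%d value=0x%lx\n", ok, static_cast<unsigned long>(v2));
    return 0;
}
```

The caller must check the returned byte count (or `ok`), exactly as a Pin tool should check PIN_SafeCopy's return value: a short copy means the value is not trustworthy, and a tool that logs or acts on it anyway will report garbage rather than crash, which is only an improvement if the failure is noticed.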