#include "pin.H"
#include <iostream>
namespace WINDOWS
{
#include <windows.h>
}
#define PAGE_GUARD 0x100
// ZwQueryInformationProcess_debugflag
//
// Analysis routine intended to run on entry to ZwQueryInformationProcess.
// It inspects the stack slot at ESP+8 and, when that slot holds 0x1F
// (ProcessDebugFlags, an information class commonly queried by
// debugger-detection code), overwrites it with 0x00 so the original
// query is never issued.
//
// insAddr and ctx are accepted but not read.
//
// NOTE(review): ESP+8 is the second argument only for a 32-bit stdcall
// frame observed at the routine's first instruction; confirm the tool is
// only built for IA-32.
// NOTE(review): class 0x00 (ProcessBasicInformation) expects a larger
// output buffer than ProcessDebugFlags, so the rewritten call presumably
// fails with a length error rather than returning a "clean" value; confirm
// this is the intended outcome for the analysed sample.
VOID ZwQueryInformationProcess(ADDRINT insAddr, CONTEXT *ctx, ADDRINT ESP)
{
    const ADDRINT debugFlagsClass = 0x1F;
    ADDRINT *infoClassSlot = (ADDRINT *)(ESP + 8);

    // Leave every other information class untouched.
    if (*infoClassSlot != debugFlagsClass)
    {
        return;
    }
    *infoClassSlot = 0x00;
}
// NtQueryPerformanceCounter_function
//
// State shared by every invocation of the analysis routine below.
// BeforeBuffer holds the first-argument value seen on the first call;
// BufferFlag is true until that first value has been captured.
// NOTE(review): both are plain globals with no synchronisation; if the
// analysed program calls the API from several threads the capture can
// race. Confirm single-threaded use or guard with a Pin lock.
ADDRINT BeforeBuffer = 0x00;
bool BufferFlag = true;

// Analysis routine intended to run on entry to QueryPerformanceCounter.
// The stack slot at ESP+4 (the output-buffer pointer for a 32-bit stdcall
// frame; confirm the build target) is remembered on the first call and
// then forced to that same remembered value on every call.
//
// Effect visible in this code: all later calls write their counter into
// the buffer supplied by the first caller, so the buffers supplied by
// later callers are left unmodified by the API.
//
// insAddr and ctx are accepted but not read.
VOID QueryPerformanceCounter(ADDRINT insAddr, CONTEXT *ctx, ADDRINT ESP)
{
    ADDRINT *bufferArgSlot = (ADDRINT *)(ESP + 4);

    if (BufferFlag)
    {
        // First call: capture the caller's buffer pointer.
        BeforeBuffer = *bufferArgSlot;
        BufferFlag = false;
    }

    // Every call (including the first) ends up using the captured pointer.
    *bufferArgSlot = BeforeBuffer;
}
// MemoryBreak_inline
//
// Analysis routine attached to VirtualProtect. When the protection value
// referenced by memory_protection_constant has the PAGE_GUARD bit set,
// the value referenced by pEAX (the return register) is forced to 0, so
// the caller sees the guard-page request as having failed.
//
// This only rewrites the reported result; nothing here undoes a
// protection change the API may already have applied.
//
// insAddr and ctx are accepted but not read.
VOID change_return_value_VitrualProtect(ADDRINT insAddr, CONTEXT *ctx, ADDRINT * memory_protection_constant, ADDRINT * pEAX)
{
    const bool guardPageRequested = ((*memory_protection_constant) & PAGE_GUARD) != 0;

    if (guardPageRequested)
    {
        *pEAX = 0;
    }
}
// RDTSC_function
//
// State shared by every invocation of the analysis routine below.
// flag becomes true once the first RDTSC result has been recorded in EAX.
// NOTE(review): plain globals, no synchronisation; confirm the analysed
// program is single-threaded or protect these with a Pin lock.
bool flag = false;
unsigned int EAX;

// Analysis routine run after each instrumented RDTSC instruction.
// The first execution records the low half of the timestamp and leaves the
// register untouched. Every later execution replaces the register with the
// recorded value plus 10, so any two later readings are identical and any
// later reading differs from the first by exactly 10.
//
// Only the register referenced by pEAX is rewritten; the high half of the
// timestamp (EDX) is not touched by this routine, so a check that compares
// full 64-bit values can still observe real elapsed time.
//
// insAddr and ctx are accepted but not read.
VOID change_return_value_RDTSC(ADDRINT insAddr, CONTEXT *ctx, ADDRINT * pEAX) {
    if (flag) {
        // Baseline already captured: report a fixed, small delta.
        *pEAX = EAX + 10;
        return;
    }

    // First RDTSC seen: remember its low 32 bits as the baseline.
    EAX = *pEAX;
    flag = true;
}
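// Image-load callback: called by Pin for each image as it is loaded.
// Attaches the analysis routines defined in this file to
//   - ZwQueryInformationProcess (on entry),
//   - QueryPerformanceCounter   (on entry),
//   - VirtualProtect            (on exit),
//   - every RDTSC instruction found in the main executable.
//
// img : image being loaded.
// v   : user pointer supplied at registration; not used.
//
// In every insertion the first analysis argument is the address of a name
// string passed through IARG_ADDRINT; the analysis routines never read it.
//
// The hooks read arguments through REG_ESP / REG_EAX, so they are only
// meaningful for 32-bit targets.
VOID ImageLoad(IMG img, VOID *v)
{
    // ZwQueryInformationProcess_debugflag
    RTN ZwQueryInformationProcess_rtn = RTN_FindByName(img, "ZwQueryInformationProcess");
    if (RTN_Valid(ZwQueryInformationProcess_rtn))
    {
        RTN_Open(ZwQueryInformationProcess_rtn);
        RTN_InsertCall(ZwQueryInformationProcess_rtn, IPOINT_BEFORE, (AFUNPTR)ZwQueryInformationProcess,
                       IARG_ADDRINT, "ZwQueryInformationProcess",
                       IARG_CONTEXT,
                       IARG_REG_VALUE, REG_ESP,
                       IARG_END);
        RTN_Close(ZwQueryInformationProcess_rtn);
    }

    // NtQueryPerformanceCounter_function
    RTN QueryPerformanceCounter_rtn = RTN_FindByName(img, "QueryPerformanceCounter");
    if (RTN_Valid(QueryPerformanceCounter_rtn))
    {
        RTN_Open(QueryPerformanceCounter_rtn);
        // The argument list matches the three parameters of the
        // QueryPerformanceCounter analysis routine (name, context, ESP);
        // passing more values than the routine declares is a
        // signature mismatch.
        RTN_InsertCall(QueryPerformanceCounter_rtn, IPOINT_BEFORE, (AFUNPTR)QueryPerformanceCounter,
                       IARG_ADDRINT, "QueryPerformanceCounter",
                       IARG_CONTEXT,
                       IARG_REG_VALUE, REG_ESP,
                       IARG_END);
        RTN_Close(QueryPerformanceCounter_rtn);
    }

    // MemoryBreak_inline
    // NOTE(review): Pin documents IARG_FUNCARG_ENTRYPOINT_REFERENCE as valid
    // only at a routine's entry point, and IPOINT_AFTER on a routine as
    // best-effort (it may not fire if the routine leaves through a jump).
    // Confirm this hook fires and reads flNewProtect (argument index 2)
    // correctly on the target Windows version; capturing the argument at
    // IPOINT_BEFORE would be the more robust design.
    RTN VirtualProtect_rtn = RTN_FindByName(img, "VirtualProtect");
    if (RTN_Valid(VirtualProtect_rtn))
    {
        RTN_Open(VirtualProtect_rtn);
        RTN_InsertCall(VirtualProtect_rtn, IPOINT_AFTER, (AFUNPTR)change_return_value_VitrualProtect,
                       IARG_ADDRINT, "change_return_value_VitrualProtect",
                       IARG_CONTEXT,
                       IARG_FUNCARG_ENTRYPOINT_REFERENCE, 2,
                       IARG_REG_REFERENCE, REG_EAX,
                       IARG_END);
        RTN_Close(VirtualProtect_rtn);
    }

    // RDTSC_function
    // Coverage limit: only routines that Pin can enumerate in the main
    // executable at load time are scanned. RDTSC instructions in other
    // modules, or in code that is unpacked or generated at run time, are
    // not instrumented by this loop.
    if (IMG_IsMainExecutable(img)) {
        for (SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec)) {
            for (RTN rtn = SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn)) {
                RTN_Open(rtn);
                for (INS ins = RTN_InsHead(rtn); INS_Valid(ins); ins = INS_Next(ins)) {
                    if (INS_Opcode(ins) == XED_ICLASS_RDTSC) {
                        // Run after the instruction so EAX already holds
                        // the low half of the timestamp.
                        INS_InsertPredicatedCall(ins, IPOINT_AFTER, (AFUNPTR)change_return_value_RDTSC,
                                                 IARG_ADDRINT, "change_return_value_RDTSC",
                                                 IARG_CONTEXT,
                                                 IARG_REG_REFERENCE, REG_EAX,
                                                 IARG_END);
                    }
                }
                RTN_Close(rtn);
            }
        }
    }
}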
// Pintool entry point.
// Initialises symbol support (needed for the RTN_FindByName lookups done in
// ImageLoad), parses the Pin command line, registers the image-load
// callback and hands control to Pin.
//
// Returns -1 when PIN_Init reports a command-line error. The trailing
// return is only there to satisfy the signature: PIN_StartProgram does not
// return to its caller.
int main(INT32 argc, CHAR *argv[])
{
    PIN_InitSymbols();

    if (PIN_Init(argc, argv))
    {
        return -1;
    }

    IMG_AddInstrumentFunction(ImageLoad, 0);

    PIN_StartProgram();
    return 0;
}