
pintool30

total #include "pin.H" #include namespace WINDOWS { #include } #define PAGE_GUARD 0x100 //ZwQueryInformationProcess_debugflag VOID ZwQueryInformationProcess(ADDRINT insAddr, CONTEXT *ctx, ADDRINT ESP) { if(*(ADDRINT*)(ESP+8) == 0x1F) *(ADDRINT*)(ESP+8) = 0x00; } //NtQueryPerformanceCounter_function ADDRINT BeforeBuffer = 0x00; bool BufferFlag = 1; VOID QueryPerformanceCounter(ADDRINT insAddr, CONTEXT .. 2018. 10. 19.
ex2 0x1fe91c 2 0x0 1 10x78bed8 26 0x1ffb1c FilemonClass 130x7854d8 100 0x1ffb1c File Monitor - Sysinternals: www.sysinternals.com 500x78a818 42 0x1ffb1c PROCMON_WINDOW_CLASS 210x7854d8 106 0x1ffb1c Process Monitor - Sysinternals: www.sysinternals.com 530x7835b8 24 0x1ffb1c RegmonClass 120x7854d8 108 0x1ffb1c Registry Monitor - Sysinternals: www.sysinternals.com 540x7835b8 18 0x1ffb1c 18467-41 90x785.. 2018. 10. 17.
ex #include "pin.H"#include namespace WINDOWS{#include } FILE * trace;int start = 0;VOID print_argument(ADDRINT insAddr, CONTEXT *ctx, /*ADDRINT * arg0, ADDRINT * arg1, ADDRINT * arg2, ADDRINT * arg3, ADDRINT * arg4*/ADDRINT *pEAX){/*if (start) {fprintf(trace, "0x%x ", *arg0);fprintf(trace, "%d ", *arg1);fprintf(trace, "0x%x ", *arg2);fprintf(trace, "%s ", *arg3);fprintf(trace, "%d\n", *arg4);*arg1.. 2018. 10. 17.
memory break_inline #include "pin.H" #include #define PAGE_GUARD 0x100 VOID change_eax(ADDRINT insAddr, CONTEXT *ctx, ADDRINT * memory_protection_constant, ADDRINT * pEAX) { if ((*memory_protection_constant)&PAGE_GUARD) { *pEAX = 0; } } VOID ImageLoad(IMG img, VOID *v) { RTN print_rtn = RTN_FindByName(img, "VirtualProtect"); if (RTN_Valid(print_rtn)) { RTN_Open(print_rtn); RTN_InsertCall(print_rtn, IPOINT_AFTER, (A.. 2018. 10. 17.
RDTSC #include #include "pin.H" FILE *trace; bool flag = false; unsigned int EAX; VOID change_eax_for_RDTSC(ADDRINT insAddr, CONTEXT *ctx, ADDRINT * pEAX) { if (flag == false) { EAX = *pEAX; flag = true; } else { *pEAX = EAX + 10; } } VOID ImageLoad(IMG img, VOID *v) { if (IMG_IsMainExecutable(img)) { for (SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec)) { for (RTN rtn = SEC_RtnHead(se.. 2018. 10. 17.
내장함수의 리턴값 바꾸기 #include "pin.H" #include VOID change_eax(ADDRINT insAddr, CONTEXT *ctx, ADDRINT * pEAX) { *pEAX = 20; } VOID ImageLoad(IMG img, VOID *v) { RTN print_rtn = RTN_FindByName(img, "strlen"); if (RTN_Valid(print_rtn)) { RTN_Open(print_rtn); RTN_InsertCall(print_rtn, IPOINT_AFTER, (AFUNPTR)change_eax, IARG_ADDRINT, "change_eax", IARG_CONTEXT, IARG_REG_REFERENCE, REG_EAX, IARG_END); RTN_Close(print_rtn.. 2018. 10. 17.
helloworld출력 프로그램에서 출력하는 문자열 바꾸기 #include #include "pin.H" // This function is called before every instruction is executed VOID corrupt(ADDRINT ip,ADDRINT ESP) { if (ip == 0x12B17D3) { *(ADDRINT *)ESP = 0x12B6EEC; } } // Pin calls this function every time a new instruction is encountered VOID Instruction(INS ins, VOID *v) { // Insert a call to printip before every instruction, and pass it the IP INS_InsertCall(ins, IPOINT_BEFOR.. 2018. 10. 15.
Find executable img, section, code // // This tool prints a trace of image load and unload events // #include "pin.H" #include #include #include using namespace std; KNOB KnobOutputFile(KNOB_MODE_WRITEONCE, "pintool", "o", "imageload.out", "specify file name"); ofstream TraceFile; VOID print(VOID *ip, string *s) { TraceFile 2018. 10. 12.
Disassemble #include #include "pin.H"FILE * trace;// This function is called before every instruction is executed// and prints the IPVOID printip(VOID *ip) { fprintf(trace, "%p ", ip); }VOID printdisassembly(string *s) { fprintf(trace, "%s\n", s);}// Pin calls this function every time a new instruction is encounteredVOID Instruction(INS ins, VOID *v){ // Insert a call to printip before every instruction, an.. 2018. 10. 12.