5

I have written this pintool:

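#include "pin.H"
#include <iostream>
#include <fstream>

// Needed on Pin kits whose headers do not import namespace std.
using std::cout;
using std::endl;

// Instrumentation routine: Pin calls it once per instruction when the code is
// first translated, not each time the instruction executes.
VOID Instruction(INS ins, VOID *v)
{
    cout << INS_Disassemble(ins) << endl;
}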

VOID Fini(INT32 code, VOID *v)
{
        cout << "Fin" << endl;
}

int main(int argc, char *argv[])
{
    if( PIN_Init(argc,argv) )
    {
            cout << "Erreur PIN_Init" << endl;
            return 0;
    }

    INS_AddInstrumentFunction(Instruction, 0);
    PIN_AddFiniFunction(Fini, 0);
    PIN_StartProgram();

    return 0;
}

I am printing all instructions. What I want to do now is to display the instruction address (EIP).

How can I do this?

Thanks

Bob5421
  • jingpu's tool on github appears to work for me https://github.com/jingpu/pintools/blob/master/source/tools/SimpleExamples/trace.cpp – plafratt May 19 '23 at 16:24

2 Answers

3
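#include "pin.H"
#include <iostream>
#include <fstream>
#include <string>

using std::cout;
using std::endl;
using std::string;

// Analysis routine: runs every time the instrumented instruction executes.
VOID DisplayInstruction(ADDRINT instructionAddress, string *assemblyCode)
{
    cout << std::hex << instructionAddress << ":" << std::dec << *assemblyCode << "\n";
}

// Instrumentation routine: runs once per instruction and inserts the call above.
VOID Instruction(INS ins, VOID *v)
{
    // IARG_PTR hands the heap-allocated disassembly string to the analysis routine.
    // The string is never freed because the inserted call keeps using it.
    INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)DisplayInstruction,
                   IARG_INST_PTR, IARG_PTR,
                   new string(INS_Disassemble(ins)), IARG_END);
}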

VOID Fini(INT32 code, VOID *v)
{
    cout << "Fin" << endl;
}

int main(int argc, char *argv[])
{
    if( PIN_Init(argc,argv) )
    {
        cout << "Erreur PIN_Init" << endl;
        return 0;
    }

    INS_AddInstrumentFunction(Instruction, 0);
    PIN_AddFiniFunction(Fini, 0);
    PIN_StartProgram();

    return 0;
}
fbahr
Bernard Nongpoh
  • Thanks. Is there a way to filter instructions which are in shared libraries? – Bob5421 Sep 11 '18 at 12:22
  • PIN_LockClient(); IMG image=IMG_FindByAddress(INS_Address(ins)); PIN_UnlockClient(); if (IMG_Valid(image) && IMG_IsMainExecutable(image)) { // Place your code here } – Bernard Nongpoh Sep 11 '18 at 12:26
  • There is something strange: I have tried your code. It seems to work. But if my target program contains a loop, I only see instructions for one iteration. What I want to do is to trace EACH instruction... – Bob5421 Sep 11 '18 at 19:19
  • Your requirement is to perform Dynamic Analysis. What I have shown you is Static Analysis which is once at instrumentation time only. – Bernard Nongpoh Sep 12 '18 at 05:06
0

You will need to add an analysis routine, and to pass IARG_REG_VALUE to that routine.

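// Analysis routine: called before every executed instruction.
VOID your_analysis_function(VOID *ip)
{
    std::cout << "ip:" << ip << std::endl;
}

VOID Instruction(INS ins, VOID *v)
{
    // IARG_INST_PTR supplies the instruction address as the routine's argument.
    // IARG_REG_VALUE must be followed by a REG, so it is not used here.
    INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)your_analysis_function,
                   IARG_INST_PTR, IARG_END);
}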
mn1
  • Thanks. In fact I do not really understand if the binary is really launched or if pintools just compute a symbolic execution. What happens with addresses if my binary is PIE? – Bob5421 Jul 30 '18 at 18:29
  • I'm not sure what you mean by "binary is launched". The instrumentation function happens during Pin jitting while the analysis function happens when the code is executed under Pin. If you see "ip:" in your output, then your binary is actually running (under Pin). – mn1 Jul 31 '18 at 18:52
  • In other words, is there a way for the binary to detect instrumentation? – Bob5421 Aug 01 '18 at 06:48
  • 1
    Pin is a *dynamic* binary instrumentation engine - that means it actually launches and runs the binary. As for detection, while Pin creates an execution environment that matches the binary's expectations, it doesn't camouflage itself, so it's easily detectable. – nitzanms Aug 07 '18 at 06:50
  • @Bob5421 here you can find a detailed study: https://re.public.polimi.it/retrieve/handle/11311/1030092/266288/polino-arancino-2017.pdf – Simone Aonzo Apr 16 '21 at 14:01
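
The comments above distinguish instrumentation time (once, while Pin translates the code) from analysis time (every execution), and ask about PIE addresses. The following toy model is an added example, not code from the thread and not the Pin API: `Ins`, `Trace`, `run` and `kLoop` are hypothetical names, and the model assumes per-instruction translation and a code cache that is never flushed.

```cpp
// Toy model of a JIT-based instrumentation engine (constructed; not the Pin API).
#include <cstdint>
#include <functional>
#include <iostream>
#include <map>
#include <string>
#include <vector>

enum Op { SET, DEC, JNZ, RET };
// off: offset inside the image; arg: constant for SET, target index for JNZ.
struct Ins { uint64_t off; std::string text; Op op; int64_t arg; };

struct Trace {
    std::vector<uint64_t> instrumented;  // runtime addresses, one entry per translation
    std::vector<uint64_t> executed;      // image-relative offsets, one entry per execution
};
using Analysis = std::function<void(uint64_t ip)>;

// Constructed sample: a loop whose two-instruction body runs three times.
const std::vector<Ins> kLoop = {
    {0x0, "mov ecx, 3", SET, 3}, {0x5, "dec ecx", DEC, 0},
    {0x7, "jnz 0x5", JNZ, 1},    {0x9, "ret", RET, 0}};

// Runs prog as if loaded at `base`; a PIE image gets a different base on each run.
Trace run(const std::vector<Ins>& prog, uint64_t base) {
    Trace t;
    std::map<size_t, Analysis> cache;  // "code cache": instruction index -> inserted call
    int64_t ecx = 0;
    for (size_t pc = 0; pc < prog.size();) {
        const Ins& ins = prog[pc];
        if (!cache.count(pc)) {        // first visit only: instrumentation routine
            t.instrumented.push_back(base + ins.off);
            // Subtracting the load base gives offsets that are stable across runs.
            cache[pc] = [&t, base](uint64_t ip) { t.executed.push_back(ip - base); };
        }
        cache[pc](base + ins.off);     // every visit: analysis routine
        switch (ins.op) {
            case SET: ecx = ins.arg; ++pc; break;
            case DEC: --ecx; ++pc; break;
            case JNZ: pc = (ecx != 0) ? static_cast<size_t>(ins.arg) : pc + 1; break;
            case RET: return t;
        }
    }
    return t;
}

int main() {
    Trace t = run(kLoop, 0x555555554000);
    std::cout << t.instrumented.size() << " instrumented, " << t.executed.size() << " executed\n";
}
```

Printing from the instrumentation routine therefore shows each loop instruction once, while the inserted analysis call sees every iteration.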