VOID Routine(RTN rtn, VOID *v)
{
RTN_Open(rtn);
RTN_NAME * rn = new RTN_NAME;
if (KnobOnly){
if(IMG_IsMainExecutable(SEC_Img(RTN_Sec(rtn))) \
/*&& std::strcmp(IMG_Name(SEC_Img(RTN_Sec(rtn))).c_str(),"/usr/lib/libSystem.B.dylib")!=0 \*/
|| std::strcmp(IMG_Name(SEC_Img(RTN_Sec(rtn))).c_str(),"/usr/lib/system/libsystem_malloc.dylib")==0)
{
funcList.push_back(RTN_Name(rtn));
cerr << "Getting "<< RTN_Name(rtn) <<endl ;
//RTN_Close(rtn);
//return ;
}
}
if(KnobOnly && find (funcList.begin(), funcList.end(), RTN_Name(rtn)) == funcList.end()){
cerr << "excluding : " << RTN_Name(rtn) ;
cerr << IMG_Name(SEC_Img(RTN_Sec(rtn))) << endl;
RTN_Close(rtn);
return;
}
// The RTN goes away when the image is unloaded, so save it now
// because we need it in the fin
rn->_name = RTN_Name(rtn);
rn->_image = IMG_Name(SEC_Img(RTN_Sec(rtn))).c_str();
rn->_address = RTN_Address(rtn);
//_address = RTN_Address(rtn);
// Insert a call at the entry point of a routine to increment the call count
RTN_InsertCall(rtn, IPOINT_BEFORE, (AFUNPTR)print, IARG_PTR, rn,IARG_FUNCARG_ENTRYPOINT_VALUE, 0, IARG_END);
RTN_InsertCall(rtn, IPOINT_AFTER, (AFUNPTR)ret,IARG_PTR,rn,IARG_FUNCRET_EXITPOINT_VALUE, IARG_END);
//INS_InsertCall(RTN_InsTail(rtn), IPOINT_BEFORE, (AFUNPTR)ret, IARG_END);
RTN_Close(rtn);
}
void img_load (IMG img, void *v)
{
struct event_imload *imevent;
char buffer[512];
size_t length;
/* fprintf(logfp, "load %s off=%08x low=%08x high=%08x start=%08x size=%08x\n",
IMG_Name(img).c_str(),
IMG_LoadOffset(img), IMG_LowAddress(img), IMG_HighAddress(img),
IMG_StartAddress(img), IMG_SizeMapped(img));*/
imevent = (struct event_imload *)buffer;
length = IMG_Name(img).length();
if (length > sizeof(buffer) - sizeof(struct event_imload))
length = sizeof(buffer) - sizeof(struct event_imload);
imevent->comm.type = ET_IMLOAD;
imevent->comm.tid = PIN_ThreadId();
imevent->struct_size = (int)((char *)imevent->name - (char *)imevent) + length + 1;
imevent->addr = IMG_LowAddress(img);
imevent->size = IMG_HighAddress(img) - IMG_LowAddress(img);
imevent->entry = IMG_Entry(img);
imevent->ismain = IMG_IsMainExecutable(img);
memcpy(imevent->name, IMG_Name(img).c_str(), length);
imevent->name[length] = '\0';
tb_write((event_common *)imevent, (size_t)imevent->struct_size);
osdep_iterate_symbols(img, process_symbol, (void *)&img);
tb_flush(PIN_ThreadId());
fprintf(logfp, "img+ %08x+%08x %s\n", IMG_StartAddress(img), IMG_SizeMapped(img), IMG_Name(img).c_str());
}
VOID Image(IMG img, VOID * v)
{
if ( (IMG_Name(img).find("ntdll.dll") != string::npos) ||
(IMG_Name(img).find("NTDLL.DLL") != string::npos) ||
(IMG_Name(img).find("NTDLL.dll") != string::npos) )
{
return;
}
if ( (IMG_Name(img).find("MSVCR") != string::npos) ||
(IMG_Name(img).find("msvcr") != string::npos) )
{ // _NLG_Return2 causes problems
return;
}
for (SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec))
{
for (RTN rtn = SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn))
{
if (RTN_Name(rtn).find(".text") != string::npos)
{
continue;
}
BOOL canBeProbed = RTN_IsSafeForProbedInsertion(rtn);
if (canBeProbed && RTN_Name(rtn)[0] != '_' && RTN_Name(rtn)[0] != '.')
{
RTN_InsertCallProbed( rtn, IPOINT_BEFORE, AFUNPTR(AtRtn), IARG_PTR, RTN_Name(rtn).c_str(), IARG_TSC, IARG_END);
}
}
}
}
// Image load callback - inserts the probes.
void ImgLoad(IMG img, void *v)
{
// Called every time a new image is loaded
if ( (IMG_Name(img).find("libncurses.so") != string::npos) ||
(IMG_Name(img).find("LIBNCURSES.SO") != string::npos) ||
(IMG_Name(img).find("LIBNCURSES.so") != string::npos) )
{
RTN rtngetch = RTN_FindByName(img, "getch");
if (RTN_Valid(rtngetch) && RTN_IsSafeForProbedReplacement(rtngetch))
{
OutFile << CurrentTime() << "Inserting probe for getch at " << RTN_Address(rtngetch) << endl;
OutFile.flush();
AFUNPTR fptr = (RTN_ReplaceProbed(rtngetch, AFUNPTR(mygetch)));
fptrgetch = (int (*)())fptr;
}
RTN rtnmvgetch = RTN_FindByName(img, "mvgetch");
if (RTN_Valid(rtnmvgetch) && RTN_IsSafeForProbedReplacement(rtnmvgetch))
{
OutFile << CurrentTime() << "Inserting probe for mvgetch at " << RTN_Address(rtnmvgetch) << endl;
OutFile.flush();
AFUNPTR fptr = (RTN_ReplaceProbed(rtnmvgetch, AFUNPTR(mymvgetch)));
fptrmvgetch = (int (*)(int, int))fptr;
}
}
// finished instrumentation
}
// Writes the image load event to the file "imgLog"
static void LogImageLoad(IMG img, void *v)
{
// Ensure that we can't overflow when we read it back.
ASSERTX (IMG_Name(img).length() < MAX_FILENAME_LENGTH);
ADDRESS_RANGE range = FindImageTextMargin(img);
// Log the data needed to restore it
fprintf(imgLog, "L '%s' %llx %lx %llx %d \n", IMG_Name(img).c_str(), (unsigned long long)range._low,
(long)(range._high - range._low), (unsigned long long)IMG_LoadOffset(img), (int)IMG_IsMainExecutable(img));
for (SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec))
{
if (SEC_Type(sec) != SEC_TYPE_EXEC)
{
continue;
}
for (RTN rtn=SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn))
{
if (RTN_IsArtificial(rtn))
{
continue;
}
fprintf(imgLog, "\t'%s' %llx\n", RTN_Name(rtn).c_str(), (unsigned long long)RTN_Address(rtn));
}
}
fprintf(imgLog, "%s", END_RTN_LIST);
}
// Writes the image unload event to the file "imgLog"
static void LogImageUnload(IMG img, void *)
{
ASSERTX (IMG_Name(img).length() < MAX_FILENAME_LENGTH);
// Log the unload event.
fprintf(imgLog, "U '%s'\n", IMG_Name(img).c_str());
}
// Save the image load event
static void LogImageLoad(IMG img, void *v)
{
// Ensure that we can't overflow when we read it back.
ASSERTX (IMG_Name(img).length() < MAX_FILENAME_LENGTH);
// Log the data needed to restore it
fprintf (imgLog, "L '%s' 0x%lx \n", IMG_Name(img).c_str(), (unsigned long)IMG_LoadOffset(img));
}
static VOID ImageLoad(IMG img, VOID *v)
{
static UINT32 mallocCount = 0;
PROTO protoMalloc = PROTO_Allocate(PIN_PARG(void *), CALLINGSTD_DEFAULT,
"malloc", PIN_PARG(size_t), PIN_PARG_END());
RTN rtnMalloc = RTN_FindByName(img, "malloc");
if (RTN_Valid(rtnMalloc))
{
TraceFile << "probing malloc #" << mallocCount << " in " << IMG_Name(img) << std::endl;
RTN_ReplaceSignatureProbed(rtnMalloc, AFUNPTR(MallocProbe),
IARG_PROTOTYPE, protoMalloc,
IARG_ORIG_FUNCPTR,
IARG_UINT32, static_cast<UINT32>(mallocCount),
IARG_FUNCARG_ENTRYPOINT_VALUE, 0,
#if defined(TARGET_IPF)
IARG_REG_VALUE, REG_TP,
#else
IARG_ADDRINT, static_cast<ADDRINT>(0),
#endif
IARG_END);
mallocCount++;
}
PROTO_Free(protoMalloc);
static UINT32 freeCount = 0;
PROTO protoFree = PROTO_Allocate(PIN_PARG(void), CALLINGSTD_DEFAULT,
"free", PIN_PARG(void *), PIN_PARG_END());
RTN freeRtn = RTN_FindByName(img, "free");
if (RTN_Valid(freeRtn))
{
TraceFile << "probing free #" << freeCount << " in " << IMG_Name(img) << std::endl;
RTN_ReplaceSignatureProbed(freeRtn, AFUNPTR(FreeProbe),
IARG_PROTOTYPE, protoFree,
IARG_ORIG_FUNCPTR,
IARG_UINT32, static_cast<UINT32>(freeCount),
IARG_FUNCARG_ENTRYPOINT_VALUE, 0,
#if defined(TARGET_IPF)
IARG_REG_VALUE, REG_TP,
#else
IARG_ADDRINT, static_cast<ADDRINT>(0),
#endif
IARG_END);
freeCount++;
}
PROTO_Free(protoFree);
}
static VOID
LogImageLoad(IMG img)
{
const string name = IMG_Name(img);
ADDRINT low = IMG_LowAddress(img);
ADDRINT high = IMG_HighAddress(img);
EmitLibraryLoadEvent(PIN_ThreadId(), IMG_Name(img),
IMG_LowAddress(img), IMG_HighAddress(img));
}
// - Get initial entropy
// - Get PE section data
// - Add filtered library
void imageLoadCallback(IMG img,void *){
Section item;
static int va_hooked = 0;
//get the initial entropy of the PE
//we have to consder only the main executable and avìvoid the libraries
if(IMG_IsMainExecutable(img)){
ProcInfo *proc_info = ProcInfo::getInstance();
//get the address of the first instruction
proc_info->setFirstINSaddress(IMG_Entry(img));
//get the program name
proc_info->setProcName(IMG_Name(img));
//get the initial entropy
MYINFO("----------------------------------------------");
float initial_entropy = proc_info->GetEntropy();
proc_info->setInitialEntropy(initial_entropy);
MYINFO("----------------------------------------------");
//retrieve the section of the PE
for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){
item.name = SEC_Name(sec);
item.begin = SEC_Address(sec);
item.end = item.begin + SEC_Size(sec);
proc_info->insertSection(item);
}
//DEBUG
proc_info->PrintSections();
}
//build the filtered libtrary list
FilterHandler *filterH = FilterHandler::getInstance();
ADDRINT startAddr = IMG_LowAddress(img);
ADDRINT endAddr = IMG_HighAddress(img);
const string name = IMG_Name(img);
if(!IMG_IsMainExecutable(img) && filterH->isKnownLibrary(name)){
/* searching for VirtualAlloc */
RTN rtn = RTN_FindByName( img, "VirtualAlloc");
if(rtn != RTN_Invalid()){
MYINFO("BECCATO LA VIRTUAL ALLOC\n");
ADDRINT va_address = RTN_Address(rtn);
MYINFO("Address of VirtualAlloc: %08x\n" , va_address);
RTN_Open(rtn);
RTN_InsertCall(rtn, IPOINT_AFTER, (AFUNPTR)VirtualAllocHook , IARG_G_ARG0_CALLEE , IARG_G_ARG1_CALLEE , IARG_G_RESULT0, IARG_END);
RTN_Close(rtn);
}
filterH->addLibrary(name,startAddr,endAddr);
}
}
VOID ImageLoad(IMG img, VOID *v)
{
if ( IMG_Name(img) == TARLIB ) {
// cout << IMG_Name(img) << " " << hex << IMG_LowAddress(img) << " " << IMG_HighAddress(img) << " "
// << IMG_NumRegions(img) << endl;
start = IMG_LowAddress(img);
end = IMG_HighAddress(img);
Stat << hex << start << ":" << end << endl;
cout << hex << start << ":" << end <<" "<< (start + FFI_CALL_UNIX64) << " " << (start+FF64END) << endl;
}
Stat << hex << IMG_Name(img) << " " << IMG_LowAddress(img) << " " << IMG_HighAddress(img) << " " <<endl;// IMG_NumRegions(img) << endl;
}
VOID ImageLoad (IMG img, VOID *v)
{
outfile << "Loaded image " << IMG_Name(img) << std::endl;
if (IMG_Name(img).find("bundle") == std::string::npos)
return;
for( SYM sym = IMG_RegsymHead(img); SYM_Valid(sym); sym = SYM_Next(sym) )
{
outfile << IMG_Name(img) << "::" << SYM_Name(sym) << std::endl;
}
}
void ImageLoad (IMG img, void *context)
{
fprintf (stderr, "Notified of load of %s at [%p,%p]\n",
IMG_Name(img).c_str(),
(char *)IMG_LowAddress(img), (char *)IMG_HighAddress(img));
// See if this is ntdll.dll
char szName[_MAX_FNAME];
char szExt[_MAX_EXT];
_splitpath_s (IMG_Name(img).c_str(),
NULL, 0,
NULL, 0,
szName, _MAX_FNAME,
szExt, _MAX_EXT);
strcat_s (szName, _MAX_FNAME, szExt);
if (0 != _stricmp ("ntdll.dll", szName))
return;
RTN rtn = RTN_FindByName (img, "RtlAllocateHeap");
if (RTN_Invalid() == rtn)
{
fprintf (stderr, "Failed to find RtlAllocateHeap in %s\n",
IMG_Name(img).c_str());
return;
}
fprintf(stderr,"Replacing\n");
PROTO protoRtlAllocateHeap =
PROTO_Allocate (PIN_PARG(void *),
CALLINGSTD_STDCALL,
"RtlAllocateHeap",
PIN_PARG(WINDOWS::PVOID), // HeapHandle
PIN_PARG(WINDOWS::ULONG), // Flags
PIN_PARG(WINDOWS::SIZE_T), // Size
PIN_PARG_END());
RTN_ReplaceSignature (rtn, (AFUNPTR)replacement_RtlAllocateHeap,
IARG_PROTOTYPE, protoRtlAllocateHeap,
IARG_ORIG_FUNCPTR,
IARG_FUNCARG_ENTRYPOINT_VALUE, 0,
IARG_FUNCARG_ENTRYPOINT_VALUE, 1,
IARG_FUNCARG_ENTRYPOINT_VALUE, 2,
IARG_CONTEXT,
IARG_END);
PROTO_Free (protoRtlAllocateHeap);
}
// - Get initial entropy
// - Get PE section data
// - Add filtered library
// - Add protected libraries
void imageLoadCallback(IMG img,void *){
Section item;
static int va_hooked = 0;
ProcInfo *proc_info = ProcInfo::getInstance();
FilterHandler *filterHandler = FilterHandler::getInstance();
//get the initial entropy of the PE
//we have to consder only the main executable and avìvoid the libraries
if(IMG_IsMainExecutable(img)){
ADDRINT startAddr = IMG_LowAddress(img);
ADDRINT endAddr = IMG_HighAddress(img);
proc_info->setMainIMGAddress(startAddr, endAddr);
//get the address of the first instruction
proc_info->setFirstINSaddress(IMG_Entry(img));
//get the program name
proc_info->setProcName(IMG_Name(img));
//get the initial entropy
MYINFO("----------------------------------------------");
float initial_entropy = proc_info->GetEntropy();
proc_info->setInitialEntropy(initial_entropy);
MYINFO("----------------------------------------------");
//create Report File
Report::getInstance()->initializeReport(proc_info->getProcName(), startAddr, endAddr , initial_entropy);
//retrieve the section of the PE
for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){
item.name = SEC_Name(sec);
item.begin = SEC_Address(sec);
item.end = item.begin + SEC_Size(sec);
proc_info->insertSection(item);
}
proc_info->PrintSections();
}
//build the filtered libtrary list
ADDRINT startAddr = IMG_LowAddress(img);
ADDRINT endAddr = IMG_HighAddress(img);
const string name = IMG_Name(img);
if(!IMG_IsMainExecutable(img)){
//*** If you need to protect other sections of other dll put them here ***
// check if there are some fuction that has top be hooked in this DLL
hookFun.hookDispatcher(img);
// check if we have to filter this library during thwe instrumentation
proc_info->addLibrary(name,startAddr,endAddr);
if(filterHandler->IsNameInFilteredArray(name)){
filterHandler->addToFilteredLibrary(name,startAddr,endAddr);
MYINFO("Added to the filtered array the module %s\n" , name);
}
}
}
// Pin calls this function every time a new rtn is executed
VOID Routine(RTN rtn, VOID *v)
{
// Allocate a counter for this routine
RTN_COUNT * rc = new RTN_COUNT;
// The RTN goes away when the image is unloaded, so save it now
// because we need it in the fini
rc->_name = RTN_Name(rtn);
rc->_image = StripPath(IMG_Name(SEC_Img(RTN_Sec(rtn))).c_str());
rc->_address = RTN_Address(rtn);
rc->_icount = 0;
rc->_rtnCount = 0;
// Add to list of routines
rc->_next = RtnList;
RtnList = rc;
RTN_Open(rtn);
// Insert a call at the entry point of a routine to increment the call count
RTN_InsertCall(rtn, IPOINT_BEFORE, (AFUNPTR)docount, IARG_PTR, &(rc->_rtnCount), IARG_END);
// For each instruction of the routine
for (INS ins = RTN_InsHead(rtn); INS_Valid(ins); ins = INS_Next(ins))
{
// Insert a call to docount to increment the instruction counter for this rtn
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)docount, IARG_PTR, &(rc->_icount), IARG_END);
}
RTN_Close(rtn);
}
VOID ImageLoad( IMG img, VOID *v )
{
RTN rtn;
fprintf( LogFile, "Loaded %s\r\n", IMG_Name( img ).c_str() );
// UDP
if ( (rtn = RTN_FindByName( img, "recvfrom" )) != RTN_Invalid() )
{
HookRecvFrom( img );
}
if ( (rtn = RTN_FindByName( img, "sendto" )) != RTN_Invalid() )
{
HookSendTo( img );
}
// TCP
if ( (rtn = RTN_FindByName( img, "recv" )) != RTN_Invalid() )
{
HookRecv( img );
}
if ( (rtn = RTN_FindByName( img, "send" )) != RTN_Invalid() )
{
HookSend( img );
}
/*
Uncomment if necessary, untested though!
if ( (rtn = RTN_FindByName( img, "WSASendTo" )) != RTN_Invalid() )
{
HookWSASendTo( img, (AFUNPTR)replacementWSASendTo, "WSASendTo" );
}
*/
}
VOID Image(IMG img, VOID *v){
char szFilePath[260];
unsigned long index;
GetLock(&lock, 1);
if (process_start != 0){
ReleaseLock(&lock);
return;
}
if (IMG_Valid(img)){
memset(szFilePath, 0, sizeof(szFilePath));
strncpy(szFilePath, IMG_Name(img).c_str(), sizeof(szFilePath)-1);
index = 0;
while (szFilePath[index] != 0){
szFilePath[index] = tolower(szFilePath[index]);
index++;
}
if (strstr(szFilePath, KnobProcessToTrace.Value().c_str())){
process_start = IMG_LowAddress(img);
process_end = IMG_HighAddress(img);
}
}
ReleaseLock(&lock);
}
VOID MemWrite(THREADID tid, ADDRINT ea, ADDRINT eip )
{
IMG imgR;
string retName = "ANON", rR = "unknown";
thread_data_t *tdata = get_tls(tid);
list<ADDRINT>::const_iterator sp_iter;
for (sp_iter = tdata->data_sp.begin(); sp_iter != tdata->data_sp.end(); sp_iter++) {
if ( *sp_iter == ea )
break;
}
if ( sp_iter != tdata->data_sp.end() ) {
PIN_LockClient();
imgR = IMG_FindByAddress((ADDRINT)eip);
PIN_UnlockClient();
if ( IMG_Valid(imgR) ) {
retName = IMG_Name(imgR);
}
rR = RTN_FindNameByAddress((ADDRINT)eip);
OutFile[tid] << tid << hex << "return address overwrite!!! " << ea << " "
<< eip << " " << retName << " " << rR << endl;
}
}
BaseIRBuilder::BaseIRBuilder(__uint address, const std::string &dis) {
RTN rtn;
SEC sec;
IMG img;
this->address = address;
this->branchTaken = false;
this->branchTargetAddress = 0;
this->disas = dis;
this->needSetup = false;
this->nextAddress = 0;
this->imageName = "unknown";
this->sectionName = "unknown";
rtn = RTN_FindByAddress(address);
if (RTN_Valid(rtn)) {
sec = RTN_Sec(rtn);
if (SEC_Valid(sec)) {
this->sectionName = SEC_Name(sec);
img = SEC_Img(sec);
if (IMG_Valid(img)) {
this->baseAddress = IMG_LowAddress(img);
this->imageName = IMG_Name(img);
}
}
}
this->offset = this->address - this->baseAddress;
this->routineName = RTN_FindNameByAddress(address);
if (this->routineName.empty())
this->routineName = "unknown";
}
VOID AddPthreadsCallbacks(IMG img) {
RTN rtn;
rtn = RTN_FindByName(img, "pthread_join");
if (RTN_Valid(rtn)) {
cerr << IMG_Name(img) << ": pthread_join" << endl;
RTN_Open(rtn);
RTN_InsertCall(rtn,
IPOINT_BEFORE,
AFUNPTR(PTHREAD_beforeJoin),
IARG_THREAD_ID,
IARG_FUNCARG_ENTRYPOINT_VALUE,
0,
IARG_CALL_ORDER,
CALL_ORDER_FIRST,
IARG_END);
RTN_InsertCall(rtn,
IPOINT_AFTER,
AFUNPTR(PTHREAD_afterJoin),
IARG_THREAD_ID,
IARG_CALL_ORDER,
CALL_ORDER_LAST,
IARG_END);
RTN_Close(rtn);
}
}
VOID ImageUnload(IMG img, VOID *v)
{
if (inMain)
{
cout << "Unloaded " << IMG_Name(img) << endl;
}
}
/*
* Called when a new image is loaded.
* Currently only acts when the main executable is loaded to set exename global.
*/
static void ImageLoad(IMG img, VOID * v) {
// XXX: check if this works correctly when execv() is used.
if (IMG_IsMainExecutable(img)) {
exename = path_resolve(IMG_Name(img));
pid = getpid();
PROVLOG_EXEC(exename, pid);
// Add stdin/stdout/stderr to watched file descriptors.
// This should take place while loading the image in order to have
// exename available.
if ( atoi(TrackStdin.Value().c_str()) ) {
ufd_t ufd = ufdmap.get(STDIN_FILENO);
std::string fdn = fdname(STDIN_FILENO);
fdset.insert(STDIN_FILENO);
LOG( "Watching fd" + decstr(STDIN_FILENO) + " (" + fdn + ").\n");
PROVLOG_OPEN(ufd, fdn, fcntl(STDIN_FILENO, F_GETFL), 0);
}
if ( atoi(TrackStdout.Value().c_str()) ) {
ufd_t ufd = ufdmap.get(STDOUT_FILENO);
std::string fdn = fdname(STDOUT_FILENO);
fdset.insert(STDOUT_FILENO);
LOG( "Watching fd" + decstr(STDOUT_FILENO) + " (" + fdn + ").\n");
PROVLOG_OPEN(ufd, fdn, fcntl(STDOUT_FILENO, F_GETFL), 0);
}
if ( atoi(TrackStderr.Value().c_str()) ) {
ufd_t ufd = ufdmap.get(STDERR_FILENO);
std::string fdn = fdname(STDERR_FILENO);
fdset.insert(STDERR_FILENO);
LOG( "Watching fd" + decstr(STDERR_FILENO) + " (" + fdn + ").\n");
PROVLOG_OPEN(ufd, fdn, fcntl(STDERR_FILENO, F_GETFL), 0);
}
}
}
VOID ImageLoad(IMG img, VOID *v)
{
printf ("ImageLoad %s\n", IMG_Name(img).c_str());
for (SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec))
{
for (RTN rtn = SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn))
{
if (strcmp(RTN_Name(rtn).c_str(), "_dl_debug_state") == 0)
{
printf (" RTN %s at %p\n", RTN_Name(rtn).c_str(), reinterpret_cast<void *>(RTN_Address(rtn)));
printf (" ** found _dl_debug_state\n");
dl_debug_state_Addr = RTN_Address(rtn);
justFoundDlDebugState = TRUE;
}
else if (justFoundDlDebugState)
{
printf (" RTN %s at %p\n", RTN_Name(rtn).c_str(), reinterpret_cast<void *>(RTN_Address(rtn)));
dl_debug_state_AddrEnd = RTN_Address(rtn);
justFoundDlDebugState = FALSE;
printf (" ** _dl_debug_state from %p to %p\n", reinterpret_cast<void *>(dl_debug_state_Addr), reinterpret_cast<void *>(dl_debug_state_AddrEnd));
}
}
}
}
VOID Image(IMG img, VOID *v)
{
// Skip all images, but kernel32.dll
if (!CmpBaseImageName(IMG_Name(img), "kernel32.dll"))
{
return;
}
// hook the functions in the image. If these functions are called then it means
// that pin has not lost control.
RTN rtn = RTN_FindByName(img, "OutputDebugStringA");
if (RTN_Valid(rtn))
{
RTN_Open(rtn);
RTN_InsertCall(rtn, IPOINT_BEFORE, AFUNPTR(BeforeOutputDebugString), IARG_END);
RTN_Close(rtn);
}
rtn = RTN_FindByName(img, "OutputDebugStringW");
if (RTN_Valid(rtn))
{
RTN_Open(rtn);
RTN_InsertCall(rtn, IPOINT_BEFORE, AFUNPTR(BeforeOutputDebugString), IARG_END);
RTN_Close(rtn);
}
}
/*****************************************************************************
函 数 名 : rtn
功能描述 : Pin calls this function every time a new rtn is executed
输入参数 : RTN rtn
VOID * v
输出参数 : 无
返 回 值 :
调用函数 :
被调函数 :
修改历史 :
1.日 期 : 2012年5月16日
作 者 : @zhi
修改内容 : 新生成函数
*****************************************************************************/
VOID rtn(RTN rtn, VOID * v)
{
//干掉系统的动态连接库, 即IMG为/lib/*
if(EXCEPT_SEC == IMG_Name(SEC_Img(RTN_Sec(rtn)))
.substr(0, EXCEPT_SEC.size()))
{
return;
}
RTN_Open(rtn);
if ( g_backTraceFlg )
{
//第一次进入,回溯已调用的函数(附加到进程模式)
//, 参数为待执行函数的函数名,函数起始地址,函数EBP(函数初始未压栈)
RTN_InsertCall(rtn, IPOINT_BEFORE,
(AFUNPTR)traceBack,
//IARG_PTR, RTN_Name(rtn).c_str(),
//IARG_ADDRINT, RTN_Address(rtn),
IARG_REG_VALUE, REG_STACK_PTR,
IARG_REG_VALUE, REG_EBP, IARG_END);
}
RTN_InsertCall(rtn, IPOINT_BEFORE,
(AFUNPTR)funcPackage,
IARG_PTR, RTN_Name(rtn).c_str(),
IARG_ADDRINT, RTN_Address(rtn),
IARG_REG_VALUE, REG_EBP,
//IARG_REG_VALUE, REG_STACK_PTR, IARG_END);
IARG_END);
RTN_Close(rtn);
}
/* ===================================================================== */
VOID ImageLoad(IMG img, VOID *v)
{
BOOL jitMode = (v==0);
if (IMG_IsMainExecutable(img))
{
fprintf(stdout, "Image %s is loaded in %s mode\n", IMG_Name(img).c_str(), (jitMode?"JIT":"PROBE"));
}
}
// Called every time a new image is loaded
// Look for routines that we want to probe
VOID ImageLoad(IMG img, VOID *v)
{
const ANNOTATION *ann = 0;
USIZE num = 0;
printf("Processing %s\n", IMG_Name(img).c_str());
for (SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec))
{
if (SEC_Name(sec) == "MyAnnot")
{
ann = reinterpret_cast<const ANNOTATION*>(SEC_Data(sec));
num = SEC_Size(sec) / sizeof(ANNOTATION);
}
}
if (ann)
{
printf("Found annotations: \n");
for (UINT32 i = 0; i < num; i++)
{
ADDRINT addr = ann[i].addr;
ADDRINT val = ann[i].value;
printf("\t%p %p\t", Addrint2VoidStar(addr), Addrint2VoidStar(val));
if (PIN_IsSafeForProbedInsertion(addr))
{
PIN_InsertCallProbed(addr, AFUNPTR(Notification), IARG_ADDRINT, val, IARG_END);
printf(" - OK\n");
}
else
{
printf(" - Failed\n");
}
}
// Set the write line function, from the image of the annotations (i.e. the main executable).
RTN writeRtn = RTN_FindByName(img, "write_line");
if (RTN_Valid(writeRtn))
{
writeFun = (void (*)(char *))RTN_Funptr(writeRtn);
}
}
printf("Completed %s\n", IMG_Name(img).c_str());
}
void DoReplacementFunc( IMG img, char * funcName)
{
RTN rtnToReplace;
printf ("Image %s\n", IMG_Name(img).c_str());
for (SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec))
{
for (RTN rtn = SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn))
{
printf (" Rtn: %s %s\n", RTN_Name(rtn).c_str(), funcName);
if (strstr( RTN_Name(rtn).c_str(), funcName))
{
//printf (" found\n");
foundFunc = true;
rtnToReplace = rtn;
break;
}
}
if (foundFunc)
{
break;
}
}
if (!foundFunc)
{
return;
}
printf ( "Found %s %x\n", funcName, RTN_Address(rtnToReplace));
// commented out so that absence of pdb file will not cause failure
if (RTN_IsSafeForProbedReplacement(rtnToReplace))
{
printf ( "RTN_ReplaceSignatureProbed on %s\n", funcName);
foundFunc = true;
PROTO protoOfStdCallFunction1ToBeReplacedByPin
= PROTO_Allocate( PIN_PARG(void *),
CALLINGSTD_STDCALL,
"protoOfStdCallFunction1ToBeReplacedByPin",
PIN_PARG(char),
PIN_PARG(int),
PIN_PARG(char),
PIN_PARG(int),
PIN_PARG_END() );
RTN_ReplaceSignatureProbed(rtnToReplace, AFUNPTR(ReplacementFunc),
IARG_PROTOTYPE, protoOfStdCallFunction1ToBeReplacedByPin,
IARG_ORIG_FUNCPTR,
IARG_FUNCARG_ENTRYPOINT_VALUE, 0,
IARG_FUNCARG_ENTRYPOINT_VALUE, 1,
IARG_FUNCARG_ENTRYPOINT_VALUE, 2,
IARG_FUNCARG_ENTRYPOINT_VALUE, 3,
IARG_END);
PROTO_Free( protoOfStdCallFunction1ToBeReplacedByPin );
}
}
static IMG FindNamedImg(const string& imgName)
{
// Visit every loaded image
for (IMG img= APP_ImgTail(); IMG_Valid(img); img = IMG_Prev(img))
{
if (IMG_Name(img) == imgName)
return img;
}
return IMG_Invalid();
}
static void reportError(ADDRINT addr)
{
fprintf (stderr, "BAD Fetch from 0x%08x\n", addr);
for (IMG img= APP_ImgHead(); IMG_Valid(img); img = IMG_Next(img))
{
fprintf (stderr, "%-30s: 0x%08x:0x%08x\n", IMG_Name(img).c_str(),
IMG_LowAddress(img),IMG_HighAddress(img));
}
exit (-1);
}