/*
* ImageLoad
* Replace native malloc, realloc, free functions with my custum functions
* so that I can get mem allocation informations.
*/
VOID ImageLoad(IMG img, VOID *v)
{
RTN mallocRtn = RTN_FindByName(img, "malloc");
if (RTN_Valid(mallocRtn))
{
PROTO proto_malloc = PROTO_Allocate( PIN_PARG(void *), CALLINGSTD_DEFAULT,
"malloc", PIN_PARG(size_t), PIN_PARG_END() );
RTN_ReplaceSignature(
mallocRtn, AFUNPTR( Malloc ),
IARG_PROTOTYPE, proto_malloc,
IARG_CONTEXT,
IARG_ORIG_FUNCPTR,
IARG_FUNCARG_ENTRYPOINT_VALUE, 0,
IARG_CALL_ORDER, CALL_ORDER_FIRST,
IARG_END);
}
RTN reallocRtn = RTN_FindByName(img, "realloc");
if (RTN_Valid(reallocRtn))
{
PROTO proto_realloc = PROTO_Allocate( PIN_PARG(void *), CALLINGSTD_DEFAULT,
"realloc", PIN_PARG(void *), PIN_PARG(size_t), PIN_PARG_END() );
RTN_ReplaceSignature(
reallocRtn, AFUNPTR( Realloc ),
IARG_PROTOTYPE, proto_realloc,
IARG_CONTEXT,
IARG_ORIG_FUNCPTR,
IARG_FUNCARG_ENTRYPOINT_VALUE, 0,
IARG_FUNCARG_ENTRYPOINT_VALUE, 1,
IARG_CALL_ORDER, CALL_ORDER_FIRST+1,
IARG_END);
}
RTN freeRtn = RTN_FindByName(img, "free");
if (RTN_Valid(freeRtn))
{
PROTO proto_free = PROTO_Allocate( PIN_PARG(void), CALLINGSTD_DEFAULT,
"free", PIN_PARG(void *), PIN_PARG_END() );
RTN_ReplaceSignature(
freeRtn, AFUNPTR( Free ),
IARG_PROTOTYPE, proto_free,
IARG_CONTEXT,
IARG_ORIG_FUNCPTR,
IARG_FUNCARG_ENTRYPOINT_VALUE, 0,
IARG_CALL_ORDER, CALL_ORDER_FIRST+2,
IARG_END);
}
}
VOID Image(IMG img, void *v)
{
RTN rtn = RTN_FindByName(img, "ReplacedXmmRegs");
if (RTN_Valid(rtn))
{
PROTO proto = PROTO_Allocate(PIN_PARG(int), CALLINGSTD_DEFAULT, "ReplacedXmmRegs", PIN_PARG_END());
RTN_ReplaceSignature(rtn, AFUNPTR(REPLACE_ReplacedXmmRegs),
IARG_PROTOTYPE, proto,
(KnobUseIargConstContext)?IARG_CONST_CONTEXT:IARG_CONTEXT,
IARG_THREAD_ID,
IARG_ORIG_FUNCPTR,
IARG_END);
PROTO_Free(proto);
printf ("TOOL found and replaced ReplacedXmmRegs\n");
fflush (stdout);
RTN rtn = RTN_FindByName(img, "ExecutedAtFunc");
if (RTN_Valid(rtn))
{
executeAtAddr = RTN_Address(rtn);
printf ("TOOL found ExecutedAtFunc for later PIN_ExecuteAt\n");
fflush (stdout);
}
rtn = RTN_FindByName(img, "DumpXmmRegsAtException");
if (RTN_Valid(rtn))
{
dumpXmmRegsAtExceptionAddr = RTN_Address(rtn);
printf ("TOOL found DumpXmmRegsAtException for later Exception\n");
fflush (stdout);
}
}
}
static VOID Trace(TRACE trace, VOID *v)
{
RTN rtn = TRACE_Rtn(trace);
if (!RTN_Valid(rtn) || RTN_Name(rtn) != watch_rtn)
{
return;
}
if (TRACE_Address(trace) == RTN_Address(rtn))
{
// Pin does not support issuing an RTN_ReplaceSignature from the TRACE instrumentation callback
// This will cause Pin to terminate with an error
PROTO proto_watch_rtn
= PROTO_Allocate(PIN_PARG(void), CALLINGSTD_DEFAULT, "watch_rtn", PIN_PARG(int), PIN_PARG_END());
RTN_ReplaceSignature(rtn, AFUNPTR(WatchRtnReplacement),
IARG_PROTOTYPE, proto_watch_rtn,
IARG_CONST_CONTEXT,
IARG_THREAD_ID,
IARG_ORIG_FUNCPTR,
IARG_FUNCARG_ENTRYPOINT_VALUE, 0,
IARG_END);
}
VOID HookTCP( const IMG img, const AFUNPTR replacement, const char *functionName )
{
fprintf(LogFile, "Found %s...\r\n", functionName );
std::cerr << "Found " << functionName << "..." << endl;
// hook
RTN rtn = RTN_FindByName( img, functionName );
PROTO proto =
PROTO_Allocate( PIN_PARG(WINDOWS::INT),
CALLINGSTD_STDCALL,
functionName,
PIN_PARG(WINDOWS::SOCKET), // s,
PIN_PARG(WINDOWS::CHAR *), // buf,
PIN_PARG(WINDOWS::INT), // len
PIN_PARG(WINDOWS::INT), // flags
PIN_PARG_END()
);
RTN_ReplaceSignature( rtn, replacement,
IARG_PROTOTYPE, proto,
IARG_ORIG_FUNCPTR,
IARG_FUNCARG_ENTRYPOINT_VALUE, 0,
IARG_FUNCARG_ENTRYPOINT_VALUE, 1,
IARG_FUNCARG_ENTRYPOINT_VALUE, 2,
IARG_FUNCARG_ENTRYPOINT_VALUE, 3,
IARG_CONTEXT,
IARG_PTR, functionName,
IARG_END
);
PROTO_Free( proto );
}
// Hooks
VOID HookUDP( const IMG img, const AFUNPTR replacement, const char *functionName )
{
std::cerr << "Found " << functionName << "..." << endl;
RTN rtn = RTN_FindByName(img, functionName );
PROTO proto =
PROTO_Allocate( PIN_PARG(WINDOWS::INT), // retval
CALLINGSTD_STDCALL,
functionName,
PIN_PARG(WINDOWS::SOCKET), // s,
PIN_PARG(WINDOWS::CHAR *), // buf,
PIN_PARG(WINDOWS::INT), // len
PIN_PARG(WINDOWS::INT), // flags
PIN_PARG(WINDOWS::SOCKADDR *), // from|to,
PIN_PARG(WINDOWS::INT *), // fromlen|tolen,
PIN_PARG_END()
);
RTN_ReplaceSignature(rtn, replacement,
IARG_PROTOTYPE, proto,
IARG_ORIG_FUNCPTR,
IARG_FUNCARG_ENTRYPOINT_VALUE, 0,
IARG_FUNCARG_ENTRYPOINT_VALUE, 1,
IARG_FUNCARG_ENTRYPOINT_VALUE, 2,
IARG_FUNCARG_ENTRYPOINT_VALUE, 3,
IARG_FUNCARG_ENTRYPOINT_VALUE, 4,
IARG_FUNCARG_ENTRYPOINT_VALUE, 5,
IARG_CONTEXT,
IARG_PTR, functionName,
IARG_END
);
std::cerr << "Replaced " << RTN_Name( rtn ) << " and stuff. " << endl;
PROTO_Free(proto);
}
inline static AFUNPTR execute (const Routine & rtn, const Prototype & prototype, CALLINGSTD_TYPE callstd_type)
{
return
RTN_ReplaceSignature (rtn,
AFUNPTR (REPLACEMENT::execute),
IARG_PROTOTYPE,
(PROTO)prototype,
IARG_END);
}
VOID ImageLoad(IMG img, VOID *v)
{
RTN rtn = RTN_FindByName(img, "TestIargPreserveInReplacement");
if (RTN_Valid(rtn))
{
printf ("found TestIargPreserveInReplacement\n");
fflush (stdout);
PROTO proto = PROTO_Allocate( PIN_PARG(void), CALLINGSTD_DEFAULT,
"TestIargPreserveInReplacementProto", PIN_PARG_END() );
REGSET regsFP;
REGSET_Clear(regsFP);
REGSET_Insert (regsFP, REG_X87);
RTN_ReplaceSignature(
rtn, AFUNPTR(TestIargPreserveReplacement),
IARG_PROTOTYPE, proto,
IARG_CONTEXT,
IARG_ORIG_FUNCPTR,
IARG_PRESERVE, ®sFP,
IARG_END);
PROTO_Free( proto );
}
rtn = RTN_FindByName(img, "TestIargPreserveInReplacement1");
if (RTN_Valid(rtn))
{
printf ("found TestIargPreserveInReplacement1\n");
fflush (stdout);
PROTO proto = PROTO_Allocate( PIN_PARG(void), CALLINGSTD_DEFAULT,
"TestIargPreserveInReplacementProto", PIN_PARG_END() );
RTN_ReplaceSignature(
rtn, AFUNPTR(TestIargPreserveReplacement1),
IARG_PROTOTYPE, proto,
IARG_CONTEXT,
IARG_ORIG_FUNCPTR,
IARG_END);
PROTO_Free( proto );
}
}
void ImageLoad (IMG img, void *context)
{
fprintf (stderr, "Notified of load of %s at [%p,%p]\n",
IMG_Name(img).c_str(),
(char *)IMG_LowAddress(img), (char *)IMG_HighAddress(img));
// See if this is ntdll.dll
char szName[_MAX_FNAME];
char szExt[_MAX_EXT];
_splitpath_s (IMG_Name(img).c_str(),
NULL, 0,
NULL, 0,
szName, _MAX_FNAME,
szExt, _MAX_EXT);
strcat_s (szName, _MAX_FNAME, szExt);
if (0 != _stricmp ("ntdll.dll", szName))
return;
RTN rtn = RTN_FindByName (img, "RtlAllocateHeap");
if (RTN_Invalid() == rtn)
{
fprintf (stderr, "Failed to find RtlAllocateHeap in %s\n",
IMG_Name(img).c_str());
return;
}
fprintf(stderr,"Replacing\n");
PROTO protoRtlAllocateHeap =
PROTO_Allocate (PIN_PARG(void *),
CALLINGSTD_STDCALL,
"RtlAllocateHeap",
PIN_PARG(WINDOWS::PVOID), // HeapHandle
PIN_PARG(WINDOWS::ULONG), // Flags
PIN_PARG(WINDOWS::SIZE_T), // Size
PIN_PARG_END());
RTN_ReplaceSignature (rtn, (AFUNPTR)replacement_RtlAllocateHeap,
IARG_PROTOTYPE, protoRtlAllocateHeap,
IARG_ORIG_FUNCPTR,
IARG_FUNCARG_ENTRYPOINT_VALUE, 0,
IARG_FUNCARG_ENTRYPOINT_VALUE, 1,
IARG_FUNCARG_ENTRYPOINT_VALUE, 2,
IARG_CONTEXT,
IARG_END);
PROTO_Free (protoRtlAllocateHeap);
}
/* ===================================================================== */
VOID ImageLoad(IMG img, VOID *v)
{
if (!IMG_IsMainExecutable(img))
{
return;
}
const char * name = "check_sp_value";
RTN rtn = RTN_FindByName(img, name);
if (RTN_Valid(rtn))
{
PROTO proto = PROTO_Allocate(PIN_PARG(int),
CALLINGSTD_DEFAULT, name,
PIN_PARG(void*),
PIN_PARG_END() );
if ( ! PIN_IsProbeMode() )
{
RTN_ReplaceSignature(
rtn, AFUNPTR(check_sp_value),
IARG_PROTOTYPE, proto,
IARG_FUNCARG_ENTRYPOINT_VALUE, 0,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_REG_VALUE, REG_ESP,
IARG_REG_VALUE, REG_SP,
IARG_END);
}
else if (RTN_IsSafeForProbedReplacement(rtn))
{
RTN_ReplaceSignatureProbed(
rtn, AFUNPTR(check_sp_value),
IARG_PROTOTYPE, proto,
IARG_FUNCARG_ENTRYPOINT_VALUE, 0,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_REG_VALUE, REG_ESP,
IARG_REG_VALUE, REG_SP,
IARG_END);
}
PROTO_Free( proto);
}
}
// WSASendTo HOOK Untested, I think. I forget :/.
VOID HookWSASendTo( const IMG img, AFUNPTR replacement, const char *functionName )
{
std::cerr << "Found " << functionName << "..." << endl;
RTN rtn = RTN_FindByName(img, functionName );
PROTO proto =
PROTO_Allocate( PIN_PARG(WINDOWS::INT), // retval
CALLINGSTD_STDCALL,
functionName,
PIN_PARG(WINDOWS::SOCKET), // s,
PIN_PARG(WINDOWS::LPWSABUF), // lpBuffers,
PIN_PARG(WINDOWS::DWORD), // dwBufferCount
PIN_PARG(WINDOWS::LPDWORD), // lpNumberOfBytesSend
PIN_PARG(WINDOWS::DWORD), // dwFlags
PIN_PARG(WINDOWS::SOCKADDR *), // lpTo,
PIN_PARG(WINDOWS::INT), // iToLen,
PIN_PARG(WINDOWS::LPWSAOVERLAPPED), // lpOverlapped
PIN_PARG(WINDOWS::LPWSAOVERLAPPED_COMPLETION_ROUTINE), // lpCompletionRoutine
PIN_PARG_END()
);
RTN_ReplaceSignature(rtn, replacement,
IARG_PROTOTYPE, proto,
IARG_ORIG_FUNCPTR,
IARG_FUNCARG_ENTRYPOINT_VALUE, 0,
IARG_FUNCARG_ENTRYPOINT_VALUE, 1,
IARG_FUNCARG_ENTRYPOINT_VALUE, 2,
IARG_FUNCARG_ENTRYPOINT_VALUE, 3,
IARG_FUNCARG_ENTRYPOINT_VALUE, 4,
IARG_FUNCARG_ENTRYPOINT_VALUE, 5,
IARG_FUNCARG_ENTRYPOINT_VALUE, 6,
IARG_FUNCARG_ENTRYPOINT_VALUE, 7,
IARG_FUNCARG_ENTRYPOINT_VALUE, 8,
IARG_CONTEXT,
IARG_PTR, functionName,
IARG_END
);
std::cerr << "Replaced " << RTN_Name( rtn ) << endl;
PROTO_Free(proto);
}
VOID Image(IMG img, VOID *v)
{
// Instrument the memcpy() function. Print the input argument f each memcpy().
// Find the memcpy() function.
RTN memcpyRtn = RTN_FindByName(img, "memcpy");
if (RTN_Valid(memcpyRtn))
{
if (SYM_IFunc(RTN_Sym(memcpyRtn)))
{
TraceFile << "Ifunc memcpy" << endl;
PROTO proto_ifunc_memcpy = PROTO_Allocate( PIN_PARG(void *), CALLINGSTD_DEFAULT,
"memcpy", PIN_PARG_END() );
actual_memcpy_add= RTN_Address(memcpyRtn);
RTN_ReplaceSignature(
memcpyRtn, AFUNPTR( IfuncMemcpyWrapper ),
IARG_PROTOTYPE, proto_ifunc_memcpy,
IARG_CONTEXT,
IARG_ORIG_FUNCPTR,
IARG_END);
}
else
{
RTN_Open(memcpyRtn);
TraceFile << "Normal memcpy" << endl;
// Instrument memcpy() to print the input argument value and the return value.
RTN_InsertCall(memcpyRtn, IPOINT_BEFORE, (AFUNPTR)MemcpyBefore,
IARG_ADDRINT, "memcpy (normal)",
IARG_FUNCARG_ENTRYPOINT_VALUE, 0,
IARG_FUNCARG_ENTRYPOINT_VALUE, 1,
IARG_FUNCARG_ENTRYPOINT_VALUE, 2,
IARG_END);
RTN_Close(memcpyRtn);
}
}
VOID Image(IMG img, void *v)
{
RTN rtn = RTN_FindByName(img, "Replaced");
if (RTN_Valid(rtn))
{
PROTO proto = PROTO_Allocate(PIN_PARG(int), CALLINGSTD_DEFAULT, "Replaced", PIN_PARG_END());
RTN_ReplaceSignature(rtn, AFUNPTR(REPLACE_Replaced),
IARG_PROTOTYPE, proto,
(KnobUseIargConstContext)?IARG_CONST_CONTEXT:IARG_CONTEXT,
IARG_THREAD_ID,
IARG_ORIG_FUNCPTR,
IARG_END);
PROTO_Free(proto);
}
rtn = RTN_FindByName(img, "Inner");
if (RTN_Valid(rtn))
{
RTN_Open(rtn);
RTN_InsertCall(rtn, IPOINT_BEFORE, AFUNPTR(AtInner), IARG_REG_VALUE, scratchReg, IARG_END);
RTN_Close(rtn);
}
}
static VOID
HookHeapFunctions(IMG img)
{
RTN rtn;
// check this image actually has the heap functions.
if ((rtn = RTN_FindByName(img, "RtlAllocateHeap")) == RTN_Invalid())
return;
// hook RtlAllocateHeap
RTN rtlAllocate = RTN_FindByName(img, "RtlAllocateHeap");
PROTO protoRtlAllocateHeap = \
PROTO_Allocate( PIN_PARG(void *),
CALLINGSTD_STDCALL,
"RtlAllocateHeap",
PIN_PARG(WINDOWS::PVOID), // HeapHandle
PIN_PARG(WINDOWS::ULONG), // Flags
PIN_PARG(WINDOWS::SIZE_T), // Size
PIN_PARG_END()
);
RTN_ReplaceSignature(rtlAllocate,(AFUNPTR)replacementRtlAllocateHeap,
IARG_PROTOTYPE, protoRtlAllocateHeap,
IARG_ORIG_FUNCPTR,
IARG_FUNCARG_ENTRYPOINT_VALUE, 0,
IARG_FUNCARG_ENTRYPOINT_VALUE, 1,
IARG_FUNCARG_ENTRYPOINT_VALUE, 2,
IARG_CONTEXT,
IARG_END
);
PROTO_Free(protoRtlAllocateHeap);
// replace RtlReAllocateHeap()
RTN rtlReallocate = RTN_FindByName(img, "RtlReAllocateHeap");
PROTO protoRtlReAllocateHeap = \
PROTO_Allocate( PIN_PARG(void *), CALLINGSTD_STDCALL,
"RtlReAllocateHeap",
PIN_PARG(WINDOWS::PVOID), // HeapHandle
PIN_PARG(WINDOWS::ULONG), // Flags
PIN_PARG(WINDOWS::PVOID), // MemoryPtr
PIN_PARG(WINDOWS::SIZE_T),// Size
PIN_PARG_END()
);
RTN_ReplaceSignature(rtlReallocate,(AFUNPTR)replacementRtlReAllocateHeap,
IARG_PROTOTYPE, protoRtlReAllocateHeap,
IARG_ORIG_FUNCPTR,
IARG_FUNCARG_ENTRYPOINT_VALUE, 0,
IARG_FUNCARG_ENTRYPOINT_VALUE, 1,
IARG_FUNCARG_ENTRYPOINT_VALUE, 2,
IARG_FUNCARG_ENTRYPOINT_VALUE, 3,
IARG_CONTEXT,
IARG_END
);
PROTO_Free(protoRtlReAllocateHeap);
// replace RtlFreeHeap
RTN rtlFree = RTN_FindByName(img, "RtlFreeHeap");
PROTO protoRtlFreeHeap = \
PROTO_Allocate( PIN_PARG(void *), CALLINGSTD_STDCALL,
"RtlFreeHeap",
PIN_PARG(WINDOWS::PVOID), // HeapHandle
PIN_PARG(WINDOWS::ULONG), // Flags
PIN_PARG(WINDOWS::PVOID), // MemoryPtr
PIN_PARG_END()
);
RTN_ReplaceSignature(rtlFree,(AFUNPTR)replacementRtlFreeHeap,
IARG_PROTOTYPE, protoRtlFreeHeap,
IARG_ORIG_FUNCPTR,
IARG_FUNCARG_ENTRYPOINT_VALUE, 0,
IARG_FUNCARG_ENTRYPOINT_VALUE, 1,
IARG_FUNCARG_ENTRYPOINT_VALUE, 2,
IARG_CONTEXT,
IARG_END
);
PROTO_Free(protoRtlAllocateHeap);
}