/**
 * Callback executed for every instruction that has been classified as
 * potential shellcode. Writes the register context (via dumpContext) and the
 * disassembled instruction to traceFile, but only the first time a given
 * instruction is seen.
 *
 * @param instructionString disassembly text of the instruction. The pointer
 *                          itself is the key in `dumped`, so de-duplication
 *                          presumably relies on the caller handing out the same
 *                          std::string object for the same instruction — confirm
 *                          against the instrumentation routine.
 * @param regs              register list; currently unused (see the note below).
 * @param ctxt              Pin CONTEXT captured when the instruction executed.
 */
void dump_shellcode(std::string* instructionString, RegList* regs, CONTEXT* ctxt)
{
    (void)regs;  // per-register output is disabled, see the note at the end

    // Dump each instruction only once. A tight shellcode loop that runs a
    // million times would otherwise flood the log; for a complete run trace
    // this guard would have to go.
    const bool alreadyDumped = dumped.count(instructionString) > 0;
    if (alreadyDumped)
        return;

    // Legit instructions recorded before the shellcode took over are written
    // out here, so the log shows where control flow crossed from legit code
    // into the shellcode.
    if (!legitInstructions.empty())
    {
        traceFile << std::endl << "Executed before" << std::endl;
        std::list<std::string>::const_iterator legit = legitInstructions.begin();
        for (; legit != legitInstructions.end(); ++legit)
            traceFile << *legit << std::endl;
        traceFile << std::endl << "Shellcode:" << std::endl;
        legitInstructions.clear();
    }

    traceFile << dumpContext(ctxt) << std::endl << *instructionString;
    // A per-register dump used to follow here (iterating *regs and printing
    // REG_StringShort(reg) << " = " << PIN_GetContextReg(ctxt, reg)); it is
    // kept out of the trace.
    traceFile << std::endl;

    dumped.insert(instructionString);
}
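/**
 * Writes a crash report for the given exception to a timestamped text file.
 *
 * The report goes to "<path>_DD_MM_YYYY_hh_mm_ss.txt"; the timestamp comes
 * from GetSystemTime and is therefore UTC, independent of the user's time
 * zone. CREATE_ALWAYS means a report written within the same second as a
 * previous one overwrites it.
 *
 * @param path              file name prefix (full or relative path); must not
 *                          be NULL and must leave room for the 24-character
 *                          suffix within MAX_PATH.
 * @param exceptionPointers exception record and thread context as handed to an
 *                          exception filter; must not be NULL.
 * @return true if the report file was created and both dumps were issued,
 *         false if an argument is unusable, the prefix is too long, or the
 *         file could not be created.
 *
 * EXCEPTION_POINTERS is what SEH filters receive, so this is written to be
 * callable from that context: stack storage and Win32 calls only.
 */
bool CEException::writeException(TCHAR *path, EXCEPTION_POINTERS *exceptionPointers)
{
    if (path == NULL || exceptionPointers == NULL)
        return false;

    // wsprintf does not bound-check its destination (it only ever stops at
    // 1024 characters), so a long prefix would overrun dumpFileName[MAX_PATH].
    // The format below appends "_dd_dd_dddd_dd_dd_dd.txt" = 24 characters plus
    // the terminating NUL; refuse any prefix that cannot fit alongside it.
    const int kSuffixChars = 24 + 1;
    if (lstrlen(path) > MAX_PATH - kSuffixChars)
        return false;

    SYSTEMTIME systemTime;
    GetSystemTime(&systemTime);  // UTC by definition of GetSystemTime

    TCHAR dumpFileName[MAX_PATH];
    wsprintf(dumpFileName, TEXT("%s_%.2d_%.2d_%.4d_%.2d_%.2d_%.2d.txt"),
             path,
             systemTime.wDay, systemTime.wMonth, systemTime.wYear,
             systemTime.wHour, systemTime.wMinute, systemTime.wSecond);

    // Share mode 0: nobody else may open the report while it is being written.
    HANDLE dumpFile = CreateFile(dumpFileName, GENERIC_READ | GENERIC_WRITE, 0, NULL,
                                 CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (dumpFile == INVALID_HANDLE_VALUE)
        return false;

    dumpException(dumpFile, exceptionPointers->ExceptionRecord);
    dumpContext(dumpFile, GetCurrentProcess(), exceptionPointers->ContextRecord);
    CloseHandle(dumpFile);
    return true;
}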