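// Pin image-load callback: once ntdll.dll is loaded, replace RtlAllocateHeap
// with replacement_RtlAllocateHeap (defined elsewhere in this tool).
//
// img     - the image Pin has just loaded
// context - unused callback cookie registered with the instrumentation function
//
// Changes vs. the original: the base-name buffer is sized for name + extension
// (strcat_s was given _MAX_FNAME as the destination size, which a long file
// name could exceed and trip the invalid-parameter handler), and the
// _splitpath_s result is checked instead of assumed.
void ImageLoad(IMG img, void *context)
{
    (void)context;
    const std::string &imgName = IMG_Name(img);
    fprintf(stderr, "Notified of load of %s at [%p,%p]\n", imgName.c_str(),
            (char *)IMG_LowAddress(img), (char *)IMG_HighAddress(img));

    // See if this is ntdll.dll: rebuild "name.ext" from the full path and
    // compare case-insensitively (Windows file names are case-insensitive).
    char szName[_MAX_FNAME + _MAX_EXT]; // holds the file name and the extension together
    char szExt[_MAX_EXT];
    if (_splitpath_s(imgName.c_str(), NULL, 0, NULL, 0, szName, _MAX_FNAME, szExt, _MAX_EXT) != 0) {
        fprintf(stderr, "Failed to split path %s\n", imgName.c_str());
        return;
    }
    // szName is at most _MAX_FNAME-1 chars and szExt at most _MAX_EXT-1, so the
    // concatenation always fits in sizeof szName.
    strcat_s(szName, sizeof szName, szExt);
    if (_stricmp("ntdll.dll", szName) != 0) {
        return;
    }

    RTN rtn = RTN_FindByName(img, "RtlAllocateHeap");
    if (rtn == RTN_Invalid()) {
        fprintf(stderr, "Failed to find RtlAllocateHeap in %s\n", imgName.c_str());
        return;
    }
    fprintf(stderr, "Replacing\n");

    // Prototype of the routine being replaced; the replacement gets the original
    // function pointer, the three stdcall arguments and the application context
    // so it can call the real RtlAllocateHeap back.
    PROTO protoRtlAllocateHeap = PROTO_Allocate(PIN_PARG(void *), CALLINGSTD_STDCALL, "RtlAllocateHeap",
                                                PIN_PARG(WINDOWS::PVOID),  // HeapHandle
                                                PIN_PARG(WINDOWS::ULONG),  // Flags
                                                PIN_PARG(WINDOWS::SIZE_T), // Size
                                                PIN_PARG_END());
    RTN_ReplaceSignature(rtn, (AFUNPTR)replacement_RtlAllocateHeap,
                         IARG_PROTOTYPE, protoRtlAllocateHeap,
                         IARG_ORIG_FUNCPTR,
                         IARG_FUNCARG_ENTRYPOINT_VALUE, 0,
                         IARG_FUNCARG_ENTRYPOINT_VALUE, 1,
                         IARG_FUNCARG_ENTRYPOINT_VALUE, 2,
                         IARG_CONTEXT,
                         IARG_END);
    // The prototype is only needed while registering the replacement.
    PROTO_Free(protoRtlAllocateHeap);
}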
VOID ImageLoad(IMG img, VOID *v) { if( !s_init ) { s_protoAlloc = PROTO_Allocate( PIN_PARG(void *), CALLINGSTD_CDECL, "malloc", PIN_PARG(size_t), PIN_PARG_END() ); s_init = true; }
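// Replaces routine `name` in img with `probe` (probe mode) when the image
// exports it and Pin reports it safe for probed replacement.
//
// img   - image being loaded
// name  - exported routine to look up (e.g. "malloc")
// probe - replacement; receives the original function pointer, the per-routine
//         sequence number, the routine's first argument and a TP/zero word
// proto - prototype of the original routine (owned and freed by the caller)
// count - sequence number, incremented once per successful replacement
static VOID ReplaceWithProbe(IMG img, const char *name, AFUNPTR probe, PROTO proto, UINT32 *count)
{
    RTN rtn = RTN_FindByName(img, name);
    if (!RTN_Valid(rtn)) {
        return;
    }
    // Probe-mode replacement patches the routine's first instructions in place;
    // ask Pin whether that is possible rather than replacing blindly as the
    // original did (the tool's other probe hooks make the same check).
    if (!RTN_IsSafeForProbedReplacement(rtn)) {
        TraceFile << "skipping " << name << " in " << IMG_Name(img)
                  << ": not safe for probed replacement" << std::endl;
        return;
    }
    TraceFile << "probing " << name << " #" << *count << " in " << IMG_Name(img) << std::endl;
    RTN_ReplaceSignatureProbed(rtn, probe,
                               IARG_PROTOTYPE, proto,
                               IARG_ORIG_FUNCPTR,
                               IARG_UINT32, *count,
                               IARG_FUNCARG_ENTRYPOINT_VALUE, 0,
#if defined(TARGET_IPF)
                               IARG_REG_VALUE, REG_TP,
#else
                               IARG_ADDRINT, static_cast<ADDRINT>(0),
#endif
                               IARG_END);
    (*count)++;
}

// Pin image-load callback: probes malloc and free in every loaded image,
// numbering each replacement so the probes can tell instances apart.
//
// img - image Pin has just loaded
// v   - unused callback cookie
static VOID ImageLoad(IMG img, VOID *v)
{
    (void)v;
    // Sequence numbers persist across image loads.
    static UINT32 mallocCount = 0;
    static UINT32 freeCount = 0;

    PROTO protoMalloc = PROTO_Allocate(PIN_PARG(void *), CALLINGSTD_DEFAULT, "malloc",
                                       PIN_PARG(size_t), PIN_PARG_END());
    ReplaceWithProbe(img, "malloc", AFUNPTR(MallocProbe), protoMalloc, &mallocCount);
    PROTO_Free(protoMalloc);

    PROTO protoFree = PROTO_Allocate(PIN_PARG(void), CALLINGSTD_DEFAULT, "free",
                                     PIN_PARG(void *), PIN_PARG_END());
    ReplaceWithProbe(img, "free", AFUNPTR(FreeProbe), protoFree, &freeCount);
    PROTO_Free(protoFree);
}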
// Replacement for ntdll!RtlFreeHeap: forwards the call to the original routine
// through Pin, then records the free for the calling thread.
//
// rtlFreeHeap                  - original RtlFreeHeap (IARG_ORIG_FUNCPTR)
// heapHandle, flags, memoryPtr - the application's arguments, passed through unchanged
// ctx                          - application register state (IARG_CONTEXT), required
//                                to call back into the application
// Returns whatever RtlFreeHeap returned.
static WINDOWS::BOOL replacementRtlFreeHeap(AFUNPTR rtlFreeHeap, WINDOWS::PVOID heapHandle,
                                            WINDOWS::ULONG flags, WINDOWS::PVOID memoryPtr,
                                            CONTEXT *ctx)
{
    WINDOWS::BOOL freed = 0;
    // Same stdcall signature as RtlFreeHeap; the result is written into freed.
    PIN_CallApplicationFunction(ctx, PIN_ThreadId(), CALLINGSTD_STDCALL, rtlFreeHeap,
                                PIN_PARG(WINDOWS::BOOL), &freed,
                                PIN_PARG(WINDOWS::PVOID), heapHandle,
                                PIN_PARG(WINDOWS::ULONG), flags,
                                PIN_PARG(WINDOWS::PVOID), memoryPtr,
                                PIN_PARG_END());
    // Recorded after the call, so the record reflects a free that was actually issued.
    EmitHeapFreeRecord(PIN_ThreadId(), heapHandle, memoryPtr);
    return freed;
}
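/*
 * ImageLoad
 * Replace the native malloc, realloc and free functions with the tool's own
 * Malloc, Realloc and Free so that memory-allocation information can be
 * collected.
 *
 * img - image Pin has just loaded; a routine is only replaced if the image
 *       exports it.
 * v   - unused callback cookie.
 *
 * Each replacement receives the application context and the original function
 * pointer (so it can call the real routine back) plus the entry-point
 * arguments; IARG_CALL_ORDER keeps the three replacements in a fixed order.
 * Every prototype is freed once its replacement is registered, as the tool's
 * other hooks do — the original never freed them and leaked one per routine on
 * every image load.
 */
VOID ImageLoad(IMG img, VOID *v)
{
    (void)v;

    RTN mallocRtn = RTN_FindByName(img, "malloc");
    if (RTN_Valid(mallocRtn)) {
        PROTO proto_malloc = PROTO_Allocate(PIN_PARG(void *), CALLINGSTD_DEFAULT, "malloc",
                                            PIN_PARG(size_t), PIN_PARG_END());
        RTN_ReplaceSignature(mallocRtn, AFUNPTR(Malloc),
                             IARG_PROTOTYPE, proto_malloc,
                             IARG_CONTEXT,
                             IARG_ORIG_FUNCPTR,
                             IARG_FUNCARG_ENTRYPOINT_VALUE, 0,
                             IARG_CALL_ORDER, CALL_ORDER_FIRST,
                             IARG_END);
        PROTO_Free(proto_malloc);
    }

    RTN reallocRtn = RTN_FindByName(img, "realloc");
    if (RTN_Valid(reallocRtn)) {
        PROTO proto_realloc = PROTO_Allocate(PIN_PARG(void *), CALLINGSTD_DEFAULT, "realloc",
                                             PIN_PARG(void *), PIN_PARG(size_t), PIN_PARG_END());
        RTN_ReplaceSignature(reallocRtn, AFUNPTR(Realloc),
                             IARG_PROTOTYPE, proto_realloc,
                             IARG_CONTEXT,
                             IARG_ORIG_FUNCPTR,
                             IARG_FUNCARG_ENTRYPOINT_VALUE, 0,
                             IARG_FUNCARG_ENTRYPOINT_VALUE, 1,
                             IARG_CALL_ORDER, CALL_ORDER_FIRST + 1,
                             IARG_END);
        PROTO_Free(proto_realloc);
    }

    RTN freeRtn = RTN_FindByName(img, "free");
    if (RTN_Valid(freeRtn)) {
        PROTO proto_free = PROTO_Allocate(PIN_PARG(void), CALLINGSTD_DEFAULT, "free",
                                          PIN_PARG(void *), PIN_PARG_END());
        RTN_ReplaceSignature(freeRtn, AFUNPTR(Free),
                             IARG_PROTOTYPE, proto_free,
                             IARG_CONTEXT,
                             IARG_ORIG_FUNCPTR,
                             IARG_FUNCARG_ENTRYPOINT_VALUE, 0,
                             IARG_CALL_ORDER, CALL_ORDER_FIRST + 2,
                             IARG_END);
        PROTO_Free(proto_free);
    }
}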
void InsertProbe( IMG img, char * funcName) { /* printf ("Image %s\n", IMG_Name(img).c_str()); for (SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec)) { for (RTN rtn = SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn)) { printf (" Rtn: %s %s\n", RTN_Name(rtn).c_str(), funcName); if (strstr( RTN_Name(rtn).c_str(), funcName)) { printf (" found\n"); } } } */ RTN allocRtn = RTN_FindByName(img, funcName); if (RTN_Valid(allocRtn) && RTN_IsSafeForProbedReplacement(allocRtn)) { fprintf (fp, "RTN_ReplaceSignatureProbed on %s\n", funcName); PROTO protoHeapAlloc = PROTO_Allocate( PIN_PARG(void *), CALLINGSTD_STDCALL, "protoHeapAlloc", PIN_PARG(WINDOWS::HANDLE), PIN_PARG(WINDOWS::DWORD),PIN_PARG(WINDOWS::DWORD), PIN_PARG_END() ); RTN_ReplaceSignatureProbed(allocRtn, AFUNPTR(ReplacementFunc), IARG_PROTOTYPE, protoHeapAlloc, IARG_ORIG_FUNCPTR, IARG_FUNCARG_ENTRYPOINT_VALUE, 0, IARG_FUNCARG_ENTRYPOINT_VALUE, 1, IARG_FUNCARG_ENTRYPOINT_VALUE, 2, IARG_CONTEXT, IARG_RETURN_IP, IARG_END); PROTO_Free( protoHeapAlloc ); }
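// Hooks ntdll's heap routines in img: RtlAllocateHeap, RtlReAllocateHeap and
// RtlFreeHeap are each replaced by the matching replacement* function, which
// receives the original function pointer, the routine's stdcall arguments and
// the application context so it can call the original back.
//
// img - image being loaded; images that do not export RtlAllocateHeap are ignored.
//
// Fixes vs. the original: the prototype for RtlFreeHeap is the one freed at the
// end (the original freed protoRtlAllocateHeap a second time — a double free —
// and leaked protoRtlFreeHeap), the duplicate RtlAllocateHeap lookup is gone,
// and RtlReAllocateHeap / RtlFreeHeap are only replaced when RTN_FindByName
// actually found them instead of passing an invalid RTN to RTN_ReplaceSignature.
static VOID HookHeapFunctions(IMG img)
{
    // check this image actually has the heap functions.
    RTN rtlAllocate = RTN_FindByName(img, "RtlAllocateHeap");
    if (!RTN_Valid(rtlAllocate)) {
        return;
    }

    // hook RtlAllocateHeap
    PROTO protoRtlAllocateHeap = PROTO_Allocate(PIN_PARG(void *), CALLINGSTD_STDCALL, "RtlAllocateHeap",
                                                PIN_PARG(WINDOWS::PVOID),  // HeapHandle
                                                PIN_PARG(WINDOWS::ULONG),  // Flags
                                                PIN_PARG(WINDOWS::SIZE_T), // Size
                                                PIN_PARG_END());
    RTN_ReplaceSignature(rtlAllocate, (AFUNPTR)replacementRtlAllocateHeap,
                         IARG_PROTOTYPE, protoRtlAllocateHeap,
                         IARG_ORIG_FUNCPTR,
                         IARG_FUNCARG_ENTRYPOINT_VALUE, 0,
                         IARG_FUNCARG_ENTRYPOINT_VALUE, 1,
                         IARG_FUNCARG_ENTRYPOINT_VALUE, 2,
                         IARG_CONTEXT,
                         IARG_END);
    PROTO_Free(protoRtlAllocateHeap);

    // replace RtlReAllocateHeap()
    RTN rtlReallocate = RTN_FindByName(img, "RtlReAllocateHeap");
    if (RTN_Valid(rtlReallocate)) {
        PROTO protoRtlReAllocateHeap = PROTO_Allocate(PIN_PARG(void *), CALLINGSTD_STDCALL, "RtlReAllocateHeap",
                                                      PIN_PARG(WINDOWS::PVOID),  // HeapHandle
                                                      PIN_PARG(WINDOWS::ULONG),  // Flags
                                                      PIN_PARG(WINDOWS::PVOID),  // MemoryPtr
                                                      PIN_PARG(WINDOWS::SIZE_T), // Size
                                                      PIN_PARG_END());
        RTN_ReplaceSignature(rtlReallocate, (AFUNPTR)replacementRtlReAllocateHeap,
                             IARG_PROTOTYPE, protoRtlReAllocateHeap,
                             IARG_ORIG_FUNCPTR,
                             IARG_FUNCARG_ENTRYPOINT_VALUE, 0,
                             IARG_FUNCARG_ENTRYPOINT_VALUE, 1,
                             IARG_FUNCARG_ENTRYPOINT_VALUE, 2,
                             IARG_FUNCARG_ENTRYPOINT_VALUE, 3,
                             IARG_CONTEXT,
                             IARG_END);
        PROTO_Free(protoRtlReAllocateHeap);
    }

    // replace RtlFreeHeap
    RTN rtlFree = RTN_FindByName(img, "RtlFreeHeap");
    if (RTN_Valid(rtlFree)) {
        // NOTE(review): the return type is declared void * here while the
        // replacement returns WINDOWS::BOOL — kept as the original had it; confirm
        // against the replacement's signature.
        PROTO protoRtlFreeHeap = PROTO_Allocate(PIN_PARG(void *), CALLINGSTD_STDCALL, "RtlFreeHeap",
                                                PIN_PARG(WINDOWS::PVOID), // HeapHandle
                                                PIN_PARG(WINDOWS::ULONG), // Flags
                                                PIN_PARG(WINDOWS::PVOID), // MemoryPtr
                                                PIN_PARG_END());
        RTN_ReplaceSignature(rtlFree, (AFUNPTR)replacementRtlFreeHeap,
                             IARG_PROTOTYPE, protoRtlFreeHeap,
                             IARG_ORIG_FUNCPTR,
                             IARG_FUNCARG_ENTRYPOINT_VALUE, 0,
                             IARG_FUNCARG_ENTRYPOINT_VALUE, 1,
                             IARG_FUNCARG_ENTRYPOINT_VALUE, 2,
                             IARG_CONTEXT,
                             IARG_END);
        PROTO_Free(protoRtlFreeHeap);
    }
}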