1. Write your own pintool under /home/hf/Desktop/pin/pin-3.30-98830-g1d7b601b3-gcc-linux/source/tools/ManualExamples/
Go to that directory
cd /home/hf/Desktop/pin/pin-3.30-98830-g1d7b601b3-gcc-linux/source/tools/ManualExamples/
Write the pintool
vim Mycmp.cpp
The contents of Mycmp.cpp are as follows
#include "pin.H"
#include <iostream>
#include <fstream>

// Log file that receives one record per instrumented CMP instruction
std::ofstream outfile;

// Instrumentation routine: Pin calls this for each instruction it instruments
VOID Instruction(INS ins, VOID *v)
{
    if (INS_Opcode(ins) == XED_ICLASS_CMP)
    {
        // Print the address in hex so it can be matched against a disassembly
        outfile << "CMP Instruction at address: 0x" << std::hex << INS_Address(ins) << std::dec << std::endl;
        // Classify every operand of the CMP as register, memory or immediate
        for (UINT32 i = 0; i < INS_OperandCount(ins); ++i)
        {
            if (INS_OperandIsReg(ins, i))
            {
                outfile << "Operand " << i << ": Register" << std::endl;
            }
            else if (INS_OperandIsMemory(ins, i))
            {
                outfile << "Operand " << i << ": Memory" << std::endl;
            }
            else if (INS_OperandIsImmediate(ins, i))
            {
                outfile << "Operand " << i << ": Immediate Value: " << INS_OperandImmediate(ins, i) << std::endl;
            }
        }
        outfile << std::endl;
    }
}

// Called when the application exits: flush and close the log
VOID Fini(INT32 code, VOID *v)
{
    outfile.close();
}

int main(int argc, char *argv[])
{
    // Initialize Pin
    PIN_InitSymbols();
    if (PIN_Init(argc, argv))
    {
        return -1;
    }
    // Open output file (created in the current working directory)
    outfile.open("cmp_operations.txt");
    if (!outfile.is_open())
    {
        std::cerr << "Cannot open cmp_operations.txt" << std::endl;
        return -1;
    }
    // Register Instruction to be called to instrument instructions
    INS_AddInstrumentFunction(Instruction, 0);
    // Register Fini to be called when the application exits
    PIN_AddFiniFunction(Fini, 0);
    // Start the program, never returns
    PIN_StartProgram();
    return 0;
}
2. Build the pintool
While still in that directory
enter
make obj-intel64/Mycmp.so TARGET=intel64
Mycmp.so can now be found in the obj-intel64 directory
3. Use the pintool
In my case mytools.so is in /home/hf/Desktop/pin/pin-3.30-98830-g1d7b601b3-gcc-linux/source/tools/ManualExamples/obj-intel64/, and the service.exe to be analysed is in /home/hf/Desktop/pin/
Go to the directory
cd /home/hf/Desktop/pin/pin-3.30-98830-g1d7b601b3-gcc-linux/
Run the pintool with this command
./pin -t /home/hf/Desktop/pin/pin-3.30-98830-g1d7b601b3-gcc-linux/source/tools/ManualExamples/obj-intel64/Mycmp.so -- /home/hf/Desktop/pin/service.exe
The format of this command is pin -t <absolute path to the pintool> -- <absolute path to the program to analyse>
The method above prints the results to the command line. We can also write the results to a text file by appending > output.txt to the command
that is
./pin -t /home/hf/Desktop/pin/pin-3.30-98830-g1d7b601b3-gcc-linux/source/tools/ManualExamples/obj-intel64/Mycmp.so -- /home/hf/Desktop/pin/service.exe > output.txt
Note: at this point you may not have permission to run server.exe
Check the permissions of server.exe with this command
ls -l /home/hf/Desktop/pin/Server.exe
If the output shows no execute permission (the x permission), add it with chmod:
chmod +x /home/hf/Desktop/pin/Server.exe
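The records that Mycmp.cpp writes to cmp_operations.txt can be summarised after a run. The script below is an added example, not part of the original post: it parses that record format, keeps one record per address (Pin may instrument the same instruction more than once, so an address can repeat in the log), and counts operand shapes and the immediate values compared against. The sample log is constructed.

```python
import re
from collections import Counter

# Constructed sample in the format Mycmp.cpp writes to cmp_operations.txt.
SAMPLE = """\
CMP Instruction at address: 4198742
Operand 0: Register
Operand 1: Immediate Value: 10

CMP Instruction at address: 0x401200
Operand 0: Memory
Operand 1: Register

CMP Instruction at address: 4198742
Operand 0: Register
Operand 1: Immediate Value: 10

CMP Instruction at address: 4198800
Operand 0: Memory
Operand 1: Immediate Value: 10
"""

HEADER = re.compile(r"^CMP Instruction at address: (\S+)$")
OPERAND = re.compile(r"^Operand \d+: (Register|Memory|Immediate Value: (\S+))$")

def parse_cmp_log(text):
    """Return {address: [(kind, immediate_or_None), ...]}, one entry per address."""
    records, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if m:
            # int(x, 0) accepts decimal or 0x-prefixed hex addresses;
            # a repeated address replaces the earlier record.
            current = records[int(m.group(1), 0)] = []
            continue
        m = OPERAND.match(line)
        if m and current is not None:  # ignore operand lines with no header
            imm = m.group(2)
            current.append(("Immediate", int(imm, 0)) if imm else (m.group(1), None))
    return records

def summarize(records):
    """Count operand shapes and immediate values over the unique CMP sites."""
    shapes = Counter("/".join(k for k, _ in ops) for ops in records.values())
    imms = Counter(v for ops in records.values() for _, v in ops if v is not None)
    return shapes, imms

if __name__ == "__main__":
    shapes, imms = summarize(parse_cmp_log(SAMPLE))
    print(shapes.most_common(), imms.most_common())
```

To use it on a real run, pass the contents of cmp_operations.txt to parse_cmp_log instead of SAMPLE.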