
couple of DBI examples

DennisYurichev committed Jul 2, 2018
1 parent 63c0565 commit 1074c9571cb00bf7dda1741a5c9de64f58825f77
@@ -1,3 +1,4 @@
02-Jul-2018: DBI examples: minesweeper and WinRAR
15-Sep-2016: More fundamentals and examples
14-Sep-2016: More of my blog posts are copypasted into the book
06-Sep-2016: Blog posts about FAT12 and fortune file has been copypasted into the book
BIN +583 KB DBI/XOR/files/Rar.exe
Binary file not shown.
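--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,136 @@
+// based on emudiv.cpp
+
+// by dennis(a)yurichev.com
+
+#include <stdio.h>
+#include "pin.H"
+#include <iostream>
+#include <fstream>
+
+std::ofstream TraceFile;
+
+KNOB<string> KnobOutputFile(KNOB_MODE_WRITEONCE, "pintool",
+"o", "XOR_ins.out", "specify trace file name");
+
+std::map<ADDRINT, int> XORs;
+PIN_LOCK lock;
+
+// ==== these functions executed during runtime (begin) ====
+VOID log_info (ADDRINT ip, ADDRINT op1, ADDRINT op2)
+{
+if (op1!=op2 && op1!=0 && op2!=0 && op1!=0xffffffff && op2!=0xffffffff)
+{
+//TraceFile << "ip=" << ip << " op1=" << op1 << " op2=" << op2 << endl;
+XORs[ip]=XORs[ip]+1;
+};
+};
+
+VOID XOR_reg_reg(ADDRINT ip, ADDRINT op1, ADDRINT op2, THREADID threadid)
+{
+PIN_GetLock(&lock, threadid+1);
+log_info (ip, op1, op2);
+PIN_ReleaseLock(&lock);
+}
+
+VOID XOR_mem_reg(ADDRINT ip, ADDRINT *op1_addr, unsigned int op1_size, ADDRINT op2, THREADID threadid)
+{
+PIN_GetLock(&lock, threadid+1);
+ADDRINT op1;
+PIN_SafeCopy(&op1, op1_addr, op1_size);
+log_info (ip, op1, op2);
+PIN_ReleaseLock(&lock);
+};
+
+// save stat, do not track registers (yet)
+VOID PXOR(ADDRINT ip, THREADID threadid)
+{
+PIN_GetLock(&lock, threadid+1);
+//TraceFile << "PXOR at " << ip << endl;
+XORs[ip]=XORs[ip]+1;
+PIN_ReleaseLock(&lock);
+}
+// ==== these functions executed during runtime (end) ====
+
+// this function executed only during startup, so no need to optimize anything here:
+VOID InstrumentXOR(INS ins, VOID* v)
+{
+// XOR reg, reg
+if ((INS_Mnemonic(ins) == "XOR") && (INS_OperandIsReg(ins, 0)) && (INS_OperandIsReg(ins, 1)))
+{
+INS_InsertCall(ins,
+IPOINT_BEFORE,
+AFUNPTR(XOR_reg_reg),
+IARG_INST_PTR,
+IARG_REG_VALUE, REG(INS_OperandReg(ins, 0)),
+IARG_REG_VALUE, REG(INS_OperandReg(ins, 1)),
+IARG_THREAD_ID,
+IARG_END);
+}
+
+// XOR mem, reg
+if ((INS_Mnemonic(ins) == "XOR") && INS_OperandIsMemory(ins, 0) && INS_OperandIsReg(ins, 1))
+{
+INS_InsertCall(ins,
+IPOINT_BEFORE,
+AFUNPTR(XOR_mem_reg),
+IARG_INST_PTR,
+IARG_MEMORYREAD_EA,
+IARG_MEMORYREAD_SIZE,
+IARG_REG_VALUE, REG(INS_OperandReg(ins, 1)),
+IARG_THREAD_ID,
+IARG_END);
+}
+
+// XOR reg, mem
+if ((INS_Mnemonic(ins) == "XOR") && INS_OperandIsReg(ins, 0) && INS_OperandIsMemory(ins, 1))
+{
+INS_InsertCall(ins,
+IPOINT_BEFORE,
+AFUNPTR(XOR_mem_reg),
+IARG_INST_PTR,
+IARG_MEMORYREAD_EA,
+IARG_MEMORYREAD_SIZE,
+IARG_REG_VALUE, REG(INS_OperandReg(ins, 0)),
+IARG_THREAD_ID,
+IARG_END);
+}
+
+if ((INS_Mnemonic(ins) == "PXOR"))
+{
+INS_InsertCall(ins,
+IPOINT_BEFORE,
+AFUNPTR(PXOR),
+IARG_INST_PTR,
+IARG_THREAD_ID,
+IARG_END);
+}
+}
+
+INT32 Usage()
+{
+cerr << "This tool intercepts XOR/PXOR" << endl;
+cerr << KNOB_BASE::StringKnobSummary() << endl << flush;
+return -1;
+}
+
+VOID Fini(INT32 code, VOID *v)
+{
+for (auto i=XORs.begin(); i!=XORs.end(); i++)
+TraceFile << "ip=" << i->first << " count=" << i->second << endl;
+TraceFile.close();
+}
+
+int main(int argc, char * argv[])
+{
+if (PIN_Init(argc, argv))
+return Usage();
+
+TraceFile.open(KnobOutputFile.Value().c_str());
+
+TraceFile << std::hex << std::showbase;
+INS_AddInstrumentFunction(InstrumentXOR, 0);
+PIN_AddFiniFunction(Fini, 0);
+PIN_StartProgram();// Never returns
+
+return 0;
+}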
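Review bot: In XOR_mem_reg, `op1` is declared uninitialised and the return value of `PIN_SafeCopy` is discarded, so when the copy fails (unreadable address) or `op1_size` is smaller than `sizeof(ADDRINT)` the value handed to log_info contains stale stack bytes, and the count for that ip becomes noise. Suggested replacement for the three lines after the lock: `ADDRINT op1 = 0;` / `size_t n = op1_size < sizeof(op1) ? op1_size : sizeof(op1);` / `if (PIN_SafeCopy(&op1, op1_addr, n) == n) log_info(ip, op1, op2);` — the clamp also keeps a larger operand from overflowing `op1`. The `op1!=0xffffffff` / `op2!=0xffffffff` filter in log_info excludes only a 32-bit all-ones pattern; on a 64-bit build an all-ones ADDRINT passes through, so comparing against `(ADDRINT)-1` matches the intent on both targets. `std::map<ADDRINT, int> XORs;` relies on pin.H transitively providing `<map>`; including it directly would make the file self-contained. As far as I recall Pin expects `PIN_InitLock(&lock)` before the first PIN_GetLock, and main() never calls it, so the tool appears to depend on the global's default initialisation — worth confirming against the Pin version in use.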
@@ -0,0 +1,164 @@
372,377c381,386
< ip=0x140011902 count=0x2
< ip=0x140011d31 count=0x2
< ip=0x140011e75 count=0x1
< ip=0x140012186 count=0x1
< ip=0x140012b5a count=0x1
< ip=0x140012f1f count=0x1
---
> ip=0x140011902 count=0x11
> ip=0x140011d31 count=0x11
> ip=0x140011e75 count=0x59
> ip=0x140012186 count=0x59
> ip=0x140012b5a count=0x59
> ip=0x140012f1f count=0x59
394,395c403,404
< ip=0x1400175e2 count=0x9
< ip=0x140017770 count=0x9
---
> ip=0x1400175e2 count=0xa
> ip=0x140017770 count=0xa
398,405c407,414
< ip=0x140017b21 count=0xd84
< ip=0x140017b48 count=0x81f
< ip=0x140017b59 count=0x858
< ip=0x140017b6a count=0xc13
< ip=0x140017b7b count=0xefc
< ip=0x140017b8a count=0xefd
< ip=0x140017b92 count=0xb86
< ip=0x140017ba1 count=0xf01
---
> ip=0x140017b21 count=0x9eab5
> ip=0x140017b48 count=0x79863
> ip=0x140017b59 count=0x862e8
> ip=0x140017b6a count=0x99495
> ip=0x140017b7b count=0xa891c
> ip=0x140017b8a count=0xa89f4
> ip=0x140017b92 count=0x8ed72
> ip=0x140017ba1 count=0xa8a8a
435,445c444,456
< ip=0x140025ede count=0x5
< ip=0x140026000 count=0x5
< ip=0x140026050 count=0x5
< ip=0x14002622e count=0x5
< ip=0x1400277b7 count=0x1
< ip=0x1400278e9 count=0x1
< ip=0x14002c4f1 count=0x4fce
< ip=0x14002c586 count=0x1
< ip=0x14002c73f count=0x1
< ip=0x14002e006 count=0x1
< ip=0x14002e416 count=0x1
---
> ip=0x140025ede count=0x1bd
> ip=0x140026000 count=0x1bd
> ip=0x140026050 count=0x1bd
> ip=0x14002622e count=0x1bd
> ip=0x1400277b7 count=0x55
> ip=0x1400278e9 count=0x55
> ip=0x14002c4f1 count=0x4463be
> ip=0x14002c586 count=0x35
> ip=0x14002c73f count=0x35
> ip=0x14002e006 count=0x55
> ip=0x14002e416 count=0x55
> ip=0x14002e47e count=0x20
> ip=0x14002e677 count=0x20
480,481c491,492
< ip=0x14004104a count=0x367
< ip=0x140041057 count=0x367
---
> ip=0x14004104a count=0x24193
> ip=0x140041057 count=0x24193
497c508
< ip=0x140043e10 count=0x23006
---
> ip=0x140043e10 count=0x23004
499c510
< ip=0x140043e56 count=0x22ffd
---
> ip=0x140043e56 count=0x23002
501c512
< ip=0x140043e95 count=0x23005
---
> ip=0x140043e95 count=0x22ffd
503c514
< ip=0x140043ece count=0x23001
---
> ip=0x140043ece count=0x22fff
505c516
< ip=0x140043f19 count=0x23004
---
> ip=0x140043f19 count=0x22ffe
507c518
< ip=0x140043f3f count=0x23004
---
> ip=0x140043f3f count=0x23003
509c520
< ip=0x140043f83 count=0x22fff
---
> ip=0x140043f83 count=0x23004
511c522
< ip=0x140043fba count=0x2300a
---
> ip=0x140043fba count=0x23001
513c524
< ip=0x140043ffb count=0x23009
---
> ip=0x140043ffb count=0x23003
515c526
< ip=0x140044013 count=0x23008
---
> ip=0x140044013 count=0x22ffc
517c528
< ip=0x14004407c count=0x23002
---
> ip=0x14004407c count=0x23009
519c530
< ip=0x14004409f count=0x23004
---
> ip=0x14004409f count=0x22ffd
521c532
< ip=0x1400440f3 count=0x23009
---
> ip=0x1400440f3 count=0x22fff
523c534
< ip=0x14004412d count=0x23001
---
> ip=0x14004412d count=0x22ffd
525c536
< ip=0x140044146 count=0x22ffc
---
> ip=0x140044146 count=0x22ffe
527c538
< ip=0x14004419c count=0x23002
---
> ip=0x14004419c count=0x23005
529c540
< ip=0x1400441b9 count=0x23003
---
> ip=0x1400441b9 count=0x23006
537c548
< ip=0x140044224 count=0x23005
---
> ip=0x140044224 count=0x23006
542c553
< ip=0x140044247 count=0x23004
---
> ip=0x140044247 count=0x23006
547c558
< ip=0x140044280 count=0x23003
---
> ip=0x140044280 count=0x23007
846,849c857,860
< ip=0x14005bec3 count=0xd
< ip=0x14005c143 count=0xd
< ip=0x14005d19c count=0xa
< ip=0x14005d387 count=0xa
---
> ip=0x14005bec3 count=0xe
> ip=0x14005c143 count=0xe
> ip=0x14005d19c count=0xb
> ip=0x14005d387 count=0xb
862c873
< ip=0x14006292c count=0x5f
---
> ip=0x14006292c count=0x60
