Intel Pin初探

1、在/home/hf/Desktop/pin/pin-3.30-98830-g1d7b601b3-gcc-linux/source/tools/ManualExamples/目录下写自己的pintools

去到该目录
cd /home/hf/Desktop/pin/pin-3.30-98830-g1d7b601b3-gcc-linux/source/tools/ManualExamples/
编写pintools
vim Mycmp.cpp

下面是Mycmp.cpp内容

#include "pin.H"
#include <iostream>
#include <fstream>

std::ofstream outfile;

VOID Instruction(INS ins, VOID *v)
{
    if (INS_Opcode(ins) == XED_ICLASS_CMP)
    {
        outfile << "CMP Instruction at address: " << INS_Address(ins) << std::endl;
        for (UINT32 i = 0; i < INS_OperandCount(ins); ++i)
        {
            if (INS_OperandIsReg(ins, i))
            {
                outfile << "Operand " << i << ": Register" << std::endl;
            }
            else if (INS_OperandIsMemory(ins, i))
            {
                outfile << "Operand " << i << ": Memory" << std::endl;
            }
            else if (INS_OperandIsImmediate(ins, i))
            {
                outfile << "Operand " << i << ": Immediate Value: " << INS_OperandImmediate(ins, i) << std::endl;
            }
        }
        outfile << std::endl;
    }
}

VOID Fini(INT32 code, VOID *v)
{
    outfile.close();
}

int main(int argc, char *argv[])
{
    // Initialize Pin
    PIN_InitSymbols();
    if (PIN_Init(argc, argv))
    {
        return -1;
    }

    // Open output file
    outfile.open("cmp_operations.txt");

    // Register Instruction to be called to instrument instructions
    INS_AddInstrumentFunction(Instruction, 0);

    // Register Fini to be called when the application exits
    PIN_AddFiniFunction(Fini, 0);

    // Start the program, never returns
    PIN_StartProgram();

    return 0;
}

2、生成pintool

当前在目录下
输入
make obj-intel64/Mycmp.so TARGET=intel64

这时可以在obj-intel64目录下查看到Mycmp.so

3、使用Pintool

我的mytools.so在/home/hf/Desktop/pin/pin-3.30-98830-g1d7b601b3-gcc-linux/source/tools/ManualExamples/obj-intel64/，要分析的service.exe在/home/hf/Desktop/pin/

去目录下
cd /home/hf/Desktop/pin/pin-3.30-98830-g1d7b601b3-gcc-linux/
使用命令执行pintool
./pin -t /home/hf/Desktop/pin/pin-3.30-98830-g1d7b601b3-gcc-linux/source/tools/ManualExamples/obj-intel64/Mycmp.so -- /home/hf/Desktop/pin/service.exe
这个命令的格式为 pin -t <pintool目录绝对路径> -- <要分析的程序的绝对路径>

上面的方法会将结果输出到命令行，我们还可以将结果输出到一个文本文件中，只需在命令后加上 > output.txt
即
./pin -t /home/hf/Desktop/pin/pin-3.30-98830-g1d7b601b3-gcc-linux/source/tools/ManualExamples/obj-intel64/Mycmp.so -- /home/hf/Desktop/pin/service.exe > output.txt

注意：此时可能没有操作server.exe的权限

使用命令查看server.exe的权限
ls -l /home/hf/Desktop/pin/Server.exe
如果输出中没有执行权限（x 权限），可以使用 chmod 命令添加执行权限：
chmod +x /home/hf/Desktop/pin/Server.exe