├── README.md
├── http.py
└── syscalltest.cpp


/README.md:
--------------------------------------------------------------------------------
 1 | # pin
 2 | Introduction to intel pin tool
 3 | 
 4 | ## Setup
 5 | Find the correct download here: https://software.intel.com/en-us/articles/pintool-downloads. This example was tested on Kali linux. Untar the file. I built my tool under the MyPinTool directory at .../pin-3.2-81205-gcc-linux/source/tools/MyPinTool.
 6 | 
 7 | ## Running the tool
 8 | Drop the syscall tool into the MyPinTool directory. Open makefile.rules with your favorite text editor and change the target of the TEST_TOOL_ROOTS to the example syscall tool. Then:
 9 | 
10 | ```
11 | make
12 | ../../../pin -t obj-intel64/syscalltest.so -- python http.py
13 | ```


--------------------------------------------------------------------------------
/http.py:
--------------------------------------------------------------------------------
1 | import urllib2
2 | page = urllib2.urlopen("http://www.google.com").read()
3 | print page


--------------------------------------------------------------------------------
/syscalltest.cpp:
--------------------------------------------------------------------------------
  1 | #include <iostream>
  2 | #include <stdio.h>
  3 | #include <stdint.h>
  4 | #include <string.h>
  5 | #include <stdlib.h>
  6 | #include <errno.h>
  7 | #include <sys/types.h>
  8 | #include <sys/syscall.h>
  9 | #include "pin.H"
 10 | 
 11 | /*
 12 | Retrieves the value of registers with the current context.
 13 | */
 14 | void getContext(CONTEXT *ctxt)
 15 | {
 16 | 	fprintf(stdout, "rax: 0x%lx\nrbx: 0x%lx\nrcx: 0x%lx\nrdx: 0x%lx\nrsp: 0x%lx\nrbp: 0x%lx\nrsi: 0x%lx\nrdi: 0x%lx\nr8: 0x%lx\nr9: 0x%lx\n",
 17 | 	PIN_GetContextReg(ctxt, REG_RAX),
 18 | 	PIN_GetContextReg(ctxt, REG_RBX),
 19 | 	PIN_GetContextReg(ctxt, REG_RCX),
 20 | 	PIN_GetContextReg(ctxt, REG_RDX),
 21 | 	PIN_GetContextReg(ctxt, REG_RSP),
 22 | 	PIN_GetContextReg(ctxt, REG_RBP),
 23 | 	PIN_GetContextReg(ctxt, REG_RSI),
 24 | 	PIN_GetContextReg(ctxt, REG_RDI),
 25 | 	PIN_GetContextReg(ctxt, REG_R8),
 26 | 	PIN_GetContextReg(ctxt, REG_R9));
 27 | }
 28 | 
 29 | /*
 30 | Retrieves the arguments of a system call.
 31 | */
 32 | void getSyscallArgs(CONTEXT *ctxt, SYSCALL_STANDARD std)
 33 | {
 34 | 	for (int i = 0; i < 5; i++) {
 35 | 		ADDRINT scargs = PIN_GetSyscallArgument(ctxt, std, i);
 36 | 		fprintf(stdout, "arg%d: 0x%lx\n", i, scargs);
 37 | 	}
 38 | }
 39 | 
 40 | /*
 41 | Retrieves the arguments of the sendto and recvfrom system calls. Dereferences then increments
 42 | the bufptr pointer to grab the value at each byte in the buffer.
 43 | */
 44 | void getSyscallArgsVal(CONTEXT *ctxt, SYSCALL_STANDARD std)
 45 | {
 46 | 	ADDRINT buf = PIN_GetSyscallArgument(ctxt, std, 1);
 47 | 	ADDRINT len = PIN_GetSyscallArgument(ctxt, std, 2);
 48 | 	int buflen = (int)len;
 49 | 	char *bufptr = (char *)buf;
 50 | 	fprintf(stdout, "buffer start: 0x%lx\n", buf);
 51 | 	fprintf(stdout, "length: %d\n", buflen);
 52 | 
 53 | 	for (int i = 0; i < buflen; i++, bufptr++) {
 54 | 		fprintf(stdout, "%c", *bufptr);
 55 | 	}
 56 | 	fprintf(stdout, "\n");
 57 | }
 58 | 
 59 | /*
 60 | Entry function before system call execution. Checks all system call numbers but hooks
 61 | sendto and recvfrom.
 62 | */
 63 | void syscallEntryCallback(THREADID threadIndex, CONTEXT *ctxt, SYSCALL_STANDARD std, void *v)
 64 | {
 65 | 	ADDRINT scnum = PIN_GetSyscallNumber(ctxt, std);
 66 | 	if (scnum == __NR_sendto)
 67 | 	{
 68 | 		fprintf(stdout, "systemcall sendto: %lu\n", scnum);
 69 | 		getSyscallArgsVal(ctxt, std);
 70 | 
 71 | 	} else if (scnum == __NR_recvfrom)
 72 | 	{
 73 | 		fprintf(stdout, "systemcall recvfrom: %lu\n", scnum);
 74 | 		getSyscallArgsVal(ctxt, std);
 75 | 	}
 76 | }
 77 | 
 78 | /*
 79 | Exit function after system call execution. Grabs the system call return value.
 80 | */
 81 | void syscallExitCallback(THREADID threadIndex, CONTEXT *ctxt, SYSCALL_STANDARD std, void *v)
 82 | {
 83 | 	//ADDRINT retval = PIN_GetSyscallReturn(ctxt, std);
 84 | 	//fprintf(stdout, "retval: %lu\n", retval);
 85 | }
 86 | 
 87 | int Usage()
 88 | {
 89 | 	fprintf(stdout, "../../../pin -t obj-intel64/syscalltest.so -- sample program");
 90 | 	return -1;
 91 | }
 92 | 
 93 | int32_t main(int32_t argc, char *argv[])
 94 | {
 95 |     if (PIN_Init(argc, argv))
 96 |     {
 97 |         return Usage();
 98 |     }
 99 | 
100 |     fprintf(stdout, "call PIN_AddSyscallEntryFunction\n");
101 |     PIN_AddSyscallEntryFunction(&syscallEntryCallback, NULL);
102 | 
103 |     fprintf(stdout, "call PIN_AddSyscallExitFunction\n");
104 |     PIN_AddSyscallExitFunction(&syscallExitCallback, NULL);
105 | 
106 |     fprintf(stdout, "call PIN_StartProgram()\n");
107 |     PIN_StartProgram();
108 | 
109 |     return(0);
110 | }


--------------------------------------------------------------------------------