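├── README.md
├── http.py
└── syscalltest.cpp

/README.md:
--------------------------------------------------------------------------------
# pin
Introduction to intel pin tool

## Setup
Find the correct download here: https://software.intel.com/en-us/articles/pintool-downloads. This example was tested on Kali linux. Untar the file. I built my tool under the MyPinTool directory at .../pin-3.2-81205-gcc-linux/source/tools/MyPinTool.

## Running the tool
Drop the syscall tool into the MyPinTool directory. Open makefile.rules with your favorite text editor and change the target of the TEST_TOOL_ROOTS to the example syscall tool. Then:

```
make
../../../pin -t obj-intel64/syscalltest.so -- python http.py
```
--------------------------------------------------------------------------------
/http.py:
--------------------------------------------------------------------------------
"""Fetch one page over plain HTTP so the Pin tool has sendto/recvfrom traffic to observe.

Works under Python 2 (urllib2) and Python 3 (urllib.request).  The response
object is closed explicitly once the body has been read, so the socket is
released instead of lingering until interpreter shutdown.  The URL stays
http:// on purpose: over TLS the syscall buffers would hold ciphertext and
the tool's dump would be unreadable.
"""
from contextlib import closing

try:
    from urllib2 import urlopen  # Python 2
except ImportError:
    from urllib.request import urlopen  # Python 3

with closing(urlopen("http://www.google.com")) as response:
    page = response.read()

# Parenthesised form prints the same text on Python 2 and is valid on Python 3.
print(page)
--------------------------------------------------------------------------------
/syscalltest.cpp:
--------------------------------------------------------------------------------
// NOTE(review): the header names after each #include were lost when this
// listing was rendered; restore them from the repository before building.
#include
#include
#include
#include
#include
#include
#include
#include
#include "pin.H"

/*
Retrieves the value of registers with the current context.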
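*/
void getContext(CONTEXT *ctxt)
{
    // %lx assumes ADDRINT is an unsigned long, which is the case for the
    // 64-bit Linux build this tool targets (obj-intel64). Not called from
    // main() as written; kept as a debugging aid.
    fprintf(stdout,
            "rax: 0x%lx\nrbx: 0x%lx\nrcx: 0x%lx\nrdx: 0x%lx\nrsp: 0x%lx\n"
            "rbp: 0x%lx\nrsi: 0x%lx\nrdi: 0x%lx\nr8: 0x%lx\nr9: 0x%lx\n",
            PIN_GetContextReg(ctxt, REG_RAX),
            PIN_GetContextReg(ctxt, REG_RBX),
            PIN_GetContextReg(ctxt, REG_RCX),
            PIN_GetContextReg(ctxt, REG_RDX),
            PIN_GetContextReg(ctxt, REG_RSP),
            PIN_GetContextReg(ctxt, REG_RBP),
            PIN_GetContextReg(ctxt, REG_RSI),
            PIN_GetContextReg(ctxt, REG_RDI),
            PIN_GetContextReg(ctxt, REG_R8),
            PIN_GetContextReg(ctxt, REG_R9));
}

/*
Retrieves the arguments of a system call and prints them as hex.

count: number of argument slots to print. Linux x86-64 passes at most six
syscall arguments, so the default covers all of them; slots the syscall does
not use show whatever the corresponding register happened to hold.
*/
void getSyscallArgs(CONTEXT *ctxt, SYSCALL_STANDARD std, int count = 6)
{
    for (int i = 0; i < count; i++) {
        ADDRINT scargs = PIN_GetSyscallArgument(ctxt, std, i);
        fprintf(stdout, "arg%d: 0x%lx\n", i, scargs);
    }
}

/*
Prints `len` bytes starting at application address `buf`.

`buf` and `len` come straight from the instrumented program's syscall
arguments, so from the tool's point of view they are untrusted: the range may
be unmapped or shorter than claimed (the kernel would simply fail such a call
with EFAULT). The bytes are read with PIN_SafeCopy in bounded chunks, which
reports how much was actually readable, so a bad pointer ends the dump rather
than crashing the tool along with the program under analysis. Printable ASCII,
'\n' and '\t' are written as-is; every other byte is written as \xNN so binary
payloads cannot garble the terminal or a captured log.
*/
static void dumpBuffer(ADDRINT buf, ADDRINT len)
{
    unsigned char chunk[256];
    ADDRINT src = buf;
    ADDRINT remaining = len;

    while (remaining > 0) {
        size_t want = remaining < sizeof(chunk) ? (size_t)remaining : sizeof(chunk);
        size_t got = PIN_SafeCopy(chunk, (const void *)src, want);

        for (size_t i = 0; i < got; i++) {
            unsigned char c = chunk[i];
            if ((c >= 0x20 && c < 0x7f) || c == '\n' || c == '\t') {
                fputc(c, stdout);
            } else {
                fprintf(stdout, "\\x%02x", c);
            }
        }

        if (got < want) {
            // Short copy: the rest of the range is not readable from the tool.
            fprintf(stdout, "\n(unreadable at 0x%lx, stopped after %lu of %lu bytes)\n",
                    (unsigned long)(src + got),
                    (unsigned long)(len - remaining + got),
                    (unsigned long)len);
            return;
        }
        src += got;
        remaining -= got;
    }
    fprintf(stdout, "\n");
}

/*
Dumps the buffer argument (arg1) and length (arg2) of sendto/recvfrom as seen
at syscall entry. This is only meaningful for sendto: for recvfrom the buffer
is filled by the kernel, so at entry it holds stale bytes and arg2 is the
capacity rather than the received count (see syscallExitCallback).

The length is printed unsigned; the previous (int) narrowing turned lengths of
2 GiB or more into negative numbers and skipped the dump.
*/
void getSyscallArgsVal(CONTEXT *ctxt, SYSCALL_STANDARD std)
{
    ADDRINT buf = PIN_GetSyscallArgument(ctxt, std, 1);
    ADDRINT len = PIN_GetSyscallArgument(ctxt, std, 2);
    fprintf(stdout, "buffer start: 0x%lx\n", buf);
    fprintf(stdout, "length: %lu\n", (unsigned long)len);
    dumpBuffer(buf, len);
}

/*
Per-thread record of a recvfrom that has entered the kernel but not yet
returned. Pin delivers a thread's syscall entry and exit callbacks on that same
thread, so a slot indexed by THREADID needs no locking. Pin thread ids are
small integers assigned from 0 upwards; threads with an id beyond
kMaxTrackedThreads are not tracked and the entry callback says so.
*/
struct PendingRecv {
    bool active;
    ADDRINT buf;
    ADDRINT len;   // capacity the caller passed, not the bytes received
};

static const THREADID kMaxTrackedThreads = 1024;
static PendingRecv g_pendingRecv[kMaxTrackedThreads];   // zero-initialised: nothing pending

/*
Entry function before system call execution. Checks all system call numbers but hooks
sendto and recvfrom.

sendto is dumped here because the outgoing data is already in the buffer.
recvfrom is only recorded here; its data is dumped once the call returns.
*/
void syscallEntryCallback(THREADID threadIndex, CONTEXT *ctxt, SYSCALL_STANDARD std, void *v)
{
    ADDRINT scnum = PIN_GetSyscallNumber(ctxt, std);

    // Any new syscall on this thread supersedes a stale recvfrom record, so an
    // exit that never arrived cannot cause a later exit to dump the wrong buffer.
    if (threadIndex < kMaxTrackedThreads)
    {
        g_pendingRecv[threadIndex].active = false;
    }

    if (scnum == __NR_sendto)
    {
        fprintf(stdout, "systemcall sendto: %lu\n", scnum);
        getSyscallArgsVal(ctxt, std);
    }
    else if (scnum == __NR_recvfrom)
    {
        fprintf(stdout, "systemcall recvfrom: %lu\n", scnum);
        if (threadIndex < kMaxTrackedThreads)
        {
            // Arguments are only reliable at entry; the exit callback reads
            // them from this record.
            g_pendingRecv[threadIndex].active = true;
            g_pendingRecv[threadIndex].buf = PIN_GetSyscallArgument(ctxt, std, 1);
            g_pendingRecv[threadIndex].len = PIN_GetSyscallArgument(ctxt, std, 2);
        }
        else
        {
            fprintf(stdout, "(thread %u not tracked; recvfrom data not dumped)\n", threadIndex);
        }
    }
}

/*
Exit function after system call execution. For a recvfrom recorded at entry,
grabs the system call return value and dumps exactly the bytes the kernel
reported as received; on a negative return (-errno) nothing was written to the
buffer, so only the return value is printed.
*/
void syscallExitCallback(THREADID threadIndex, CONTEXT *ctxt, SYSCALL_STANDARD std, void *v)
{
    if (threadIndex >= kMaxTrackedThreads || !g_pendingRecv[threadIndex].active)
    {
        return;
    }
    PendingRecv pending = g_pendingRecv[threadIndex];
    g_pendingRecv[threadIndex].active = false;

    long retval = (long)PIN_GetSyscallReturn(ctxt, std);
    fprintf(stdout, "retval: %ld\n", retval);
    if (retval < 0)
    {
        return;
    }

    // Sanity clamp: never read past the capacity recorded at entry.
    ADDRINT received = (ADDRINT)retval;
    if (received > pending.len)
    {
        received = pending.len;
    }
    fprintf(stdout, "buffer start: 0x%lx\n", (unsigned long)pending.buf);
    fprintf(stdout, "length: %lu\n", (unsigned long)received);
    dumpBuffer(pending.buf, received);
}

/*
Prints the invocation line and returns the non-zero status main() reports
when PIN_Init rejects the command line.
*/
int Usage()
{
    fprintf(stdout, "../../../pin -t obj-intel64/syscalltest.so -- sample program");
    return -1;
}

/*
Tool entry point: initialises Pin, registers the syscall entry/exit callbacks
and hands control to the instrumented program. PIN_StartProgram does not
return. Output goes to the tool's stdout, which is shared with the program
under analysis, so the two streams interleave.
*/
int32_t main(int32_t argc, char *argv[])
{
    if (PIN_Init(argc, argv))
    {
        return Usage();
    }

    fprintf(stdout, "call PIN_AddSyscallEntryFunction\n");
    PIN_AddSyscallEntryFunction(&syscallEntryCallback, NULL);

    fprintf(stdout, "call PIN_AddSyscallExitFunction\n");
    PIN_AddSyscallExitFunction(&syscallExitCallback, NULL);

    fprintf(stdout, "call PIN_StartProgram()\n");
    PIN_StartProgram();

    return(0);
}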