├── LICENSE.txt ├── README.txt ├── exe └── README.txt ├── out ├── 2014-04-22_16-32_helloworld_simple_packed │ ├── tool_procID_0.log │ └── tool_procID_3788_parentID_0.log ├── 2014-04-22_16-45_zeus_04193500185c6d063d909ecfec03448a │ ├── tool_procID_0.log │ ├── tool_procID_1480_parentID_0.log │ └── tool_procID_3324_parentID_0.log ├── 2014-04-22_17-01_virut_5b7301d13defd76c2597165ad1e6993b │ └── tool_procID_0.log └── README.txt ├── report └── report.pdf └── src ├── Nmakefile ├── packman.bat └── packman.cpp /LICENSE.txt: -------------------------------------------------------------------------------- 1 | Packed Malware Analyzer (PACKMAN) is licensed under the MIT License 2 | 3 | Copyright (c) 2014 Enes Goktas, Remco Vermeulen, Herbert Bos 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in 13 | all copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 21 | THE SOFTWARE. 
22 | -------------------------------------------------------------------------------- /README.txt: -------------------------------------------------------------------------------- 1 | Packed Malware Analyzer (PACKMAN) is licensed under the MIT License. See LICENSE.txt 2 | 3 | ! Beware that PACKMAN will run the executable being analyzed. 4 | ! Take precautions before running malware under PACKMAN. 5 | ! Best practice is to run PACKMAN in a Virtual Machine. 6 | 7 | ================== 8 | About directories: 9 | ================== 10 | - "exe" directory: 11 | directory for collecting the executables 12 | in one location, just for convenience 13 | - "out" directory: 14 | output directory of PACKMAN 15 | - "report" directory: 16 | contains the report about PACKMAN 17 | - "src" directory: 18 | contains the source code of PACKMAN and a batch 19 | script to run PACKMAN 20 | 21 | ================== 22 | PACKMAN requirements: 23 | ================== 24 | 1 - Windows 7 x86 (PACKMAN is not tested with Windows 8 and above, or x86-64) 25 | 2 - PIN Binary instrumentation tool 26 | 3 - Microsoft Visual C++ 27 | 28 | ================== 29 | PACKMAN installation: 30 | ================== 31 | 1 - Set the WF_ROOT variable in src/packman.bat 32 | to the directory where this README file is located 33 | 2 - Set the PIN_ROOT variable in src/packman.bat 34 | to the directory where pin.exe is located 35 | 36 | ================== 37 | PACKMAN usage: 38 | ================== 39 | - Visual Studio Command Prompt must be used 40 | - Working directory of the prompt has to be set to the "src" directory 41 | - packman.bat is the script to run the tool 42 | - options of packman.bat: 43 | -> To analyze an executable: 44 | packman analyze 45 | -> To compile PACKMAN: 46 | packman compile 47 | -> To clean compilation files: 48 | packman clean 49 | 50 | 51 | -------------------------------------------------------------------------------- /exe/README.txt: 
-------------------------------------------------------------------------------- 1 | This folder can be used to save packed executables. 2 | -------------------------------------------------------------------------------- /out/2014-04-22_16-32_helloworld_simple_packed/tool_procID_0.log: -------------------------------------------------------------------------------- 1 | Pin 2.13 kit 61147 2 | Instrumenting PE file: C:\Users\pmat\Desktop\workfolder\exe\helloworld_simple_packed.exe 3 | Loaded PE file at [0x01280000..0x012abfff](0x0002c000) 4 | Its Entry Point is 0x012aa830 5 | 6 | EXEMEMORY :: insert memory chunk [0x01280000..0x012abfff](0x0002c000) 7 | DLLMGMT :: load at [0x75390000..0x753d9fff] C:\Windows\system32\KERNELBASE.dll 8 | DLLMGMT :: load at [0x76ee0000..0x76fb3fff] C:\Windows\system32\kernel32.dll 9 | DLLMGMT :: load at [0x771c0000..0x772fbfff] C:\Windows\SYSTEM32\ntdll.dll 10 | [T:0|L:1] THREADMGMT :: new thread with id 0 started; new #threads is 1 11 | [T:0|L:1] DLLMGMT :: load at [0x6c490000..0x6c546fff] C:\Windows\system32\MSVCP100D.dll 12 | [T:0|L:1] DLLMGMT :: load at [0x6c310000..0x6c481fff] C:\Windows\system32\MSVCR100D.dll 13 | [T:0|L:1] LIBCALL :: @0x012aa91f call dword ptr [esi+0x2a208]=[0x012ab208]=0x76f32864 kernel32.dll::LoadLibraryA 14 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 15 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 16 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 17 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 18 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 19 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 
20 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 21 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 22 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 23 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 24 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 25 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 26 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 27 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 28 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 29 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 30 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 31 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 32 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 33 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 34 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 35 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 36 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr 
[esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 37 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 38 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 39 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 40 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 41 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 42 | [T:0|L:1] LIBCALL :: @0x012aa91f call dword ptr [esi+0x2a208]=[0x012ab208]=0x76f32864 kernel32.dll::LoadLibraryA 43 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 44 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 45 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 46 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 47 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 48 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 49 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 50 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 51 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 52 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 53 | [T:0|L:1] 
LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 54 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 55 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 56 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 57 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 58 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 59 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 60 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 61 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 62 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 63 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 64 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 65 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 66 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 67 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 68 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 69 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 
kernel32.dll::GetProcAddress 70 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 71 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 72 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 73 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 74 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 75 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 76 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 77 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 78 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 79 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 80 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 81 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 82 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 83 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 84 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 85 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 86 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword 
ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 87 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 88 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 89 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 90 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 91 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 92 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 93 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 94 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 95 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 96 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 97 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 98 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 99 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 100 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 101 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 102 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 103 | 
[T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 104 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 105 | [T:0|L:1] LIBCALL :: @0x012aa91f call dword ptr [esi+0x2a208]=[0x012ab208]=0x76f32864 kernel32.dll::LoadLibraryA 106 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 107 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 108 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 109 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 110 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 111 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 112 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 113 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 114 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 115 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 116 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 117 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 118 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 119 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr 
[esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 120 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 121 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 122 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 123 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 124 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 125 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 126 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 127 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 128 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 129 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 130 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 131 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 132 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 133 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 134 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 135 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 
kernel32.dll::GetProcAddress 136 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 137 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 138 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 139 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 140 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 141 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 142 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 143 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 144 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 145 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 146 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 147 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 148 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 149 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 150 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 151 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 152 | [T:0|L:1] LIBCALL :: 
@0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 153 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 154 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 155 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 156 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 157 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 158 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 159 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 160 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 161 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 162 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 163 | [T:0|L:1] LIBCALL :: @0x012aa934 call dword ptr [esi+0x2a20c]=[0x012ab20c]=0x76f31837 kernel32.dll::GetProcAddress 164 | [T:0|L:1] LIBCALL :: @0x012aa993 call ebp=0x76f250ab kernel32.dll::VirtualProtect 165 | [T:0|L:1] LIBCALL :: @0x012aa9a8 call ebp=0x76f250ab kernel32.dll::VirtualProtect 166 | [T:0|L:1] *NEWLEVEL* :: a potential new level detected 167 | [T:0|L:1] *NEWLEVEL* :: #1 executed a written instruction @0x012913c0 168 | [T:0|L:1] *NEWLEVEL* :: #2 executed a written instruction @0x01298620 169 | [T:0|L:1] *NEWLEVEL* :: #3 executed a written instruction @0x01298622 170 | [T:0|L:1] *NEWLEVEL* :: #4 executed a written instruction @0x01298623 171 | [T:0|L:1] *NEWLEVEL* :: #5 
executed a written instruction @0x01298625 172 | [T:0|L:2] *NEWLEVEL* :: detected a new level! its entry point is 0x012913c0 173 | [T:0|L:2] *NEWLEVEL* :: instruction that jumped to the new level is at 0x012aa9b9 174 | [T:0|L:2] *NEWLEVEL* :: new level is in memory chunk [0x01280000..0x012abfff](0x0002c000) and has a PE file header 175 | [T:0|L:2] *NEWLEVEL* :: dumped new level to file C:\Users\pmat\Desktop\workfolder\logs\pmat\2014-04-22_16-32_helloworld_simple_packed\dump_level_2_procID_0_threadID_0._exe_ 176 | [T:0|L:2] LIBCALL :: @0x01299a75 call dword ptr [0x12a43e4]=0x76f2fe44 kernel32.dll::GetSystemTimeAsFileTime 177 | [T:0|L:2] LIBCALL :: @0x01299a8a call dword ptr [0x12a43e0]=0x76f30d23 kernel32.dll::GetCurrentProcessId 178 | [T:0|L:2] LIBCALL :: @0x01299a96 call dword ptr [0x12a43dc]=0x76f2f212 kernel32.dll::GetCurrentThreadId 179 | [T:0|L:2] LIBCALL :: @0x01299aa2 call dword ptr [0x12a43d8]=0x76f2ef76 kernel32.dll::GetTickCount 180 | [T:0|L:2] LIBCALL :: @0x01299ab2 call dword ptr [0x12a43d4]=0x76f2f2a7 kernel32.dll::QueryPerformanceCounter 181 | [T:0|L:2] LIBCALL :: @0x01298686 call dword ptr [0x12a43a0]=0x76f3c41a kernel32.dll::HeapSetInformation 182 | [T:0|L:2] LIBCALL :: @0x012986b7 call dword ptr [0x12a439c]=0x76f2f23c kernel32.dll::InterlockedCompareExchange 183 | [T:0|L:2] LIBCALL :: @0x01299dec jmp dword ptr [0x12a45e0]=0x6c3586a0 MSVCR100D.dll::_initterm_e 184 | [T:0|L:2] LIBCALL :: @0x01298511 call dword ptr [0x12a45b8]=0x6c355150 MSVCR100D.dll::__set_app_type 185 | [T:0|L:2] LIBCALL :: @0x0129851c call dword ptr [0x12a4400]=0x7722324c ntdll.dll::RtlEncodePointer 186 | [T:0|L:2] LIBCALL :: @0x01299526 jmp dword ptr [0x12a45a4]=0x6c430670 MSVCR100D.dll::_CRT_RTC_INITW 187 | [T:0|L:2] LIBCALL :: @0x0129a438 jmp dword ptr [0x12a4600]=0x6c441de0 MSVCR100D.dll::_controlfp_s 188 | [T:0|L:2] LIBCALL :: @0x012998ea call dword ptr [0x12a43d0]=0x76f33142 kernel32.dll::SetUnhandledExceptionFilter 189 | [T:0|L:2] LIBCALL :: @0x01299de6 jmp dword ptr 
[0x12a45dc]=0x6c358670 MSVCR100D.dll::_initterm 190 | [T:0|L:2] LIBCALL :: @0x01298a18 call dword ptr [0x12a43a4]=0x7721f020 ntdll.dll::RtlDecodePointer 191 | [T:0|L:2] LIBCALL :: @0x01298a2b call dword ptr [0x12a45f0]=0x6c429150 MSVCR100D.dll::_onexit 192 | [T:0|L:2] LIBCALL :: @0x012985e7 call dword ptr [0x12a45c0]=0x6c358d90 MSVCR100D.dll::__getmainargs 193 | [T:0|L:2] LIBCALL :: @0x01298a18 call dword ptr [0x12a43a4]=0x7721f020 ntdll.dll::RtlDecodePointer 194 | [T:0|L:2] LIBCALL :: @0x01298a2b call dword ptr [0x12a45f0]=0x6c429150 MSVCR100D.dll::_onexit 195 | [T:0|L:2] LIBCALL :: @0x012987a1 call dword ptr [0x12a4394]=0x76f2f25e kernel32.dll::InterlockedExchange 196 | [T:0|L:2] LIBCALL :: @0x012987cf call dword ptr [0x12a45d8]=0x6c428ed0 MSVCR100D.dll::_CrtSetCheckCount 197 | [T:0|L:2] LIBCALL :: @0x01298362 jmp dword ptr [0x12a4670]=0x6c38d510 MSVCR100D.dll::strlen 198 | [T:0|L:2] LIBCALL :: @0x01291d1b call dword ptr [0x12a4510]=0x6c49fec0 MSVCP100D.dll::?width@ios_base@std@@QBE_JXZ 199 | [T:0|L:2] LIBCALL :: @0x0129264c call dword ptr [0x12a451c]=0x6c4a19b0 MSVCP100D.dll::?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ 200 | [T:0|L:2] LIBCALL :: @0x0129266e call dword ptr [0x12a451c]=0x6c4a19b0 MSVCP100D.dll::?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ 201 | [T:0|L:2] LIBCALL :: @0x01292694 call eax=0x6c4a5710 MSVCP100D.dll::?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEXABVlocale@2@@Z 202 | [T:0|L:2] LIBCALL :: @0x012923f4 call dword ptr [0x12a4504]=0x6c49fc20 MSVCP100D.dll::?good@ios_base@std@@QBE_NXZ 203 | [T:0|L:2] LIBCALL :: @0x01292417 call dword ptr [0x12a4508]=0x6c4a3870 MSVCP100D.dll::?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ 204 | [T:0|L:2] LIBCALL :: @0x01292464 call dword ptr [0x12a4504]=0x6c49fc20 MSVCP100D.dll::?good@ios_base@std@@QBE_NXZ 205 | [T:0|L:2] LIBCALL :: 
@0x01291e1d call dword ptr [0x12a4514]=0x6c49fd40 MSVCP100D.dll::?flags@ios_base@std@@QBEHXZ 206 | [T:0|L:2] LIBCALL :: @0x01291f44 call dword ptr [0x12a451c]=0x6c4a19b0 MSVCP100D.dll::?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ 207 | [T:0|L:2] LIBCALL :: @0x01291f6b call dword ptr [0x12a4524]=0x6c4aa910 MSVCP100D.dll::?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z 208 | [T:0|L:2] LIBCALL :: @0x012920ab call dword ptr [0x12a4528]=0x6c49fee0 MSVCP100D.dll::?width@ios_base@std@@QAE_J_J@Z 209 | [T:0|L:2] LIBCALL :: @0x01292101 call dword ptr [0x12a452c]=0x6c4a1970 MSVCP100D.dll::?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z 210 | [T:0|L:2] LIBCALL :: @0x0129253b call dword ptr [0x12a44fc]=0x6c4db7d0 MSVCP100D.dll::?uncaught_exception@std@@YA_NXZ 211 | [T:0|L:2] LIBCALL :: @0x01292556 call dword ptr [0x12a4500]=0x6c4a37e0 MSVCP100D.dll::?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ 212 | [T:0|L:2] LIBCALL :: @0x01292714 call dword ptr [0x12a451c]=0x6c4a19b0 MSVCP100D.dll::?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ 213 | [T:0|L:2] LIBCALL :: @0x01292736 call dword ptr [0x12a451c]=0x6c4a19b0 MSVCP100D.dll::?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ 214 | [T:0|L:2] LIBCALL :: @0x0129275c call eax=0x6c4a5740 MSVCP100D.dll::?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEXABVlocale@2@@Z 215 | [T:0|L:2] LIBCALL :: @0x01291c4c call dword ptr [0x12a44f8]=0x6c4bbba0 MSVCP100D.dll::??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z 216 | [T:0|L:2] LIBCALL :: @0x01291c60 call dword ptr [0x12a4678]=0x6c36b6a0 MSVCR100D.dll::system 217 | [T:0|L:2] DLLMGMT :: load at [0x75210000..0x7525afff] C:\Windows\system32\apphelp.dll 218 | [T:0|L:2] CHILDPROC :: started app C:\Windows\system32\cmd.exe with process id 3788 219 | [T:0|L:2] 
LIBCALL :: @0x01298816 call dword ptr [0x12a45d0]=0x6c3580a0 MSVCR100D.dll::exit 220 | [T:0|L:2] LIBCALL :: @0x01297fac call dword ptr [0x12a4468]=0x6c4f2350 MSVCP100D.dll::??0_Lockit@std@@QAE@H@Z 221 | [T:0|L:2] LIBCALL :: @0x01297fed call dword ptr [0x12a4464]=0x6c4f2390 MSVCP100D.dll::??1_Lockit@std@@QAE@XZ 222 | [T:0|L:2] LIBCALL :: @0x01299526 jmp dword ptr [0x12a45a4]=0x6c430670 MSVCR100D.dll::_CRT_RTC_INITW 223 | [T:0|L:2] LIBCALL :: @0x01299526 jmp dword ptr [0x12a45a4]=0x6c430670 MSVCR100D.dll::_CRT_RTC_INITW 224 | [T:0|L:2] THREADMGMT :: thread with id 0 stopped; new #threads is 1 225 | DLLMGMT :: remove at [0x75390000..0x753d9fff] C:\Windows\system32\KERNELBASE.dll 226 | DLLMGMT :: remove at [0x76ee0000..0x76fb3fff] C:\Windows\system32\kernel32.dll 227 | DLLMGMT :: remove at [0x771c0000..0x772fbfff] C:\Windows\SYSTEM32\ntdll.dll 228 | DLLMGMT :: remove at [0x6c490000..0x6c546fff] C:\Windows\system32\MSVCP100D.dll 229 | DLLMGMT :: remove at [0x6c310000..0x6c481fff] C:\Windows\system32\MSVCR100D.dll 230 | DLLMGMT :: remove at [0x75210000..0x7525afff] C:\Windows\system32\apphelp.dll 231 | =============================================== 232 | Current level = 2 233 | Execution time = 21971 ms 234 | =============================================== 235 | -------------------------------------------------------------------------------- /out/2014-04-22_16-32_helloworld_simple_packed/tool_procID_3788_parentID_0.log: -------------------------------------------------------------------------------- 1 | Pin 2.13 kit 61147 2 | Instrumenting PE file: C:\Windows\system32\cmd.exe 3 | Loaded PE file at [0x4a940000..0x4a98bfff](0x0004c000) 4 | Its Entry Point is 0x4a9460dc 5 | 6 | EXEMEMORY :: insert memory chunk [0x4a940000..0x4a98bfff](0x0004c000) 7 | DLLMGMT :: load at [0x75390000..0x753d9fff] C:\Windows\system32\KERNELBASE.dll 8 | DLLMGMT :: load at [0x76ee0000..0x76fb3fff] C:\Windows\system32\kernel32.dll 9 | DLLMGMT :: load at [0x771c0000..0x772fbfff] 
C:\Windows\SYSTEM32\ntdll.dll 10 | [T:0|L:1] THREADMGMT :: new thread with id 0 started; new #threads is 1 11 | [T:0|L:1] DLLMGMT :: load at [0x76e30000..0x76edbfff] C:\Windows\system32\msvcrt.dll 12 | [T:0|L:1] DLLMGMT :: load at [0x72540000..0x72546fff] C:\Windows\system32\WINBRAND.dll 13 | [T:0|L:1] DLLMGMT :: load at [0x756a0000..0x75768fff] C:\Windows\system32\USER32.dll 14 | [T:0|L:1] DLLMGMT :: load at [0x75940000..0x7598dfff] C:\Windows\system32\GDI32.dll 15 | [T:0|L:1] DLLMGMT :: load at [0x77310000..0x77319fff] C:\Windows\system32\LPK.dll 16 | [T:0|L:1] DLLMGMT :: load at [0x75770000..0x7580cfff] C:\Windows\system32\USP10.dll 17 | [T:0|L:1] DLLMGMT :: load at [0x77330000..0x7734efff] C:\Windows\system32\IMM32.DLL 18 | [T:0|L:1] DLLMGMT :: load at [0x75db0000..0x75e7bfff] C:\Windows\system32\MSCTF.dll 19 | [T:0|L:1] LIBCALL :: @0x4a945f5f call dword ptr [0x4a94114c]=0x76f2fe44 kernel32.dll::GetSystemTimeAsFileTime 20 | [T:0|L:1] LIBCALL :: @0x4a945f6b call dword ptr [0x4a941150]=0x76f30d23 kernel32.dll::GetCurrentProcessId 21 | [T:0|L:1] LIBCALL :: @0x4a945f73 call dword ptr [0x4a94120c]=0x76f2f212 kernel32.dll::GetCurrentThreadId 22 | [T:0|L:1] LIBCALL :: @0x4a945f7b call dword ptr [0x4a941154]=0x76f2ef76 kernel32.dll::GetTickCount 23 | [T:0|L:1] LIBCALL :: @0x4a945f87 call dword ptr [0x4a941158]=0x76f2f2a7 kernel32.dll::QueryPerformanceCounter 24 | [T:0|L:1] LIBCALL :: @0x4a946106 call dword ptr [0x4a941170]=0x76f2f23c kernel32.dll::InterlockedCompareExchange 25 | [T:0|L:1] LIBCALL :: @0x4a946380 call dword ptr [0x4a94115c]=0x76f328d7 kernel32.dll::GetModuleHandleA 26 | [T:0|L:1] LIBCALL :: @0x4a94630c call dword ptr [0x4a941020]=0x76e42804 msvcrt.dll::__set_app_type 27 | [T:0|L:1] LIBCALL :: @0x4a946322 call dword ptr [0x4a941024]=0x76e427ce msvcrt.dll::__p__fmode 28 | [T:0|L:1] LIBCALL :: @0x4a946330 call dword ptr [0x4a941028]=0x76e427c3 msvcrt.dll::__p__commode 29 | [T:0|L:1] LIBCALL :: @0x4a94636b call dword ptr [0x4a941014]=0x76e3e1e1 
msvcrt.dll::_controlfp 30 | [T:0|L:1] LIBCALL :: @0x4a945f10 call dword ptr [0x4a941160]=0x76f33142 kernel32.dll::SetUnhandledExceptionFilter 31 | [T:0|L:1] LIBCALL :: @0x4a945f1e jmp dword ptr [0x4a941034]=0x76e3c151 msvcrt.dll::_initterm 32 | [T:0|L:1] LIBCALL :: @0x4a945ef7 call dword ptr [0x4a941044]=0x76e42bc0 msvcrt.dll::__getmainargs 33 | [T:0|L:1] LIBCALL :: @0x4a946177 call dword ptr [0x4a941168]=0x76f2f25e kernel32.dll::InterlockedExchange 34 | [T:0|L:1] LIBCALL :: @0x4a944f47 call dword ptr [0x4a94120c]=0x76f2f212 kernel32.dll::GetCurrentThreadId 35 | [T:0|L:1] LIBCALL :: @0x4a944f54 call dword ptr [0x4a941210]=0x76f30d8f kernel32.dll::OpenThread 36 | [T:0|L:1] LIBCALL :: @0x4a945daf call dword ptr [0x4a941298]=0x76f319a1 kernel32.dll::GetModuleHandleW 37 | [T:0|L:1] LIBCALL :: @0x4a945dc9 call dword ptr [0x4a941294]=0x76f31837 kernel32.dll::GetProcAddress 38 | [T:0|L:1] LIBCALL :: @0x4a941687 call dword ptr [0x4a9640cc]=0x76f32e18 kernel32.dll::SetThreadUILanguage 39 | [T:0|L:1] LIBCALL :: @0x4a944f6a call dword ptr [0x4a941214]=0x76f3c41a kernel32.dll::HeapSetInformation 40 | [T:0|L:1] LIBCALL :: @0x4a945e24 call dword ptr [0x4a941354]=0x76f2f729 kernel32.dll::RegOpenKeyExW 41 | [T:0|L:1] LIBCALL :: @0x4a946025 call ebx=0x76f33104 kernel32.dll::VirtualQuery 42 | [T:0|L:1] LIBCALL :: @0x4a94603f call ebx=0x76f33104 kernel32.dll::VirtualQuery 43 | [T:0|L:1] LIBCALL :: @0x4a94603f call ebx=0x76f33104 kernel32.dll::VirtualQuery 44 | [T:0|L:1] LIBCALL :: @0x4a94603f call ebx=0x76f33104 kernel32.dll::VirtualQuery 45 | [T:0|L:1] LIBCALL :: @0x4a94603f call ebx=0x76f33104 kernel32.dll::VirtualQuery 46 | [T:0|L:1] LIBCALL :: @0x4a94523e call dword ptr [0x4a9412e0]=0x76f32e84 kernel32.dll::GetConsoleOutputCP 47 | [T:0|L:1] LIBCALL :: @0x4a94524f call dword ptr [0x4a9412dc]=0x76f32974 kernel32.dll::GetCPInfo 48 | [T:0|L:1] LIBCALL :: @0x4a941b01 jmp dword ptr [0x4a9410f8]=0x76e39790 msvcrt.dll::memset 49 | [T:0|L:1] LIBCALL :: @0x4a945997 call dword ptr 
[0x4a941220]=0x7721f8be ntdll.dll::RtlInitializeCriticalSection 50 | [T:0|L:1] LIBCALL :: @0x4a941a35 call dword ptr [0x4a94123c]=0x77206b7e ntdll.dll::RtlEnterCriticalSection 51 | [T:0|L:1] LIBCALL :: @0x4a941a48 call dword ptr [0x4a941240]=0x77206b40 ntdll.dll::RtlLeaveCriticalSection 52 | [T:0|L:1] LIBCALL :: @0x4a9459a9 call dword ptr [0x4a941224]=0x76f3365e kernel32.dll::SetConsoleCtrlHandler 53 | [T:0|L:1] LIBCALL :: @0x4a941600 call esi=0x76e3f2b1 msvcrt.dll::_get_osfhandle 54 | [T:0|L:1] LIBCALL :: @0x4a94160a call edi=0x76f32ed3 kernel32.dll::SetConsoleMode 55 | [T:0|L:1] LIBCALL :: @0x4a941613 call esi=0x76e3f2b1 msvcrt.dll::_get_osfhandle 56 | [T:0|L:1] LIBCALL :: @0x4a94161d call ebx=0x76f31854 kernel32.dll::GetConsoleMode 57 | [T:0|L:1] LIBCALL :: @0x4a94643b call esi=0x76e3f2b1 msvcrt.dll::_get_osfhandle 58 | [T:0|L:1] LIBCALL :: @0x4a94643f call edi=0x76f32ed3 kernel32.dll::SetConsoleMode 59 | [T:0|L:1] LIBCALL :: @0x4a94163a call esi=0x76e3f2b1 msvcrt.dll::_get_osfhandle 60 | [T:0|L:1] LIBCALL :: @0x4a94163e call ebx=0x76f31854 kernel32.dll::GetConsoleMode 61 | [T:0|L:1] LIBCALL :: @0x4a9416a4 call dword ptr [0x4a941324]=0x76f330b7 kernel32.dll::GetEnvironmentStringsW 62 | [T:0|L:1] LIBCALL :: @0x4a9416be call dword ptr [0x4a94128c]=0x76f2f24c kernel32.dll::GetProcessHeap 63 | [T:0|L:1] LIBCALL :: @0x4a9416c5 call dword ptr [0x4a9412a0]=0x7721209d ntdll.dll::RtlAllocateHeap 64 | [T:0|L:1] LIBCALL :: @0x4a941695 jmp dword ptr [0x4a9410b4]=0x76e39910 msvcrt.dll::memcpy 65 | [T:0|L:1] LIBCALL :: @0x4a9416dd call dword ptr [0x4a941320]=0x76f330d4 kernel32.dll::FreeEnvironmentStringsW 66 | [T:0|L:1] LIBCALL :: @0x4a943a73 call esi=0x76f2f24c kernel32.dll::GetProcessHeap 67 | [T:0|L:1] LIBCALL :: @0x4a943a76 call dword ptr [0x4a9412a0]=0x7721209d ntdll.dll::RtlAllocateHeap 68 | [T:0|L:1] LIBCALL :: @0x4a9416a4 call dword ptr [0x4a941324]=0x76f330b7 kernel32.dll::GetEnvironmentStringsW 69 | [T:0|L:1] LIBCALL :: @0x4a9416be call dword ptr 
[0x4a94128c]=0x76f2f24c kernel32.dll::GetProcessHeap 70 | [T:0|L:1] LIBCALL :: @0x4a9416c5 call dword ptr [0x4a9412a0]=0x7721209d ntdll.dll::RtlAllocateHeap 71 | [T:0|L:1] LIBCALL :: @0x4a941695 jmp dword ptr [0x4a9410b4]=0x76e39910 msvcrt.dll::memcpy 72 | [T:0|L:1] LIBCALL :: @0x4a9416dd call dword ptr [0x4a941320]=0x76f330d4 kernel32.dll::FreeEnvironmentStringsW 73 | [T:0|L:1] LIBCALL :: @0x4a94559e call dword ptr [0x4a941354]=0x76f2f729 kernel32.dll::RegOpenKeyExW 74 | [T:0|L:1] LIBCALL :: @0x4a9455d9 call edi=0x76f2fcf1 kernel32.dll::RegQueryValueExW 75 | [T:0|L:1] LIBCALL :: @0x4a94560a call edi=0x76f2fcf1 kernel32.dll::RegQueryValueExW 76 | [T:0|L:1] LIBCALL :: @0x4a945652 call edi=0x76f2fcf1 kernel32.dll::RegQueryValueExW 77 | [T:0|L:1] LIBCALL :: @0x4a945683 call edi=0x76f2fcf1 kernel32.dll::RegQueryValueExW 78 | [T:0|L:1] LIBCALL :: @0x4a9456ca call edi=0x76f2fcf1 kernel32.dll::RegQueryValueExW 79 | [T:0|L:1] LIBCALL :: @0x4a94572b call edi=0x76f2fcf1 kernel32.dll::RegQueryValueExW 80 | [T:0|L:1] LIBCALL :: @0x4a9457b7 call edi=0x76f2fcf1 kernel32.dll::RegQueryValueExW 81 | [T:0|L:1] LIBCALL :: @0x4a9457c7 call dword ptr [0x4a941348]=0x76f2f9d0 kernel32.dll::RegCloseKey 82 | [T:0|L:1] LIBCALL :: @0x4a94559e call dword ptr [0x4a941354]=0x76f2f729 kernel32.dll::RegOpenKeyExW 83 | [T:0|L:1] LIBCALL :: @0x4a9455d9 call edi=0x76f2fcf1 kernel32.dll::RegQueryValueExW 84 | [T:0|L:1] LIBCALL :: @0x4a94560a call edi=0x76f2fcf1 kernel32.dll::RegQueryValueExW 85 | [T:0|L:1] LIBCALL :: @0x4a945652 call edi=0x76f2fcf1 kernel32.dll::RegQueryValueExW 86 | [T:0|L:1] LIBCALL :: @0x4a945683 call edi=0x76f2fcf1 kernel32.dll::RegQueryValueExW 87 | [T:0|L:1] LIBCALL :: @0x4a9456ca call edi=0x76f2fcf1 kernel32.dll::RegQueryValueExW 88 | [T:0|L:1] LIBCALL :: @0x4a94572b call edi=0x76f2fcf1 kernel32.dll::RegQueryValueExW 89 | [T:0|L:1] LIBCALL :: @0x4a9457b7 call edi=0x76f2fcf1 kernel32.dll::RegQueryValueExW 90 | [T:0|L:1] LIBCALL :: @0x4a9457c7 call dword ptr 
[0x4a941348]=0x76f2f9d0 kernel32.dll::RegCloseKey 91 | [T:0|L:1] LIBCALL :: @0x4a9457e1 call dword ptr [0x4a941084]=0x76e3f708 msvcrt.dll::time 92 | [T:0|L:1] LIBCALL :: @0x4a9457e8 call dword ptr [0x4a941088]=0x76e3f757 msvcrt.dll::srand 93 | [T:0|L:1] LIBCALL :: @0x4a9459c8 call esi=0x76f3ecab kernel32.dll::GetCommandLineW 94 | [T:0|L:1] LIBCALL :: @0x4a9459eb call esi=0x76f3ecab kernel32.dll::GetCommandLineW 95 | [T:0|L:1] LIBCALL :: @0x4a943ac4 call dword ptr [0x4a9411b4]=0x76f3356f kernel32.dll::GetCurrentDirectoryW 96 | [T:0|L:1] LIBCALL :: @0x4a9418cb call dword ptr [0x4a94128c]=0x76f2f24c kernel32.dll::GetProcessHeap 97 | [T:0|L:1] LIBCALL :: @0x4a9418d2 call dword ptr [0x4a9412a0]=0x7721209d ntdll.dll::RtlAllocateHeap 98 | [T:0|L:1] LIBCALL :: @0x4a94548f call dword ptr [0x4a941230]=0x76f329f4 kernel32.dll::GetModuleFileNameW 99 | [T:0|L:1] LIBCALL :: @0x4a94194f call dword ptr [0x4a94133c]=0x76f32dfd kernel32.dll::GetEnvironmentVariableW 100 | [T:0|L:1] LIBCALL :: @0x4a94194f call dword ptr [0x4a94133c]=0x76f32dfd kernel32.dll::GetEnvironmentVariableW 101 | [T:0|L:1] LIBCALL :: @0x4a94194f call dword ptr [0x4a94133c]=0x76f32dfd kernel32.dll::GetEnvironmentVariableW 102 | [T:0|L:1] LIBCALL :: @0x4a94194f call dword ptr [0x4a94133c]=0x76f32dfd kernel32.dll::GetEnvironmentVariableW 103 | [T:0|L:1] LIBCALL :: @0x4a94194f call dword ptr [0x4a94133c]=0x76f32dfd kernel32.dll::GetEnvironmentVariableW 104 | [T:0|L:1] LIBCALL :: @0x4a942c0d call ebx=0x76e3a9e9 msvcrt.dll::_wcsicmp 105 | [T:0|L:1] LIBCALL :: @0x4a942c21 call ebx=0x76e3a9e9 msvcrt.dll::_wcsicmp 106 | [T:0|L:1] LIBCALL :: @0x4a942c35 call ebx=0x76e3a9e9 msvcrt.dll::_wcsicmp 107 | [T:0|L:1] LIBCALL :: @0x4a942c49 call ebx=0x76e3a9e9 msvcrt.dll::_wcsicmp 108 | [T:0|L:1] LIBCALL :: @0x4a942c5d call ebx=0x76e3a9e9 msvcrt.dll::_wcsicmp 109 | [T:0|L:1] LIBCALL :: @0x4a942c71 call ebx=0x76e3a9e9 msvcrt.dll::_wcsicmp 110 | [T:0|L:1] LIBCALL :: @0x4a942d28 call ebx=0x76e3a9e9 msvcrt.dll::_wcsicmp 111 | 
[T:0|L:1] LIBCALL :: @0x4a9418cb call dword ptr [0x4a94128c]=0x76f2f24c kernel32.dll::GetProcessHeap 112 | [T:0|L:1] LIBCALL :: @0x4a9418d2 call dword ptr [0x4a9412a0]=0x7721209d ntdll.dll::RtlAllocateHeap 113 | [T:0|L:1] LIBCALL :: @0x4a944d43 call dword ptr [0x4a9411b4]=0x76f3356f kernel32.dll::GetCurrentDirectoryW 114 | [T:0|L:1] LIBCALL :: @0x4a944d55 call esi=0x76e3f670 msvcrt.dll::towupper 115 | [T:0|L:1] LIBCALL :: @0x4a944d6b call dword ptr [0x4a9410a8]=0x76e3c136 msvcrt.dll::iswalpha 116 | [T:0|L:1] LIBCALL :: @0x4a944d8a call esi=0x76e3f670 msvcrt.dll::towupper 117 | [T:0|L:1] LIBCALL :: @0x4a944dae call dword ptr [0x4a9412f8]=0x76f319d1 kernel32.dll::GetFullPathNameW 118 | [T:0|L:1] LIBCALL :: @0x4a944e33 call esi=0x76f313ce kernel32.dll::GetFileAttributesW 119 | [T:0|L:1] LIBCALL :: @0x4a943961 call dword ptr [0x4a9412f4]=0x76f3105a kernel32.dll::FindFirstFileW 120 | [T:0|L:1] LIBCALL :: @0x4a943974 call dword ptr [0x4a9412ec]=0x76f3351a kernel32.dll::FindClose 121 | [T:0|L:1] LIBCALL :: @0x4a941695 jmp dword ptr [0x4a9410b4]=0x76e39910 msvcrt.dll::memcpy 122 | [T:0|L:1] LIBCALL :: @0x4a943961 call dword ptr [0x4a9412f4]=0x76f3105a kernel32.dll::FindFirstFileW 123 | [T:0|L:1] LIBCALL :: @0x4a943974 call dword ptr [0x4a9412ec]=0x76f3351a kernel32.dll::FindClose 124 | [T:0|L:1] LIBCALL :: @0x4a941695 jmp dword ptr [0x4a9410b4]=0x76e39910 msvcrt.dll::memcpy 125 | [T:0|L:1] LIBCALL :: @0x4a943961 call dword ptr [0x4a9412f4]=0x76f3105a kernel32.dll::FindFirstFileW 126 | [T:0|L:1] LIBCALL :: @0x4a943974 call dword ptr [0x4a9412ec]=0x76f3351a kernel32.dll::FindClose 127 | [T:0|L:1] LIBCALL :: @0x4a941695 jmp dword ptr [0x4a9410b4]=0x76e39910 msvcrt.dll::memcpy 128 | [T:0|L:1] LIBCALL :: @0x4a943961 call dword ptr [0x4a9412f4]=0x76f3105a kernel32.dll::FindFirstFileW 129 | [T:0|L:1] LIBCALL :: @0x4a943974 call dword ptr [0x4a9412ec]=0x76f3351a kernel32.dll::FindClose 130 | [T:0|L:1] LIBCALL :: @0x4a943a4a call dword ptr [0x4a941108]=0x76e3aae3 
msvcrt.dll::_wcsnicmp 131 | [T:0|L:1] LIBCALL :: @0x4a941695 jmp dword ptr [0x4a9410b4]=0x76e39910 msvcrt.dll::memcpy 132 | [T:0|L:1] LIBCALL :: @0x4a943961 call dword ptr [0x4a9412f4]=0x76f3105a kernel32.dll::FindFirstFileW 133 | [T:0|L:1] LIBCALL :: @0x4a943974 call dword ptr [0x4a9412ec]=0x76f3351a kernel32.dll::FindClose 134 | [T:0|L:1] LIBCALL :: @0x4a941695 jmp dword ptr [0x4a9410b4]=0x76e39910 msvcrt.dll::memcpy 135 | [T:0|L:1] LIBCALL :: @0x4a944e6b call esi=0x76f313ce kernel32.dll::GetFileAttributesW 136 | [T:0|L:1] LIBCALL :: @0x4a944ea1 call dword ptr [0x4a9411b8]=0x76f33557 kernel32.dll::SetCurrentDirectoryW 137 | [T:0|L:1] LIBCALL :: @0x4a941761 call dword ptr [0x4a941328]=0x76f330e1 kernel32.dll::SetEnvironmentVariableW 138 | [T:0|L:1] LIBCALL :: @0x4a941771 call dword ptr [0x4a94128c]=0x76f2f24c kernel32.dll::GetProcessHeap 139 | [T:0|L:1] LIBCALL :: @0x4a941778 call dword ptr [0x4a941288]=0x76f2f198 kernel32.dll::HeapFree 140 | [T:0|L:1] LIBCALL :: @0x4a9416a4 call dword ptr [0x4a941324]=0x76f330b7 kernel32.dll::GetEnvironmentStringsW 141 | [T:0|L:1] LIBCALL :: @0x4a9416be call dword ptr [0x4a94128c]=0x76f2f24c kernel32.dll::GetProcessHeap 142 | [T:0|L:1] LIBCALL :: @0x4a9416c5 call dword ptr [0x4a9412a0]=0x7721209d ntdll.dll::RtlAllocateHeap 143 | [T:0|L:1] LIBCALL :: @0x4a941695 jmp dword ptr [0x4a9410b4]=0x76e39910 msvcrt.dll::memcpy 144 | [T:0|L:1] LIBCALL :: @0x4a9416dd call dword ptr [0x4a941320]=0x76f330d4 kernel32.dll::FreeEnvironmentStringsW 145 | [T:0|L:1] LIBCALL :: @0x4a943ac4 call dword ptr [0x4a9411b4]=0x76f3356f kernel32.dll::GetCurrentDirectoryW 146 | [T:0|L:1] LIBCALL :: @0x4a941415 call dword ptr [0x4a94128c]=0x76f2f24c kernel32.dll::GetProcessHeap 147 | [T:0|L:1] LIBCALL :: @0x4a94141c call dword ptr [0x4a941288]=0x76f2f198 kernel32.dll::HeapFree 148 | [T:0|L:1] LIBCALL :: @0x4a9418cb call dword ptr [0x4a94128c]=0x76f2f24c kernel32.dll::GetProcessHeap 149 | [T:0|L:1] LIBCALL :: @0x4a9418d2 call dword ptr [0x4a9412a0]=0x7721209d 
ntdll.dll::RtlAllocateHeap 150 | [T:0|L:1] LIBCALL :: @0x4a9418a7 call dword ptr [0x4a9410ec]=0x76e3aa61 msvcrt.dll::wcschr 151 | [T:0|L:1] LIBCALL :: @0x4a945302 call dword ptr [0x4a9410c4]=0x76e3ad52 msvcrt.dll::towlower 152 | [T:0|L:1] LIBCALL :: @0x4a9418cb call dword ptr [0x4a94128c]=0x76f2f24c kernel32.dll::GetProcessHeap 153 | [T:0|L:1] LIBCALL :: @0x4a9418d2 call dword ptr [0x4a9412a0]=0x7721209d ntdll.dll::RtlAllocateHeap 154 | [T:0|L:1] LIBCALL :: @0x4a942cc9 call dword ptr [0x4a9410f4]=0x76e3aacb msvcrt.dll::iswspace 155 | [T:0|L:1] LIBCALL :: @0x4a942cc9 call dword ptr [0x4a9410f4]=0x76e3aacb msvcrt.dll::iswspace 156 | [T:0|L:1] LIBCALL :: @0x4a941415 call dword ptr [0x4a94128c]=0x76f2f24c kernel32.dll::GetProcessHeap 157 | [T:0|L:1] LIBCALL :: @0x4a94141c call dword ptr [0x4a941288]=0x76f2f198 kernel32.dll::HeapFree 158 | [T:0|L:1] LIBCALL :: @0x4a945a41 call dword ptr [0x4a9412e0]=0x76f32e84 kernel32.dll::GetConsoleOutputCP 159 | [T:0|L:1] LIBCALL :: @0x4a945a52 call dword ptr [0x4a9412dc]=0x76f32974 kernel32.dll::GetCPInfo 160 | [T:0|L:1] LIBCALL :: @0x4a94519d call dword ptr [0x4a9412fc]=0x76f315ab kernel32.dll::GetUserDefaultLCID 161 | [T:0|L:1] LIBCALL :: @0x4a945b81 call esi=0x76f3354a kernel32.dll::GetLocaleInfoW 162 | [T:0|L:1] LIBCALL :: @0x4a945ba0 call esi=0x76f3354a kernel32.dll::GetLocaleInfoW 163 | [T:0|L:1] LIBCALL :: @0x4a945c01 call esi=0x76f3354a kernel32.dll::GetLocaleInfoW 164 | [T:0|L:1] LIBCALL :: @0x4a945c41 call esi=0x76f3354a kernel32.dll::GetLocaleInfoW 165 | [T:0|L:1] LIBCALL :: @0x4a945c6b call esi=0x76f3354a kernel32.dll::GetLocaleInfoW 166 | [T:0|L:1] LIBCALL :: @0x4a945c84 call esi=0x76f3354a kernel32.dll::GetLocaleInfoW 167 | [T:0|L:1] LIBCALL :: @0x4a945c9d call esi=0x76f3354a kernel32.dll::GetLocaleInfoW 168 | [T:0|L:1] LIBCALL :: @0x4a945cb6 call esi=0x76f3354a kernel32.dll::GetLocaleInfoW 169 | [T:0|L:1] LIBCALL :: @0x4a945ccf call esi=0x76f3354a kernel32.dll::GetLocaleInfoW 170 | [T:0|L:1] LIBCALL :: @0x4a945ce8 
call esi=0x76f3354a kernel32.dll::GetLocaleInfoW 171 | [T:0|L:1] LIBCALL :: @0x4a945d01 call esi=0x76f3354a kernel32.dll::GetLocaleInfoW 172 | [T:0|L:1] LIBCALL :: @0x4a945d1a call esi=0x76f3354a kernel32.dll::GetLocaleInfoW 173 | [T:0|L:1] LIBCALL :: @0x4a945d36 call esi=0x76f3354a kernel32.dll::GetLocaleInfoW 174 | [T:0|L:1] LIBCALL :: @0x4a945d4f call esi=0x76f3354a kernel32.dll::GetLocaleInfoW 175 | [T:0|L:1] LIBCALL :: @0x4a945d60 call dword ptr [0x4a9410cc]=0x76e45286 msvcrt.dll::setlocale 176 | [T:0|L:1] LIBCALL :: @0x4a945a65 call dword ptr [0x4a94128c]=0x76f2f24c kernel32.dll::GetProcessHeap 177 | [T:0|L:1] LIBCALL :: @0x4a945a6c call dword ptr [0x4a9412a0]=0x7721209d ntdll.dll::RtlAllocateHeap 178 | [T:0|L:1] LIBCALL :: @0x4a945a7d call dword ptr [0x4a94126c]=0x76f3f333 kernel32.dll::GetConsoleTitleW 179 | [T:0|L:1] LIBCALL :: @0x4a945aa5 call dword ptr [0x4a941298]=0x76f319a1 kernel32.dll::GetModuleHandleW 180 | [T:0|L:1] LIBCALL :: @0x4a945abc call esi=0x76f31837 kernel32.dll::GetProcAddress 181 | [T:0|L:1] LIBCALL :: @0x4a945ace call esi=0x76f31837 kernel32.dll::GetProcAddress 182 | [T:0|L:1] LIBCALL :: @0x4a945ae0 call esi=0x76f31837 kernel32.dll::GetProcAddress 183 | [T:0|L:1] LIBCALL :: @0x4a941bc6 jmp dword ptr [0x4a941094]=0x76e3edef msvcrt.dll::_setjmp3 184 | [T:0|L:1] LIBCALL :: @0x4a941bc6 jmp dword ptr [0x4a941094]=0x76e3edef msvcrt.dll::_setjmp3 185 | [T:0|L:1] LIBCALL :: @0x4a941bc6 jmp dword ptr [0x4a941094]=0x76e3edef msvcrt.dll::_setjmp3 186 | [T:0|L:1] LIBCALL :: @0x4a941a35 call dword ptr [0x4a94123c]=0x77206b7e ntdll.dll::RtlEnterCriticalSection 187 | [T:0|L:1] LIBCALL :: @0x4a941a48 call dword ptr [0x4a941240]=0x77206b40 ntdll.dll::RtlLeaveCriticalSection 188 | [T:0|L:1] LIBCALL :: @0x4a9418cb call dword ptr [0x4a94128c]=0x76f2f24c kernel32.dll::GetProcessHeap 189 | [T:0|L:1] LIBCALL :: @0x4a9418d2 call dword ptr [0x4a9412a0]=0x7721209d ntdll.dll::RtlAllocateHeap 190 | [T:0|L:1] LIBCALL :: @0x4a941415 call dword ptr 
[0x4a94128c]=0x76f2f24c kernel32.dll::GetProcessHeap 191 | [T:0|L:1] LIBCALL :: @0x4a94141c call dword ptr [0x4a941288]=0x76f2f198 kernel32.dll::HeapFree 192 | [T:0|L:1] LIBCALL :: @0x4a941d79 call dword ptr [0x4a9410f4]=0x76e3aacb msvcrt.dll::iswspace 193 | [T:0|L:1] LIBCALL :: @0x4a9418a7 call dword ptr [0x4a9410ec]=0x76e3aa61 msvcrt.dll::wcschr 194 | [T:0|L:1] LIBCALL :: @0x4a9423c9 call ebx=0x76e3aacb msvcrt.dll::iswspace 195 | [T:0|L:1] LIBCALL :: @0x4a9418a7 call dword ptr [0x4a9410ec]=0x76e3aa61 msvcrt.dll::wcschr 196 | [T:0|L:1] LIBCALL :: @0x4a942157 call dword ptr [0x4a941008]=0x76e3c02c msvcrt.dll::iswdigit 197 | [T:0|L:1] LIBCALL :: @0x4a9423c9 call ebx=0x76e3aacb msvcrt.dll::iswspace 198 | [T:0|L:1] LIBCALL :: @0x4a9418a7 call dword ptr [0x4a9410ec]=0x76e3aa61 msvcrt.dll::wcschr 199 | [T:0|L:1] LIBCALL :: @0x4a942157 call dword ptr [0x4a941008]=0x76e3c02c msvcrt.dll::iswdigit 200 | [T:0|L:1] LIBCALL :: @0x4a9423c9 call ebx=0x76e3aacb msvcrt.dll::iswspace 201 | [T:0|L:1] LIBCALL :: @0x4a9418a7 call dword ptr [0x4a9410ec]=0x76e3aa61 msvcrt.dll::wcschr 202 | [T:0|L:1] LIBCALL :: @0x4a942157 call dword ptr [0x4a941008]=0x76e3c02c msvcrt.dll::iswdigit 203 | [T:0|L:1] LIBCALL :: @0x4a9423c9 call ebx=0x76e3aacb msvcrt.dll::iswspace 204 | [T:0|L:1] LIBCALL :: @0x4a9418a7 call dword ptr [0x4a9410ec]=0x76e3aa61 msvcrt.dll::wcschr 205 | [T:0|L:1] LIBCALL :: @0x4a942157 call dword ptr [0x4a941008]=0x76e3c02c msvcrt.dll::iswdigit 206 | [T:0|L:1] LIBCALL :: @0x4a9423c9 call ebx=0x76e3aacb msvcrt.dll::iswspace 207 | [T:0|L:1] LIBCALL :: @0x4a9418a7 call dword ptr [0x4a9410ec]=0x76e3aa61 msvcrt.dll::wcschr 208 | [T:0|L:1] LIBCALL :: @0x4a942157 call dword ptr [0x4a941008]=0x76e3c02c msvcrt.dll::iswdigit 209 | [T:0|L:1] LIBCALL :: @0x4a9421db call dword ptr [0x4a94110c]=0x76e3a9e9 msvcrt.dll::_wcsicmp 210 | [T:0|L:1] LIBCALL :: @0x4a942675 call dword ptr [0x4a941008]=0x76e3c02c msvcrt.dll::iswdigit 211 | [T:0|L:1] LIBCALL :: @0x4a942498 call esi=0x76e3a9e9 
msvcrt.dll::_wcsicmp 212 | [T:0|L:1] LIBCALL :: @0x4a9424aa call esi=0x76e3a9e9 msvcrt.dll::_wcsicmp 213 | [T:0|L:1] LIBCALL :: @0x4a9424bc call esi=0x76e3a9e9 msvcrt.dll::_wcsicmp 214 | [T:0|L:1] LIBCALL :: @0x4a9424ce call esi=0x76e3a9e9 msvcrt.dll::_wcsicmp 215 | [T:0|L:1] LIBCALL :: @0x4a9424e0 call esi=0x76e3a9e9 msvcrt.dll::_wcsicmp 216 | [T:0|L:1] LIBCALL :: @0x4a9424f2 call esi=0x76e3a9e9 msvcrt.dll::_wcsicmp 217 | [T:0|L:1] LIBCALL :: @0x4a9418cb call dword ptr [0x4a94128c]=0x76f2f24c kernel32.dll::GetProcessHeap 218 | [T:0|L:1] LIBCALL :: @0x4a9418d2 call dword ptr [0x4a9412a0]=0x7721209d ntdll.dll::RtlAllocateHeap 219 | [T:0|L:1] LIBCALL :: @0x4a9418cb call dword ptr [0x4a94128c]=0x76f2f24c kernel32.dll::GetProcessHeap 220 | [T:0|L:1] LIBCALL :: @0x4a9418d2 call dword ptr [0x4a9412a0]=0x7721209d ntdll.dll::RtlAllocateHeap 221 | [T:0|L:1] LIBCALL :: @0x4a941bc6 jmp dword ptr [0x4a941094]=0x76e3edef msvcrt.dll::_setjmp3 222 | [T:0|L:1] LIBCALL :: @0x4a941dd7 call dword ptr [0x4a941008]=0x76e3c02c msvcrt.dll::iswdigit 223 | [T:0|L:1] LIBCALL :: @0x4a942675 call dword ptr [0x4a941008]=0x76e3c02c msvcrt.dll::iswdigit 224 | [T:0|L:1] LIBCALL :: @0x4a941bc6 jmp dword ptr [0x4a941094]=0x76e3edef msvcrt.dll::_setjmp3 225 | [T:0|L:1] LIBCALL :: @0x4a941bc6 jmp dword ptr [0x4a941094]=0x76e3edef msvcrt.dll::_setjmp3 226 | [T:0|L:1] LIBCALL :: @0x4a941d79 call dword ptr [0x4a9410f4]=0x76e3aacb msvcrt.dll::iswspace 227 | [T:0|L:1] LIBCALL :: @0x4a9418a7 call dword ptr [0x4a9410ec]=0x76e3aa61 msvcrt.dll::wcschr 228 | [T:0|L:1] LIBCALL :: @0x4a941dd7 call dword ptr [0x4a941008]=0x76e3c02c msvcrt.dll::iswdigit 229 | [T:0|L:1] LIBCALL :: @0x4a942675 call dword ptr [0x4a941008]=0x76e3c02c msvcrt.dll::iswdigit 230 | [T:0|L:1] LIBCALL :: @0x4a941bc6 jmp dword ptr [0x4a941094]=0x76e3edef msvcrt.dll::_setjmp3 231 | [T:0|L:1] LIBCALL :: @0x4a941bc6 jmp dword ptr [0x4a941094]=0x76e3edef msvcrt.dll::_setjmp3 232 | [T:0|L:1] LIBCALL :: @0x4a941d79 call dword ptr 
[0x4a9410f4]=0x76e3aacb msvcrt.dll::iswspace 233 | [T:0|L:1] LIBCALL :: @0x4a9418a7 call dword ptr [0x4a9410ec]=0x76e3aa61 msvcrt.dll::wcschr 234 | [T:0|L:1] LIBCALL :: @0x4a941dd7 call dword ptr [0x4a941008]=0x76e3c02c msvcrt.dll::iswdigit 235 | [T:0|L:1] LIBCALL :: @0x4a941bc6 jmp dword ptr [0x4a941094]=0x76e3edef msvcrt.dll::_setjmp3 236 | [T:0|L:1] LIBCALL :: @0x4a941bc6 jmp dword ptr [0x4a941094]=0x76e3edef msvcrt.dll::_setjmp3 237 | [T:0|L:1] LIBCALL :: @0x4a941d79 call dword ptr [0x4a9410f4]=0x76e3aacb msvcrt.dll::iswspace 238 | [T:0|L:1] LIBCALL :: @0x4a9418a7 call dword ptr [0x4a9410ec]=0x76e3aa61 msvcrt.dll::wcschr 239 | [T:0|L:1] LIBCALL :: @0x4a941dd7 call dword ptr [0x4a941008]=0x76e3c02c msvcrt.dll::iswdigit 240 | [T:0|L:1] LIBCALL :: @0x4a941bc6 jmp dword ptr [0x4a941094]=0x76e3edef msvcrt.dll::_setjmp3 241 | [T:0|L:1] LIBCALL :: @0x4a941bc6 jmp dword ptr [0x4a941094]=0x76e3edef msvcrt.dll::_setjmp3 242 | [T:0|L:1] LIBCALL :: @0x4a941d79 call dword ptr [0x4a9410f4]=0x76e3aacb msvcrt.dll::iswspace 243 | [T:0|L:1] LIBCALL :: @0x4a9418a7 call dword ptr [0x4a9410ec]=0x76e3aa61 msvcrt.dll::wcschr 244 | [T:0|L:1] LIBCALL :: @0x4a941dd7 call dword ptr [0x4a941008]=0x76e3c02c msvcrt.dll::iswdigit 245 | [T:0|L:1] LIBCALL :: @0x4a941bc6 jmp dword ptr [0x4a941094]=0x76e3edef msvcrt.dll::_setjmp3 246 | [T:0|L:1] LIBCALL :: @0x4a941bc6 jmp dword ptr [0x4a941094]=0x76e3edef msvcrt.dll::_setjmp3 247 | [T:0|L:1] LIBCALL :: @0x4a941d79 call dword ptr [0x4a9410f4]=0x76e3aacb msvcrt.dll::iswspace 248 | [T:0|L:1] LIBCALL :: @0x4a9418a7 call dword ptr [0x4a9410ec]=0x76e3aa61 msvcrt.dll::wcschr 249 | [T:0|L:1] LIBCALL :: @0x4a941dd7 call dword ptr [0x4a941008]=0x76e3c02c msvcrt.dll::iswdigit 250 | [T:0|L:1] LIBCALL :: @0x4a941bc6 jmp dword ptr [0x4a941094]=0x76e3edef msvcrt.dll::_setjmp3 251 | [T:0|L:1] LIBCALL :: @0x4a941bc6 jmp dword ptr [0x4a941094]=0x76e3edef msvcrt.dll::_setjmp3 252 | [T:0|L:1] LIBCALL :: @0x4a941d79 call dword ptr [0x4a9410f4]=0x76e3aacb 
msvcrt.dll::iswspace 253 | [T:0|L:1] LIBCALL :: @0x4a9418a7 call dword ptr [0x4a9410ec]=0x76e3aa61 msvcrt.dll::wcschr 254 | [T:0|L:1] LIBCALL :: @0x4a941dd7 call dword ptr [0x4a941008]=0x76e3c02c msvcrt.dll::iswdigit 255 | [T:0|L:1] LIBCALL :: @0x4a942291 call dword ptr [0x4a94126c]=0x76f3f333 kernel32.dll::GetConsoleTitleW 256 | [T:0|L:1] LIBCALL :: @0x4a9418a7 call dword ptr [0x4a9410ec]=0x76e3aa61 msvcrt.dll::wcschr 257 | [T:0|L:1] LIBCALL :: @0x4a9418a7 call dword ptr [0x4a9410ec]=0x76e3aa61 msvcrt.dll::wcschr 258 | [T:0|L:1] LIBCALL :: @0x4a9418a7 call dword ptr [0x4a9410ec]=0x76e3aa61 msvcrt.dll::wcschr 259 | [T:0|L:1] LIBCALL :: @0x4a9418a7 call dword ptr [0x4a9410ec]=0x76e3aa61 msvcrt.dll::wcschr 260 | [T:0|L:1] LIBCALL :: @0x4a9418a7 call dword ptr [0x4a9410ec]=0x76e3aa61 msvcrt.dll::wcschr 261 | [T:0|L:1] LIBCALL :: @0x4a9418a7 call dword ptr [0x4a9410ec]=0x76e3aa61 msvcrt.dll::wcschr 262 | [T:0|L:1] LIBCALL :: @0x4a9418a7 call dword ptr [0x4a9410ec]=0x76e3aa61 msvcrt.dll::wcschr 263 | [T:0|L:1] LIBCALL :: @0x4a9418a7 call dword ptr [0x4a9410ec]=0x76e3aa61 msvcrt.dll::wcschr 264 | [T:0|L:1] LIBCALL :: @0x4a9418a7 call dword ptr [0x4a9410ec]=0x76e3aa61 msvcrt.dll::wcschr 265 | [T:0|L:1] LIBCALL :: @0x4a9418a7 call dword ptr [0x4a9410ec]=0x76e3aa61 msvcrt.dll::wcschr 266 | [T:0|L:1] LIBCALL :: @0x4a944710 call dword ptr [0x4a94110c]=0x76e3a9e9 msvcrt.dll::_wcsicmp 267 | [T:0|L:1] LIBCALL :: @0x4a944710 call dword ptr [0x4a94110c]=0x76e3a9e9 msvcrt.dll::_wcsicmp 268 | [T:0|L:1] LIBCALL :: @0x4a944710 call dword ptr [0x4a94110c]=0x76e3a9e9 msvcrt.dll::_wcsicmp 269 | [T:0|L:1] LIBCALL :: @0x4a944710 call dword ptr [0x4a94110c]=0x76e3a9e9 msvcrt.dll::_wcsicmp 270 | [T:0|L:1] LIBCALL :: @0x4a944710 call dword ptr [0x4a94110c]=0x76e3a9e9 msvcrt.dll::_wcsicmp 271 | [T:0|L:1] LIBCALL :: @0x4a944710 call dword ptr [0x4a94110c]=0x76e3a9e9 msvcrt.dll::_wcsicmp 272 | [T:0|L:1] LIBCALL :: @0x4a944710 call dword ptr [0x4a94110c]=0x76e3a9e9 msvcrt.dll::_wcsicmp 273 | 
[T:0|L:1] LIBCALL :: @0x4a944710 call dword ptr [0x4a94110c]=0x76e3a9e9 msvcrt.dll::_wcsicmp 274 | [T:0|L:1] LIBCALL :: @0x4a944710 call dword ptr [0x4a94110c]=0x76e3a9e9 msvcrt.dll::_wcsicmp 275 | [T:0|L:1] LIBCALL :: @0x4a944710 call dword ptr [0x4a94110c]=0x76e3a9e9 msvcrt.dll::_wcsicmp 276 | [T:0|L:1] LIBCALL :: @0x4a944710 call dword ptr [0x4a94110c]=0x76e3a9e9 msvcrt.dll::_wcsicmp 277 | [T:0|L:1] LIBCALL :: @0x4a944710 call dword ptr [0x4a94110c]=0x76e3a9e9 msvcrt.dll::_wcsicmp 278 | [T:0|L:1] LIBCALL :: @0x4a9418cb call dword ptr [0x4a94128c]=0x76f2f24c kernel32.dll::GetProcessHeap 279 | [T:0|L:1] LIBCALL :: @0x4a9418d2 call dword ptr [0x4a9412a0]=0x7721209d ntdll.dll::RtlAllocateHeap 280 | [T:0|L:1] LIBCALL :: @0x4a9418cb call dword ptr [0x4a94128c]=0x76f2f24c kernel32.dll::GetProcessHeap 281 | [T:0|L:1] LIBCALL :: @0x4a9418d2 call dword ptr [0x4a9412a0]=0x7721209d ntdll.dll::RtlAllocateHeap 282 | [T:0|L:1] LIBCALL :: @0x4a95bcc3 call dword ptr [0x4a9412c4]=0x76f318aa kernel32.dll::GetStdHandle 283 | [T:0|L:1] LIBCALL :: @0x4a944a3c call dword ptr [0x4a941090]=0x76e3f2b1 msvcrt.dll::_get_osfhandle 284 | [T:0|L:1] LIBCALL :: @0x4a944a4b call dword ptr [0x4a9412c8]=0x76f31c42 kernel32.dll::GetFileType 285 | [T:0|L:1] LIBCALL :: @0x4a944a77 call dword ptr [0x4a9412c4]=0x76f318aa kernel32.dll::GetStdHandle 286 | [T:0|L:1] LIBCALL :: @0x4a944a84 call dword ptr [0x4a941334]=0x76f31854 kernel32.dll::GetConsoleMode 287 | [T:0|L:1] LIBCALL :: @0x4a949efb call dword ptr [0x4a941090]=0x76e3f2b1 msvcrt.dll::_get_osfhandle 288 | [T:0|L:1] LIBCALL :: @0x4a949f09 call dword ptr [0x4a9412c0]=0x76f2cb3a kernel32.dll::GetConsoleScreenBufferInfo 289 | [T:0|L:1] LIBCALL :: @0x4a949fff call edi=0x76f2b65c kernel32.dll::FormatMessageW 290 | [T:0|L:1] LIBCALL :: @0x4a9418a7 call dword ptr [0x4a9410ec]=0x76e3aa61 msvcrt.dll::wcschr 291 | [T:0|L:1] LIBCALL :: @0x4a94a056 call edi=0x76f2b65c kernel32.dll::FormatMessageW 292 | [T:0|L:1] LIBCALL :: @0x4a949f7f call dword ptr 
[0x4a9412b0]=0x76f2afeb kernel32.dll::WriteConsoleW 293 | [T:0|L:1] LIBCALL :: @0x4a943bdd call dword ptr [0x4a941090]=0x76e3f2b1 msvcrt.dll::_get_osfhandle 294 | [T:0|L:1] LIBCALL :: @0x4a943be7 call dword ptr [0x4a9412c8]=0x76f31c42 kernel32.dll::GetFileType 295 | [T:0|L:1] LIBCALL :: @0x4a94465f call dword ptr [0x4a9412c4]=0x76f318aa kernel32.dll::GetStdHandle 296 | [T:0|L:1] LIBCALL :: @0x4a94466c call dword ptr [0x4a941334]=0x76f31854 kernel32.dll::GetConsoleMode 297 | [T:0|L:1] LIBCALL :: @0x4a95bcf2 call dword ptr [0x4a9412d8]=0x76f8d9e9 kernel32.dll::FlushConsoleInputBuffer 298 | [T:0|L:1] LIBCALL :: @0x4a95bcf8 call dword ptr [0x4a941004]=0x76e8f719 msvcrt.dll::_getch 299 | [T:0|L:1] LIBCALL :: @0x4a947329 call dword ptr [0x4a941010]=0x76e3bbce msvcrt.dll::_vsnwprintf 300 | [T:0|L:1] LIBCALL :: @0x4a944a3c call dword ptr [0x4a941090]=0x76e3f2b1 msvcrt.dll::_get_osfhandle 301 | [T:0|L:1] LIBCALL :: @0x4a944a4b call dword ptr [0x4a9412c8]=0x76f31c42 kernel32.dll::GetFileType 302 | [T:0|L:1] LIBCALL :: @0x4a944a77 call dword ptr [0x4a9412c4]=0x76f318aa kernel32.dll::GetStdHandle 303 | [T:0|L:1] LIBCALL :: @0x4a944a84 call dword ptr [0x4a941334]=0x76f31854 kernel32.dll::GetConsoleMode 304 | [T:0|L:1] LIBCALL :: @0x4a94869c call dword ptr [0x4a941090]=0x76e3f2b1 msvcrt.dll::_get_osfhandle 305 | [T:0|L:1] LIBCALL :: @0x4a9486a4 call dword ptr [0x4a9412b0]=0x76f2afeb kernel32.dll::WriteConsoleW 306 | [T:0|L:1] LIBCALL :: @0x4a941600 call esi=0x76e3f2b1 msvcrt.dll::_get_osfhandle 307 | [T:0|L:1] LIBCALL :: @0x4a94160a call edi=0x76f32ed3 kernel32.dll::SetConsoleMode 308 | [T:0|L:1] LIBCALL :: @0x4a941613 call esi=0x76e3f2b1 msvcrt.dll::_get_osfhandle 309 | [T:0|L:1] LIBCALL :: @0x4a94161d call ebx=0x76f31854 kernel32.dll::GetConsoleMode 310 | [T:0|L:1] LIBCALL :: @0x4a94163a call esi=0x76e3f2b1 msvcrt.dll::_get_osfhandle 311 | [T:0|L:1] LIBCALL :: @0x4a94163e call ebx=0x76f31854 kernel32.dll::GetConsoleMode 312 | [T:0|L:1] LIBCALL :: @0x4a94166d call 
eax=0x76f33004 kernel32.dll::SetConsoleInputExeNameW 313 | [T:0|L:1] LIBCALL :: @0x4a945008 call dword ptr [0x4a9412e0]=0x76f32e84 kernel32.dll::GetConsoleOutputCP 314 | [T:0|L:1] LIBCALL :: @0x4a945019 call esi=0x76f32974 kernel32.dll::GetCPInfo 315 | [T:0|L:1] LIBCALL :: @0x4a941687 call dword ptr [0x4a9640cc]=0x76f32e18 kernel32.dll::SetThreadUILanguage 316 | [T:0|L:1] LIBCALL :: @0x4a943b7c call dword ptr [0x4a941000]=0x76e436aa msvcrt.dll::exit 317 | [T:0|L:1] THREADMGMT :: thread with id 0 stopped; new #threads is 1 318 | DLLMGMT :: remove at [0x75390000..0x753d9fff] C:\Windows\system32\KERNELBASE.dll 319 | DLLMGMT :: remove at [0x76ee0000..0x76fb3fff] C:\Windows\system32\kernel32.dll 320 | DLLMGMT :: remove at [0x771c0000..0x772fbfff] C:\Windows\SYSTEM32\ntdll.dll 321 | DLLMGMT :: remove at [0x76e30000..0x76edbfff] C:\Windows\system32\msvcrt.dll 322 | DLLMGMT :: remove at [0x72540000..0x72546fff] C:\Windows\system32\WINBRAND.dll 323 | DLLMGMT :: remove at [0x756a0000..0x75768fff] C:\Windows\system32\USER32.dll 324 | DLLMGMT :: remove at [0x75940000..0x7598dfff] C:\Windows\system32\GDI32.dll 325 | DLLMGMT :: remove at [0x77310000..0x77319fff] C:\Windows\system32\LPK.dll 326 | DLLMGMT :: remove at [0x75770000..0x7580cfff] C:\Windows\system32\USP10.dll 327 | DLLMGMT :: remove at [0x77330000..0x7734efff] C:\Windows\system32\IMM32.DLL 328 | DLLMGMT :: remove at [0x75db0000..0x75e7bfff] C:\Windows\system32\MSCTF.dll 329 | =============================================== 330 | Current level = 1 331 | Execution time = 11466 ms 332 | =============================================== 333 | -------------------------------------------------------------------------------- /out/README.txt: -------------------------------------------------------------------------------- 1 | The folders contain example output of PACKMAN retrieved from real packed binaries. 
2 | -------------------------------------------------------------------------------- /report/report.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/egoktas/PACKMAN/f3f06109a4430603c8e57210bd430211d852ef39/report/report.pdf -------------------------------------------------------------------------------- /src/Nmakefile: -------------------------------------------------------------------------------- 1 | # PREDEFINED: 2 | # - TOOL_NAME 3 | # - EXE_FILE 4 | # - EXE_FILE_NAME_NO_EXT 5 | # - TIMESTAMP 6 | # - WF_ROOT 7 | # - PIN_ROOT 8 | 9 | SRC_DIR = $(WF_ROOT)\src 10 | LOG_DIR = $(WF_ROOT)\out 11 | 12 | PIN_EXE = $(PIN_ROOT)\pin.exe 13 | PIN_TOOLS_DIR = $(PIN_ROOT)\source\tools 14 | 15 | EXE_LOG_PATH = $(LOG_DIR)\$(TIMESTAMP)_$(EXE_FILE_NAME_NO_EXT) 16 | TOOL_LOG_FILE = $(EXE_LOG_PATH)\tool_procID_0.log 17 | PIN_LOG_FILE = $(EXE_LOG_PATH)\pin_procID_0.log 18 | 19 | TOOL_CPP = $(SRC_DIR)\$(TOOL_NAME).cpp 20 | TOOL_O = $(SRC_DIR)\$(TOOL_NAME).o 21 | TOOL_DLL = $(SRC_DIR)\$(TOOL_NAME).dll 22 | 23 | PIN_OPTIONS = -follow_execv -smc_strict -logfile $(PIN_LOG_FILE) 24 | PIN_TOOL = -t $(TOOL_DLL) 25 | TOOL_OPTIONS = -logfile $(TOOL_LOG_FILE) -ts $(TIMESTAMP) -pin_path_32 $(PIN_EXE) -process_id 0 -exe_log_path $(EXE_LOG_PATH) -tool_dll_file $(TOOL_DLL) -tool_name $(TOOL_NAME) 26 | 27 | $(TOOL_NAME) : $(EXE_FILE) $(TOOL_DLL) $(EXE_LOG_PATH) 28 | $(PIN_EXE) $(PIN_OPTIONS) $(PIN_TOOL) $(TOOL_OPTIONS) -- $(EXE_FILE) 29 | 30 | $(TOOL_DLL) : $(TOOL_O) 31 | link /debug /DLL /EXPORT:main /NODEFAULTLIB /NOLOGO /INCREMENTAL:NO /OPT:REF /MACHINE:x86 \ 32 | /ENTRY:Ptrace_DllMainCRTStartup@12 /BASE:0x55000000 \ 33 | /LIBPATH:$(PIN_ROOT)\ia32\lib \ 34 | /LIBPATH:$(PIN_ROOT)\ia32\lib-ext \ 35 | /LIBPATH:$(PIN_ROOT)\extras\xed2-ia32\lib \ 36 | /IMPLIB:$(TOOL_O:.o=.lib) \ 37 | /PDB:$(TOOL_O:.o=.pdb) \ 38 | /OUT:$(TOOL_DLL) $(TOOL_O) \ 39 | pin.lib libxed.lib libcpmt.lib libcmt.lib pinvm.lib kernel32.lib ntdll-32.lib 40 | 
41 | $(TOOL_O) : $(TOOL_CPP) $(SRC_DIR) 42 | cl /c /MT /EHs- /EHa- /wd4530 /Z7 \ 43 | /DTARGET_WINDOWS /DBIGARRAY_MULTIPLIER=1 /DUSING_XED /D_CRT_SECURE_NO_DEPRECATE /D_SECURE_SCL=0 \ 44 | /nologo /Gy /O2 /DTARGET_IA32 /DHOST_IA32 \ 45 | /I$(PIN_ROOT)\source\include\pin \ 46 | /I$(PIN_ROOT)\source\include\pin\gen \ 47 | /I$(PIN_ROOT)\source\tools\InstLib \ 48 | /I$(PIN_ROOT)\extras\xed2-ia32\include \ 49 | /I$(PIN_ROOT)\extras\components\include \ 50 | /Fo$(TOOL_O) $(TOOL_CPP) 51 | 52 | $(EXE_LOG_PATH) : $(LOG_DIR) 53 | md $(EXE_LOG_PATH) 54 | 55 | clean : 56 | del $(SRC_DIR)\$(TOOL_NAME).dll $(SRC_DIR)\$(TOOL_NAME).exp $(SRC_DIR)\$(TOOL_NAME).lib $(SRC_DIR)\$(TOOL_NAME).o $(SRC_DIR)\$(TOOL_NAME).pdb 57 | 58 | -------------------------------------------------------------------------------- /src/packman.bat: -------------------------------------------------------------------------------- 1 | echo off 2 | @SETLOCAL 3 | cls 4 | echo. 5 | 6 | REM ##################### 7 | REM set global variables: 8 | REM ##################### 9 | set TOOL_NAME=packman 10 | set WF_ROOT=C:\Users\pmat\Desktop\packman 11 | set PIN_ROOT=C:\Users\pmat\Desktop\pin 12 | 13 | REM set TIMESTAMP 14 | For /f "tokens=2-4 delims=/ " %%a in ('date /t') do (set mydate=%%c-%%a-%%b) 15 | For /f "tokens=1-2 delims=/:" %%a in ("%TIME%") do (set HOURS=%%a& set MINS=%%b) 16 | if %HOURS% == 0 (set HOURS=00) 17 | if %HOURS% == 1 (set HOURS=01) 18 | if %HOURS% == 2 (set HOURS=02) 19 | if %HOURS% == 3 (set HOURS=03) 20 | if %HOURS% == 4 (set HOURS=04) 21 | if %HOURS% == 5 (set HOURS=05) 22 | if %HOURS% == 6 (set HOURS=06) 23 | if %HOURS% == 7 (set HOURS=07) 24 | if %HOURS% == 8 (set HOURS=08) 25 | if %HOURS% == 9 (set HOURS=09) 26 | set mytime=%HOURS%-%MINS% 27 | set TIMESTAMP=%mydate%_%mytime% 28 | 29 | REM check first argument 30 | if "%~1"=="clean" GOTO CLEAN 31 | if "%~1"=="compile" GOTO COMPILE 32 | if "%~1"=="analyze" GOTO ANALYZE 33 | if "%~1"=="" GOTO EMPTY 34 | 35 | :COMPILE 36 | echo ^>^> Compiling 
PACKMAN! ^<^< 37 | nmake.exe /NOLOGO /f Nmakefile %TOOL_NAME% 38 | GOTO DONE 39 | 40 | :ANALYZE 41 | if "%~2"=="" GOTO EMPTY 42 | echo ^>^> Analyzing %2 ^<^< 43 | 44 | set EXE_FILE=%2 45 | For %%A in ("%EXE_FILE%") do ( 46 | REM %%~nxA = filename WITH extention 47 | REM %%~nA = filename withOUT extention 48 | Set EXE_FILE_NAME_NO_EXT=%%~nA 49 | ) 50 | 51 | nmake.exe /NOLOGO /f Nmakefile 52 | GOTO DONE 53 | 54 | :CLEAN 55 | echo ^>^> Cleaning! ^<^< 56 | nmake.exe /NOLOGO /f Nmakefile clean 57 | GOTO DONE 58 | 59 | :EMPTY 60 | echo ^> Missing parameters! 61 | echo ^> - Analyze an executable: packman analyze ^ 62 | echo ^> - Compile PACKMAN: packman compile 63 | echo ^> - Clean compilation files: packman clean 64 | GOTO DONE 65 | 66 | :DONE 67 | echo. 68 | echo ^>^> Done! ^<^< 69 | -------------------------------------------------------------------------------- /src/packman.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | * Author: Enes Goktas 3 | * Last edited: 24 April 2014 4 | * License: PACKMAN is licensed under the MIT License. 
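/*
 * See LICENSE.txt
 */

#include <iostream>   // I/O STREAM
#include <iomanip>    // I/O MANIPulation
#include <fstream>    // File STREAM
#include <sstream>    // String STREAM
#include <algorithm>  // transform() string
#include <cctype>     // tolower
#include <cstring>    // memset
#include <cstdlib>    // exit
#include "pin.H"      // PIN
#include <stdio.h>    // sprintf
#include <time.h>     // clock_t, clock, CLOCKS_PER_SEC
#include <math.h>     // sqrt

// windows.h is pulled in under its own namespace, presumably to keep its
// declarations apart from the ones pin.H brings in — confirm if this is
// ever changed.
namespace WINDOWS{
#include <windows.h>
}

using namespace std;

typedef unsigned int uint;
typedef unsigned short ushort;

// tolower() takes an int in the range of unsigned char (or EOF); a plain
// `char` is signed on MSVC, so any byte >= 0x80 used to reach tolower as
// a negative value, which is undefined behaviour (the MSVC CRT asserts on
// it in debug builds). Names read out of an analysed binary can contain
// such bytes, so widen through unsigned char first.
static int lowerByte(int c){
    return ::tolower((unsigned char) c);
}

// Returns a lower-cased copy of `str`; the argument is left untouched.
string strToLower(string str){
    string copy(str);
    std::transform(copy.begin(), copy.end(), copy.begin(), lowerByte);
    return copy;
}


/* ================================================================== */
/* ================================================================== */
/* ========================= LOG TYPES ============================== */
/* ================================================================== */
/* ================================================================== */

// Tags written at the start of each log line (see getLogType()).
#define LT_MAX_LENGTH 12
#define LT_EXEMEMORY "EXEMEMORY"
#define LT_DLLMGMT "DLLMGMT"
#define LT_THREADMGMT "THREADMGMT"
#define LT_LIBCALL "LIBCALL"
#define LT_CALLDETAILS "CALLDETAILS"
#define LT_NEWLEVEL "*NEWLEVEL*"
#define LT_ERROR "!! ERROR !!"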
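#define LT_CHILDPROC "CHILDPROC"
#define LT_DIRECTCALL "DIRECTCALL"

// Formats a log tag as a fixed-width (LT_MAX_LENGTH, left aligned) column
// followed by ":: ", e.g. "LIBCALL     :: ".
string getLogType(string log_type)
{
    stringstream res;
    res << left << setw(LT_MAX_LENGTH) << log_type << ":: ";
    return res.str();
}

/* ================================================================== */
/* ================================================================== */
/* ========================= LOG TYPES ============================== */
/* ================================================================== */
/* ================================================================== */


/* ================================================================== */
/* ================================================================== */
/* ==================== PROCEDURE REFERRERS ========================= */
/* ================================================================== */
/* ================================================================== */

// Where the address of a called library procedure came from.
enum REF_SOURCE {
    //RS_NULL,
    RS_REGISTER,               // procedure address was in a register (ref is 0)
    RS_CURRENT_MEMORY_REGION,
    RS_UNKNOWN_MEMORY_REGION
};

// One observed "executable -> library procedure" reference.
typedef struct ProcRef {
    uint proc;              // address of the library procedure/function
    uint ref;               // address in the main executable that contains the PROCedure address
    REF_SOURCE ref_source;
    ProcRef * next;
} ProcRef;

// Allocates an unlinked ProcRef; the caller owns the node.
ProcRef * new_ProcRef(uint proc, uint ref, REF_SOURCE ref_source){
    ProcRef * res = new ProcRef;
    res->proc = proc;
    res->ref = ref;
    res->ref_source = ref_source;
    res->next = NULL;
    return res;
}

// Copies the three payload fields of `pr` into a fresh, unlinked node.
// Returns NULL for a NULL source instead of dereferencing it.
ProcRef * new_ProcRef(ProcRef * pr){
    if(pr == NULL) return NULL;
    return new_ProcRef(pr->proc, pr->ref, pr->ref_source);
}

// Two references are the same entry when all three payload fields match.
bool isPREqual(ProcRef * lhs, ProcRef * rhs){
    return lhs->proc == rhs->proc && lhs->ref == rhs->ref && lhs->ref_source == rhs->ref_source;
}

bool has_ProcRef(ProcRef ** head, ProcRef * pr);

// Inserts a COPY of `_pr_` into the list at *head, which is kept sorted on
// `ref`. Exact duplicates are not inserted.
//
// The original only compared the new entry with its two sort neighbours;
// REGISTER referrers all carry ref==0 and therefore cluster at the head,
// so a duplicate further along that cluster slipped through. The whole
// list is scanned now (insertion is already O(n)), so callers no longer
// need to call has_ProcRef() first.
//
// Returns:
//   - the node the copy was linked after (the new head when it became
//     the head),
//   - *head when an equal entry already existed,
//   - NULL when head or _pr_ is NULL.
ProcRef * insert_ProcRef(ProcRef ** head, ProcRef * _pr_){
    if(head == NULL || _pr_ == NULL) return NULL;

    if(has_ProcRef(head, _pr_)) return *head;

    ProcRef * pr = new_ProcRef(_pr_);

    if(*head == NULL) {
        *head = pr;
        return *head;
    }

    // find the node that should precede pr
    ProcRef * curr = *head;
    while(curr->next != NULL && curr->next->ref < pr->ref){
        curr = curr->next;
    }

    if(curr == *head && pr->ref < curr->ref){
        // curr still equal to head AND
        // pr should be inserted before head
        pr->next = curr;
        curr = *head = pr;
    }else{
        // insert pr after curr
        pr->next = curr->next;
        curr->next = pr;
    }

    return curr;
}

// Inserts a copy of every node of `src` into the list at *dst.
void insert_ProcRef_list(ProcRef ** dst, ProcRef * src){
    if(dst == NULL) return;

    for(; src != NULL; src = src->next){
        insert_ProcRef(dst, src);
    }
}

// True when an entry equal (isPREqual) to `pr` is present in the list.
bool has_ProcRef(ProcRef ** head, ProcRef * pr){
    if(head == NULL || *head == NULL || pr == NULL)
        return false;

    for(ProcRef * curr = *head; curr != NULL; curr = curr->next){
        if(isPREqual(curr, pr)) return true;
    }

    return false;
}

/* ================================================================== */
/* ================================================================== */
/* ==================== PROCEDURE REFERRERS ========================= */
/* ================================================================== */
/* ================================================================== */


/* ================================================================== */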
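/* ================================================================== */
/* ================================================================== */
/* =================== Handling of Memory Blocks ==================== */
/* ================================================================== */
/* ================================================================== */

#define MAX_LINE_LENGTH 160

// Closed address range [begin, end]. Lists of MemBlocks built through
// insert_MemBlock() are sorted on `begin` and merged, so no two nodes
// overlap or touch.
typedef struct MemBlock {
    uint begin;             // Begin address (inclusive)
    uint end;               // End address (inclusive)
    MemBlock * next;        // Pointer to the next Memory Block
} MemBlock;

// One unpacking level of the analysed executable.
typedef struct Level {
    uint id;                // Level number
    uint oep;               // Level's OEP
    MemBlock * write_list;  // Written addresses
    ProcRef * procref_list; // Current level's library calls
    Level * next;           // Pointer to the next level
} Level;

// Allocates a Level with every field initialised. `oep` was previously
// left indeterminate by `new Level`, so a read before the level's OEP was
// recorded returned garbage; it now starts at 0.
Level * new_Level(uint id){
    Level * res = new Level;
    res->id = id;
    res->oep = 0;
    res->write_list = NULL;
    res->procref_list = NULL;
    res->next = NULL;
    return res;
}

// Allocates an unlinked block; the caller owns it.
MemBlock * new_MemBlock(uint begin, uint end){
    MemBlock * res = new MemBlock;
    res->begin = begin;
    res->end = end;
    res->next = NULL;
    return res;
}

// Copies the range of `block` into a fresh, unlinked node.
MemBlock * new_MemBlock(MemBlock * block){
    return new_MemBlock(block->begin, block->end);
}

// "0x" + zero-padded hex of `value`, padded to 2*sizeof(T) digits.
template< typename T >
string int_to_hex(T value){
    stringstream stream;

    stream << "0x" << setw(sizeof(T)*2) << setfill('0') << hex << value;

    return stream.str();
}

// Frees every node of a list whose nodes are owned by the list (lists
// produced by insert_MemBlock()/getGaps() consist of fresh copies).
static void free_MemBlock_list(MemBlock * head){
    while(head != NULL){
        MemBlock * next = head->next;
        delete head;
        head = next;
    }
}

// Builds the complement of a sorted, merged list: the ranges in between
// the blocks. Gaps smaller than or equal to `max_interval` bytes are
// skipped. The first gap always starts at 0 and the last one is written as
// (last->end + 1, 0) — the 0 looks like an open-ended sentinel for the
// consumer, confirm against its users. The returned list is freshly
// allocated and owned by the caller.
MemBlock * getGaps(MemBlock * block, uint max_interval){
    if(block == NULL) return NULL;

    // head
    MemBlock * result = new_MemBlock(0, block->begin - 1);
    MemBlock * curr = result;

    // middle
    while(block->next != NULL){
        uint interval = block->next->begin - block->end - 1;

        if(interval > max_interval){
            // add block
            curr->next = new_MemBlock(block->end + 1 , block->next->begin - 1);
            curr = curr->next;
        }

        block = block->next;
    }

    //tail
    curr->next = new_MemBlock(block->end + 1, 0);

    return result;
}

MemBlock * insert_MemBlock(MemBlock ** head, MemBlock * block);

// Inserts a copy of every node of `src` into the list at *dst.
void insert_MemBlock_list(MemBlock ** dst, MemBlock * src){
    if(dst == NULL) return;

    for(; src != NULL; src = src->next){
        insert_MemBlock(dst, src);
    }
}

// Gaps between all written addresses of all levels starting at `level`.
// The write lists are first merged into one temporary sorted list, which
// is now released again: getGaps(MemBlock*) copies what it needs, and the
// original leaked that temporary on every call.
MemBlock * getGaps(Level * level, uint max_interval){
    MemBlock * merged = NULL;

    for(; level != NULL; level = level->next){
        insert_MemBlock_list(&merged, level->write_list);
    }

    MemBlock * gaps = getGaps(merged, max_interval);
    free_MemBlock_list(merged);
    return gaps;
}

// Merges rhs into lhs when they overlap or are adjacent. Assumes rhs
// directly follows lhs in a list sorted on `begin`.
// returns:
//  - lhs if rhs was absorbed (rhs is deleted)
//  - rhs if there was nothing to merge
//  - NULL if lhs or rhs is NULL
MemBlock * merge(MemBlock * lhs, MemBlock * rhs){
    if(lhs == NULL || rhs == NULL) {
        // lhs == NULL : FAIL => return NULL;
        // rhs == NULL : NO merge => return rhs(NULL);
        return NULL;
    }

    if(rhs->end <= lhs->end){
        // rhs is contained in lhs
        lhs->next = rhs->next;
        delete rhs;
    }else if(rhs->begin <= lhs->end +1){
        // rhs is partly in lhs (or directly adjacent)
        // do a merge
        lhs->end = rhs->end;
        lhs->next = rhs->next;
        delete rhs;
    }else{
        return rhs;
    }

    return lhs;
}

// Inserts a copy of `_block_` into the sorted list at *head and merges it
// with its neighbours. Returns the node that precedes the insertion point
// (the new head when the copy became the head), or NULL on bad arguments.
// The returned node is never one that merge() deleted: merge() only ever
// deletes its second argument.
MemBlock * insert_MemBlock(MemBlock ** head, MemBlock * _block_){
    if(head == NULL || _block_ == NULL) return NULL;

    MemBlock * block = new_MemBlock(_block_);

    if(*head == NULL) {
        *head = block;
        return *head;
    }

    // find the node that should precede block;
    MemBlock * curr = *head;
    while(curr->next != NULL && curr->next->begin < block->begin){
        // next node's begin address is smaller than block's addr
        curr = curr->next;
    }

    if(curr == *head && block->begin < curr->begin){
        // curr still equal to head AND
        // block should be inserted before head
        block->next = curr;
        curr = *head = block;
    }else{
        // insert block after curr
        block->next = curr->next;
        curr->next = block;
    }

    // Merge forward from curr: while merge() keeps returning curr (or the
    // inserted node at curr->next) the new range still touches what follows.
    MemBlock *res = curr;
    while(res != NULL && (res == curr || res == curr->next)){
        // continue while res points to curr or to curr->next
        // but stop when res reaches the end, which is NULL
        res = merge(res, res->next);
    }

    return curr;
}

// True when both ranges have identical bounds.
bool isSameRegion(MemBlock * a, MemBlock * b){
    if(a == NULL || b == NULL) return false;

    return a->begin == b->begin && a->end == b->end;
}

// Removes the range `block` from the list at *head. The range is first
// inserted (and merged), so that it is guaranteed to sit inside exactly
// one node; that node is then dropped, trimmed, or split around the range.
// NOTE: exit(1) here terminates the whole instrumented process.
void delete_MemBlock(MemBlock ** head, MemBlock * block){
    if(head == NULL || *head == NULL || block == NULL) return;

    MemBlock * curr = insert_MemBlock(head, block);
    if(curr == NULL) return;

    if(isSameRegion(curr,block)){
        // this can only be the head since begins are equal
        // advance head to delete first
        if(*head != curr) {
            LOG(getLogType(LT_ERROR)+"ERROR IN delete_MemBlock(..)\n");
            exit(1);
        }

        *head = curr->next;
        delete curr;
        return;
    }else if(curr->next != NULL && isSameRegion(curr->next, block)){
        // delete next complete region
        MemBlock * temp = curr->next;
        curr->next = curr->next->next;
        delete temp;
        return;
    }

    // decide which block contains the added block
    MemBlock * containsblock = NULL;
    if(block->end <= curr->end){
        containsblock = curr;
    }else{
        containsblock = curr->next;
    }

    // Should not happen after the insert above; guard the dereference
    // anyway instead of crashing the analysis on a corrupted list.
    if(containsblock == NULL){
        LOG(getLogType(LT_ERROR)+"ERROR IN delete_MemBlock(..): no region contains the block\n");
        return;
    }

    if(block->end == containsblock->end){
        // remove at the end of containsblock
        containsblock->end = block->begin - 1;
    }else if(block->begin == containsblock->begin){
        // remove at the beginning of containsblock
        containsblock->begin = block->end + 1;
    }else{
        // remove at the middle of containsblock => SPLIT
        MemBlock * splittedblock = new MemBlock;
        splittedblock->begin = block->end + 1;
        splittedblock->end = containsblock->end;
        splittedblock->next = containsblock->next;

        containsblock->end = block->begin - 1;
        containsblock->next = splittedblock;
    }
}

// True when `block` OVERLAPS (not: is contained in) the node that would
// precede it in the sorted list, or that node's successor. A range that
// is only partly covered still returns true, so this is not a
// "safe to dereference the whole range" test.
bool has_MemBlock(MemBlock ** head, MemBlock * block){
    if(head == NULL || *head == NULL || block == NULL)
        return false;

    // find the node that should precede block;
    MemBlock * curr = *head;
    while(curr->next != NULL && curr->next->begin < block->begin){
        // next node's begin address is smaller than block's addr
        curr = curr->next;
    }

    if(block->begin <= curr->end && block->end >= curr->begin){
        return true;
    }else if(curr->next != NULL && block->end >= curr->next->begin && block->begin <= curr->next->end){
        return true;
    }

    return false;
}

/* ================================================================== */
/* ================================================================== */
/* =================== Handling of Memory Blocks ==================== */
/* ================================================================== */
/* ================================================================== */



/* ================================================================== */
// Global variables
/* ================================================================== */

#define INTERBLOCK_INTERVAL 0x200
#define INITIAL_LEVEL_ID 1
#define THRESHOLD_WRITTEN_INSTR_EXECUTION 5
Level * levels;             // All Levels
Level * cl;                 // Current Level

IMG img_glb;
MemBlock * loaded_modules;
MemBlock * user_memory;     // memory allocated by the malware (as observed by the hooked allocation calls)
uint user_memory_alloc_size_temp = 0;
UINT32 img_base = 0;
UINT32 img_end = 0;

UINT32 threadCount = 0;
UINT32 userThreadCount = 0; // nr of Threads created with LIBCALL: CreateThread

bool log_disabled = false;
RTN last_bbl_rtn;
UINT32 last_bbl_addr = 0;

UINT32 latest_branch_src = 0;
UINT32 latest_branch_dest = 0;
UINT32 latest_branch_count = 1;

bool isBranchToCreateProcessA = false;
bool isBranchToWriteProcessMemory = false;
bool isBranchToCreateThread = false;

// NOTE(review): the globals above are plain, unsynchronised variables
// while the tool tracks several threads (threadCount, thread_data_t);
// whether Pin serialises the callbacks that write them is not visible
// here — confirm before relying on them from multiple threads.

/* ===================================================================== */
// Multi Threading
/* ===================================================================== */
// Force each thread's data to be in its own data cache line so that
// multiple threads do not contend for the same data cache line.
// This avoids the false sharing problem.
// NOTE(review): thread_data_t holds five 4-byte fields (on x86), so
// PADSIZE-4 bytes of padding give 68 bytes, not one 64-byte line —
// confirm the intended size.
#define PADSIZE 52 // 64 byte line size: 64-4-4-4

// key for accessing TLS storage in the threads.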
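// (tls_key is initialized once in main())
static TLS_KEY tls_key;

//
// Detailed info about specific library calls
//
enum CALLED_PROC {
    /*
     * to add a new proc:
     * - add a CALLED_PROC enum entry
     * - add a row to CALLED_PROC_NAMES (used by getProcName and getCalledProc)
     * - add the instrumentation code in the imgLoad function
     * - add the Before and After functions
     */
    NO_CALLED_PROC,
    CREATE_PROCESS_A,
    CREATE_THREAD,
    WRITE_PROCESS_MEMORY,
    VIRTUAL_ALLOC_EX,
    VIRTUAL_ALLOC,
    VIRTUAL_FREE,
    NT_ALLOCATE_VIRTUAL_MEMORY,
    ZW_ALLOCATE_VIRTUAL_MEMORY,
    OPEN_SC_MANAGER_A, //OpenSCManagerA
    OPEN_SERVICE_A //OpenServiceA
};

// Per-thread analysis state, stored through Pin's TLS (see get_tls()).
class thread_data_t
{
public:
    // calledProc used to be left uninitialised, so isCalledProc() /
    // getCurrentProcName() read an indeterminate value on a thread that
    // had not yet passed through setCalledProc().
    thread_data_t() :
        written_instr_execution_count(0),
        temp_long_jump(0),
        temp_level_oep(NULL),
        addr_latest_exec_instr(0),
        calledProc(NO_CALLED_PROC) {}
    UINT32 written_instr_execution_count;
    UINT32 temp_long_jump;
    MemBlock * temp_level_oep;
    UINT32 addr_latest_exec_instr;
    CALLED_PROC calledProc;                      // library call this thread is currently inside
    UINT8 _pad[PADSIZE-sizeof(enum CALLED_PROC)]; // cache-line padding, see PADSIZE
};

// function to access thread-specific data
// NOTE(review): the result is not NULL-checked by any caller below; Pin
// returns NULL for a thread id with no data attached — confirm every
// thread is registered before these helpers run.
thread_data_t* get_tls(THREADID threadid){
    thread_data_t* tdata = static_cast<thread_data_t*>(PIN_GetThreadData(tls_key, threadid));
    return tdata;
}

// Single table for the CALLED_PROC <-> export-name mapping, so the two
// lookups below cannot drift apart.
struct CalledProcName {
    CALLED_PROC proc;
    const char * name;
};

static const CalledProcName CALLED_PROC_NAMES[] = {
    { NO_CALLED_PROC,             "NO_CALLED_PROC" },
    { CREATE_PROCESS_A,           "CreateProcessA" },
    { CREATE_THREAD,              "CreateThread" },
    { WRITE_PROCESS_MEMORY,       "WriteProcessMemory" },
    { VIRTUAL_ALLOC_EX,           "VirtualAllocEx" },
    { VIRTUAL_ALLOC,              "VirtualAlloc" },
    { VIRTUAL_FREE,               "VirtualFree" },
    { NT_ALLOCATE_VIRTUAL_MEMORY, "NtAllocateVirtualMemory" },
    { ZW_ALLOCATE_VIRTUAL_MEMORY, "ZwAllocateVirtualMemory" },
    { OPEN_SC_MANAGER_A,          "OpenSCManagerA" },
    { OPEN_SERVICE_A,             "OpenServiceA" }
};

static const size_t CALLED_PROC_NAMES_COUNT = sizeof(CALLED_PROC_NAMES) / sizeof(CALLED_PROC_NAMES[0]);

// Export name for `cp`; logs an error and returns "" for an unknown value.
string getProcName(CALLED_PROC cp){
    for(size_t i = 0; i < CALLED_PROC_NAMES_COUNT; i++){
        if(CALLED_PROC_NAMES[i].proc == cp) return CALLED_PROC_NAMES[i].name;
    }
    LOG(getLogType(LT_ERROR)+"## error:getProcName ## should not get here ##\n");
    return "";
}

// CALLED_PROC for an export name (exact, case-sensitive match);
// NO_CALLED_PROC for anything not in the table.
CALLED_PROC getCalledProc(string procName){
    for(size_t i = 0; i < CALLED_PROC_NAMES_COUNT; i++){
        if(procName == CALLED_PROC_NAMES[i].name) return CALLED_PROC_NAMES[i].proc;
    }
    return NO_CALLED_PROC;
}

// Records which tracked library call the current thread is entering.
void setCalledProc(string proc){
    THREADID tid = PIN_ThreadId();
    get_tls(tid)->calledProc = getCalledProc(proc);
}

// True when the current thread is inside the tracked call `cp`.
bool isCalledProc(CALLED_PROC cp){
    THREADID tid = PIN_ThreadId();
    return get_tls(tid)->calledProc == cp;
}

// Marks the current thread as being in no tracked library call.
void clearCalledProc(){
    THREADID tid = PIN_ThreadId();
    get_tls(tid)->calledProc = NO_CALLED_PROC;
}

// Name of the tracked call the current thread is inside ("NO_CALLED_PROC"
// when none).
string getCurrentProcName(){
    THREADID tid = PIN_ThreadId();
    return getProcName(get_tls(tid)->calledProc);
}

/* ===================================================================== */
// Command line switches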
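/* ===================================================================== */
// The knobs are passed by src/Nmakefile (TOOL_OPTIONS); the descriptions
// used to be copy-pasted from Pin's MyPinTool sample and described none
// of them.
KNOB<string> KnobPinPath32(KNOB_MODE_WRITEONCE, "pintool",
    "pin_path_32", ".", "path of the 32-bit pin.exe");

KNOB<string> KnobProcessID(KNOB_MODE_WRITEONCE, "pintool",
    "process_id", ".", "process id used in the output file names (the Nmakefile passes 0 for the initial process)");

KNOB<string> KnobToolDllFile(KNOB_MODE_WRITEONCE, "pintool",
    "tool_dll_file", ".", "path of this tool's DLL");

KNOB<string> KnobExeLogPath(KNOB_MODE_WRITEONCE, "pintool",
    "exe_log_path", ".", "directory that receives the tool's output");

KNOB<string> KnobToolName(KNOB_MODE_WRITEONCE, "pintool",
    "tool_name", ".", "name of the tool");

KNOB<string> KnobTimeStamp(KNOB_MODE_WRITEONCE, "pintool",
    "ts", "9999-99-99_99-99", "timestamp used in the output names");
/* ===================================================================== */
// Utilities
/* ===================================================================== */

// Prints the tool description and the knob summary to stderr; returns -1
// for main() to hand back to Pin.
INT32 Usage()
{
    cerr << "PACKMAN: runs a (packed) executable under Pin and logs its library calls," << endl <<
        "memory writes and unpacking levels." << endl << endl;

    cerr << KNOB_BASE::StringKnobSummary() << endl;

    return -1;
}

// True when the 20-byte import directory entry at `directory` is the
// all-zero terminator of the import table. The caller must guarantee
// that all 20 bytes are readable.
// The original tested forwarder_chain twice and never looked at name_rva.
bool isAtLastDirectory(const char * directory){
    uint name_table_rva = *(uint *) directory;
    directory += 0x04;
    uint timestamp = *(uint *) directory;
    directory += 0x04;
    uint forwarder_chain = *(uint *) directory;
    directory += 0x04;
    uint name_rva = *(uint *) directory;
    directory += 0x04;
    uint address_table_rva = *(uint *) directory;
    return name_table_rva==0 && timestamp==0
        && forwarder_chain==0 && name_rva==0
        && address_table_rva==0;
}

// True when the 4-byte thunk at `import_addr` is the terminating 0.
bool isAtLastAddress(const char * import_addr){
    return *(uint *)import_addr == 0;
}

/* ===================================================================== */
// Analysis routines
/* ===================================================================== */
VOID Fini(INT32 code, VOID *v);

enum RET_VAL { ACCESS_VIOLATION, NOT_OK, OK };
// ACCESS_VIOLATION -> the address being tested is not in the memory regions allocated by the malware
// NOT_OK           -> the address is tracked, but no valid "MZ"/"PE" header starts there
// OK               -> an "MZ" header whose e_lfanew points at a "PE" signature starts there

// True when [begin, end] lies entirely inside ONE node of user_memory.
// has_MemBlock() only tests for overlap, which is not enough before the
// bytes are dereferenced: a partially covered range would still fault.
// user_memory only knows about allocations the tool observed, so this is
// conservative (a readable but untracked range is rejected).
static bool isRangeInUserMemory(uint begin, uint end){
    if(end < begin) return false; // wrapped around
    for(MemBlock * curr = user_memory; curr != NULL; curr = curr->next){
        if(begin >= curr->begin && end <= curr->end) return true;
    }
    return false;
}

// Tests whether a PE image starts at base address b_a.
//
// Every byte that is read here lives in memory the analysed sample wrote,
// so e_lfanew (the dword at b_a+0x3C) is attacker-controlled: the
// original followed it blindly, which let a crafted value make the tool
// fault while scanning for a dump base. The DOS-header bytes and the PE
// signature are now required to lie inside tracked memory; anything else
// is reported as NOT_OK so the caller keeps scanning.
RET_VAL isAtBase(uint b_a){ // base_address
    // check access violation (kept as a single-byte overlap test so the
    // ACCESS_VIOLATION contract of the scanning loop is unchanged)
    MemBlock * b_block = new_MemBlock(b_a,b_a);
    bool tracked = has_MemBlock(&user_memory, b_block);
    delete b_block;
    if(!tracked) return ACCESS_VIOLATION;

    // b_a is in memory allocated by malware; the DOS stub up to and
    // including e_lfanew must be readable before it is touched
    if(!isRangeInUserMemory(b_a, b_a + 0x3F)) return NOT_OK;

    uint e_lfanew = *(uint *)(b_a + 0x3C);
    uint pe_addr = b_a + e_lfanew;
    // reject wrap-around and a signature that would be read outside tracked memory
    if(pe_addr < b_a || pe_addr + 1 < pe_addr) return NOT_OK;
    if(!isRangeInUserMemory(pe_addr, pe_addr + 1)) return NOT_OK;

    const char * b_p = (const char *) b_a;
    const char * pe = (const char *) pe_addr;
    if(b_p[0] == 'M' && b_p[1] == 'Z' && pe[0] == 'P' && pe[1] == 'E'){
        return OK;
    }
    return NOT_OK;
}

// Stores `val` little-endian (host byte order on x86) at buf[index..index+3].
void writeToBuf(char * buf, uint index, uint val){
    char * val_arr = (char *) &val;
    buf[index] = val_arr[0];
    buf[index+1] = val_arr[1];
    buf[index+2] = val_arr[2];
    buf[index+3] = val_arr[3];
}

void writeToBuf(char * buf, uint index, ushort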
val){
    char * val_arr = (char *) &val;
    buf[index] = val_arr[0];
    buf[index+1] = val_arr[1];
}

// "[T:<tid>|L:<level>] " once thread tracking has started (threadCount >
// 0); empty before that. Dereferences the global `cl`, which is assumed
// to be set by then — TODO confirm.
string getThreadAndLevelLOGPrefix(THREADID tid){
    string res = "";
    if(threadCount > 0){
        res = "[T:"+decstr(tid)+"|L:"+decstr(cl->id)+"] ";
    }
    return res;
}

// Builds a minimal 0x200-byte PE/COFF header for dumping an unpacked code
// region as a standalone 32-bit console executable:
//   - one section (".txt") mapped at RVA 0x1000 covering `code_size`
//     bytes of raw data placed at file offset 0x200,
//   - ImageBase = code_base - 0x1000, so the code keeps its in-memory
//     address; AddressOfEntryPoint is `entry_point` relative to that,
//   - all 16 data directory entries stay zero (the buffer is memset), so
//     the dump carries no import table, relocations or TLS directory.
// Outputs: *hdr (heap buffer, caller owns/deletes) and *hdr_size (0x200).
// NOTE(review): when code_base < 0x1000 the error is only logged and the
// function carries on with image_base wrapped around to a huge value;
// the caller's handling of that case is not visible here.
void constructHeader(char ** hdr, uint * hdr_size, uint code_base, uint code_size, uint entry_point, THREADID tid){
    if(code_base < 0x1000) LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_ERROR)+"#[constructHeader]# code_base is lower than 0x1000; expected to be higher ## \n");
    uint image_base = code_base - 0x1000;

    uint sz = 0x200;
    char * res = new char[sz];

    memset(res, 0x0, sz*sizeof(char));
    writeToBuf(res, 0x00, (ushort) 0x5A4D); // = 0x4D 0x5A = M Z
    uint pe_offset = 0x000000B8;
    writeToBuf(res, 0x3C, pe_offset); // set PE_OFFSET (e_lfanew)

    writeToBuf(res, pe_offset, (uint) 0x00004550); // = 0x50 0x45 0x00 0x00 = P E _ _

    // COFF file header
    uint coff_hdr_offset = pe_offset + 0x04;
    writeToBuf(res, coff_hdr_offset, (ushort) 0x014C); // 0x014C = Machine Type (i386)
    writeToBuf(res, coff_hdr_offset + 0x02, (ushort) 0x0001); // 0x0001 = # Sections
    writeToBuf(res, coff_hdr_offset + 0x10, (ushort) 0x00E0); // 0x00E0 = Size of Optional Header
    writeToBuf(res, coff_hdr_offset + 0x12, (ushort) 0x0103); // Characteristics: 0x0001=RELOC_STRIPPED | 0x0002=EXE_IMG | 0x0100=32BIT_MACHINE

    // Optional header (PE32)
    uint opt_hdr_offset = pe_offset + 0x18;
    writeToBuf(res, opt_hdr_offset, (ushort) 0x010B); // Magic, normal executable (PE32)
    res[opt_hdr_offset+0x02] = 0x0A; // Major Linker Version
    writeToBuf(res, opt_hdr_offset + 0x04, code_size); // Size of Code
    writeToBuf(res, opt_hdr_offset + 0x10, entry_point - image_base); // Address of Entry Point (RVA)
    writeToBuf(res, opt_hdr_offset + 0x14, (uint) 0x00001000); // Base of Code
    writeToBuf(res, opt_hdr_offset + 0x1C, image_base); // Image Base
    writeToBuf(res, opt_hdr_offset + 0x20, (uint) 0x00001000); // Section Alignment
    writeToBuf(res, opt_hdr_offset + 0x24, (uint) 0x00000200); // File Alignment
    writeToBuf(res, opt_hdr_offset + 0x28, (ushort) 0x0005); // Major O/S version
    writeToBuf(res, opt_hdr_offset + 0x2A, (ushort) 0x0001); // Minor O/S version
    writeToBuf(res, opt_hdr_offset + 0x30, (ushort) 0x0005); // Major Subsystem version
    writeToBuf(res, opt_hdr_offset + 0x32, (ushort) 0x0001); // Minor Subsystem version
    // code_size should be a multiple of page_size(0x1000); SizeOfImage is
    // assumed to be section-aligned by the caller — not checked here
    uint img_size = code_size + 0x1000; // 0x1000 = hdr size when loaded
    writeToBuf(res, opt_hdr_offset + 0x38, img_size); // Size of Image
    writeToBuf(res, opt_hdr_offset + 0x3C, sz); // Size of Headers (0x200, a multiple of File Alignment)
    writeToBuf(res, opt_hdr_offset + 0x44, (ushort) 0x0003); // Subsystem: 0x0003 = IMAGE_SUBSYSTEM_WINDOWS_CUI
    writeToBuf(res, opt_hdr_offset + 0x46, (ushort) 0x8100); // DLL Characteristics: 0x0100=NX_COMPAT | 0x8000=TERMINAL_SERVER_AWARE
    writeToBuf(res, opt_hdr_offset + 0x48, (uint) 0x00100000); // Size of Stack Reserve
    writeToBuf(res, opt_hdr_offset + 0x4C, (uint) 0x00001000); // Size of Stack Commit
    writeToBuf(res, opt_hdr_offset + 0x50, (uint) 0x00100000); // Size of Heap Reserve
    writeToBuf(res, opt_hdr_offset + 0x54, (uint) 0x00001000); // Size of Heap Commit
    writeToBuf(res, opt_hdr_offset + 0x5C, (uint) 0x00000010); // # Data Directories (all entries left zero)

    // Single section header directly after the optional header
    uint section_offset = opt_hdr_offset + 0xE0; // 0xE0 = optional header size
    writeToBuf(res, section_offset, (uint) 0x7478742E); // Name: [0x2E 0x74 0x78 0x74] : [. t x t]
    writeToBuf(res, section_offset + 0x08, code_size); // Virtual Size
    writeToBuf(res, section_offset + 0x0C, (uint) 0x00001000); // RVA
    writeToBuf(res, section_offset + 0x10, code_size); // Size of Raw Data
    writeToBuf(res, section_offset + 0x14, (uint) 0x00000200); // Pointer to Raw Data (right after this header)
    writeToBuf(res, section_offset + 0x24, (uint) 0x60000020); // Characteristics: CODE | EXECUTE | READ (not writable)

    *hdr = res;
    *hdr_size = sz;
}

// The tracked allocation whose begin address equals `code_base`, or NULL.
MemBlock * getCodeBlock(uint code_base){
    MemBlock * curr = user_memory;
    while(curr != NULL && curr->begin != code_base){
        curr = curr->next;
    }
    return curr;
}

// Scans page by page downwards from the page of `pe_oep` for a PE base
// (isAtBase) and dumps from there; continues below this chunk.
void dumpWithNewEntryPoint(uint pe_oep, THREADID tid){
    uint dump_base = pe_oep & 0xFFFFF000; // set page start

    RET_VAL res;
    while((res = isAtBase(dump_base)) == NOT_OK){
        dump_base -= 1; // enter previous page
        dump_base &= 0xFFFFF000; // go to beginning of page
    }

    // border between allocated memory / regions not clear...
    // a base may be incorrect, because it may a base of another allocation
    if(res == ACCESS_VIOLATION){
        // scanning left tracked memory: treat the first tracked page as the code base
        dump_base += 0x1000;

        char * hdr;
        uint hdr_size;
        uint code_base = dump_base;
        MemBlock * code_block = getCodeBlock(code_base);
        if(code_block == NULL){
            LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_ERROR)+getLogType(LT_NEWLEVEL)+"#[dumpWithNewEntryPoint]# NOT_FOUND ## aborted DUMP; but process continues !
\n"); 782 | return; 783 | } 784 | uint code_size = code_block->end - code_base + 1; 785 | uint entry_point = pe_oep; 786 | constructHeader(&hdr, &hdr_size, code_base, code_size, entry_point, tid); 787 | 788 | string dump_file_name = KnobExeLogPath.Value()+"\\"; 789 | dump_file_name += "dump_level_"+decstr(cl->id)+"_procID_"+KnobProcessID.Value()+"_threadID_"+decstr(tid)+"_custom._exe_"; 790 | fstream df (dump_file_name.c_str(), ios::in | ios::out | ios::trunc | ios::binary); // dump file 791 | 792 | if (df.is_open()) { /* ok, proceed with output */ 793 | df.write(hdr, hdr_size); 794 | df.write((char *) code_base, code_size); 795 | df.close(); 796 | LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_NEWLEVEL)+"new level is in memory chunk ["+int_to_hex(code_base)+".."+int_to_hex(code_block->end)+"]("+int_to_hex(code_size)+") and has *NO* PE file header\n"); 797 | LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_NEWLEVEL)+"dumped new level to file "+dump_file_name+"\n"); 798 | }else{ 799 | LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_ERROR)+"# Unable to open file to dump new level; filename:["+dump_file_name+"] \n"); 800 | exit(EXIT_FAILURE); 801 | } 802 | 803 | }else{ // res == OK 804 | string dump_file_name = KnobExeLogPath.Value()+"\\"; 805 | dump_file_name += "dump_level_"+decstr(cl->id)+"_procID_"+KnobProcessID.Value()+"_threadID_"+decstr(tid)+"._exe_"; 806 | fstream df (dump_file_name.c_str(), ios::in | ios::out | ios::trunc | ios::binary); 807 | 808 | if (df.is_open()) { 809 | uint pe_base = *(uint*)(dump_base + 0x3C) + dump_base; 810 | streamsize size = *(uint*)(pe_base + 0x50); // get Size Of Image 811 | 812 | df.write((char *) dump_base,size); 813 | 814 | // fix the section sizes in dumped file 815 | short nr_sections = *(short*)(pe_base + 0x06); 816 | uint section_rva = pe_base + 0xF8 - dump_base; 817 | uint virtual_size_offset = 0x08; 818 | uint virtual_addr_offset = 0x0C; 819 | uint raw_size_offset = 0x10; 820 | uint raw_addr_offset = 0x14; 821 | 
const uint nr_bytes = 8; 822 | char virt_data[nr_bytes]; 823 | for(short i = 0; i < nr_sections; i++){ 824 | df.seekg(section_rva + virtual_size_offset); 825 | df.read(virt_data, nr_bytes); 826 | 827 | df.seekp(section_rva + raw_size_offset); 828 | df.write(virt_data, nr_bytes); 829 | 830 | section_rva += 0x28; // next section header 831 | } 832 | 833 | // fix oep in dumped file 834 | df.seekp(pe_base + 0x28 - dump_base); 835 | uint oep_rva = pe_oep - dump_base; 836 | df.write((char *) &oep_rva, sizeof(uint)); 837 | 838 | df.close(); 839 | LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_NEWLEVEL)+"new level is in memory chunk ["+int_to_hex(dump_base)+".."+int_to_hex(dump_base+(uint)size-1)+"]("+int_to_hex((uint)size)+") and has a PE file header\n"); 840 | LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_NEWLEVEL)+"dumped new level to file "+dump_file_name+"\n"); 841 | }else{ 842 | LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_ERROR)+"# Unable to open file to dump new level; filename:["+dump_file_name+"] \n"); 843 | exit(EXIT_FAILURE); 844 | } 845 | 846 | } 847 | } 848 | 849 | void checkForNewLevel(MemBlock * exec_block){ 850 | THREADID tid = PIN_ThreadId(); 851 | string s = getThreadAndLevelLOGPrefix(tid); 852 | thread_data_t* tdata = get_tls(tid); 853 | 854 | if(has_MemBlock(&cl->write_list, exec_block)){ 855 | if(tdata->written_instr_execution_count == 0){ 856 | LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_NEWLEVEL)+"a potential new level detected\n"); 857 | tdata->temp_level_oep = new_MemBlock(exec_block); 858 | tdata->temp_long_jump = tdata->addr_latest_exec_instr; 859 | } 860 | tdata->written_instr_execution_count++; 861 | LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_NEWLEVEL)+"#"+decstr(tdata->written_instr_execution_count)+" executed a written instruction @"+int_to_hex(exec_block->begin)+"\n"); 862 | if(tdata->written_instr_execution_count == THRESHOLD_WRITTEN_INSTR_EXECUTION){ 863 | // execution 5 contiguous tainted instructions detected! 
= new level 864 | cl->next = new_Level(cl->id+1); 865 | 866 | cl = cl->next; 867 | cl->oep = tdata->temp_level_oep->begin; 868 | 869 | LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_NEWLEVEL)+"detected a new level! its entry point is "+int_to_hex(cl->oep)+"\n"); 870 | 871 | LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_NEWLEVEL)+"instruction that jumped to the new level is at "+int_to_hex(tdata->temp_long_jump)+"\n"); 872 | 873 | dumpWithNewEntryPoint(cl->oep, tid); 874 | 875 | tdata->temp_long_jump = 0; 876 | tdata->temp_level_oep = NULL; 877 | tdata->written_instr_execution_count = 0; 878 | } 879 | }else if(tdata->written_instr_execution_count != 0){ 880 | // detection of new level failed 881 | // -> no consecutive execution of 5 written instrucitons! 882 | LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_NEWLEVEL)+"detection of new level failed\n"); 883 | 884 | tdata->temp_long_jump = 0; 885 | delete tdata->temp_level_oep; 886 | tdata->written_instr_execution_count = 0; 887 | } 888 | } 889 | 890 | // Left as future work 891 | BOOL checkSensitiveFunctions(MemBlock * exec_block){ 892 | return false; 893 | } 894 | 895 | VOID checkStopCondition(MemBlock * exec_block){ 896 | BOOL detectedCoreMalware = checkSensitiveFunctions(exec_block); 897 | 898 | if(detectedCoreMalware){ 899 | LOG("FOUND CORE OF THE MALWARE!!\n"); 900 | exit(1); 901 | } 902 | } 903 | 904 | VOID SaveWrite(ADDRINT ins_ea, UINT32 ins_size, ADDRINT mem_ea, UINT32 mem_size, THREADID tid){ 905 | MemBlock * exec_block = new_MemBlock((uint)ins_ea, (uint)ins_ea+ins_size-1); 906 | MemBlock * write_block = new_MemBlock((uint)mem_ea, (uint)mem_ea+mem_size-1); 907 | 908 | checkStopCondition(exec_block); 909 | checkForNewLevel(exec_block); 910 | insert_MemBlock(&cl->write_list, write_block); // write_list = log of writes in current level 911 | 912 | delete exec_block; 913 | delete write_block; 914 | 915 | thread_data_t* tdata = get_tls(tid); 916 | tdata->addr_latest_exec_instr = (UINT32) ins_ea; 917 | } 
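/**
 * Analysis routine for every non-writing instruction (inserted by Instruction()).
 * Same as SaveWrite() minus the write_list bookkeeping.
 */
VOID CheckInstruction(ADDRINT ins_ea, UINT32 ins_size, THREADID tid){
    MemBlock * exec_block = new_MemBlock((uint)ins_ea, (uint)ins_ea+ins_size-1);

    checkStopCondition(exec_block);
    checkForNewLevel(exec_block);

    delete exec_block;

    thread_data_t* tdata = get_tls(tid);
    tdata->addr_latest_exec_instr = (UINT32) ins_ea;
}

/**
 * Formats an address as "<addr> <image file name>::<routine>" when rtn is valid, else just "<addr>".
 * The image name is reduced to its last path component (after the final backslash).
 * Caller must hold the Pin client lock when rtn was obtained via RTN_FindByAddress.
 */
string FormatAddress(ADDRINT address, RTN rtn)
{
    string s = StringFromAddrint(address);

    if (RTN_Valid(rtn))
    {
        string imgname = IMG_Name(SEC_Img(RTN_Sec(rtn)));
        // find_last_of() == npos yields npos+1 == 0, i.e. the whole name is kept
        string filename = imgname.substr( imgname.find_last_of("\\") + 1 );
        s += " " + filename + "::";
        s += RTN_Name(rtn);
    }

    return s;
}

/**
 * True when src lies inside the main executable [img_base, img_end] and dest does not.
 * Note the boundary asymmetry: dest == img_base or dest == img_end counts as leaving the image.
 */
BOOL exitsMainIMG(ADDRINT src, ADDRINT dest){
    UINT32 _src = (UINT32) src;
    UINT32 _dest = (UINT32) dest;
    return (_src >= img_base && _src <= img_end)
        && (_dest <= img_base || _dest >= img_end);
}

/** True when src is outside every loaded module and dest is inside one (a call into a library). */
BOOL isBranchOrCallToLoadedModuleFromNonLoadedModule(ADDRINT src, ADDRINT dest){
    UINT32 _src = (UINT32) src;
    UINT32 _dest = (UINT32) dest;

    MemBlock * src_b = new_MemBlock(_src,_src);
    MemBlock * dest_b = new_MemBlock(_dest,_dest);
    bool result = !has_MemBlock(&loaded_modules, src_b) && has_MemBlock(&loaded_modules, dest_b);
    delete src_b;
    delete dest_b;

    return result;
}

/** Logs a pre-formatted line; str is owned by the instrumentation site that created it. */
VOID DirectCall(string * str){
    LOG(*str);
}

/**
 * True when referrer_addr (the memory operand an indirect branch read its target from) and
 * ins_addr (the branch itself) fall in the same user_memory block, i.e. the pointer table lives
 * in the same allocation as the code using it.
 */
BOOL isRefSourceInCurrentMemoryRegion(uint referrer_addr, uint ins_addr){
    MemBlock * mb_ra = new_MemBlock(referrer_addr,referrer_addr);
    // check if referrer_addr is in any memory block allocated by the malware
    if(!has_MemBlock(&user_memory, mb_ra)){
        delete mb_ra;
        return false;
    }
    delete mb_ra;

    // find the memory block in which referrer_addr is contained
    MemBlock * curr = user_memory;
    while(curr != NULL && !(curr->begin <= referrer_addr && referrer_addr <= curr->end)){
        curr = curr->next;
    }

    if(curr == NULL){
        return false;
    }

    if(curr->begin <= ins_addr && ins_addr <= curr->end){
        return true;
    }

    return false;
}

/**
 * Analysis routine for indirect branches/calls (inserted by Instruction()).
 *
 * Two cases are logged:
 *  - a call from non-module memory into a loaded module (library call): the callee is marked as
 *    the thread's current procedure (so the *Before/*After hooks below know they are inside it),
 *    a ProcRef recording where the target pointer came from (memory in the current region, other
 *    memory, or a register) is added to the level's procref_list, and an LT_LIBCALL line is written;
 *  - a branch leaving the main executable into unknown memory.
 * Both cases also set log_disabled.
 *
 * @param referrer_addr memory operand address when isMemRead, 0 otherwise.
 * @param reg_name      register name (heap string owned by the instrumentation site) or NULL.
 * @param disasm        disassembly of the instruction (heap string owned by the instrumentation site).
 */
VOID IndirectCall(THREADID tid, ADDRINT ins_addr, UINT32 ins_size, BOOL isCall, BOOL isMemRead,
        ADDRINT referrer_addr, UINT32 referrer_size, string * reg_name, ADDRINT branch_target_addr, string * disasm){
    if(isBranchOrCallToLoadedModuleFromNonLoadedModule(ins_addr, branch_target_addr)){
        if(!log_disabled) log_disabled = true;

        PIN_LockClient();
        RTN branch_target_RTN = RTN_FindByAddress(branch_target_addr);
        PIN_UnlockClient();

        const string rtn_name = RTN_Name(branch_target_RTN);
        if(!isCalledProc(NO_CALLED_PROC)) {
            LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_ERROR)+"## [IndirectCall] ## The thread should be in one PROCedure at a time! Function that did not return:"+getCurrentProcName()+" \n");
            clearCalledProc();
        }
        setCalledProc(rtn_name);

        // Instruction() always passes either a memory read or a register name, so one of the two
        // branches below runs; the initialiser only guards against a future call site that passes neither.
        REF_SOURCE ref_source = RS_UNKNOWN_MEMORY_REGION;
        if(isMemRead){
            // check in which region the referrer's address is
            if(isRefSourceInCurrentMemoryRegion((uint)referrer_addr, (uint)ins_addr)){
                ref_source = RS_CURRENT_MEMORY_REGION;
            }else{
                ref_source = RS_UNKNOWN_MEMORY_REGION;
            }
        }else if(reg_name != NULL){
            ref_source = RS_REGISTER;
            referrer_addr = 0x0;
        }

        // create pr
        // NOTE(review): when has_ProcRef() is already true, pr is never released — verify whether
        // insert_ProcRef() copies (as insert_MemBlock appears to) before adding a delete here.
        ProcRef * pr = new_ProcRef((uint)branch_target_addr, (uint)referrer_addr, ref_source);
        if(!has_ProcRef(&cl->procref_list,pr)){
            insert_ProcRef(&cl->procref_list, pr);
        }

        string s = "";

        s += "@"+int_to_hex(ins_addr);
        s+= " "+*disasm+"=";

        if(ref_source != RS_REGISTER){
            // only add the referrer when the disassembly does not already show an absolute operand
            if((*disasm).find("[0x") == string::npos){
                s += "["+int_to_hex(referrer_addr)+"]=";
            }
        }

        PIN_LockClient();
        s+= FormatAddress(branch_target_addr, branch_target_RTN);
        PIN_UnlockClient();

        LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_LIBCALL) +s+ "\n");
    }else if(exitsMainIMG(ins_addr, branch_target_addr)){
        string s = "Indirect || ";
        s += "Exits main EXEcutable || @"+int_to_hex(ins_addr);
        if(isCall){
            s+= " Call ";
        }else{
            s+= " Jump ";
        }
        s+= int_to_hex(branch_target_addr);

        if(!log_disabled) log_disabled = true;
        LOG(getThreadAndLevelLOGPrefix(tid)+ s+"\n");
        s="";
    }
}

/* ===================================================================== */
// Instrumentation callbacks
/* ===================================================================== */
/**
 * Per-instruction instrumentation.
 *  - every instruction gets SaveWrite (memory write) or CheckInstruction (otherwise) before it;
 *  - direct branches/calls are classified at instrumentation time and logged immediately when
 *    malware code calls into a library or into unknown memory;
 *  - indirect branches/calls get IndirectCall, with the memory operand or the register name
 *    as the "referrer".
 * The strings handed to IndirectCall via IARG_PTR must outlive the instrumented code, so they are
 * heap-allocated and intentionally never freed; the disassembly is only allocated when it is
 * actually passed on (it used to be allocated for every instruction).
 */
VOID Instruction(INS ins, VOID* v){

    THREADID tid = PIN_ThreadId();
    string disasm_str = INS_Disassemble(ins);

    if(INS_IsMemoryWrite(ins)){
        INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)SaveWrite,
            IARG_INST_PTR,
            IARG_UINT32, INS_Size(ins),
            IARG_MEMORYWRITE_EA,
            IARG_MEMORYWRITE_SIZE,
            IARG_THREAD_ID,
            IARG_END);
    }else{
        INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)CheckInstruction,
            IARG_INST_PTR,
            IARG_UINT32, INS_Size(ins),
            IARG_THREAD_ID,
            IARG_END);
    }

    if(INS_IsDirectBranchOrCall(ins) && !INS_IsRet(ins)){
        ADDRINT src = INS_Address(ins);
        ADDRINT dest = INS_DirectBranchOrCallTargetAddress(ins);

        MemBlock * src_b = new_MemBlock((UINT32)src,(UINT32)src);
        MemBlock * dest_b = new_MemBlock((UINT32)dest,(UINT32)dest);
        BOOL isSrcInMalwareCode = has_MemBlock(&user_memory,src_b) || has_MemBlock(&cl->write_list, src_b);
        BOOL isDstInMalwareCode = has_MemBlock(&user_memory,dest_b) || has_MemBlock(&cl->write_list, dest_b);
        BOOL isDstInLibraryCode = has_MemBlock(&loaded_modules,dest_b);
        delete src_b;
        delete dest_b;

        string s_dcall = "";

        s_dcall += "@"+int_to_hex(src);
        s_dcall += " "+disasm_str+" ";

        PIN_LockClient();
        s_dcall += FormatAddress(dest, RTN_FindByAddress(dest));
        PIN_UnlockClient();

        if(isSrcInMalwareCode && isDstInLibraryCode){
            LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_DIRECTCALL)+s_dcall+"\n");
        }else if(isSrcInMalwareCode && !isDstInMalwareCode){
            LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_ERROR)+"unexpected directcall from malware code to unknown memory:\n");
            LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_ERROR)+s_dcall+"\n");
        }
    }


    if(INS_IsIndirectBranchOrCall(ins) && !INS_IsRet(ins)){
        BOOL isCall = INS_IsCall(ins);
        BOOL isMemRead = INS_IsMemoryRead(ins);
        if(isMemRead){
            INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)IndirectCall,
                IARG_THREAD_ID,
                IARG_INST_PTR,
                IARG_UINT32, INS_Size(ins),
                IARG_BOOL, isCall,
                IARG_BOOL, isMemRead,
                IARG_MEMORYREAD_EA,
                IARG_MEMORYREAD_SIZE,
                IARG_PTR, NULL, // REG_NAME
                IARG_BRANCH_TARGET_ADDR,
                IARG_PTR, new string(disasm_str), // lives as long as the instrumented code
                IARG_END);
        }else if(INS_OperandIsReg(ins, 0)){
            string s = REG_StringShort(INS_OperandReg(ins,0));
            INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)IndirectCall,
                IARG_THREAD_ID,
                IARG_INST_PTR,
                IARG_UINT32, INS_Size(ins),
                IARG_BOOL, isCall,
                IARG_BOOL, isMemRead,
                IARG_UINT32, 0x0,//IARG_MEMORYREAD_EA,
                IARG_UINT32, 0x0,//IARG_MEMORYREAD_SIZE,
                IARG_PTR, new string(s),
                IARG_BRANCH_TARGET_ADDR,
                IARG_PTR, new string(disasm_str), // lives as long as the instrumented code
                IARG_END);
        }else{
            LOG(getLogType(LT_ERROR)+"the indirect branch expects a memory read or a REGister ----\n");
        }
    }
}

clock_t execution_time;   // set in main(), turned into elapsed ticks in Fini()
/** Fini callback: logs the final level id and the wall-clock-ish run time (clock() based). */
VOID Fini(INT32 code, VOID *v)
{

    execution_time = clock() - execution_time;
    stringstream res;
    res << "===============================================" << endl;
    res << " Current level = " << cl->id << endl;
    res << " Execution time = " << (((float)execution_time*1000)/CLOCKS_PER_SEC) << " ms" << endl;
    res << " ===============================================" << endl;
    LOG(res.str());
}

/* ===================================================================== */
// Procedure Analysis routines
// Before and After functions
// (Each thread tracks its own Procedure calls)
//
// Every *Before/*After pair first checks isCalledProc(<proc>): the hooks only log when
// IndirectCall() saw this thread enter that library routine. *After clears the marker.
/* ===================================================================== */
VOID CreateThreadBefore(WINDOWS::LPTHREAD_START_ROUTINE lpStartAddress, THREADID tid){
    if(!isCalledProc(CREATE_THREAD)) return;
    userThreadCount++;
    LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_CALLDETAILS)+"CreateThreadBefore; number of threads started by exe="+decstr(userThreadCount)+"; thread Entry Point="+int_to_hex((uint)lpStartAddress)+"\n");
}

VOID CreateThreadAfter(THREADID tid){
    if(!isCalledProc(CREATE_THREAD)) return;
    LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_CALLDETAILS)+"CreateThreadAfter; done\n");
    clearCalledProc();
}

VOID CreateProcessABefore(THREADID tid){
    if(!isCalledProc(CREATE_PROCESS_A)) return;
    LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_CALLDETAILS)+"CreateProcessBefore\n");
}

VOID CreateProcessAAfter(THREADID tid){
    if(!isCalledProc(CREATE_PROCESS_A)) return;
    LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_CALLDETAILS)+"CreateProcessAfter; done\n");
    clearCalledProc();
}

/**
 * Logs the target process (handle, id, image name) and the source buffer of a WriteProcessMemory
 * call — the usual first step of process injection. Returns early (without clearing the marker)
 * when the image name cannot be resolved.
 */
VOID WriteProcessMemoryBefore(WINDOWS::HANDLE hProcess, void * dest, char * buf, uint buf_size, THREADID tid){
    if(!isCalledProc(WRITE_PROCESS_MEMORY)) return;

    uint size = MAX_PATH;
    char filename[MAX_PATH];
    uint res = WINDOWS::QueryFullProcessImageName(hProcess, 0, filename, (WINDOWS::PDWORD)&size); // 2nd arg: 0 = C:\.. & 1 = \Device\..
    if(res == 0){
        uint err = WINDOWS::GetLastError();
        LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_ERROR)+"WriteProcessMemoryBefore; failed to get new process' image name; windows error code="+int_to_hex(err)+"\n");
        return;
    }
    uint id = WINDOWS::GetProcessId(hProcess);
    LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_CALLDETAILS)+"WriteProcessMemoryBefore; target process handle="+hexstr(hProcess)+"; target process id=0x"+hexstr(id)+
        "; target process image name="+string(filename)+"\n");   // was *(new string(filename)), leaked per call
    LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_CALLDETAILS)+"WriteProcessMemoryBefore; destination in target process="+int_to_hex((uint)dest)+"; buffer in this process=["+int_to_hex((uint)buf)+".."
        +int_to_hex((uint)(buf+buf_size-1))+"]; size="+int_to_hex(buf_size)+"\n");
}

VOID WriteProcessMemoryAfter(THREADID tid){
    if(!isCalledProc(WRITE_PROCESS_MEMORY)) return;
    LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_CALLDETAILS)+"WriteProcessMemoryAfter; done \n");
    clearCalledProc();
}

/**
 * Records the requested size in user_memory_alloc_size_temp so VirtualAllocExAfter can register
 * the resulting block. Returns early when the target image name cannot be resolved.
 */
VOID VirtualAllocExBefore(WINDOWS::HANDLE hProcess, uint pref_addr, uint size, THREADID tid){
    if(!isCalledProc(VIRTUAL_ALLOC_EX)) return;

    uint path_size = MAX_PATH;
    char filename[MAX_PATH];
    uint res = WINDOWS::QueryFullProcessImageName(hProcess, 0, filename, (WINDOWS::PDWORD)&path_size); // 2nd arg: 0 = C:\.. & 1 = \Device\..
    if(res == 0){
        uint err = WINDOWS::GetLastError();
        LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_ERROR)+"VirtualAllocExBefore; failed to get new process' image name; windows error code="+int_to_hex(err)+"\n");
        return;
    }

    LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_CALLDETAILS)+"VirtualAllocExBefore; target process handle="+hexstr(hProcess)+"; allocate mem at address="+int_to_hex(pref_addr)+"; size="+int_to_hex(size)+"\n");
    user_memory_alloc_size_temp = size;
}

/**
 * On success, adds [alloc_addr, end-of-last-page] to user_memory. The block is page-rounded
 * because the level detection works at page granularity.
 * NOTE(review): the allocation is in *another* process (hProcess), yet it is added to this
 * process's user_memory like a local VirtualAlloc — presumably intended for the injected-code
 * case; confirm.
 */
VOID VirtualAllocExAfter(uint alloc_addr, THREADID tid){
    if(!isCalledProc(VIRTUAL_ALLOC_EX)) return;
    if(user_memory_alloc_size_temp == 0) {
        LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_CALLDETAILS)+"VirtualAllocExAfter; done; return value="+int_to_hex(alloc_addr)+"\n");
    }else if(alloc_addr == NULL){
        LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_CALLDETAILS)+"VirtualAllocExAfter; done; return value="+int_to_hex(alloc_addr)+"\n");
    }else{
        LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_CALLDETAILS)+"VirtualAllocExAfter; done; return value="+int_to_hex(alloc_addr)+"\n");

        // last byte of the last 0x1000-byte page touched by the allocation
        uint mem_end = (((alloc_addr+user_memory_alloc_size_temp)-1)&0xFFFFF000)+0x1000-1;

        MemBlock * block = new_MemBlock(alloc_addr, mem_end);
        LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_EXEMEMORY)+"insert memory chunk ["+int_to_hex(alloc_addr)+".."+int_to_hex(mem_end)+"]("+int_to_hex(mem_end-alloc_addr+1)+") \n");
        insert_MemBlock(&user_memory, block);
        delete block;

        user_memory_alloc_size_temp = 0;
    }

    clearCalledProc();
}

VOID VirtualAllocBefore(uint pref_addr, uint size, THREADID tid){
    if(!isCalledProc(VIRTUAL_ALLOC)) return;
    LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_CALLDETAILS)+"VirtualAllocBefore; allocate memory at address="+int_to_hex(pref_addr)+"; size="+int_to_hex(size)+"\n");
    user_memory_alloc_size_temp = size;
}

/**
 * Registers a successful VirtualAlloc in user_memory (page-rounded, see VirtualAllocExAfter).
 * Unlike VirtualAllocExAfter, the size-0 and NULL-result cases are logged as LT_ERROR here.
 */
VOID VirtualAllocAfter(uint alloc_addr, THREADID tid){
    if(!isCalledProc(VIRTUAL_ALLOC)) return;
    if(user_memory_alloc_size_temp == 0) {
        LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_ERROR)+"VirtualAllocAfter; done; return value="+int_to_hex(alloc_addr)+"\n");
    }else if(alloc_addr == NULL){
        LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_ERROR)+"VirtualAllocAfter; done: return value="+int_to_hex(alloc_addr)+"\n");
    }else{
        LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_CALLDETAILS)+"VirtualAllocAfter; done; return value="+int_to_hex(alloc_addr)+"\n");

        uint mem_end = (((alloc_addr+user_memory_alloc_size_temp)-1)&0xFFFFF000)+0x1000-1;

        MemBlock * block = new_MemBlock(alloc_addr, mem_end);
        LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_EXEMEMORY)+"insert memory chunk ["+int_to_hex(alloc_addr)+".."+int_to_hex(mem_end)+"]("+int_to_hex(mem_end-alloc_addr+1)+") \n");
        insert_MemBlock(&user_memory, block);
        delete block;

        user_memory_alloc_size_temp = 0;
    }

    clearCalledProc();
}

// NOTE(review): VirtualFree is only logged; the freed range is not removed from user_memory.
VOID VirtualFreeBefore(uint addr, uint size, uint type, THREADID tid){
    if(!isCalledProc(VIRTUAL_FREE)) return;
    LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_CALLDETAILS)+"VirtualFreeBefore; free memory chunk at address="+int_to_hex(addr)+"; size="+int_to_hex(size)+"; free type="+hexstr(type)+"\n");
}

VOID VirtualFreeAfter(THREADID tid){
    if(!isCalledProc(VIRTUAL_FREE)) return;
    LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_CALLDETAILS)+"VirtualFreeAfter; done \n");
    clearCalledProc();
}

// NOTE(review): the Nt/Zw allocation hooks only log; unlike VirtualAlloc, their result is not
// added to user_memory, so code unpacked into such memory is invisible to the level detection.
VOID NtAllocateVirtualMemoryBefore(WINDOWS::HANDLE processHandle, uint pref_addr, uint size, THREADID tid){
    if(!isCalledProc(NT_ALLOCATE_VIRTUAL_MEMORY)) return;
    LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_CALLDETAILS)+"NtAllocateVirtualMemoryBefore; process handle="+int_to_hex((uint)processHandle)+
        "; allocate memory at address="+int_to_hex(pref_addr)+"; size="+int_to_hex(size)+"\n");
}

VOID NtAllocateVirtualMemoryAfter(THREADID tid){
    if(!isCalledProc(NT_ALLOCATE_VIRTUAL_MEMORY)) return;
    LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_CALLDETAILS)+"NtAllocateVirtualMemoryAfter; done\n");
    clearCalledProc();
}

VOID ZwAllocateVirtualMemoryBefore(WINDOWS::HANDLE processHandle, uint pref_addr, uint size, THREADID tid){
    if(!isCalledProc(ZW_ALLOCATE_VIRTUAL_MEMORY)) return;
    LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_CALLDETAILS)+"ZwAllocateVirtualMemoryBefore; process handle="+int_to_hex((uint)processHandle)+
        "; allocate memory at "+int_to_hex(pref_addr)+"; size "+int_to_hex(size)+"\n");
}

VOID ZwAllocateVirtualMemoryAfter(THREADID tid){
    if(!isCalledProc(ZW_ALLOCATE_VIRTUAL_MEMORY)) return;
    LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_CALLDETAILS)+"ZwAllocateVirtualMemoryAfter; done\n");
    clearCalledProc();
}

/** Logs an OpenSCManagerA call; NULL machine/database names are shown with their documented defaults. */
VOID OpenSCManagerABefore(WINDOWS::LPCTSTR lpMachineName, WINDOWS::LPCTSTR lpDatabaseName, uint dwDesiredAccess, THREADID tid){
    if(!isCalledProc(OPEN_SC_MANAGER_A)) return;
    string machine_name = "LOCAL_COMPUTER";
    if(lpMachineName != NULL) machine_name = string(lpMachineName);
    string db_name = "DEFAULT_SERVICES_ACTIVE_DATABASE";
    if(lpDatabaseName != NULL) db_name = string(lpDatabaseName);
    LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_CALLDETAILS)+"OpenSCManagerABefore; machine name="+machine_name+"; db name="+db_name+"; access type="+int_to_hex(dwDesiredAccess)+"\n");
}

VOID OpenSCManagerAAfter(THREADID tid){
    if(!isCalledProc(OPEN_SC_MANAGER_A)) return;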
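LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_CALLDETAILS)+"OpenSCManagerAAfter; done\n");   // tail of OpenSCManagerAAfter (signature above)
    clearCalledProc();
}

/** Logs an OpenServiceA call. A NULL service name is reported literally instead of being dereferenced. */
VOID OpenServiceABefore(WINDOWS::SC_HANDLE hSCManager, WINDOWS::LPCTSTR lpServiceName, uint dwDesiredAccess, THREADID tid){
    if(!isCalledProc(OPEN_SERVICE_A)) return;
    // string(NULL) is undefined behaviour; guard like OpenSCManagerABefore does
    string service_name = "NULL";
    if(lpServiceName != NULL) service_name = string(lpServiceName);
    LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_CALLDETAILS)+"OpenServiceABefore; service manager handle="+int_to_hex((uint)hSCManager)+
        "; service name="+service_name+"; access type="+int_to_hex(dwDesiredAccess)+"\n");
}

VOID OpenServiceAAfter(THREADID tid){
    if(!isCalledProc(OPEN_SERVICE_A)) return;
    LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_CALLDETAILS)+"OpenServiceAAfter; done\n");
    clearCalledProc();
}

// NOTE(review): the page this listing was taken from is truncated here — everything between the
// second img_info line of ImgLoad and the last statement of ThreadStart (ImgUnload, the hook
// registration, ThreadStart's body) is missing and cannot be reconstructed from this excerpt.
// The fragment is kept verbatim.
void ImgLoad(IMG img, VOID *v){
    THREADID tid = PIN_ThreadId();
    if(!img_base && IMG_IsMainExecutable(img)) {   // remember the main executable's address range once
        stringstream img_info;
        img_glb = img;
        img_base = IMG_LowAddress(img);
        img_end = IMG_HighAddress(img);
        img_info << "Instrumenting PE file: " << IMG_Name(img) << endl;
        img_info << " Loaded PE file at ["<< int_to_hex(img_base) <<".."<< int_to_hex(img_end) <<"]("<calledProc = getCalledProc("none");
}

/**
 * Thread-fini callback: logs and decrements the global threadCount.
 * NOTE(review): the message says "new #threads" but prints the count *before* the decrement;
 * reordering would also drop the log prefix for the last thread (prefix requires threadCount > 0).
 */
VOID ThreadFini(THREADID threadid, const CONTEXT *ctxt, INT32 code, VOID *v)
{
    LOG(getThreadAndLevelLOGPrefix(threadid)+getLogType(LT_THREADMGMT)+"thread with id "+decstr(threadid)+" stopped; new #threads is "+decstr(threadCount)+"\n");
    threadCount--;
}

/**
 * Follow-child callback: re-injects Pin and this tool into every process the analysed sample
 * spawns, with per-process log files ("pin_procID_<pid>_parentID_<ppid>.log" and
 * "tool_procID_<pid>_parentID_<ppid>.log") under KnobExeLogPath and the tool's knobs forwarded.
 *
 * Every argv entry must point at storage that is still alive when
 * CHILD_PROCESS_SetPinCommandLine() is called, so all dynamically produced values are held in
 * named std::string locals. Previously decstr(pid).c_str() and several Knob.Value().c_str()
 * results were taken from temporaries, which dangled before the command line was consumed.
 *
 * @return TRUE so Pin follows the child.
 */
BOOL FollowChild(CHILD_PROCESS childProcess, VOID * userData)
{
    INT appArgc;
    CHAR const * const * appArgv;

    THREADID tid = PIN_ThreadId();
    OS_PROCESS_ID pid = CHILD_PROCESS_GetId(childProcess);

    CHILD_PROCESS_GetCommandLine(childProcess, &appArgc, &appArgv);
    string childApp(appArgv[0]);
    LOG(getThreadAndLevelLOGPrefix(tid)+getLogType(LT_CHILDPROC)+"started app "+childApp+" with process id "+decstr(pid)+"\n");

    //Set Pin's command line for child process
    INT pinArgc = 0;
    CHAR const * pinArgv[30];   // 23 entries are filled below

    string pin = KnobPinPath32.Value();
    string pid_str = decstr(pid);
    string exe_log_path = KnobExeLogPath.Value();
    string tool_dll = KnobToolDllFile.Value();
    string timestamp = KnobTimeStamp.Value();
    string tool_name = KnobToolName.Value();
    string logfile_pin = exe_log_path+"\\"+"pin_procID_"+pid_str+"_parentID_"+KnobProcessID.Value()+".log";
    string logfile_tool = exe_log_path+"\\"+"tool_procID_"+pid_str+"_parentID_"+KnobProcessID.Value()+".log";

    pinArgv[pinArgc++] = pin.c_str();
    pinArgv[pinArgc++] = "-follow_execv";
    pinArgv[pinArgc++] = "-smc_strict";
    pinArgv[pinArgc++] = "-logfile";
    pinArgv[pinArgc++] = logfile_pin.c_str();
    pinArgv[pinArgc++] = "-t";
    pinArgv[pinArgc++] = tool_dll.c_str();
    pinArgv[pinArgc++] = "-logfile";
    pinArgv[pinArgc++] = logfile_tool.c_str();
    pinArgv[pinArgc++] = "-ts";
    pinArgv[pinArgc++] = timestamp.c_str();
    pinArgv[pinArgc++] = "-pin_path_32";
    pinArgv[pinArgc++] = pin.c_str();
    pinArgv[pinArgc++] = "-process_id";
    pinArgv[pinArgc++] = pid_str.c_str();
    pinArgv[pinArgc++] = "-exe_log_path";
    pinArgv[pinArgc++] = exe_log_path.c_str();
    pinArgv[pinArgc++] = "-tool_dll_file";
    pinArgv[pinArgc++] = tool_dll.c_str();
    pinArgv[pinArgc++] = "-tool_name";
    pinArgv[pinArgc++] = tool_name.c_str();
    pinArgv[pinArgc++] = "--";

    CHILD_PROCESS_SetPinCommandLine(childProcess, pinArgc, pinArgv);

    return TRUE;
}

/**
 * Tool entry point: initialises Pin, creates the initial level, registers all callbacks and
 * hands control to the application. PIN_StartProgram() never returns.
 */
int main(int argc, char *argv[])
{
    execution_time = clock();
    // Initialize PIN library. Print help message if -h(elp) is specified
    // in the command line or the command line is invalid
    PIN_InitSymbols();
    if( PIN_Init(argc,argv) )
    {
        return Usage();
    }

    levels = new_Level(INITIAL_LEVEL_ID);
    cl = levels;
    last_bbl_rtn = RTN_Invalid();

    // Obtain a key for TLS storage.
    // NOTE(review): the return value is not checked; Pin reports failure with a negative key.
    tls_key = PIN_CreateThreadDataKey(0);

    PIN_AddFollowChildProcessFunction(FollowChild, 0);

    IMG_AddInstrumentFunction(ImgLoad,0);
    IMG_AddUnloadFunction(ImgUnload, 0);

    PIN_AddThreadStartFunction(ThreadStart, 0);
    PIN_AddThreadFiniFunction(ThreadFini, 0);

    INS_AddInstrumentFunction(Instruction, 0);

    // Register function to be called when the application exits
    PIN_AddFiniFunction(Fini, 0);

    // Start the program, never returns
    PIN_StartProgram();

    return 0;
}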