├── pin-unpacker ├── .gitignore ├── utils.h ├── MyPinTool.vcxproj.user ├── utils.cpp ├── pin_utils.h ├── export.h ├── README.md ├── export_pin.cpp ├── IAT.h ├── Unpacker.sln ├── export_windows.cpp ├── pin_utils.cpp ├── IAT.cpp ├── Upacker.cpp ├── IAT_repair.py └── MyPinTool.vcxproj ├── README.md ├── IDA_plugin └── param_enum.py └── disable-defender.ps1 /pin-unpacker/.gitignore: -------------------------------------------------------------------------------- 1 | test/ 2 | x64/ 3 | x86/ 4 | IAT.json 5 | *.exe 6 | *.dll 7 | .vs/ -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Collection of tools developped by myself. 2 | 3 | Some of them may have articles describing them on my [blog](https://bidouillesecurity.com) -------------------------------------------------------------------------------- /pin-unpacker/utils.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | 6 | std::string int_to_hex(unsigned long long int val); 7 | -------------------------------------------------------------------------------- /pin-unpacker/MyPinTool.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /pin-unpacker/utils.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | using std::endl; 5 | 6 | std::string int_to_hex(ADDRINT val) 7 | { 8 | char buff[33]; 9 | sprintf(buff, "0x%llx", val); 10 | return std::string(buff); 11 | } 12 | -------------------------------------------------------------------------------- /pin-unpacker/pin_utils.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "pin.H" 4 | 5 | SEC Find_Section(ADDRINT addr); 6 | bool in_main_module(ADDRINT addr); 7 | ADDRINT get_RVA(ADDRINT addr); 8 | 9 | ADDRINT get_stack(const CONTEXT* ctx, ADDRINT offset); 10 | 11 | IMG get_main_IMG(); -------------------------------------------------------------------------------- /pin-unpacker/export.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include "pin.H" 5 | 6 | void export_image(IMG img, ADDRINT OEP, const std::string& path); 7 | 8 | void export_image_buffer(void* data, size_t size, void* ImageBase, void* RVA_OEP, const std::string& path); 9 | 10 | -------------------------------------------------------------------------------- /pin-unpacker/README.md: -------------------------------------------------------------------------------- 1 | 2 | # Compilation configuration 3 | 4 | ## Environment variables 5 | 6 | 2 environment variables needed : 7 | 8 | * `PINTOOL_DIR` : pintool installation, so folder `$(PINTOOL_DIR)/source/include/pin` exists 9 | * `WIN10SDK_INCLUDE` : SDK installation dir, so `$(WIN10SDK_INCLUDE)/um/windows.h` exists (should me something like `C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0`) 10 | 11 | Add them through `sysdm.cpl` > Advanced > Envrionment Variables -------------------------------------------------------------------------------- /pin-unpacker/export_pin.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | Pin side for the exports 3 | windows.h and pin.H cannot be included simultaneously 4 | */ 5 | 6 | #include 7 | #include 8 | 9 | #include "pin.H" 10 | 11 | #include "export.h" 12 | #include "utils.h" 13 | 14 | using std::endl; 15 | 16 | void export_image(IMG img, ADDRINT OEP, const std::string& path) { 17 | size_t size = IMG_HighAddress(img) - IMG_LowAddress(img) + 1; 18 | char* buffer = (char*) malloc(size); 19 | 20 | PIN_SafeCopy(buffer, (void*) IMG_LowAddress(img), size); 21 | 22 | export_image_buffer(buffer, size, (void*)IMG_LowAddress(img), (void*) (OEP - IMG_LowAddress(img)), path); 23 | 24 | free(buffer); 25 | 26 | std::cerr << "Module " << IMG_Name(img) << " saved at " << path << endl; 27 | } -------------------------------------------------------------------------------- /pin-unpacker/IAT.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | 6 | #include "pin.H" 7 | 8 | struct IAT_Func_entry { 9 | std::string Function_name; 10 | ADDRINT IAT_RVA; 11 | ADDRINT GetProcAddress_addr; 12 | }; 13 | 14 | struct IAT_DLL_entry { 15 | ADDRINT LoadLibrary_addr; 16 | std::vector functions; 17 | }; 18 | 19 | typedef std::map IAT_table; 20 | 21 | void IAT_add_library(IAT_table& table, char* DLL_Name, ADDRINT LoadLibrary_addr); 22 | 23 | void IAT_add_function(IAT_table& table, char* DLL_Name, char* function_name, ADDRINT function_addr, ADDRINT GetProcAddress_addr); 24 | 25 | void IAT_print(const IAT_table& table, std::ostream* out); 26 | 27 | void IAT_json_save(const IAT_table& table, const std::string& path); -------------------------------------------------------------------------------- /pin-unpacker/Unpacker.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.31105.61 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "MyPinTool", "MyPinTool.vcxproj", "{639EF517-FCFC-408E-9500-71F0DC0458DB}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Debug|x64.ActiveCfg = Debug|x64 17 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Debug|x64.Build.0 = Debug|x64 18 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Debug|x86.ActiveCfg = Debug|Win32 19 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Debug|x86.Build.0 = Debug|Win32 20 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Release|x64.ActiveCfg = Release|x64 21 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Release|x64.Build.0 = Release|x64 22 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Release|x86.ActiveCfg = Release|Win32 23 | {639EF517-FCFC-408E-9500-71F0DC0458DB}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {2F8ECBE6-FF9D-4D3D-B2AB-EC87B9F25AAB} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /pin-unpacker/export_windows.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | Functions of export.h that needs Windows.h included 3 | windows.h and pin.H cannot be included simultaneously 4 | */ 5 | 6 | #include 7 | #include 8 | 9 | #include 10 | #include 11 | 12 | 13 | //#include "export.h" // this one includes pin, do NOT IMPORT 14 | #include "utils.h" 15 | 16 | using std::endl; 17 | 18 | size_t pad_size(size_t data, size_t align) 19 | { 20 | if (data % align == 0) { 21 | return 0; 22 | } 23 | else { 24 | return align - (data % align); 25 | } 26 | } 27 | 28 | size_t align(size_t data, size_t align) 29 | { 30 | return data + pad_size(data, align); 31 | } 32 | 33 | /* 34 | Saves the sections of a IMG object to a file 35 | */ 36 | void export_image_buffer(void* data, size_t size, void* ImageBase, void* RVA_OEP, const std::string& path) 37 | { 38 | IMAGE_DOS_HEADER* p_DOS_HDR = (IMAGE_DOS_HEADER*) data; 39 | IMAGE_NT_HEADERS* p_NT_HDR = (IMAGE_NT_HEADERS*)(((char*)p_DOS_HDR) + p_DOS_HDR->e_lfanew); 40 | IMAGE_SECTION_HEADER* sections = (IMAGE_SECTION_HEADER*)(p_NT_HDR + 1); 41 | 42 | //Change Optional Header, disable int size warnings 43 | #pragma warning(suppress: 4311) 44 | #pragma warning(suppress: 4302) 45 | p_NT_HDR->OptionalHeader.ImageBase = (ULONGLONG) ImageBase; // #FIXME : 64 bits .... 46 | 47 | #pragma warning(suppress: 4311) 48 | #pragma warning(suppress: 4302) 49 | p_NT_HDR->OptionalHeader.AddressOfEntryPoint = (DWORD) RVA_OEP; 50 | 51 | //Change sections : 52 | // all sections have RawSize = VirtualSize 53 | // and RawAddress = VirtualAddress 54 | 55 | for (int i = 0; i < p_NT_HDR->FileHeader.NumberOfSections; ++i) { 56 | sections[i].SizeOfRawData = sections[i].Misc.VirtualSize; 57 | sections[i].PointerToRawData = sections[i].VirtualAddress; 58 | } 59 | 60 | // Save the result 61 | 62 | FILE* file = fopen(path.c_str(), "wb"); 63 | if (!file) { 64 | std::cerr << "ERROR opening output file " << int_to_hex(GetLastError()) << endl; 65 | return; 66 | } 67 | 68 | fwrite(data, size, 1, file); 69 | 70 | fclose(file); 71 | } -------------------------------------------------------------------------------- /pin-unpacker/pin_utils.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #include "pin_utils.h" 4 | #include "utils.h" 5 | 6 | using std::endl; 7 | 8 | SEC Find_Section(ADDRINT addr) 9 | { 10 | //List images loaded in memory 11 | IMG img = IMG_FindByAddress(addr); 12 | if (IMG_Valid(img)) 13 | { 14 | for (SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec)) 15 | { 16 | ADDRINT sec_addr = SEC_Address(sec); 17 | USIZE sec_size = SEC_Size(sec); 18 | if (addr >= sec_addr && addr <= sec_addr + sec_size) 19 | { 20 | return sec; 21 | } 22 | } 23 | } 24 | return SEC_Invalid(); 25 | } 26 | 27 | bool in_main_module(ADDRINT addr) 28 | { 29 | PIN_LockClient(); 30 | IMG img = IMG_FindByAddress(addr); 31 | PIN_UnlockClient(); 32 | 33 | if (!IMG_Valid(img)) 34 | { 35 | return false; 36 | } 37 | return IMG_IsMainExecutable(img); 38 | } 39 | 40 | ADDRINT get_RVA(ADDRINT addr) 41 | { 42 | PIN_LockClient(); 43 | IMG img = IMG_FindByAddress(addr); 44 | PIN_UnlockClient(); 45 | 46 | if (!IMG_Valid(img)) 47 | { 48 | std::cerr << "WARNING : No module found for address " << int_to_hex(addr) << endl; 49 | return addr; 50 | } 51 | return addr - IMG_LowAddress(img); 52 | } 53 | 54 | ADDRINT get_stack(const CONTEXT* ctx, ADDRINT offset) 55 | { 56 | ADDRINT RSP = (ADDRINT)PIN_GetContextReg(ctx, REG_STACK_PTR); 57 | ADDRINT data; 58 | PIN_SafeCopy(&data, (void*)(RSP + offset), sizeof(ADDRINT)); 59 | return data; 60 | } 61 | 62 | void print_call_stack(const CONTEXT* ctx, std::ostream* out) { 63 | ADDRINT RBP = (ADDRINT)PIN_GetContextReg(ctx, REG_RBP); 64 | ADDRINT EIP_saved; 65 | while (RBP != 0) { 66 | PIN_SafeCopy(&EIP_saved, (void*)(RBP + sizeof(ADDRINT)), sizeof(ADDRINT)); 67 | *out << " " << int_to_hex(EIP_saved) << endl; 68 | PIN_SafeCopy(&RBP, (void*)(RBP), sizeof(ADDRINT)); 69 | } 70 | } 71 | 72 | static IMG _main_img = IMG_Invalid(); 73 | 74 | IMG get_main_IMG() 75 | { 76 | if (IMG_Valid(_main_img)) { 77 | return _main_img; 78 | } 79 | else { 80 | for (IMG img = APP_ImgHead(); IMG_Valid(img); img = IMG_Next(img)) { 81 | if (IMG_IsMainExecutable(img)) { 82 | _main_img = img; 83 | return _main_img; 84 | } 85 | } 86 | } 87 | return IMG_Invalid(); 88 | 89 | } -------------------------------------------------------------------------------- /IDA_plugin/param_enum.py: -------------------------------------------------------------------------------- 1 | """ 2 | Replace immediate values push before a call by enum value 3 | """ 4 | 5 | from idc import * 6 | from idaapi import * 7 | from idautils import * 8 | from ida_enum import * 9 | 10 | def replace_pushed_int(function_ea, target_push_n, target_enum_name, before_limit=0x30, int_type="hex"): 11 | """ 12 | Replace the last immediate value push before by enum value if possible 13 | 14 | function_ea : target function ea (will check Xref to this ea) 15 | for structs use get_name_ea_simple 16 | target_push_n : how many push back we want, starts at 1 17 | target_enum_name : enum to target (created if doesn't exists) 18 | before_limit : how much back we agree to go 19 | str_type : "hex" or "dec", used for the enum value names (in hex or dec number) 20 | """ 21 | 22 | target_enum = get_enum(target_enum_name) 23 | if target_enum == BADADDR: 24 | if int_type == "hex": 25 | target_enum = add_enum(0, target_enum_name, hex_flag()) 26 | else: 27 | target_enum = add_enum(0, target_enum_name, dec_flag()) 28 | 29 | for xref in XrefsTo(function_ea, 0): 30 | current_ea = xref.frm 31 | push_n = 0 32 | 33 | while current_ea != BADADDR: 34 | current_ea = prev_head(current_ea, xref.frm - before_limit) 35 | 36 | if print_insn_mnem(current_ea) == "push": 37 | push_n += 1 38 | 39 | if push_n == target_push_n: # that's the push we are looking for 40 | 41 | type_n = get_operand_type(current_ea, 0) 42 | if type_n == 5: # immediate value 43 | value = get_operand_value(current_ea, 0) 44 | 45 | enum_value = get_enum_member(target_enum, value, 0, 0) 46 | if enum_value == BADADDR: 47 | # Create a new enum value 48 | if int_type == "hex": 49 | enum_val_name = "{:02X}".format(value) 50 | else: 51 | enum_val_name = str(value) 52 | 53 | enum_value = add_enum_member(target_enum, get_enum_name(target_enum) + "_" + enum_val_name, value) 54 | 55 | op_enum(current_ea, 0, target_enum, 0) 56 | 57 | else: # not an immediate value 58 | print(f"Help needed @ {hex(current_ea)}") 59 | 60 | break # Done here, break to the next Xref 61 | -------------------------------------------------------------------------------- /pin-unpacker/IAT.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | #include "IAT.h" 5 | #include "utils.h" 6 | 7 | using std::endl; 8 | 9 | void IAT_add_library(IAT_table& table, char* DLL_Name, ADDRINT LoadLibrary_addr) 10 | { 11 | struct IAT_DLL_entry& funct_entry = table[std::string(DLL_Name)]; 12 | if (funct_entry.LoadLibrary_addr != 0) { 13 | funct_entry.LoadLibrary_addr = LoadLibrary_addr; 14 | } 15 | } 16 | 17 | void IAT_add_function(IAT_table& table, char* DLL_Name, char* function_name, ADDRINT function_addr, ADDRINT GetProcAddress_addr) 18 | { 19 | struct IAT_Func_entry entry; 20 | entry.Function_name = std::string(function_name); 21 | entry.IAT_RVA = function_addr; 22 | entry.GetProcAddress_addr = GetProcAddress_addr; 23 | 24 | struct IAT_DLL_entry& funct_entry = table[std::string(DLL_Name)]; 25 | funct_entry.functions.push_back(entry); 26 | } 27 | 28 | void IAT_print(const IAT_table& table, std::ostream* out) 29 | { 30 | *out << "=== IAT ===" << endl; 31 | for (std::pair element : table) 32 | { 33 | *out << element.first << " (Loaded @ " << int_to_hex(element.second.LoadLibrary_addr) << ")" << endl; 34 | for (struct IAT_Func_entry entry : element.second.functions) 35 | { 36 | *out << " " << entry.Function_name << " @ " << int_to_hex(entry.IAT_RVA) << " (Loaded @ " << int_to_hex(entry.GetProcAddress_addr) << ")" << endl; 37 | } 38 | } 39 | } 40 | 41 | void IAT_json_save(const IAT_table& table, const std::string& path) 42 | { 43 | std::ofstream outFile; 44 | outFile.open(path.c_str()); 45 | 46 | outFile << "{\n \"DLL\":{\n"; 47 | 48 | bool first_DLL = true; 49 | for (std::pair element : table) 50 | { 51 | if (!first_DLL) { 52 | outFile << ",\n"; 53 | } 54 | first_DLL = false; 55 | outFile << " \"" << element.first << "\":{\n"; 56 | outFile << " \"LoadLibrary_RVA\":\"" << int_to_hex(element.second.LoadLibrary_addr) << "\",\n"; 57 | outFile << " \"functions\":{\n"; 58 | 59 | bool first_function = true; 60 | for (struct IAT_Func_entry entry : element.second.functions) 61 | { 62 | if (!first_function) { 63 | outFile << ",\n"; 64 | } 65 | first_function = false; 66 | outFile << " \"" << entry.Function_name << "\":{\n"; 67 | outFile << " \"IAT_RVA\":\"" << int_to_hex(entry.IAT_RVA) <<"\",\n"; 68 | outFile << " \"GetProcAddress_RVA\":\"" << int_to_hex(entry.GetProcAddress_addr) << "\"\n"; 69 | outFile << " }"; 70 | } 71 | outFile << "\n }\n"; 72 | outFile << " }"; 73 | } 74 | outFile << "\n }\n}\n"; 75 | 76 | outFile.close(); 77 | std::cerr << "IAT saved in " << path << endl; 78 | } -------------------------------------------------------------------------------- /pin-unpacker/Upacker.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #include "pin.H" 6 | #include "utils.h" 7 | #include "pin_utils.h" 8 | #include "IAT.h" 9 | #include "export.h" 10 | 11 | using std::endl; 12 | 13 | std::ostream * out = &std::cerr; 14 | 15 | /* 16 | GLOBAL VARIABLES 17 | */ 18 | 19 | IAT_table iat_table; 20 | char* last_LoadLibrary = NULL; 21 | 22 | VOID save_results(ADDRINT OEP) { 23 | //IAT_print(iat_table, out); 24 | export_image(get_main_IMG(), OEP, "export.exe"); 25 | IAT_json_save(iat_table, "IAT.json"); 26 | 27 | exit(0); //FIXME better solution ? continue and do multiple exports (TLS) ? 28 | } 29 | 30 | VOID Fini(INT32 code, VOID *v) 31 | { 32 | IAT_print(iat_table, out); 33 | *out << "DONE" << std::endl; 34 | } 35 | 36 | /* Finds a function RTN object 37 | RTN must be closed after use 38 | */ 39 | RTN FindRoutine(IMG image, std::string name) { 40 | for (SYM sym = IMG_RegsymHead(image); SYM_Valid(sym); sym = SYM_Next(sym)) 41 | { 42 | std::string fname = PIN_UndecorateSymbolName(SYM_Name(sym), UNDECORATION_NAME_ONLY); 43 | if (fname == name) 44 | { 45 | RTN rtn = RTN_FindByAddress(IMG_LowAddress(image) + SYM_Value(sym)); 46 | if (RTN_Valid(rtn)) 47 | { 48 | return rtn; 49 | } 50 | } 51 | } 52 | return RTN_Invalid(); 53 | } 54 | 55 | VOID Callback_LoadLibrary(const CONTEXT* ctx, char* lib_name) 56 | { 57 | ADDRINT saved_EIP = get_stack(ctx, 0); 58 | if (in_main_module(saved_EIP)) 59 | { 60 | // *out << "Callback : LoadLibrary(" << lib_name << ") @ " << int_to_hex(saved_EIP) << endl; 61 | last_LoadLibrary = lib_name; 62 | IAT_add_library(iat_table, lib_name, get_RVA(saved_EIP)); 63 | } 64 | } 65 | 66 | VOID Callback_GetProcAddress(const CONTEXT* ctx, char* funct_name) 67 | { 68 | ADDRINT RBX = (ADDRINT)PIN_GetContextReg(ctx, REG_RBX); 69 | ADDRINT saved_EIP = get_stack(ctx, 0); 70 | if (in_main_module(saved_EIP)) 71 | { 72 | //*out << "Callback : GetProcAddress(" << last_LoadLibrary << ", " << funct_name << ") @ " << int_to_hex(saved_EIP) << endl; 73 | //*out << " RBX=" << int_to_hex(RBX) << " (" << int_to_hex(get_RVA(RBX)) << ")" << endl; 74 | IAT_add_function(iat_table, last_LoadLibrary, funct_name, get_RVA(RBX), get_RVA(saved_EIP)); //FIXME 75 | } 76 | } 77 | 78 | /* Called on DLL loaded by the Application */ 79 | VOID Callback_ImageLoad(IMG image, VOID* v) 80 | { 81 | //*out << "Loading " << IMG_Name(image) << endl; 82 | RTN funct_rtn = FindRoutine(image, "LoadLibraryA"); 83 | if (RTN_Valid(funct_rtn)) 84 | { 85 | //*out << "Instrumenting LoadLibraryA in " << IMG_Name(image) << endl; 86 | RTN_Open(funct_rtn); 87 | RTN_InsertCall(funct_rtn, IPOINT_BEFORE, (AFUNPTR)Callback_LoadLibrary, IARG_CONTEXT, IARG_FUNCARG_ENTRYPOINT_VALUE, 0, IARG_END); 88 | RTN_Close(funct_rtn); 89 | } 90 | 91 | funct_rtn = FindRoutine(image, "GetProcAddress"); 92 | if (RTN_Valid(funct_rtn)) 93 | { 94 | //*out << "Instrumenting GetProcAddress in " << IMG_Name(image) << endl; 95 | RTN_Open(funct_rtn); 96 | RTN_InsertCall(funct_rtn, IPOINT_BEFORE, (AFUNPTR)Callback_GetProcAddress, IARG_CONTEXT, IARG_FUNCARG_ENTRYPOINT_VALUE, 1, IARG_END); 97 | RTN_Close(funct_rtn); 98 | } 99 | } 100 | 101 | ADDRINT main_exec_section = 0; 102 | bool last_in_exec_section = true; 103 | ADDRINT last_ins = 0; 104 | 105 | VOID Callback_Instruction(INS ins, VOID*) { 106 | // check instruction in main module 107 | ADDRINT ins_addr = INS_Address(ins); 108 | 109 | if (in_main_module(ins_addr)) { //FIXME : VirtualAlloc ? 110 | SEC ins_sec = Find_Section(ins_addr); 111 | if (!SEC_Valid(ins_sec)) { 112 | // should never happen inside a module ! 113 | *out << "ERROR : instruction in main module, but not in a section ? (" << int_to_hex(ins_addr) << ")" << endl; 114 | } 115 | else { 116 | ADDRINT ins_secaddr = SEC_Address(ins_sec); 117 | if (main_exec_section == 0) { 118 | main_exec_section = ins_secaddr; //base section address for EntryPoint 119 | } 120 | else{ 121 | if (main_exec_section != ins_secaddr) { 122 | if (last_in_exec_section) { 123 | *out << "Inter section jump found : RVA " << int_to_hex(get_RVA(ins_addr)) << " called from RVA " << int_to_hex(get_RVA(last_ins)) << endl; 124 | save_results(ins_addr); 125 | } 126 | last_in_exec_section = false; 127 | } 128 | else { 129 | last_in_exec_section = true; 130 | } 131 | } 132 | } 133 | } 134 | 135 | last_ins = ins_addr; 136 | } 137 | 138 | VOID Callback_AppStart(void* ) 139 | { 140 | //*out << "AppStart callback\n"; 141 | } 142 | 143 | int main(int argc, char *argv[]) 144 | { 145 | // Initialize PIN library. Print help message if -h(elp) is specified 146 | // in the command line or the command line is invalid 147 | if( PIN_Init(argc,argv) ) 148 | { 149 | return 0; 150 | } 151 | 152 | PIN_InitSymbols(); 153 | 154 | IMG_AddInstrumentFunction(Callback_ImageLoad, NULL); 155 | INS_AddInstrumentFunction(Callback_Instruction, NULL); 156 | 157 | PIN_AddApplicationStartFunction(Callback_AppStart, NULL); 158 | PIN_AddFiniFunction(Fini, NULL); 159 | 160 | // Start the program, never returns 161 | PIN_StartProgram(); 162 | 163 | return 0; 164 | } -------------------------------------------------------------------------------- /pin-unpacker/IAT_repair.py: -------------------------------------------------------------------------------- 1 | import argparse 2 | import lief 3 | import os 4 | import json 5 | 6 | def align(x, al): 7 | """ return aligned to """ 8 | if x % al == 0: 9 | return x 10 | else: 11 | return x - (x % al) + al 12 | 13 | 14 | def pad_data(data, al): 15 | """ return padded with 0 to a size aligned with """ 16 | return data + ([0] * (align(len(data), al) - len(data))) 17 | 18 | 19 | class ImportTableBuilder: 20 | 21 | def __init__(self, baseoffset, ptr_size): 22 | self.data = b"" 23 | self.hint_name_RVA_dict = {} 24 | self.name_thunk_RVA_dict = {} 25 | self.baseoffset = baseoffset 26 | self.IDT_RVA = 0 27 | self.ptr_size = ptr_size 28 | 29 | 30 | def _add_name(self, name, hint=0): 31 | self.hint_name_RVA_dict[name] = self.baseoffset + len(self.data) 32 | self.data += b"\x00\x00" # hint field, added even for DLL names 33 | self.data += name.encode("ASCII") + b'\x00' 34 | 35 | 36 | def _add_thunk_list(self, dllname, name_list): 37 | self.name_thunk_RVA_dict[dllname] = self.baseoffset + len(self.data) 38 | for n in name_list: 39 | self._push(self.hint_name_RVA_dict[n], self.ptr_size) 40 | self._push(0, self.ptr_size) #end of the array 41 | 42 | 43 | def _add_import_descriptor(self, dllname, IAT_RVA): 44 | if(self.IDT_RVA ==0): 45 | self.IDT_RVA = self.baseoffset + len(self.data) 46 | self._push(self.name_thunk_RVA_dict[dllname], 4) #OriginalFirstThunk 47 | self._push(0, 4) #TimeDateStamp 48 | self._push(0, 4) #ForwarderChain 49 | self._push(self.hint_name_RVA_dict[dllname] + 2, 4) #DLLname, + 2 to ignore hint field 50 | self._push(IAT_RVA, 4) #FirstThunk 51 | 52 | 53 | def _push(self, val, size): 54 | self.data += val.to_bytes(size, "little") 55 | 56 | 57 | def _init_IAT(self, input_PE, base_IAT_addr, name_list): 58 | """ 59 | Init the IAT to point to the functions names we created 60 | """ 61 | rva = base_IAT_addr 62 | for n in name_list: 63 | data = list(self.hint_name_RVA_dict[n].to_bytes(self.ptr_size, "little")) 64 | input_PE.patch_address(rva, data, lief.Binary.VA_TYPES.RVA) 65 | rva += self.ptr_size 66 | 67 | 68 | def build(self, imports_names, IAT_locations, input_PE): 69 | """ 70 | import_names = { 71 | 'DLL_name':['functions_names'] 72 | } 73 | 74 | IAT_locations = {'DLL_name':RVA} 75 | """ 76 | 77 | for dll_name, func_names_list in imports_names.items(): 78 | self._add_name(dll_name) 79 | for fun_name in func_names_list: 80 | self._add_name(fun_name) 81 | 82 | self._add_thunk_list(dll_name, func_names_list) 83 | self._init_IAT(input_PE, IAT_locations[dll_name], func_names_list) 84 | 85 | for dll_name in imports_names.keys(): 86 | self._add_import_descriptor(dll_name, IAT_locations[dll_name]) 87 | self._push(0, 20) # empty import_descriptor to finish the array 88 | 89 | 90 | if __name__ =="__main__" : 91 | 92 | parser = argparse.ArgumentParser(description='Pack PE binary') 93 | parser.add_argument('input', metavar="FILE", help='input PE file') 94 | parser.add_argument('iat_file', metavar="IAT FILE", help='input IAT json file') 95 | parser.add_argument('-o', metavar="FILE", help='output', default="IAT_corrected.exe") 96 | 97 | args = parser.parse_args() 98 | 99 | with open(args.iat_file, "r") as f: 100 | IAT_data = json.load(f) 101 | 102 | input_PE = lief.PE.parse(args.input) 103 | 104 | # get RVA for new section 105 | max_RVA = max([x.virtual_address + x.size for x in input_PE.sections]) 106 | max_RVA = align(max_RVA, input_PE.optional_header.section_alignment) 107 | 108 | import_names = {} 109 | IAT_locations = {} 110 | 111 | for dll_name in IAT_data["DLL"].keys(): 112 | import_names[dll_name] = [] 113 | IAT_locations[dll_name] = 0 114 | 115 | func_dict = IAT_data["DLL"][dll_name]["functions"] 116 | 117 | for fun_name in func_dict.keys(): 118 | import_names[dll_name] += [fun_name] 119 | 120 | IAT_loc = min([int(infos["IAT_RVA"], 16) for (name, infos) in func_dict.items()]) 121 | 122 | IAT_locations[dll_name] = IAT_loc 123 | 124 | builder = ImportTableBuilder(max_RVA, 8) 125 | 126 | builder.build(import_names, IAT_locations, input_PE) 127 | 128 | import_data = pad_data(list(builder.data), input_PE.optional_header.file_alignment) 129 | import_section = lief.PE.Section(name=".imp") 130 | import_section.content = import_data 131 | import_section.size = len(import_data) 132 | import_section.virtual_address = max_RVA 133 | import_section.characteristics = (lief.PE.SECTION_CHARACTERISTICS.MEM_READ 134 | | lief.PE.SECTION_CHARACTERISTICS.MEM_WRITE) 135 | 136 | input_PE.add_section(import_section) 137 | 138 | # change the file ehaders 139 | 140 | # make lief compute the new sizeof_image 141 | input_PE.optional_header.sizeof_image = 0 142 | 143 | # chagne the Import table to point to ours 144 | import_data_dir = input_PE.data_directory(lief.PE.DATA_DIRECTORY.IMPORT_TABLE) 145 | import_data_dir.rva = builder.IDT_RVA 146 | import_data_dir.size = len(builder.data) 147 | 148 | # not supposed to move (no reloctions table) 149 | input_PE.optional_header.dll_characteristics = 0 150 | 151 | # make all sections writable (make sur the IAT is writable) 152 | for s in input_PE.sections: 153 | s.characteristics = s.characteristics | lief.PE.SECTION_CHARACTERISTICS.MEM_WRITE 154 | 155 | 156 | # save the resulting PE 157 | if(os.path.exists(args.o)): 158 | # little trick here : lief emits no warning when it cannot write because the output 159 | # file is already opened. Using this function ensure we fail in this case (avoid errors). 160 | os.remove(args.o) 161 | 162 | builder = lief.PE.Builder(input_PE) 163 | builder.build() 164 | builder.write(args.o) 165 | 166 | print(f"Output saved in {args.o}") 167 | 168 | 169 | 170 | 171 | 172 | -------------------------------------------------------------------------------- /disable-defender.ps1: -------------------------------------------------------------------------------- 1 | # Disable Windows Defender 2 | 3 | <# 4 | _ _ 5 | __ ____ _ _ __ _ __ (_)_ __ __ _ | | 6 | \ \ /\ / / _` | '__| '_ \| | '_ \ / _` | | | 7 | \ V V / (_| | | | | | | | | | | (_| | |_| 8 | \_/\_/ \__,_|_| |_| |_|_|_| |_|\__, | (_) 9 | |___/ 10 | 11 | This script is NOT a disable/enable solution, I'm a malware analyst, I use it for malware analysis. 12 | It can completely DELETE Defender, and it is NOT REVERSIBLE (that's what I need). 13 | Once you have run it, you will no longer have any sort of antivirus protection, and WILL NOT BE ABLE to reactivate it. 14 | 15 | Think twice before running it, or read the blog post to understand and modify it to suit **your** needs. 16 | 17 | THIS IS NOT A JOKE. 18 | YOU HAVE BEEN WARNED. 19 | #> 20 | 21 | <# 22 | Options : 23 | 24 | -Delete : delete the defender related files (services, drivers, executables, ....) 25 | 26 | Source : https://bidouillesecurity.com/disable-windows-defender-in-powershell 27 | 28 | #> 29 | 30 | Write-Host "[+] Disable Windows Defender (as $(whoami))" 31 | 32 | 33 | ## STEP 0 : elevate if needed 34 | 35 | 36 | if(-Not $($(whoami) -eq "nt authority\system")) { 37 | $IsSystem = $false 38 | 39 | # Elevate to admin (needed when called after reboot) 40 | if (-Not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')) { 41 | Write-Host " [i] Elevate to Administrator" 42 | $CommandLine = "-ExecutionPolicy Bypass `"" + $MyInvocation.MyCommand.Path + "`" " + $MyInvocation.UnboundArguments 43 | Start-Process -FilePath PowerShell.exe -Verb Runas -ArgumentList $CommandLine 44 | Exit 45 | } 46 | 47 | # Elevate to SYSTEM if psexec is available 48 | $psexec_path = $(Get-Command PsExec -ErrorAction 'ignore').Source 49 | if($psexec_path) { 50 | Write-Host " [i] Elevate to SYSTEM" 51 | $CommandLine = " -i -s powershell.exe -ExecutionPolicy Bypass `"" + $MyInvocation.MyCommand.Path + "`" " + $MyInvocation.UnboundArguments 52 | Start-Process -WindowStyle Hidden -FilePath $psexec_path -ArgumentList $CommandLine 53 | exit 54 | } else { 55 | Write-Host " [i] PsExec not found, will continue as Administrator" 56 | } 57 | 58 | } else { 59 | $IsSystem = $true 60 | } 61 | 62 | 63 | ## STEP 1 : Disable everything we can with immediate effect 64 | 65 | 66 | Write-Host " [+] Add exclusions" 67 | 68 | # Add the whole system in Defender exclusions 69 | 70 | 67..90|foreach-object{ 71 | $drive = [char]$_ 72 | Add-MpPreference -ExclusionPath "$($drive):\" -ErrorAction SilentlyContinue 73 | Add-MpPreference -ExclusionProcess "$($drive):\*" -ErrorAction SilentlyContinue 74 | } 75 | 76 | Write-Host " [+] Disable scanning engines (Set-MpPreference)" 77 | 78 | Set-MpPreference -DisableArchiveScanning 1 -ErrorAction SilentlyContinue 79 | Set-MpPreference -DisableBehaviorMonitoring 1 -ErrorAction SilentlyContinue 80 | Set-MpPreference -DisableIntrusionPreventionSystem 1 -ErrorAction SilentlyContinue 81 | Set-MpPreference -DisableIOAVProtection 1 -ErrorAction SilentlyContinue 82 | Set-MpPreference -DisableRemovableDriveScanning 1 -ErrorAction SilentlyContinue 83 | Set-MpPreference -DisableBlockAtFirstSeen 1 -ErrorAction SilentlyContinue 84 | Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 1 -ErrorAction SilentlyContinue 85 | Set-MpPreference -DisableScanningNetworkFiles 1 -ErrorAction SilentlyContinue 86 | Set-MpPreference -DisableScriptScanning 1 -ErrorAction SilentlyContinue 87 | Set-MpPreference -DisableRealtimeMonitoring 1 -ErrorAction SilentlyContinue 88 | 89 | Write-Host " [+] Set default actions to Allow (Set-MpPreference)" 90 | 91 | Set-MpPreference -LowThreatDefaultAction Allow -ErrorAction SilentlyContinue 92 | Set-MpPreference -ModerateThreatDefaultAction Allow -ErrorAction SilentlyContinue 93 | Set-MpPreference -HighThreatDefaultAction Allow -ErrorAction SilentlyContinue 94 | 95 | 96 | ## STEP 2 : Disable services, we cannot stop them, but we can disable them (they won't start next reboot) 97 | 98 | 99 | Write-Host " [+] Disable services" 100 | 101 | $need_reboot = $false 102 | 103 | # WdNisSvc Network Inspection Service 104 | # WinDefend Antivirus Service 105 | # Sense : Advanced Protection Service 106 | 107 | $svc_list = @("WdNisSvc", "WinDefend", "Sense") 108 | foreach($svc in $svc_list) { 109 | if($(Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc")) { 110 | if( $(Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc").Start -eq 4) { 111 | Write-Host " [i] Service $svc already disabled" 112 | } else { 113 | Write-Host " [i] Disable service $svc (next reboot)" 114 | Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -Name Start -Value 4 115 | $need_reboot = $true 116 | } 117 | } else { 118 | Write-Host " [i] Service $svc already deleted" 119 | } 120 | } 121 | 122 | Write-Host " [+] Disable drivers" 123 | 124 | # WdnisDrv : Network Inspection System Driver 125 | # wdfilter : Mini-Filter Driver 126 | # wdboot : Boot Driver 127 | 128 | $drv_list = @("WdnisDrv", "wdfilter", "wdboot") 129 | foreach($drv in $drv_list) { 130 | if($(Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$drv")) { 131 | if( $(Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$drv").Start -eq 4) { 132 | Write-Host " [i] Driver $drv already disabled" 133 | } else { 134 | Write-Host " [i] Disable driver $drv (next reboot)" 135 | Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$drv" -Name Start -Value 4 136 | $need_reboot = $true 137 | } 138 | } else { 139 | Write-Host " [i] Driver $drv already deleted" 140 | } 141 | } 142 | 143 | # Check if service running or not 144 | if($(GET-Service -Name WinDefend).Status -eq "Running") { 145 | Write-Host " [+] WinDefend Service still running (reboot required)" 146 | $need_reboot = $true 147 | } else { 148 | Write-Host " [+] WinDefend Service not running" 149 | } 150 | 151 | 152 | ## STEP 3 : Reboot if needed, add a link to the script to Startup (will be runned again after reboot) 153 | 154 | 155 | $link_reboot = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\disable-defender.lnk" 156 | Remove-Item -Force "$link_reboot" -ErrorAction 'ignore' # Remove the link (only execute once after reboot) 157 | 158 | if($need_reboot) { 159 | Write-Host " [+] This script will be started again after reboot." -BackgroundColor DarkRed -ForegroundColor White 160 | 161 | $powershell_path = '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"' 162 | $cmdargs = "-ExecutionPolicy Bypass `"" + $MyInvocation.MyCommand.Path + "`" " + $MyInvocation.UnboundArguments 163 | 164 | $res = New-Item $(Split-Path -Path $link_reboot -Parent) -ItemType Directory -Force 165 | $WshShell = New-Object -comObject WScript.Shell 166 | $shortcut = $WshShell.CreateShortcut($link_reboot) 167 | $shortcut.TargetPath = $powershell_path 168 | $shortcut.Arguments = $cmdargs 169 | $shortcut.WorkingDirectory = "$(Split-Path -Path $PSScriptRoot -Parent)" 170 | $shortcut.Save() 171 | 172 | } else { 173 | 174 | 175 | ## STEP 4 : After reboot (we checked that everything was successfully disabled), make sure it doesn't come up again ! 176 | 177 | 178 | if($IsSystem) { 179 | 180 | # Configure the Defender registry to disable it (and the TamperProtection) 181 | # editing HKLM:\SOFTWARE\Microsoft\Windows Defender\ requires to be SYSTEM 182 | 183 | Write-Host " [+] Disable all functionnalities with registry keys (SYSTEM privilege)" 184 | 185 | # Cloud-delivered protection: 186 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SpyNetReporting -Value 0 187 | # Automatic Sample submission 188 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SubmitSamplesConsent -Value 0 189 | # Tamper protection 190 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name TamperProtection -Value 4 191 | 192 | # Disable in registry 193 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 194 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 195 | 196 | } else { 197 | Write-Host " [W] (Optional) Cannot configure registry (not SYSTEM)" 198 | } 199 | 200 | 201 | if($MyInvocation.UnboundArguments -And $($MyInvocation.UnboundArguments.tolower().Contains("-delete"))) { 202 | 203 | # Delete Defender files 204 | 205 | function Delete-Show-Error { 206 | $path_exists = Test-Path $args[0] 207 | if($path_exists) { 208 | Remove-Item -Recurse -Force -Path $args[0] 209 | } else { 210 | Write-Host " [i] $($args[0]) already deleted" 211 | } 212 | } 213 | 214 | Write-Host "" 215 | Write-Host "[+] Delete Windows Defender (files, services, drivers)" 216 | 217 | # Delete files 218 | Delete-Show-Error "C:\ProgramData\Windows\Windows Defender\" 219 | Delete-Show-Error "C:\ProgramData\Windows\Windows Defender Advanced Threat Protection\" 220 | 221 | # Delete drivers 222 | Delete-Show-Error "C:\Windows\System32\drivers\wd\" 223 | 224 | # Delete service registry entries 225 | foreach($svc in $svc_list) { 226 | Delete-Show-Error "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" 227 | } 228 | 229 | # Delete drivers registry entries 230 | foreach($drv in $drv_list) { 231 | Delete-Show-Error "HKLM:\SYSTEM\CurrentControlSet\Services\$drv" 232 | } 233 | } 234 | } 235 | 236 | Write-Host "" 237 | Read-Host -Prompt "Press any key to continue" 238 | -------------------------------------------------------------------------------- /pin-unpacker/MyPinTool.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Debug 10 | x64 11 | 12 | 13 | Release 14 | Win32 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {639EF517-FCFC-408E-9500-71F0DC0458DB} 23 | MyPinTool 24 | Win32Proj 25 | 10.0 26 | Unpacker 27 | 28 | 29 | 30 | DynamicLibrary 31 | MultiByte 32 | true 33 | v142 34 | 35 | 36 | DynamicLibrary 37 | MultiByte 38 | v142 39 | x86 40 | 41 | 42 | DynamicLibrary 43 | MultiByte 44 | true 45 | v142 46 | 47 | 48 | DynamicLibrary 49 | MultiByte 50 | v142 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | <_ProjectFileVersion>10.0.40219.1 70 | $(ProjectDir)$(Platform)\$(Configuration)\ 71 | $(Platform)\$(Configuration)\ 72 | false 73 | false 74 | $(ProjectDir)$(Platform)\$(Configuration)\ 75 | $(Platform)\$(Configuration)\ 76 | false 77 | false 78 | $(ProjectDir)$(Platform)\$(Configuration)\ 79 | $(Platform)\$(Configuration)\ 80 | false 81 | false 82 | $(ProjectDir)$(Platform)\$(Configuration)\ 83 | $(Platform)\$(Configuration)\ 84 | false 85 | false 86 | AllRules.ruleset 87 | 88 | 89 | AllRules.ruleset 90 | 91 | 92 | AllRules.ruleset 93 | 94 | 95 | AllRules.ruleset 96 | 97 | 98 | 99 | 100 | 101 | /GR- /GS- /EHs- /EHa- /Oi- /FIinclude/msvc_compat.h %(AdditionalOptions) 102 | Disabled 103 | $(PINTOOLS_DIR)\source\include\pin;$(PINTOOLS_DIR)\source\include\pin\gen;$(PINTOOLS_DIR)\source\toolsInstLib;$(PINTOOLS_DIR)\extras\xed-ia32\include\xed;$(PINTOOLS_DIR)\extras\components\include;$(PINTOOLS_DIR)\extras\stlport\include;$(PINTOOLS_DIR)\extras;$(PINTOOLS_DIR)\extras\libstdc++\include;$(PINTOOLS_DIR)\extras\crt\include;$(PINTOOLS_DIR)\extras\crt;$(PINTOOLS_DIR)\extras\crt\include\arch-x86;$(PINTOOLS_DIR)\extras\crt\include\kernel\uapi;$(PINTOOLS_DIR)\extras\crt\include\kernel\uapi\asm-x86;%(AdditionalIncludeDirectories);$(WindowsSdkDir)\include 104 | TARGET_IA32;HOST_IA32;TARGET_WINDOWS;__PIN__=1;PIN_CRT=1;__i386__;_WINDOWS_H_PATH_=$(WIN10SDK_INCLUDE)/um 105 | false 106 | 107 | 108 | Default 109 | MultiThreadedDebugDLL 110 | false 111 | true 112 | NotSet 113 | false 114 | 115 | 116 | Level3 117 | ProgramDatabase 118 | 4530;5208;%(DisableSpecificWarnings) 119 | stdcpp17 120 | stdc17 121 | 122 | 123 | /export:main /ignore:4210 /ignore:4281 %(AdditionalOptions) 124 | pin.lib;xed.lib;pinvm.lib;pincrt.lib;ntdll-32.lib;kernel32.lib;crtbeginS.obj 125 | $(PINTOOLS_DIR)\ia32\lib;$(PINTOOLS_DIR)\ia32\lib-ext;$(PINTOOLS_DIR)\extras\xed-ia32\lib;$(PINTOOLS_DIR)\ia32\runtime\pincrt;%(AdditionalLibraryDirectories);$(WindowsSdkDir)\lib 126 | true 127 | %(IgnoreSpecificDefaultLibraries) 128 | true 129 | NotSet 130 | false 131 | Ptrace_DllMainCRTStartup%4012 132 | 0x55000000 133 | MachineX86 134 | true 135 | false 136 | 137 | 138 | 139 | 140 | X64 141 | 142 | 143 | /GR- /GS- /EHs- /EHa- /Oi- /FIinclude/msvc_compat.h %(AdditionalOptions) 144 | Disabled 145 | $(PINTOOLS_DIR)\source\include\pin;$(PINTOOLS_DIR)\source\include\pin\gen;$(PINTOOLS_DIR)\source\toolsInstLib;$(PINTOOLS_DIR)\extras\xed-intel64\include\xed;$(PINTOOLS_DIR)\extras\components\include;$(PINTOOLS_DIR)\extras\stlport\include;$(PINTOOLS_DIR)\extras;$(PINTOOLS_DIR)\extras\libstdc++\include;$(PINTOOLS_DIR)\extras\crt\include;$(PINTOOLS_DIR)\extras\crt;$(PINTOOLS_DIR)\extras\crt\include\arch-x86_64;$(PINTOOLS_DIR)\extras\crt\include\kernel\uapi;$(PINTOOLS_DIR)\extras\crt\include\kernel\uapi\asm-x86;$(WindowsSdkDir)\include;%(AdditionalIncludeDirectories);$(WindowsSdkDir)\include 146 | TARGET_IA32E;HOST_IA32E;TARGET_WINDOWS;__PIN__=1;PIN_CRT=1;__LP64__;_WINDOWS_H_PATH_=$(WIN10SDK_INCLUDE)/um 147 | false 148 | 149 | 150 | Default 151 | MultiThreadedDebugDLL 152 | false 153 | true 154 | false 155 | 156 | 157 | Level3 158 | ProgramDatabase 159 | 4530;5208;%(DisableSpecificWarnings) 160 | stdcpp17 161 | stdc17 162 | 163 | 164 | /export:main /ignore:4210 /ignore:4281 %(AdditionalOptions) 165 | pin.lib;xed.lib;pinvm.lib;pincrt.lib;ntdll-64.lib;kernel32.lib;crtbeginS.obj 166 | $(PINTOOLS_DIR)\intel64\lib;$(PINTOOLS_DIR)\intel64\lib-ext;$(PINTOOLS_DIR)\extras\xed-intel64\lib;$(PINTOOLS_DIR)\intel64\runtime\pincrt;$(WindowsSdkDir)\lib;%(AdditionalLibraryDirectories);$(WindowsSdkDir)\lib 167 | true 168 | %(IgnoreSpecificDefaultLibraries) 169 | true 170 | NotSet 171 | false 172 | Ptrace_DllMainCRTStartup 173 | 0xC5000000 174 | MachineX64 175 | true 176 | 177 | 178 | 179 | 180 | /GR- /GS- /EHs- /EHa- /Oi- /FIinclude/msvc_compat.h %(AdditionalOptions) 181 | false 182 | false 183 | $(PINTOOLS_DIR)\source\include\pin;$(PINTOOLS_DIR)\source\include\pin\gen;$(PINTOOLS_DIR)\source\toolsInstLib;$(PINTOOLS_DIR)\extras\xed-ia32\include\xed;$(PINTOOLS_DIR)\extras\components\include;$(PINTOOLS_DIR)\extras\stlport\include;$(PINTOOLS_DIR)\extras;$(PINTOOLS_DIR)\extras\libstdc++\include;$(PINTOOLS_DIR)\extras\crt\include;$(PINTOOLS_DIR)\extras\crt;$(PINTOOLS_DIR)\extras\crt\include\arch-x86;$(PINTOOLS_DIR)\extras\crt\include\kernel\uapi;$(PINTOOLS_DIR)\extras\crt\include\kernel\uapi\asm-x86;%(AdditionalIncludeDirectories);$(WindowsSdkDir)\include 184 | TARGET_IA32;HOST_IA32;TARGET_WINDOWS;__PIN__=1;PIN_CRT=1;__i386__;_WINDOWS_H_PATH_=$(WIN10SDK_INCLUDE)/um 185 | false 186 | 187 | 188 | Default 189 | MultiThreadedDLL 190 | false 191 | true 192 | NotSet 193 | false 194 | 195 | 196 | Level3 197 | 198 | 199 | 4530;5208;%(DisableSpecificWarnings) 200 | stdcpp17 201 | stdc17 202 | 203 | 204 | /export:main /ignore:4210 /ignore:4281 %(AdditionalOptions) 205 | pin.lib;xed.lib;pinvm.lib;pincrt.lib;ntdll-32.lib;kernel32.lib;crtbeginS.obj 206 | $(PINTOOLS_DIR)\ia32\lib;$(PINTOOLS_DIR)\ia32\lib-ext;$(PINTOOLS_DIR)\extras\xed-ia32\lib;$(PINTOOLS_DIR)\ia32\runtime\pincrt;%(AdditionalLibraryDirectories);$(WindowsSdkDir)\lib 207 | true 208 | %(IgnoreSpecificDefaultLibraries) 209 | true 210 | NotSet 211 | true 212 | 213 | 214 | 215 | 216 | Ptrace_DllMainCRTStartup%4012 217 | 0x55000000 218 | MachineX86 219 | false 220 | 221 | 222 | 223 | 224 | X64 225 | 226 | 227 | /GR- /GS- /EHs- /EHa- /Oi- /FIinclude/msvc_compat.h %(AdditionalOptions) 228 | false 229 | false 230 | $(PINTOOLS_DIR)\source\include\pin;$(PINTOOLS_DIR)\source\include\pin\gen;$(PINTOOLS_DIR)\source\toolsInstLib;$(PINTOOLS_DIR)\extras\xed-intel64\include\xed;$(PINTOOLS_DIR)\extras\components\include;$(PINTOOLS_DIR)\extras\stlport\include;$(PINTOOLS_DIR)\extras;$(PINTOOLS_DIR)\extras\libstdc++\include;$(PINTOOLS_DIR)\extras\crt\include;$(PINTOOLS_DIR)\extras\crt;$(PINTOOLS_DIR)\extras\crt\include\arch-x86_64;$(PINTOOLS_DIR)\extras\crt\include\kernel\uapi;$(PINTOOLS_DIR)\extras\crt\include\kernel\uapi\asm-x86;$(WindowsSdkDir)\include;%(AdditionalIncludeDirectories);$(WindowsSdkDir)\include 231 | TARGET_IA32E;HOST_IA32E;TARGET_WINDOWS;__PIN__=1;PIN_CRT=1;__LP64__;_WINDOWS_H_PATH_=$(WIN10SDK_INCLUDE)/um 232 | false 233 | 234 | 235 | Default 236 | MultiThreadedDLL 237 | false 238 | true 239 | false 240 | 241 | 242 | Level3 243 | 244 | 245 | 4530;5208;%(DisableSpecificWarnings) 246 | stdcpp17 247 | stdc17 248 | 249 | 250 | /export:main /ignore:4210 /ignore:4281 %(AdditionalOptions) 251 | pin.lib;xed.lib;pinvm.lib;pincrt.lib;ntdll-64.lib;kernel32.lib;crtbeginS.obj 252 | $(PINTOOLS_DIR)\intel64\lib;$(PINTOOLS_DIR)\intel64\lib-ext;$(PINTOOLS_DIR)\extras\xed-intel64\lib;$(PINTOOLS_DIR)\intel64\runtime\pincrt;$(WindowsSdkDir)\lib;%(AdditionalLibraryDirectories);$(WindowsSdkDir)\lib 253 | true 254 | %(IgnoreSpecificDefaultLibraries) 255 | true 256 | NotSet 257 | true 258 | 259 | 260 | 261 | 262 | Ptrace_DllMainCRTStartup 263 | 0xC5000000 264 | MachineX64 265 | 266 | 267 | 268 | 269 | 270 | 271 | 272 | 273 | 274 | 275 | 276 | 277 | 278 | 279 | 280 | 281 | 282 | 283 | 284 | --------------------------------------------------------------------------------