Intel pin small example

Test Pin
Pin is a dynamic binary instrumentation tool. Dynamic means that its instrumentation is executed at runtime, without the need for the source code of the program.
Instruction: an assembly instruction;

Basic blocks: instruction sequence ending with conditional jump;

Trace: A sequence of basic blocks ending with an unconditional jump.

Run a demo. In this example, if the insmix tool is built successfully, the insmix.so file will be generated in source/tools/Insmix/obj-intel64/. The tool is then executed from the Pin root directory, and the resulting file, insmix.out, is written to the Pin root directory.

Example 2: Count the number of instructions (instruction instrumentation)

The analysis results can be written to a specified file by adding the -o option:

pin -t obj-intel64/inscount0.so -o inscount0.log -- /bin/ls

Example 3: Memory Reference Trace

Sometimes you only want to instrument a certain type of instruction, such as memory operations (reads and writes). For this, you can use the API that Pin provides to classify and examine instructions. (There is a basic API for all instruction sets, and a special API for a particular instruction set.)
This example examines each instruction to decide whether to instrument it. The tool tracks and outputs the memory addresses referenced by the program. It calls INS_InsertPredicatedCall instead of INS_InsertCall, so that no reference is recorded for a predicated instruction when its predicate is false.
Source code:

/*
 *  This file contains an ISA-portable PIN tool for tracing memory accesses.
 */

#include <stdio.h>
#include "pin.H"

FILE * trace;

// Print a memory read record
VOID RecordMemRead(VOID * ip, VOID * addr)
{
    fprintf(trace,"%p: R %p\n", ip, addr);
}

// Print a memory write record
VOID RecordMemWrite(VOID * ip, VOID * addr)
{
    fprintf(trace,"%p: W %p\n", ip, addr);
}

// Is called for every instruction and instruments reads and writes
VOID Instruction(INS ins, VOID *v)
{
    // Instruments memory accesses using a predicated call, i.e.
    // the instrumentation is called iff the instruction will actually be executed.
    //
    // On the IA-32 and Intel(R) 64 architectures conditional moves and REP
    // prefixed instructions appear as predicated instructions in Pin.
    UINT32 memOperands = INS_MemoryOperandCount(ins);

    // Iterate over each memory operand of the instruction.
    for (UINT32 memOp = 0; memOp < memOperands; memOp++)
    {
        if (INS_MemoryOperandIsRead(ins, memOp))
        {
            // Instrument only this memory operand and attach the
            // analysis function RecordMemRead.
            INS_InsertPredicatedCall(
                ins, IPOINT_BEFORE, (AFUNPTR)RecordMemRead,
                IARG_INST_PTR,
                IARG_MEMORYOP_EA, memOp,
                IARG_END);
        }
        // Note that in some architectures a single memory operand can be
        // both read and written (for instance incl (%eax) on IA-32)
        // In that case we instrument it once for read and once for write.
        if (INS_MemoryOperandIsWritten(ins, memOp))
        {
            INS_InsertPredicatedCall(
                ins, IPOINT_BEFORE, (AFUNPTR)RecordMemWrite,
                IARG_INST_PTR,
                IARG_MEMORYOP_EA, memOp,
                IARG_END);
        }
    }
}

// Called when the application exits: terminate and close the trace file.
VOID Fini(INT32 code, VOID *v)
{
    fprintf(trace, "#eof\n");
    fclose(trace);
}

/* ===================================================================== */
/* Print Help Message                                                    */
/* ===================================================================== */

INT32 Usage()
{
    PIN_ERROR( "This Pintool prints a trace of memory addresses\n"
              + KNOB_BASE::StringKnobSummary() + "\n");
    return -1;
}

/* ===================================================================== */
/* Main                                                                  */
/* ===================================================================== */

int main(int argc, char *argv[])
{
    if (PIN_Init(argc, argv)) return Usage();

    trace = fopen("pinatrace.out", "w");

    // Instruction() is called for every instruction
    INS_AddInstrumentFunction(Instruction, 0);
    PIN_AddFiniFunction(Fini, 0);

    // Never returns
    PIN_StartProgram();

    return 0;
}
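
The tool writes one "ip: R|W addr" line per access and a final "#eof" line from Fini(), so a trace without "#eof" came from a run that did not exit normally. The following added example (not part of the original post or of the Pin kit) parses that format without needing Pin and reports per-instruction counts and whether the trace is complete; the names ParseTrace, TraceSummary and kSample are assumptions, and the sample trace is constructed.

```cpp
// Added example: summarize a pinatrace.out-style trace. Does not depend on Pin.
#include <cstdint>
#include <cstdio>
#include <map>
#include <set>
#include <sstream>
#include <string>

struct IpStats { uint64_t reads = 0, writes = 0; std::set<uint64_t> targets; };

struct TraceSummary {
    std::map<uint64_t, IpStats> perIp;  // keyed by instruction address
    uint64_t malformed = 0;             // lines not matching "ip: R|W addr"
    bool complete = false;              // true only if Fini() wrote "#eof"
};

TraceSummary ParseTrace(std::istream& in) {
    TraceSummary s;
    std::string line;
    while (std::getline(in, line)) {
        if (line == "#eof") { s.complete = true; break; }
        unsigned long long ip = 0, addr = 0;
        char kind = 0;
        // %llx accepts the optional "0x" prefix that %p usually prints.
        if (std::sscanf(line.c_str(), "%llx: %c %llx", &ip, &kind, &addr) != 3 ||
            (kind != 'R' && kind != 'W')) { ++s.malformed; continue; }
        IpStats& st = s.perIp[ip];
        (kind == 'R' ? st.reads : st.writes)++;
        st.targets.insert(addr);
    }
    return s;
}

// Constructed sample: the last record is cut short and "#eof" is missing,
// as when the traced process is killed before Fini() runs.
const char* kSample =
    "0x401000: R 0x7ffc1000\n0x401004: W 0x7ffc1008\n"
    "0x401000: R 0x7ffc1010\n0x401004: W 0x7ffc1008\n"
    "0x40100a: W";

int main() {
    std::istringstream in(kSample);
    TraceSummary s = ParseTrace(in);
    for (const auto& kv : s.perIp)
        std::printf("%#llx reads=%llu writes=%llu distinct=%zu\n",
                    (unsigned long long)kv.first, (unsigned long long)kv.second.reads,
                    (unsigned long long)kv.second.writes, kv.second.targets.size());
    std::printf("malformed=%llu complete=%s\n",
                (unsigned long long)s.malformed, s.complete ? "yes" : "no");
    return s.complete ? 0 : 1;
}
```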

Origin blog.csdn.net/shanlijia/article/details/107047507