Binary instrumentation~
Say something
Although it is not the main thing to do, the body of knowledge a security engineer needs is very large.
Learning about other subjects helps train your thinking, so keep a record of the learning process.
What is instrumentation
Dynamic binary instrumentation (DBI) is a method of analyzing the behavior of a binary application at runtime by injecting instrumentation code into it.
According to the user's analysis requirements, DBI inserts specific analysis code into the program while it executes, without changing the program's dynamic execution results, and in this way monitors and analyzes the program's dynamic execution process.
Why instrument
Source code instrumentation
You must have tried this way to debug your program:
...
printf("牛奶颜色:%s\n", milk_color);
...
This is source code instrumentation, which is convenient and quick. If the printed milk color is black, you know the program has gone wrong.
Binary instrumentation
Inject the instrumentation code into the running process, and you can debug the program in the same way...
mov esp, ebp
; I insert here, I look~
pop ebp
In this way you can inspect ebp at that point, for example, but the process is more cumbersome than source code instrumentation: the binary first has to be disassembled.
How instrumentation is done
There are two main ways to apply it and three execution modes.
Way 1:
The program runs from beginning to end under the control of the dynamic binary instrumentation system.
Way 2:
The dynamic binary instrumentation system is attached to a program that is already running.
The first mode:
JIT mode is the most common implementation and the most frequently used mode:
the original code is copied, the copy is modified, and the modified copy is executed.
The second mode:
Interpretation mode: the instrumentation system interprets the program's instructions itself.
The third mode:
Probe mode: the old instructions are overwritten with new ones in place, so nothing is copied.
Instrumentation example
Pin dynamic binary instrumentation
Pin is a dynamic binary instrumentation framework developed by Intel. With it you can insert various functions while the binary program runs and monitor every step of its execution.
Link: download it from the official website.
Pin is closed source and consists of two parts, Pin and Pintools. Pin exposes an API; users use that API to write a plug-in, in the form of a dynamic link library that Pin can load, called a Pintool.
Generally, a Pintool contains the two components needed for instrumentation:
Instrumentation code
    Decides at which locations the instrumentation is inserted.
Analysis code
    The code that is executed at the selected locations.
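To make the instrumentation/analysis split concrete, and to show the interpretation mode described above, here is an added example written for this article; it is not code from the original post and it is not Intel's Pin. It simulates a tiny DBI engine that interprets a constructed toy instruction set: the engine calls the tool's instrumentation routine once, the first time an address is seen, and that routine attaches analysis routines that then run every time the instruction executes. The helper names dbi_add_instrument_function and dbi_insert_call are stand-ins for the roles Pin's INS_AddInstrumentFunction and INS_InsertCall play; the toy ISA, the sample program and the counters are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Toy ISA for the simulated program (constructed for this example, not a real ISA). */
enum opcode { OP_PUSH, OP_LOAD, OP_STORE, OP_ADD, OP_JNZ, OP_HALT };
struct ins { enum opcode op; int imm; };   /* imm: value, memory slot, or jump target */

/* Machine state: a small operand stack, four memory slots, a program counter. */
struct machine { int stack[16]; int sp; int mem[4]; int pc; };

/* Analysis routine: runs before the instruction at addr, every time it executes. */
typedef void (*analysis_fn)(int addr, const struct ins *in, const struct machine *m);

#define MAX_CODE 64
#define MAX_ANALYSIS 4
/* Per-address state kept by the engine: has the instrumentation routine run here,
 * and which analysis routines were attached before this instruction. */
struct site { int instrumented; analysis_fn fns[MAX_ANALYSIS]; int nfns; };
/* Instrumentation routine: runs once per address, the first time it is reached. */
typedef void (*instrument_fn)(int addr, const struct ins *in, struct site *s);

/* ---- Engine side (the role Pin plays): interpretation mode ---- */
static struct site g_sites[MAX_CODE];
static instrument_fn g_instrument;

/* Register the tool's instrumentation routine (stand-in for INS_AddInstrumentFunction). */
static void dbi_add_instrument_function(instrument_fn f) { g_instrument = f; }

/* Attach an analysis routine to run before one address (stand-in for INS_InsertCall). */
static void dbi_insert_call(struct site *s, analysis_fn f) {
    if (s->nfns < MAX_ANALYSIS) s->fns[s->nfns++] = f;
}

/* Fetch, instrument on first sight, run attached analysis routines, then execute. */
static int dbi_run(const struct ins *code, int ncode, struct machine *m) {
    memset(g_sites, 0, sizeof g_sites);
    memset(m, 0, sizeof *m);
    for (;;) {
        if (m->pc < 0 || m->pc >= ncode) return -1;      /* ran off the end of the code */
        const struct ins *in = &code[m->pc];
        struct site *s = &g_sites[m->pc];
        if (!s->instrumented) {                          /* instrumentation code: once per address */
            s->instrumented = 1;
            if (g_instrument) g_instrument(m->pc, in, s);
        }
        for (int i = 0; i < s->nfns; i++)                /* analysis code: every execution */
            s->fns[i](m->pc, in, m);
        switch (in->op) {
        case OP_PUSH:  m->stack[m->sp++] = in->imm; m->pc++; break;
        case OP_LOAD:  m->stack[m->sp++] = m->mem[in->imm]; m->pc++; break;
        case OP_STORE: m->mem[in->imm] = m->stack[--m->sp]; m->pc++; break;
        case OP_ADD:   m->sp--; m->stack[m->sp - 1] += m->stack[m->sp]; m->pc++; break;
        case OP_JNZ:   m->pc = m->stack[--m->sp] ? in->imm : m->pc + 1; break;
        case OP_HALT:  return 0;
        }
    }
}

/* ---- Tool side (the role a Pintool plays): an instruction counter and a store tracer ---- */
static long g_icount, g_stores;
static int g_sites_seen;

static void count_ins(int addr, const struct ins *in, const struct machine *m) {
    (void)addr; (void)in; (void)m;
    g_icount++;                                          /* dynamic instruction count */
}
static void trace_store(int addr, const struct ins *in, const struct machine *m) {
    g_stores++;                                          /* value about to be stored is the stack top */
    printf("store at %d: mem[%d] <- %d\n", addr, in->imm, m->stack[m->sp - 1]);
}
/* Instrumentation routine: decides, per address, which analysis routines to attach. */
static void tool_instrument(int addr, const struct ins *in, struct site *s) {
    (void)addr;
    g_sites_seen++;
    dbi_insert_call(s, count_ins);                           /* before every instruction */
    if (in->op == OP_STORE) dbi_insert_call(s, trace_store); /* only before memory writes */
}

struct tool_result { long icount; long stores; int sites; int final_mem0; };

/* Constructed sample program: mem[0] = 3; do { mem[0] -= 1; } while (mem[0] != 0); */
struct tool_result run_sample(void) {
    static const struct ins prog[] = {
        {OP_PUSH, 3}, {OP_STORE, 0},                              /* 0-1: mem[0] = 3 */
        {OP_LOAD, 0}, {OP_PUSH, -1}, {OP_ADD, 0}, {OP_STORE, 0},  /* 2-5: mem[0] -= 1 */
        {OP_LOAD, 0}, {OP_JNZ, 2},                                /* 6-7: loop while nonzero */
        {OP_HALT, 0},                                             /* 8 */
    };
    struct machine m;
    g_icount = g_stores = 0; g_sites_seen = 0;
    dbi_add_instrument_function(tool_instrument);
    dbi_run(prog, (int)(sizeof prog / sizeof prog[0]), &m);
    struct tool_result r = { g_icount, g_stores, g_sites_seen, m.mem[0] };
    return r;
}

int main(void) {
    struct tool_result r = run_sample();
    printf("instrumented sites: %d, instructions executed: %ld, stores: %ld\n",
           r.sites, r.icount, r.stores);
    return 0;
}
```

The point to notice is the asymmetry: the instrumentation routine runs 9 times (once per address), while the analysis routines run 21 times in total (once per executed instruction) and the store tracer fires 4 times, because the loop body is instrumented once but executed three times. This is exactly the division of labor between a Pintool's instrumentation code and its analysis code.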