couple of DBI examples

Author: yurichev

ChangeLog

@@ -1,3 +1,4 @@
+02-Jul-2018: DBI examples: minesweeper and WinRAR
 15-Sep-2016: More fundamentals and examples
 14-Sep-2016: More of my blog posts are copypasted into the book
 06-Sep-2016: Blog posts about FAT12 and fortune file has been copypasted into the book

DBI/XOR/files/Rar.exe

@@ -0,0 +1,136 @@
+// based on emudiv.cpp
+
+// by dennis(a)yurichev.com
+
+#include <stdio.h>
+#include "pin.H"
+#include <iostream>
+#include <fstream>
+
+std::ofstream TraceFile;
+
+KNOB<string> KnobOutputFile(KNOB_MODE_WRITEONCE, "pintool",
+	"o", "XOR_ins.out", "specify trace file name");
+
+std::map<ADDRINT, int> XORs;
+PIN_LOCK lock;
+
+// ==== these functions executed during runtime (begin) ====
+VOID log_info (ADDRINT ip, ADDRINT op1, ADDRINT op2)
+{
+	if (op1!=op2 && op1!=0 && op2!=0 && op1!=0xffffffff && op2!=0xffffffff)
+	{
+		//TraceFile << "ip=" << ip << " op1=" << op1 << " op2=" << op2 << endl;
+		XORs[ip]=XORs[ip]+1;
+	};
+};
+
+VOID XOR_reg_reg(ADDRINT ip, ADDRINT op1, ADDRINT op2, THREADID threadid)
+{
+	PIN_GetLock(&lock, threadid+1);
+	log_info (ip, op1, op2);
+	PIN_ReleaseLock(&lock);
+}
+
+VOID XOR_mem_reg(ADDRINT ip, ADDRINT *op1_addr, unsigned int op1_size, ADDRINT op2, THREADID threadid)
+{
+	PIN_GetLock(&lock, threadid+1);
+	ADDRINT op1;
+	PIN_SafeCopy(&op1, op1_addr, op1_size);
+	log_info (ip, op1, op2);
+	PIN_ReleaseLock(&lock);
+};
+
+// save stat, do not track registers (yet)
+VOID PXOR(ADDRINT ip, THREADID threadid)
+{
+	PIN_GetLock(&lock, threadid+1);
+	//TraceFile << "PXOR at " << ip << endl;
+	XORs[ip]=XORs[ip]+1;
+	PIN_ReleaseLock(&lock);
+}
+// ==== these functions executed during runtime (end) ====
+
+// this function executed only during startup, so no need to optimize anything here:
+VOID InstrumentXOR(INS ins, VOID* v)
+{
+	// XOR reg, reg
+	if ((INS_Mnemonic(ins) == "XOR") && (INS_OperandIsReg(ins, 0)) && (INS_OperandIsReg(ins, 1)))
+	{
+		INS_InsertCall(ins,
+			IPOINT_BEFORE,
+			AFUNPTR(XOR_reg_reg),
+			IARG_INST_PTR,
+			IARG_REG_VALUE, REG(INS_OperandReg(ins, 0)),
+			IARG_REG_VALUE, REG(INS_OperandReg(ins, 1)),
+			IARG_THREAD_ID,
+			IARG_END);
+	}
+
+	// XOR mem, reg
+	if ((INS_Mnemonic(ins) == "XOR") && INS_OperandIsMemory(ins, 0) && INS_OperandIsReg(ins, 1))
+	{
+		INS_InsertCall(ins,
+			IPOINT_BEFORE,
+			AFUNPTR(XOR_mem_reg),
+			IARG_INST_PTR,
+			IARG_MEMORYREAD_EA,
+			IARG_MEMORYREAD_SIZE,
+			IARG_REG_VALUE, REG(INS_OperandReg(ins, 1)),
+			IARG_THREAD_ID,
+			IARG_END);
+	}
+
+	// XOR reg, mem
+	if ((INS_Mnemonic(ins) == "XOR") && INS_OperandIsReg(ins, 0) && INS_OperandIsMemory(ins, 1))
+	{
+		INS_InsertCall(ins,
+			IPOINT_BEFORE,
+			AFUNPTR(XOR_mem_reg),
+			IARG_INST_PTR,
+			IARG_MEMORYREAD_EA,
+			IARG_MEMORYREAD_SIZE,
+			IARG_REG_VALUE, REG(INS_OperandReg(ins, 0)),
+			IARG_THREAD_ID,
+			IARG_END);
+	}
+
+	if ((INS_Mnemonic(ins) == "PXOR"))
+	{
+		INS_InsertCall(ins,
+			IPOINT_BEFORE,
+			AFUNPTR(PXOR),
+			IARG_INST_PTR,
+			IARG_THREAD_ID,
+			IARG_END);
+	}
+}
+
+INT32 Usage()
+{
+	cerr << "This tool intercepts XOR/PXOR" << endl;
+	cerr << KNOB_BASE::StringKnobSummary() << endl << flush;
+	return -1;
+}
+
+VOID Fini(INT32 code, VOID *v)
+{
+	for (auto i=XORs.begin(); i!=XORs.end(); i++)
+		TraceFile << "ip=" << i->first << " count=" << i->second << endl;
+	TraceFile.close();
+}
+
+int main(int argc, char * argv[])
+{
+	if (PIN_Init(argc, argv))
+		return Usage();
+
+	TraceFile.open(KnobOutputFile.Value().c_str());
+
+	TraceFile << std::hex << std::showbase;
+	INS_AddInstrumentFunction(InstrumentXOR, 0);
+	PIN_AddFiniFunction(Fini, 0);
+	PIN_StartProgram();// Never returns
+
+	return 0;
+}

DBI/XOR/files/XOR_ins.cpp

@@ -0,0 +1,164 @@
+372,377c381,386
+< ip=0x140011902 count=0x2
+< ip=0x140011d31 count=0x2
+< ip=0x140011e75 count=0x1
+< ip=0x140012186 count=0x1
+< ip=0x140012b5a count=0x1
+< ip=0x140012f1f count=0x1
+---
+> ip=0x140011902 count=0x11
+> ip=0x140011d31 count=0x11
+> ip=0x140011e75 count=0x59
+> ip=0x140012186 count=0x59
+> ip=0x140012b5a count=0x59
+> ip=0x140012f1f count=0x59
+394,395c403,404
+< ip=0x1400175e2 count=0x9
+< ip=0x140017770 count=0x9
+---
+> ip=0x1400175e2 count=0xa
+> ip=0x140017770 count=0xa
+398,405c407,414
+< ip=0x140017b21 count=0xd84
+< ip=0x140017b48 count=0x81f
+< ip=0x140017b59 count=0x858
+< ip=0x140017b6a count=0xc13
+< ip=0x140017b7b count=0xefc
+< ip=0x140017b8a count=0xefd
+< ip=0x140017b92 count=0xb86
+< ip=0x140017ba1 count=0xf01
+---
+> ip=0x140017b21 count=0x9eab5
+> ip=0x140017b48 count=0x79863
+> ip=0x140017b59 count=0x862e8
+> ip=0x140017b6a count=0x99495
+> ip=0x140017b7b count=0xa891c
+> ip=0x140017b8a count=0xa89f4
+> ip=0x140017b92 count=0x8ed72
+> ip=0x140017ba1 count=0xa8a8a
+435,445c444,456
+< ip=0x140025ede count=0x5
+< ip=0x140026000 count=0x5
+< ip=0x140026050 count=0x5
+< ip=0x14002622e count=0x5
+< ip=0x1400277b7 count=0x1
+< ip=0x1400278e9 count=0x1
+< ip=0x14002c4f1 count=0x4fce
+< ip=0x14002c586 count=0x1
+< ip=0x14002c73f count=0x1
+< ip=0x14002e006 count=0x1
+< ip=0x14002e416 count=0x1
+---
+> ip=0x140025ede count=0x1bd
+> ip=0x140026000 count=0x1bd
+> ip=0x140026050 count=0x1bd
+> ip=0x14002622e count=0x1bd
+> ip=0x1400277b7 count=0x55
+> ip=0x1400278e9 count=0x55
+> ip=0x14002c4f1 count=0x4463be
+> ip=0x14002c586 count=0x35
+> ip=0x14002c73f count=0x35
+> ip=0x14002e006 count=0x55
+> ip=0x14002e416 count=0x55
+> ip=0x14002e47e count=0x20
+> ip=0x14002e677 count=0x20
+480,481c491,492
+< ip=0x14004104a count=0x367
+< ip=0x140041057 count=0x367
+---
+> ip=0x14004104a count=0x24193
+> ip=0x140041057 count=0x24193
+497c508
+< ip=0x140043e10 count=0x23006
+---
+> ip=0x140043e10 count=0x23004
+499c510
+< ip=0x140043e56 count=0x22ffd
+---
+> ip=0x140043e56 count=0x23002
+501c512
+< ip=0x140043e95 count=0x23005
+---
+> ip=0x140043e95 count=0x22ffd
+503c514
+< ip=0x140043ece count=0x23001
+---
+> ip=0x140043ece count=0x22fff
+505c516
+< ip=0x140043f19 count=0x23004
+---
+> ip=0x140043f19 count=0x22ffe
+507c518
+< ip=0x140043f3f count=0x23004
+---
+> ip=0x140043f3f count=0x23003
+509c520
+< ip=0x140043f83 count=0x22fff
+---
+> ip=0x140043f83 count=0x23004
+511c522
+< ip=0x140043fba count=0x2300a
+---
+> ip=0x140043fba count=0x23001
+513c524
+< ip=0x140043ffb count=0x23009
+---
+> ip=0x140043ffb count=0x23003
+515c526
+< ip=0x140044013 count=0x23008
+---
+> ip=0x140044013 count=0x22ffc
+517c528
+< ip=0x14004407c count=0x23002
+---
+> ip=0x14004407c count=0x23009
+519c530
+< ip=0x14004409f count=0x23004
+---
+> ip=0x14004409f count=0x22ffd
+521c532
+< ip=0x1400440f3 count=0x23009
+---
+> ip=0x1400440f3 count=0x22fff
+523c534
+< ip=0x14004412d count=0x23001
+---
+> ip=0x14004412d count=0x22ffd
+525c536
+< ip=0x140044146 count=0x22ffc
+---
+> ip=0x140044146 count=0x22ffe
+527c538
+< ip=0x14004419c count=0x23002
+---
+> ip=0x14004419c count=0x23005
+529c540
+< ip=0x1400441b9 count=0x23003
+---
+> ip=0x1400441b9 count=0x23006
+537c548
+< ip=0x140044224 count=0x23005
+---
+> ip=0x140044224 count=0x23006
+542c553
+< ip=0x140044247 count=0x23004
+---
+> ip=0x140044247 count=0x23006
+547c558
+< ip=0x140044280 count=0x23003
+---
+> ip=0x140044280 count=0x23007
+846,849c857,860
+< ip=0x14005bec3 count=0xd
+< ip=0x14005c143 count=0xd
+< ip=0x14005d19c count=0xa
+< ip=0x14005d387 count=0xa
+---
+> ip=0x14005bec3 count=0xe
+> ip=0x14005c143 count=0xe
+> ip=0x14005d19c count=0xb
+> ip=0x14005d387 count=0xb
+862c873
+< ip=0x14006292c count=0x5f
+---
+> ip=0x14006292c count=0x60