Reputation: 166
Intel Pin Tool: Get instruction from address
I'm using Intel's Pin Tool to do some binary instrumentation, and was wondering if there an API to get the instruction byte code at a given address.
Something like:
instruction = getInstructionatAddr(addr);
where addr is the desired address.
I know the function Instruction (used in many of the simple/manual examples) given by Pin gets the instruction, but I need to know the instructions at other addresses. I perused the web with no avail. Any help would be appreciated!
CHEERS
Upvotes: 1
Views: 3946
Answers (2)
Reputation: 8166
wondering if there an API to get the instruction byte code at a given address
Yes, it's possible but in a somewhat contrived way: with PIN you are usually interested in what is executed (or manipulated through the executed instructions), so everything outside the code / data flow is not of any interest for PIN.
PIN is using (and thus ships with) Intel XED which is an instruction encoder / decoder.
In your PIN installation you should have and \extra folder with two sub-directories: xed-ia32 and xed-intel64 (choose the one that suits your architecture). The main include file for XED is xed-interface.h located in the \include folder of the aforementioned directories.
In your Pintool, given any address in the virtual space of your pintooled program, use the
PIN_SafeCopyfunction to read the program memory (and thus bytes at the given address). The advantage ofPIN_SafeCopyis that it fails graciously even if it can't read the memory, and can read "shadowed" parts of the memory.Use XED to decode the instruction bytes for you.
For an example of how to decode an instruction with XED, see the first example program.
As the small example uses an hardcoded buffer (namely itext in the example program), replace this hardcoded buffer with the destination buffer you used in PIN_SafeCopy.
Obviously, you should make sure that the memory you are reading really contains code.
AFAIK, it is not possible to get an INS type (the usual type describing an instruction in PIN) from an arbitrary address as only addresses in the code flow will "generate" an INS type.
As a side note:
I know the function Instruction (used in many of the simple/manual examples) given by Pin gets the instruction
The Instruction routine used in many PIN example is called an "Instrumentation routine": its name is not relevant in itself.
Upvotes: 3
Reputation: 351
Pin_SafeCopy may help you. This API could copy memory content from the address space of target process to one specified buffer.
Upvotes: 0
Related Questions
- Intel Pin Modifying Instruction Addresses
- Pin Tool - intercepting an instruction by its address to dump the registers value
- How can I use the intel pin tool to count the instruction executed on linux?
- Intel pin: getting instruction memory write\read size
- PIN get assembly opcodes from instruction address
- Pin Binary instrumentation: How to precisely identify a function name.
- Pin: instrument a specified shared library
- Getting physical address in pin tool
- Using the debug information of a executable in a pin tool
- PIN - get process ID for the Binary being instrumented?