Reputation: 1223
How to get memory operation values using Intel PIN?
I am using Intel PIN to modify memory allocation in the system.
I cannot find a way to get the actual values under memory instructions.
VOID Instruction(INS ins, VOID *v) {
UINT32 memOperands = INS_MemoryOperandCount(ins)
for (UINT32 memOp = 0; memOp < memOperands; memOp++) {
if (INS_MemoryOperandIsRead(ins, memOp)) {
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE, (AFUNPTR)RecordMemRead,
IARG_INST_PTR,
IARG_MEMORYOP_EA, memOp,
IARG_END);
}
if (INS_MemoryOperandIsWritten(ins, memOp)) {
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE, (AFUNPTR)RecordMemWrite,
IARG_INST_PTR,
IARG_MEMORYOP_EA, memOp,
IARG_END);
}
}
}
VOID RecordMemRead(VOID * ip, VOID * addr) {
if (!Record) return;
printf("%p: R %p\n", ip, addr);
}
VOID RecordMemWrite(VOID * ip, VOID * addr) {
if (!Record) return;
printf("%p: R %p\n", ip, addr);
}
As I understand this only prints the instruction pointer and the register address of the operand. Is that correct? If so, how can I get the value of this register?
Ultimately, what I am trying to do is intercept all assignments to static and heap variables and translate them to some procedure calls to save the values on Google Bigtable.
Upvotes: 4
Views: 1710
Answers (1)
Reputation: 8166
As I understand this [...] prints the instruction pointer
Yes, due to IARG_INST_PTR.
and the register address of the operand
No, what you get is the EA (Effective Address) of the operand which is defined as:
Effective Address = Displacement + Base_Reg + Index_Reg * Scale
Suppose you have the following instruction (Intel syntax):
mov eax, [ebx+ecx+0xf]
The EA of the source operand (right operand) is the computed address for [ebx+ecx+0xf], you don't get the value of each of the components of the EA if you use IARG_MEMORYOP_EA.
As you only want to track down heap and static variables assignments, you're probably not interested in the "components" of the operands.
Ultimately, what I am trying to do is intercept all assignments to static and heap variables and translate them to some procedure calls to save the values on Google Bigtable.
Not an easy task, tho.
You could use the RTN_xxx function to track calls to memory allocation and liberation functions (typically, malloc() and free()). I think there an example that comes with the PIN source.
For malloc() you could track down the returned pointer and the size of the allocation (put that on a std::map for example). Each time you have a write, check if it falls within the range of one of your allocation. For each free(), remove the pointer from the map.
As for static variables, you could track loaded modules with IMG_AddInstrumentFunction and see if a write happens in one of the sections of your executable.
Upvotes: 1
Related Questions
- How do I get the value that is written by a store instruction in Pin?
- PIN: identify MOV and indirect memory operand
- How to use intel pin tools on applications?
- Intel pin: getting instruction memory write\read size
- Intel Pin: how to obtain return address of system call
- Using IARG_MEMORYWRITE_SIZE and IARG_MEMORYREAD_SIZE parameter in Intel Pin
- Using IARG_MEMORYREAD_EA
- Using Intel's PIN tool to count the number of cache hits/misses in a program
- Intel Pin Get Function Argument Number
- Intel pin: Instrumentate running process