This pintool was written to identify interesting sequences of instructions that malware often uses to obfuscate control flow, stay position independent, detect virtual machines, perform anti-debugging tricks, or run encryption and decryption routines.
/*
Instruction tracer to identify
interesting sequences of instructions
in malware.
c0d3inj3cT
*/
#include <stdio.h>
#include <iostream>
#include "pin.H"
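/*
 * Instruction addresses at or above this value are skipped by the XOR, ADD,
 * SUB, CMP, LOOP and ROR checks.  The original repeated the literal
 * 0x3d930000 in every branch; presumably it separates the analysed image from
 * library code mapped higher in the traced process — confirm against the
 * target's memory map before reusing the tool on another sample.
 */
static const ADDRINT kAddressLimit = 0x3d930000;

/* Print one "address : disassembly<suffix>" line for a flagged instruction. */
static VOID Report(INS ins, const char *suffix)
{
    std::cout << std::hex << INS_Address(ins) << " : " << INS_Disassemble(ins)
              << suffix << std::endl;
}

/* True when the instruction lies below kAddressLimit. */
static bool BelowLimit(INS ins)
{
    return INS_Address(ins) < kAddressLimit;
}

/*
 * Short name of the first register read by the instruction, or "" when it
 * reads none.  The original queried read register 0 unconditionally; the
 * count check avoids asking Pin for a register operand that does not exist.
 */
static std::string FirstReadReg(INS ins)
{
    if (INS_MaxNumRRegs(ins) == 0) {
        return std::string();
    }
    return REG_StringShort(INS_RegR(ins, 0));
}

/* Short name of the first register written by the instruction, or "" when it writes none. */
static std::string FirstWriteReg(INS ins)
{
    if (INS_MaxNumWRegs(ins) == 0) {
        return std::string();
    }
    return REG_StringShort(INS_RegW(ins, 0));
}

/*
 * Register-pair filter shared by the XOR and ADD checks: the first read and
 * first written register must differ (drops the "xor reg, reg" zeroing idiom)
 * and neither may be the frame pointer.  With excludeStackPointer set (the ADD
 * case) the stack pointer is excluded as well, so ordinary stack adjustments
 * are not reported.
 */
static bool IsInterestingRegPair(INS ins, bool excludeStackPointer)
{
    const std::string regRead = FirstReadReg(ins);
    const std::string regWrite = FirstWriteReg(ins);

    if (regRead == regWrite || regRead == "ebp" || regWrite == "ebp") {
        return false;
    }
    if (excludeStackPointer && (regRead == "esp" || regWrite == "esp")) {
        return false;
    }
    return true;
}

/*
 * Value of operand 1 when it is an immediate, else 0.  The original called
 * INS_OperandImmediate on operand 1 without checking that the operand is an
 * immediate at all; a 0 result simply fails the mask tests below.
 */
static ADDRINT ImmediateOperand1(INS ins)
{
    return INS_OperandIsImmediate(ins, 1) ? INS_OperandImmediate(ins, 1) : 0;
}

/*
 * Pin instrumentation callback, invoked for each instruction as Pin
 * translates it.  Prints "address : disassembly" for the instruction forms
 * the gist's description associates with malware: XOR/ADD/SUB/ROR with
 * immediates and register pairs (decoding loops, obfuscation), LOOP,
 * descriptor-table stores and interrupt-flag changes (VM / anti-debug
 * probes), RDTSC (timing checks) and the call-to-next-instruction GetPC
 * idiom.
 *
 * Fix relative to the original else-if chain: the single-read-register XOR
 * and ADD checks were placed after branches that already matched every
 * XOR/ADD below the address limit, so they could never run.  They are now
 * folded into the XOR/ADD cases so a "xor reg, imm" style form is reported.
 *
 * ins  instruction being instrumented.
 * v    user pointer registered in main(); unused.
 */
VOID Instruction(INS ins, VOID *v)
{
    (void)v;
    const OPCODE op = INS_Opcode(ins);

    switch (op) {
    case XED_ICLASS_XOR:
        if (!BelowLimit(ins)) {
            return;
        }
        /* A single read register presumably means "xor reg, imm" — confirm
         * against Pin's operand model; register-pair forms go through the
         * ebp filter. */
        if (INS_MaxNumRRegs(ins) == 1 || IsInterestingRegPair(ins, false)) {
            Report(ins, "");
        }
        return;

    case XED_ICLASS_ADD:
        if (!BelowLimit(ins)) {
            return;
        }
        if (INS_MaxNumRRegs(ins) == 1 || IsInterestingRegPair(ins, true)) {
            Report(ins, "");
        }
        return;

    case XED_ICLASS_SIDT:
    case XED_ICLASS_SGDT:
    case XED_ICLASS_SLDT:
        /* Descriptor-table stores are reported at any address. */
        Report(ins, "");
        return;

    case XED_ICLASS_STI:
    case XED_ICLASS_CLI:
        Report(ins, "");
        return;

    case XED_ICLASS_SUB:
        /* sub with one read register and an immediate whose second byte is
         * non-zero, not writing esp — presumably to skip small stack and loop
         * adjustments. */
        if (BelowLimit(ins) && INS_MaxNumRRegs(ins) == 1
            && INS_RegWContain(ins, REG_ESP) == 0
            && (ImmediateOperand1(ins) & 0x0000ff00) != 0) {
            Report(ins, "");
        }
        return;

    case XED_ICLASS_CMP:
        /* Register compare (no memory read) of more than 3 bytes whose
         * immediate has a non-zero top byte — presumably a 32-bit magic value. */
        if (BelowLimit(ins) && INS_MaxNumRRegs(ins) == 1 && INS_Size(ins) > 0x3
            && INS_IsMemoryRead(ins) == 0
            && (ImmediateOperand1(ins) & 0xff000000) != 0) {
            Report(ins, "");
        }
        return;

    case XED_ICLASS_LOOP:
        if (BelowLimit(ins)) {
            Report(ins, "");
        }
        return;

    case XED_ICLASS_ROR:
        if (BelowLimit(ins) && INS_MaxNumRRegs(ins) == 1) {
            Report(ins, "");
        }
        return;

    case XED_ICLASS_RDTSC:
        Report(ins, "");
        return;

    default:
        /* Direct call whose target is the following instruction (5-byte
         * rel32 call): the call/pop GetPC idiom. */
        if (INS_IsCall(ins) && INS_IsIndirectBranchOrCall(ins) == 0
            && INS_DirectBranchOrCallTargetAddress(ins) == INS_Address(ins) + 0x5) {
            Report(ins, " --> GetPC ");
        }
        return;
    }
}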
/*
 * Fini callback registered in main(): runs once when the traced program
 * exits.  Only emits a completion marker; the exit code and user pointer
 * are not used.
 */
VOID Fini(INT32 code, VOID *v)
{
    (void)code;
    (void)v;
    fputs("Instrumentation has completed!\n", stdout);
}
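/*
 * Called when PIN_Init() rejects the command line.  The original returned -1
 * silently, leaving a failed launch undiagnosable; this version writes the
 * tool's purpose and Pin's knob summary to stderr first.
 *
 * Returns: -1, which main() propagates as the process exit status.
 */
INT32 Usage()
{
    std::cerr << "Instruction tracer: flags instruction sequences commonly seen in malware."
              << std::endl
              << KNOB_BASE::StringKnobSummary() << std::endl;
    return -1;
}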
/*
 * Tool entry point: initialise Pin from the command line, register the
 * per-instruction instrumentation callback and the finish callback, then
 * hand control to the traced program.  Pin documents PIN_StartProgram() as
 * not returning, so the trailing return only satisfies the compiler.
 *
 * Returns: Usage()'s status when Pin initialisation fails; 0 otherwise.
 */
int main(int argc, char *argv[])
{
    if (PIN_Init(argc, argv) != 0) {
        return Usage();
    }

    INS_AddInstrumentFunction(Instruction, NULL);
    PIN_AddFiniFunction(Fini, NULL);

    PIN_StartProgram();
    return 0;
}