PIEtrace (x86) (implemented as a Pintool)

Post date: Jan 29, 2013 5:41:19 AM

This is our x86 implementation.

Like other Pintools, you run our system on an input program as follows:

pin -t [pintool name] -- "input program file name" "argument"

Our system reads a configuration file that sets where tracing starts and where the output goes.

The configuration file must be "current path\config.ini" (config.ini in the directory you run from) and contain two values, "entrypoint" and "outputfolder":

1. entrypoint: the entry point (address) of the target (input) program. Our tool starts tracing from this address.

2. outputfolder: the folder path where the trace program will be generated.

[!] Make sure config.ini exists. The tool tries to print an error message when the config file is missing, but in some cases the message never reaches the screen because the Pin infrastructure fails before it can be printed.
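As an added example (not part of the PIEtrace distribution), the following Python script prepares a run: it reads the target's entry point from its PE header, writes config.ini into the current directory, and builds the "pin -t ... -- target args" command line shown above. The key=value layout of config.ini, the pin.exe and icount.dll paths, and the use of the PE header's preferred ImageBase are assumptions; a relocated (ASLR) image loads at a different base, so if tracing never starts, check the runtime address instead. The sample PE header in the block is constructed, header-only, and not a runnable program.

```python
"""Prepare config.ini for PIEtrace and build the matching Pin command line.

Added example, not part of PIEtrace.  Assumptions:
  * config.ini uses plain key=value lines (the page only names the two keys);
  * "entrypoint" is the entry point's virtual address, taken here as the PE
    header's preferred ImageBase + AddressOfEntryPoint (a relocated/ASLR'd
    image loads elsewhere, so verify the runtime base if tracing does not start);
  * the pin.exe and pintool DLL paths below are placeholders.
"""
import os
import struct
import subprocess
import sys


def _u16(b, off): return struct.unpack_from("<H", b, off)[0]
def _u32(b, off): return struct.unpack_from("<I", b, off)[0]
def _u64(b, off): return struct.unpack_from("<Q", b, off)[0]


def pe_entry_point(data: bytes) -> int:
    """Return ImageBase + AddressOfEntryPoint from a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    e_lfanew = _u32(data, 0x3C)                 # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                     # optional header follows the 20-byte COFF header
    magic = _u16(data, opt)
    entry_rva = _u32(data, opt + 16)            # AddressOfEntryPoint
    if magic == 0x10B:                          # PE32 (x86): 32-bit ImageBase at +28
        image_base = _u32(data, opt + 28)
    elif magic == 0x20B:                        # PE32+ (x64): 64-bit ImageBase at +24
        image_base = _u64(data, opt + 24)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return image_base + entry_rva


def make_config(entrypoint: int, outputfolder: str) -> str:
    """Render config.ini text (key=value layout is an assumption, see above)."""
    return "entrypoint=0x%08X\noutputfolder=%s\n" % (entrypoint, outputfolder)


def build_pin_cmdline(pin_exe, pintool_dll, target, target_args=()):
    """pin -t <pintool> -- <target> <args...>, the invocation form from the page."""
    return [pin_exe, "-t", pintool_dll, "--", target, *target_args]


def build_minimal_pe32(image_base=0x00400000, entry_rva=0x1000) -> bytes:
    """Constructed header-only PE32 used as sample input (no sections, not runnable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x102)  # Machine=i386, SizeOfOptionalHeader=0xE0
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)         # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)        # ImageBase
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python prep_trace.py <target.exe> [args...]   (writes .\config.ini, then runs Pin)
    target = sys.argv[1]
    with open(target, "rb") as f:
        ep = pe_entry_point(f.read())
    outdir = os.path.join(os.getcwd(), "out")
    os.makedirs(outdir, exist_ok=True)
    with open("config.ini", "w") as f:          # the tool reads "current path\config.ini"
        f.write(make_config(ep, outdir))
    cmd = build_pin_cmdline(r"C:\pin\pin.exe", r"C:\pinexec\icount.dll", target, sys.argv[2:])
    print("entrypoint 0x%08X -> %s" % (ep, " ".join(cmd)))
    sys.exit(subprocess.call(cmd))
```

The script refuses non-PE input and unknown optional-header magics rather than guessing an address, since a wrong "entrypoint" silently produces an empty or wrong trace.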

-------------------------------------

We provide pinexec.zip to simplify running the tool.

The zip contains a self-extracting executable; running it extracts all required files (DLLs, EXEs, config files).

Extract all files into the C:\pinexec folder, then open a command prompt and run the appropriate run_*.bat file.

The batch files are:

run_acrord.bat for Acrobat Reader

run_castripper.bat for Cast Ripper

run_freeamp.bat for FreeAmp

run_hh.bat for the HTML Help viewer (hh.exe)

run_pt.bat for Power Tab Editor

Each of them sets up the configuration files and feeds the vulnerable input file to the target program, except run_castripper.bat: Cast Ripper does not accept the input file as a command-line argument.

Make sure these batch files are in the "C:\pinexec\" folder.

-------------------------------------

We also provide pinexec_bho.zip to simplify the process.

It contains a self-extracting executable that unzips its contents automatically.

Place this file in "C:\" and run it; a "pinexec" folder will be created.

From the command line, run run_malware_ie.bat to get a trace from our BHO (Browser Helper Object) malware sample.

-------------------------------------

Once you have a trace program, add the files in virt_src.zip (below) before compiling it.

These files contain the set of functions used for memory and instruction virtualization.

-------------------------------------

To ease the build process, we provide a sample VS2008 project (tracep.zip), which can also be compiled with gcc on Linux.

With this sample project, only four steps are required to compile:

1. Run SetWin32.bat in the project folder.

2. Copy all files from the output folder (the "outputfolder" in config.ini) to the project folder.

3. Add or remove the re_func??.cpp files in the project so that it matches the files you copied.

4. Do "Rebuild All".

(* As you may know, editing source files can make VS2010 freeze. In that case, we recommend deleting the .ncb file, which holds the IntelliSense metadata for the source code.)

-------------------------------------

For Linux users, we provide a simple compilation helper program called "ctp" (Compile Trace Program).

To compile on Linux, follow these steps:

1. Run ./SetLinux.sh in the project folder.

2. Copy all files from the output folder to a new folder.

3. Execute "./ctp".

-------------------------------------

Note that tracep.zip already includes the contents of virt_src.zip, so you do not need to download both.

virt_src.zip is offered separately for those who want to study the implementation details of our virtualization layer.

To compile our tool (the Pintool) from source, first install the Pin framework.

Then go to "PIN directory\source\tools\SimpleExamples" and extract the provided source code (pietrace_src_v?.zip) there.

Build the icount target, one of the simplest Pin tools; the build produces icount.dll, which is our tool. Ignore the file name.

Thanks for your interest!