
For a program analysis tool, I need to identify all types of MOV operations (Register->Register, Memory->Register, Register->Memory). I was able to identify Memory->Register, but failed for the other ones.

Another problem is indirect memory operands. I need to identify them somehow. I understand that PIN is able to check whether we have a memory read/memory write. But indirect memory accesses are e.g. `MOV eax, [ebx]`, aren't they? How can I handle them? I need the content of ebx in this example.

Cheers

moo
  • What exactly are you analysing? The binary, the object file, the generated assembly language? What do you mean by "identify"? – Alan Stokes Jun 07 '14 at 12:39
  • Hi Alan, it is a binary-only analysis. By identify I mean, e.g. I want to record the memory addresses and registers involved in a MOV. The algorithm I want to implement is introduced in the following paper: https://www.utdallas.edu/~zxl111930/file/Rewards_NDSS10.pdf (page 5, algorithm 1). – moo Jun 10 '14 at 07:40

1 Answer


Use INS_OperandMemoryBaseReg etc. I hope you are familiar with the complex way in which memory operands can be addressed on x86. If not, read the Intel manuals first or for a quick summary read for example this. You can get the other parts of something like [eax+ebx*2+25] with INS_OperandMemoryIndexReg, INS_OperandMemoryScale, INS_OperandMemoryDisplacement etc.

The code in movRMHandler() from http://devilheart.googlecode.com/svn-history/r80/trunk/devilheart/project_pin/devilheart/ins_handler.cpp should get you started.

Fizz
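As an added example (not code from the question, the answer, or the linked devilheart project), here is a stand-alone C++ decoder for the four 32-bit MOV forms (opcodes 88/89/8A/8B). It classifies each instruction as register-to-register, memory-to-register or register-to-memory, and breaks an indirect operand into the same base, index, scale and displacement parts that INS_OperandMemoryBaseReg, INS_OperandMemoryIndexReg, INS_OperandMemoryScale and INS_OperandMemoryDisplacement return in PIN. It deliberately does not include pin.H, so it compiles and runs anywhere. Assumptions: 32-bit mode with no prefixes (no 0x66 operand-size override, no REX), and the register numbering 0..7 = eax, ecx, edx, ebx, esp, ebp, esi, edi, which is the hardware ModRM encoding. It goes slightly beyond the answer by also computing the effective address from a register snapshot, which is what "I need the content of ebx" reduces to. All byte sequences in main are constructed test inputs.

```cpp
#include <cstdint>
#include <cstddef>
#include <initializer_list>
#include <iostream>
#include <string>
#include <vector>

// Operand direction of a MOV, the three cases from the question.
enum class MovKind { NotMov, RegToReg, MemToReg, RegToMem };

// Decomposed indirect operand: [base + index*scale + disp].
struct MemOperand {
    int base  = -1;    // register 0..7, -1 when absent (absolute [disp32])
    int index = -1;    // register 0..7, -1 when absent
    int scale = 1;     // 1, 2, 4 or 8
    int32_t disp = 0;  // sign-extended displacement
};

struct MovInfo {
    MovKind kind = MovKind::NotMov;
    int src = -1;      // source register (RegToReg, RegToMem)
    int dst = -1;      // destination register (RegToReg, MemToReg)
    MemOperand mem;    // valid for MemToReg / RegToMem
    size_t length = 0; // bytes consumed; 0 when not a MOV or truncated
};

static const char* const kRegNames[8] =
    {"eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"};

static int32_t readDisp8(const uint8_t* p)  { return static_cast<int8_t>(p[0]); }
static int32_t readDisp32(const uint8_t* p) {
    uint32_t v = p[0] | (p[1] << 8) | (p[2] << 16) | (uint32_t(p[3]) << 24);
    return static_cast<int32_t>(v);
}

// Decode one MOV at `code`. Returns kind NotMov (length 0) for anything
// that is not opcode 88/89/8A/8B or is cut off before its last byte.
MovInfo decodeMov(const uint8_t* code, size_t len) {
    MovInfo info;
    if (len < 2) return info;
    uint8_t op = code[0];
    if (op != 0x88 && op != 0x89 && op != 0x8A && op != 0x8B) return info;
    bool regIsDest = (op & 0x02) != 0;   // 8A/8B: MOV reg, r/m ; 88/89: MOV r/m, reg

    uint8_t modrm = code[1];
    int mod = modrm >> 6, reg = (modrm >> 3) & 7, rm = modrm & 7;
    size_t pos = 2;

    if (mod == 3) {                      // r/m names a register: reg -> reg
        info.kind = MovKind::RegToReg;
        info.dst = regIsDest ? reg : rm;
        info.src = regIsDest ? rm : reg;
        info.length = pos;
        return info;
    }

    MemOperand m;
    bool disp32 = (mod == 2);
    if (rm == 4) {                       // rm=100b: a SIB byte follows
        if (len < pos + 1) return info;
        uint8_t sib = code[pos++];
        int ss = sib >> 6, idx = (sib >> 3) & 7, base = sib & 7;
        m.scale = 1 << ss;
        m.index = (idx == 4) ? -1 : idx; // index=100b means "no index"
        if (base == 5 && mod == 0) { m.base = -1; disp32 = true; } // [index*scale+disp32]
        else m.base = base;
    } else if (rm == 5 && mod == 0) {    // [disp32] with no base register
        m.base = -1; disp32 = true;
    } else {
        m.base = rm;
    }
    if (mod == 1) {                      // 8-bit displacement
        if (len < pos + 1) return info;
        m.disp = readDisp8(code + pos); pos += 1;
    } else if (disp32) {                 // 32-bit displacement
        if (len < pos + 4) return info;
        m.disp = readDisp32(code + pos); pos += 4;
    }
    info.kind = regIsDest ? MovKind::MemToReg : MovKind::RegToMem;
    if (regIsDest) info.dst = reg; else info.src = reg;
    info.mem = m;
    info.length = pos;
    return info;
}

MovInfo decodeMov(std::initializer_list<uint8_t> bytes) {
    std::vector<uint8_t> v(bytes);
    return decodeMov(v.data(), v.size());
}

// The address PIN hands an analysis routine as IARG_MEMORYREAD_EA /
// IARG_MEMORYWRITE_EA, computed by hand from a register snapshot (regs[i]
// holds the value of register i, same 0..7 numbering as above).
uint32_t effectiveAddress(const MemOperand& m, const uint32_t regs[8]) {
    uint32_t ea = static_cast<uint32_t>(m.disp);
    if (m.base  >= 0) ea += regs[m.base];
    if (m.index >= 0) ea += regs[m.index] * static_cast<uint32_t>(m.scale);
    return ea;
}

std::string formatMem(const MemOperand& m) {
    std::string s = "[";
    if (m.base >= 0) s += kRegNames[m.base];
    if (m.index >= 0) {
        if (s.size() > 1) s += "+";
        s += kRegNames[m.index];
        if (m.scale != 1) s += "*" + std::to_string(m.scale);
    }
    if (m.disp != 0 || s.size() == 1) {
        if (s.size() > 1 && m.disp >= 0) s += "+";
        s += std::to_string(m.disp);
    }
    return s + "]";
}

std::string describe(const MovInfo& i) {
    switch (i.kind) {
    case MovKind::RegToReg: return std::string("mov ") + kRegNames[i.dst] + ", " + kRegNames[i.src];
    case MovKind::MemToReg: return std::string("mov ") + kRegNames[i.dst] + ", " + formatMem(i.mem);
    case MovKind::RegToMem: return "mov " + formatMem(i.mem) + ", " + kRegNames[i.src];
    default:                return "(not a MOV)";
    }
}

int main() {
    // Constructed inputs: reg->reg, mem->reg, reg->mem, and the answer's [eax+ebx*2+25].
    const uint32_t regs[8] = {0x1000, 0, 0, 0x10, 0, 0, 0, 0};   // eax=0x1000, ebx=0x10
    for (MovInfo i : {decodeMov({0x89, 0xD8}), decodeMov({0x8B, 0x03}),
                      decodeMov({0x89, 0x03}), decodeMov({0x8B, 0x44, 0x58, 0x19})}) {
        std::cout << describe(i);
        if (i.kind == MovKind::MemToReg || i.kind == MovKind::RegToMem)
            std::cout << "   ea=0x" << std::hex << effectiveAddress(i.mem, regs) << std::dec;
        std::cout << "\n";
    }
    return 0;
}
```

Inside a real Pintool you would not decode bytes yourself: for an instruction where INS_IsMov is true, test each operand with INS_OperandIsReg / INS_OperandIsMemory to get the three cases, call the INS_OperandMemory* functions from the answer for the parts, and pass IARG_MEMORYREAD_EA or IARG_MEMORYWRITE_EA to INS_InsertCall so PIN delivers the already-resolved address to the analysis routine (IARG_REG_VALUE gives the raw ebx if you also want that). The stand-alone decoder above is useful for checking that the values PIN reports match what you expect for the tricky encodings: rm=101b with mod=00 (absolute, no base) and a SIB base of 101b with mod=00, both of which have no base register even though the register field says ebp.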