1

I'm using Intel's Pin Tool to do some binary instrumentation, and was wondering if there is an API to get the instruction byte code at a given address.

Something like:

```
instruction = getInstructionatAddr(addr);
```

where addr is the desired address.

I know the function Instruction (used in many of the simple/manual examples) given by Pin gets the instruction, but I need to know the instructions at other addresses. I perused the web to no avail. Any help would be appreciated!

CHEERS

dannykim

2 Answers

3

> wondering if there is an API to get the instruction byte code at a given address

Yes, it's possible but in a somewhat contrived way: with PIN you are usually interested in what is executed (or manipulated through the executed instructions), so everything outside the code / data flow is not of any interest for PIN.

PIN is using (and thus ships with) Intel XED which is an instruction encoder / decoder.

In your PIN installation you should have an \extra folder with two sub-directories: xed-ia32 and xed-intel64 (choose the one that suits your architecture). The main include file for XED is xed-interface.h located in the \include folder of the aforementioned directories.

  1. In your Pintool, given any address in the virtual space of your pintooled program, use the PIN_SafeCopy function to read the program memory (and thus bytes at the given address). The advantage of PIN_SafeCopy is that it fails gracefully even if it can't read the memory, and can read "shadowed" parts of the memory.

  2. Use XED to decode the instruction bytes for you.

For an example of how to decode an instruction with XED, see the first example program.

As the small example uses a hardcoded buffer (namely itext in the example program), replace this hardcoded buffer with the destination buffer you used in PIN_SafeCopy.

Obviously, you should make sure that the memory you are reading really contains code.

AFAIK, it is not possible to get an INS type (the usual type describing an instruction in PIN) from an arbitrary address as only addresses in the code flow will "generate" an INS type.

As a side note:

> I know the function Instruction (used in many of the simple/manual examples) given by Pin gets the instruction

The Instruction routine used in many PIN examples is called an "Instrumentation routine": its name is not relevant in itself.

Neitsa
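The two steps from the answer above (`PIN_SafeCopy`, then XED decode), as an added example that is not part of the original answer or of Pin's own samples. The names `InsBytesAt`, `XedLength`, `PinInsBytesAt` and `kMaxInsLen` are hypothetical, and the Pin/XED part is compiled only when `pin.H` is on the include path (assumes a compiler that supports `__has_include`).

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>
#if __has_include("pin.H")  // true only when built inside a Pin kit
#include "pin.H"
extern "C" {
#include "xed-interface.h"
}
#define HAVE_PIN 1
#endif

constexpr size_t kMaxInsLen = 15;  // longest legal x86 instruction

// Returns the raw bytes of the single instruction at `addr`, or an empty vector.
//   copy(dst, addr, n): bytes actually copied, PIN_SafeCopy semantics (0..n)
//   length(bytes, n):   decoded instruction length, 0 if the bytes do not decode
template <class Copy, class Length>
std::vector<uint8_t> InsBytesAt(uint64_t addr, Copy copy, Length length) {
    uint8_t buf[kMaxInsLen];
    size_t got = copy(buf, addr, sizeof buf);  // short read next to an unmapped page
    if (got == 0) return {};                   // address is not readable at all
    size_t len = length(buf, got);             // decoder only sees bytes really read
    if (len == 0 || len > got) return {};      // not code, or instruction cut off
    return std::vector<uint8_t>(buf, buf + len);
}

#ifdef HAVE_PIN
// XED wrapper: decode one instruction in the mode this Pintool is built for.
static size_t XedLength(const uint8_t* p, size_t n) {
    xed_decoded_inst_t xedd;
    xed_decoded_inst_zero(&xedd);
#if defined(TARGET_IA32E)
    xed_decoded_inst_set_mode(&xedd, XED_MACHINE_MODE_LONG_64, XED_ADDRESS_WIDTH_64b);
#else
    xed_decoded_inst_set_mode(&xedd, XED_MACHINE_MODE_LEGACY_32, XED_ADDRESS_WIDTH_32b);
#endif
    if (xed_decode(&xedd, p, static_cast<unsigned>(n)) != XED_ERROR_NONE) return 0;
    return xed_decoded_inst_get_length(&xedd);
}

// Usable with any address in the target's address space.
std::vector<uint8_t> PinInsBytesAt(ADDRINT addr) {
    auto safeCopy = [](void* dst, uint64_t a, size_t n) {
        return PIN_SafeCopy(dst, reinterpret_cast<const VOID*>(static_cast<ADDRINT>(a)), n);
    };
    return InsBytesAt(addr, safeCopy, XedLength);
}
#endif
```

An empty result means either the address was unreadable or the bytes there did not decode as an instruction, which covers the answer's caveat about making sure the memory really contains code.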
  • 1
    Is it possible to pass the ins (of type INS) to another function from the Instruction routine? – dannykim Jun 11 '15 at 16:22
  • @dannykim Yes, as long as the `INS` instance is passed to a PIN function that takes an `INS` type as argument, you are free to pass it to another function from your instrumentation routine (`Instruction()`). – Neitsa Jun 11 '15 at 17:18
  • 1
    @dannykim Ok, so this is about the analysis routine, not the instrumentation routine. AFAIK, you can't deal with `INS`, `BBL` or `TRACE` types in an analysis routine, and as you have seen there's no way to pass them to the analysis routine... You might try to pass an `INS` instance as an `IARG_PTR` (or equivalent) to the analysis routine and try to use one of the `INS_XXX` inspection functions (it must **not** be an instrumentation function). I never tested it, and this is not documented in the user guide, so this probably leads to an unknown behavior. – Neitsa Jun 13 '15 at 10:55
  • @Neitsa Hi, the [link](https://software.intel.com/sites/landingpage/pintool/docs/71313/Xed/html/group__SMALLEXAMPLES.html) provided above is dead, is there any alternative or new location for the link? Thanks! – Feng. Ma Apr 20 '21 at 10:40
  • 1
    @Feng.Ma Yep, XED documentation is now on github; the examples page is [here](https://intelxed.github.io/ref-manual/group__EXAMPLES.html) (the small example referenced in the post is [here](https://intelxed.github.io/ref-manual/group__SMALLEXAMPLES.html).) – Neitsa Apr 20 '21 at 13:17
0

PIN_SafeCopy may help you. This API could copy memory content from the address space of target process to one specified buffer.

慕冬亮