
I'm doing a bit of research on Intel Pin. I'm looking to see if there is a way of attaching a Pin tool to an existing process using the Pin API.

I can see there is a way of running the pin executable on an already running process using `pin.exe -pid <process_id>`, but I can't see anything in the pin documentation.

EDIT: As per a previous comment, I'm updating the question with an example.

The problem I'm trying to solve is instrumenting an injected process (this is for malware analysis).

If the process/binary I'm instrumenting creates a child process then pin can seamlessly attach itself to said child process. Wonderful!

If, however, the process/binary I'm instrumenting injects into another process (i.e. OpenProcess > VirtualAllocEx > WriteProcessMemory > CreateRemoteThread) then Pin will NOT attach to the injected process. I need to be able to tell pin to attach dynamically at runtime.

ben_re
  • It's mentioned in the [command line switches](https://software.intel.com/sites/landingpage/pintool/docs/97554/Pin/html/group__KNOBS.html); A pintool runs the same if it is started with the target program or attached to it (the code doesn't need to be different). You might have a different logic inside your pintool to see if it was started with or attached later, though. – Neitsa Mar 01 '18 at 09:56
  • @Neitsa - That's not entirely what I'm getting at. I'll update the question with an example so you can see what problem I'm trying to solve. – ben_re Mar 01 '18 at 10:37

1 Answer


You'll have to implement something like that yourself - instrument the system calls and if you see an injection pattern, attach pin to the process.

nitzanms
  • I was hoping there would be a Pin API to attach pin to the process once I have recognized the injection pattern (something like `AttachPinToProcess(NATIVE_PROCESS pid)`). I guess I'll have to spin up another instance of Pin with `OS_CreateProcess()`. – ben_re Mar 02 '18 at 09:28
  • FYI - There is an issue with OS_CreateProcess. It's returning OS_RETURN_CODE_NOT_IMPLEMENTED, so I guess this is not actually possible. – ben_re Mar 12 '18 at 16:03
  • It is preferable not to do these things through Pin but through an external process which communicates with the pintool, eg through a file. This gets around limitations like process permissions which are very prevalent in modern OSs. – nitzanms Mar 13 '18 at 11:09
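As an added example (not part of the answer, and not Pin's own API), here is the detection half of nitzanms's suggestion as stand-alone C++: a per-handle state machine that matches the OpenProcess > VirtualAllocEx > WriteProcessMemory > CreateRemoteThread chain from the question. It assumes a hypothetical `ApiCall` record that a pintool's instrumentation callbacks would fill in; Pin itself is not linked, and the tool only reports the target PID, leaving the actual `pin -pid` attach to an external process that reads those PIDs, as the last comment recommends.

```cpp
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// One observed Win32 API call. Hypothetical record type: in a real pintool it
// would be filled in by RTN/syscall instrumentation callbacks (Pin not used here).
struct ApiCall {
    std::string name;    // e.g. "OpenProcess"
    uint32_t    pid;     // target PID (meaningful for OpenProcess only)
    uintptr_t   handle;  // process handle returned by / passed to the call
};
// Progress of the injection chain on one process handle.
struct InjectState { uint32_t pid = 0; bool alloc = false; bool write = false; };

class InjectionDetector {
    std::map<uintptr_t, InjectState> states_;  // keyed by process handle
    std::vector<uint32_t> flagged_;            // PIDs for an external attacher
public:
    // Feed calls in program order. Returns true when OpenProcess -> VirtualAllocEx ->
    // WriteProcessMemory -> CreateRemoteThread completes on one handle; out-of-order
    // steps or closed handles never match.
    bool observe(const ApiCall& c) {
        if (c.name == "OpenProcess") {
            InjectState s; s.pid = c.pid;
            states_[c.handle] = s;
            return false;
        }
        auto it = states_.find(c.handle);
        if (it == states_.end()) return false;  // handle not from OpenProcess
        InjectState& s = it->second;
        if (c.name == "VirtualAllocEx") s.alloc = true;
        else if (c.name == "WriteProcessMemory" && s.alloc) s.write = true;
        else if (c.name == "CreateRemoteThread" && s.write) {
            flagged_.push_back(s.pid);  // hand this PID to the external process
            states_.erase(it);
            return true;
        } else if (c.name == "CloseHandle") states_.erase(it);
        return false;
    }
    const std::vector<uint32_t>& flagged() const { return flagged_; }
};
// Constructed sample trace: benign OpenProcess/CloseHandle on pid 1000, then the
// full chain against pid 4242 via handle 0x1c. Returns the flagged PIDs.
inline std::vector<uint32_t> run_sample() {
    const std::vector<ApiCall> trace = {
        {"OpenProcess", 1000, 0x10}, {"CloseHandle", 0, 0x10}, {"OpenProcess", 4242, 0x1c},
        {"VirtualAllocEx", 0, 0x1c}, {"WriteProcessMemory", 0, 0x1c}, {"CreateRemoteThread", 0, 0x1c}};
    InjectionDetector d;
    for (const auto& c : trace) d.observe(c);
    return d.flagged();
}
```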