
In my pintool, I check NtReadFile() and NtCreateFile() system calls using the PIN API:

PIN_AddSyscallEntryFunction() 
PIN_AddSyscallExitFunction()

But the output seems to be polluted with many unexpected additional interceptions, which I would like to filter out.

Problem is, the SYSCALL_ENTRY_CALLBACK functions do not give you access to the information needed to deduce from where the system call has been spawned (calling site), even at the entry. Checking the value of REG_EIP (address of the instruction pointer) just before the system call is executed, I see I am way off the calling site (out of the address range of the image I am instrumenting, although the system call is made within this image).

I also tried to instrument instructions with INS_IsSyscall() at IPOINT_BEFORE and check its address, but it seems it is too late too (out of range of the image's low and high addresses).

What would be the correct process to instrument only system calls starting from the image I am instrumenting?

Heyji
  • Are you instrumenting a 32-bit process on a 64-bit system? – Neitsa May 03 '19 at 20:51
  • Both, 32-bit and 64-bit app, both running on 64-bit Windows 10 (not at the same time though). – Heyji May 05 '19 at 13:02
  • @Heyji have you found an answer to this question? – maysara Mar 14 '21 at 17:46
  • It has been a while now, but what I remember is a bug in PIN_GetSyscallArgument() described [here](https://groups.io/g/pinheads/topic/65995793#12970) that used to mess up all my expectations. Also the fact that on windows, syscall numbers are on 16 bits only, I needed to clear the high order bits to make sure I only get the 16 first bits. – Heyji Mar 15 '21 at 21:47
  • Hello, @Heyji I've recently encountered the same problem trying to see whether I can use any of the arguments available using the `SYSCALL_ENTRY_CALLBACK` function, such as `(THREADID thread_id, CONTEXT *ctx, SYSCALL_STANDARD std, void *v)`, to solve this question you asked. I'm guessing that you could not figure out the solution, right? I was able to sort of program a somewhat band-aid solution, but it is pretty ugly, so I wanted to check with you to see whether there has been any progress in this regard. – Jay Feb 04 '23 at 02:21
  • @Jay : no progress so far. Let's get in touch – Heyji Mar 02 '23 at 13:21
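The calling-site problem from the question, as an added stand-alone C++ example (not the asker's pintool and not Pin's own code): the EIP seen at syscall entry is inside the ntdll Nt* stub, so the site in the instrumented image is recovered from return addresses on the stack. The Pin calls named in the comments (PIN_GetContextReg, PIN_SafeCopy, IMG_LowAddress/IMG_HighAddress) are assumed from the Pin API; the stack snapshot and all addresses are constructed.

```cpp
#include <cstdint>
#include <cstdio>
#include <functional>
#include <optional>

// Constructed example, not code from the question. In a real Pin tool the
// syscall-entry callback would take sp = PIN_GetContextReg(ctx, REG_STACK_PTR)
// and read each slot with PIN_SafeCopy(); here a fake stack stands in.
struct ImageRange { uint64_t low, high; };   // from IMG_LowAddress/IMG_HighAddress

using ReadWord = std::function<std::optional<uint64_t>(uint64_t addr)>;

// Frame-less stack scan (Pin gives no unwind data): return the first word in
// the top maxSlots slots that points into the instrumented image. That word is
// the return address pushed when the image called the ntdll stub, i.e. the
// calling site. The depth bound limits false matches from data that merely
// looks like an image pointer.
std::optional<uint64_t> findCallingSite(uint64_t sp, size_t wordSize,
                                        const ImageRange& img,
                                        const ReadWord& read,
                                        size_t maxSlots = 16) {
    for (size_t i = 0; i < maxSlots; ++i) {
        std::optional<uint64_t> w = read(sp + i * wordSize);
        if (!w) break;                                  // unreadable: stop
        if (*w >= img.low && *w < img.high) return w;
    }
    return std::nullopt;
}

// The comment thread notes Windows syscall numbers are 16 bits wide; keep only
// those bits of the value PIN_GetSyscallNumber() reports.
uint32_t winSyscallNumber(uint64_t raw) { return static_cast<uint32_t>(raw & 0xFFFFu); }

// Constructed 32-bit scenario: image mapped at 0x00400000-0x00450000, the
// ntdll stub's own return address on top, then the image's return address.
static const uint64_t kSampleSp = 0x0019F000;
static std::optional<uint64_t> sampleStack(uint64_t addr) {
    switch (addr - kSampleSp) {
        case 0:  return 0x77A01234;   // return into ntdll (stub internals)
        case 4:  return 0x00000003;   // an argument copy, not a pointer
        case 8:  return 0x00401A2F;   // return into the instrumented image
        default: return std::nullopt; // end of snapshot
    }
}

int main() {
    ImageRange img{0x00400000, 0x00450000};
    if (auto site = findCallingSite(kSampleSp, 4, img, sampleStack))
        std::printf("syscall issued from image at 0x%llx\n", (unsigned long long)*site);
    return 0;
}
```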

0 Answers