How to find main function with pintool

Question

I'm new to writing pintool programs. I want to find the main function of target program with PIN. But I always got just an UnNamedImageEntryPoint with SYM_Name() and RTN_Name. I guess the lack of symbols caused this. So is there any solution for me to find main function when there's no symbols? This is My main function:

int main(int argc, char *argv[]) {
    PIN_InitSymbols();
    init_all();
    if (PIN_Init(argc, argv)) return Usage();
    INS_AddInstrumentFunction(Instructions, 0);
    IMG_AddInstrumentFunction(ImageLoad, 0);
    PIN_AddFiniFunction(Fini, 0);
    PIN_StartProgram();
    return 0;
}

And this is how I look for main function:

VOID ImageLoad(IMG img, VOID *v) {
    if (IMG_IsMainExecutable(img)) {
        for (SYM sym = IMG_RegsymHead(img); SYM_Valid(sym); sym = SYM_Next(sym)) {
            string undFuncName = PIN_UndecorateSymbolName(SYM_Name(sym), UNDECORATION_NAME_ONLY);
            output<<undFuncName<<endl;
            if (undFuncName == "main") {
                RTN_InsertCall(rtn, IPOINT_BEFORE,(AFUNPTR)onMainStarted, IARG_END);
            }
        }
    }
}

This is all undFuncName I got.

unnamedImageEntryPoint
.text

Once the compiler is finished there's really nothing special about the `main` function. It's a function just like any other. And once the linker have finished and added the code that actually calls `main`, there's nothing that will distinguish it from other functions. — Some programmer dude, Mar 25 '20 at 04:07
But we can find `main` function in most programs with IDA pro. I think there must be a way to do it with PIN. — shijy, Mar 25 '20 at 09:16
You can easily find out the "start" function, where execution actually start. Then using deduction it might be possible to find a jump to a function that might be the `main` function. — Some programmer dude, Mar 25 '20 at 09:36
The problem is I can't find any function in programs with PIN. When I find functions with `RTN_Name()` or `SYM_Name()`, I just got an `unnamedImageEntryPoint` or `.text`. In normal cases, I could get all the function names in this way. Well, I know there's no name in executable files, but at least I want to find more functions than just one `unnamedImageEntryPoint`. — shijy, Mar 26 '20 at 03:11
That `unnamedImageEntryPoint` is very probably the "start" function added by the linker, where the operating system really starts execution of your program. If you want to use symbols then you need to keep those symbols in the generated executable program image file. If you strip all symbols from the file, then you simply can't use functions dealing with symbols. — Some programmer dude, Mar 26 '20 at 04:23
It is sad that I'm analyze non-symbol program. And I'm trying to mark the start address and the end address of `main` function of the program. This is easy with IDAPRO, but difficult with PIN. Maybe I am going to try execute some scripts to find the addresses instead of doing it with PIN directly. Thanks a bunch for your help. — shijy, Mar 26 '20 at 07:50
Can you show the main function in your pintool program, (i.e., PIN_InitSymbols(); must be there to enable dealing with symbols.) — Mos Moh, Mar 30 '20 at 15:42
Details are added in the description. In fact I gave up doing this with PIN. I'm doing function analysis with IDAPRO and then input the result to PIN. But it would be a relief if the PIN problem was solved. — shijy, Mar 31 '20 at 03:33
Perhaps related: [Printing program and function name of each instruction with Pin tool](https://stackoverflow.com/q/54499458) — Peter Cordes, Feb 01 '23 at 17:57

score 1 · Answer 1 · answered Oct 25 '21 at 11:04

The following code working fine with me:

VOID ImageLoad(IMG img, VOID *v) {
  RTN mainRtn = RTN_FindByName(img, "main");
  if (RTN_Valid(mainRtn)){
    // ....... YOUR CODE
  }
}
// Another way:
VOID ImageLoad(IMG img, VOID *v) {
  for (SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec)) {
   for (RTN rtn = SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn)) {
    if (RTN_Valid(rtn)){
    // ....... YOUR CODE
    // YOU CAN SEARCH FOR YOUR ROUTINE HERE
    }
   }
  }
}

Thanks for the answer. But this won't work when target IMG is compiled without debug information. — shijy, Nov 01 '21 at 10:56

How to find main function with pintool

1 Answers1

Linked

Related