
I'm trying to learn how to use Intel Pin (Version 3.25) on Windows 11. I am trying to instrument the ETS6 software by the KNX Association. On startup, ETS creates another process by calling CreateProcessW. This child process does all the interesting stuff that I want to track. So according to the Pin documentation, it seems I need to apply the -follow_execv flag to instrument the child.

To test this, I wrote the following pintool called "detect_execv.cpp" and compiled it for the x86 architecture (since ETS6 is 32-bit):

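#include "pin.H"
#include <iostream>
#include <stdio.h>
#include <unistd.h>

// Log file shared by the callbacks below.
FILE* fp;

// Called when the instrumented process exits: close the log.
VOID Finish(INT32 code, VOID* v)
{
    fclose(fp);
}

// Called by Pin when this process is about to spawn a child.
// getpid() here is the PID of the spawning (parent) process.
// Returning TRUE requests that the child be instrumented as well.
BOOL FollowChild(CHILD_PROCESS cproc, VOID* user_data)
{
    fprintf(fp, "Before child: %u\n", getpid());
    return TRUE;
}

int main(int argc, char* argv[])
{
    if (PIN_Init(argc, argv))
    {
        printf("PIN_Init failed\n");
        return -1;
    }

    fp = fopen("detect_execv.out", "w");
    if (fp == NULL)
    {
        // Without a log file the callbacks would dereference a null FILE*.
        printf("Could not open detect_execv.out\n");
        return -1;
    }

    PIN_InitSymbols();

    PIN_AddFollowChildProcessFunction(FollowChild, 0);
    PIN_AddFiniFunction(Finish, 0);

    // Never returns
    PIN_StartProgram();

    return 0;
}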

If I try to test the pintool using pin -follow_execv -t obj-ia32\detect_execv.dll -- ETS6, it logs a single entry into "detect_execv.out". However, the pintool crashes almost immediately and I get the following error which is logged to "pin.log":

E: [tid:24760] Failure to map DLL C:\pin\pin-3.25-98650-g8f6168173-msvc-windows\source\tools\SimpleExamples\obj-ia32\detect_execv.dll
System error 216 :

If I test the pintool without the -follow_execv flag, then the crash does not happen, but it also does not log anything to "detect_execv.out", which makes me think that the child process was not instrumented.

So, what should I do here if I want to instrument the child process?

Lught