Skip to content

nccgroup/ICPin

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits

LICENSE.txt

LICENSE.txt

 
 

MyPinTool.cpp

MyPinTool.cpp

 
 

MyPinTool.h

MyPinTool.h

 
 

MyPinTool.sln

MyPinTool.sln

 
 

MyPinTool.vcxproj

MyPinTool.vcxproj

 
 

Tracer.cpp

Tracer.cpp

 
 

Tracer.h

Tracer.h

 
 

Util.cpp

Util.cpp

 
 

ad.cpp

ad.cpp

 
 

ad.h

ad.h

 
 

common.h

common.h

 
 

icpin_importer.py

icpin_importer.py

 
 

makefile

makefile

 
 

makefile.rules

makefile.rules

 
 

memaccess.cpp

memaccess.cpp

 
 

memaccess.h

memaccess.h

 
 

readme.md

readme.md

 
 

Repository files navigation

ICPin

An Integrity-Check Monitoring Pintool

What

A pintool that records the reads and writes to the executable in memory. It also tracks dynamically executed code and handles some antidebug checks (it is immune to most antidebug by pintool`s design) and outputs backtraces of watched behavior.

How

Building

Running

pin -t path/to/ICPin.dll -- /path/to/target/executable

Importing Results In Python

from icpin_importer import Importer

imp = Importer('/path/to/pinatrace.out')
gadgets = imp.loadDB()

Ouput Sample (edited)

[LOAD] c:\Program Files (x86)\ExEPath\Exe.exe [0x620000 - 0xc89fff]
[LOAD] C:\WINDOWS\SYSTEM32\MSCOREE.DLL [0x738c0000 - 0x73918fff]
[LOAD] C:\WINDOWS\System32\KERNEL32.dll [0x74c10000 - 0x74ceffff]
[LOAD] C:\WINDOWS\System32\KERNELBASE.dll [0x74e30000 - 0x74fd0fff]
[HOOK]  - CloseHandle
[HOOK]  - VirtualFree
[HOOK]  - VirtualAlloc
[HOOK]  - VirtualProtect
[LOAD] C:\WINDOWS\SYSTEM32\ntdll.dll [0x77060000 - 0x771e1fff]
[HOOK]  - NtQueryObject
[HOOK]  - NtQueryInformationProcess
[HOOK]  - KiUserExceptionDispatcher
[TIME] Initial instrumentation took 0.000000 seconds
[LOAD] C:\WINDOWS\System32\ADVAPI32.dll [0x743d0000 - 0x74446fff]
[LOAD] C:\WINDOWS\System32\msvcrt.dll [0x75310000 - 0x753cdfff]
[LOAD] C:\WINDOWS\System32\sechost.dll [0x753d0000 - 0x75410fff]
[LOAD] C:\WINDOWS\System32\RPCRT4.dll [0x73ba0000 - 0x73c60fff]
----------------------
[ICPin] Using software interrupts to detect debugger
[EXCEPTION] code: 0x80000003    ip: 0x53ce0168 -> 0x770d0020
[KiUserExceptionDispatcher] Back from km, context EIP = 53ce0168 -> 53ce0169
----------------------
TIME: Running instrumented took 1497.00 seconds
GADGET LIST ------------------------------
----------------------------------------
#0021] Exe.dll+0x478945: R [+0x47a264 -  0x47a366) - 0x102 bytes
----------------------------------------
#0022] Exe.dll+0x29eb2f: R [+0x29eb91 -  0x29ebc1) - 0x30 bytes
----------------------------------------
#0023] Exe.dll+0x47257c: R [+0x472776 -  0x4727f4) - 0x7e bytes
----------------------------------------
#0058] Exe.dll+0xd39bd: R [+0x3ae7c -  0x4312c) - 0x82b0 bytes
----------------------------------------
#0077] Exe.dll+0xdfceb: R [+0x1762fc -  0x17f228) - 0x8f2c bytes
----------------------------------------
#0096] Exe.dll+0xe88b5: R [+0x37e18 -  0x40b50) - 0x8d38 bytes
----------------------------------------
Total: 942 gadgets
BACKTRACES for NtQueryInformationProcess
----------------------
BACKTRACES for interrupts
[0x53ce0168] : -> 0x53d9a667 -> 0x53d9a660 -> 0x53d9a674 -> 0x53d9a64b -> 0x53d9a654 -> 0x53d9a667 -> 0x53d9a660 -> 0x53d9a667 -> 0x53d9a660 -> 0x53d9a667 -> 0x53d9a660 -> 0x53d9a667 -> 0x53d9a660 -> 0x53d9a674 -> 0x53d9a67a -> 0x53ce62a9 -> 0x53ce65bf -> 0x53ce5d50 -> 0x53ce5d59 -> 0x53ce5f6c -> 0x53ce5f78 -> 0x53ce5fd5 -> 0x53ce60ff -> 0x53ce6283 -> 0x53ce628f -> 0x53ce653f -> 0x53ce0fe0 -> 0x53ce0ff5 -> 0x53ce10a0 -> 0x53ce6544 -> 0x53d99710 -> 0x53d99721 -> 0x53ce6554 -> 0x53ce65bf -> 0x53ce5d50 -> 0x53ce5d59 -> 0x53ce5f6c -> 0x53ce5f78 -> 0x53ce5f7f -> 0x53ce60ff -> 0x53ce6283 -> 0x53ce65bf -> 0x53ce65cb -> 0x53ce65d2 -> 0x53ce65dd -> 0x53ce65e0 -> 0x53ce65e5 -> 0x53ce65bf -> 0x53ce5d50 -> 0x53ce5d59 -> 0x53ce5f6c -> 0x53ce60ff -> 0x53ce610b -> 0x53ce6275 -> 0x53ce65bf -> 0x53ce5d50 -> 0x53ce5d59 -> 0x53ce5f6c -> 0x53ce60ff -> 0x53ce610b -> 0x53ce61f6 -> 0x53ce6283 -> 0x53ce65bf -> 0x53ce5d50 -> 0x53ce5d59 -> 0x53ce5f6c -> 0x53ce5f78 -> 0x53ce60d3 -> 0x53ce60ff -> 0x53ce610b -> 0x53ce61dd -> 0x53ce6283 -> 0x53ce65bf -> 0x53ce5d50 -> 0x53ce5d59 -> 0x53ce5f6c -> 0x53ce5f78 -> 0x53ce60a0 -> 0x53ce60b4 -> 0x53ce0168 
--------
[0x540edb95] : -> 0x540ed80b -> 0x540ed983 -> 0x540ed0b5 -> 0x540ed0be -> 0x540ed383 -> 0x540ed38f -> 0x540ed63c -> 0x540ed678 -> 0x540ed80b -> 0x540ed983 -> 0x540ed0b5 -> 0x540ed0be -> 0x540ed383 -> 0x540ed38f -> 0x540ed4b1 -> 0x540ed678 -> 0x540ed80b -> 0x540ed983 -> 0x540ed0b5 -> 0x540ed0be -> 0x540ed383 -> 0x540ed38f -> 0x540ed482 -> 0x540ed678 -> 0x540ed80b -> 0x540ed983 -> 0x540ed0b5 -> 0x540ed0be -> 0x540ed383 -> 0x540ed38f -> 0x540ed63c -> 0x540ed678 -> 0x540ed80b -> 0x540ed983 -> 0x540ed0b5 -> 0x540ed0be -> 0x540ed0c7 -> 0x540ed0d8 -> 0x540ed0ef -> 0x540ed383 -> 0x540ed38f -> 0x540ed3a8 -> 0x540ed678 -> 0x540ed80b -> 0x540ed983 -> 0x540ed98f -> 0x540ed996 -> 0x540ed0b5 -> 0x540ed0be -> 0x540ed383 -> 0x540ed678 -> 0x540ed80b -> 0x540ed983 -> 0x540ed98f -> 0x540eda1c -> 0x540ed0b5 -> 0x540ed0be -> 0x540ed0c7 -> 0x540ed68b -> 0x540ed383 -> 0x540ed38f -> 0x540ed396 -> 0x540ed678 -> 0x540ed80b -> 0x540ed983 -> 0x540ed98f -> 0x540ed9a6 -> 0x540ed0b5 -> 0x540ed0be -> 0x540ed383 -> 0x540ed678 -> 0x540ed684 -> 0x540ed7fe -> 0x540ed983 -> 0x540ed0b5 -> 0x540ed0be -> 0x540ed0c7 -> 0x540ed2c8 -> 0x540ed2e4 -> 0x540edb95 
--------
----------------------
#DONE (0)

References

https://software.intel.com/sites/landingpage/pintool/docs/81205/Pin/html/

About

An Integrity-Check Monitoring Pintool

Resources

Readme

License

GPL-2.0 license
Activity
Custom properties

Stars

54 stars

Watchers

10 watching

Forks

10 forks
Report repository

Releases 1

v1.0 Latest
Nov 2, 2020

Packages

No packages published

Languages