Sunday, July 26, 2020

Break On x86 Syscalls from Pintool

"Pin is a tool for the instrumentation of programs. It supports the Android*, Linux*, OS X* and Windows* operating systems and executables for the IA-32, Intel(R) 64 and Intel(R) Many Integrated Core architectures. Pin allows a tool to insert arbitrary code (written in C or C++) in arbitrary places in the executable. The code is added dynamically while the executable is running. This also makes it possible to attach Pin to an already running process" (

Pin has an API, PIN_ApplicationBreakpoint, that stops execution in an application debugger as though a breakpoint had been hit. It can be used to hand control to the debugger wherever and whenever we wish. The most common use case is obviously to invoke the debugger at a specific place of interest. For the sake of this blog, let us use this API to invoke the debugger at a specific syscall.

Well, there is an easier way to break on a specific syscall under GDB using "catch syscall <syscall name/number>", but this blog is about understanding Pin's API, so let us stick to this easy task :)

The steps are as follows:
  1. During instrumentation, find whether the instruction about to be executed is a syscall.
  2. If it is a syscall instruction, insert a call that fetches the syscall number and sets a global flag.
  3. Insert another call on the same instruction that checks whether the syscall is of interest and, if so, sends a SIGTRAP to GDB.
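The three steps above, modelled in plain C++ as an added example (not the blog's pintool): it has no dependency on pin.H so it compiles on its own, and each function is a stand-in for the Pin call named in its comment (INS_IsSyscall, INS_InsertCall with IARG_SYSCALL_NUMBER, PIN_ApplicationBreakpoint). The instruction trace and the "break on clone only" setting are constructed for the demo.

```cpp
#include <cstdint>
#include <functional>
#include <set>
#include <vector>

// Step 1 stand-in for INS_IsSyscall(): recognise the x86 syscall encodings by opcode bytes.
// int 0x80 = CD 80, sysenter = 0F 34, syscall = 0F 05.
bool IsSyscallBytes(const std::vector<uint8_t>& ins) {
    if (ins.size() < 2) return false;
    return (ins[0] == 0xCD && ins[1] == 0x80) ||
           (ins[0] == 0x0F && (ins[1] == 0x34 || ins[1] == 0x05));
}

// The "global flag" of step 2. A real pintool would keep this per thread (PIN_GetThreadData)
// rather than in one global, since several threads can sit at a syscall at once.
struct SyscallFlag { bool pending = false; uint32_t number = 0; };

// Step 2 stand-in for the first analysis routine inserted via INS_InsertCall(..., IARG_SYSCALL_NUMBER, ...):
// remember the number and raise the flag.
void RecordSyscall(SyscallFlag& f, uint32_t number) { f.pending = true; f.number = number; }

// Step 3 stand-in for the second analysis routine: if the flag is raised and the number is one we
// care about, call the hook that in a pintool would be PIN_ApplicationBreakpoint(). Returns true if it fired.
bool MaybeBreak(SyscallFlag& f, const std::set<uint32_t>& interesting,
                const std::function<void(uint32_t)>& breakHook) {
    if (!f.pending) return false;
    f.pending = false;                       // consume the flag so a later non-syscall does not re-fire
    if (!interesting.count(f.number)) return false;
    breakHook(f.number);
    return true;
}

// Steps 1-3 for a single instruction. `eax` holds the syscall number on i386 (rax on x86-64).
bool Instrument(SyscallFlag& f, const std::vector<uint8_t>& ins, uint32_t eax,
                const std::set<uint32_t>& interesting, const std::function<void(uint32_t)>& hook) {
    if (!IsSyscallBytes(ins)) return false;  // step 1
    RecordSyscall(f, eax);                   // step 2
    return MaybeBreak(f, interesting, hook); // step 3
}

// Constructed trace: nop, write(4) via int 0x80, clone(120) via int 0x80, clone(120) via sysenter,
// exit(1). Returns how many times the debugger hook fired when breaking only on i386 syscall 120.
int BreakCountForTrace() {
    SyscallFlag flag;
    const std::set<uint32_t> interesting{120};
    int hits = 0;
    auto hook = [&hits](uint32_t) { ++hits; };
    struct Step { std::vector<uint8_t> bytes; uint32_t eax; };
    const std::vector<Step> trace = {
        {{0x90}, 120}, {{0xCD, 0x80}, 4}, {{0xCD, 0x80}, 120}, {{0x0F, 0x34}, 120}, {{0xCD, 0x80}, 1}};
    for (const Step& s : trace) Instrument(flag, s.bytes, s.eax, interesting, hook);
    return hits;  // 2
}
```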
The recorded demo video below illustrates how Pin instructs GDB to break on a specific syscall number, 120, which belongs to the clone syscall.

The ideal use case for this API is breaking into the application under complex conditions, at a point where you need a full-blown debugger to proceed further.
