Box 7.
// Pointer type used to call the original (replaced) routine from the
// replacement: one unsigned int argument, VOID * result. It has to agree with
// the PROTO registered for "sleep" in ImageLoad, which declares the same
// pointer-sized return.
// NOTE(review): POSIX sleep() returns unsigned int, not a pointer; confirm the
// VOID * return is intended before relying on the returned value.
typedef VOID * ( *FP_SLEEP )( unsigned int );
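// This is the replacement routine that runs in place of the application's
// sleep().
//
// orgFuncptr - relocated entry point of the original routine
//              (passed via IARG_ORIG_FUNCPTR).
// arg0       - first argument of the intercepted call
//              (passed via IARG_FUNCARG_ENTRYPOINT_VALUE, 0).
// returnIp   - return address of the intercepted call (IARG_RETURN_IP).
//
// Returns the value produced by the original routine, unchanged.
VOID * NewSleep( FP_SLEEP orgFuncptr, UINT32 arg0, ADDRINT returnIp )
{
    // Normally one would do something more interesting with this data.
    // The line prints raw code addresses of the instrumented process, so it
    // belongs in a trusted log only. The trailing dec puts cout back in
    // decimal so the hex manipulators used here do not leak into later output.
    cout << "NewSleep ("
         << hex << ADDRINT ( orgFuncptr ) << ", "
         << dec << arg0 << ", "
         << hex << returnIp << ")"
         << dec << endl << flush;

    // Call the relocated entry point of the original (replaced) routine and
    // hand its result straight back to the caller.
    VOID * v = orgFuncptr( arg0 );
    return v;
}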
Box 8.
// Pin calls this function every time a new image is loaded. It is best to do probe
// replacement when the image is loaded, because only one thread knows about the image at
// this time.
VOID ImageLoad( IMG image, VOID *v )
{
// See if sleep() is present in the image. If so, replace it.
//
RTN rtn = RTN_FindByName( image, “sleep” );
if (RTN_Valid(rtn))
{
cout << “Replacing sleep in “ << IMG_Name(image) << endl;
// Define a function prototype that describes the application routine
// that will be replaced.
//
PROTO proto_sleep = PROTO_Allocate( PIN_PARG(void *), CALLINGSTD_DEFAULT,
“sleep”, PIN_PARG(int), PIN_PARG_END() );
// Replace the application routine with the replacement function.
// Additional arguments have been added to the replacement routine.
// The return value and the argument passed into the replacement
// function with IARG_ORIG_FUNCPTR are the same.
//
AFUNPTR origptr = RTN_ReplaceSignatureProbed(rtn, AFUNPTR(NewSleep),
IARG_PROTOTYPE, proto_sleep,
IARG_ORIG_FUNCPTR,
IARG_FUNCARG_ENTRYPOINT_VALUE, 0,
IARG_RETURN_IP,
IARG_END);
cout << “The original entry point to the replaced function has been moved to 0x”;
cout << hex << ( ADDRINT ) origptr << dec << endl;
continued on following page