This is a POC tool to discover data structures in stripped ELF binaries using the Intel PIN dynamic binary instrumentation framework and PyGraphviz.

PIN Tool

The PIN tool generates a trace file of all heap-based allocations and of every memory access to the allocated regions.

$ pin -t -- program

Trace File

$ cat StructTrace | head
0x8048564 @mov dword ptr [eax+0x4], 0x0               : WRIMM MEM[0x95cf00c] VAL[0]
0x8048576 @mov dword ptr [eax+0x8], edx               : WRREG MEM[0x95cf010] VAL[0]
0x8048582 @mov dword ptr [edx], eax                   : WRREG MEM[0x95cf008] VAL[0x6b8b4567]

Each line records the instruction address and its disassembly, the access kind (as the examples show, WRIMM for a write of an immediate and WRREG for a write from a register), the accessed address (MEM) and the value written (VAL). Accesses to the same allocation therefore show up as a set of small offsets from a common base, which is what the graph generator uses to recover field layout.

The Python script uses PyGraphviz to generate a memory access graph from the trace file produced by the PIN tool.

$ python -h
usage: [-h] --filename FILENAME [--bss] [--relink] [--nullwrite]

Generate memory access graph

optional arguments:
  -h, --help           show this help message and exit
  --filename FILENAME  Pin trace file
  --bss                Track data/bss section
  --relink             Enable relink
  --nullwrite          Enable nullwrite, this could be useful with relink

$ python --filename StructTrace
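The following is an added example, not the project's own script, showing how the trace format above can be turned into a structure graph: it parses trace lines, groups writes by heap chunk, infers field offsets and widths, links a field to another chunk when the written value points into it (the idea behind --relink), and emits DOT text that PyGraphviz or the dot binary can render. The allocation table and the extra trace lines are constructed for the example; the real PIN tool records allocations itself, and the handling of zero writes is my interpretation of --nullwrite, not necessarily the tool's.

```python
"""Added example (not the project's code): parse PIN trace lines in the
format shown in the README, group writes by heap chunk, infer field
layout and pointer fields, and emit a DOT graph."""
import re
from collections import defaultdict

TRACE_RE = re.compile(
    r"^(?P<ip>0x[0-9a-fA-F]+)\s+@(?P<disasm>.*?)\s*:\s*"
    r"(?P<kind>[A-Z]+)\s+MEM\[(?P<mem>0x[0-9a-fA-F]+)\]\s+"
    r"VAL\[(?P<val>0x[0-9a-fA-F]+|\d+)\]\s*$"
)
WIDTHS = {"byte": 1, "word": 2, "dword": 4, "qword": 8}

# Constructed trace: the three README lines plus a second node of the same
# layout, written the way a linked-list insert would write it.
SAMPLE_TRACE = """\
0x8048564 @mov dword ptr [eax+0x4], 0x0               : WRIMM MEM[0x95cf00c] VAL[0]
0x8048576 @mov dword ptr [eax+0x8], edx               : WRREG MEM[0x95cf010] VAL[0]
0x8048582 @mov dword ptr [edx], eax                   : WRREG MEM[0x95cf008] VAL[0x6b8b4567]
0x8048564 @mov dword ptr [eax+0x4], 0x0               : WRIMM MEM[0x95cf01c] VAL[0]
0x8048576 @mov dword ptr [eax+0x8], edx               : WRREG MEM[0x95cf020] VAL[0x95cf008]
0x8048582 @mov dword ptr [edx], eax                   : WRREG MEM[0x95cf018] VAL[0x327b23c6]
"""
# Constructed allocation table (base, usable size): two malloc(12) chunks.
# The real tool gets this from its allocation hooks.
SAMPLE_CHUNKS = [(0x95cf008, 12), (0x95cf018, 12)]


def parse_trace_line(line):
    """Return a dict for one trace line, or None if it does not match."""
    m = TRACE_RE.match(line.strip())
    if not m:
        return None
    wm = re.search(r"\b(byte|word|dword|qword) ptr\b", m["disasm"])
    return {"ip": int(m["ip"], 16), "disasm": m["disasm"].strip(),
            "kind": m["kind"], "mem": int(m["mem"], 16),
            "val": int(m["val"], 0), "width": WIDTHS[wm.group(1)] if wm else 4}


def chunk_for(addr, chunks):
    """Base of the chunk containing addr, or None."""
    for base, size in chunks:
        if base <= addr < base + size:
            return base
    return None


def build_layout(trace_text, chunks, relink=True, nullwrite=False):
    """Map chunk base -> {offset: field}.  With relink, a field whose written
    value falls inside another chunk becomes a pointer to it.  With nullwrite
    (my interpretation), a zero written at an offset that is a pointer in
    another chunk of the same size is labelled a NULL pointer (list tail)."""
    layout = defaultdict(dict)
    for line in trace_text.splitlines():
        rec = parse_trace_line(line)
        if rec is None:
            continue
        base = chunk_for(rec["mem"], chunks)
        if base is None:
            continue  # not a tracked heap write (stack, .data/.bss, ...)
        off = rec["mem"] - base
        f = layout[base].setdefault(off, {"width": rec["width"], "values": [], "ptr_to": None})
        f["values"].append(rec["val"])
        if relink and rec["val"] != 0 and chunk_for(rec["val"], chunks) is not None:
            f["ptr_to"] = chunk_for(rec["val"], chunks)
    if relink and nullwrite:
        sizes = dict(chunks)
        ptr_offsets = defaultdict(set)  # chunk size -> offsets known to hold pointers
        for base, fields in layout.items():
            for off, f in fields.items():
                if f["ptr_to"] is not None:
                    ptr_offsets[sizes[base]].add(off)
        for base, fields in layout.items():
            for off, f in fields.items():
                if f["ptr_to"] is None and off in ptr_offsets[sizes[base]] and 0 in f["values"]:
                    f["ptr_to"] = 0  # NULL pointer
    return dict(layout)


def to_dot(layout):
    """Render chunks as DOT record nodes; pointer fields become edges."""
    lines = ["digraph heap {", "  node [shape=record];"]
    for base in sorted(layout):
        cells = []
        for off in sorted(layout[base]):
            f = layout[base][off]
            kind = "ptr" if f["ptr_to"] is not None else "u%d" % (f["width"] * 8)
            cells.append("<f%d> +0x%x: %s" % (off, off, kind))
        lines.append('  n%x [label="{0x%x|%s}"];' % (base, base, "|".join(cells)))
    for base in sorted(layout):
        for off, f in sorted(layout[base].items()):
            if f["ptr_to"]:  # 0 (NULL) draws no edge
                lines.append("  n%x:f%d -> n%x;" % (base, off, f["ptr_to"]))
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_dot(build_layout(SAMPLE_TRACE, SAMPLE_CHUNKS, nullwrite=True)))
```

On the constructed input this yields two 12-byte nodes with fields at +0x0 and +0x4 (u32) and +0x8 (ptr), the second node's +0x8 pointing at the first and the first node's +0x8 labelled as a NULL pointer, i.e. the shape of a singly linked list. The DOT text can be handed to pygraphviz.AGraph(string=...) for rendering; building the string by hand keeps the example free of the Graphviz C library dependency.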