Reno Robert / Data Structure Discovery using PIN

README

This is a POC tool to discover data structures in a stripped ELF binary using the Intel PIN Dynamic Binary Instrumentation Framework and PyGraphviz.

PIN Tool

The structtrace.so PIN tool generates a trace file of all heap-based allocations and of every memory access to the allocated regions.

$ pin -t structtrace.so -- program

Trace File

$ cat StructTrace | head
.data[0x804a020,0x8]
.bss[0x804a028,0x4]
0x8048557@malloc[0xc]
ret[0x95cf008]
0x8048564 @mov dword ptr [eax+0x4], 0x0               : WRIMM MEM[0x95cf00c] VAL[0]
0x8048576 @mov dword ptr [eax+0x8], edx               : WRREG MEM[0x95cf010] VAL[0]
0x8048582 @mov dword ptr [edx], eax                   : WRREG MEM[0x95cf008] VAL[0x6b8b4567]

Graph

The structgraph.py script uses PyGraphviz to generate a memory access graph from the trace file produced by the PIN tool.

$ python structgraph.py -h
usage: structgraph.py [-h] --filename FILENAME [--bss] [--relink]
                       [--nullwrite]

Generate memory access graph

optional arguments:
  -h, --help           show this help message and exit
  --filename FILENAME  Pin trace file
  --bss                Track data/bss section
  --relink             Enable relink
  --nullwrite          Enable nullwrite, this could be useful with relink

$ python structgraph.py --filename StructTrace
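To show how the StructTrace format above maps back to a structure layout, here is a small parser added as an example; it is not structgraph.py or any code from the project. It reads the line formats shown in the excerpt, attributes each access to the heap chunk or section that contains it, infers field widths from the operand size, and flags a field as a pointer when a written value equals another region's base (an assumed reading of what `--relink` does). The sample trace copies the README excerpt and appends three constructed lines for a second chunk.

```python
import re

# Line formats taken from the StructTrace excerpt in the README above.
SECTION_RE = re.compile(r"^\.(\w+)\[(0x[0-9a-f]+),(0x[0-9a-f]+)\]$")
ALLOC_RE = re.compile(r"^(0x[0-9a-f]+)@(\w+)\[(0x[0-9a-f]+)\]$")
RET_RE = re.compile(r"^ret\[(0x[0-9a-f]+)\]$")
ACCESS_RE = re.compile(r"^(0x[0-9a-f]+) @(.+?)\s*:\s*(\w+) MEM\[(0x[0-9a-f]+)\] VAL\[(\w+)\]$")
WIDTH_RE = re.compile(r"\b(byte|word|dword|qword) ptr")
WIDTHS = {"byte": 1, "word": 2, "dword": 4, "qword": 8}

# First seven lines copy the README excerpt; the last three are constructed to add a
# second chunk whose first field holds a pointer to the first chunk (the relink case).
SAMPLE_TRACE = """\
.data[0x804a020,0x8]
.bss[0x804a028,0x4]
0x8048557@malloc[0xc]
ret[0x95cf008]
0x8048564 @mov dword ptr [eax+0x4], 0x0               : WRIMM MEM[0x95cf00c] VAL[0]
0x8048576 @mov dword ptr [eax+0x8], edx               : WRREG MEM[0x95cf010] VAL[0]
0x8048582 @mov dword ptr [edx], eax                   : WRREG MEM[0x95cf008] VAL[0x6b8b4567]
0x80485a0@malloc[0x8]
ret[0x95cf018]
0x80485b0 @mov dword ptr [eax], ebx                   : WRREG MEM[0x95cf018] VAL[0x95cf008]
"""


def parse_trace(text):
    """Return regions (sections and heap chunks) with the fields accessed inside each."""
    regions, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION_RE.match(line):
            regions.append({"name": "." + m[1], "base": int(m[2], 16), "size": int(m[3], 16), "fields": {}})
        elif m := ALLOC_RE.match(line):  # call site and size; the chunk address follows in ret[]
            pending = {"name": f"{m[2]}@{m[1]}", "size": int(m[3], 16), "fields": {}}
        elif (m := RET_RE.match(line)) and pending:
            regions.append({**pending, "base": int(m[1], 16)})
            pending = None
        elif m := ACCESS_RE.match(line):
            addr, val = int(m[4], 16), int(m[5], 16)
            width = WIDTHS[w[1]] if (w := WIDTH_RE.search(m[2])) else 1  # operand size => field width
            for r in regions:  # attribute the access to the region that contains addr
                if r["base"] <= addr < r["base"] + r["size"]:
                    r["fields"].setdefault(addr - r["base"], {"width": width, "values": []})["values"].append(val)
    return regions


def describe(regions):
    """Map region base -> sorted (offset, width, points_to_another_region) tuples."""
    bases = {r["base"] for r in regions}
    return {r["base"]: [(off, f["width"], any(v in bases for v in f["values"]))
                        for off, f in sorted(r["fields"].items())] for r in regions}
```

Running `describe(parse_trace(SAMPLE_TRACE))` reports the 0xc-byte chunk as three 4-byte fields at offsets 0, 4 and 8, and the constructed second chunk as a single pointer field.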