Pin

Functions
VOID INS_RewriteMemoryOperand (INS ins, UINT32 memindex, REG reg)
VOID INS_InsertIndirectJump (INS ins, IPOINT ipoint, REG reg)
VOID INS_InsertDirectJump (INS ins, IPOINT ipoint, ADDRINT tgt)
VOID INS_Delete (INS ins)
Use these functions to modify instructions. They work for all instruction sets. For experts only!
VOID INS_Delete (INS ins)
Delete the instruction.
VOID INS_InsertDirectJump (INS ins, IPOINT ipoint, ADDRINT tgt)
Insert a direct jump instruction relative to the given instruction. When used with INS_Delete it can be used to emulate control transfer instructions.
Parameters
    [in] ins     input instruction
    [in] ipoint  location relative to ins (only IPOINT_BEFORE and IPOINT_AFTER are supported)
    [in] tgt     absolute address of the target
VOID INS_InsertIndirectJump (INS ins, IPOINT ipoint, REG reg)
Insert an indirect jump instruction relative to the given instruction. When used with INS_Delete it can be used to emulate control transfer instructions.
Parameters
    [in] ins     input instruction
    [in] ipoint  location relative to ins (only IPOINT_BEFORE and IPOINT_AFTER are supported)
    [in] reg     register holding the target
VOID INS_RewriteMemoryOperand (INS ins, UINT32 memindex, REG reg)
Change this memory access instruction to reference the virtual memory location contained in the given register.
Parameters
    [in] ins       input instruction
    [in] memopIdx  controls which memory operand to rewrite (0,1,...)
    [in] newBase   register containing the base address of the new operand, which will normally be a scratch register allocated via PIN_ClaimToolRegister()
On IA-32 and Intel64, the modified operand uses only base register addressing with the new base register newBase. Any index, scale, or offset fields from that operand in the original instruction are removed. In addition, if the original instruction's operand uses a segment override, the instruction is changed to use the default segment.
This function can be used to rewrite memory operands even when they are implicit (for instance call, ret, push, pop), though in this case the instruction may ultimately be replaced by a sequence of instructions which achieve the same effect. (This is transparent to instrumentation, which continues to see the original instruction).
The only instruction which cannot be rewritten is enter with a second operand > 0.
Note that the address in newBase is always the lowest address which will be accessed by this operand. This is consistent with the way in which Pin returns addresses in IARG_*_EA, but means that if the operand is modified by the instruction before the memory access occurs (for instance a push instruction), the value in newBase will not be the value in the stack pointer, but the address of the memory which is accessed by the instruction.
This can also be confusing for xlat; where the value of newBase is the address from which data is loaded, not the address of the base of the translation table. (Again, this is consistent with the IARG_*_EA which Pin will report for an xlat operation).
Similarly, for the bt, btc, btr and bts instructions, if the bit index is larger than the operand size (so that parts of the bit index affect the EA), they are included in Pin's normal EA calculation. In this case, Pin automatically masks the bit index operand so that it only includes the index within the addressed unit of memory. This ensures that your address manipulation function need only consider the translation of the EA; it does not have to worry about additional offsets generated by the bit index operand of these instructions. (This is equivalent to saying that if you replace all memory operands, but use an address computation function that simply returns the original EA, the code will continue to execute correctly.)
The canonical instrumentation code for memory address rewriting now looks something like this:
There is no need to handle any instructions specially.
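The rewriting loop the text refers to, written out as an added example rather than the snippet from the Pin documentation. The address translation is plain C++ so it can be built and tested without Pin; the instrumentation routine and main() compile only under an assumed PIN_TOOL_BUILD macro against pin.H. The guarded-window-to-shadow redirection, the address constants and the names ConfigureWindow and TranslateEA are constructed for this example.

```cpp
#ifdef PIN_TOOL_BUILD   // assumed macro: set when compiling as a Pin tool against pin.H
#include "pin.H"
#else
#include <cstdint>
typedef std::uintptr_t ADDRINT;  // stand-in so the translation logic builds and runs without Pin
#endif

// Constructed scenario: accesses inside a guarded window are redirected to a tool-owned
// shadow copy; every other address passes through unchanged (the identity mapping).
static ADDRINT guardBase = 0, guardSize = 0, shadowBase = 0;

static void ConfigureWindow(ADDRINT base, ADDRINT size, ADDRINT shadow)
{
    guardBase = base; guardSize = size; shadowBase = shadow;
}

// Analysis routine: receives the lowest address the operand will touch (IARG_MEMORYOP_EA)
// and returns the base the rewritten operand must use (delivered via IARG_RETURN_REGS).
// Unsigned subtraction folds the range test into one compare; addresses below guardBase
// wrap and fail it. An access that straddles the window end is redirected by its first
// byte only, so size the window and shadow region so that cannot happen.
static ADDRINT TranslateEA(ADDRINT ea)
{
    if (ea - guardBase < guardSize) return shadowBase + (ea - guardBase);
    return ea;
}

#ifdef PIN_TOOL_BUILD
static REG scratchReg;
// One loop over all memory operands; push/pop/xlat/bt* need no special cases because Pin
// already normalises what it reports in IARG_MEMORYOP_EA (see the notes above).
static VOID Instruction(INS ins, VOID*)
{
    for (UINT32 i = 0; i < INS_MemoryOperandCount(ins); i++)
    {
        INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(TranslateEA), IARG_MEMORYOP_EA, i,
                       IARG_RETURN_REGS, scratchReg, IARG_END);
        INS_RewriteMemoryOperand(ins, i, scratchReg);
    }
}

int main(int argc, char* argv[])
{
    if (PIN_Init(argc, argv)) return 1;
    scratchReg = PIN_ClaimToolRegister();       // scratch register that holds the new base
    if (!REG_valid(scratchReg)) return 1;
    ConfigureWindow(0x10000, 0x1000, 0x20000);  // constructed addresses; a real tool reads KNOBs
    INS_AddInstrumentFunction(Instruction, 0);
    PIN_StartProgram();                         // never returns
    return 0;
}
#endif
```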