|
Pin
|
Functions | |
| VOID | INS_RewriteMemoryOperand (INS ins, UINT32 memindex, REG reg) |
| VOID | INS_RewriteScatteredMemoryOperand (INS ins, UINT32 memindex) |
| VOID | INS_InsertIndirectJump (INS ins, IPOINT ipoint, REG reg) |
| VOID | INS_InsertDirectJump (INS ins, IPOINT ipoint, ADDRINT tgt) |
| VOID | INS_Delete (INS ins) |
Use these functions to modify instructions. They work for all instruction sets. For experts only!
| VOID INS_Delete | ( | INS | ins | ) |
Delete the instruction
| VOID INS_InsertDirectJump | ( | INS | ins, |
| IPOINT | ipoint, | ||
| ADDRINT | tgt | ||
| ) |
Insert a direct jump instruction relative to the given instruction When used with INS_Delete it can be used to emulate control transfer instructions.
| [in] | ins | input instruction |
| [in] | ipoint | location relative to ins (only IPOINT_BEFORE and IPOINT_AFTER are supported) |
| [in] | tgt | absolute address of the target |
Insert an indirect jump instruction relative to the given instruction. When used with INS_Delete it can be used to emulate control transfer instructions.
| [in] | ins | input instruction |
| [in] | ipoint | location relative to ins (only IPOINT_BEFORE and IPOINT_AFTER are supported) |
| [in] | reg | register holding the target |
| VOID INS_RewriteMemoryOperand | ( | INS | ins, |
| UINT32 | memindex, | ||
| REG | reg | ||
| ) |
Change this memory access instruction to reference the virtual memory location contained in the given register.
This function will generate an error for memory operands with scattered access, i.e. vgather/vscatter. In this case use INS_RewriteScatteredMemoryOperand instead.
| [in] | ins | input instruction |
| [in] | memopIdx | controls which memory operand to rewrite (0,1,...) |
| [in] | newBase | register containing the base address of the new operand which will normally be a scratch register allocated via PIN_ClaimToolRegister() |
On IA-32 and Intel64, the modified operand uses only base register addressing with the new base register newBase. Any index, scale, or offset fields from that operand in the original instruction are removed. In addition, if the original instruction's operand uses a segment override, the instruction is changed to use the default segment.
This function can be used to rewrite memory operands even when they are implicit (for instance call, ret, push, pop), though in this case the instruction may ultimately be replaced by a sequence of instructions which achieve the same effect. (This is transparent to instrumentation, which continues to see the original instruction).
The only instruction which cannot be rewritten is enter with a second operand > 0.
Note that the address in newBase is always the lowest address which will be accessed by this operand. This is consistent with the way in which Pin returns addresses in IARG_*_EA, but means that if the operand is modified by the instruction before the memory access occurs (for instance a push instruction), the value in newBase will not be the value in the stack pointer, but the address of the memory which is accessed by the instruction.
This can also be confusing for xlat; where the value of newBase is the address from which data is loaded, not the address of the base of the translation table. (Again, this is consistent with the IARG_*_EA which Pin will report for an xlat operation).
Similarly for the bt,btc,btr and bts insructions, if the bit index is larger than the operand size (so that parts of the bit index affect the EA), they are included in Pin's normal EA calculation. In this case, Pin automatically masks the bit index operand so that it only includes the index within the addressed unit of memory. This ensures that your address manipulation function need only consider the translation of the EA, it does not have to worry about additional offsets generated by the bit index operand of these instructions. (This is equivalent to saying that if you replace all memory operands, but use an address computation function that simply returns the original EA, the code will continue to execute correctly).
Please note the analysis routine that is used for setting the rewritten address must be called last among all the IPOINT_BEFORE analysis routines for this instruction (IARG_CALL_ORDER, CALL_ORDER_LAST). The reason is so that the register used to store the rewritten address will not get accidentally rewritten with another value by another analysis routine. The actual rewrite happens just before executing the instruction, so the value of the register containing the rewritten address must remain intact.
The canonical instrumentation code for memory address rewriting now looks something like this
There is no need to handle any instructions specially.
| VOID INS_RewriteScatteredMemoryOperand | ( | INS | ins, |
| UINT32 | memindex | ||
| ) |
Change this memory access instruction to reference the virtual memory location previously configured by an analysis routine. This function is supported only for memory operands with scattered access (vscatter/vgather), and will generate an error for all other instructions. For other instructions use INS_RewriteMemoryOperand instead.
Call INS_HasScatteredMemoryAccess to check if this function can be used for an instruction.
| [in] | ins | input instruction |
| [in] | memopIdx | controls which memory operand to rewrite (0,1,...) |
In order to rewrite a vscatter/vgather memory operand, two calls are required:
(1) A call to this function
(2) An IPOINT_BEFORE analysis routine with IARG_REWRITE_SCATTERED_MEMOP that will set the new addresses.
If (1) is missing then the (2) will still execute as it may perform other tasks other than rewrite.
However no rewrite will be executed and the addresses set by the analysis routine will not be used.
If (2) is missing then there will be no rewrite.
The canonical instrumentation code for scattered access memory rewriting now looks something like this
1.8.17