An unpacker for Windows executables exploiting the capabilities of PIN.

- Download the linked version of PIN
- Unzip PIN to the root directory and rename the folder to pin
- Clone this repository
- Extract the archive in PINdemonium/ScyllaDependencies/diStorm.rar into PINdemonium/Scylla/
- Extract the archive in PINdemonium/ScyllaDependencies/tinyxml.rar into PINdemonium/Scylla/
- Extract the archive in PINdemonium/ScyllaDependencies/WTL.rar into PINdemonium/Scylla/WTL/
- Open the file PinUnpacker.sln with Visual Studio 2010 (NB: this version is mandatory)
- Set your IDA Pro (idaw.exe) path in Config.cpp (const Log::IDA_PATH)
- Copy the folders PINdemonium\PINdemoniumDependencies and PINdemonium\PINdemoniumResults into C:\pin\
- Be sure that you are compiling in Release mode
- Be sure that all the modules inside the project are compiled using the platform toolset v100 (you can check this by right-clicking the module -> Properties -> Platform Toolset field)
- Compile the solution
- Optional: create a folder called PINdemoniumPlugins in C:\pin\
After these steps the C:\pin\ directory should look like this:

```
C:\
\---pin
    +---source
    +---PINdemoniumResults
    +---PINdemoniumDependencies
    |       badImportsChecker.py
    |       badImportsList.txt
    |       dumperSelector.py
    |   \---Scylla
    |       +---ScyllaDLLRelease
    |       |       ScyllaDLLx86.dll
    |       +---ScyllaDLLDebug
    |       |       ScyllaDLLx86.dll
    |       \---ScyllaDumper.exe
    +---PINdemoniumPlugins
    \---PINdemonium.dll
```
Run this command from the directory C:\pin\:

```
pin -t PINdemonium.dll [-flags] -- <path_to_the_exe_to_be_instrumented>
```

Flags :

- -iwae <number_of_jump_to_dump> : specify whether to track the inter_write_set analysis dumps and how many jumps to dump
- -poly-patch : if the binary you are analyzing has some kind of polymorphic behavior, this activates the patch that prevents PIN from executing the wrong trace
- -plugin <name_of_the_plugin> : specify a custom plugin to call if the IAT fix fails (more information in the plugin system section below)

Check your results in C:\pin\PINdemoniumResults\<current_date_and_time>\
PINdemonium provides a plugin system in order to extend the functionalities of the IAT fixing module.

To write your own plugin you have to:

- Copy the sample project called PINdemoniumPluginTemplate located in PINdemonium\PINdemoniumPlugins\ wherever you want
- Change the name of the project to a name of your choice
- Implement the function runPlugin
- Compile the project
- Copy the compiled DLL into C:\pin\PINdemoniumPlugins
- Launch PINdemonium with the plugin flag followed by your plugin name (EX: -plugin PINdemoniumStolenAPIPlugin.dll)

Inside the template two helper functions are provided:

- readMemoryFromProcess : reads the memory of the specified process at the specified address and copies the read bytes into a buffer
- writeMemoryToProcess : writes the bytes contained inside a specified buffer into the process memory starting from the specified address
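The following is an added illustration of how a plugin built on those two helpers should treat their results; it is not the template's own code. The runPlugin signature, the helper signatures and the FakeProcess type are assumptions, and the process memory is a constructed in-memory stand-in so the sample compiles and runs without PIN or a target process. What it demonstrates is the read-check-write-verify pattern: every helper result is length-checked before it is trusted, because a read that crosses the end of a mapped region comes back short instead of failing outright.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <map>
#include <vector>

// Constructed stand-in for the instrumented process's address space: a map
// from region base address to the bytes mapped there. A real plugin would
// call the template's helpers against the live process instead of this.
struct FakeProcess {
    std::map<uint64_t, std::vector<uint8_t>> regions;
};

// Locate the mapped region containing addr; returns nullptr when unmapped.
static std::vector<uint8_t>* findRegion(FakeProcess& p, uint64_t addr, uint64_t& base) {
    auto it = p.regions.upper_bound(addr);
    if (it == p.regions.begin()) return nullptr;
    --it;
    if (addr >= it->first + it->second.size()) return nullptr;
    base = it->first;
    return &it->second;
}

// Assumed contract for readMemoryFromProcess: copy up to nSize bytes starting
// at addr into buf and return how many bytes were actually copied. A read
// that runs past the end of a mapped region is truncated, so callers must
// check the return value instead of trusting nSize.
size_t readMemoryFromProcess(FakeProcess& p, uint64_t addr, void* buf, size_t nSize) {
    uint64_t base = 0;
    std::vector<uint8_t>* r = findRegion(p, addr, base);
    if (r == nullptr) return 0;
    size_t off = static_cast<size_t>(addr - base);
    size_t n = std::min(nSize, r->size() - off);
    std::memcpy(buf, r->data() + off, n);
    return n;
}

// Assumed contract for writeMemoryToProcess: the mirror of the read helper,
// returning the number of bytes actually written.
size_t writeMemoryToProcess(FakeProcess& p, uint64_t addr, const void* buf, size_t nSize) {
    uint64_t base = 0;
    std::vector<uint8_t>* r = findRegion(p, addr, base);
    if (r == nullptr) return 0;
    size_t off = static_cast<size_t>(addr - base);
    size_t n = std::min(nSize, r->size() - off);
    std::memcpy(r->data() + off, buf, n);
    return n;
}

// Assumed signature for runPlugin, invoked when the automatic IAT fix fails.
// This version repairs one 32-bit IAT slot that should contain `expected`:
// read the slot, write only if it differs, then read back to confirm the
// write landed. Every helper result is length-checked before it is trusted.
bool runPlugin(FakeProcess& p, uint64_t iatSlot, uint32_t expected) {
    uint32_t current = 0;
    if (readMemoryFromProcess(p, iatSlot, &current, sizeof current) != sizeof current) return false;
    if (current == expected) return true;
    if (writeMemoryToProcess(p, iatSlot, &expected, sizeof expected) != sizeof expected) return false;
    uint32_t check = 0;
    if (readMemoryFromProcess(p, iatSlot, &check, sizeof check) != sizeof check) return false;
    return check == expected;
}

// Constructed sample: a 16-byte IAT region at 0x401000 whose first slot still
// holds a placeholder value (constructed, not taken from any real binary).
FakeProcess makeSampleProcess() {
    FakeProcess p;
    p.regions[0x401000] = std::vector<uint8_t>(16, 0);
    uint32_t placeholder = 0xDEADBEEF;
    std::memcpy(p.regions[0x401000].data(), &placeholder, sizeof placeholder);
    return p;
}

// Reads back the first IAT slot of the sample process.
uint32_t firstSlot(FakeProcess& p) {
    uint32_t v = 0;
    readMemoryFromProcess(p, 0x401000, &v, sizeof v);
    return v;
}

int main() {
    FakeProcess p = makeSampleProcess();
    bool ok = runPlugin(p, 0x401000, 0x77E51234u);  // constructed target address
    return (ok && firstSlot(p) == 0x77E51234u) ? 0 : 1;
}
```

The short-read behaviour is the point of the length checks: a slot that straddles the end of a mapped region yields fewer bytes than requested, and a plugin that ignored the return value would act on a half-filled buffer.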