Project Description

Trace And Watch (TraceAndWatch) is a Pintool developed to assist in finding 32-bit integer errors.

The tool watches for a user-specified value while the target executes. When the value is found in a register, or at a memory location that is being read by an instruction, the tool writes the program state information to the log file.

Here is an example bug found with the use of this tool.

Arguments:

-o <filename>          - specify output log filename, default: TraceAndWatch.log
-v <hex value>         - specify value to watch, default: 0x41414141
-wf <flags>            - specify the watch flags, default: 1
-lf <flags>            - specify the log flags, default: 0
-if <flags>            - specify the image flags, default: 1
-r <0|1>               - specify whether only relevant instructions are logged, default: 0
-m <module>            - specify module to restrict instrumentation to
-d <path>              - specify the path of the dump files
-filter_no_shared_libs - do not instrument shared libraries


Watch Flags:

1 Watch registers
2 Watch memory reads


Log Flags:

1 Log stack dump 


Image Flags: 

1 Image
2 No Image

 

Example Usage #1

C:\Work>..\Pin\ia32\bin\pin.exe -pid 153460 -t C:\Work\TraceAndWatch.dll -o C:\Work\firefox.log -m NPSWF -wf 3 -v 0x41414141


Example Usage #2

C:\Work>..\Pin\ia32\bin\pin.exe -t C:\Work\TraceAndWatch.dll -v 0x41414141 -wf 3 -lf 1 -filter_no_shared_libs -- c:\Work\flashplayer_12_sa.exe
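
What `-wf 3 -v 0x41414141` in the usage lines above asks for, modelled on a constructed three-instruction trace. This is an added example, not TraceAndWatch source code; the `TraceEvent` layout, the function names, and the reading of the watch flags as combinable bits (inferred from `-wf 3`) are assumptions.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Flag values as listed on this page; treating them as combinable bits is an assumption.
constexpr uint32_t WATCH_REGISTERS = 1, WATCH_MEMORY_READS = 2;

// One executed instruction in a constructed trace (hypothetical record layout).
struct TraceEvent {
    uint32_t address;     // instruction address
    uint32_t regs[8];     // eax, ecx, edx, ebx, esp, ebp, esi, edi
    bool hasMemoryRead;   // true if the instruction reads memory
    uint32_t memoryRead;  // value read, valid only when hasMemoryRead is true
};

static const char* const REG_NAMES[8] = {"eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"};

// Returns where the watched value was seen ("eax", "mem", ...); empty means no hit.
std::vector<std::string> watchHits(const TraceEvent& ev, uint32_t value, uint32_t wf) {
    std::vector<std::string> hits;
    if (wf & WATCH_REGISTERS)
        for (int i = 0; i < 8; ++i)
            if (ev.regs[i] == value) hits.push_back(REG_NAMES[i]);
    if ((wf & WATCH_MEMORY_READS) && ev.hasMemoryRead && ev.memoryRead == value)
        hits.push_back("mem");
    return hits;
}

// Constructed trace: the marker is read from memory, then sits in eax, then is
// multiplied by 8 so the 32-bit result wraps and the marker is no longer visible.
std::vector<TraceEvent> sampleTrace() {
    const uint32_t marker = 0x41414141u, sp = 0x0012ff00u, bp = 0x0012ff40u;
    return {
        {0x00401000u, {0, 0, 0, 0, sp, bp, 0, 0}, true, marker},
        {0x00401003u, {marker, 0, 0, 0, sp, bp, 0, 0}, false, 0},
        {0x00401006u, {marker * 8u, 0, 0, 0, sp, bp, 0, 0}, false, 0},
    };
}

// Addresses of the events that would be logged for the given value and watch flags.
std::vector<uint32_t> loggedAddresses(uint32_t value, uint32_t wf) {
    std::vector<uint32_t> out;
    for (const TraceEvent& ev : sampleTrace())
        if (!watchHits(ev, value, wf).empty()) out.push_back(ev.address);
    return out;
}
int main() { for (uint32_t a : loggedAddresses(0x41414141u, 3)) std::printf("hit at 0x%08x\n", a); }
```

In the third event the watched value has passed through 32-bit arithmetic and wrapped to 0x0A0A0A08, so it no longer matches. The last logged hit before that point is where to start reviewing the arithmetic.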


Build Instructions
Open the solution file (TraceAndWatch.sln) in Visual Studio 2010.
Download Pin Framework and copy it to the folder called Pin.
Select Win32 and Release in the Configuration Manager.
Build the project. You should find TraceAndWatch.dll in the Release folder.

Limitation
This tool works on Windows 32-bit only.

Blog
Reversing on Windows

Last edited Aug 14, 2014 at 2:48 PM by AttilaSuszter, version 17