1
votes

I'm doing a bit of research on Intel Pin. I'm looking to see if there is a way of attaching a Pin tool to an existing process using the Pin API.

I can see there is a way of running the pin executable on an already running process using pin.exe -pid <process_id> but I can't see anything in the pin documentation.

EDIT: As per a previous comment, I'm updating the question with an example.

The problem I'm trying to solve is instrumenting an injected process (this is for malware analysis).

If the process/binary I'm instrumenting creates a child process then pin can seamlessly attach itself to said child process. Wonderful!

If, however, the process/binary I'm instrumenting injects into another process (i.e. OpenProcess > VirtualAllocEx > WriteProcessMemory > CreateRemoteThread) then Pin will NOT attach to the injected process. I need to be able to tell pin to attach dynamically at runtime.

1
It's mentioned in the command line switches; a pintool runs the same if it is started with the target program or attached to it (the code doesn't need to be different). You might have a different logic inside your pintool to see if it was started with or attached later, though. - Neitsa
@Neitsa - That's not entirely what I'm getting at. I'll update the question with an example so you can see what problem I'm trying to solve. - ben_re

1 Answer

0
votes

You'll have to implement something like that yourself - instrument the system calls and if you see an injection pattern, attach pin to the process.
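
The pattern matching this answer describes, as an added example that is not part of the original answer: a standalone C++ tracker that follows each process handle through the OpenProcess > VirtualAllocEx > WriteProcessMemory > CreateRemoteThread sequence from the question and returns the PID to hand to `pin -pid`. The `ApiCall` record, the class and function names, and the trace values are assumptions; in a real pintool the records would be filled in by hooks on those APIs.

```cpp
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// One intercepted API call (hypothetical record a pintool's hooks would fill in).
struct ApiCall {
    std::string name;  // API name
    uint64_t handle;   // process handle: OpenProcess return value, else first argument
    uint32_t pid;      // target PID, meaningful only for OpenProcess
};

class InjectionTracker {
    enum Stage { Opened, Allocated, Written, Reported };
    struct State { uint32_t pid; Stage stage; };
    std::map<uint64_t, State> handles_;  // per-handle progress through the pattern
    uint32_t self_pid_;                  // PID of the instrumented process
public:
    explicit InjectionTracker(uint32_t self_pid) : self_pid_(self_pid) {}
    // Feed one call; returns the PID to attach Pin to once the pattern completes, else 0.
    uint32_t observe(const ApiCall& c) {
        if (c.name == "OpenProcess") {  // ignore failed opens and handles to ourselves
            if (c.handle != 0 && c.pid != self_pid_) handles_[c.handle] = State{c.pid, Opened};
            return 0;
        }
        auto it = handles_.find(c.handle);
        if (it == handles_.end()) return 0;  // handle did not come from a tracked OpenProcess
        if (c.name == "CloseHandle") { handles_.erase(it); return 0; }  // handle values get reused
        Stage& st = it->second.stage;
        if (c.name == "VirtualAllocEx" && st == Opened) st = Allocated;
        else if (c.name == "WriteProcessMemory" && st == Allocated) st = Written;
        else if (c.name == "CreateRemoteThread" && st == Written) { st = Reported; return it->second.pid; }
        return 0;  // a target is reported once; repeated thread creation stays silent
    }
};

// Constructed sample trace: handle 0x1a4 completes the pattern, 0x1b0 never allocates or writes.
std::vector<uint32_t> pids_to_attach() {
    const std::vector<ApiCall> trace = {
        {"OpenProcess", 0x1a4, 4242}, {"OpenProcess", 0x1b0, 5150},
        {"VirtualAllocEx", 0x1a4, 0}, {"WriteProcessMemory", 0x1a4, 0},
        {"CreateRemoteThread", 0x1b0, 0}, {"CreateRemoteThread", 0x1a4, 0},
        {"CreateRemoteThread", 0x1a4, 0}};
    InjectionTracker tracker(1000);  // 1000: constructed PID of the sample under analysis
    std::vector<uint32_t> out;
    for (const auto& c : trace) if (uint32_t pid = tracker.observe(c)) out.push_back(pid);
    return out;
}
```

The tracker matches only the four-call sequence named in the question; a sample that reaches the same result through other calls is not reported.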