When I do malware analysis, I am using many tools. I would like to mention to tool called PIN developed by Intel. Obviously, it will be a tool that I have just discovered and I will use in my malware analysis. That’s why I want to share something about this.
PIN is dynamic binary analysis tool for x86/64 and MIC instruction -set architectures. I started to use it for tracing and deobfuscating malware.
As far as I searched on the internet, it was not possible to come across so much information and documentation at least for Windows side. If I talk about Linux side, you can find more information. After downloading the PIN tool to the Windows platform, you should open necessary tools with Visual Studio then you should make a compile. When you make a compile, you may get multiple errors (like me).
- PIN Tool 3.10 (Link)
- Microsoft Visual Studio (using VS 2017 Community)
- MS Windows x86/64 (tried on Windows 7 x86’da )
Firstly, I downloaded the PIN packages from the main website and unpacked it into C:\pin-3.10.
There is a many tools to use with PIN. I started to use TinyTracer developed by Polish cyber security researcher to track API calls.
Actually I would like to show every details about this tool but this developer published a good and descriptive video about it.
Assuming you will not encounter any errors, you will get output the above after compile process.
Then you use the tool with a single click. Of course, the necessary details are in the video.
The picture above shows how to output looks. Actually it is my first tool to use with PIN. You can make the appropriate tools for your needs through PIN APIs.
1- Application Instrumentation : Application Analysis with Pin – https://msdn.microsoft.com/en-us/magazine/dn818497.aspx
2- How to compile a PIN tool using Visual Studio 2017 – https://hshrzd.wordpress.com/2018/07/16/how-to-compile-a-pin-tool-using-visual-studio-2017/
3- Pin – A Dynamic Binary Instrumentation Tool – https://software.intel.com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool