Pinitor – An API Monitor Based on Pin

In the last few days, I was thinking about finding a way to discover which native Windows APIs malware authors are most interested in. What I did was download a sample of 48k malware from the VxHeaven collection and use Rohitab's API Monitor, a sophisticated tool with which you can see what is happening inside your PE. There are other tools that do the same thing, but I almost always use Rohitab's tool.
After struggling with such tools, I found that they are not good enough for analyzing these samples: they hook everything, or they are well-known applications that some packers and protectors look for among the running processes, and if you want to debug the samples instead, there are many nasty anti-debugging techniques that are hard to bypass. So let's get rid of all of that and use instrumentation to defeat these techniques.
I created a Pin tool that has the functionality of API Monitor but is based on dynamic instrumentation with Intel's Pin, and called it "Pinitor", which stands for Pin Monitor. It detects every API call by instrumenting the target executable.
Pinitor registers a callback for one of Pin's events, so that every time a new module (e.g. a .dll) is loaded, Pin notifies it. It then searches for every exported function in that module using EnumExportedFunctions, and after that it tries to insert a call into every such function (or Windows Native API), so that every time any of these functions is called, Pinitor captures 12 arguments from the stack by default and saves them to a file.
The problem here is that I don't know a way of telling how many arguments a given function takes! As far as I know, all API Monitor applications ship with a second file (a data store) that describes every function and its arguments, so if you know any other way, please tell me in the comments!
Pinitor in its first version only works on Intel x86 systems; I will also build an x64 version of this tool whenever possible, but for now I think it should be a good tool for researching binaries.
At the bottom of the post I've added the source code so you can change it and use it for your own research, but compiling a Pin tool on Windows is really tricky! It took me more than three days to build my first Pin tool, but in the future I will prepare a blog post about how to build a Pin tool and the errors that may occur during the compilation process.

Installing

First of all, download Pin from Intel's website, then download the compiled Pinitor binaries here, and you are good to go.

How to use

After downloading Pin and Pinitor, run Pin with this tool; the following is a simple example of how to use it.

This will create a file ("MyOutput.txt") and write the results to it.

Examples

Imagine we built a native PE using the following code:
Example.cpp

After that, run Pinitor as described in "How to use".

Now you can see the result; below is a small part of Pinitor's output:

In this way, you can use Pinitor for your own binaries.

Note

You might have noticed that some of the results look wrong. I analyzed "example.exe" with a debugger and found that these results come from the application's internal calls, which are not defined as exported functions in any DLL; but as long as they are calls and have a return, Pin automatically prints them in the results. I could filter out this kind of call, but I think these calls should exist in the results. You can filter such calls and returns yourself in AddInvokeFunctionToFile by simply checking the name content: if the name is null, you can skip the rest of the operation.
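The same null-name filtering can be applied after the fact, which is also the first step toward the stated goal of ranking which APIs the malware samples call most. The script below is an added example, not part of Pinitor or the Binvoke Framework; it assumes a simple "name(arg0, arg1, ...)" line layout for MyOutput.txt (the real layout is not shown in this post) and uses constructed log text.

```python
"""Aggregate Pinitor-style API call logs across several samples (added example)."""
import re
from collections import Counter

# Assumed line format; the real Pinitor layout is not shown in the post:
#   <exported function name>(<arg0>, <arg1>, ..., <arg11>)
# Internal (non-exported) routines that Pin still records arrive with an
# empty name, exactly the case the Note above suggests filtering.
LINE_RE = re.compile(r"^(?P<name>[^\s(]*)\((?P<args>[^)]*)\)\s*$")


def parse_log(text):
    """Yield (name, [args]) for each well-formed, named call line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        name = m.group("name")
        if not name:  # internal call with no exported name: drop it
            continue
        args = [a.strip() for a in m.group("args").split(",") if a.strip()]
        yield name, args


def api_frequency(logs):
    """Count, per API, how many samples call it at least once."""
    per_sample = Counter()
    for text in logs:
        # A set per sample so a busy loop in one binary does not dominate.
        per_sample.update({name for name, _ in parse_log(text)})
    return per_sample


# Constructed sample logs standing in for two MyOutput.txt files.
SAMPLE_LOGS = [
    "CreateFileW(0x00402010, 0x80000000, 0x1, 0x0, 0x3, 0x80, 0x0)\n"
    "(0x0019ff70, 0x00401000, 0x0)\n"  # internal call, empty name
    "WriteFile(0x5c, 0x0019fe00, 0x10, 0x0019fdf0, 0x0)\n"
    "WriteFile(0x5c, 0x0019fe00, 0x20, 0x0019fdf0, 0x0)\n",
    "CreateFileW(0x00403000, 0x40000000, 0x0, 0x0, 0x2, 0x80, 0x0)\n"
    "VirtualAlloc(0x0, 0x1000, 0x3000, 0x40)\n",
]

if __name__ == "__main__":
    for name, n in api_frequency(SAMPLE_LOGS).most_common():
        print(f"{n:4d}  {name}")
```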

Contributing

We are working hard to create a binary analysis and reverse engineering framework called Binvoke; this tool and many others will be added to the Binvoke Framework, so any contribution or innovative idea will be appreciated.

Source Code

This project was done with the contribution of my best friend Sima; we have also published these tools in the Binvoke Framework as a module.


Todo:

  • Show the exact number of arguments to functions (I have no idea how, except using a list of functions with their parameter counts. If you know other ways, please tell me in the comments below.)
  • Test and publish the results of the most used functions in virus samples
  • Build such a tool for ELF binaries
  • Build an Intel64 version of Pinitor

Special thanks to Mahdi, one of my friends, who made the logo.