by Nicolas Guigo

ICPin is an Intel pintool leveraging the framework’s JIT mode designed to track a binary’s integrity checks. It records all reads and all writes performed by the target executable or dynamically loaded library on its text section and outputs a human readable text file describing each memory access with its type (R|W) and in case of a write, the list of values successively written at that address.

Additionally, it also tracks dynamic memory allocations and outputs the address, size and disassembled instructions executed from them. While pintools are by design immune to some common anti-debug techniques, ICPin also hooks a number of system calls such as NtQueryObject and NtQueryInformationProcess and includes potential anti-debug calls as part of its output. In a similar fashion, it also records anti-debug breakpoints such as INT 3. Finally ICPin’s output includes BBL-granular backtraces for all detected occurrences.

While ICPin currently supports MS Windows environments, Intel Pintool’s portability should allow straightforward porting to *NIX systems.

ICPin is released today under a GPLv2 license and the C++ source can be found at https://www.github.com/NCCGroup/ICPin

The repository includes build instructions, visual studio project files and a sample output.

Published