Monday, February 23, 2015

A simple PIN detection mechanism (and its circumvention)

PIN, the pintool and the application being instrumented share one address space. However, no libraries are shared: there are typically 3 copies of glibc in the address space, precisely to avoid any unwanted interaction between the three [1]. As a result, ptrace-based anti-debugging checks do not detect PIN, even though PIN itself relies on ptrace.

A simple PIN detection mechanism would be to scan /proc/self/maps and look for a page belonging to the pinbin binary [2]. This can be circumvented by something as simple as renaming pinbin to something else and creating a symbolic link to it under the name pinbin: the maps file reports the resolved path of the mapped file, not the name of the symlink it was launched through.
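As an added illustration (my own code, not the gist's), here is the maps scan described above in C: one function parses maps text for a mapping whose basename is pinbin, and a wrapper applies it to the live /proc/self/maps. The sample maps text and the path /opt/pin/intel64/bin/pinbin are constructed for the example and assume nothing about a real installation.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample maps text (not a real capture) with pinbin mapped. */
static const char SAMPLE_MAPS[] =
    "00400000-00401000 r-xp 00000000 08:01 1 /home/user/a.out\n"
    "7f0000000000-7f0000100000 r-xp 00000000 08:01 2 /opt/pin/intel64/bin/pinbin\n"
    "7ffff7dd0000-7ffff7df0000 rw-p 00000000 00:00 0 [heap]\n";

/* Return 1 if a maps dump maps a file whose basename equals `name`. Only the
 * pathname column contains '/', so the last slash starts the basename and
 * "[heap]"-style lines are skipped. The kernel prints the resolved path, so
 * a "pinbin" symlink to a renamed binary shows the real name: no match. */
int maps_has_basename(const char *maps, const char *name)
{
    size_t nlen = strlen(name);
    const char *line = maps;
    while (*line) {
        const char *end = strchr(line, '\n');
        const char *p, *base = NULL;
        if (!end) end = line + strlen(line);
        for (p = line; p < end; p++)
            if (*p == '/') base = p + 1;
        if (base) {
            const char *stop = (const char *)memchr(base, ' ', (size_t)(end - base));
            if (!stop) stop = end;              /* strips " (deleted)" */
            if ((size_t)(stop - base) == nlen && memcmp(base, name, nlen) == 0)
                return 1;
        }
        line = *end ? end + 1 : end;
    }
    return 0;
}

/* The live check from the post: scan this process's own maps; -1 if unreadable. */
int pin_is_mapped(const char *name)
{
    static char buf[1 << 16];                   /* longer maps files are truncated */
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return maps_has_basename(buf, name);
}

int main(void)
{
    printf("sample: %d  live: %d\n", maps_has_basename(SAMPLE_MAPS, "pinbin"), pin_is_mapped("pinbin"));
    return 0;
}
```

Run outside PIN the live result is 0; run under PIN with an unmodified kit it is 1, and with the renamed-binary-plus-symlink trick it drops back to 0.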


[1] http://www.cs.virginia.edu/kim/courses/cs851/papers/luk05pin.pdf
[2] https://gist.github.com/eQu1NoX/529e7dc69b8f4b3bb5e4