Monday, February 23, 2015

A simple PIN detection mechanism (and its circumvention)

PIN, the pintool and the application being instrumented share one address space. No libraries are shared between them, however: there are typically three copies of glibc in the address space, to avoid any unwanted interaction between the three [1]. As a result, ptrace-based anti-debugging checks do not detect PIN, even though PIN itself relies on ptrace.

A simple PIN detection mechanism is to scan /proc/self/maps and look for a mapping that belongs to the pinbin binary [2]. This can be circumvented by something as simple as renaming pinbin and creating a symbolic link to it under the name pinbin: /proc/self/maps shows the path of the file that is actually mapped, not the symlink it was started through, so the renamed binary appears under its new name and the scan finds nothing.
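The check described above, written out as an added example (this is not code from the original post): a parser for /proc/self/maps lines that looks for a file-backed mapping whose file name is exactly pinbin, applied both to the calling process and to two constructed maps excerpts, one as an unmodified PIN would show it and one after the rename-plus-symlink trick. The install path /opt/pin/intel64/bin and the new name pin-launcher are assumptions made for the sample, not anything the post specifies.

```c
#include <stdio.h>
#include <string.h>

/* Return the final component of a path ("/opt/pin/pinbin" -> "pinbin"). */
static const char *basename_of(const char *path)
{
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* Copy the pathname field of one /proc/<pid>/maps line into `out`.
 * Line format: start-end perms offset dev inode [pathname]
 * Returns 1 for a file-backed mapping, 0 for an anonymous one or a line
 * that does not parse. */
static int maps_line_path(const char *line, char *out, size_t outlen)
{
    unsigned long long start, end, offset, inode;
    char perms[8], dev[16];
    int consumed = 0;

    if (sscanf(line, "%llx-%llx %7s %llx %15s %llu%n",
               &start, &end, perms, &offset, dev, &inode, &consumed) != 6)
        return 0;

    const char *p = line + consumed;
    while (*p == ' ' || *p == '\t')
        p++;
    if (*p == '\0')
        return 0;                       /* anonymous mapping, no pathname */

    size_t n = strlen(p);
    /* An unlinked backing file is shown as "path (deleted)"; strip that. */
    static const char deleted[] = " (deleted)";
    size_t dl = sizeof deleted - 1;
    if (n > dl && memcmp(p + n - dl, deleted, dl) == 0)
        n -= dl;
    if (n >= outlen)
        n = outlen - 1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Scan maps content (one mapping per line) for a file-backed mapping whose
 * file name is exactly `name`. Returns 1 if found, 0 otherwise. The kernel
 * prints the resolved path of the mapped file, not the symlink used to
 * reach it, which is why renaming pinbin defeats this check. */
int maps_has_binary(const char *maps, const char *name)
{
    const char *cur = maps;
    while (*cur) {
        const char *nl = strchr(cur, '\n');
        size_t len = nl ? (size_t)(nl - cur) : strlen(cur);
        char line[1024], path[1024];

        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, cur, len);
        line[len] = '\0';

        if (maps_line_path(line, path, sizeof path) &&
            strcmp(basename_of(path), name) == 0)
            return 1;

        if (!nl)
            break;
        cur = nl + 1;
    }
    return 0;
}

/* Apply the check to the calling process: 1 if a pinbin mapping is present,
 * 0 if not, -1 if /proc/self/maps cannot be read. */
int pin_detected(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return -1;
    static char buf[1 << 16];           /* enough for a small process */
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return maps_has_binary(buf, "pinbin");
}

/* Constructed sample maps excerpts (not real captures; paths are assumed).
 * SAMPLE_PIN: unmodified PIN. SAMPLE_RENAMED: pinbin renamed to pin-launcher
 * and started through a symlink named pinbin. */
const char *SAMPLE_PIN =
    "00400000-00401000 r-xp 00000000 08:01 1234   /tmp/target\n"
    "7f0000000000-7f0000100000 r-xp 00000000 08:01 5678   /opt/pin/intel64/bin/pinbin\n"
    "7ffc00000000-7ffc00021000 rw-p 00000000 00:00 0      [stack]\n";

const char *SAMPLE_RENAMED =
    "00400000-00401000 r-xp 00000000 08:01 1234   /tmp/target\n"
    "7f0000000000-7f0000100000 r-xp 00000000 08:01 5678   /opt/pin/intel64/bin/pin-launcher\n"
    "7ffc00000000-7ffc00021000 rw-p 00000000 00:00 0      [stack]\n";

int main(void)
{
    printf("sample, unmodified PIN: %d\n", maps_has_binary(SAMPLE_PIN, "pinbin"));
    printf("sample, renamed pinbin: %d\n", maps_has_binary(SAMPLE_RENAMED, "pinbin"));
    printf("this process:           %d\n", pin_detected());
    return 0;
}
```

Run the binary directly and then under PIN to compare the last line; the first two lines only show, on the constructed input, that the match on the file name pinbin succeeds before the rename and fails after it, which is the whole point of the circumvention.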

