[FEATURE] Followed the child process unconditionally (whenever enable…

…d from commandline). Changed the name of the log file
hasherezade · Dec 15, 2024 · b76d6b1 · b76d6b1
1 parent e9cc3c3
commit b76d6b1
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 54 deletions.
diff --git a/Settings.cpp b/Settings.cpp
@@ -8,7 +8,6 @@
 #define DELIM '='
 
 #define KEY_FOLLOW_SHELLCODES           "FOLLOW_SHELLCODES"
-#define KEY_FOLLOW_CHILDPROCESSES       "FOLLOW_CHILDPROCESSES"
 #define KEY_LOG_RTDSC                   "TRACE_RDTSC"
 #define KEY_LOG_INT                     "TRACE_INT"
 #define KEY_LOG_SYSCALL                 "TRACE_SYSCALL"
@@ -132,10 +131,6 @@ bool fillSettings(Settings &s, const std::string &line)
         s.followShellcode = ConvertShcOption(val);
         isFilled = true;
     }
-    if (util::iequals(valName, KEY_FOLLOW_CHILDPROCESSES)) {
-        s.followChildprocesses = loadBoolean(valStr);
-        isFilled = true;
-    }
     if (util::iequals(valName, KEY_LOG_RTDSC)) {
         s.traceRDTSC = loadBoolean(valStr);
         isFilled = true;
@@ -255,7 +250,6 @@ bool Settings::saveINI(const std::string &filename)
         return false;
     }
     myfile << KEY_FOLLOW_SHELLCODES << DELIM << this->followShellcode << "\r\n";
-    myfile << KEY_FOLLOW_CHILDPROCESSES << DELIM << this->followChildprocesses << "\r\n";
     myfile << KEY_LOG_RTDSC << DELIM << booleanToStr(this->traceRDTSC) << "\r\n";
     myfile << KEY_LOG_INT << DELIM << booleanToStr(this->traceINT) << "\r\n";
     myfile << KEY_LOG_SYSCALL << DELIM << booleanToStr(this->traceSYSCALL) << "\r\n";

diff --git a/Settings.h b/Settings.h
@@ -103,7 +103,6 @@ class Settings {
 
     Settings() 
         : followShellcode(SHELLC_FOLLOW_FIRST),
-        followChildprocesses(false),
         traceRDTSC(false),
         traceINT(false),
         traceSYSCALL(true),
@@ -129,7 +128,6 @@ class Settings {
 
     t_shellc_options followShellcode;
 
-    bool followChildprocesses; // Follow Child Processes
     bool traceRDTSC; // Trace RDTSC
     bool traceINT; // trace INT
     bool traceSYSCALL; // Trace syscall instructions (i.e., syscall, int 2Eh, sysenter)

diff --git a/TinyTracer.cpp b/TinyTracer.cpp
@@ -1317,50 +1317,61 @@ static void OnCtxChange(THREADID threadIndex,
 
 BOOL FollowChild(CHILD_PROCESS childProcess, VOID * userData)
 {
-    if (m_Settings.followChildprocesses) {
-        OS_PROCESS_ID childPid = CHILD_PROCESS_GetId(childProcess);
-        std::cerr << "Following Subprocess: " << childPid << std::endl;
-
-        // Get child process command line
-        INT childArgc;
-        CHAR const* const* childArgv;
-        CHILD_PROCESS_GetCommandLine(childProcess, &childArgc, &childArgv);
-        // Set Pin's command line for child process, rebuilding with the same options updated
-        INT pinArgc = 0;
-        const INT pinArgcMax = 40;
-        CHAR const* pinArgv[pinArgcMax];
-
-        pinArgv[pinArgc++] = pinPath.c_str();
-        pinArgv[pinArgc++] = "-follow_execv";
-        pinArgv[pinArgc++] = "-t";
-        pinArgv[pinArgc++] = PIN_ToolFullPath();
-        pinArgv[pinArgc++] = "-o";
-        pinArgv[pinArgc++] = KnobOutputFile.Value().c_str();
-        pinArgv[pinArgc++] = "-s";
-        pinArgv[pinArgc++] = KnobIniFile.Value().c_str();
-        pinArgv[pinArgc++] = "-b";
-        pinArgv[pinArgc++] = KnobWatchListFile.Value().c_str();
-        pinArgv[pinArgc++] = "-x";
-        pinArgv[pinArgc++] = KnobExcludedListFile.Value().c_str();
-        pinArgv[pinArgc++] = "-p";
-        pinArgv[pinArgc++] = KnobStopOffsets.Value().c_str();
-        pinArgv[pinArgc++] = "-l";
-        pinArgv[pinArgc++] = KnobSyscallsTable.Value().c_str();
-        pinArgv[pinArgc++] = "-m";
-        pinArgv[pinArgc++] = childArgv[0];
-        pinArgv[pinArgc++] = "--";
-        // Now copy the child command line
-        for (int i = 0; i < childArgc && pinArgc < pinArgcMax; i++) {
-            pinArgv[pinArgc++] = childArgv[i];
-        }
+    OS_PROCESS_ID childPid = CHILD_PROCESS_GetId(childProcess);
+    std::cerr << "Following Subprocess: " << childPid << std::endl;
+
+    // Get child process command line
+    INT childArgc;
+    CHAR const* const* childArgv;
+    CHILD_PROCESS_GetCommandLine(childProcess, &childArgc, &childArgv);
+    // Set Pin's command line for child process, rebuilding with the same options updated
+    INT pinArgc = 0;
+    const INT pinArgcMax = 40;
+    CHAR const* pinArgv[pinArgcMax];
+
+    pinArgv[pinArgc++] = pinPath.c_str();
+    pinArgv[pinArgc++] = "-follow_execv";
+    pinArgv[pinArgc++] = "-t";
+    pinArgv[pinArgc++] = PIN_ToolFullPath();
+    pinArgv[pinArgc++] = "-o";
+    pinArgv[pinArgc++] = KnobOutputFile.Value().c_str();
+    pinArgv[pinArgc++] = "-s";
+    pinArgv[pinArgc++] = KnobIniFile.Value().c_str();
+    pinArgv[pinArgc++] = "-b";
+    pinArgv[pinArgc++] = KnobWatchListFile.Value().c_str();
+    pinArgv[pinArgc++] = "-x";
+    pinArgv[pinArgc++] = KnobExcludedListFile.Value().c_str();
+    pinArgv[pinArgc++] = "-p";
+    pinArgv[pinArgc++] = KnobStopOffsets.Value().c_str();
+    pinArgv[pinArgc++] = "-l";
+    pinArgv[pinArgc++] = KnobSyscallsTable.Value().c_str();
+    pinArgv[pinArgc++] = "-m";
+    pinArgv[pinArgc++] = childArgv[0];
+    pinArgv[pinArgc++] = "--";
+    // Now copy the child command line
+    for (int i = 0; i < childArgc && pinArgc < pinArgcMax; i++) {
+        pinArgv[pinArgc++] = childArgv[i];
+    }
+
+    CHILD_PROCESS_SetPinCommandLine(childProcess, pinArgc, pinArgv);
+    return TRUE;
+}
 
-        CHILD_PROCESS_SetPinCommandLine(childProcess, pinArgc, pinArgv);
-        return TRUE;
+
+std::string addPidToFilename(const std::string& filename, int pid)
+{
+    std::stringstream fnamestr;
+    size_t pos = filename.find_last_of('.');
+    if (pos == std::string::npos || pos >= filename.length()) {
+        fnamestr << filename << "." << pid;
     }
-    // If the callback return FALSE, the child is not followed
-    return FALSE;
+    else {
+        fnamestr << filename.substr(0, pos) << "." << pid << '.' << filename.substr(pos + 1);
+    }
+    return fnamestr.str();
 }
 
+
 /*!
 * The main procedure of the tool.
 * This function is called when the application image is loaded but not yet started.
@@ -1441,10 +1452,8 @@ int main(int argc, char *argv[])
     }
 
     // init output file:
-    int pid = PIN_GetPid();
-    std::stringstream filename;
-    filename << KnobOutputFile.Value() << "_" << pid << ".log";
-    traceLog.init(filename.str(), m_Settings.shortLogging);
+    std::string filename = addPidToFilename(KnobOutputFile.Value(), PIN_GetPid());
+    traceLog.init(filename, m_Settings.shortLogging);
 
     // Register function to be called for every loaded module
     IMG_AddInstrumentFunction(ImageLoad, NULL);
@@ -1472,13 +1481,13 @@ int main(int argc, char *argv[])
     std::cerr << "Tracing module: " << app_name << std::endl;
     if (!KnobOutputFile.Value().empty())
     {
-        std::cerr << "See file " << filename.str() << " for analysis results" << std::endl;
+        std::cerr << "See file " << filename << " for analysis results" << std::endl;
     }
     std::cerr << "===============================================" << std::endl;
 
     // Register the callback function for child processes
     PIN_AddFollowChildProcessFunction(FollowChild, 0);
-    
+
     // Start the program, never returns
     PIN_StartProgram();
     return 0;