JuanLesPIN
Intel Pin tool to detect and mitigate Windows malware evasion techniques.
This tool is a prototype developed for a research project whose paper is currently under submission. To comply with double-blind review, the name of the tool used in the paper has also been anonymized.
Installation
To install this tool you will first need to download:
- Visual Studio (the Community edition is fine). Make sure the C++ Windows development kit is installed.
- Intel PIN 3.17 (you can download it from HERE)
Then follow these 5 steps:
- Extract the zip containing Intel PIN inside C:\ and rename the folder to "pin", so that the Pin executable is at C:\pin\pin.exe.
- Change directory to C:\pin\source\tools and clone the repo.
- Open the file C:\pin\source\tools\JuanLesPIN-Public\JuanLesPIN.sln with Visual Studio.
- Go to Project -> Properties in the Visual Studio menu. Then, under "Configuration Properties" -> C/C++ -> Preprocessor -> "Preprocessor Definitions", modify the value of the _WINDOWS_H_PATH definition to match your Windows development kit version.
- Build the project in Release mode, x86 (the tool has been developed to work mainly on 32-bit malware).
Usage
To instrument a malware sample with JuanLesPIN, run:
C:\pin\pin.exe -follow_execv -t C:\pin\source\tools\JuanLesPIN-Public\Release\JuanLesPIN.dll -timer 0 -report evasion-report -- <path to malware>
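The following PowerShell wrapper is an added example, not part of the JuanLesPIN project: it checks that the layout produced by the installation steps above is in place, refuses inputs that are not PE files (and warns when the PE is not i386, since the tool is built for x86), and then launches the exact instrumentation command shown above with a timeout. It assumes Pin is installed at C:\pin, the tool was built as Release x86, the sample path is passed as the first argument, the machine is an isolated analysis VM, and (an assumption about the tool's output) that the report file name starts with the value given to -report and is written to the current directory.

```powershell
# Added example wrapper around the JuanLesPIN usage command (not project code).
# Assumptions: C:\pin layout from the installation steps, Release x86 build,
# isolated analysis VM, report written to the current directory as "<ReportName>*".
param(
    [Parameter(Mandatory = $true)]
    [string]$SamplePath,
    [string]$ReportName = "evasion-report",
    [int]$TimeoutSeconds = 300
)

$PinExe  = "C:\pin\pin.exe"
$ToolDll = "C:\pin\source\tools\JuanLesPIN-Public\Release\JuanLesPIN.dll"

# 1. Verify the files the installation steps should have produced.
foreach ($p in @($PinExe, $ToolDll, $SamplePath)) {
    if (-not (Test-Path -LiteralPath $p)) {
        Write-Error "Missing file: $p (check the installation steps)"
        exit 1
    }
}

# 2. Sanity-check the sample: 'MZ' signature, 'PE\0\0' at e_lfanew,
#    and the COFF Machine field (0x14C = IMAGE_FILE_MACHINE_I386).
$bytes = [System.IO.File]::ReadAllBytes($SamplePath)
if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
    Write-Error "Not a PE file (no MZ header): $SamplePath"
    exit 1
}
$peOff = [BitConverter]::ToInt32($bytes, 0x3C)
if ($peOff -lt 0 -or ($peOff + 6) -gt $bytes.Length -or
    [BitConverter]::ToUInt32($bytes, $peOff) -ne 0x00004550) {
    Write-Error "Not a PE file (bad PE signature): $SamplePath"
    exit 1
}
$machine = [BitConverter]::ToUInt16($bytes, $peOff + 4)
if ($machine -ne 0x14C) {
    Write-Warning ("Machine field is 0x{0:X4}, not i386; the tool is built for 32-bit samples" -f $machine)
}

# 3. Run the instrumentation command exactly as documented in the README.
$pinArgs = "-follow_execv -t `"$ToolDll`" -timer 0 -report `"$ReportName`" -- `"$SamplePath`""
Write-Host "Launching: $PinExe $pinArgs"
$proc = Start-Process -FilePath $PinExe -ArgumentList $pinArgs -PassThru -NoNewWindow

# 4. Enforce a wall-clock limit so a sample that stalls does not hang the analysis.
if (-not $proc.WaitForExit($TimeoutSeconds * 1000)) {
    Write-Warning "Timeout of $TimeoutSeconds s reached; terminating pin (exit code unavailable)"
    Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
} else {
    Write-Host "pin exited with code $($proc.ExitCode)"
}

# 5. Show whatever report files were produced (name prefix is an assumption).
$reports = Get-ChildItem -Path (Get-Location) -Filter "$ReportName*" -File -ErrorAction SilentlyContinue
if ($reports) {
    $reports | ForEach-Object { Write-Host "Report: $($_.FullName) ($($_.Length) bytes)" }
} else {
    Write-Warning "No file matching '$ReportName*' found in $(Get-Location)"
}
```

Run it from the directory where you want the report to land, e.g. `.\run-juanlespin.ps1 -SamplePath C:\samples\sample.exe -TimeoutSeconds 120`. The timeout and the PE checks are the wrapper's own additions; the pin command line itself is unchanged from the README.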