eXait is a benchmark-like tool to test all the anti-instrumentation techniques presented in the "Dynamic Binary Frameworks: I know you're there spying on me" talk at RECon 2012.

How to use eXait?

eXait comes in two different versions: console and GUI.

In the GUI version you only need to pick the techniques you want to test and hit the "Start Test" button.
eXait has 5 different columns:

- Enable: has the checkboxes to select the anti-instrumentation techniques you want to test.
- Plugin name: the name of the plugin.
- Result: shows whether pin was detected or not.
- Status: indicates if the execution of the plugin has terminated.
- Plugin description: a little description about the technique implemented in the plugin.

In the console version you need to execute eXait in the following way: exait.exe

-l: List all available plugins
-a: Executes all the available plugins
-n:  Gets the name of the Plugin (i.e: detect_by_eip.dll)
-d:  Gets description of the Plugin (i.e: detect_by_eip.dll)
-p:  Executes the specified plugin (i.e: detect_by_eip.dll)
-s:  Loads the plugins indicated in  ((i.e: detect_by_eip.dll detect_by_argv.dll ...))
-f:  Loads a file name with a list of plugins to load (i.e: blah.txt)
-h: Prints this help


eXait has a plugin architecture. Each anti-instrumentation technique is implemented in a separated DLL library. 
In order to write your own plugin for eXait you only need to compile a DLL exporting the following functions:

#define DllExport extern "C" __declspec(dllexport)

DllExport char* GetPluginName(void);
DllExport char* GetPluginDescription(void);
DllExport int DoMyJob(void);

- GetPluginName: must return the plugin name.
- GetPluginDescription: must return a little description about the implemented technique.
- DoMyJob: this function is the one that implements the anti-instrumentation technique. This function returns one of these values:

- DETECTED: when Pin was detected.
- NOTDETECTED: when Pin was not detected.
- PLUGINERROR: if something wrong happened.
- PLATFORMNOTSUPPORTED: when you are testing a technique under a non-supported platform.

Additional notes

eXait (GUI and console version) and plugins are dynamically linked. You need to install the Microsoft Visual C++ 2008 Redistributable Package (x86) in order to use eXait.


eXait is distributed under a BSD-like license.


eXait was developed by:

- Francisco Falcón
- Nahuel Riva

Contact Info

You can contact us through oss@coresecurity.com


Release date

License type
2-clause BSD

Research Project
BSD 2 clause