Chronicler: a Pin execution capture tool
Chronicler v0.1 can be downloaded here
Usage: pin -t chronicler_[vistasp2/xpsp3].dll [options] -- [application]

Options for Chronicler [default]:
  -o               Output filename ["chronicler.out"]
  -i               Append pid to output
  -watch_thread    Thread to watch, -1 for all [-1]
  -flush           Flush output after every instruction
  -symbols         Include symbol information
  -lines           Include line number information
  -instruction     Trace instructions
  -startaddress    Start address
  -stopaddress     Stop address
  -filefilter      File to trace [""]
  -filefilterhits  Number of hits
  -syscall         Trace system calls
  -memory          Trace memory
  -silent          Do everything but write file (for debugging)
  -early_out       Exit after tracing the first region
Example chronicle applications
Automated unpacking for malware analysis
Install the Zlib::Compress Perl library (autounpack.pl needs it to read the gzip-compressed log).
pin -smc_strict -t chronicler_[vistasp2/xpsp3].dll -- [packed_sample]
Run autounpack.pl on the output log.
autounpack.pl writes one file per detected code wave, named [chronicler_log]_[code_wave].txt. Each file lists the bytes of that wave as address/byte_value pairs (addresses in hex, byte values in decimal), for example:
address  byte_value
00401000 85
00401001 139
00401002 236
00401003 139
00401004 69
00401005 12
00401006 80
00401007 139
00401008 77
00401009 8
0040100A 81
0040100B 232
0040100C 231
0040100D 3
0040100E 9
0040100F 251
Chronicler does instruction-level execution tracing and is built on the Pin binary instrumentation framework. The resulting log file is compressed with gzip. The automatic unpacking algorithm follows the approach of Renovo and TraceSurfer: memory that is written at run time and later executed is treated as a newly unpacked layer ("code wave"), and its bytes are dumped.
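To make the code-wave idea concrete, here is an added example (written for this page, not Chronicler's or autounpack.pl's own code) that runs a Renovo-style written-then-executed detector over a constructed trace. The ("exec"/"write") event layout, the sample addresses and bytes, and the numbering of output files from 1 are all assumptions for illustration; Chronicler's real log layout is not described on the page.

```python
from typing import Dict, List, Tuple

Event = Tuple  # ("exec", addr) or ("write", addr, byte_value); assumed layout

# Constructed two-layer sample (hypothetical, not a real Chronicler log).
# Stub at 0x401000 writes a prologue to 0x402000 and jumps there (wave 1);
# that code writes two bytes to 0x403000 and jumps there (wave 2).
SAMPLE_TRACE: List[Event] = [
    ("exec", 0x401000),
    ("write", 0x402000, 0x55), ("write", 0x402001, 0x8B),
    ("write", 0x402002, 0xEC), ("write", 0x402003, 0x8B),
    ("write", 0x404000, 0x41),   # data write that is never executed
    ("exec", 0x401010),
    ("exec", 0x402000),          # lands on dirty memory -> wave 1
    ("exec", 0x402002),
    ("write", 0x403000, 0x33), ("write", 0x403001, 0xC0),
    ("exec", 0x403000),          # lands on dirty memory -> wave 2
]


def find_code_waves(trace: List[Event]) -> List[Dict[int, int]]:
    """Mark every written byte dirty; the first time execution reaches a
    dirty address, snapshot all dirty bytes as a new wave and clear the
    marks so a later layer (an unpacker unpacking another) forms its own
    wave. Data written alongside the code is included in the snapshot,
    since the tracer cannot tell code from data at write time."""
    dirty: Dict[int, int] = {}
    waves: List[Dict[int, int]] = []
    for ev in trace:
        if ev[0] == "write":
            dirty[ev[1]] = ev[2]
        elif ev[0] == "exec" and ev[1] in dirty:
            waves.append(dict(sorted(dirty.items())))
            dirty.clear()
    return waves


def format_wave(wave: Dict[int, int]) -> str:
    """Render a wave in the 'address byte_value' layout shown above
    (8 hex digits, decimal byte value)."""
    lines = ["address byte_value"]
    lines += [f"{addr:08X} {val}" for addr, val in sorted(wave.items())]
    return "\n".join(lines)


def dump_waves(trace: List[Event], log: str = "chronicler.out") -> Dict[str, str]:
    """Map [log]_[wave].txt -> file body, mirroring autounpack.pl's naming."""
    return {f"{log}_{i}.txt": format_wave(w)
            for i, w in enumerate(find_code_waves(trace), start=1)}


if __name__ == "__main__":
    for name, body in dump_waves(SAMPLE_TRACE).items():
        print(f"== {name}\n{body}")
```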
Run without any options, Chronicler writes a full execution trace. Run with the "-filefilter [file]" option, Chronicler starts the execution trace at the point where [file] is first read (via NtReadFile) and also records all system calls involving [file]. If [file] is read more than once, the start of the trace can be delayed with the "-filefilterhits [num]" option (begin at the given read) or the "-startaddress [address]" option (begin when execution reaches the given address).
Currently tested on Windows XP (SP3) and Vista (SP2).