A Pin Tool for tracing:
- API calls, including parameters of selected functions
- selected instructions: RDTSC, CPUID
- transition between sections of the traced module (helpful in finding OEP of the packed module)
Bypasses the anti-tracing check based on RDTSC.
Generates a report in the `.tag` format (which can be loaded into other analysis tools). Each line holds the hex RVA within the traced module, a semicolon, and the traced event, for example:

```
345c2;section: .text
58069;called: C:\Windows\SysWOW64\kernel32.dll.IsProcessorFeaturePresent
3976d;called: C:\Windows\SysWOW64\kernel32.dll.LoadLibraryExW
3983c;called: C:\Windows\SysWOW64\kernel32.dll.GetProcAddress
3999d;called: C:\Windows\SysWOW64\KernelBase.dll.InitializeCriticalSectionEx
398ac;called: C:\Windows\SysWOW64\KernelBase.dll.FlsAlloc
3995d;called: C:\Windows\SysWOW64\KernelBase.dll.FlsSetValue
49275;called: C:\Windows\SysWOW64\kernel32.dll.LoadLibraryExW
4934b;called: C:\Windows\SysWOW64\kernel32.dll.GetProcAddress
...
```
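As an added example (not part of Tiny Tracer itself), a small Python parser for the `.tag` lines shown above. It assumes each entry is a hex RVA, a semicolon and an event of the form `kind: detail`, and uses the excerpt above as constructed input to list section transitions (OEP candidates) and the APIs called per DLL.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample built from the report excerpt above (not a real trace file).
SAMPLE_TAG = r"""
345c2;section: .text
58069;called: C:\Windows\SysWOW64\kernel32.dll.IsProcessorFeaturePresent
3976d;called: C:\Windows\SysWOW64\kernel32.dll.LoadLibraryExW
3983c;called: C:\Windows\SysWOW64\kernel32.dll.GetProcAddress
3999d;called: C:\Windows\SysWOW64\KernelBase.dll.InitializeCriticalSectionEx
398ac;called: C:\Windows\SysWOW64\KernelBase.dll.FlsAlloc
3995d;called: C:\Windows\SysWOW64\KernelBase.dll.FlsSetValue
49275;called: C:\Windows\SysWOW64\kernel32.dll.LoadLibraryExW
4934b;called: C:\Windows\SysWOW64\kernel32.dll.GetProcAddress
"""

@dataclass(frozen=True)
class TagEvent:
    rva: int      # offset from the traced module's base, parsed from the hex field
    kind: str     # event class before the colon, e.g. "section" or "called"
    detail: str   # section name, or "<dll path>.<export name>"

def parse_tag(text: str) -> list[TagEvent]:
    """Parse .tag lines of the form 'RVA;kind: detail'; blank lines are skipped."""
    events = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        rva_hex, sep1, event = line.partition(";")
        kind, sep2, detail = event.partition(":")
        if not (sep1 and sep2):
            raise ValueError(f"line {lineno}: malformed .tag entry {raw!r}")
        events.append(TagEvent(int(rva_hex, 16), kind.strip(), detail.strip()))
    return events

def section_transitions(events: list[TagEvent]) -> list[tuple[int, str]]:
    """All 'section:' events in order; for a packed module the transition into
    the unpacked code section is the OEP candidate the README refers to."""
    return [(e.rva, e.detail) for e in events if e.kind == "section"]

def split_api(detail: str) -> tuple[str, str]:
    # "C:\Windows\SysWOW64\kernel32.dll.LoadLibraryExW" -> ("kernel32.dll", "LoadLibraryExW")
    path, _, export = detail.rpartition(".")
    return path.rsplit("\\", 1)[-1], export

def api_calls_by_module(events: list[TagEvent]) -> dict[str, list[str]]:
    """Group 'called:' events by DLL name, preserving call order."""
    calls: dict[str, list[str]] = defaultdict(list)
    for e in events:
        if e.kind == "called":
            module, export = split_api(e.detail)
            calls[module].append(export)
    return dict(calls)

if __name__ == "__main__":
    evs = parse_tag(SAMPLE_TAG)
    print("section transitions:", section_transitions(evs))
    for mod, exports in api_calls_by_module(evs).items():
        print(f"{mod}: {', '.join(exports)}")
```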
How to build?
Clone this repo into `\source\tools` inside your Pin root directory. Open the project in Visual Studio and build. Detailed description available here.
- In order for Pin to work correctly, Kernel Debugging must be DISABLED.
- In `install32_64` you can find a utility that checks if Kernel Debugger is disabled (`kdb_check.exe`, source); it is used by Tiny Tracer's `.bat` scripts. This utility sometimes gets flagged as malware by Windows Defender (it is a known false positive). If you encounter this issue, you may need to exclude the installation directory from Windows Defender scans.
- Since version 3.20, Pin has dropped support for old versions of Windows. If you need to use the tool on Windows < 8, try compiling it with Pin 3.19.