-
Notifications
You must be signed in to change notification settings - Fork 133
The INI file
Some settings can be configured with the help of INI file. The default version of this file can be found in the install32_64 directory.
ENABLE_SHORT_LOGGING=True
USE_DEBUG_SYMBOLS=False
FOLLOW_SHELLCODES=1
;FOLLOW_SHELLCODES:
; 0 : trace only the main target module
; 1 : follow only the first shellcode called from the main module
; 2 : follow also the shellcodes called recursively from the the original shellcode
; 3 : follow any shellcodes
TRACE_RDTSC=False
TRACE_INT=False
TRACE_SYSCALL=True
LOG_SECTIONS_TRANSITIONS=True
LOG_SHELLCODES_TRANSITIONS=True
HEXDUMP_SIZE=8
HOOK_SLEEP=False
SLEEP_TIME=10
; ANTIDEBUG: (Windows only)
; 0 : Disabled
; 1 : Standard
; 2 : Deep (may lead to some false positives)
ANTIDEBUG=0
ANTIVM=0You may change the default path to your INI file by editing the variable SETTINGS_FILE:
- On Windows: in
run_me.bat.
Example:
rem The ini file specifying the settings of the tracer
set SETTINGS_FILE=%PIN_TOOLS_DIR%\TinyTracer.ini- On Linux: in
tiny_runner.sh.
Example:
SETTINGS_FILE=$PIN_CONFIGS_DIR"/TinyTracer.ini"This option accepts boolean values. In case if it is disabled, full path of the DLL is logged. Example:
4934b;called: C:\Windows\SysWOW64\kernel32.dll.GetProcAddress
Otherwise only the DLL name is logged:
4934b;kernel32.dll.GetProcAddress
This option accepts boolean values. In case if it is disabled, the functions names are resolved basing on the module's exports table only.
When enabled, debug symbols will be used (if accessible). In this mode, functions names are also automatically demangled.
Allows to enable various degrees of shellcode tracing. More details explained here
Log occurrences of the RDTSC instruction (which is often used to detect that process is being watched/debugged).
By default, TinyTracer tries to bypass the anti-tracing check based on RDTSC, yet it does not log the occurrence of this instruction, in order to avoid possible noise.
Log occurrences of interrupts.
Enable tracing syscalls. More information here.
Log the offsets where the execution switches between one section of the traced module and another.
Example - fragment of the log made with this option enabled:
1b41d;called: C:\Windows\SysWOW64\kernel32.dll.HeapDestroy
17012;[.vmp0] -> [.vmp1]
8b38e;section: [.vmp1]
a3f70;[.vmp1] -> [.vmp0]
16ff2;section: [.vmp0]
17012;[.vmp0] -> [.vmp1]
a3f72;section: [.vmp1]
8ce24;called: C:\Windows\SysWOW64\kernel32.dll.LocalFree
a3f70;called: C:\Windows\SysWOW64\kernel32.dll.ExitProcess
We can see the execution going back and forth between two sections: .text and .vmp0. This characteristics is common for protectors using virtualization.
If we disable this option, we won't see those transitions anymore. Example:
1b41d;called: C:\Windows\SysWOW64\kernel32.dll.HeapDestroy
8ce24;called: C:\Windows\SysWOW64\kernel32.dll.LocalFree
a3f70;called: C:\Windows\SysWOW64\kernel32.dll.ExitProcess
Log the offsets where the execution switches between one shellcode and another.
How long will be the hexdump printed after the pointer (while tracing parameters).
Example - a hexdump of the length 8:
Arg[0] = ptr 0x76fb0000 -> {MZ\x90\x00\x03\x00\x00\x00}
Printable characters are dumped as literals, while non-printable, in form: \x{hex:ASCII value}.
WARNING: This feature is currently implemented for Windows only
Enable NtDelayExecution hook, which allows you to change the slept time. In order to enable, set:
HOOK_SLEEP=TrueThe sleep time in milliseconds. This value will be used in all the Sleep related functions (which call NtDelayExecution), if HOOK_SLEEP is enabled.
Allows to log indirect calls (and jumps) to local functions. More information here.
WARNING: This feature is currently implemented for Windows only
Log occurrences of selected AntiDebug techniques. The occurrences are tagged with [ANTIDEBUG] label. May contain links to materials describing a corresponding technique. Example:
309a39;section: [.vmp2]
3dcccb;kernel32.LocalAlloc
3db8e6;[ANTIDEBUG] --> PEB!BeingDebugged accessed
3dcc56;ntdll.ZwQueryInformationProcess
3dcc58;[ANTIDEBUG] --> ^ ntdll!NtQueryInformationProcess (ProcessDebugPort);https://anti-debug.checkpoint.com/techniques/debug-flags.html#using-win32-api-ntqueryinformationprocess-processdebugport
3df7e2;ntdll.ZwQueryInformationProcess
3df7e4;[ANTIDEBUG] --> ^ ntdll!NtQueryInformationProcess (ProcessDebugObjectHandle);https://anti-debug.checkpoint.com/techniques/debug-flags.html#using-win32-api-ntqueryinformationprocess-processdebugobjecthandle
3dcccb;ntdll.NtSetInformationThread
When run in this mode, tracer will also attempt to autoremove the Trap Flag (to bypass the technique that interrupts the tracing).
Supported options:
| Value | Meaning |
|---|---|
| 0 | Disabled |
| 1 | Standard |
| 2 | Deep (may lead to some false positives) |
WARNING: This feature is currently implemented for Windows only
Log occurrences of selected AntiVM techniques. The occurrences are tagged with [ANTIVM] label. May contain links to materials describing a corresponding technique. Example:
3002;fastprox.[??0CWbemGuidToClassMap@@QEAA@XZ+700]*
305f;fastprox.[?GetInstanceObject@CWbemObjectArrayPacket@@AEAAJAEAVCWbemObjectPacket@@PEAPEAUIWbemClassObject@@AEAVCWbemClassCache@@@Z+550]*
3d21;fastprox.?Get@CWbemObject@@UEAAJPEBGJPEAUtagVARIANT@@PEAJ2@Z
3d23;[ANTIVM] --> ^ WMI query - device ID;https://evasions.checkpoint.com/techniques/wmi.html#generic-wmi-queries
baa0;msvcrt.wcsstr
Supported options:
| Value | Meaning |
|---|---|
| 0 | Disabled |
| 1 | Standard |
This feature is a work in progress. Currently it only supports few techniques based on WMI query.