Tracing shellcodes

hasherezade edited this page Mar 20, 2021 · 17 revisions

Tiny Tracer traces the PE file that was run (or the module explicitly set as the object of tracing with TRACED_MODULE). However, sometimes the PE module (especially if it is malware or a protected application) allocates additional memory pages and unpacks some code there. Usually we want to trace what happens there too.

We can configure tracing shellcodes with the help of the parameter FOLLOW_SHELLCODES in TinyTracer.ini (more about the INI file).

This parameter is an enum.

| value | description |
|-------|-------------|
| 0 | disabled: trace only the main target module |
| 1 | follow only the first shellcode called from the main module |
| 2 | follow also the shellcodes called recursively from the original shellcode |
| 3 | follow any shellcodes |

By default, TinyTracer comes with this option enabled at the lowest level (1):

FOLLOW_SHELLCODES=1

This means only the first shellcode called from the traced PE is followed. If you want to go deeper and follow shellcodes recursively, change the option to 2.

The maximal option (3) enables tracing all shellcodes, no matter if they were called from the traced PE, or from any other.

FOLLOW_SHELLCODES=3

Example

To see the difference between these settings, you may try running this example.

Fragment of the tag file generated with FOLLOW_SHELLCODES=1:

1000;section: 
1005;->.teddy
6b001;section: .teddy
6b0ed;kernel32.VirtualAlloc
6b11b;kernel32.VirtualAlloc
6b1ad;kernel32.VirtualFree
6b1b8;called: ?? [b337000+0]
> b337000+74;kernel32.GetModuleHandleA
> b337000+8a;kernel32.GetProcAddress
> b337000+9e;kernel32.GetProcAddress
> b337000+c4;kernel32.VirtualAlloc
> b337000+fb;kernel32.VirtualFree

At the line:

6b1b8;called: ?? [b337000+0]

the execution was redirected into a shellcode. The base address of the shellcode was b337000.
The lines starting with > indicate the calls made from within this shellcode.
If we run the same file with tracing shellcodes disabled (FOLLOW_SHELLCODES=0):

1000;section: 
1005;->.teddy
6b001;section: .teddy
6b0ed;kernel32.VirtualAlloc
6b11b;kernel32.VirtualAlloc
6b1ad;kernel32.VirtualFree
6b1b8;called: ?? [b347000+0]
1014;section: 
1014;called: ?? [b33f000+17]
271d6;called: ?? [b454000+6c0]

We will see only the calls from the main module into the shellcode, but we will not see what happens inside the shellcode.
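A small parser for the tag-file lines shown above, added here as an example (it is not part of the Tiny Tracer project). It assumes only the two line shapes on this page: `<rva>;called: ?? [<base>+<offset>]` for a jump from the traced module into unknown memory, and `> <base>+<offset>;<api>` for a call made from inside a followed shellcode. The sample input is the FOLLOW_SHELLCODES=1 fragment, embedded as a constructed string.

```python
import re

# Constructed sample input: the FOLLOW_SHELLCODES=1 fragment shown on this page.
SAMPLE_TAG = """\
1000;section:
1005;->.teddy
6b001;section: .teddy
6b0ed;kernel32.VirtualAlloc
6b11b;kernel32.VirtualAlloc
6b1ad;kernel32.VirtualFree
6b1b8;called: ?? [b337000+0]
> b337000+74;kernel32.GetModuleHandleA
> b337000+8a;kernel32.GetProcAddress
> b337000+9e;kernel32.GetProcAddress
> b337000+c4;kernel32.VirtualAlloc
> b337000+fb;kernel32.VirtualFree
"""

# '<rva>;called: ?? [<base>+<offset>]': the traced module jumped into memory
# that belongs to no known module, i.e. into a shellcode.
CALLED_RE = re.compile(r"^([0-9a-fA-F]+);called: \?\? \[([0-9a-fA-F]+)\+([0-9a-fA-F]+)\]$")
# '> <base>+<offset>;<api>': a call made from inside a followed shellcode.
INNER_RE = re.compile(r"^> ([0-9a-fA-F]+)\+([0-9a-fA-F]+);(.+)$")

def parse_tag(text):
    """Return (transitions, inner): transitions = [(caller_rva, base, entry_off)],
    inner = {base: [(offset, api), ...]} built from the '>' lines of each followed shellcode."""
    transitions, inner = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        m = CALLED_RE.match(line)
        if m:
            caller, base, off = (int(x, 16) for x in m.groups())
            transitions.append((caller, base, off))
            inner.setdefault(base, [])  # entered; may stay empty if not followed
            continue
        m = INNER_RE.match(line)
        if m:
            base, off = int(m.group(1), 16), int(m.group(2), 16)
            inner.setdefault(base, []).append((off, m.group(3)))
    return transitions, inner

def unfollowed_shellcodes(text):
    """Bases that were entered but never followed (no '>' lines): with
    FOLLOW_SHELLCODES=0 every base, with 1 those reached only from another shellcode."""
    transitions, inner = parse_tag(text)
    return sorted({base for _, base, _ in transitions if not inner.get(base)})
```

A non-empty result from `unfollowed_shellcodes` is the cue to raise FOLLOW_SHELLCODES and re-run the trace.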