-
Notifications
You must be signed in to change notification settings - Fork 139
Tracing syscalls
Tracing syscalls can be enabled in TinyTracer.ini, by setting:
TRACE_SYSCALL=Trueanalogously, it can be disabled by:
TRACE_SYSCALL=FalseSyscalls Table allows to map syscall ID to the corresponding function's name. Thanks to this feature, we get the results in more human-readable form. Tiny Tracer is shipped with a helper tool syscall_extract.exe that allows to automatically generate the syscalls table for a current Windows version.
This tool is automatically called by run_me.bat at the beginning of tracing. The relevant fragment:
if NOT exist %SYSCALLS_TABLE% (
if exist %PIN_TOOLS_DIR%\syscall_extract.exe (
%PIN_TOOLS_DIR%\syscall_extract.exe %SYSCALLS_TABLE%
)
)
Tracing parameters of selected syscalls can be enabled similarly to tracing parameters of functions.
In order to enable this option, you need to:
- Create a list of syscalls that you want to watch, in the following format:
<SYSCALL>;[syscal number];[params_count]
Example:
<SYSCALL>;0x36;4
<SYSCALL>;0x20;2- Append it to the same file that is used to watch parameters of functions, i.e.
params.txt.
Note, that if the syscalls table is loaded, syscalls parameters can also be traced by the corresponding function's name.
Example:
params.txt
ntdll;NtSetInformationThread;4
<SYSCALL>;0x19;4
Fragment of the tracelog generated with the above settings:
[...]
7605;SYSCALL:0xd(NtSetInformationThread)
NtSetInformationThread:
Arg[0] = 0xfffffffffffffffe = 18446744073709551614
Arg[1] = 0x0000000000000011 = 17
Arg[2] = 0
Arg[3] = 0
75c1;SYSCALL:0x19(NtQueryInformationProcess)
SYSCALL:0x19:
Arg[0] = 0xffffffffffffffff = 18446744073709551615
Arg[1] = 0x0000000000000007 = 7
Arg[2] = ptr 0x000000f6befcf690 -> {\x00\x00\x00\x00\x00\x00\x00\x00}
Arg[3] = 0x0000000000000004 = 4
[...]