
Using the TAGs with disassemblers and debuggers

hasherezade edited this page Sep 18, 2022 · 17 revisions

The TAG format

The tags generated by the Tiny Tracer have the following format:

{RVA};{traced event}

The RVA is relative to the base of the traced module (the one selected as TRACED_MODULE). Because it is a relative offset, the tag stays valid no matter where ASLR loads the module: to turn it into an address, add it to the image base that your disassembler or debugger uses for that module.

If tracing of shellcodes was enabled, the tracelog may additionally include calls made from within the shellcode. Those lines are prefixed with >. In that case, the shellcode base is also printed, and the RVA that follows is relative to this base rather than to the traced module. Note that the shellcode base is an absolute address from the traced run, so these tags only line up with your disassembly if you analyse the shellcode at that same address (for example a dump of that memory region):

> {shellcode base}+{RVA};{traced event}

Example:

> b337000+74;kernel32.GetModuleHandleA
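As an added example (not code from Tiny Tracer, tag_converter or any of the importers linked below), a small Python parser that handles both tag forms and rebases them onto the address space of your own tool. The sample log is constructed, the module base 0x400000 is a placeholder, and the x64dbg `cmt` command it emits is an assumption about x64dbg's script syntax, not tag_converter's output format; it illustrates what the x64dbg conversion in the section below has to do.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of a Tiny Tracer .tag log (not a real trace).  Two tags are
# relative to the traced module; the third comes from a traced shellcode region.
SAMPLE_TAG_LOG = """\
1f3a;kernel32.GetProcAddress
1f60;kernel32.VirtualAlloc

> b337000+74;kernel32.GetModuleHandleA
"""

# {RVA};{event}            - RVA is relative to the traced module base
# > {base}+{RVA};{event}   - RVA is relative to the printed shellcode base
# The event runs to end of line, so a ';' inside it does not break parsing.
TAG_RE = re.compile(
    r"^(?:(?P<sc>>)\s*(?P<base>[0-9A-Fa-f]+)\+)?(?P<rva>[0-9A-Fa-f]+);(?P<event>.+)$"
)


@dataclass
class Tag:
    rva: int
    event: str
    shellcode_base: Optional[int] = None  # only set for "> base+rva;event" lines

    def va(self, module_base: int) -> int:
        """Absolute address of the tag.

        Module tags are rebased onto whatever image base the disassembler uses,
        so ASLR does not matter.  Shellcode tags carry their own absolute base
        from the traced run, which is only meaningful when the shellcode is
        analysed at that same address (e.g. a dump of that region).
        """
        base = module_base if self.shellcode_base is None else self.shellcode_base
        return base + self.rva


def parse_tag_line(line: str) -> Optional[Tag]:
    """Parse one line of a .tag file; returns None for blank lines."""
    line = line.strip()
    if not line:
        return None
    m = TAG_RE.match(line)
    if m is None:
        raise ValueError(f"not a Tiny Tracer tag: {line!r}")
    base = int(m.group("base"), 16) if m.group("base") else None
    return Tag(rva=int(m.group("rva"), 16),
               event=m.group("event").strip(),
               shellcode_base=base)


def parse_tag_log(text: str) -> List[Tag]:
    """Parse a whole .tag file into Tag records, skipping blank lines."""
    return [t for t in (parse_tag_line(ln) for ln in text.splitlines()) if t is not None]


def to_x64dbg_script(tags: List[Tag], module_base: int) -> List[str]:
    """Render tags as x64dbg script lines.

    Assumption (not tag_converter's own output): x64dbg's script language sets a
    comment with `cmt <address>, "<text>"`.  module_base must be the base at
    which the module is mapped in the debugged process.
    """
    return [f'cmt 0x{t.va(module_base):x}, "{t.event}"' for t in tags]


if __name__ == "__main__":
    # Placeholder module base; use the real base from your debugger/disassembler.
    for line in to_x64dbg_script(parse_tag_log(SAMPLE_TAG_LOG), module_base=0x400000):
        print(line)
```

The same `Tag.va()` rebasing is what every importer below performs: it is the only step where a module tag and a shellcode tag differ, so a converter that ignores the `>` form silently places shellcode calls at wrong offsets inside the traced module.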

Loading the TAG format into other tools

The tags are helpful for resolving obfuscated API calls: each call site is annotated with the API that was actually reached at runtime, so a call through a resolved pointer or a jump thunk no longer needs to be worked out by hand.

You can load them into other tools to annotate the code. Example (screenshot): an annotated function

PE-bear

The .tag format is natively supported by PE-bear.

IDA Pro

You can load the tags into your IDA database with the help of the IFL plugin.

Step 1:

Step 2:

x64dbg

Use tag_converter to convert the .tag file into an x64dbg script that populates your view with the collected tags:

✔ Check: hasherezade/tag_converter

Example - a tag loaded into x64dbg:

Ghidra

✔ Check: Dump-GUY/ghidra_scripts

✔ Check: zxgio/ghidra_tag_importer

Cutter

✔ Check: Dump-GUY/tiny_tracer_tag_to_cutter