Skip to content
Windows API tracer for malware (oldname: unitracer)
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
samples
unitracer fix hooks handling Oct 16, 2017
.gitignore update Unitracer::Win32 Feb 16, 2017
.gitmodules
LICENSE Create LICENSE Oct 11, 2017
README.md fix and add example code Oct 16, 2017
example.py fix and add example code Oct 16, 2017
test.py

README.md

unitracer

Windows API tracer for malware

Requirements

  • Unicorn 1.0
  • Capstone
  • some dlls

Features

  • Windows API trace/hook
  • setup special data of TIB, PEB, LDR...
  • using original PE parser (faster than pefile)

Usage

import unitracer
from unicorn.x86_const import *


uni = unitracer.Windows()

# add search path for dll
uni.dll_path.insert(0, "dlls")

# change stack
uni.STACK_BASE = 0x60000000
uni.STACK_SIZE = 0x10000

# load binary
uni.load_pe('./samples/AntiDebug.exe')
# uni.load_code(open('./samples/URLDownloadToFile.sc').read())

# add api hooks
def IsDebuggerPresent(ut):
    emu = ut.emu
    retaddr = ut.popstack()
    print "IsDebuggerPresent"
    emu.reg_write(UC_X86_REG_EAX, 0)
    ut.pushstack(retaddr)

uni.api_hooks['IsDebuggerPresent'] = IsDebuggerPresent

# add original hooks
def myhook(ut, address, size, userdata):
    if address == 0xdeadbeef:
        ut.dumpregs(["eax", "ebx"])

uni.hooks.append(myhook)

# suppress verbose output (disassemble)
uni.verbose = False

uni.start(0)

Sample

  • running samples/URLDownloadToFile.sc sample

TODO

  • 64 bit
  • etc...
You can’t perform that action at this time.