Windows API tracer for malware (oldname: unitracer)

unitracer

Windows API tracer for malware

Requirements

  • Unicorn 1.0
  • Capstone
  • the Windows DLLs the sample imports, placed on the DLL search path (see dll_path below)

Features

  • Windows API tracing and hooking
  • sets up the process data structures malware inspects: TIB, PEB, LDR...
  • uses its own PE parser (faster than pefile)

Usage

import unitracer
from unicorn.x86_const import *


uni = unitracer.Windows()

# add search path for dll
uni.dll_path.insert(0, "dlls")

# change stack
uni.STACK_BASE = 0x60000000
uni.STACK_SIZE = 0x10000

# load binary (a PE file, or raw shellcode via load_code)
uni.load_pe('./samples/AntiDebug.exe')
# uni.load_code(open('./samples/URLDownloadToFile.sc', 'rb').read())

# add api hooks: the hook runs in place of the API, so it pops the return
# address, sets the return value in EAX and pushes the return address back
def IsDebuggerPresent(ut):
    emu = ut.emu
    retaddr = ut.popstack()
    print("IsDebuggerPresent")
    emu.reg_write(UC_X86_REG_EAX, 0)  # report "no debugger" to the sample
    ut.pushstack(retaddr)

uni.api_hooks['IsDebuggerPresent'] = IsDebuggerPresent

# add original hooks (same arguments as a Unicorn code hook callback)
def myhook(ut, address, size, userdata):
    if address == 0xdeadbeef:
        ut.dumpregs(["eax", "ebx"])

uni.hooks.append(myhook)

# suppress verbose output (disassemble)
uni.verbose = False

# start emulation
uni.start(0)
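The IsDebuggerPresent hook above takes no arguments, so popping and re-pushing the return address is all the stack work it needs. Hooking a stdcall API that does take arguments (Sleep, for instance) also has to remove those arguments, because the real API would. The following added example, which is not unitracer's code, models that stack handling against a constructed FakeTracer stub standing in for the `ut` object; it assumes, as the README's hook suggests, that the hook is entered with the return address on top of the stack and must leave it back on top. With the real tracer the body would write EAX through `ut.emu.reg_write(UC_X86_REG_EAX, ...)` instead of the stub's `ut.eax`.

```python
# Added example (not unitracer's own code): how an API hook should handle the
# guest stack for stdcall APIs with arguments. FakeTracer is a constructed stub
# covering only the pieces the hooks touch: popstack(), pushstack(), EAX.
# Assumption (matching the README's IsDebuggerPresent hook): the hook runs at
# the API entry with the return address at [ESP] and must put it back on top.

STACK_BASE = 0x60000000          # same stack layout the README configures
STACK_SIZE = 0x10000


class FakeTracer(object):
    def __init__(self):
        self.esp = STACK_BASE + STACK_SIZE   # empty stack: ESP at the top of the region
        self.stack = {}                      # dword address -> value
        self.eax = 0
        self.clock = 0                       # fake millisecond clock for timing APIs
        self.calls = []                      # trace log written by the hooks

    def pushstack(self, value):
        self.esp -= 4
        self.stack[self.esp] = value & 0xffffffff

    def popstack(self):
        value = self.stack.pop(self.esp)
        self.esp += 4
        return value

    def push_frame(self, retaddr, args):
        # Lay the frame out as a stdcall caller does: arguments pushed
        # right-to-left, then the return address, so retaddr is at [ESP].
        for arg in reversed(args):
            self.pushstack(arg)
        self.pushstack(retaddr)


def stdcall_hook(nargs):
    """Wrap a hook body: pop the return address and `nargs` dword arguments,
    store the body's result in EAX, then push the return address back so the
    stack looks as it would after the real stdcall API returned (the callee
    removes its own arguments)."""
    def wrap(body):
        def hook(ut):
            retaddr = ut.popstack()
            args = [ut.popstack() for _ in range(nargs)]
            ut.eax = body(ut, *args) & 0xffffffff
            ut.pushstack(retaddr)
        hook.__name__ = body.__name__
        return hook
    return wrap


@stdcall_hook(0)
def IsDebuggerPresent(ut):
    ut.calls.append(("IsDebuggerPresent",))
    return 0                                 # report "no debugger" to the sample


@stdcall_hook(1)
def Sleep(ut, dwMilliseconds):
    ut.calls.append(("Sleep", dwMilliseconds))
    ut.clock += dwMilliseconds               # advance the fake clock instead of waiting
    return 0


@stdcall_hook(0)
def GetTickCount(ut):
    ut.calls.append(("GetTickCount",))
    return ut.clock                          # a sleep-then-tick check sees time pass


def simulate_call(ut, hook, retaddr, args):
    """Push a call frame, run the hook once, and report what the guest would
    observe: EAX, the dword now on top of the stack, and whether the hook
    removed exactly the arguments (only the return address is left)."""
    esp_before = ut.esp
    ut.push_frame(retaddr, args)
    hook(ut)
    return {
        "eax": ut.eax,
        "top": ut.stack[ut.esp],
        "args_cleaned": esp_before - ut.esp == 4,
    }


if __name__ == "__main__":
    ut = FakeTracer()
    print(simulate_call(ut, Sleep, 0x401234, [5000]))
    print(simulate_call(ut, GetTickCount, 0x401240, []))
    print(ut.calls)
```

The `args_cleaned` check is the one worth keeping in a real hook set: a hook that forgets to pop its arguments leaves ESP off by 4*nargs, and the sample crashes or misbehaves some distance after the call, which is hard to trace back to the hook.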

Sample

  • running the samples/URLDownloadToFile.sc shellcode sample

TODO

  • 64 bit
  • etc...