-
Notifications
You must be signed in to change notification settings - Fork 142
The INI file
Some settings can be configured with the help of INI file. The default version of this file can be found in the install32_64 directory.
ENABLE_SHORT_LOGGING=True
USE_DEBUG_SYMBOLS=False
FOLLOW_SHELLCODES=1
;FOLLOW_SHELLCODES:
; 0 : trace only the main target module
; 1 : follow only the first shellcode called from the main module
; 2 : follow also the shellcodes called recursively from the the original shellcode
; 3 : follow any shellcodes
TRACE_RDTSC=False
TRACE_INT=False
TRACE_SYSCALL=True
LOG_SECTIONS_TRANSITIONS=True
LOG_SHELLCODES_TRANSITIONS=True
LOG_INDIRECT_CALLS=False
HEXDUMP_SIZE=8
HOOK_SLEEP=False
SLEEP_TIME=10
STOP_OFFSET_TIME=30
;STOP_OFFSET_TIME (dec):
; For how many seconds the execution should pause on a stop offset (defined by stop_offsets.txt)
DISASM_START=0
;DISASM_START (hex):
; An RVA in the traced module from which the disasm should start
DISASM_STOP=0
;DISASM_STOP (hex):
; An RVA in the traced module on which the disasm should end
ANTIDEBUG=0
;ANTIDEBUG: (Windows only)
; 0 : Disabled
; 1 : Standard
; 2 : Deep (may lead to some false positives)
ANTIVM=0
;ANTIVM: (Windows only)
; 0 : Disabled
; 1 : Standard
; Settings for ANTIVM enabled:
EMULATE_HYPERV=False
; Settings for ANTIDEBUG enabled:
EMULATE_SINGLE_STEP=True
;EMULATE_SINGLE_STEP:
; On True: when the trap flag was set, throw the SINGLE_STEP exception
; On False: the trap flag will be removed and ignored (no exception)
You may change the default path to your INI file by editing the variable SETTINGS_FILE:
- On Windows: in
run_me.bat.
Example:
rem The ini file specifying the settings of the tracer
set SETTINGS_FILE=%PIN_TOOLS_DIR%\TinyTracer.ini- On Linux: in
tiny_runner.sh.
Example:
SETTINGS_FILE=$PIN_CONFIGS_DIR"/TinyTracer.ini"This option accepts boolean values. In case if it is disabled, full path of the DLL is logged. Example:
4934b;called: C:\Windows\SysWOW64\kernel32.dll.GetProcAddress
Otherwise only the DLL name is logged:
4934b;kernel32.dll.GetProcAddress
This option accepts boolean values. In case if it is disabled, the functions names are resolved basing on the module's exports table only.
When enabled, debug symbols will be used (if accessible). In this mode, functions names are also automatically demangled.
Allows to enable various degrees of shellcode tracing. More details explained here
Log occurrences of the RDTSC instruction (which is often used to detect that process is being watched/debugged).
By default, TinyTracer tries to bypass the anti-tracing check based on RDTSC, yet it does not log the occurrence of this instruction, in order to avoid possible noise.
Log occurrences of interrupts.
Enable tracing syscalls. More information here.
Log the offsets where the execution switches between one section of the traced module and another.
Example - fragment of the log made with this option enabled:
1b41d;called: C:\Windows\SysWOW64\kernel32.dll.HeapDestroy
17012;[.vmp0] -> [.vmp1]
8b38e;section: [.vmp1]
a3f70;[.vmp1] -> [.vmp0]
16ff2;section: [.vmp0]
17012;[.vmp0] -> [.vmp1]
a3f72;section: [.vmp1]
8ce24;called: C:\Windows\SysWOW64\kernel32.dll.LocalFree
a3f70;called: C:\Windows\SysWOW64\kernel32.dll.ExitProcess
We can see the execution going back and forth between two sections: .text and .vmp0. This characteristics is common for protectors using virtualization.
If we disable this option, we won't see those transitions anymore. Example:
1b41d;called: C:\Windows\SysWOW64\kernel32.dll.HeapDestroy
8ce24;called: C:\Windows\SysWOW64\kernel32.dll.LocalFree
a3f70;called: C:\Windows\SysWOW64\kernel32.dll.ExitProcess
Log the offsets where the execution switches between one shellcode and another.
How long will be the hexdump printed after the pointer (while tracing parameters).
Example - a hexdump of the length 8:
Arg[0] = ptr 0x76fb0000 -> {MZ\x90\x00\x03\x00\x00\x00}
Printable characters are dumped as literals, while non-printable, in form: \x{hex:ASCII value}.
WARNING: This feature is currently implemented for Windows only
Enable NtDelayExecution hook, which allows you to change the slept time. In order to enable, set:
HOOK_SLEEP=TrueSleep time in milliseconds (active if HOOK_SLEEP is enabled). This value will replace the original sleep time in all the hooked functions (which call NtDelayExecution).
Wait time in seconds. If the list of stop offsets is defined, this option specifies for how long an execution should pause on a single offset. Details described here: Stop Offsets
DISASM_START and DISASM_STOP are virtual offsets (RVA) relative to the traced module. If they are defined, TinyTracer will produce the disassembly of all the instructions executed within the range.
Details described here: Tracing with disasembly
Allows to log indirect calls (and jumps) to local functions. More information here.
WARNING: This feature is currently implemented for Windows only
Log occurrences of selected AntiDebug techniques. The occurrences are tagged with [ANTIDEBUG] label. May contain links to materials describing a corresponding technique. Example:
309a39;section: [.vmp2]
3dcccb;kernel32.LocalAlloc
3db8e6;[ANTIDEBUG] --> PEB!BeingDebugged accessed
3dcc56;ntdll.ZwQueryInformationProcess
3dcc58;[ANTIDEBUG] --> ^ ntdll!NtQueryInformationProcess (ProcessDebugPort);https://anti-debug.checkpoint.com/techniques/debug-flags.html#using-win32-api-ntqueryinformationprocess-processdebugport
3df7e2;ntdll.ZwQueryInformationProcess
3df7e4;[ANTIDEBUG] --> ^ ntdll!NtQueryInformationProcess (ProcessDebugObjectHandle);https://anti-debug.checkpoint.com/techniques/debug-flags.html#using-win32-api-ntqueryinformationprocess-processdebugobjecthandle
3dcccb;ntdll.NtSetInformationThread
When run in this mode, tracer will also attempt to autoremove the Trap Flag (to bypass the technique that interrupts the tracing).
Supported options:
| Value | Meaning |
|---|---|
| 0 | Disabled |
| 1 | Standard |
| 2 | Deep (may lead to some false positives) |
WARNING: This feature is currently implemented for Windows only
Log occurrences of selected AntiVM techniques. The occurrences are tagged with [ANTIVM] label. May contain links to materials describing a corresponding technique. Example:
3002;fastprox.[??0CWbemGuidToClassMap@@QEAA@XZ+700]*
305f;fastprox.[?GetInstanceObject@CWbemObjectArrayPacket@@AEAAJAEAVCWbemObjectPacket@@PEAPEAUIWbemClassObject@@AEAVCWbemClassCache@@@Z+550]*
3d21;fastprox.?Get@CWbemObject@@UEAAJPEBGJPEAUtagVARIANT@@PEAJ2@Z
3d23;[ANTIVM] --> ^ WMI query - device ID;https://evasions.checkpoint.com/techniques/wmi.html#generic-wmi-queries
baa0;msvcrt.wcsstr
Supported options:
| Value | Meaning |
|---|---|
| 0 | Disabled |
| 1 | Standard |
This feature is a work in progress.
Works if ANTIVM is enabled. By default, if ANTIVM is enabled, TinyTracer will modify the output of CPUID to hide VM-related artifacts. However, if EMULATE_HYPERV is enabled, it will instead emulate a machine with HyperV enabled (modify the CPUID to impersonate HyperV). This option may be helpful in bypassing VMProtect. It forces the VMProtect-stub to choose a different execution path, that may allow for easier bypass.
Works if ANTIDEBUG is enabled. Defines how TinyTracer will behave if the TrapFlag was set.
| Value | Meaning |
|---|---|
| True | throw the SINGLE_STEP exception after the trap flag |
| False | remove and ignore the trap flag (no exception) |
Setting the option EMULATE_SINGLE_STEP to False may help bypassing some variants of VMProtect.