Tracing DLLs
After the complete installation Tiny Tracer allows you to trace EXE files as well as DLL files, simply by choosing an option from the context menu:
If you choose to trace a DLL, it is being loaded and run by an app that is set in run_me.bat - variable DLL_LOAD. By default it is an app dll_load that is a part of the package.
The PE that was selected from the menu is also the one that is set as a traced module (TRACED_MODULE). It means the API calls that are executed from this module are being logged.
If you run the DLL by the Tiny Tracer context menu, by default, its DllMain will be called.
If you wish to run specific exports, you may set them in the run_me.bat:
rem The exports that you want to call from a dll, in format: [name1];[name2] or [#ordinal1];[#ordinal2]
set DLL_EXPORTS=""For example, if I want to run an export named ServiceMain I need to set:
rem The exports that you want to call from a dll, in format: [name1];[name2] or [#ordinal1];[#ordinal2]
set DLL_EXPORTS="ServiceMain"After editing the run_me.bat you can run your DLL from the context menu, and the specific exports will be called after the DllMain.
Remember to revert the changes in the file after use.
Sometimes, you may want to trace not the calls made by the executable that you run, but those made by one of the DLLs loaded within. TinyTracer allows you to choose explicitly the module that you want to trace.
You can change it by editing the option (TRACED_MODULE) in run_me.bat.
You will see the line:
rem TRACED_MODULE - by default it is the main module, but it can be also a DLL within the traced process
set TRACED_MODULE=%TARGET_APP%You need to change the traced module to your DLL, i.e.:
rem TRACED_MODULE - by default it is the main module, but it can be also a DLL within the traced process
set TRACED_MODULE=user32.dll