Skip to content

Windows API tracer for malware (oldname: unitracer)

License

Notifications You must be signed in to change notification settings

icchy/tracecorn

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

92 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

unitracer

Windows API tracer for malware

Requirements

  • Unicorn 1.0
  • Capstone
  • some dlls

Features

  • Windows API trace/hook
  • setup special data of TIB, PEB, LDR...
  • using original PE parser (faster than pefile)

Usage

import unitracer
from unicorn.x86_const import *


uni = unitracer.Windows()

# add search path for dll
uni.dll_path.insert(0, "dlls")

# change stack
uni.STACK_BASE = 0x60000000
uni.STACK_SIZE = 0x10000

# load binary
uni.load_pe('./samples/AntiDebug.exe')
# uni.load_code(open('./samples/URLDownloadToFile.sc').read())

# add api hooks
def IsDebuggerPresent(ut):
    emu = ut.emu
    retaddr = ut.popstack()
    print "IsDebuggerPresent"
    emu.reg_write(UC_X86_REG_EAX, 0)
    ut.pushstack(retaddr)

uni.api_hooks['IsDebuggerPresent'] = IsDebuggerPresent

# add original hooks
def myhook(ut, address, size, userdata):
    if address == 0xdeadbeef:
        ut.dumpregs(["eax", "ebx"])

uni.hooks.append(myhook)

# suppress verbose output (disassemble)
uni.verbose = False

uni.start(0)

Sample

  • running samples/URLDownloadToFile.sc sample

TODO

  • 64 bit
  • etc...

About

Windows API tracer for malware (oldname: unitracer)

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages