[FEATURE] Added new option: show context in a disasm mode

hasherezade · Nov 29, 2024 · b5358bc · b5358bc
1 parent 1830d5d
commit b5358bc
Show file tree

Hide file tree

Showing 4 changed files with 98 additions and 2 deletions.
diff --git a/Settings.cpp b/Settings.cpp
@@ -26,6 +26,7 @@
 #define KEY_EMULATE_SINGLE_STEP         "EMULATE_SINGLE_STEP"
 #define KEY_DISASM_START                "DISASM_START"
 #define KEY_DISASM_STOP                 "DISASM_STOP"
+#define KEY_DISASM_CTX                  "DISASM_CTX"
 
 t_shellc_options ConvertShcOption(int value)
 {
@@ -204,6 +205,10 @@ bool fillSettings(Settings &s, std::string line)
         s.disasmStop = util::loadInt(valStr, true);
         isFilled = true;
     }
+    if (util::iequals(valName, KEY_DISASM_CTX)) {
+        s.disasmCtx = loadBoolean(valStr);
+        isFilled = true;
+    }
     return isFilled;
 }
 
@@ -263,6 +268,7 @@ bool Settings::saveINI(const std::string &filename)
     myfile << KEY_EMULATE_SINGLE_STEP << DELIM << std::dec << booleanToStr(this->emulateSingleStep) << "\r\n";
     myfile << KEY_DISASM_START << DELIM << std::hex << this->disasmStart << "\r\n";
     myfile << KEY_DISASM_STOP << DELIM << std::hex << this->disasmStop << "\r\n";
+    myfile << KEY_DISASM_CTX << DELIM << std::dec << booleanToStr(this->disasmCtx) << "\r\n";
     myfile.close();
     return true;
 }

diff --git a/Settings.h b/Settings.h
@@ -119,7 +119,7 @@ class Settings {
         useDebugSym(false),
         isHyperVSet(false),
         emulateSingleStep(true),
-        disasmStart(0), disasmStop(0)
+        disasmStart(0), disasmStop(0), disasmCtx(false)
     {
     }
 
@@ -146,6 +146,7 @@ class Settings {
     bool emulateSingleStep; // If the Trap Flag is set, throw a SINGLE_STEP exception emulating the typical behavior. Works when antidebug is enabled. 
     int disasmStart;
     int disasmStop;
+    bool disasmCtx; // show context in a disasm mode
 
     SyscallsTable syscallsTable; //Syscalls table: mapping the syscall ID to the function name
     FuncWatchList funcWatch; //List of functions, arguments of which are going to be logged

diff --git a/TinyTracer.cpp b/TinyTracer.cpp
@@ -10,6 +10,7 @@
 #include <string>
 #include <set>
 #include <sstream>
+#include <bitset>
 
 #include "TinyTracer.h"
 
@@ -154,6 +155,86 @@ inline ADDRINT getReturnFromTheStack(const CONTEXT* ctx)
     return retAddr;
 }
 
+std::string dumpContext(const std::string& disasm, const CONTEXT* ctx)
+{
+    const char* reg_names[] = {
+        "rdi",
+        "rsi",
+        "rbp",
+        "rsp",
+        "rbx",
+        "rdx",
+        "rcx",
+        "rax",
+        "r8",
+        "r9",
+        "r10",
+        "r11",
+        "r12",
+        "r13",
+        "r14",
+        "r15",
+        "flags"
+    };
+    const REG regs[] =
+    {
+        REG_GDI,
+        REG_GSI,
+        REG_GBP,
+        REG_STACK_PTR,
+        REG_GBX,
+        REG_GDX,
+        REG_GCX,
+        REG_GAX,
+#ifdef _WIN64
+        REG_R8,
+        REG_R9,
+        REG_R10,
+        REG_R11,
+        REG_R12,
+        REG_R13,
+        REG_R14,
+        REG_R15,
+#endif
+        REG_GFLAGS
+    };
+    const size_t regsCount = sizeof(regs) / sizeof(regs[0]);
+    static ADDRINT values[regsCount] = { 0 };
+    static ADDRINT spVal = 0;
+
+    static REG trackedReg = REG_STACK_PTR;
+    static ADDRINT changedTracked = 0;
+
+    std::stringstream ss;
+
+    ADDRINT Address = getReturnFromTheStack(ctx);
+    if (Address != spVal) {
+        ss << "[rsp] -> 0x" << std::hex << Address << "; ";
+        spVal = Address;
+    }
+    bool anyChanged = false;
+    bool _hasTrackedRes = false;
+    REG changedReg = REG_STACK_PTR; //last changed
+    for (size_t i = 0; i < regsCount; i++) {
+        REG reg = regs[i];
+        const ADDRINT Address = (ADDRINT)PIN_GetContextReg(ctx, reg);
+        if (values[i] == Address) continue;
+        anyChanged = true;
+        values[i] = Address;
+        changedReg = reg;
+        if (reg == REG_GFLAGS) {
+            ss << reg_names[i] << " = b" << std::bitset<8>(Address) << "; ";
+            continue;
+        }
+        ss << reg_names[i] << " = 0x" << std::hex << Address << "; ";
+    }
+    std::string out = ss.str();
+    if (!out.empty()) {
+        return "{ " + out + "}";
+    }
+    return "";
+}
+
 VOID SaveHeavensGateTransitions(const ADDRINT addrFrom, const ADDRINT addrTo, ADDRINT seg, const CONTEXT* ctx = NULL)
 {
     PinLocker locker;
@@ -904,6 +985,12 @@ VOID LogInstruction(const CONTEXT* ctxt, THREADID tid, const char* disasm)
         if (!base && rva == (ADDRINT)m_Settings.disasmStop) {
             ss << " # disasm end";
         }
+        if (m_Settings.disasmCtx) {
+            const std::string ctxStr = dumpContext(disasm, ctxt);
+            if (!ctxStr.empty()) {
+                traceLog.logLine("\t\t\t\t" + ctxStr);
+            }
+        }
         traceLog.logInstruction(base, rva, ss.str());
     }
 

diff --git a/install32_64/TinyTracer.ini b/install32_64/TinyTracer.ini
@@ -24,6 +24,9 @@ DISASM_START=0
 DISASM_STOP=0
 ;DISASM_STOP (hex):
 ; An RVA in the traced module on which the disasm should end
+DISASM_CTX=False
+;DISASM_CTX:
+; When in disasm mode: show the registers changed by every instruction
 ANTIDEBUG=0
 ;ANTIDEBUG: (Windows only)
 ; 0 : Disabled
@@ -40,4 +43,3 @@ EMULATE_SINGLE_STEP=True
 ;EMULATE_SINGLE_STEP:
 ; On True: when the trap flag was set, throw the SINGLE_STEP exception
 ; On False: the trap flag will be removed and ignored (no exception)
-