[FEATURE] Added new option: follow child processes

hasherezade · Dec 10, 2024 · f7421e1 · f7421e1
1 parent adf6e49
commit f7421e1
Show file tree

Hide file tree

Showing 5 changed files with 31 additions and 5 deletions.
diff --git a/Settings.cpp b/Settings.cpp
@@ -8,6 +8,7 @@
 #define DELIM '='
 
 #define KEY_FOLLOW_SHELLCODES           "FOLLOW_SHELLCODES"
+#define KEY_FOLLOW_CHILDPROCESSES       "FOLLOW_CHILDPROCESSES"
 #define KEY_LOG_RTDSC                   "TRACE_RDTSC"
 #define KEY_LOG_INT                     "TRACE_INT"
 #define KEY_LOG_SYSCALL                 "TRACE_SYSCALL"
@@ -131,6 +132,10 @@ bool fillSettings(Settings &s, const std::string &line)
         s.followShellcode = ConvertShcOption(val);
         isFilled = true;
     }
+    if (util::iequals(valName, KEY_FOLLOW_CHILDPROCESSES)) {
+        s.followChildprocesses = loadBoolean(valStr);
+        isFilled = true;
+    }
     if (util::iequals(valName, KEY_LOG_RTDSC)) {
         s.traceRDTSC = loadBoolean(valStr);
         isFilled = true;
@@ -250,6 +255,7 @@ bool Settings::saveINI(const std::string &filename)
         return false;
     }
     myfile << KEY_FOLLOW_SHELLCODES << DELIM << this->followShellcode << "\r\n";
+    myfile << KEY_FOLLOW_CHILDPROCESSES << DELIM << this->followChildprocesses << "\r\n";
     myfile << KEY_LOG_RTDSC << DELIM << booleanToStr(this->traceRDTSC) << "\r\n";
     myfile << KEY_LOG_INT << DELIM << booleanToStr(this->traceINT) << "\r\n";
     myfile << KEY_LOG_SYSCALL << DELIM << booleanToStr(this->traceSYSCALL) << "\r\n";

diff --git a/Settings.h b/Settings.h
@@ -103,6 +103,7 @@ class Settings {
 
     Settings() 
         : followShellcode(SHELLC_FOLLOW_FIRST),
+        followChildprocesses(false),
         traceRDTSC(false),
         traceINT(false),
         traceSYSCALL(true),
@@ -128,6 +129,7 @@ class Settings {
 
     t_shellc_options followShellcode;
 
+    bool followChildprocesses; // Follow Child Processes
     bool traceRDTSC; // Trace RDTSC
     bool traceINT; // trace INT
     bool traceSYSCALL; // Trace syscall instructions (i.e., syscall, int 2Eh, sysenter)

diff --git a/TinyTracer.cpp b/TinyTracer.cpp
@@ -1312,6 +1312,17 @@ static void OnCtxChange(THREADID threadIndex,
     _SaveTransitions(addrFrom, addrTo, FALSE);
 }
 
+BOOL FollowChild(CHILD_PROCESS childProcess, VOID * userData)
+{
+    if (m_Settings.followChildprocesses) {
+        OS_PROCESS_ID childPid = CHILD_PROCESS_GetId(childProcess);
+        std::cerr << "Following Subprocess: " << childPid << std::endl;
+        return TRUE;
+    }
+    // If the callback return FALSE, the child is not followed
+    return FALSE;
+}
+
 /*!
 * The main procedure of the tool.
 * This function is called when the application image is loaded but not yet started.
@@ -1390,8 +1401,11 @@ int main(int argc, char *argv[])
     }
 
     // init output file:
-    traceLog.init(KnobOutputFile.Value(), m_Settings.shortLogging);
-
+    int pid = PIN_GetPid();
+    std::stringstream filename;
+    filename << KnobOutputFile.Value() << "_" << pid << ".log";
+    traceLog.init(filename.str(), m_Settings.shortLogging);
+
     // Register function to be called for every loaded module
     IMG_AddInstrumentFunction(ImageLoad, NULL);
 
@@ -1418,10 +1432,13 @@ int main(int argc, char *argv[])
     std::cerr << "Tracing module: " << app_name << std::endl;
     if (!KnobOutputFile.Value().empty())
     {
-        std::cerr << "See file " << KnobOutputFile.Value() << " for analysis results" << std::endl;
+        std::cerr << "See file " << filename.str() << " for analysis results" << std::endl;
     }
     std::cerr << "===============================================" << std::endl;
 
+    // Register the callback function for child processes
+    PIN_AddFollowChildProcessFunction(FollowChild, 0);
+
     // Start the program, never returns
     PIN_StartProgram();
     return 0;

diff --git a/install32_64/TinyTracer.ini b/install32_64/TinyTracer.ini
@@ -6,6 +6,7 @@ FOLLOW_SHELLCODES=1
 ; 1 : follow only the first shellcode called from the main module
 ; 2 : follow also the shellcodes called recursively from the the original shellcode
 ; 3 : follow any shellcodes
+FOLLOW_CHILDPROCESSES=False
 TRACE_RDTSC=False
 TRACE_INT=False
 TRACE_SYSCALL=True

diff --git a/install32_64/run_me.bat b/install32_64/run_me.bat
@@ -97,8 +97,8 @@ if [%IS_ADMIN%] == [A] (
 
 set ADMIN_CMD=%PIN_TOOLS_DIR%\sudo.vbs
 
-set DLL_CMD=%PIN_DIR%\pin.exe -t %PINTOOL% -m "%TRACED_MODULE%" -o %TAG_FILE% -s %SETTINGS_FILE% -b "%WATCH_BEFORE%" -x "%EXCLUDED_FUNC%" -p "%STOP_OFFSETS%" -l "%SYSCALLS_TABLE%" -- "%DLL_LOAD%" "%TARGET_APP%" %DLL_EXPORTS%
-set EXE_CMD=%PIN_DIR%\pin.exe -t %PINTOOL% -m "%TRACED_MODULE%" -o %TAG_FILE% -s %SETTINGS_FILE% -b "%WATCH_BEFORE%" -x "%EXCLUDED_FUNC%" -p "%STOP_OFFSETS%" -l "%SYSCALLS_TABLE%" -- "%TARGET_APP%" %EXE_ARGS%
+set DLL_CMD=%PIN_DIR%\pin.exe -follow_execv -t %PINTOOL% -o %TAG_FILE% -s %SETTINGS_FILE% -b "%WATCH_BEFORE%" -x "%EXCLUDED_FUNC%" -p "%STOP_OFFSETS%" -l "%SYSCALLS_TABLE%" -- "%DLL_LOAD%" "%TARGET_APP%" %DLL_EXPORTS%
+set EXE_CMD=%PIN_DIR%\pin.exe -follow_execv -t %PINTOOL% -o %TAG_FILE% -s %SETTINGS_FILE% -b "%WATCH_BEFORE%" -x "%EXCLUDED_FUNC%" -p "%STOP_OFFSETS%" -l "%SYSCALLS_TABLE%" -- "%TARGET_APP%" %EXE_ARGS%
 
 ;rem "Trace EXE"
 if [%PE_TYPE%] == [exe] (