Tracing parameters of functions

hasherezade edited this page Jul 1, 2023 · 22 revisions

Tiny Tracer allows you to log parameters with which the selected functions (or syscalls) have been called.

The parameters are logged only if the call was made from the module that was set as the object of tracing (TRACED_MODULE). This helps to filter out the noise.

Enabling the parameters watch

In order to enable this option, you need to:

  1. Create a list of functions that you want to watch, in the following format:
[module_name];[func_name];[params_count]

For example:

Windows¹:

Kernel32;LoadLibraryW;1
kernel32;LoadLibraryA;1
KERNEL32;GetProcAddress;2

Linux:

libc.so;_IO_puts;1

¹ TinyTracer comes with a default list for Windows: install32_64/params.txt

  2. Save this list into a file.

  3. Supply the path to the file to the PIN tool as the parameter -b [your_list].

In both runners, for Windows (run_me.bat) as well as for Linux (tiny_runner.sh), this parameter is already set and points to the default list. You can change the file name in the WATCH_BEFORE variable, or replace the default file with your own.

Windows example ( run_me.bat ):

rem WATCH_BEFORE - a file with a list of functions which's parameters will be logged before execution
rem The file must be a list of records in a format: [dll_name];[func_name];[parameters_count]
set WATCH_BEFORE=%PIN_TOOLS_DIR%\params.txt

Currently TinyTracer allows you to watch up to 10 parameters per function.
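The watch-list format above is simple enough that it is easy to get a record wrong without noticing (a missing field, a count above the limit, or the same function listed twice under differently-cased module names). The following is an added example, not part of Tiny Tracer, that parses a list in the [module_name];[func_name];[params_count] format and reports such problems before the file is handed to the PIN tool. It assumes module names are compared case-insensitively (the page lists Kernel32, kernel32 and KERNEL32 for the same DLL) and that the 10-parameter limit quoted above applies; lines starting with # are treated as comments here, which is this example's convention, not a documented feature of the tool.

```python
# Added example (not Tiny Tracer's own code): parse and validate a watch list
# written in the [module_name];[func_name];[params_count] format.
from dataclasses import dataclass

MAX_WATCHED_PARAMS = 10  # limit stated on the wiki page


@dataclass(frozen=True)
class WatchEntry:
    module: str        # stored lower-cased: assumed case-insensitive match
    func: str          # export names are case-sensitive, kept as written
    params_count: int


def parse_watch_list(text):
    """Return (entries, errors): valid records and human-readable problems.

    Blank lines and lines starting with '#' are skipped (this example's own
    convention for comments, not something the tool is documented to support).
    """
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = [p.strip() for p in line.split(';')]
        if len(parts) != 3:
            errors.append(f"line {lineno}: expected 3 fields, got {len(parts)}: {raw!r}")
            continue
        module, func, count_s = parts
        if not module or not func:
            errors.append(f"line {lineno}: empty module or function name: {raw!r}")
            continue
        if not count_s.isdigit():
            errors.append(f"line {lineno}: params_count is not a number: {count_s!r}")
            continue
        count = int(count_s)
        if count > MAX_WATCHED_PARAMS:
            errors.append(f"line {lineno}: params_count {count} exceeds {MAX_WATCHED_PARAMS}")
            continue
        entries.append(WatchEntry(module.lower(), func, count))
    return entries, errors


def find_duplicates(entries):
    """(module, func) keys listed more than once; later copies would shadow earlier ones."""
    seen, dups = set(), []
    for e in entries:
        key = (e.module, e.func)
        if key in seen and key not in dups:
            dups.append(key)
        seen.add(key)
    return dups


# Constructed sample list, taken from the examples on this page.
SAMPLE_LIST = """\
Kernel32;LoadLibraryW;1
kernel32;LoadLibraryA;1
KERNEL32;GetProcAddress;2
libc.so;_IO_puts;1
"""

if __name__ == "__main__":
    entries, errors = parse_watch_list(SAMPLE_LIST)
    for e in entries:
        print(f"{e.module}!{e.func}: {e.params_count} param(s)")
    for err in errors:
        print("ERROR:", err)
    for mod, fn in find_duplicates(entries):
        print(f"WARNING: {mod}!{fn} listed more than once")
```

Run it against your own params.txt before starting a trace; an entry rejected here is one the tracer would otherwise silently log nothing for.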

The watched functions are listed at the beginning of the tracer's execution.

Results

The logger can display a parameter in one of the following formats:

  • ASCII string (e.g. Arg[1] = ptr 0x006d9fe8 -> "FlsAlloc")
  • Wide string (e.g. Arg[1] = ptr 0x0058ee24 -> L"{7790769C-0471-11d2-AF11-00C04FA35D02}")
  • UNICODE_STRING (e.g. Arg[1] = ptr 0x0058ee3c -> U"C:\Windows\system32\calc.exe")
  • constant (e.g. Arg[0] = 0x0000016c)
  • pointer, with a hexdump of a defined length (e.g. Arg[0] = ptr 0x0058ee50 -> {\x00\x00\x00\x00\x01\x00\x00\x00})

The format to apply is detected automatically.

Sample results:

ecdc;kernel32.GetProcAddress
	Arg[0] = ptr 0x74a10000 -> {MZ\x90\x00\x03\x00\x00\x00}
	Arg[1] = ptr 0x0039a670 -> "FlsSetValue"

655d;kernel32.CreateFileW
	Arg[0] = ptr 0x006d0e3e -> L"C:\Users\tester\Desktop\demo.exe"
	Arg[1] = 0x80000000 = 2147483648
	Arg[2] = 0x00000001 = 1
	Arg[3] = 0
	Arg[4] = 0x00000003 = 3
	Arg[5] = 0x00000080 = 128

69de;ntdll.RtlCreateProcessParametersEx
	Arg[0] = ptr 0x0058ee50 -> {\x00\x00\x00\x00\x01\x00\x00\x00}
	Arg[1] = ptr 0x0058ee3c -> U"C:\Windows\system32\calc.exe"
	Arg[2] = ptr 0x0058ee24 -> U"C:\Windows\System32"
	Arg[3] = ptr 0x0058ee2c -> U"C:\Windows\system32\"
	Arg[4] = ptr 0x0058ee3c -> U"C:\Windows\system32\calc.exe"
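When reviewing a longer trace it is convenient to turn these records into structured data rather than reading them by eye, e.g. to list every path handed to CreateFileW or the image path passed to RtlCreateProcessParametersEx. The following is an added example, not part of Tiny Tracer, that parses the record layout shown above (an offset;module.function header followed by indented Arg[n] lines) and classifies each argument by the five formats the page lists. It assumes that layout is stable and that any line it does not recognise is some other tracer output to be ignored; the sample trace embedded in it is copied from the page.

```python
# Added example (not Tiny Tracer's own code): parse the parameter records the
# tracer writes into structured calls and search them for string arguments.
import codecs
import re
from dataclasses import dataclass, field
from typing import List, Optional

# "ecdc;kernel32.GetProcAddress" -> offset, module, function
RECORD_HDR = re.compile(r'^([0-9A-Fa-f]+);([^.\s;]+)\.(\S+)$')
# "\tArg[1] = ptr 0x0039a670 -> "FlsSetValue""  -> index, rest of line
ARG_LINE = re.compile(r'^\s*Arg\[(\d+)\]\s*=\s*(.*?)\s*$')
# "ptr 0x0039a670 -> <pointee>"
PTR_ARG = re.compile(r'^ptr\s+(0x[0-9A-Fa-f]+)\s*->\s*(.*)$')


@dataclass
class Arg:
    index: int
    kind: str                  # 'ascii', 'wide', 'unicode_string', 'hexdump', 'const' or 'raw'
    value: object              # str for strings, bytes for hexdumps, int for constants
    ptr: Optional[int] = None  # pointer value when the argument was dereferenced


@dataclass
class Call:
    offset: int                # offset printed before ';' (relative to the traced module)
    module: str
    func: str
    args: List[Arg] = field(default_factory=list)


def _parse_pointee(text):
    """Map the text after '->' onto the formats listed on the page."""
    if text.startswith('L"') and text.endswith('"'):
        return 'wide', text[2:-1]
    if text.startswith('U"') and text.endswith('"'):
        return 'unicode_string', text[2:-1]
    if text.startswith('"') and text.endswith('"'):
        return 'ascii', text[1:-1]
    if text.startswith('{') and text.endswith('}'):
        # hexdump: printable bytes are literal, the rest are \xNN escapes
        raw = codecs.decode(text[1:-1], 'unicode_escape').encode('latin-1')
        return 'hexdump', raw
    return 'raw', text  # anything this example does not know how to decode


def _parse_arg(index, text):
    m = PTR_ARG.match(text)
    if m:
        kind, value = _parse_pointee(m.group(2))
        return Arg(index, kind, value, ptr=int(m.group(1), 16))
    # constants are printed as "0xHEX = DECIMAL", or just "0" when zero
    head = text.split('=', 1)[0].strip()
    return Arg(index, 'const', int(head, 0))


def parse_trace(text):
    """Return the list of calls found in a trace, in order of appearance."""
    calls, current = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = ARG_LINE.match(raw)
        if m and current is not None:
            current.args.append(_parse_arg(int(m.group(1)), m.group(2)))
            continue
        m = RECORD_HDR.match(raw.strip())
        if m:
            current = Call(int(m.group(1), 16), m.group(2), m.group(3))
            calls.append(current)
        # any other tracer line is left alone
    return calls


def string_args(calls, func):
    """All string-typed arguments passed to `func`, e.g. paths handed to CreateFileW."""
    return [a.value for c in calls if c.func == func
            for a in c.args if a.kind in ('ascii', 'wide', 'unicode_string')]


# Constructed sample: the records shown on this page, as the tracer prints them.
SAMPLE_TRACE = r"""
ecdc;kernel32.GetProcAddress
	Arg[0] = ptr 0x74a10000 -> {MZ\x90\x00\x03\x00\x00\x00}
	Arg[1] = ptr 0x0039a670 -> "FlsSetValue"

655d;kernel32.CreateFileW
	Arg[0] = ptr 0x006d0e3e -> L"C:\Users\tester\Desktop\demo.exe"
	Arg[1] = 0x80000000 = 2147483648
	Arg[2] = 0x00000001 = 1
	Arg[3] = 0
	Arg[4] = 0x00000003 = 3
	Arg[5] = 0x00000080 = 128

69de;ntdll.RtlCreateProcessParametersEx
	Arg[0] = ptr 0x0058ee50 -> {\x00\x00\x00\x00\x01\x00\x00\x00}
	Arg[1] = ptr 0x0058ee3c -> U"C:\Windows\system32\calc.exe"
	Arg[2] = ptr 0x0058ee24 -> U"C:\Windows\System32"
	Arg[3] = ptr 0x0058ee2c -> U"C:\Windows\system32\"
	Arg[4] = ptr 0x0058ee3c -> U"C:\Windows\system32\calc.exe"
"""

if __name__ == "__main__":
    calls = parse_trace(SAMPLE_TRACE)
    for c in calls:
        print(f"{c.offset:x} {c.module}.{c.func} ({len(c.args)} args)")
    print("files opened:", string_args(calls, 'CreateFileW'))
    print("process params:", string_args(calls, 'RtlCreateProcessParametersEx'))
```

Windows paths inside the string forms are kept verbatim: only the hexdump form is unescaped, because a backslash in a path such as C:\Users\... is not an escape sequence and decoding it would corrupt the value.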

Helpers

For automatic generation of params.txt based on the executable's Import Table, try: