tiny_tracer

A Pin Tool for tracing API calls etc

tiny_tracer -

Published by hasherezade about 2 months ago

REFACT

  • Optimizations: increased speed of tracing, lowered memory consumption

Requires Intel Pin 3.26 or above.
I am sorry but Intel does not allow for distribution of compiled Pin Tools. So, you need to compile them from the sources.
Follow the instructions to build and install.

tiny_tracer -

Published by hasherezade about 2 months ago

FEATURE


Requires Intel Pin 3.26 or above.
I am sorry but Intel does not allow for distribution of compiled Pin Tools. So, you need to compile them from the sources.
Follow the instructions to build and install.

tiny_tracer - 2.7.1 Latest Release

Published by hasherezade about 1 year ago

BUGFIX

  • Fixed ANTIDEBUG=2 not working for 32-bit applications (wrong size of the passed argument)
  • Fixed backward compatibility with older Pin versions (use INS_OperandWidth instead of INS_OperandSize)

Requires Intel Pin 3.26 or above.
I am sorry but Intel does not allow for distribution of compiled Pin Tools. So, you need to compile them from the sources.
Follow the instructions to build and install.

tiny_tracer - 2.7

Published by hasherezade about 1 year ago

FEATURE

  • Allow selecting whether debug symbols should be used for name resolution; can be enabled/disabled via the INI file (Issue #39) [details]
  • Bypass the AntiDebug technique based on the Trap Flag. Resolved problems with tracing applications protected by VMProtect with Debugger Detection enabled (bypassed mode: "Debugger: User-mode + Kernel-mode") (Issue #26)
  • Support detecting some AntiVM techniques (tracing of WMI query parameters); can be enabled/disabled via the INI file [details]
  • Support detecting more AntiDebug techniques (e.g. searching for Software Breakpoints)

REFACT

  • Removed the dependency on windows.h

Requires Intel Pin 3.26 or above.
I am sorry but Intel does not allow for distribution of compiled Pin Tools. So, you need to compile them from the sources.
Follow the instructions to build and install.

tiny_tracer -

Published by hasherezade about 1 year ago

BUGFIX

  • Use export symbols only (Issue #39)

Requires Intel Pin 3.26 or above.
I am sorry but Intel does not allow for distribution of compiled Pin Tools. So, you need to compile them from the sources.
Follow the instructions to build and install.

tiny_tracer -

Published by hasherezade about 1 year ago

BUGFIX

  • Fixed the Tracer crashing while trying to dump some Unicode strings (Issue #38)

FEATURE

  • Added an option to track common AntiDebug techniques, and bypass the Trap Flag (Issue #32) [details]
  • Added an option to track interrupts (Issue #34) [details]
  • Added function filtering (Issue #33) [details]

Requires Intel Pin 3.26 or above.
I am sorry but Intel does not allow for distribution of compiled Pin Tools. So, you need to compile them from the sources.
Follow the instructions to build and install.

tiny_tracer -

Published by hasherezade over 1 year ago

FEATURE

  • Added the possibility to map syscalls to functions using a supplied table; automatic syscall-to-function-name resolution on Windows (more info: Wiki)
  • When a syscalls table is loaded, syscall parameters can also be traced by the corresponding function's name.
  • Print the function's name before listing the parameters (a workaround for concurrency issues that caused a function's parameters to be printed not immediately after the logged call)
  • Enabled syscall logging by default

Requires Intel Pin 3.26 or above.
I am sorry but Intel does not allow for distribution of compiled Pin Tools. So, you need to compile them from the sources.
Follow the instructions to build and install.

tiny_tracer -

Published by hasherezade over 2 years ago

FEATURE

  • Added tracing of syscalls and their parameters (#22); read more here
  • Added Linux support

REFACT

  • Refactored the check whether an event comes from a particular module

Requires Intel Pin 3.19 or above.
I am sorry but Intel does not allow for distribution of compiled Pin Tools. So, you need to compile them from the sources.
Follow the instructions to build and install.

tiny_tracer -

Published by hasherezade almost 3 years ago

BUGFIX

  • Fixed a significant slowdown in tracing of some applications (Issue #17)

Requires Intel Pin 3.19 or above.
I am sorry but Intel does not allow for distribution of compiled Pin Tools. So, you need to compile them from the sources.
Follow the instructions to build and install.

tiny_tracer -

Published by hasherezade about 3 years ago

FEATURE

  • Allow logging indirect calls to local functions (read more here)
  • If Sleep was hooked, add that information to the trace log

BUGFIX

  • Fixed a case where parameters were reported but not the function name (Issue #14)

Requires Intel Pin 3.19 or above.
I am sorry but Intel does not allow for distribution of compiled Pin Tools. So, you need to compile them from the sources.
Follow the instructions to build and install.

tiny_tracer -

Published by hasherezade about 3 years ago

FEATURE

  • Allow hooking NtDelayExecution (Sleep, SleepEx) and replacing the slept time with your own value. Can be enabled in the TinyTracer.ini file. Read more here.
HOOK_SLEEP=True // enable Sleep hooking
SLEEP_TIME=10 // the new sleep value (in milliseconds)

Requires Intel Pin 3.19 or above.
I am sorry but Intel does not allow for distribution of compiled Pin Tools. So, you need to compile them from the sources.
Follow the instructions to build and install.

tiny_tracer -

Published by hasherezade about 3 years ago

FEATURE

Example:

69de;ntdll.RtlCreateProcessParametersEx
	Arg[0] = ptr 0x0058ee50 -> {\x00\x00\x00\x00\x01\x00\x00\x00}
	Arg[1] = ptr 0x0058ee3c -> U"C:\Windows\system32\calc.exe"
	Arg[2] = ptr 0x0058ee24 -> U"C:\Windows\System32"
	Arg[3] = ptr 0x0058ee2c -> U"C:\Windows\system32\"
	Arg[4] = ptr 0x0058ee3c -> U"C:\Windows\system32\calc.exe"

BUGFIX

  • In parameter tracing:
    • while dumping constants: fixed printing a parameter in decimal

Requires Intel Pin 3.19 or above.
I am sorry but Intel does not allow for distribution of compiled Pin Tools. So, you need to compile them from the sources.
Follow the instructions to build and install.

tiny_tracer -

Published by hasherezade over 3 years ago

FEATURE

  • Do not allow running if a Kernel Debugger is enabled (it causes Pin to freeze)
  • In parameter tracing:
    • add a hexdump preview of non-string parameters
    • dump the pointer before every string
    • while dumping numbers: show the hexadecimal and decimal representation of the same number

Example:

37c82;kernel32.GetProcAddress
	Arg[0] = ptr 0x00007ffce43c0000 -> {MZ\x90\x00\x03\x00\x00\x00}
	Arg[1] = ptr 0x00007ff67921fb50 -> "PssCaptureSnapshot"
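The two trace excerpts above (this release's GetProcAddress example and the RtlCreateProcessParametersEx example in the following release) share one layout: a `<offset>;<module>.<function>` line followed by tab-indented `Arg[N] = ptr 0x... -> <value>` lines, where the value is a hexdump preview `{...}`, an ANSI string `"..."` or a wide string `U"..."`. The parser below is an added example, not part of tiny_tracer; it works on constructed sample lines modelled on those excerpts and turns them into records so that, say, every path or API name passed to a traced function can be pulled out of a large log.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the page's layout: "<offset>;<module>.<function>", then tab-indented Arg lines.
SAMPLE_TRACE = """\
37c82;kernel32.GetProcAddress
\tArg[0] = ptr 0x00007ffce43c0000 -> {MZ\\x90\\x00\\x03\\x00\\x00\\x00}
\tArg[1] = ptr 0x00007ff67921fb50 -> "PssCaptureSnapshot"
69de;ntdll.RtlCreateProcessParametersEx
\tArg[1] = ptr 0x0058ee3c -> U"C:\\Windows\\system32\\calc.exe"
"""
CALL_RE = re.compile(r"^([0-9A-Fa-f]+);([^.\s]+)\.(\S+)$")
ARG_RE = re.compile(r"^\tArg\[(\d+)\] = ptr (0x[0-9A-Fa-f]+) -> (.*)$")

@dataclass
class Call:
    offset: int   # call-site offset logged before the ';'
    module: str   # e.g. "kernel32"
    func: str     # e.g. "GetProcAddress"
    args: dict = field(default_factory=dict)  # index -> (kind, text, pointer)

def classify(value):
    # U"..." wide string, "..." ANSI string, {...} hexdump preview of a buffer; else raw.
    if value.startswith('U"') and value.endswith('"'):
        return "wstr", value[2:-1]
    if value.startswith('"') and value.endswith('"'):
        return "str", value[1:-1]
    if value.startswith("{") and value.endswith("}"):
        return "bytes", value[1:-1]
    return "raw", value

def parse_trace(text):
    # Group each call line with the Arg[...] lines that follow it; reject
    # anything else so a truncated or foreign line is noticed, not skipped.
    calls = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if m := CALL_RE.match(line):
            calls.append(Call(int(m.group(1), 16), m.group(2), m.group(3)))
        elif (m := ARG_RE.match(line)) and calls:
            kind, val = classify(m.group(3))
            calls[-1].args[int(m.group(1))] = (kind, val, int(m.group(2), 16))
        else:
            raise ValueError(f"line {lineno}: unrecognised trace line {line!r}")
    return calls

def string_args(calls):
    # Every string-typed argument with its API: paths and resolved names stand out here.
    return [(f"{c.module}.{c.func}", v) for c in calls
            for kind, v, _ in c.args.values() if kind in ("str", "wstr")]
```

The hexdump preview is kept as the escaped text the tracer printed rather than decoded to bytes, so a value like `{MZ\x90...}` can still be matched against the log verbatim.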

Requires Intel Pin 3.19 or above.
I am sorry but Intel does not allow for distribution of compiled Pin Tools. So, you need to compile them from the sources.
Follow the instructions to build and install.

tiny_tracer -

Published by hasherezade over 3 years ago

REFACT

  • Refactored to build with the latest Pin: 3.19

Requires Intel Pin 3.19 or above.
I am sorry but Intel does not allow for distribution of compiled Pin Tools. So, you need to compile them from the sources.
Follow the instructions to build and install.

tiny_tracer -

Published by hasherezade over 3 years ago

FEATURE

BUGFIX

  • Improved accuracy of recursive shellcode tracing

Requires Intel Pin 3.16 or 3.18.
I am sorry but Intel does not allow for distribution of compiled Pin Tools. So, you need to compile them from the sources.
Follow the instructions to build and install.

tiny_tracer - 1.5.1

Published by hasherezade over 3 years ago

REFACT

  • Internal refactoring. Removed the limit on watched functions. Removed duplicated watch entries.

FEATURE

  • Added a custom, more flexible tool for loading DLLs

Requires Intel Pin 3.16 or above.
I am sorry but Intel does not allow for distribution of compiled Pin Tools. So, you need to compile them from the sources.
Follow the instructions to build and install.

tiny_tracer -

Published by hasherezade over 3 years ago

FEATURE

  • Allow tracing the parameters with which the selected functions were called (read more here)

Requires Intel Pin 3.16 or above.
I am sorry but Intel does not allow for distribution of compiled Pin Tools. So, you need to compile them from the sources.
Follow the instructions to build and install.

tiny_tracer -

Published by hasherezade almost 4 years ago

BUGFIX

  • Fixed a typo in the logger: RTDSC -> RDTSC

Requires Intel Pin 3.16 or above.
I am sorry but Intel does not allow for distribution of compiled Pin Tools. So, you need to compile them from the sources.
Follow the instructions to build and install.

tiny_tracer -

Published by hasherezade about 4 years ago

REFACT

  • Updated to build with the latest Pin (3.16)

Requires Intel Pin 3.16 or above.
I am sorry but Intel does not allow for distribution of compiled Pin Tools. So, you need to compile them from the sources.
Follow the instructions to build and install.

tiny_tracer -

Published by hasherezade about 4 years ago

REFACT

  • Cleanup and refactoring of all the code, improved stability of tracing

FEATURE

  • Tracing of CPUID instructions
  • "Time patching": altering RDTSC output to decrease delays (defense against anti-tracing)
  • Tracing of RDTSC (optional, can be enabled in run_me.bat)
  • Allow for recursive tracing of shellcodes (optional, can be enabled in run_me.bat - option 2)

BUGFIX

  • Fixed invalid call origins generated in some traces (Issue #5)
  • Fixed a bug in the elevation script that broke on names with spaces

Requires Intel Pin 3.7 to 3.15.
I am sorry but Intel does not allow for distribution of compiled Pin Tools. So, you need to compile them from the sources.
Follow the instructions to build and install.