https://github.com/hasherezade/tiny_tracer
A Pin Tool for tracing API calls etc
api-trace dbi intel-pintools malware-analysis reverse-engineering
- Host: GitHub
- URL: https://github.com/hasherezade/tiny_tracer
- Owner: hasherezade
- Created: 2018-07-18T17:58:20.000Z (almost 8 years ago)
- Default Branch: master
- Last Pushed: 2025-04-26T18:40:22.000Z (about 1 year ago)
- Last Synced: 2025-04-26T19:34:51.317Z (about 1 year ago)
- Topics: api-trace, dbi, intel-pintools, malware-analysis, reverse-engineering
- Language: C++
- Size: 1.11 MB
- Stars: 1,414
- Watchers: 40
- Forks: 149
- Open Issues: 9
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - hasherezade/tiny_tracer - A Pin Tool for tracing API calls etc (C++)
README
# tiny_tracer
A Pin Tool for tracing:
+ API calls, including [input and output of selected functions](https://github.com/hasherezade/tiny_tracer/wiki/Tracing-function-input-and-output)
+ [defined local functions](https://github.com/hasherezade/tiny_tracer/wiki/Tracing-defined-local-functions)
+ selected instructions: [RDTSC](https://c9x.me/x86/html/file_module_x86_id_278.html), [CPUID](https://c9x.me/x86/html/file_module_x86_id_45.html), [INT](https://c9x.me/x86/html/file_module_x86_id_142.html)
+ [inline system calls, including parameters of selected syscalls](https://github.com/hasherezade/tiny_tracer/wiki/Tracing-syscalls)
+ transition between sections of the traced module (helpful in finding OEP of the packed module)
+ [executed instructions in defined code fragments](https://github.com/hasherezade/tiny_tracer/wiki/Tracing-with-disassembly)
Evades some of the known [anti-debug](https://github.com/hasherezade/tiny_tracer/wiki/The-INI-file#antidebug) and [anti-VM](https://github.com/hasherezade/tiny_tracer/wiki/The-INI-file#antivm) techniques
Generates a report in a `.tag` format (which can be [loaded into other analysis tools](https://github.com/hasherezade/tiny_tracer/wiki/Using-the-TAGs-with-disassemblers-and-debuggers)):
```txt
RVA;traced event
```
e.g.
```txt
345c2;section: .text
58069;called: C:\Windows\SysWOW64\kernel32.dll.IsProcessorFeaturePresent
3976d;called: C:\Windows\SysWOW64\kernel32.dll.LoadLibraryExW
3983c;called: C:\Windows\SysWOW64\kernel32.dll.GetProcAddress
3999d;called: C:\Windows\SysWOW64\KernelBase.dll.InitializeCriticalSectionEx
398ac;called: C:\Windows\SysWOW64\KernelBase.dll.FlsAlloc
3995d;called: C:\Windows\SysWOW64\KernelBase.dll.FlsSetValue
49275;called: C:\Windows\SysWOW64\kernel32.dll.LoadLibraryExW
4934b;called: C:\Windows\SysWOW64\kernel32.dll.GetProcAddress
...
```
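An added example (not part of tiny_tracer) that parses the `.tag` format above into structured events, lists the section transitions (the first transition into a new section after unpacking is a common OEP candidate) and counts API calls per module; the trace lines, RVAs and module names in it are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed sample trace in the RVA;event .tag format (not from a real run).
SAMPLE_TAG = r"""
345c2;section: .text
58069;called: C:\Windows\SysWOW64\kernel32.dll.IsProcessorFeaturePresent
3976d;called: C:\Windows\SysWOW64\kernel32.dll.LoadLibraryExW
3983c;called: C:\Windows\SysWOW64\kernel32.dll.GetProcAddress
1a000;section: .rsrc
1a010;called: C:\Windows\SysWOW64\kernel32.dll.VirtualAlloc
...
"""

@dataclass
class TagEvent:
    rva: int      # relative virtual address within the traced module
    kind: str     # "section", "called", or any other event keyword
    detail: str   # section name, or full "path\module.dll.Function" string

def parse_tag_line(line: str) -> Optional[TagEvent]:
    """Parse one 'RVA;event' line; return None for blank, '...' or malformed lines."""
    line = line.strip()
    if not line or line == "...":
        return None
    rva_hex, sep, event = line.partition(";")
    if not sep:
        return None
    try:
        rva = int(rva_hex, 16)
    except ValueError:
        return None
    kind, _, detail = event.partition(": ")
    return TagEvent(rva, kind, detail)

def parse_tag(text: str) -> list[TagEvent]:
    return [ev for ev in map(parse_tag_line, text.splitlines()) if ev is not None]

def split_api_call(detail: str) -> tuple[str, str]:
    """'C:\\...\\kernel32.dll.LoadLibraryExW' -> ('kernel32.dll', 'LoadLibraryExW')."""
    path, _, func = detail.rpartition(".")
    module = path.replace("\\", "/").rsplit("/", 1)[-1]
    return module, func

def section_transitions(events: list[TagEvent]) -> list[tuple[int, str]]:
    """Every section change in trace order; later entries are OEP candidates for packed samples."""
    return [(ev.rva, ev.detail) for ev in events if ev.kind == "section"]

def calls_by_module(events: list[TagEvent]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for ev in events:
        if ev.kind == "called":
            module, _ = split_api_call(ev.detail)
            counts[module] = counts.get(module, 0) + 1
    return counts
```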
## 🚧 How to build
It was tested with [Intel Pin 4.2](https://software.intel.com/en-us/articles/pin-a-binary-instrumentation-tool-downloads).
You can build it [on Windows](https://github.com/hasherezade/tiny_tracer/wiki/Installation#on-windows) or [on Linux](https://github.com/hasherezade/tiny_tracer/wiki/Installation#on-linux). Detailed descriptions available [here](https://github.com/hasherezade/tiny_tracer/wiki/Installation).
*If you have any problems with building the project on Windows, you can use the test builds from the [AppVeyor server](https://ci.appveyor.com/project/hasherezade/tiny-tracer). Select the platform, and then 'Artifacts'. Check the 'Console' output to see what version of Pin is required to use them. Then, follow the [installation instructions](https://github.com/hasherezade/tiny_tracer/wiki/Installation).*
## ⚙ Usage
📖 You will find details about the usage on [the project's Wiki](https://github.com/hasherezade/tiny_tracer/wiki).
## 🛠 Helpers
For automatic generation of [`params.txt` for API arguments tracing](https://github.com/hasherezade/tiny_tracer/wiki/Tracing-parameters-of-functions), try [IAT-Tracer](https://github.com/YoavLevi/IAT-Tracer) by [YoavLevi](https://github.com/YoavLevi).
## WARNINGS
+ In order for Pin to work correctly, Kernel Debugging must be **DISABLED**.
+ In [`install32_64`](https://github.com/hasherezade/tiny_tracer/tree/master/install32_64) you can find a utility that checks if the Kernel Debugger is disabled (`kdb_check.exe`, [source](https://github.com/hasherezade/pe_utils/tree/master/kdb_check)); it is used by Tiny Tracer's `.bat` scripts. This utility sometimes gets flagged as malware by Windows Defender (it is a known false positive). If you encounter this issue, you may need to [exclude](https://support.microsoft.com/en-us/windows/add-an-exclusion-to-windows-security-811816c0-4dfd-af4a-47e4-c301afe13b26) the installation directory from Windows Defender scans.
+ Since version 3.20, Pin has dropped support for **old versions of Windows**. If you need to use the tool on Windows < 8, try to compile it with Pin 3.19.
---
🤔 Questions? Ideas? Join [Discussions](https://github.com/hasherezade/tiny_tracer/discussions)!
---