
Tracing shellcodes

@hasherezade edited this page Jun 23, 2019 · 17 revisions

By default, Tiny Tracer traces the main executable. However, the main executable (especially malware or a protected application) may allocate additional memory pages and unpack code into them, and then jump there.

Usually we want to trace what happens in those regions too. That is why Tiny Tracer ships with the FOLLOW_SHELLCODES option enabled (see run_me.bat):

set FOLLOW_SHELLCODES=1

If you do not want the tracer to follow execution into such regions, change the value to 0:

set FOLLOW_SHELLCODES=0

Example

To see the difference between the two settings, try running this example.

Fragment of the tag file generated with FOLLOW_SHELLCODES=1:

1000;section: 
1005;->.teddy
6b001;section: .teddy
6b0ed;kernel32.VirtualAlloc
6b11b;kernel32.VirtualAlloc
6b1ad;kernel32.VirtualFree
6b1b8;called: ?? [b337000+0]
> b337000+74;kernel32.GetModuleHandleA
> b337000+8a;kernel32.GetProcAddress
> b337000+9e;kernel32.GetProcAddress
> b337000+c4;kernel32.VirtualAlloc
> b337000+fb;kernel32.VirtualFree

Each line of the tag file has the form RVA;tag, where the RVA is relative to the base of the traced module. At the line 6b1b8;called: ?? [b337000+0] the execution was redirected to the shellcode: ?? means the call target does not belong to any loaded module, b337000 is the base of the allocated region and +0 is the offset at which execution entered it.
The lines starting with > are the calls made from within the shellcode; their addresses are given as offsets from that region's base rather than as RVAs of the main module.
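To show how the two kinds of lines fit together, here is an added example (not part of Tiny Tracer or of this wiki page) that parses a tag file fragment and groups the > lines by the shellcode region they belong to, recovering for each region the RVA it was entered from and the APIs it called. The sample input is the fragment above, extended with a second, constructed region at c410000 (hypothetical, not from any real trace) so that the grouping handles more than one followed shellcode.

```python
import re
from collections import OrderedDict

# Constructed sample input: the fragment shown on this page, plus a second
# shellcode region (base c410000) that is made up for this example.
SAMPLE_TAGS = "\n".join([
    "1000;section: ",
    "1005;->.teddy",
    "6b001;section: .teddy",
    "6b0ed;kernel32.VirtualAlloc",
    "6b11b;kernel32.VirtualAlloc",
    "6b1ad;kernel32.VirtualFree",
    "6b1b8;called: ?? [b337000+0]",
    "> b337000+74;kernel32.GetModuleHandleA",
    "> b337000+8a;kernel32.GetProcAddress",
    "> b337000+9e;kernel32.GetProcAddress",
    "> b337000+c4;kernel32.VirtualAlloc",
    "> b337000+fb;kernel32.VirtualFree",
    "6b1c0;called: ?? [c410000+10]",          # hypothetical second region
    "> c410000+30;kernel32.LoadLibraryA",     # hypothetical
    "> c410000+52;kernel32.GetProcAddress",   # hypothetical
])

# Transition out of the main module into an unknown (??) region: RVA;called: ?? [base+off]
CALLED_RE = re.compile(r"^([0-9a-fA-F]+);called: \?\? \[([0-9a-fA-F]+)\+([0-9a-fA-F]+)\]$")
# Event inside a followed shellcode: > base+off;tag
SHELLCODE_RE = re.compile(r"^> ([0-9a-fA-F]+)\+([0-9a-fA-F]+);(.+)$")
# Any other main-module event: RVA;tag
MAIN_RE = re.compile(r"^([0-9a-fA-F]+);(.+)$")


def parse_tags(text):
    """Split a tag file into main-module events and per-region shellcode events.

    Returns (main_events, regions): main_events is a list of (rva, tag);
    regions maps a shellcode base to a dict with the RVA the region was
    entered from, the entry offset inside it, and the list of (offset, tag)
    calls made from inside it.
    """
    main_events = []
    regions = OrderedDict()
    for line in text.splitlines():
        if not line.strip():
            continue
        m = CALLED_RE.match(line)  # must be tried before MAIN_RE
        if m:
            rva, base, off = (int(x, 16) for x in m.groups())
            main_events.append((rva, line.split(";", 1)[1]))
            regions.setdefault(base, {"entry_rva": rva, "entry_off": off, "calls": []})
            continue
        m = SHELLCODE_RE.match(line)
        if m:
            base, off, tag = int(m.group(1), 16), int(m.group(2), 16), m.group(3)
            # A '>' line with no preceding 'called: ??' for this base means the
            # trace was cut; keep the call rather than silently dropping it.
            region = regions.setdefault(base, {"entry_rva": None, "entry_off": None, "calls": []})
            region["calls"].append((off, tag))
            continue
        m = MAIN_RE.match(line)
        if m:
            main_events.append((int(m.group(1), 16), m.group(2)))
    return main_events, regions


def apis_from_shellcode(text):
    """{base: [api, ...]} for every followed shellcode region, in trace order."""
    _, regions = parse_tags(text)
    return {base: [tag for _, tag in r["calls"]] for base, r in regions.items()}


def report(text):
    """Human-readable summary of where execution left the module and what ran there."""
    main_events, regions = parse_tags(text)
    out = [f"{len(main_events)} main-module events, {len(regions)} shellcode region(s)"]
    for base, r in regions.items():
        entry = "?" if r["entry_rva"] is None else f"{r['entry_rva']:x}"
        off = 0 if r["entry_off"] is None else r["entry_off"]
        out.append(f"region {base:x}: entered from RVA {entry} at offset +{off:x}")
        out.extend(f"  +{o:x}: {t}" for o, t in r["calls"])
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_TAGS))
```

With FOLLOW_SHELLCODES=0 the > lines are absent, so the same parser yields regions with empty call lists; comparing the two runs this way is a quick check of what the setting adds.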
