-
Notifications
You must be signed in to change notification settings - Fork 161
Tracing shellcodes
By default, Tiny Tracer traces the main executable. However, sometimes the main executable (especially if it is a malware or a protected application) may allocate additional memory pages and unpack there some code.
Usually we want to trace what happens there too. That's why TinyTracer has the option FOLLOW_SHELLCODES enabled (see run_me.bat).
set FOLLOW_SHELLCODES=1
In some cases you may want to disable it, then just change the value to 0.
set FOLLOW_SHELLCODES=0
To test what is the difference between those two settings, you may try to run this example.
Fragment of the tag file generated with FOLLOW_SHELLCODES=1:
1000;section:
1005;->.teddy
6b001;section: .teddy
6b0ed;kernel32.VirtualAlloc
6b11b;kernel32.VirtualAlloc
6b1ad;kernel32.VirtualFree
6b1b8;called: ?? [b337000+0]
> b337000+74;kernel32.GetModuleHandleA
> b337000+8a;kernel32.GetProcAddress
> b337000+9e;kernel32.GetProcAddress
> b337000+c4;kernel32.VirtualAlloc
> b337000+fb;kernel32.VirtualFree
At the line:
6b1b8;called: ?? [b337000+0]
- the execution was redirected into a shellcode. The base address of the shellcode was
b337000.
The lines starting with>indicate the calls made from within this shellcode.
If we run the same file with tracing shellcodes disabled (FOLLOW_SHELLCODES=0):
1000;section:
1005;->.teddy
6b001;section: .teddy
6b0ed;kernel32.VirtualAlloc
6b11b;kernel32.VirtualAlloc
6b1ad;kernel32.VirtualFree
6b1b8;called: ?? [b347000+0]
1014;section:
1014;called: ?? [b33f000+17]
271d6;called: ?? [b454000+6c0]
We will see only the calls from the main module into the shellcode, but we will not see what happens inside the shellcode.