Tracing shellcodes
By default, Tiny Tracer traces only the main executable. However, the main executable (especially if it is malware or a protected application) may allocate additional memory pages and unpack some code there.
Usually we want to trace what happens there too. That is why Tiny Tracer has the option FOLLOW_SHELLCODES enabled by default (see TinyTracer.ini):
FOLLOW_SHELLCODES=1
By default, only the first shellcode called from the traced PE is followed. If you want to go deeper and follow them recursively (shellcodes called from within other shellcodes), change the option to 2:
FOLLOW_SHELLCODES=2
In some cases you may want to disable it; then just change the value to 0:
FOLLOW_SHELLCODES=0
To see the difference between those settings, you can try running this example.
Fragment of the tag file generated with FOLLOW_SHELLCODES=1:
1000;section:
1005;->.teddy
6b001;section: .teddy
6b0ed;kernel32.VirtualAlloc
6b11b;kernel32.VirtualAlloc
6b1ad;kernel32.VirtualFree
6b1b8;called: ?? [b337000+0]
> b337000+74;kernel32.GetModuleHandleA
> b337000+8a;kernel32.GetProcAddress
> b337000+9e;kernel32.GetProcAddress
> b337000+c4;kernel32.VirtualAlloc
> b337000+fb;kernel32.VirtualFree
At the line:
6b1b8;called: ?? [b337000+0]
the execution was redirected into a shellcode. The base address of the shellcode was b337000, and +0 means it was entered at its very beginning (the number after + is the offset from that base).
The lines starting with > are the calls made from within this shellcode; each one is reported as the shellcode base plus the offset of the call site, followed by the API that was called.
If we run the same file with tracing shellcodes disabled (FOLLOW_SHELLCODES=0):
1000;section:
1005;->.teddy
6b001;section: .teddy
6b0ed;kernel32.VirtualAlloc
6b11b;kernel32.VirtualAlloc
6b1ad;kernel32.VirtualFree
6b1b8;called: ?? [b347000+0]
1014;section:
1014;called: ?? [b33f000+17]
271d6;called: ?? [b454000+6c0]
We will see only the calls from the main module into the shellcode, but we will not see what happens inside the shellcode. Note also that the base address differs between runs (b347000 here versus b337000 above) because it is simply whatever VirtualAlloc returned that time, so when comparing two tag files correlate shellcodes by the RVA of the call site in the main module (here 6b1b8) rather than by their base address.
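To show how the two line shapes above can be processed mechanically, here is an added example (not code from the Tiny Tracer project): a small Python parser that reads a .tag file, groups the "called: ?? [base+offset]" transfers and the "> base+offset;api" inner calls into one record per shellcode, and flags shellcodes that were entered but never traced inside, which is exactly what a FOLLOW_SHELLCODES=0 run looks like. The sample input is the two fragments from this page, embedded inline. One assumption not shown on the page: the example treats a longer run of ">" characters as a deeper nesting level for FOLLOW_SHELLCODES=2; with the single-level fragments above the depth is always 1.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the two tag-file fragments shown on this page.
TAG_FOLLOW_1 = """1000;section:
1005;->.teddy
6b001;section: .teddy
6b0ed;kernel32.VirtualAlloc
6b11b;kernel32.VirtualAlloc
6b1ad;kernel32.VirtualFree
6b1b8;called: ?? [b337000+0]
> b337000+74;kernel32.GetModuleHandleA
> b337000+8a;kernel32.GetProcAddress
> b337000+9e;kernel32.GetProcAddress
> b337000+c4;kernel32.VirtualAlloc
> b337000+fb;kernel32.VirtualFree
"""

TAG_FOLLOW_0 = """1000;section:
1005;->.teddy
6b001;section: .teddy
6b0ed;kernel32.VirtualAlloc
6b11b;kernel32.VirtualAlloc
6b1ad;kernel32.VirtualFree
6b1b8;called: ?? [b347000+0]
1014;section:
1014;called: ?? [b33f000+17]
271d6;called: ?? [b454000+6c0]
"""

# "<rva>;called: ?? [<base>+<offset>]": control left the traced PE for code
# outside any known module (a shellcode), entering it at base+offset.
CALLED_RE = re.compile(r'^([0-9a-f]+);called: \?\? \[([0-9a-f]+)\+([0-9a-f]+)\]$')
# "> <base>+<offset>;<api>": a call made from inside a followed shellcode.
# Assumption (not shown on the page): deeper recursion under FOLLOW_SHELLCODES=2
# is rendered with more '>' characters, so the prefix length is taken as depth.
INNER_RE = re.compile(r'^(>+) ([0-9a-f]+)\+([0-9a-f]+);(.+)$')


@dataclass
class Shellcode:
    base: int                    # allocation base printed in the tag file
    entry_offset: int            # offset at which execution first entered it
    caller_rva: Optional[int]    # RVA in the traced PE that transferred control there
    calls: List[Tuple[int, str, int]] = field(default_factory=list)  # (offset, api, depth)


def parse_tag(text: str) -> Dict[int, Shellcode]:
    """Group a .tag file into shellcode regions keyed by base, in order of first appearance."""
    regions: Dict[int, Shellcode] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = CALLED_RE.match(line)
        if m:
            caller, base, off = (int(x, 16) for x in m.groups())
            regions.setdefault(base, Shellcode(base, off, caller))
            continue
        m = INNER_RE.match(line)
        if m:
            depth = len(m.group(1))
            base, off = int(m.group(2), 16), int(m.group(3), 16)
            # A '>' line normally follows a 'called:' line for the same base;
            # tolerate a truncated fragment instead of dropping the call.
            sc = regions.setdefault(base, Shellcode(base, 0, None))
            sc.calls.append((off, m.group(4), depth))
    return regions


def unfollowed(regions: Dict[int, Shellcode]) -> List[int]:
    """Bases that were entered but never traced inside: the symptom of
    FOLLOW_SHELLCODES=0 (or of a region the tracer could not instrument)."""
    return [b for b, sc in regions.items() if not sc.calls]


def apis_used(regions: Dict[int, Shellcode], base: int) -> List[str]:
    """Distinct APIs called from one shellcode, in order of first use."""
    seen: List[str] = []
    for _, api, _ in regions[base].calls:
        if api not in seen:
            seen.append(api)
    return seen


if __name__ == "__main__":
    for name, text in (("FOLLOW_SHELLCODES=1", TAG_FOLLOW_1),
                       ("FOLLOW_SHELLCODES=0", TAG_FOLLOW_0)):
        regions = parse_tag(text)
        print(name)
        for base, sc in regions.items():
            caller = f"{sc.caller_rva:x}" if sc.caller_rva is not None else "?"
            print(f"  shellcode @ {base:x} entered at +{sc.entry_offset:x} from RVA {caller}: "
                  f"{len(sc.calls)} inner calls, APIs {apis_used(regions, base)}")
        print("  not followed:", [f"{b:x}" for b in unfollowed(regions)])
```

Run it as a script to print a per-shellcode summary for both fragments; for the FOLLOW_SHELLCODES=0 fragment every region ends up in the "not followed" list, which is the quick check to make before concluding that a sample's shellcode "does nothing".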