Skip to content

The INI file

hasherezade edited this page Dec 10, 2024 · 59 revisions

Some settings can be configured with the help of INI file. The default version of this file can be found in the install32_64 directory.

TinyTracer.ini:

ENABLE_SHORT_LOGGING=True
USE_DEBUG_SYMBOLS=False
FOLLOW_SHELLCODES=1
;FOLLOW_SHELLCODES:
; 0 : trace only the main target module
; 1 : follow only the first shellcode called from the main module
; 2 : follow also the shellcodes called recursively from the the original shellcode
; 3 : follow any shellcodes
TRACE_RDTSC=False
TRACE_INT=False
TRACE_SYSCALL=True
LOG_SECTIONS_TRANSITIONS=True
LOG_SHELLCODES_TRANSITIONS=True
LOG_INDIRECT_CALLS=False
HEXDUMP_SIZE=8
HOOK_SLEEP=False
SLEEP_TIME=10
STOP_OFFSET_TIME=30
;STOP_OFFSET_TIME (dec): 
; For how many seconds the execution should pause on a stop offset (defined by stop_offsets.txt)
DISASM_START=0
;DISASM_START (hex):
; An RVA in the traced module from which the disasm should start
DISASM_STOP=0
;DISASM_STOP (hex):
; An RVA in the traced module on which the disasm should end
DISASM_CTX=False
;DISASM_CTX:
; When in disasm mode: show the registers changed by every instruction
ANTIDEBUG=0
;ANTIDEBUG: (Windows only)
; 0 : Disabled
; 1 : Standard
; 2 : Deep (may lead to some false positives)
ANTIVM=0
;ANTIVM: (Windows only)
; 0 : Disabled
; 1 : Standard
; Settings for ANTIVM enabled:
EMULATE_HYPERV=False
; Settings for ANTIDEBUG enabled:
EMULATE_SINGLE_STEP=True
;EMULATE_SINGLE_STEP:
; On True: when the trap flag was set, throw the SINGLE_STEP exception
; On False: the trap flag will be removed and ignored (no exception)

You may change the default path to your INI file by editing the variable SETTINGS_FILE:

Example:

rem The ini file specifying the settings of the tracer
set SETTINGS_FILE=%PIN_TOOLS_DIR%\TinyTracer.ini

Example:

SETTINGS_FILE=$PIN_CONFIGS_DIR"/TinyTracer.ini"

Options

ENABLE_SHORT_LOGGING

This option accepts boolean values. In case if it is disabled, full path of the DLL is logged. Example:

4934b;called: C:\Windows\SysWOW64\kernel32.dll.GetProcAddress

Otherwise only the DLL name is logged:

4934b;kernel32.dll.GetProcAddress

USE_DEBUG_SYMBOLS

This option accepts boolean values. In case if it is disabled, the functions names are resolved basing on the module's exports table only.

When enabled, debug symbols will be used (if accessible). In this mode, functions names are also automatically demangled.

FOLLOW_SHELLCODES

Allows to enable various degrees of shellcode tracing. More details explained here

TRACE_RDTSC

Log occurrences of the RDTSC instruction (which is often used to detect that process is being watched/debugged).

By default, TinyTracer tries to bypass the anti-tracing check based on RDTSC, yet it does not log the occurrence of this instruction, in order to avoid possible noise.

TRACE_INT

Log occurrences of interrupts.

TRACE_SYSCALL

Enable tracing syscalls. More information here.

LOG_SECTIONS_TRANSITIONS

Log the offsets where the execution switches between one section of the traced module and another.

Example - fragment of the log made with this option enabled:

1b41d;called: C:\Windows\SysWOW64\kernel32.dll.HeapDestroy
17012;[.vmp0] -> [.vmp1]
8b38e;section: [.vmp1]
a3f70;[.vmp1] -> [.vmp0]
16ff2;section: [.vmp0]
17012;[.vmp0] -> [.vmp1]
a3f72;section: [.vmp1]
8ce24;called: C:\Windows\SysWOW64\kernel32.dll.LocalFree
a3f70;called: C:\Windows\SysWOW64\kernel32.dll.ExitProcess

We can see the execution going back and forth between two sections: .text and .vmp0. This characteristics is common for protectors using virtualization.

If we disable this option, we won't see those transitions anymore. Example:

1b41d;called: C:\Windows\SysWOW64\kernel32.dll.HeapDestroy
8ce24;called: C:\Windows\SysWOW64\kernel32.dll.LocalFree
a3f70;called: C:\Windows\SysWOW64\kernel32.dll.ExitProcess

LOG_SHELLCODES_TRANSITIONS

Log the offsets where the execution switches between one shellcode and another.

HEXDUMP_SIZE

How long will be the hexdump printed after the pointer (while tracing parameters).

Example - a hexdump of the length 8:

Arg[0] = ptr 0x76fb0000 -> {MZ\x90\x00\x03\x00\x00\x00}

Printable characters are dumped as literals, while non-printable, in form: \x{hex:ASCII value}.

HOOK_SLEEP

WARNING: This feature is currently implemented for Windows only

Enable NtDelayExecution hook, which allows you to change the slept time. In order to enable, set:

HOOK_SLEEP=True

SLEEP_TIME

Sleep time in milliseconds (active if HOOK_SLEEP is enabled). This value will replace the original sleep time in all the hooked functions (which call NtDelayExecution).

STOP_OFFSET_TIME

Wait time in seconds. If the list of stop offsets is defined, this option specifies for how long an execution should pause on a single offset. Details described here: Stop Offsets

DISASM_START, DISASM_STOP, DISASM_CTX

DISASM_START and DISASM_STOP are virtual offsets (RVA) relative to the traced module. If they are defined, TinyTracer will produce the disassembly of all the instructions executed within the range.

Details described here: Tracing with disasembly

LOG_INDIRECT_CALLS

Allows to log indirect calls (and jumps) to local functions. More information here.

ANTIDEBUG

WARNING: This feature is currently implemented for Windows only

Log occurrences of selected AntiDebug techniques. The occurrences are tagged with [ANTIDEBUG] label. May contain links to materials describing a corresponding technique. Example:

309a39;section: [.vmp2]
3dcccb;kernel32.LocalAlloc
3db8e6;[ANTIDEBUG] --> PEB!BeingDebugged accessed
3dcc56;ntdll.ZwQueryInformationProcess
3dcc58;[ANTIDEBUG] --> ^ ntdll!NtQueryInformationProcess (ProcessDebugPort);https://anti-debug.checkpoint.com/techniques/debug-flags.html#using-win32-api-ntqueryinformationprocess-processdebugport
3df7e2;ntdll.ZwQueryInformationProcess
3df7e4;[ANTIDEBUG] --> ^ ntdll!NtQueryInformationProcess (ProcessDebugObjectHandle);https://anti-debug.checkpoint.com/techniques/debug-flags.html#using-win32-api-ntqueryinformationprocess-processdebugobjecthandle
3dcccb;ntdll.NtSetInformationThread

When run in this mode, tracer will also attempt to autoremove the Trap Flag (to bypass the technique that interrupts the tracing).

Supported options:

Value Meaning
0 Disabled
1 Standard
2 Deep (may lead to some false positives)

ANTIVM

WARNING: This feature is currently implemented for Windows only

Log occurrences of selected AntiVM techniques. The occurrences are tagged with [ANTIVM] label. May contain links to materials describing a corresponding technique. Example:

3002;fastprox.[??0CWbemGuidToClassMap@@QEAA@XZ+700]*
305f;fastprox.[?GetInstanceObject@CWbemObjectArrayPacket@@AEAAJAEAVCWbemObjectPacket@@PEAPEAUIWbemClassObject@@AEAVCWbemClassCache@@@Z+550]*
3d21;fastprox.?Get@CWbemObject@@UEAAJPEBGJPEAUtagVARIANT@@PEAJ2@Z
3d23;[ANTIVM] --> ^ WMI query - device ID;https://evasions.checkpoint.com/techniques/wmi.html#generic-wmi-queries
baa0;msvcrt.wcsstr

Supported options:

Value Meaning
0 Disabled
1 Standard

This feature is a work in progress.

EMULATE_HYPERV

Works if ANTIVM is enabled. By default, if ANTIVM is enabled, TinyTracer will modify the output of CPUID to hide VM-related artifacts. However, if EMULATE_HYPERV is enabled, it will instead emulate a machine with HyperV enabled (modify the CPUID to impersonate HyperV). This option may be helpful in bypassing VMProtect. It forces the VMProtect-stub to choose a different execution path, that may allow for easier bypass.

EMULATE_SINGLE_STEP

Works if ANTIDEBUG is enabled. Defines how TinyTracer will behave if the TrapFlag was set.

Value Meaning
True throw the SINGLE_STEP exception after the trap flag
False remove and ignore the trap flag (no exception)

Setting the option EMULATE_SINGLE_STEP to False may help bypassing some variants of VMProtect.