Skip to content

Releases: hasherezade/tiny_tracer

1.9

08 Oct 00:19
@hasherezade hasherezade
1.9
d446d0c
Compare
Choose a tag to compare
1.9

📖 README.md

FEATURE

  • Allow to hook NtDelayExecution (Sleep, SleepEx), and replace the slept time with your own value. Can be enabled by the TinyTracer.ini file. Read more here.
HOOK_SLEEP=True // enable Sleep hooking
SLEEP_TIME=10 // the new sleep value (in milliseconds)

Requires Intel Pin 3.19 or above.
I am sorry but Intel does not allow for distribution of compiled Pin Tools. So, you need to compile them from the sources.
Follow the instructions to build and install.

Assets 2
Loading

1.8

27 Aug 02:22
@hasherezade hasherezade
1.8
76c1b65
Compare
Choose a tag to compare
1.8

📖 README.md

FEATURE

Example:

69de;ntdll.RtlCreateProcessParametersEx
	Arg[0] = ptr 0x0058ee50 -> {\x00\x00\x00\x00\x01\x00\x00\x00}
	Arg[1] = ptr 0x0058ee3c -> U"C:\Windows\system32\calc.exe"
	Arg[2] = ptr 0x0058ee24 -> U"C:\Windows\System32"
	Arg[3] = ptr 0x0058ee2c -> U"C:\Windows\system32\"
	Arg[4] = ptr 0x0058ee3c -> U"C:\Windows\system32\calc.exe"

BUGFIX

  • In parameters tracing:
    • while dumping constants: fixed printing a parameter in decimal

Requires Intel Pin 3.19 or above.
I am sorry but Intel does not allow for distribution of compiled Pin Tools. So, you need to compile them from the sources.
Follow the instructions to build and install.

Assets 2
Loading

1.7

16 Jul 22:40
@hasherezade hasherezade
1.7
4e95284
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
1.7

📖 README.md

FEATURE

  • Do not allow to run if Kernel Debugger is enabled (it causes Pin to freeze)
  • In parameters tracing:
    • add hexdump preview of non-string parameters
    • dump pointer before every string
    • while dumping numbers: show hexadecimal and decimal representation of the same number

Example:

37c82;kernel32.GetProcAddress
	Arg[0] = ptr 0x00007ffce43c0000 -> {MZ\x90\x00\x03\x00\x00\x00}
	Arg[1] = ptr 0x00007ff67921fb50 -> "PssCaptureSnapshot"

Requires Intel Pin 3.19 or above.
I am sorry but Intel does not allow for distribution of compiled Pin Tools. So, you need to compile them from the sources.
Follow the instructions to build and install.

Assets 2
Loading

1.6.1

07 Jun 23:04
@hasherezade hasherezade
1.6.1
aefb063
Compare
Choose a tag to compare
1.6.1

📖 README.md

REFACT

  • Refactored to build with the latest Pin: 3.19

Requires Intel Pin 3.19 or above.
I am sorry but Intel does not allow for distribution of compiled Pin Tools. So, you need to compile them from the sources.
Follow the instructions to build and install.

Assets 2
Loading

1.6

20 Mar 21:11
@hasherezade hasherezade
1.6
8ece20e
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
1.6

📖 README.md

FEATURE

BUGFIX

  • Improved accuracy of recursive shellcode tracing

Requires Intel Pin 3.16 or 3.18.
I am sorry but Intel does not allow for distribution of compiled Pin Tools. So, you need to compile them from the sources.
Follow the instructions to build and install.

Assets 2
Loading

1.5.1

15 Mar 15:04
@hasherezade hasherezade
1.5.1
e9a39c3
Compare
Choose a tag to compare
1.5.1

📖 README.md

REFACT

  • Internal refactoring. Removed limit of watched functions. Remove duplicated watch entries.

FEATURE

  • Added a custom, more flexible tool for loading DLLs

Requires Intel Pin 3.16 or above.
I am sorry but Intel does not allow for distribution of compiled Pin Tools. So, you need to compile them from the sources.
Follow the instructions to build and install.

Assets 2
Loading

1.5

12 Mar 12:47
@hasherezade hasherezade
1.5
e1aa0eb
Compare
Choose a tag to compare
1.5

📖 README.md

FEATURE

  • Allow to trace parameters with which the selected functions were called ( read more here )

Requires Intel Pin 3.16 or above.
I am sorry but Intel does not allow for distribution of compiled Pin Tools. So, you need to compile them from the sources.
Follow the instructions to build and install.

Assets 2
Loading

1.4.2

26 Nov 13:38
@hasherezade hasherezade
1.4.2
8246030
Compare
Choose a tag to compare
1.4.2

📖 README.md

BUGFIX

  • Fixed a typo in the logger: RTDSC -> RDTSC

Requires Intel Pin 3.16 or above.
I am sorry but Intel does not allow for distribution of compiled Pin Tools. So, you need to compile them from the sources.
Follow the instructions to build and install.

Assets 2
Loading

1.4.1

14 Aug 17:47
@hasherezade hasherezade
1.4.1
52608f8
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
1.4.1

📖 README.md

REFACT

  • Updated to build with the latest Pin (3.16)

Requires Intel Pin 3.16 or above.
I am sorry but Intel does not allow for distribution of compiled Pin Tools. So, you need to compile them from the sources.
Follow the instructions to build and install.

Assets 2
Loading

1.4

25 Jul 07:13
@hasherezade hasherezade
1.4
67ed5b3
Compare
Choose a tag to compare
1.4

📖 README.md

REFACT

  • Cleanup and refactoring of all the code, improved stability of tracing

FEATURE

  • Tracing of CPUID instructions
  • "Time patching": altering RDTSC output to decrease delays (defense against anti-tracing)
  • Tracing of RDTSC (optional, can be enabled in run_me.bat)
  • Allow for recursive tracing of shellcodes (optional, can be enabled in run_me.bat - option 2)

BUGFIX

  • Fixed invalid calls origins generated in some traces (Issue #5)
  • Fixed bug in the elevation script - breaking on names with spaces

Requires Intel Pin 3.7 to 3.15.
I am sorry but Intel does not allow for distribution of compiled Pin Tools. So, you need to compile them from the sources.
Follow the instructions to build and install.

Assets 2
Loading