Stop offsets

hasherezade edited this page Aug 24, 2024 · 12 revisions

In some cases, we may want to pause the execution of the traced module. This can be done for a variety of reasons, e.g. to dump the unpacked module, or to attach a debugger after the anti-debug checks have passed.

TinyTracer lets you define a list of offsets at which execution will pause (aka "Stop Offsets"). Once such an offset is hit, TinyTracer waits for the time defined in TinyTracer.ini as STOP_OFFSET_TIME (in seconds). If STOP_OFFSET_TIME is 0, the feature is disabled.

The list of Stop Offsets is defined in a file passed to TinyTracer. By default, it is expected to be in install32_64/stop_offsets.txt. The default path can be changed in run_me.bat (Windows) or tiny_runner.sh (Linux) by editing the relevant lines.

Stop offsets are defined as relative offsets within the traced module (RVA). We may also specify how many times execution should stop at a particular offset (the default is 0, meaning an unlimited number of times).

Example of the stop offsets list:

1451
11ee;2

Once the offset is hit, TinyTracer logs an information line about the wait to the tracelog (and to stdout, if available):

# Stop offset reached: RVA = 0x11ee. Sleeping 30 s. Hits remaining: 1

After the wait has finished, another line will be logged:

# Resuming execution
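The following is an added example, not part of TinyTracer or of the original page: a small script that parses a stop offsets list in the format shown above and checks a tracelog for which configured offsets actually paused execution, and whether the trace ended in the middle of a pause. The function names are hypothetical, the hit count is assumed to be decimal, and the sample tracelog is constructed.

```python
import re

# Log lines as shown on this page; only the RVA and sleep time are captured.
STOP_RE = re.compile(r"^# Stop offset reached: RVA = 0x([0-9a-fA-F]+)\. Sleeping (\d+) s\.")

def parse_stop_offsets(text):
    """Return {rva: times} from stop_offsets.txt content; times 0 = unlimited."""
    stops = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        rva_s, _, times_s = line.partition(";")
        try:
            rva = int(rva_s, 16)                    # hex, as in the page's example
            times = int(times_s) if times_s else 0  # assumption: decimal count
        except ValueError:
            raise ValueError(f"line {n}: malformed entry {raw!r}") from None
        stops[rva] = times
    return stops

def audit_trace(stops, tracelog):
    """Count pauses per configured RVA; report a pause that never resumed."""
    hits = {rva: 0 for rva in stops}
    unexpected, pending = [], None
    for raw in tracelog.splitlines():
        line = raw.strip()
        m = STOP_RE.match(line)
        if m:
            pending = int(m.group(1), 16)
            if pending in hits:
                hits[pending] += 1
            else:
                unexpected.append(pending)  # pause at an RVA not in the list
        elif line == "# Resuming execution":
            pending = None
    never_hit = sorted(r for r, c in hits.items() if c == 0)
    return {"hits": hits, "never_hit": never_hit, "unexpected": unexpected, "unresumed": pending}

# Constructed sample input: the page's example list and a made-up tracelog.
SAMPLE_STOPS = "1451\n11ee;2\n"
SAMPLE_LOG = """11d0;kernel32.Sleep
# Stop offset reached: RVA = 0x11ee. Sleeping 30 s. Hits remaining: 1
# Resuming execution
# Stop offset reached: RVA = 0x11ee. Sleeping 30 s. Hits remaining: 0
"""

if __name__ == "__main__":
    print(audit_trace(parse_stop_offsets(SAMPLE_STOPS), SAMPLE_LOG))
```

An offset reported in never_hit usually means the RVA was not reached in this run or was entered incorrectly; a non-empty unresumed value means the log ends while the traced process was still paused.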