Skip to content

hasherezade/tiny_tracer

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

661 Commits
install32_64
install32_64
 
 
.appveyor.yml
.appveyor.yml
 
 
.gitignore
.gitignore
 
 
AntiDebug.cpp
AntiDebug.cpp
 
 
AntiDebug.h
AntiDebug.h
 
 
AntiVm.cpp
AntiVm.cpp
 
 
AntiVm.h
AntiVm.h
 
 
CppProperties.json
CppProperties.json
 
 
Crc.h
Crc.h
 
 
DisasmCache.h
DisasmCache.h
 
 
EvasionWatch.cpp
EvasionWatch.cpp
 
 
EvasionWatch.h
EvasionWatch.h
 
 
ExportsInfo.cpp
ExportsInfo.cpp
 
 
ExportsInfo.h
ExportsInfo.h
 
 
FuncWatch.cpp
FuncWatch.cpp
 
 
FuncWatch.h
FuncWatch.h
 
 
LICENSE.txt
LICENSE.txt
 
 
ModuleInfo.cpp
ModuleInfo.cpp
 
 
ModuleInfo.h
ModuleInfo.h
 
 
PinLocker.h
PinLocker.h
 
 
ProcessInfo.cpp
ProcessInfo.cpp
 
 
ProcessInfo.h
ProcessInfo.h
 
 
README.md
README.md
 
 
Settings.cpp
Settings.cpp
 
 
Settings.h
Settings.h
 
 
SysUtil.cpp
SysUtil.cpp
 
 
SysUtil.h
SysUtil.h
 
 
ThreadMapper.cpp
ThreadMapper.cpp
 
 
ThreadMapper.h
ThreadMapper.h
 
 
TinyTracer.cpp
TinyTracer.cpp
 
 
TinyTracer.h
TinyTracer.h
 
 
TraceLog.cpp
TraceLog.cpp
 
 
TraceLog.h
TraceLog.h
 
 
TrackReturns.cpp
TrackReturns.cpp
 
 
TrackReturns.h
TrackReturns.h
 
 
Util.cpp
Util.cpp
 
 
Util.h
Util.h
 
 
build_env.bat
build_env.bat
 
 
find_sdk_win.sh
find_sdk_win.sh
 
 
install_vs.bat
install_vs.bat
 
 
make_linux.sh
make_linux.sh
 
 
make_mingw.sh
make_mingw.sh
 
 
makefile
makefile
 
 
makefile.rules
makefile.rules
 
 
mini_pe.h
mini_pe.h
 
 
tasks.vs.json
tasks.vs.json
 
 

Repository files navigation

tiny_tracer

Codacy Badge Commit activity Last Commit Build status

GitHub release GitHub release date

A Pin Tool for tracing:

Evades some of the known anti-debug and anti-VM techniques

Generates a report in a .tag format (which can be loaded into other analysis tools):

RVA;traced event

i.e.

345c2;section: .text
58069;called: C:\Windows\SysWOW64\kernel32.dll.IsProcessorFeaturePresent
3976d;called: C:\Windows\SysWOW64\kernel32.dll.LoadLibraryExW
3983c;called: C:\Windows\SysWOW64\kernel32.dll.GetProcAddress
3999d;called: C:\Windows\SysWOW64\KernelBase.dll.InitializeCriticalSectionEx
398ac;called: C:\Windows\SysWOW64\KernelBase.dll.FlsAlloc
3995d;called: C:\Windows\SysWOW64\KernelBase.dll.FlsSetValue
49275;called: C:\Windows\SysWOW64\kernel32.dll.LoadLibraryExW
4934b;called: C:\Windows\SysWOW64\kernel32.dll.GetProcAddress
...

🚧 How to build

It was tested with Intel Pin 4.2.

You can build it on Windows or on Linux. Detailed descriptions available here.

If you have any problems with building the project on Windows, you can use the test builds from the AppVeyor server. Select the platform, and then 'Artifacts'. Check the 'Console' output to see what version of Pin is required to use them. Then, follow the installation instructions.

⚙ Usage

📖 Details about the usage you will find on the project's Wiki.

🛠 Helpers

For automatic generation of params.txt for API arguments tracing, try IAT-Tracer by YoavLevi

WARNINGS

  • In order for Pin to work correctly, Kernel Debugging must be DISABLED.
  • In install32_64 you can find a utility that checks if Kernel Debugger is disabled (kdb_check.exe, source), and it is used by the Tiny Tracer's .bat scripts. This utility sometimes gets flagged as a malware by Windows Defender (it is a known false positive). If you encounter this issue, you may need to exclude the installation directory from Windows Defender scans.
  • Since the version 3.20 Pin has dropped a support for old versions of Windows. If you need to use the tool on Windows < 8, try to compile it with Pin 3.19.

🤔 Questions? Ideas? Join Discussions!

About

A Pin Tool for tracing API calls etc

Topics

reverse-engineering dbi malware-analysis api-trace intel-pintools

Resources

Readme

License

GPL-2.0 license
Activity

Stars

1.7k stars

Watchers

40 watching

Forks

166 forks
Report repository

Releases 30

4.0 Latest
May 28, 2026
+ 29 releases

Packages

 
 
 

Contributors

Languages