Return value and follow args #70
maxspl started this conversation in Show and tell
Hi!
I tried to add these two options in a fork:

1. Log return value of syscall and function call
Enabled in the `.ini` file using `LOG_RETURN_VALUE`. I've used this logic: `CheckIfFunctionReturned`. If one of the instructions after the call is the return one, it indicates we're at the function return. `MonitorFunctionArgs` and `IPOINT_AFTER`, but it doesn't work for some functions. `SyscallCalledAfter`.
Output example:

2. Follow the args and return value
Enabled in the `.ini` file via `FOLLOW_ARGS_RETURN`.
The goal is to track args and returns (if they are valid pointers) of all calls to detect any change (e.g. log the first bytes of the memory allocated by VirtualAlloc once it is filled).
This is done like that:
The output looks like this for a new value pointed to by an arg:
The output looks like this for a new value pointed to by a return pointer:
I plan to add another feature that will enrich the tracking of args and return values: PE and shellcode detection, memory extraction, etc.
I hope all this is understandable, but before making a PR, I wanted to submit the idea here and find out if it might be possible to integrate these additions. The changes can be found on this fork (cf. the last two commits): https://github.com/maxspl/tiny_tracer.
Thanks in advance :)
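Added example, not code from the fork or from tiny_tracer itself: a stand-alone C++ model of the FOLLOW_ARGS_RETURN idea described in the post. Each pointer seen as a call argument or return value is recorded with a snapshot of its first bytes, and later checkpoints re-read the memory and report which pointers now hold different content (the case of a VirtualAlloc'd region being filled). The snapshot length, the `Tracked`/`PointerFollower` names and the use of `memcpy` in place of Pin's `PIN_SafeCopy` are assumptions of this example.

```cpp
// Added example (not from tiny_tracer): in-process model of "follow args and return
// value". Pointers passed to or returned from calls are snapshotted; a checkpoint
// re-reads them and logs the ones whose content changed since the last snapshot.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <map>
#include <string>

static const size_t SNAP_LEN = 16; // bytes captured per tracked pointer (assumed)

struct Tracked {
    std::string origin;      // where the pointer came from, e.g. "VirtualAlloc:ret"
    uint8_t snap[SNAP_LEN];  // last content observed at the pointer
};

class PointerFollower {
public:
    // Register a pointer-looking argument or return value; NULL and repeats are ignored.
    void track(const void* ptr, const std::string& origin) {
        if (ptr == nullptr || tracked_.count(ptr)) return;
        Tracked t; t.origin = origin;
        std::memcpy(t.snap, ptr, SNAP_LEN);  // a real Pin tool would use PIN_SafeCopy
        tracked_.emplace(ptr, t);
    }
    // Re-read every tracked pointer, print the new bytes of those that changed,
    // refresh their snapshot and return how many changed since the last checkpoint.
    size_t checkpoint() {
        size_t changed = 0;
        for (auto& kv : tracked_) {
            uint8_t now[SNAP_LEN];
            std::memcpy(now, kv.first, SNAP_LEN);
            if (std::memcmp(now, kv.second.snap, SNAP_LEN) == 0) continue;
            std::printf("[%s] %p changed:", kv.second.origin.c_str(), kv.first);
            for (size_t i = 0; i < SNAP_LEN; ++i) std::printf(" %02x", now[i]);
            std::printf("\n");
            std::memcpy(kv.second.snap, now, SNAP_LEN);
            ++changed;
        }
        return changed;
    }
    size_t trackedCount() const { return tracked_.size(); }
private:
    std::map<const void*, Tracked> tracked_;
};
```

Registering the return value of an allocation call right after it returns and calling `checkpoint()` at later instrumentation points reproduces the "first bytes of the allocated memory when filled" log the post describes.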