hasherezade / tiny_tracer

A Pin Tool for tracing API calls etc

Implement syscall parameters tracing #22

Closed ergrelet closed 2 years ago

ergrelet commented 2 years ago

Hi,

Here's a second PR that completes the previous one. I re-used the existing "params" file to store the configuration for syscalls as well, mainly for the sake of simplicity. The changes are backward compatible so this shouldn't break anything for people that don't use the feature. Tell me if you wish to separate the two configurations (for functions and for syscalls).

Example of a params.txt file:

kernel32;LoadLibraryW;1
kernel32;LoadLibraryA;1
kernel32;GetProcAddress;2
advapi32;RegQueryValueW;3
kernel32;CreateFileW;6
ntdll;ZwQuerySystemInformation;4
<SYSCALL>;0x36;4
<SYSCALL>;0x20;2

Example of a trace output:

1bd8;SYSCALL:0x36
    Arg[0] = 0
    Arg[1] = ptr 0x000000a18caff860 -> {\x00\x00\x00\x00\x00\x00\x00\x00}
    Arg[2] = 0x0000000000000040 = 64
    Arg[3] = ptr 0x000000a18caff8a0 -> {\x00\x00\x00\x00\x00\x00\x00\x00}
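
The two formats shown above (the `module;function;argc` / `<SYSCALL>;0xNN;argc` lines of params.txt and the `tid;SYSCALL:0xNN` block with indented `Arg[i] = ...` lines in the trace) are simple enough to post-process. The following is an added example, not code from tiny_tracer or from this PR: a small Python parser for both formats that then checks a trace against the configured argument counts. Everything beyond what the two excerpts show is an assumption of this example: that blank lines and `#` comments may be skipped, that the syscall number is always written in hex, and that any non-`Arg[i]` line ends the current syscall block. The sample inputs are copied from the PR description.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

SYSCALL_MARKER = "<SYSCALL>"   # module field that marks a syscall entry in params.txt

# params.txt content copied from the PR description.
SAMPLE_PARAMS = """\
kernel32;LoadLibraryW;1
kernel32;LoadLibraryA;1
kernel32;GetProcAddress;2
advapi32;RegQueryValueW;3
kernel32;CreateFileW;6
ntdll;ZwQuerySystemInformation;4
<SYSCALL>;0x36;4
<SYSCALL>;0x20;2
"""

# Trace excerpt copied from the PR description (raw string: the \x00 stay literal).
SAMPLE_TRACE = r"""1bd8;SYSCALL:0x36
    Arg[0] = 0
    Arg[1] = ptr 0x000000a18caff860 -> {\x00\x00\x00\x00\x00\x00\x00\x00}
    Arg[2] = 0x0000000000000040 = 64
    Arg[3] = ptr 0x000000a18caff8a0 -> {\x00\x00\x00\x00\x00\x00\x00\x00}
"""


@dataclass(frozen=True)
class ParamEntry:
    module: str   # DLL name, or SYSCALL_MARKER
    target: str   # exported function name, or the syscall number as written (hex)
    argc: int     # how many arguments tiny_tracer should dump

    @property
    def is_syscall(self) -> bool:
        return self.module == SYSCALL_MARKER

    @property
    def syscall_number(self) -> int:
        if not self.is_syscall:
            raise ValueError(f"{self.module};{self.target} is not a syscall entry")
        return int(self.target, 16)


def parse_params(text: str) -> list[ParamEntry]:
    """Parse module;function;argc and <SYSCALL>;0xNN;argc lines.
    Skipping blank lines and '#' comments is an assumption of this example."""
    entries: list[ParamEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(";")]
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"params line {lineno}: expected 3 ';'-separated fields: {raw!r}")
        module, target, argc = parts
        if not argc.isdigit():
            raise ValueError(f"params line {lineno}: argc must be a decimal integer: {raw!r}")
        if module == SYSCALL_MARKER and not re.fullmatch(r"0x[0-9A-Fa-f]+", target):
            raise ValueError(f"params line {lineno}: syscall number must look like 0x36: {raw!r}")
        entries.append(ParamEntry(module, target, int(argc)))
    return entries


TRACE_HEADER = re.compile(r"^(?P<tid>[0-9A-Fa-f]+);SYSCALL:(?P<num>0x[0-9A-Fa-f]+)\s*$")
TRACE_ARG = re.compile(r"^\s+Arg\[(?P<idx>\d+)\] = (?P<val>.*?)\s*$")


@dataclass
class SyscallRecord:
    tid: int                                       # thread id from the trace line
    number: int                                    # syscall number
    args: list[str] = field(default_factory=list)  # argument values exactly as printed


def parse_trace(text: str) -> list[SyscallRecord]:
    """Collect SYSCALL lines and the indented Arg[i] lines that follow each of them."""
    records: list[SyscallRecord] = []
    current: SyscallRecord | None = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if (m := TRACE_HEADER.match(raw)):
            current = SyscallRecord(int(m["tid"], 16), int(m["num"], 16))
            records.append(current)
        elif (m := TRACE_ARG.match(raw)) and current is not None:
            if int(m["idx"]) != len(current.args):
                raise ValueError(f"trace line {lineno}: Arg index out of sequence: {raw!r}")
            current.args.append(m["val"])
        else:
            current = None   # assumption: any other line ends the current syscall block
    return records


def check_trace(entries: list[ParamEntry], records: list[SyscallRecord]) -> list[tuple[int, int, int]]:
    """Return (syscall_number, expected_argc, dumped_argc) for every record whose
    dumped argument count disagrees with params.txt. A syscall without a
    <SYSCALL> entry is expected to have no arguments dumped at all."""
    argc_by_number = {e.syscall_number: e.argc for e in entries if e.is_syscall}
    problems = []
    for rec in records:
        expected = argc_by_number.get(rec.number, 0)
        if expected != len(rec.args):
            problems.append((rec.number, expected, len(rec.args)))
    return problems


if __name__ == "__main__":
    entries = parse_params(SAMPLE_PARAMS)
    records = parse_trace(SAMPLE_TRACE)
    for rec in records:
        print(f"tid {rec.tid:x} syscall {rec.number:#x} args={rec.args}")
    print("mismatches:", check_trace(entries, records))
```

Running the script against the two excerpts prints one record (thread 1bd8, syscall 0x36, four arguments) and an empty mismatch list; feeding it a params.txt that asks for only two arguments for 0x36 makes `check_trace` report `(0x36, 2, 4)`, which is the kind of sanity check worth running after editing params.txt.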
hasherezade commented 2 years ago

Looks good, thank you! Regarding the separate files - for now I think there is no need, it can all be in one. But I will test it in more detail in the upcoming weekend, and think about it.