Closed hxnoyd closed 1 year ago
Hi! I am gonna check it... A few questions: 1) Are you sure that the application uses direct syscalls, called from the main module? If it uses them via a DLL, they won't be included in the log. 2) Are you sure that the execution path that you deployed uses direct syscalls?
OK, I checked it and I see what the reason is. The syscalls are actually called via NTDLL. This is the part of the code responsible for the syscall implementation:
https://github.com/fortra/nanodump/blob/main/source/syscalls-asm.asm
example:
NtOpenProcess PROC
    mov [rsp+8], rcx            ; spill the four register arguments to the shadow space
    mov [rsp+16], rdx
    mov [rsp+24], r8
    mov [rsp+32], r9
    mov rcx, 0CD9B2A0Fh         ; hash identifying the function to resolve
    push rcx
    sub rsp, 028h
    call SW3_GetSyscallAddress  ; resolve the address of a syscall instruction inside NTDLL
    add rsp, 028h
    pop rcx
    push rax                    ; keep that address
    sub rsp, 028h
    call SW2_GetSyscallNumber   ; resolve the syscall number (returned in eax)
    add rsp, 028h
    pop r11                     ; r11 = address of the syscall instruction in NTDLL
    mov rcx, [rsp+8]            ; restore the arguments
    mov rdx, [rsp+16]
    mov r8, [rsp+24]
    mov r9, [rsp+32]
    mov r10, rcx
    jmp r11                     ; jump into NTDLL, where the syscall instruction executes
NtOpenProcess ENDP
While the syscall is extracted in the main application, it isn't called from the main application. Actually, the jmp r11 redirects the execution to NTDLL.
Step 1 - in the main application:
Step 2 - in the NTDLL (where the syscall is actually called):
This is how it looks in the tracelog:
Long story short - it is not a bug in the tracer, because the tracer is supposed to log the syscalls only from the module that is under observation.
I'm trying to use Tiny Tracer to trace Nanodump (https://github.com/fortra) syscalls, but with no success.
For example, I'm trying to trace NtCreateFile, used to write the dump on disk, using the following in params.txt:
My TinyTracer.ini has TRACE_SYSCALL=True:
When running nanodump, the nanodump.x64.exe.tag file does not seem to be tracing the syscall:
I'm probably doing something wrong. Could you give me some hints?
Thanks in advance!