hasherezade / tiny_tracer

A Pin Tool for tracing API calls etc

Crash on dumping parameters #38

Closed hasherezade closed 1 year ago

hasherezade commented 1 year ago

Test case

Issue

When dumping of the parameters is selected, the produced trace is incomplete.

Using the default params.txt:

kernel32;LoadLibraryW;1
kernel32;LoadLibraryA;1
kernel32;GetProcAddress;2
advapi32;RegQueryValueW;3
kernel32;CreateFileW;6

The end of the tracelog:

17710;msvcrt.__iob_func
17610;msvcrt.fflush
15492;kernel32.GetCurrentProcess
d479;kernel32.LoadLibraryA

When LoadLibraryA is removed from params.txt, the tracelog continues. Example:

175f0;msvcrt.fwrite
17710;msvcrt.__iob_func
17610;msvcrt.fflush
15492;kernel32.GetCurrentProcess
d479;kernel32.LoadLibraryA
d480;kernel32.GetProcAddress
13ad8;called: ?? [15440000+5c]
> 15440000+6e;SYSCALL:0x50(NtProtectVirtualMemory)
> 15440000+70;nim.[unnamedImageEntryPoint+125ee]*
13b09;called: ?? [15440000+2e]
[...]

Possible crash on dumping parameters of LoadLibraryA.

hasherezade commented 1 year ago

After the fix, the parameters were successfully traced:

17710;msvcrt.__iob_func
17610;msvcrt.fflush
15492;kernel32.GetCurrentProcess
d479;kernel32.LoadLibraryA
LoadLibraryA:
    Arg[0] = ptr 0x00000000160d25a0 -> "amsi"

d480;kernel32.GetProcAddress
GetProcAddress:
    Arg[0] = ptr 0x00007ffd17580000 -> {MZ\x90\x00\x03\x00\x00\x00}
    Arg[1] = ptr 0x00000000160d25d0 -> "AmsiScanBuffer"

13ad8;called: ?? [16970000+5c]
> 16970000+6e;SYSCALL:0x50(NtProtectVirtualMemory)
> 16970000+70;nim_sample.[unnamedImageEntryPoint+125ee]*
13b09;called: ?? [16970000+2e]
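The two comments above show the three line shapes tiny_tracer emits around a traced call (the "offset;module.function" call line, the "Function:" header and the indented "Arg[n] = ptr 0x... -> deref" lines), plus the "module;function;argcount" entries of params.txt that request the dump. The script below is an added example, not code from the tiny_tracer project: it parses both formats as they appear in this issue (the field layout is assumed from these samples only), attaches each Arg line to the call it belongs to, and flags the symptom reported here, a trace that ends on a call listed in params.txt whose arguments never got dumped. The sample inputs are the params.txt and the two log excerpts from this issue.

```python
"""Parse tiny_tracer params.txt and .tag trace output; flag a trace that stops
at a call whose parameters should have been dumped.

Added example, not tiny_tracer's own code. Line formats are assumed from the
samples in this issue:
  params.txt : module;function;argcount
  trace      : offset;module.function   (prefixed "> " inside a traced region)
               Function:                (header for the preceding call line)
                   Arg[n] = ptr 0x... -> deref
"""
import re
from dataclasses import dataclass, field

PARAM_RE = re.compile(r"^(?P<module>[^;]+);(?P<func>[^;]+);(?P<argc>\d+)$")
CALL_RE = re.compile(
    r"^(?P<nested>>\s*)?(?P<offset>[0-9a-fA-F]+(?:\+[0-9a-fA-F]+)?);(?P<target>.+)$"
)
ARG_RE = re.compile(
    r"^\s+Arg\[(?P<idx>\d+)\]\s*=\s*(?:(?P<kind>[a-z]+)\s+)?(?P<value>0x[0-9a-fA-F]+)"
    r"(?:\s*->\s*(?P<deref>.*))?$"
)


@dataclass
class Call:
    offset: str                # RVA or "base+offset" as printed by the tracer
    target: str                # "kernel32.LoadLibraryA", "SYSCALL:0x50(...)", ...
    nested: bool = False       # line carried the "> " prefix
    args: list = field(default_factory=list)  # (index, kind, value, deref)

    def key(self):
        """(module, function) as keyed in params.txt; None for syscalls/unnamed targets."""
        module, sep, func = self.target.partition(".")
        return (module.lower(), func) if sep else None


def parse_params(text):
    """params.txt -> {(module, function): expected argument count}."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = PARAM_RE.match(line)
        if not m:
            raise ValueError(f"bad params.txt line: {line!r}")
        params[(m["module"].lower(), m["func"])] = int(m["argc"])
    return params


def parse_trace(text):
    """Trace text -> list of Call, with Arg lines attached to the call they follow."""
    calls = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = ARG_RE.match(raw)
        if m:
            if not calls:
                raise ValueError("argument dump before any call line")
            calls[-1].args.append((int(m["idx"]), m["kind"], int(m["value"], 16), m["deref"]))
            continue
        stripped = raw.strip()
        if stripped.endswith(":") and ";" not in stripped:
            # "LoadLibraryA:" header must name the call line just before it
            if not calls or not calls[-1].target.endswith("." + stripped[:-1]):
                raise ValueError(f"orphan parameter header: {stripped!r}")
            continue
        m = CALL_RE.match(stripped)
        if m:
            calls.append(Call(m["offset"], m["target"], bool(m["nested"])))
        # anything else (e.g. "[...]") is ignored
    return calls


def suspect_truncated(params, calls):
    """Return the final call if it is a params.txt entry whose arguments were never
    dumped, i.e. the trace stopped exactly where parameter dumping should have run."""
    if not calls:
        return None
    last = calls[-1]
    expected = params.get(last.key())
    if expected is not None and len(last.args) < expected:
        return last
    return None


def dumped_strings(calls):
    """Flatten every dereferenced argument into (target, index, deref) for review."""
    return [(c.target, i, d) for c in calls for (i, _, _, d) in c.args if d is not None]


# Sample inputs taken from this issue (params.txt and the two log excerpts).
PARAMS_TXT = """\
kernel32;LoadLibraryW;1
kernel32;LoadLibraryA;1
kernel32;GetProcAddress;2
advapi32;RegQueryValueW;3
kernel32;CreateFileW;6
"""

TRACE_BROKEN = """\
17710;msvcrt.__iob_func
17610;msvcrt.fflush
15492;kernel32.GetCurrentProcess
d479;kernel32.LoadLibraryA
"""

TRACE_FIXED = r"""17710;msvcrt.__iob_func
17610;msvcrt.fflush
15492;kernel32.GetCurrentProcess
d479;kernel32.LoadLibraryA
LoadLibraryA:
    Arg[0] = ptr 0x00000000160d25a0 -> "amsi"

d480;kernel32.GetProcAddress
GetProcAddress:
    Arg[0] = ptr 0x00007ffd17580000 -> {MZ\x90\x00\x03\x00\x00\x00}
    Arg[1] = ptr 0x00000000160d25d0 -> "AmsiScanBuffer"

13ad8;called: ?? [16970000+5c]
> 16970000+6e;SYSCALL:0x50(NtProtectVirtualMemory)
> 16970000+70;nim_sample.[unnamedImageEntryPoint+125ee]*
13b09;called: ?? [16970000+2e]
"""

if __name__ == "__main__":
    params = parse_params(PARAMS_TXT)
    for name, text in (("broken", TRACE_BROKEN), ("fixed", TRACE_FIXED)):
        calls = parse_trace(text)
        cut = suspect_truncated(params, calls)
        print(f"{name}: {len(calls)} calls, suspect cut at: {cut.target if cut else 'none'}")
    for target, idx, deref in dumped_strings(parse_trace(TRACE_FIXED)):
        print(f"  {target} arg{idx} -> {deref}")
```

Run against the broken excerpt it reports kernel32.LoadLibraryA as the call the trace died on; against the fixed excerpt it reports no cut and lists the "amsi" / "AmsiScanBuffer" strings that the GetProcAddress dump reveals, which is what makes the parameter dump worth having in the first place.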