hasherezade / tiny_tracer

A Pin Tool for tracing API calls etc

Is there a way to add custom arguments? #9

Closed Ou7law007 closed 3 years ago

Ou7law007 commented 3 years ago

My sample uses ntdll routines, hence most string arguments are passed as UNICODE_STRINGs, as always, which show up as pointers, which is not helpful.

I can't attach a debugger and inspect memory unfortunately. Actually I can inspect memory but I can't pause the process at a function call.

Another solution that I'm working on right now is just to inject a DLL at start and hook the functions. But if tiny_tracer could detect UNICODE_STRING args, that would be awesome.

hasherezade commented 3 years ago

Currently, there is no possibility to dump structures, such as UNICODE_STRING. But there is a possibility to dump a hexadecimal buffer of a defined length. So, it can be used as a workaround to still preview those strings (if they are in a contiguous block of memory, which is often the case).
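To make use of that workaround, the analyst has to decode the raw bytes of the UNICODE_STRING header by hand and then look up the string at the Buffer pointer. The following is an added example (not part of tiny_tracer or this thread) that does exactly that for a dumped header and a set of dumped memory regions; all addresses and contents are constructed sample values.

```python
import struct

# UNICODE_STRING layout: USHORT Length; USHORT MaximumLength; PWSTR Buffer.
# On x64 there are 4 bytes of padding before the 8-byte pointer (16 bytes total);
# on x86 the pointer follows immediately (8 bytes total).
UNICODE_STRING_X64 = struct.Struct("<HH4xQ")
UNICODE_STRING_X86 = struct.Struct("<HHI")


def parse_unicode_string(raw: bytes, bits: int = 64):
    """Decode the header bytes of a dumped UNICODE_STRING.
    Returns (Length in bytes, MaximumLength in bytes, Buffer virtual address)."""
    fmt = UNICODE_STRING_X64 if bits == 64 else UNICODE_STRING_X86
    if len(raw) < fmt.size:
        raise ValueError(f"need {fmt.size} bytes of header, got {len(raw)}")
    length, maxlen, buf = fmt.unpack_from(raw)
    # Sanity checks: Length never exceeds MaximumLength and is always even (UTF-16).
    if length > maxlen or length % 2:
        raise ValueError("inconsistent Length/MaximumLength, probably not a UNICODE_STRING")
    return length, maxlen, buf


def read_string(header_raw: bytes, memory: dict, bits: int = 64) -> str:
    """Resolve Buffer against dumped regions given as {base_va: bytes}.
    A UNICODE_STRING is not NUL-terminated: exactly Length bytes are the text,
    so a terminator-based dump would be wrong for strings that lack one."""
    length, _, buf = parse_unicode_string(header_raw, bits)
    for base, data in memory.items():
        if base <= buf and buf + length <= base + len(data):
            off = buf - base
            return data[off:off + length].decode("utf-16-le")
    raise LookupError(f"Buffer 0x{buf:x} is not inside any dumped region")


# Constructed sample: a path as an NT kernel routine would receive it (hypothetical).
SAMPLE_TEXT = "\\??\\C:\\Temp\\sample.txt"
SAMPLE_ENCODED = SAMPLE_TEXT.encode("utf-16-le")
SAMPLE_BUFFER_VA = 0x000001E2_3C40_1000          # hypothetical heap address
SAMPLE_HEADER = UNICODE_STRING_X64.pack(
    len(SAMPLE_ENCODED), len(SAMPLE_ENCODED) + 2, SAMPLE_BUFFER_VA)
# The dumped region starts 0x10 bytes before the buffer and has a trailing terminator.
SAMPLE_MEMORY = {SAMPLE_BUFFER_VA - 0x10: b"\x00" * 0x10 + SAMPLE_ENCODED + b"\x00\x00"}

if __name__ == "__main__":
    print(parse_unicode_string(SAMPLE_HEADER))
    print(read_string(SAMPLE_HEADER, SAMPLE_MEMORY))
```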

Ou7law007 commented 3 years ago

Mind telling me how?

Although, I can't know what length a string is before it's defined. Does it not work with null-terminated strings?

A UNICODE_STRING argument should be added, I think, since UNICODE_STRINGs are so common among malware.

Ou7law007 commented 3 years ago

I created a pull request: https://github.com/hasherezade/tiny_tracer/pull/10. Have a look!

hasherezade commented 3 years ago

@Ou7law007 - thanks, it works fine! I checked it and responded to you. Please clean it up to follow the project's conventions and I will merge it.