Tracing defined local functions

In case if you want to trace a functions that are statically linked, or otherwise local to the traced module, you can provide an additional file defining those functions.

The function definitions file

The file must be located in the same directory as the one where the TAG file will be stored. It needs to have be named by the following pattern: [traced_module_name].func.csv.

It must contain the list of functions defined as: the function RVA, and the custom name.

[RVA],[func_name]

The compatible functions list can be generated from IDB, using IDA_IFL plugin.

Example:

Traced module name: SparkLauncher.dll. Functions definitions name: SparkLauncher.dll.func.csv. Content:

ce80,decrypt_string

If the file exists in the expected location, it will be loaded automatically at the tracer start. You can notice how many functions were added by the initialization message printed by TinyTracer, for example:

Custom definitions: 1

Whenever the defined function is called, the call will be listed in the tracelog (the TAG file).

Tracing arguments of the local functions

Once the custom functions are defined, we can use their names just as we would use the exported names of modules.

For example, we can further trace their arguments, by adding them to the params list, in the same way as we would do with the exported APIs.

Example:

Add to the params.txt:

SparkLauncher;decrypt_string;1

Tiny Tracer Wiki, by hasherezade

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Tracing defined local functions

The function definitions file

Tracing arguments of the local functions

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Clone this wiki locally