Tracing syscalls
hasherezade edited this page Mar 20, 2023
Tracing syscalls can be enabled in `TinyTracer.ini` by setting:

```ini
TRACE_SYSCALL=True
```

Analogously, it can be disabled by:

```ini
TRACE_SYSCALL=False
```

Tracing parameters of selected syscalls can be enabled similarly to tracing parameters of functions.
In order to enable this option, you need to:

- Create a list of syscalls that you want to watch, in the following format:

```
<SYSCALL>;[syscall number];[params_count]
```

Example:

```
<SYSCALL>;0x36;4
<SYSCALL>;0x20;2
```

- Append it to the same file that is used to watch parameters of functions, i.e. `params.txt`.
Note that if the syscalls table is loaded, syscall parameters can also be traced by the corresponding function's name.

Example `params.txt`:

```
ntdll;NtSetInformationThread;4
<SYSCALL>;0x19;4
```
Fragment of the tracelog generated with the above settings:

```
[...]
7605;SYSCALL:0xd(NtSetInformationThread)
NtSetInformationThread:
	Arg[0] = 0xfffffffffffffffe = 18446744073709551614
	Arg[1] = 0x0000000000000011 = 17
	Arg[2] = 0
	Arg[3] = 0
75c1;SYSCALL:0x19(NtQueryInformationProcess)
SYSCALL:0x19:
	Arg[0] = 0xffffffffffffffff = 18446744073709551615
	Arg[1] = 0x0000000000000007 = 7
	Arg[2] = ptr 0x000000f6befcf690 -> {\x00\x00\x00\x00\x00\x00\x00\x00}
	Arg[3] = 0x0000000000000004 = 4
[...]
```
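The following is an added example, not part of TinyTracer itself: a small Python helper that builds and validates `params.txt` syscall entries in the `<SYSCALL>;[syscall number];[params_count]` format described above, and parses the `SYSCALL:` records and their `Arg[n]` lines out of a tracelog like the fragment shown. It assumes only the line shapes visible on this page (the offset-prefixed `SYSCALL:` line, an optional resolved name in parentheses, and `Arg[n] = ...` lines with hex, decimal or `ptr` values); the sample log embedded below is constructed from the fragment above. The `as_signed64` helper exists because the log prints argument values unsigned, while handle arguments such as the `0xff..fe` / `0xff..ff` seen above are more readable as the signed values -2 and -1.

```python
"""Helpers for TinyTracer syscall tracing (added example, not TinyTracer code).

Assumed input formats (taken from the wiki page):
  params.txt entry:  <SYSCALL>;0x19;4   or   ntdll;NtSetInformationThread;4
  tracelog record:   75c1;SYSCALL:0x19(NtQueryInformationProcess)
                     SYSCALL:0x19:            <- label line, skipped
                         Arg[0] = 0xffffffffffffffff = 18446744073709551615
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SYSCALL_TAG = "<SYSCALL>"


@dataclass
class ParamsEntry:
    module: str        # "<SYSCALL>" or a DLL name such as "ntdll"
    name: str          # hex syscall number ("0x19") or exported function name
    params_count: int  # how many arguments TinyTracer should dump


def make_syscall_entry(number: int, params_count: int) -> str:
    """Render one params.txt line watching a syscall by number."""
    return f"{SYSCALL_TAG};{number:#x};{params_count}"


def parse_params_line(line: str) -> ParamsEntry:
    """Parse and validate one params.txt line (syscall or function entry)."""
    parts = line.strip().split(";")
    if len(parts) != 3:
        raise ValueError(f"expected 3 ';'-separated fields: {line!r}")
    module, name, count = parts
    if module == SYSCALL_TAG:
        int(name, 16)  # syscall entries must carry a hex number; raises if not
    return ParamsEntry(module, name, int(count, 10))


@dataclass
class Arg:
    value: int
    is_ptr: bool  # True for "ptr 0x... -> {...}" lines


@dataclass
class SyscallRecord:
    offset: int          # RVA printed before ';' (e.g. 0x75c1)
    number: int          # syscall number (e.g. 0x19)
    name: Optional[str]  # resolved name, if the syscalls table was loaded
    args: List[Arg] = field(default_factory=list)


# "75c1;SYSCALL:0x19(NtQueryInformationProcess)" -> offset, number, optional name
SYSCALL_RE = re.compile(r"^([0-9a-fA-F]+);SYSCALL:(0x[0-9a-fA-F]+)(?:\((\w+)\))?$")
# "Arg[2] = ptr 0x000000f6befcf690 -> {...}" -> index, raw value text
ARG_RE = re.compile(r"^\s*Arg\[(\d+)\]\s*=\s*(.*)$")


def parse_arg_value(raw: str) -> Arg:
    """Take the first numeric token; 'ptr' marks a dereferenced pointer."""
    tokens = raw.strip().split()
    is_ptr = tokens[0] == "ptr"
    token = tokens[1] if is_ptr else tokens[0]
    value = int(token, 16) if token.lower().startswith("0x") else int(token, 10)
    return Arg(value=value, is_ptr=is_ptr)


def as_signed64(value: int) -> int:
    """Reinterpret an unsigned 64-bit value as signed (handles print as -1/-2)."""
    return value - (1 << 64) if value >= (1 << 63) else value


def parse_tracelog(text: str) -> List[SyscallRecord]:
    """Collect SYSCALL records and attach the Arg[n] lines that follow each."""
    records: List[SyscallRecord] = []
    current: Optional[SyscallRecord] = None
    for line in text.splitlines():
        m = SYSCALL_RE.match(line.strip())
        if m:
            current = SyscallRecord(int(m.group(1), 16), int(m.group(2), 16), m.group(3))
            records.append(current)
            continue
        m = ARG_RE.match(line)
        if m and current is not None:
            current.args.append(parse_arg_value(m.group(2)))
    return records


# Constructed sample: the tracelog fragment from this wiki page.
SAMPLE_TRACELOG = r"""[...]
7605;SYSCALL:0xd(NtSetInformationThread)
NtSetInformationThread:
	Arg[0] = 0xfffffffffffffffe = 18446744073709551614
	Arg[1] = 0x0000000000000011 = 17
	Arg[2] = 0
	Arg[3] = 0
75c1;SYSCALL:0x19(NtQueryInformationProcess)
SYSCALL:0x19:
	Arg[0] = 0xffffffffffffffff = 18446744073709551615
	Arg[1] = 0x0000000000000007 = 7
	Arg[2] = ptr 0x000000f6befcf690 -> {\x00\x00\x00\x00\x00\x00\x00\x00}
	Arg[3] = 0x0000000000000004 = 4
[...]"""

if __name__ == "__main__":
    print(make_syscall_entry(0x19, 4))
    for rec in parse_tracelog(SAMPLE_TRACELOG):
        shown = [hex(a.value) if a.is_ptr else as_signed64(a.value) for a in rec.args]
        print(f"{rec.offset:x} {rec.name or hex(rec.number)} {shown}")
```

Running the script prints one line per syscall record with the handle arguments shown signed, so the first argument of both records reads as -2 (the calling thread) and -1 (the calling process) rather than as 20-digit unsigned values. The label line that TinyTracer prints under each record (`NtSetInformationThread:` or `SYSCALL:0x19:`, depending on whether the entry was listed by name or by number) matches neither pattern and is skipped deliberately.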