NativeInstructionTracer

The NativeInstructionTracer’s purpose is to centralize a means of simple stalking. You can specify what types of instructions to return back, and they will be returned in a python class object to help with analysis.

Instruction Tracer

class revenge.techniques.tracer.NativeInstructionTracer(process, from_modules=None, call=False, ret=False, exec=False, block=False, compile=False, callback=None, exclude_ranges=None, include_function=None)

Bases: revenge.techniques.Technique

Parameters

• process – Base process instantiation

• from_modules (list, optional) – Restrict trace returns to those that start from one of the listed modules.

• call (bool, optional) – Trace calls

• ret (bool, optional) – Trace rets

• exec (bool, optional) – Trace all instructions

• block (bool, optional) – Trace blocks

• compile (bool, optional) – Trace on Frida instruction compile

• callback (callable, optional) – Callable to call with list of new instructions as they come in. First arg will be the thread id.

• exclude_ranges (list, optional) – [low, high] range pairs to exclude any trace items from.

• include_function (optional) – resolvable function name or memorybytes object. starts tracing when function is entered and stops tracing when function is exited (call/ret)

Examples

#
# Trace all instructions in process except for those in a given range
# Apply this to the entire program execution
#

trace = process.techniques.NativeInstructionTracer(exec=True, exclude_ranges=[[0x12345, 0x424242]])

# Apply this to the whole program and run
trace.apply()
process.memory[process.entrypoint].breakpoint = False

# Print out the trace
print(trace)

#
# Trace only blocks starting from a given function call downwards.
# Utilize this technique only on a specific call, rather than full program execution
#

trace = process.techniques.NativeInstructionTracer(exec=True, include_function='my_func')
# or
my_func = process.memory['my_func']
trace = process.techniques.NativeInstructionTracer(exec=True, include_function=my_func)

my_func(1,2,3, techniques=trace)

# Trace object should be populated now
print(trace)

TYPE = 'stalk'

apply(threads=None)

Applies this technique, optionally to the given threads.

remove()

Removes this technique.

Trace

class revenge.techniques.tracer.Trace(process, tid, script, callback=None)

Bases: object

append(item)

stop()

Stop tracing.

wait_for(address)

Don’t return until the given address is hit in the trace.

Trace Item

class revenge.techniques.tracer.TraceItem(process, item)

Bases: object

property type