NativeInstructionTracer¶
The NativeInstructionTracer
’s purpose is to centralize a means of simple
stalking. You can specify what types of instructions to return back, and they
will be returned in a python class object to help with analysis.
Instruction Tracer¶
-
class
revenge.techniques.tracer.
NativeInstructionTracer
(process, from_modules=None, call=False, ret=False, exec=False, block=False, compile=False, callback=None, exclude_ranges=None, include_function=None)[source]¶ Bases:
revenge.techniques.Technique
- Parameters
process – Base process instantiation
from_modules (list, optional) – Restrict trace returns to those that start from one of the listed modules.
call (bool, optional) – Trace calls
ret (bool, optional) – Trace rets
exec (bool, optional) – Trace all instructions
block (bool, optional) – Trace blocks
compile (bool, optional) – Trace on Frida instruction compile
callback (callable, optional) – Callable to call with list of new instructions as they come in. First arg will be the thread id.
exclude_ranges (list, optional) – [low, high] range pairs to exclude any trace items from.
include_function (optional) – resolvable function name or memorybytes object. starts tracing when function is entered and stops tracing when function is exited (call/ret)
Examples
# # Trace all instructions in process except for those in a given range # Apply this to the entire program execution # trace = process.techniques.NativeInstructionTracer(exec=True, exclude_ranges=[[0x12345, 0x424242]]) # Apply this to the whole program and run trace.apply() process.memory[process.entrypoint].breakpoint = False # Print out the trace print(trace) # # Trace only blocks starting from a given function call downwards. # Utilize this technique only on a specific call, rather than full program execution # trace = process.techniques.NativeInstructionTracer(exec=True, include_function='my_func') # or my_func = process.memory['my_func'] trace = process.techniques.NativeInstructionTracer(exec=True, include_function=my_func) my_func(1,2,3, techniques=trace) # Trace object should be populated now print(trace)
-
TYPE
= 'stalk'¶