An introduction to DBI with PIN and TinyTracer.
TinyTracer Wiki
github.com/hasherezade/tiny_tracer/wiki
Dynamic Binary Instrumentation Frameworks: I know you're there spying on me (PDF)
https://www.coresecurity.com/sites/default/files/private-files/publications/2016/05/corelabs-FalconRiva_2012.pdf
Pwning Intel piN Why DBI is unsuitable for security applications (PDF)
https://kirschju.re/docs/kirsch-2018-pwning-intel-pin.pdf
In this lab we use the TinyTracer PINTool to replicate the tracing techniques we covered in the previous labs without requiring a debugger.
The lab4.exe binary implements the same algorithm found in the first lab however there are some additional anti-debug checks that will prevent API tracing with x64dbg.
Open lab4.exe in x64dbg and run to observe the anti-debug message.
Ensure TinyTracer is installed and configured as detained in the Tooling Setup section of this lab manual.
Run lab4.exe with TinyTracer by right clicking on the binary and selecting Run with PIN (TinyTracer).
The trace may take a few minutes to complete but once completed TinyTracer will write a .tab file in the same directory as the target binary with the same name as the target binary.
Open the .tab trace file and inspect the API calls that have been logged. Arguments can be logged for specific calls by updating the params.txt configuration file in the TinyTracer directory.
Add the module, API name, and number of arguments separated by ; for each API that you wish to log arguments. For example, kernel32;LoadLibraryW;1
What are the anti-debug tricks used in the binary? You can use this site as a reference for different checks: https://anti-debug.checkpoint.com/
What is the file path check?