InjectionTracer
InjectionTracer is a PIN tool that aims to help the analysis of malware that uses process injection. It allows you to:
- Understand rapidly the injection technique used, by looking at the Windows API involved.
- Stop the execution before the remote thread is executed, and put a breakpoint on the entrypoint.
- Automatically dump the injected code and fix PE Image on disk (ImageBase and Section Alignment).
Installation
To install this tool you will need to download first:
- Visual Studio (also community edition is ok). Make sure to have C++ Windows development kit
- Intel PIN > 3.19 (you can download it from HERE)
Then simply follow those 5 steps:
- Extract the zip containing IntelPIN inside C:\ and rename it to "pin" so that you should have the pin executable at C:\pin\pin.exe
- Move into C:\pin\source\tools and clone the repo.
- Open the file C:\pin\source\tools\InjectionTracer\InjectionTracer.sln with Visual Studio.
- Build the project in Release mode, both x86 and x64.
If everything is ok, you should find InjectionTracer.dll inside C:\pin\source\tools\InjectionTracer\Release and C:\pin\source\tools\InjectionTracer\x64\Release
- Double click on "addContextMenu.reg" file inside the Runner folder
Now you should find the context menu when you do a right click on an executable or a DLL.
