hasherezade / tiny_tracer

A Pin Tool for tracing API calls etc


Possible false positive origins of "calls"

Dump-GUY opened this issue · comments

I found some wrong RVA origins of calls traced in .tag. I found out that many traced APIs saved in the .tag file have an RVA origin in many assembler instructions (not call), like mov, push... So I can't figure out where the problem is... The code is not self-modifying and also not packed...
I used Pin version 3.15, Tiny Tracer 1.3.2 and compiled it in Visual Studio 2019. Tested on Win7 Pro 64-bit.
Tested sample: RemcosRAT - pass:infected (https://www105.zippyshare.com/v/FGP4Yhw5/file.html) ; dd488af61f792c89265fd783f3ec4a18

[Screenshot: bookmarks_showing_not_call_origins2]

[Screenshot: bookmarks_showing_not_call_origins]

After some tests, Win 10 64-bit 1909 produced the same results as on Win7 64-bit. But I tested other samples, and from 15 samples there was only an issue with the RemcosRAT (link included before), where, as I said, all origins of real calls/jmps are resolved right; only a few other assembler instructions are wrong... But this was reproducible only with the RemcosRAT sample. I also tried to compile it on Win7 64-bit with the same results. It would probably be some Pin issue relevant to a rare sample.

Thank you for reporting. I spent full day trying to debug it and making experiments.
First I tried to reproduce it on my main machine, using different VMs: Windows 7 32 bit, and Windows 10 64 bit - but I got clean traces:

  1. The trace from Windows 7
  2. The trace from Windows 10

Then, after many attempts, I found a machine where I managed to reproduce it (Windows 7 32 bit, real machine). The glitches are consistent with what you observed, so I can rather exclude concurrency issues from possible reasons.

Also, I used exactly the same package (PIN + Tiny Tracer), the same builds, on both machines, and on one it was working well, but not on the other. Interestingly, the results from the same physical machine seem to be the same, no matter what VMs we are using. So maybe it is related to how PIN handles some differences in a processor?

For now I am catching up with my work to meet some close deadlines, but once I am done, I will dig through it again.

It seems that it is fixed now. Feel free to close this issue if you think all tests are passed. Thank you for your contribution in improving TinyTracer!