Tracing defined local functions
If you want to trace functions that are statically linked, or otherwise local to the traced module, you can provide an additional file defining those functions.
The file must be located in the same directory as the one where the TAG file will be stored. It needs to be named by the following pattern: `[traced_module_name].func.csv`.

It must contain the list of functions, each defined as the function RVA and the custom name:

```
[RVA],[func_name]
```

A compatible functions list can be generated from an IDB using the IDA_IFL plugin.
Example:

Let's say we want to trace the local function `decrypt_string`. The module name is `SparkLauncher.dll`, so first we need to create a file with definitions, named `SparkLauncher.dll.func.csv`.

Content:

```
ce80,decrypt_string
```

We follow the tracing in the typical way. If the file exists in the expected location, it will be loaded automatically when the tracer starts. You can see how many functions were added in the initialization message printed by TinyTracer, for example:

```
Custom definitions: 1
```
Whenever the defined function is called, the call will be listed in the tracelog (the TAG file).

Example:

```
[...]
d321;kernel32.GetProcessHeap
d332;ntdll.RtlAllocateHeap
3781;kernel32.GetProcessHeap
378f;kernel32.HeapFree
ce80;decrypt_string
158d;kernel32.CreateFileW
[...]
```
Once the custom functions are defined, we can use their names just as we would use the exported names of modules. For example, we can further trace their arguments by adding them to the params list, in the same way as we would do with the exported APIs.

Example: add to `params.txt`:

```
SparkLauncher;decrypt_string;1
```
Sample results when tracing the function's input and output:

```
d321;kernel32.GetProcessHeap
d332;ntdll.RtlAllocateHeap
3781;kernel32.GetProcessHeap
378f;kernel32.HeapFree
ce80;decrypt_string
decrypt_string:
	Arg[0] = ptr 0x00007ff8a01dcc20 -> {\x10\xc4\xcd_\xff\x847\x93}
decrypt_string changed:
	Arg[0] = ptr 0x00007ff8a01dcc20 -> {\x00CreateF}
decrypt_string returned:
	ptr 0x00007ff8a01dcc21 -> "CreateFileW"
158d;kernel32.CreateFileW
```