Tracing The Pain Away Introduction (Patreon)
Tooling Setup
To complete the labs you will need the following setup.
A Windows VM running at least Windows 10 (64-bit) 20H1; later 64-bit versions of Windows, including Windows 11, are also acceptable.
A copy of IDA installed; IDA Free will work fine if you don't have a license.
https://hex-rays.com/ida-free/
A copy of x64dbg installed, at least a release from July 2024 or later.
https://x64dbg.com/
Build and install TinyTracer (you can simply drop the attached pin directory into your c:\, just do not distribute it please).
Install and configure DTrace (requires a reboot).
https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace#installing-dtrace-under-windows
A Note About Malware Analysis
All of the tutorial binaries are benign, though they may still trigger anti-malware protections. We strongly advise the following precautions when working with all lab binaries.
Ensure your VM contains no personal information or valuable files that are not disposable; this VM is for malware analysis and should be completely disposable.
Take a snapshot of your VM before each lab; you can always revert if you run into trouble.
Keep the downloaded lab binaries in their ZIP containers until they are moved inside your VM. The password for the ZIP files is infected.
Disable anti-malware protections in your VM prior to extracting the lab binaries. Remember this is a disposable VM used for malware analysis.
Disable networking and shared folders for your VM before running any malware.
TinyTracer Setup
PIN is not redistributable, which means TinyTracer should be built from source. There is a very good build tutorial on GitHub here: https://github.com/hasherezade/tiny_tracer/wiki/Installation#on-windows.
If you already have a copy of the built TinyTracer you can follow the installation instructions here: https://github.com/hasherezade/tiny_tracer/wiki/Installation#how-to-install.
We strongly recommend building from c:\pin so that the entire directory can simply be copied to the c:\ drive on your VM.
Once the folder has been copied over, run add_menu.reg to add your PIN tracer to the context menu.
Assuming you have used the c:\pin path recommended above, the file will be located in c:\pin\source\tools\tiny_tracer\install32_64. The configuration files are also located in this directory.
Once TinyTracer has been installed, test tracing a binary by right-clicking on it and choosing Run with PIN (Tiny Tracer). This should launch the binary along with a CMD window showing some debugging information. The trace file will be saved in the same location as the target binary, named after the binary with a .tab extension.
DTrace Setup
Comprehensive installation steps for DTrace are provided by Microsoft here: https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace#installing-dtrace-under-windows
Symbols
DTrace requires symbols (specifically for ntoskrnl), so these must be set up prior to use. For the following instructions we are assuming the symbol path is c:\symbols; you will need to adjust the path accordingly if you are using a different location.
Temporarily enable Internet access.
Set the _NT_SYMBOL_PATH System variable to the following value:
SRV*c:\symbols*https://msdl.microsoft.com/download/symbols
Open c:\windows\system32\ntoskrnl.exe in IDA and accept the debug symbol lookup dialogue.
Set the x64dbg Symbol Path and Symbol Store in the Preferences menu to the following:
Symbol Store: https://msdl.microsoft.com/download/symbols
Symbol Path: c:\symbols
Open any 64-bit .exe with x64dbg and run until the entry point.
In the Symbols tab, right-click on any module and select Download Symbols for All Modules.
Repeat the above steps with a 32-bit binary and x32dbg. This will pull the symbols for the common modules used by all binaries (ntdll, kernel32, etc.). If you require additional module symbols you will need to repeat the process with a binary that uses the module.
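The following PowerShell script is an added example, not part of the original post, that checks the VM against the setup described above (Windows build, TinyTracer install directory, DTrace, symbol store) and sets _NT_SYMBOL_PATH as a System variable. It assumes the recommended c:\pin and c:\symbols paths; that c:\pin is the PIN kit root containing pin.exe and that dtrace.exe is on PATH after installation are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): sanity-check the lab tooling setup.
# Assumes the c:\pin build path and c:\symbols symbol path recommended above.
$ErrorActionPreference = 'Stop'
$symbolDir  = 'C:\symbols'
$pinRoot    = 'C:\pin'                                    # assumed PIN kit root
$installDir = Join-Path $pinRoot 'source\tools\tiny_tracer\install32_64'
$problems   = @()

# Windows 10 20H1 is build 19041; anything newer, including Windows 11, is fine.
$build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
if ($build -lt 19041 -or -not [Environment]::Is64BitOperatingSystem) {
    $problems += "Need 64-bit Windows 10 20H1 (build 19041) or later, found build $build"
}

# TinyTracer: add_menu.reg (context-menu entry) and pin.exe (assumed kit layout) must exist.
if (-not (Test-Path (Join-Path $installDir 'add_menu.reg'))) {
    $problems += "add_menu.reg not found in $installDir; copy the built pin directory to C:\"
}
if (-not (Test-Path (Join-Path $pinRoot 'pin.exe'))) {
    $problems += "pin.exe not found under $pinRoot (assumed PIN kit root)"
}

# DTrace: assumed to be reachable as dtrace.exe on PATH once installed and rebooted.
if (-not (Get-Command dtrace.exe -ErrorAction SilentlyContinue)) {
    $problems += 'dtrace.exe not found on PATH; install DTrace and reboot'
}

# Symbol store: create the directory and set _NT_SYMBOL_PATH at machine scope.
$symPath = "SRV*${symbolDir}*https://msdl.microsoft.com/download/symbols"
New-Item -ItemType Directory -Path $symbolDir -Force | Out-Null
if ([Environment]::GetEnvironmentVariable('_NT_SYMBOL_PATH', 'Machine') -ne $symPath) {
    [Environment]::SetEnvironmentVariable('_NT_SYMBOL_PATH', $symPath, 'Machine')
    Write-Host "Set _NT_SYMBOL_PATH to $symPath (reopen shells to pick it up)"
}

# A symbol server store keeps each PDB under <store>\<name>.pdb\<GUID>\; the IDA step
# above should have produced this entry for ntoskrnl, which DTrace needs.
if (-not (Test-Path (Join-Path $symbolDir 'ntoskrnl.pdb'))) {
    $problems += "No ntoskrnl.pdb under $symbolDir; open ntoskrnl.exe in IDA with Internet enabled"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host 'Tooling setup looks complete; disable Internet access before running lab binaries.'
```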