A Linux x64 tool to trace registers and memory regions.

Overview

HellTracer

Description

A Linux x64 tool to trace registers and memory regions.

Build the tool

  1. Clone the repository.
  2. Compile the tool with make.
  3. Add the generated bin directory to your path using PATH=$PATH:~/path/to/the/repo/bin.

How to use ?

Syntax

helltracer binary [-param value] [--flag]

Parameters

entry -> Specifies the program entry point. e.g: 'entry 0x401000'
start -> Specifies the program start address for tracing. e.g: 'entry 0x4010f0'
end -> Specifies the program end address for tracing. e.g: 'entry 0x40115e'
mem -> Turns on tracing of the specified memory range. e.g: 'mem ascii=[[rbp-0x40]:4]', 'mem ascii=[@0x40200f:15]', 'mem [rsi]'
args -> Specifies the arguments to be passed to the traced binary. e.g: 'args "./name.bin hello world"'
output -> Specifies the output file (.csv). e.g: 'output out.csv'

Flags

help -> Displays the help message.
reg_name -> Turns on tracing of register reg_name. e.g: 'rip', 'rcx', 'rsp', 'all'

Example

Command

The following command will write to ./out.csv, the content of the rip register in hexadecimal and of memory region starting at 0x40200F and of size 11 in ASCII and memory region starting at RSI of size 5 in ASCII, during the execution of the binary ./example.bin with program arguments "./example.bin username password" when rip is contained between 0x400000 and 0x500000, with entry point defined at 0x4011a0.
sudo helltracer ./example.bin -output ./out.csv -args "./example.bin username password" -entry 0x4011a0 -start 0x400000 -end 0x500000 --rip -mem ascii=[@0x40200f:11] -mem ascii=[rsi:5]

Result

Here is the beginning of the resulting CSV file :

result.png

You might also like...
x64 Windows kernel driver mapper, inject unsigned driver using anycall
x64 Windows kernel driver mapper, inject unsigned driver using anycall

anymapper x64 Windows kernel driver mapper, inject unsigned driver using anycall This project is WIP. Todo Fix: Can't make API calls from IAT nor func

Easily hook WIN32 x64 functions

About Library for easy hooking of arbitrary functions in WIN32 x64 executables. Only requires target function address. Disassembles the function prolo

Module Stomping, No New Thread, HellsGate syscaller, UUID Shellcode Runner for x64 Windows 10!
Module Stomping, No New Thread, HellsGate syscaller, UUID Shellcode Runner for x64 Windows 10!

Ninja UUID Shellcode Runner Module Stomping, No New Thread, HellsGate syscaller, UUID Shellcode Runner for x64 Windows 10! Now supports running Cobalt

Module Stomping, No New Thread, HellsGate syscaller, UUID Shellcode Runner for x64 Windows 10!
Module Stomping, No New Thread, HellsGate syscaller, UUID Shellcode Runner for x64 Windows 10!

Ninja UUID Shellcode Runner Module Stomping, No New Thread, HellsGate syscaller, UUID Shellcode Runner for x64 Windows 10! Now supports running Cobalt

An open-source x64/x32 debugger for windows.
An open-source x64/x32 debugger for windows.

x64dbg An open-source binary debugger for Windows, aimed at malware analysis and reverse engineering of executables you do not have the source code fo

Vmpfix - Universal x86/x64 VMProtect 2.0-3.X Import fixer
Vmpfix - Universal x86/x64 VMProtect 2.0-3.X Import fixer

vmpfix VMPfix is a dynamic x86/x64 VMProtect 2.0-3.x import fixer. The main goal of this project was to build correct and reliable tool to fix imports

A C++ expression - x64 JIT

NativeJIT NativeJIT is an open-source cross-platform library for high-performance just-in-time compilation of expressions involving C data structures.

x64 PE-COFF virtualization driven obfuscation engine

Singularity Prerequisite To use and build this library you will have to have the following installed: Python version 2.7 / 3.4 or higher Git msbuild (

Hygieia, a vulnerable driver traces scanner written in C++ as an x64 Windows kernel driver.

Hygieia The Greek goddess of health, her name is the source for the word "hygiene". Hygieia is a windows driver that works similarly to how pagewalkr

Owner
Aurélien Tournebise
Aurélien, 20 years old IT student, passionate about computer security.
Aurélien Tournebise
Full Apex/EAC/Origin Trace Files Cleaner

Apex Cleaner Full Apex/EAC/Origin Trace Files Cleaner This is the best cleaner I've ever made. So this is a Full Apex Legends trace cleaner. Mostly my

Sarnax 51 Sep 29, 2022
android analysis tools, jni trace by native hook, libc hook, write log with caller's addr in file or AndroidLog

编译方法 unix like mkdir "build" cd build cmake .. -DNDK=your_ndk_path/Android/sdk/ndk/22.0.7026061 -DANDROID_ABI=armeabi-v7a make -j8 或者使用andriod studio编

pony 55 Sep 6, 2022
Terrain generator with 5 visually distinct biomes, spread them in regions and smooth their borders

termProject This is the repository of my term project: a terrain generator. Abstract The larger the scenario of a game, more time a player will spend

João Carlos Becker 13 Jun 9, 2021
CredBandit - Proof of concept Beacon Object File (BOF) that uses static x64 syscalls to perform a complete in memory dump of a process and send that back through your already existing Beacon communication channel

CredBandit CredBandit is a proof of concept Beacon Object File (BOF) that uses static x64 syscalls to perform a complete in memory dump of a process a

anthemtotheego 169 Sep 24, 2022
A tool for detecting manual/direct syscalls in x86 and x64 processes using Nirvana Hooks.

manual-syscall-detect A tool for detecting manual/direct syscalls in x86 and x64 processes using Nirvana Hooks. Description A full write-up of this to

Conor Richard 67 Sep 9, 2022
A FREE Windows C development course where we will learn the Win32API and reverse engineer each step utilizing IDA Free in both an x86 and x64 environment.

FREE Reverse Engineering Self-Study Course HERE Hacking Windows The book and code repo for the FREE Hacking Windows book by Kevin Thomas. FREE Book Do

Kevin Thomas 1k Oct 4, 2022
Obfuscate calls to imports by patching in stubs. ICO works on both X86 and X64 binaries.

ICO adds a new section into the image, then begins building stubs for each import that uses a extremely basic routine to decrypt an RVA and places them into the section.

null 39 Sep 24, 2022
A D++ Discord Bot template for Visual Studio 2019 (x64 and x86)

D++ Windows Bot Template A D++ Discord Bot template for Visual Studio 2019 (x64 and x86, release and debug). The result of this tutorial. This templat

brainbox.cc 22 Sep 14, 2022
very basic and minimalistic hooking "library" for windows (x64 support soon)

IceHook very basic and minimalistic hooking "library" for windows (x64 support soon) Example how to use: typedef void(__stdcall* twglSwapBuffers)(HDC

null 5 Jul 25, 2022
x64 Windows kernel code execution via user-mode, arbitrary syscall, vulnerable IOCTLs demonstration

anycall x64 Windows kernel code execution via user-mode, arbitrary syscall, vulnerable IOCTLs demonstration Read: https://www.godeye.club/2021/05/14/0

Kento Oki 150 Sep 27, 2022