
TraceHook v0.0.2

Since I have recently managed to find some time to come back to TraceHook development, I decided to mark the result of a session of a few hours with the next version number, 0.0.2. Until now the application has been designed for my own purposes: it was written to handle particular problems and to work under certain conditions, although I am slowly adding options that might turn out to be handy for a wider public.

The main purpose and the techniques used remain the same: it is still all about tracing and dumping process trees marked as malware (which is what TraceHook was created for in the first place). The engine itself is built around a kernel driver, responsible for maintaining the current process list in a safe manner, receiving and handling the notify callbacks for events such as process creation and termination, and implementing the majority of the other available options.

The main enhancement in the new version is a new dump file format, the Windows MiniDump. As opposed to a full raw memory dump, which is performed entirely in kernel mode, the minidump file is written from user mode. Moving the dumping function to user land makes it possible to extend the project with more, and safer, functions implementing new file formats, depending on the user's needs.
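Since a dump written from user mode can be truncated or corrupted if the monitored process dies mid-write, a consistency check of the resulting file is useful before feeding it to a debugger. The following is an added example, not TraceHook's own code: a small Python parser for the documented MINIDUMP_HEADER and stream directory (struct layouts from dbghelp.h) that verifies the "MDMP" signature and version and checks that every stream's RVA/size pair lies within the file. The sample blob built by build_sample_minidump() is constructed here for illustration, including its timestamp value.

```python
import struct
import sys
from dataclasses import dataclass
from typing import Dict, List

# MINIDUMP_HEADER from dbghelp.h (all little-endian):
#   ULONG32 Signature, Version, NumberOfStreams, StreamDirectoryRva, CheckSum,
#   ULONG32 TimeDateStamp (union with Reserved), ULONG64 Flags
HEADER_FMT = "<IIIIIIQ"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 32 bytes
# MINIDUMP_DIRECTORY: ULONG32 StreamType, then MINIDUMP_LOCATION_DESCRIPTOR {DataSize, Rva}
DIRECTORY_FMT = "<III"
DIRECTORY_SIZE = struct.calcsize(DIRECTORY_FMT)  # 12 bytes

MINIDUMP_SIGNATURE = 0x504D444D  # the ASCII bytes "MDMP" read as a little-endian ULONG32
MINIDUMP_VERSION = 42899         # MINIDUMP_VERSION; only the low 16 bits of Version are checked

# Stream type identifiers from the MINIDUMP_STREAM_TYPE enumeration
STREAM_NAMES: Dict[int, str] = {
    3: "ThreadListStream",
    4: "ModuleListStream",
    5: "MemoryListStream",
    6: "ExceptionStream",
    7: "SystemInfoStream",
    9: "Memory64ListStream",
    12: "HandleDataStream",
    15: "MiscInfoStream",
    16: "MemoryInfoListStream",
}


class MiniDumpError(ValueError):
    """Raised when the header or directory is inconsistent with the file size."""


@dataclass
class StreamEntry:
    stream_type: int
    data_size: int
    rva: int

    @property
    def name(self) -> str:
        return STREAM_NAMES.get(self.stream_type, f"UnknownStream({self.stream_type})")


def parse_minidump(data: bytes) -> dict:
    """Validate the header and walk the stream directory, checking every
    offset/length pair against the actual file length before trusting it."""
    if len(data) < HEADER_SIZE:
        raise MiniDumpError("file is shorter than MINIDUMP_HEADER")
    sig, version, nstreams, dir_rva, checksum, timestamp, flags = struct.unpack_from(
        HEADER_FMT, data, 0)
    if sig != MINIDUMP_SIGNATURE:
        raise MiniDumpError(f"bad signature 0x{sig:08x}, expected 'MDMP'")
    if (version & 0xFFFF) != MINIDUMP_VERSION:
        raise MiniDumpError(f"unexpected minidump version {version & 0xFFFF}")
    if dir_rva + nstreams * DIRECTORY_SIZE > len(data):
        raise MiniDumpError("stream directory runs past the end of the file")

    streams: List[StreamEntry] = []
    for i in range(nstreams):
        stype, size, rva = struct.unpack_from(DIRECTORY_FMT, data, dir_rva + i * DIRECTORY_SIZE)
        # A truncated dump typically shows up here: the directory still
        # describes a stream, but its bytes are no longer in the file.
        if rva + size > len(data):
            raise MiniDumpError(f"stream {i} ({STREAM_NAMES.get(stype, stype)}) "
                                f"at rva 0x{rva:x} size 0x{size:x} exceeds file length")
        streams.append(StreamEntry(stype, size, rva))
    return {"version": version, "timestamp": timestamp, "flags": flags,
            "checksum": checksum, "streams": streams}


def build_sample_minidump() -> bytes:
    """Constructed sample (not a real TraceHook output): a header, a two-entry
    directory and zero-filled stream bodies laid out back to back."""
    payloads = [(7, b"\x00" * 56),   # SystemInfoStream, 56 zero bytes standing in for the struct
                (5, b"\x00" * 4)]    # MemoryListStream with NumberOfMemoryRanges == 0
    dir_rva = HEADER_SIZE
    body_rva = dir_rva + len(payloads) * DIRECTORY_SIZE
    directory, body = b"", b""
    for stype, payload in payloads:
        directory += struct.pack(DIRECTORY_FMT, stype, len(payload), body_rva + len(body))
        body += payload
    header = struct.pack(HEADER_FMT, MINIDUMP_SIGNATURE, 0x0001A793, len(payloads),
                         dir_rva, 0, 1254528000, 0)  # timestamp is a constructed value
    return header + directory + body


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_minidump()
    info = parse_minidump(blob)
    print(f"version=0x{info['version']:08x} flags=0x{info['flags']:x} "
          f"timestamp={info['timestamp']} streams={len(info['streams'])}")
    for entry in info["streams"]:
        print(f"  {entry.name:24s} rva=0x{entry.rva:06x} size=0x{entry.data_size:x}")
```

Run it with a dump path as the only argument, or with no argument to see the constructed sample parsed. The check is deliberately bounds-only: it does not interpret stream contents, so it tells you whether a debugger will be able to locate every stream, not whether the captured memory is complete.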

A complete package (EXE + sources): TraceHook.zip (50 kB)

Options:

-=*( TraceHook v0.0.2 by j00ru//vx )*=-
 Usage: TraceHook.exe <target executable> [options]

 Available options:
 -pPATH       Sets the dump destination directory to PATH.
              The default dump path is C:\dump.

 -iINTERVAL   Turns the counter mode on. Makes the application terminate
              and automatically dump all the monitored processes after the
              specified amount of time.
              Note: The INTERVAL value is the number of seconds to wait till
                    dumping all processes.

 -m           Activates the MiniDump mode.
 -h           Displays this message.

— CHANGELOG —

2009-10-03: TraceHook v0.0.2
 * Added dump path manipulation option.
 * Added time interval option.
 * Added additional dump file format - Windows MiniDump.
 * Fixed a Denial of Service vulnerability described at http://j00ru.vexillium.org/?p=141#comment-69
 * Fixed many other minor code issues

— TODO —

*** TraceHook v0.0.2 --> v0.0.3
 - Move the dumping process entirely to user-mode, for easier development and safer execution
 - Change the ProcessList structure to something based on LIST_ENTRY (safer solution?)
 - Add more dump file formats, i.e. module-only dumps
 - Add support for multiple malware process trees
 - Create some kind of GUI, user-friendly interface

Downloading and testing the application is strongly advised (as is sending bug reports)!

{ 2 } Comments

  1. Cyclops | 11-Oct-09 at 09:35:57

    Nice one j00ru :)
    MiniDump will be pretty useful for windbg.

  2. Malcom | 28-Oct-09 at 04:22:08

    Interesting ;)
    One function is a source of small memory leaks ;p
