Unable to trace Nanodump syscalls

Question

Unable to trace Nanodump syscalls

Closed this issue a year ago · 2 comments

I'm trying to use tiny trace to trace Nanodump (https://github.com/fortra) syscalls but with no success.

For example, I'm trying to trace NtCreateFile, used to write the dump on disk, using the following in params.txt:

ntdll;NtCreateFile;11
<SYSCALL>;0x55;11

My TinyTracer.ini has TRACE_SYSCALL=True:

ENABLE_SHORT_LOGGING=True
FOLLOW_SHELLCODES=1
;FOLLOW_SHELLCODES:
; 0 : trace only the main target module
; 1 : follow only the first shellcode called from the main module
; 2 : follow also the shellcodes called recursively from the the original shellcode
; 3 : follow any shellcodes
TRACE_RDTSC=False
TRACE_SYSCALL=True
LOG_SECTIONS_TRANSITIONS=True
LOG_SHELLCODES_TRANSITIONS=True
HEXDUMP_SIZE=8
HOOK_SLEEP=False
SLEEP_TIME=10
LOG_INDIRECT_CALLS=False

When running nanodump, the nanodump.x64.exe.tag file does not seem to be tracing the syscall:

54be;kernel32.HeapFree
54a6;kernel32.GetProcessHeap
54be;kernel32.HeapFree
9722;ntdll.[ZwCreateFile+12]*
9779;ntdll.[NtWriteFile+12]*
94b8;ntdll.[NtClose+12]*
13800;msvcrt.strrchr
13a30;msvcrt.__iob_func
13878;msvcrt.fprintf

I'm probably doing something wrong. Could you give me some hints?

Thanks in advance!

Answer 1 · 2023-03-31T18:47:19.000Z

Hi! I am gonna check it...
Few questions:

Are you sure that application uses direct syscalls, called from the main module? If it uses them via DLL, they won't be included in the log.
Are your sure that the execution path that you deployed uses direct syscalls?

Answer 2 · 2023-03-31T20:01:06.000Z

ok, I checked it and I see what is the reason. The syscalls are actually called via NTDLL.
This is the part of the code responsible for the syscalls implementation:

https://github.com/fortra/nanodump/blob/main/source/syscalls-asm.asm

example:

NtOpenProcess PROC
	mov [rsp +8], rcx
	mov [rsp+16], rdx
	mov [rsp+24], r8
	mov [rsp+32], r9
	mov rcx, 0CD9B2A0Fh
	push rcx
	sub rsp, 028h
	call SW3_GetSyscallAddress
	add rsp, 028h
	pop rcx
	push rax
	sub rsp, 028h
	call SW2_GetSyscallNumber
	add rsp, 028h
	pop r11
	mov rcx, [rsp+8]
	mov rdx, [rsp+16]
	mov r8, [rsp+24]
	mov r9, [rsp+32]
	mov r10, rcx
	jmp r11
NtOpenProcess ENDP

While the syscall is extracted in the main application, yet, it isn't called from the main application. Actually, the jmp r11 redirects the exection to NTDLL.

Step 1 - in the main application:

Step 2 - in the NTDLL (where the syscall is actually called):

This is how it looks in the tracelog:

Long story short - it is not a bug in the tracer, because the tracer is supposed to log the syscalls only from the module that is under the observation.