hasherezade/tiny_tracer

Is there a way to add custom arguments?

Ou7law007 opened this issue · 4 comments

My sample uses ntdll routines, hence most string arguments are passed as UNICODE_STRINGs, as always, which show up as pointers, which is not helpful.

I can't attach a debugger and inspect memory unfortunately. Actually I can inspect memory but I can't pause the process at a function call.

Another solution that I'm working on right now is just to inject a DLL at start and hook the functions. But if tiny_tracer could detect UNICODE_STRING args, that would be awesome.

Currently, there is no possibility to dump structures, such as UNICODE_STRING. But there is a possibility to dump a hexadecimal buffer of a defined length. So, it can be used as a workaround to still preview those strings (if they are in a contiguous block of memory, which is often the case).
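As an added illustration of that workaround (this is not code from tiny_tracer or the issue), a small post-processing script that takes two hex buffer dumps, the 16 bytes the UNICODE_STRING argument points to and a dump of its Buffer, and recovers the string from the Length field instead of looking for a NUL terminator. The space-separated dump format, the x64/x86 layouts and the sample values are assumptions constructed here.

```python
import struct

# Constructed sample dumps (not taken from the issue): a 16-byte hex dump of the
# memory an x64 UNICODE_STRING argument points to, and a dump of its Buffer.
# x64 layout: USHORT Length; USHORT MaximumLength; 4 bytes padding; PWSTR Buffer.
SAMPLE_STRUCT_DUMP = "1a 00 1c 00 00 00 00 00 00 00 b2 a1 e4 01 00 00"
# Buffer dump: 13 UTF-16LE chars, a terminator, then unrelated bytes that happen
# to follow in memory. Length (26) says where the string really ends.
SAMPLE_BUFFER_DUMP = "\\??\\C:\\ab.dll".encode("utf-16-le") + b"\x00\x00" + b"ZZZZ"


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn a space-separated hex dump (assumed format) into raw bytes."""
    return bytes.fromhex(dump.replace(" ", ""))


def parse_unicode_string(header: bytes, ptr_size: int = 8) -> dict:
    """Decode the UNICODE_STRING header; ptr_size selects the x64/x86 layout."""
    if ptr_size == 8:
        fmt = "<HH4xQ"  # Length, MaximumLength, padding, Buffer
    elif ptr_size == 4:
        fmt = "<HHI"
    else:
        raise ValueError("ptr_size must be 4 or 8")
    need = struct.calcsize(fmt)
    if len(header) < need:
        raise ValueError(f"dump too short: need {need} bytes, got {len(header)}")
    length, max_length, buffer_ptr = struct.unpack_from(fmt, header)
    # Sanity checks: Length counts bytes of UTF-16 units and never exceeds MaximumLength.
    if length % 2 or length > max_length:
        raise ValueError("header does not look like a UNICODE_STRING")
    return {"Length": length, "MaximumLength": max_length, "Buffer": buffer_ptr}


def decode_buffer(buffer_bytes: bytes, length: int) -> str:
    """UNICODE_STRING is counted, not NUL-terminated: only Length bytes are valid."""
    if len(buffer_bytes) < length:
        raise ValueError("buffer dump shorter than Length")
    return buffer_bytes[:length].decode("utf-16-le")


def recover_string(struct_dump: str, buffer_dump: bytes, ptr_size: int = 8) -> str:
    """Combine both dumps into the string the callee actually sees."""
    hdr = parse_unicode_string(hexdump_to_bytes(struct_dump), ptr_size)
    return decode_buffer(buffer_dump, hdr["Length"])
```

The second dump has to be taken at the Buffer address reported by the first one; a dump that only covers the 16-byte header shows the pointer and lengths but not the text itself.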

Mind telling me how?

Although, I can't know what length a string is before it's defined. Does it not work with null-terminated strings?

A UNICODE_STRING argument should be added I think, since UNICODE_STRINGs are so common among malware.

I created a pull request: #10
Have a look!

@Ou7law007 - thanks, it works fine! I checked and I responded to you. Please clean it up to follow the project's convention and I will merge it.