TinyTracer - API/Instruction Tracer for Unpacking Cheatsheet
TinyTracer (by hasherezade) is a dynamic tracing tool built on Intel Pin. It runs a target executable and produces a tracelog of API calls and selected instructions, logging each event as an offset relative to the module (RVA) so the output stays meaningful even for relocated code. Because Pin instruments at a low level, TinyTracer is unaffected by most anti-debug tricks that a packer’s stub uses, which makes it excellent for pinpointing a sample’s Original Entry Point (OEP) and watching what it actually does.
For authorized malware analysis. Run untrusted samples only in an isolated VM/sandbox.
Requirements
- Intel Pin (the dynamic binary instrumentation framework)
- Windows (x86/x64) analysis VM
- TinyTracer’s compiled
TinyTracer.dll (Pintool)
Installation
| Step | How |
|---|
| Get Pin | Download Intel Pin and set PIN_ROOT |
| Get TinyTracer | Download a release or build the Pintool |
| Helper scripts | Use the bundled run_me.bat / installer helpers |
| Verify | Run against a known EXE and check the .tag/log output |
Running a Trace
# Conceptual invocation (via the bundled helper or pin directly)
pin.exe -t TinyTracer.dll -o output.tag -- target.exe
| Flag | Purpose |
|---|
-t TinyTracer.dll | Load TinyTracer as the Pintool |
-o FILE | Output tracelog (.tag) path |
-m MODULE | Limit tracing to a module |
-b | Trace basic blocks / more granular events |
-- target args | The program to trace and its arguments |
What the Tracelog Contains
| Entry | Meaning |
|---|
RVA;called: FUNC | An API call, at a module-relative address |
| Section transitions | Execution moving between sections (unpacking) |
| TLS callbacks | Early anti-analysis/execution hooks |
| Sub-calls | Optionally, internal call targets |
The RVA-based logging is the key: even after a packer unpacks and jumps into new code, entries stay anchored to the module so you can map them back in a disassembler.
Finding the OEP
The classic use: watch where execution lands after the packer stub finishes.
| Step | What to look for |
|---|
| 1 | Run the packed sample under TinyTracer |
| 2 | Watch for a jump into a previously-unwritten section |
| 3 | The first “real” API bursts (GetModuleHandle, etc.) mark unpacked code |
| 4 | Note the RVA — that region is your OEP candidate |
| 5 | Dump at that point (e.g. with PE-sieve) and analyze statically |
| Tool | Role alongside TinyTracer |
|---|
| PE-sieve | Dump the unpacked module found at the OEP |
| x64dbg | Set a breakpoint at the OEP RVA for deeper analysis |
| Detect It Easy | Identify the packer before tracing |
| Ghidra | Map traced RVAs to disassembly |
Common Workflows
# Behavioral trace of a sample's API usage
pin -t TinyTracer.dll -o sample.tag -- sample.exe
# → review sample.tag for suspicious API sequences (crypto, network, injection)
# OEP hunting for an unknown packer
# 1) trace, 2) find the section-transition into unpacked code,
# 3) PE-sieve to dump, 4) analyze the clean binary
| Aspect | TinyTracer | x64dbg (manual) | API Monitor |
|---|
| Basis | Pin instrumentation | Interactive debugger | API hooking |
| Anti-debug resistance | High | Needs ScyllaHide | Moderate |
| Output | RVA tracelog | Interactive | Live API log |
| Best for | Automated OEP/behavior tracing | Hands-on stepping | Watching API calls |
Resources