Skip to content

TinyTracer - API/Instruction Tracer for Unpacking Cheatsheet

TinyTracer - API/Instruction Tracer for Unpacking Cheatsheet

TinyTracer (by hasherezade) is a dynamic tracing tool built on Intel Pin. It runs a target executable and produces a tracelog of API calls and selected instructions, logging each event as an offset relative to the module (RVA) so the output stays meaningful even for relocated code. Because Pin instruments at a low level, TinyTracer is unaffected by most anti-debug tricks that a packer’s stub uses, which makes it excellent for pinpointing a sample’s Original Entry Point (OEP) and watching what it actually does.

For authorized malware analysis. Run untrusted samples only in an isolated VM/sandbox.

Requirements

  • Intel Pin (the dynamic binary instrumentation framework)
  • Windows (x86/x64) analysis VM
  • TinyTracer’s compiled TinyTracer.dll (Pintool)

Installation

StepHow
Get PinDownload Intel Pin and set PIN_ROOT
Get TinyTracerDownload a release or build the Pintool
Helper scriptsUse the bundled run_me.bat / installer helpers
VerifyRun against a known EXE and check the .tag/log output

Running a Trace

# Conceptual invocation (via the bundled helper or pin directly)
pin.exe -t TinyTracer.dll -o output.tag -- target.exe
FlagPurpose
-t TinyTracer.dllLoad TinyTracer as the Pintool
-o FILEOutput tracelog (.tag) path
-m MODULELimit tracing to a module
-bTrace basic blocks / more granular events
-- target argsThe program to trace and its arguments

What the Tracelog Contains

EntryMeaning
RVA;called: FUNCAn API call, at a module-relative address
Section transitionsExecution moving between sections (unpacking)
TLS callbacksEarly anti-analysis/execution hooks
Sub-callsOptionally, internal call targets

The RVA-based logging is the key: even after a packer unpacks and jumps into new code, entries stay anchored to the module so you can map them back in a disassembler.

Finding the OEP

The classic use: watch where execution lands after the packer stub finishes.

StepWhat to look for
1Run the packed sample under TinyTracer
2Watch for a jump into a previously-unwritten section
3The first “real” API bursts (GetModuleHandle, etc.) mark unpacked code
4Note the RVA — that region is your OEP candidate
5Dump at that point (e.g. with PE-sieve) and analyze statically

Integration with the Toolkit

ToolRole alongside TinyTracer
PE-sieveDump the unpacked module found at the OEP
x64dbgSet a breakpoint at the OEP RVA for deeper analysis
Detect It EasyIdentify the packer before tracing
GhidraMap traced RVAs to disassembly

Common Workflows

# Behavioral trace of a sample's API usage
pin -t TinyTracer.dll -o sample.tag -- sample.exe
# → review sample.tag for suspicious API sequences (crypto, network, injection)

# OEP hunting for an unknown packer
# 1) trace, 2) find the section-transition into unpacked code,
# 3) PE-sieve to dump, 4) analyze the clean binary
AspectTinyTracerx64dbg (manual)API Monitor
BasisPin instrumentationInteractive debuggerAPI hooking
Anti-debug resistanceHighNeeds ScyllaHideModerate
OutputRVA tracelogInteractiveLive API log
Best forAutomated OEP/behavior tracingHands-on steppingWatching API calls

Resources