C++ Implementation of Branch Tracer.
- Copyright (c) 2019 YoungJoong Kim. tf-branch-malware is licensed under the MIT license.
- This repository aims to write branch based windows debugger.
- Windows 10
- Visual Studio 2019
Compile solution with visual studio or msbuild.
msbuild .\Brancher\Brancher.sln /p:configuration=Debug
Make log file on C:\dbg
mkdir C:\dbg
echo "" > C:\dbg\log.txt # branch tracer open existing log file not creating new
Default is debug mode and it will run internet explorer as sample.
CTRL + F5 to run Helper on visual studio, or run on cmd.
cd .\Brancher\Brancher
..\x64\Debug\Helper.exe # Helper run branch tracer based on relative path
On release mode, place Brancher.dll on C:\dbg\Brancher64.dll and target program on C:\dbg\sample.exe.
msbuild .\Brancher\Brancher.sln /p:configuration=Release
mv .\Brancher\x64\Release\Brancher.dll C:\dbg\Brancher64.dll
cp C:\Windows\notepad.exe C:\dbg\sample.exe
echo "" > C:\dbg\log.txt # reinitialize log
.\Brancher\x64\Release\Helper.exe
Sample log file.
+00007FF730C9B842,00007FFF4E004CC0,msvcrt.dll,memset
+00007FF730C84279,00007FFF4D83E420,KERNEL32.DLL,GetCommandLineW
+00007FF730C84289,00007FF730C81130,,
+00007FF730C8117C,00007FFF4F6CCDE0,ntdll.dll,EtwEventRegister
+00007FF730C811A9,00007FFF4F6F3720,ntdll.dll,EtwEventSetInformation
+00007FF730C811B9,00007FF730C9AEC0,,
+00007FF730C84298,00007FFF4DC0DE40,combase.dll,CoCreateGuid
+00007FF730C84331,00007FFF4D83EEB0,KERNEL32.DLL,HeapSetInformation
+00007FF730C8433E,00007FFF4DBBF1A0,combase.dll,CoInitializeEx
+00007FF730C84354,00007FF730C9A8B0,,
+00007FF730C9A8DE,00007FFF4DC5C850,combase.dll,RoInitialize
+00007FF730C9A903,00007FFF4DBC9260,combase.dll,WindowsCreateStringReference
+00007FF730C9A94E,00007FFF4DBC3FC0,combase.dll,RoGetActivationFactory
+00007FF730C9A971,00007FFF4F70FC10,ntdll.dll,RtlRetrieveNtUserPfn
+00007FF730C9AAD7,00007FFF4F70FC10,ntdll.dll,RtlRetrieveNtUserPfn
+00007FF730C9AAE6,00007FF730C9AEC0,,