!track (track and map function calls and returns to the symbols)

Description of the '!track' command in HyperDbg.

Command

!track : track function calls and return addresses and map them to the symbols

Syntax

!track [tree] [Count (hex)]

!track [reg] [Count (hex)]

Description

Creates tracking records of function calls and return addresses by instrumenting instructions.

Parameters

[tree] (optional)

The results will be shown in the 'tree' style. (default)

[reg] (optional)

The results will be shown in 'tree' style while registers are also shown.

[Count (hex)]

The number of instructions to instrument (this is not the number of calls).

Examples

The following example shows the tracking results (function calls and return addresses) for an unlimited number of instructions.

If you want to see registers (i.e., parameters) to the 'call' instructions, you can use the reg parameter.

SDK

To track instructions, you need to use the following function in libhyperdbg:

Remarks

This command sets a Monitor Trap Flag in the debuggee and continues only the currently executing core. After executing one instruction, it halts the debuggee again.

If the currently executing instruction is a call instruction, it will follow and enter the call instruction to find the recursive calls and returns (ret instructions).

If you load symbols and you don't want to see function names, you can turn addressconversion off in the 'settings' command.

This command is able to track from user-mode to kernel-mode and kernel-mode to user-mode.

This command is supported beginning with HyperDbg version 0.3.
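
A simplified model of the tracking loop described in these remarks, as an added example (not HyperDbg's or libhyperdbg's code): it walks a constructed trace of single-stepped instructions, recognizes call and ret opcodes, and prints an indented tree against a hypothetical symbol table. The names step_t, track, SYMS and TRACE are assumptions of this example, as is treating a count of 0 as unlimited.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* One record per single-stepped instruction: address, first two opcode bytes,
   and where execution went next. All data below is constructed sample data. */
typedef struct { uint64_t rip; uint8_t op[2]; uint64_t next; } step_t;
typedef struct { uint64_t addr; const char *name; } sym_t;
typedef struct { size_t steps; int calls, rets, depth, max_depth; } track_stats;
static const sym_t SYMS[] = { {0x1000, "app!main"}, {0x2000, "app!parse"},
                              {0x3000, "lib!read"} };   /* hypothetical symbols */
static const step_t TRACE[] = {
    {0x1000, {0x55, 0x00}, 0x1001},   /* push rbp                   */
    {0x1001, {0xE8, 0x00}, 0x2000},   /* call rel32 -> app!parse    */
    {0x2000, {0xFF, 0xD0}, 0x3000},   /* call rax   -> lib!read     */
    {0x3000, {0xC3, 0x00}, 0x2002},   /* ret        -> app!parse+2  */
    {0x2002, {0x90, 0x00}, 0x2003},   /* nop                        */
    {0x2003, {0xC3, 0x00}, 0x1006},   /* ret        -> app!main+6   */
};
#define TRACE_LEN (sizeof TRACE / sizeof TRACE[0])
/* E8 = call rel32; FF /2 = call r/m64 (ModRM reg field is 2). */
static int is_call(const uint8_t *op) {
    return op[0] == 0xE8 || (op[0] == 0xFF && ((op[1] >> 3) & 7) == 2);
}
static int is_ret(const uint8_t *op) { return op[0] == 0xC3 || op[0] == 0xC2; }

static const sym_t *nearest(uint64_t a) {   /* closest symbol at or below a */
    const sym_t *best = NULL;
    for (size_t i = 0; i < sizeof SYMS / sizeof SYMS[0]; i++)
        if (SYMS[i].addr <= a && (!best || SYMS[i].addr > best->addr)) best = &SYMS[i];
    return best;
}

/* count limits instructions stepped, not calls seen (0 = no limit in this model). */
static track_stats track(const step_t *t, size_t n, size_t count) {
    track_stats s = {0, 0, 0, 0, 0};
    for (size_t i = 0; i < n && (count == 0 || i < count); i++, s.steps++) {
        int call = is_call(t[i].op), ret = is_ret(t[i].op);
        if (!call && !ret) continue;
        if (ret && s.depth > 0) s.depth--;           /* leave callee before printing */
        const sym_t *sy = nearest(t[i].next);
        printf("%*s%s %s+0x%llx\n", s.depth * 2, "", call ? "call" : "ret ",
               sy ? sy->name : "?", (unsigned long long)(t[i].next - (sy ? sy->addr : 0)));
        if (call) { s.calls++; if (++s.depth > s.max_depth) s.max_depth = s.depth; }
        else s.rets++;
    }
    return s;
}
int main(void) { track(TRACE, TRACE_LEN, 0); return 0; }
```

With a count of 3 the model stops inside the second call, which is why a small instruction count can leave the tree without matching returns.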

Requirements

None

i (instrumentation step-in)
