!track (track and map function calls and returns to the symbols)
Description of the '!track' command in HyperDbg.
Command
!track : track function calls and return adderesses and map them to the symbols
Syntax
!track [tree] [Count (hex)]
!track [reg] [Count (hex)]
Description
Creates tracking records of function calls and return addresses by instrumenting instructions.
Parameters
[tree](optional)
The results will be shown in the 'tree' style. (default)
[reg](optional)
The results will be shown in 'tree' style while registers are also shown.
[Count (hex)]
The number of instructions to perform the instrument (This is not the number of calls.).
If you run this command without any parameter, it tries to run instructions in 'tree' style with an unlimited number of instructions. You can pause the execution by pressing CTRL+C.
Examples
The following example shows the tracking results (function calls and return addresses) for an unlimited number of instructions.
If you want to see registers (i.e., parameters) to the 'call' instructions, you can use the reg parameter.
SDK
To track instructions, you need to use the following function in libhyperdbg:
Remarks
This command will set a Monitor Trap Flag in debuggee and continue just the current executing core. After executing one instruction, it halts the debuggee again.
If the currently executing instruction is a call instruction, it will follow and enter the call instruction to find the recursive calls and returns (ret instructions).
If you load symbols and you don't want to see function names, you turn addressconversion off in the 'settings' command.
This command is able to track from user-mode to kernel-mode and kernel-mode to user-mode.
Beginning with HyperDbg version 0.3, the inclusion of support for this command has been implemented.
Requirements
None
Related
Last updated