# aliyun-functraceplus

**Repository Path**: aliyun/aliyun-functraceplus

## Basic Information

- **Project Name**: aliyun-functraceplus
- **Description**: No description available
- **Primary Language**: Unknown
- **License**: GPL-3.0
- **Default Branch**: master
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 0
- **Forks**: 0
- **Created**: 2025-05-08
- **Last Updated**: 2025-05-11

## Categories & Tags

**Categories**: Uncategorized
**Tags**: None

## README

[English](./README.md) | 简体中文

# FUNCTRACEPLUS

FUNCTRACEPLUS is an IDA plugin for tracing calls to selected Windows API functions.

## Overview

FUNCTRACEPLUS is a function-tracing plugin developed by the Alibaba Cloud Security team. It is meant to help security researchers automatically trace the key Windows API calls made by a binary. It cannot trace the thousands of Windows API functions that Rohitab's API Monitor covers, but it provides a flexible framework for running your own hook functions. IDA's built-in function tracing records neither arguments nor return values and is slow; the custom hook functions run by FUNCTRACEPLUS can supply that information and take less time.

## Requirements

FUNCTRACEPLUS currently requires Python 3 and IDA 8.3 or later. Versions below 8.3 have not been tested.

## Usage

Create a Python file in the `functions` directory (for example `kernel32.py`) and implement the hook functions in it (for example `VirtualAlloc`).

- Copy the `functions` directory into the `python/3` directory (`python\3` on Windows) of your IDA installation.
- Write an IDA script that registers the functions to monitor with the `add_hook_functions` interface; see the examples below. The third argument is the number of parameters the API takes (`CreateFileA` has 7, `ReadFile` has 5, `CloseHandle` has 1).

## Examples

### file_ops

The test script below monitors file read and write operations. Save it to a file, load it in IDA Pro (File -> Script File), and run the target under the IDA debugger; the trace lines are printed in IDA Pro's Output window.

```python
from functions.functraceplus import FuncTracePlus

if __name__ == "__main__":
    ftp = FuncTracePlus(ignore_bp=False)
    ftp.hook()
    # add_hook_functions(module_name, function_name, function_arg_count)
    ftp.add_hook_functions("kernel32", "CreateFileA", 7)
    ftp.add_hook_functions("kernel32", "CreateFileW", 7)
    ftp.add_hook_functions("kernel32", "ReadFile", 5)
    ftp.add_hook_functions("kernel32", "WriteFile", 5)
    ftp.add_hook_functions("kernel32", "CloseHandle", 1)
```

- Key results for file_ops_x86.exe

```text
2025-02-02 17:26:11,618 - DEBUG - hook function exec: 0x7bdc8 => kernel32!CreateFileW(lpFileName=example.txt, dwDesiredAccess=GENERIC_WRITE, dwShareMode=FILE_SHARE_READ|FILE_SHARE_WRITE, lpSecurityAttributes=0x12ff6f0, dwCreationDisposition=CREATE_ALWAYS, dwFlagsAndAttributes=FILE_ATTRIBUTE_NORMAL, hTemplateFile=0x0) = 0xcc => HANDLE
2025-02-02 17:26:11,633 - DEBUG - hook function exec: 0x71255 => kernel32!WriteFile(hFile=0xcc, lpBuffer=0x12fe2fc, Buffer Preview: [48 65 6C 6C 6F ...], nNumberOfBytesToWrite=15, lpNumberOfBytesWritten=0x12fe2f8, lpOverlapped=0x0) = 0x1 -> BOOL
2025-02-02 17:26:11,641 - DEBUG - hook function exec: 0x71255 => kernel32!WriteFile(hFile=0xcc, lpBuffer=0x12fe2f8, Buffer Preview: [D5 E2 CA C7 D2 ...], nNumberOfBytesToWrite=24, lpNumberOfBytesWritten=0x12fe2f4, lpOverlapped=0x0) = 0x1 -> BOOL
2025-02-02 17:26:11,648 - DEBUG - hook function exec: 0x719e2 => kernel32!CloseHandle(0xcc)=0x1
2025-02-02 17:26:11,655 - DEBUG - hook function exec: 0x7bdc8 => kernel32!CreateFileW(lpFileName=example.txt, dwDesiredAccess=GENERIC_READ, dwShareMode=FILE_SHARE_READ|FILE_SHARE_WRITE, lpSecurityAttributes=0x12ff6f0, dwCreationDisposition=OPEN_EXISTING, dwFlagsAndAttributes=FILE_ATTRIBUTE_NORMAL, hTemplateFile=0x0) = 0xcc => HANDLE
2025-02-02 17:26:11,663 - DEBUG - hook function exec: 0x73667 => kernel32!ReadFile(hFile=0xcc, lpBuffer=0x167d1e0, nNumberOfBytesToRead=4096, lpNumberOfBytesRead=0x12ff700, lpOverlapped=0x0) = 0x1 -> BOOL
2025-02-02 17:26:11,706 - DEBUG - hook function exec: 0x73667 => kernel32!ReadFile(hFile=0xcc, lpBuffer=0x167d1e0, nNumberOfBytesToRead=4096, lpNumberOfBytesRead=0x12ff700, lpOverlapped=0x0) = 0x1 -> BOOL
2025-02-02 17:26:11,713 - DEBUG - hook function exec: 0x719e2 => kernel32!CloseHandle(0xcc)=0x1
```

- Key results for file_ops_x64.exe

```text
2025-02-02 17:22:41,345 - DEBUG - hook function exec: 0x7ff6b932239c => kernel32!CreateFileW(lpFileName=example.txt, dwDesiredAccess=GENERIC_WRITE, dwShareMode=FILE_SHARE_READ|FILE_SHARE_WRITE, lpSecurityAttributes=0xe1894ff610, dwCreationDisposition=CREATE_ALWAYS, dwFlagsAndAttributes=FILE_ATTRIBUTE_NORMAL, hTemplateFile=0x0) = 0xd4 => HANDLE
2025-02-02 17:22:41,445 - DEBUG - hook function exec: 0x7ff6b9317e5d => kernel32!WriteFile(hFile=0xd4, lpBuffer=0xe1894fe230, Buffer Preview: [48 65 6C 6C 6F ...], nNumberOfBytesToWrite=15, lpNumberOfBytesWritten=0xe1894fe220, lpOverlapped=0x0) = 0x1 -> BOOL
2025-02-02 17:22:41,496 - DEBUG - hook function exec: 0x7ff6b9317e5d => kernel32!WriteFile(hFile=0xd4, lpBuffer=0xe1894fe230, Buffer Preview: [D5 E2 CA C7 D2 ...], nNumberOfBytesToWrite=24, lpNumberOfBytesWritten=0xe1894fe220, lpOverlapped=0x0) = 0x1 -> BOOL
2025-02-02 17:22:41,547 - DEBUG - hook function exec: 0x7ff6b931763c => kernel32!CloseHandle(0xd4)=0x1
2025-02-02 17:22:41,596 - DEBUG - hook function exec: 0x7ff6b932239c => kernel32!CreateFileW(lpFileName=example.txt, dwDesiredAccess=GENERIC_READ, dwShareMode=FILE_SHARE_READ|FILE_SHARE_WRITE, lpSecurityAttributes=0xe1894ff610, dwCreationDisposition=OPEN_EXISTING, dwFlagsAndAttributes=FILE_ATTRIBUTE_NORMAL, hTemplateFile=0x0) = 0xdc => HANDLE
2025-02-02 17:22:41,646 - DEBUG - hook function exec: 0x7ff6b93197eb => kernel32!ReadFile(hFile=0xdc, lpBuffer=0x2b23f0f0da0, nNumberOfBytesToRead=4096, lpNumberOfBytesRead=0xe1894ff768, lpOverlapped=0x0) = 0x1 -> BOOL
2025-02-02 17:22:41,787 - DEBUG - hook function exec: 0x7ff6b93197eb => kernel32!ReadFile(hFile=0xdc, lpBuffer=0x2b23f0f0da0, nNumberOfBytesToRead=4096, lpNumberOfBytesRead=0xe1894ff768, lpOverlapped=0x0) = 0x1 -> BOOL
2025-02-02 17:22:41,793 - DEBUG - hook function exec: 0x7ff6b931763c => kernel32!CloseHandle(0xdc)=0x1
```

### mem_ops

The test script below monitors memory operations. Save it to a file, load it in IDA Pro (File -> Script File), and run the target under the IDA debugger; the trace lines are printed in IDA Pro's Output window.

```python
from functions.functraceplus import FuncTracePlus

if __name__ == "__main__":
    ftp = FuncTracePlus(ignore_bp=False)
    ftp.hook()
    ftp.add_hook_functions("kernel32", "VirtualAlloc", 4)
    ftp.add_hook_functions("kernel32", "VirtualFree", 3)
    ftp.add_hook_functions("kernel32", "VirtualProtect", 4)
```

- Key results for mem_ops_x86.exe

```text
2025-02-02 18:26:22,963 - DEBUG - hook function exec: 0x571f79 => kernel32!VirtualAlloc(lpAddress=0x0, dwSize=1024, flAllocationType=MEM_COMMIT|MEM_RESERVE, flProtect=PAGE_READWRITE) = 0x1400000 -> LPVOID
2025-02-02 18:26:22,983 - DEBUG - hook function exec: 0x572006 => kernel32!VirtualProtect(lpAddress=0x1400000, dwSize=1024, flNewProtect=PAGE_READONLY, lpflOldProtect=0xeffbe8) = 0x1 -> BOOL
2025-02-02 18:26:22,991 - DEBUG - hook function exec: 0x572074 => kernel32!VirtualFree(lpAddress=0x1400000, dwSize=0, dwFreeType=MEM_DECOMMIT) = 0x1 -> BOOL
```

- Key results for mem_ops_x64.exe

```text
2025-02-02 18:21:12,312 - DEBUG - hook function exec: 0x7ff716eb59c0 => kernel32!VirtualAlloc(lpAddress=0x0, dwSize=1024, flAllocationType=MEM_COMMIT|MEM_RESERVE, flProtect=PAGE_READWRITE) = 0x1f4a6970000 -> LPVOID
2025-02-02 18:21:12,327 - DEBUG - hook function exec: 0x7ff716eb5a51 => kernel32!VirtualProtect(lpAddress=0x1f4a6970000, dwSize=1024, flNewProtect=PAGE_READONLY, lpflOldProtect=0x314816fd80) = 0x1 -> BOOL
2025-02-02 18:21:12,334 - DEBUG - hook function exec: 0x7ff716eb5acf => kernel32!VirtualFree(lpAddress=0x1f4a6970000, dwSize=0, dwFreeType=MEM_DECOMMIT) = 0x1 -> BOOL
```

## LICENSE

[GPL 3.0](LICENSE.GPL)
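The trace lines in the examples above reach IDA's Output window as flat text, and the next step is usually to turn them into per-handle or per-region lifecycles (which file was opened with what access, how many bytes went to it, whether a region was ever made executable, whether anything was never released). The following is an added example written for this page, not code from the FUNCTRACEPLUS project: the line format is inferred from the sample output above, `SAMPLE_LOG` is copied from the x86 file_ops and mem_ops output, and `CONSTRUCTED_LOG` is made up (hypothetical call sites and addresses) to cover two cases the sample does not contain, a read-write region remapped executable and an allocation that is never freed. Handle reuse, visible above where `0xcc` is returned twice, is handled by ending a session at `CloseHandle`.

```python
"""Post-process FUNCTRACEPLUS trace lines into per-resource lifecycles.

Added example, not code from the FUNCTRACEPLUS project. The line format is
inferred from the README's sample output; SAMPLE_LOG is copied from it and
CONSTRUCTED_LOG is made up (hypothetical call sites and addresses).
"""
import re
from collections import namedtuple

# <ts> - <LEVEL> - hook function exec: <site> => <module>!<func>(<args>) = <ret> [=>|-> <type>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) - \w+ - hook function exec: "
    r"(?P<site>0x[0-9a-fA-F]+) => (?P<module>\w+)!(?P<func>\w+)\((?P<args>.*)\)"
    r"\s*=\s*(?P<ret>0x[0-9a-fA-F]+)(?:\s*(?:=>|->)\s*(?P<rtype>\w+))?\s*$")
Call = namedtuple("Call", "ts site module func args ret rtype")

# Which APIs create, use and release a resource, and which argument names it.
OPENERS = {"CreateFileA", "CreateFileW", "VirtualAlloc"}   # resource = return value
USERS = {"ReadFile": "hFile", "WriteFile": "hFile", "VirtualProtect": "lpAddress"}
CLOSERS = {"CloseHandle": "arg0", "VirtualFree": "lpAddress"}
FAILED_OPEN = {0, 0xFFFFFFFF, 0xFFFFFFFFFFFFFFFF}          # NULL / INVALID_HANDLE_VALUE

def parse_line(line):
    """Return a Call for one trace line, or None for any other output line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = {}
    for i, tok in enumerate(t.strip() for t in m.group("args").split(", ") if t.strip()):
        if "=" in tok:                 # name=value
            k, v = tok.split("=", 1)
        elif ": " in tok:              # "Buffer Preview: [48 65 ...]"
            k, v = tok.split(": ", 1)
        else:                          # positional, e.g. CloseHandle(0xcc)
            k, v = "arg%d" % i, tok
        args[k.strip()] = v.strip()
    return Call(m.group("ts"), int(m.group("site"), 16), m.group("module"),
                m.group("func"), args, int(m.group("ret"), 16), m.group("rtype"))

def build_lifecycles(lines):
    """Group calls into sessions keyed by handle/address. A value is looked up only
    while its session is open, so a handle reused after CloseHandle starts afresh."""
    sessions, open_sessions, orphans = [], {}, []
    for call in filter(None, map(parse_line, lines)):
        if call.func in OPENERS:
            if call.ret in FAILED_OPEN:
                orphans.append(call)   # failed open: nothing to track
                continue
            s = {"resource": call.ret, "opened_by": call, "uses": [], "closed_by": None}
            sessions.append(s)
            open_sessions[call.ret] = s
        elif call.func in USERS or call.func in CLOSERS:
            key = int(call.args[USERS.get(call.func) or CLOSERS[call.func]], 16)
            s = open_sessions.get(key)
            if s is None:
                orphans.append(call)   # use/close of a resource never seen opened
            elif call.func in USERS:
                s["uses"].append(call)
            else:
                s["closed_by"] = call
                del open_sessions[key]
    return sessions, orphans

def summarize(session):
    """Collapse one session into the facts an analyst wants at a glance."""
    o, uses = session["opened_by"], session["uses"]
    out = {"api": o.func, "resource": hex(session["resource"]),
           "closed": session["closed_by"] is not None}
    if o.func.startswith("CreateFile"):
        out["path"] = o.args.get("lpFileName")
        out["access"] = o.args.get("dwDesiredAccess")
        out["bytes_written"] = sum(int(u.args["nNumberOfBytesToWrite"])
                                   for u in uses if u.func == "WriteFile")
        # ReadFile logs the *requested* size; the real count sits behind lpNumberOfBytesRead.
        out["reads"] = sum(1 for u in uses if u.func == "ReadFile")
    elif o.func == "VirtualAlloc":
        out["size"] = int(o.args["dwSize"])
        out["protections"] = [o.args["flProtect"]] + [
            u.args["flNewProtect"] for u in uses if u.func == "VirtualProtect"]
        out["ever_executable"] = any("EXECUTE" in p for p in out["protections"])
    return out

# Copied from the README's file_ops_x86.exe and mem_ops_x86.exe output.
SAMPLE_LOG = """
2025-02-02 17:26:11,618 - DEBUG - hook function exec: 0x7bdc8 => kernel32!CreateFileW(lpFileName=example.txt, dwDesiredAccess=GENERIC_WRITE, dwShareMode=FILE_SHARE_READ|FILE_SHARE_WRITE, lpSecurityAttributes=0x12ff6f0, dwCreationDisposition=CREATE_ALWAYS, dwFlagsAndAttributes=FILE_ATTRIBUTE_NORMAL, hTemplateFile=0x0) = 0xcc => HANDLE
2025-02-02 17:26:11,633 - DEBUG - hook function exec: 0x71255 => kernel32!WriteFile(hFile=0xcc, lpBuffer=0x12fe2fc, Buffer Preview: [48 65 6C 6C 6F ...], nNumberOfBytesToWrite=15, lpNumberOfBytesWritten=0x12fe2f8, lpOverlapped=0x0) = 0x1 -> BOOL
2025-02-02 17:26:11,641 - DEBUG - hook function exec: 0x71255 => kernel32!WriteFile(hFile=0xcc, lpBuffer=0x12fe2f8, Buffer Preview: [D5 E2 CA C7 D2 ...], nNumberOfBytesToWrite=24, lpNumberOfBytesWritten=0x12fe2f4, lpOverlapped=0x0) = 0x1 -> BOOL
2025-02-02 17:26:11,648 - DEBUG - hook function exec: 0x719e2 => kernel32!CloseHandle(0xcc)=0x1
2025-02-02 17:26:11,655 - DEBUG - hook function exec: 0x7bdc8 => kernel32!CreateFileW(lpFileName=example.txt, dwDesiredAccess=GENERIC_READ, dwShareMode=FILE_SHARE_READ|FILE_SHARE_WRITE, lpSecurityAttributes=0x12ff6f0, dwCreationDisposition=OPEN_EXISTING, dwFlagsAndAttributes=FILE_ATTRIBUTE_NORMAL, hTemplateFile=0x0) = 0xcc => HANDLE
2025-02-02 17:26:11,663 - DEBUG - hook function exec: 0x73667 => kernel32!ReadFile(hFile=0xcc, lpBuffer=0x167d1e0, nNumberOfBytesToRead=4096, lpNumberOfBytesRead=0x12ff700, lpOverlapped=0x0) = 0x1 -> BOOL
2025-02-02 17:26:11,706 - DEBUG - hook function exec: 0x73667 => kernel32!ReadFile(hFile=0xcc, lpBuffer=0x167d1e0, nNumberOfBytesToRead=4096, lpNumberOfBytesRead=0x12ff700, lpOverlapped=0x0) = 0x1 -> BOOL
2025-02-02 17:26:11,713 - DEBUG - hook function exec: 0x719e2 => kernel32!CloseHandle(0xcc)=0x1
2025-02-02 18:26:22,963 - DEBUG - hook function exec: 0x571f79 => kernel32!VirtualAlloc(lpAddress=0x0, dwSize=1024, flAllocationType=MEM_COMMIT|MEM_RESERVE, flProtect=PAGE_READWRITE) = 0x1400000 -> LPVOID
2025-02-02 18:26:22,983 - DEBUG - hook function exec: 0x572006 => kernel32!VirtualProtect(lpAddress=0x1400000, dwSize=1024, flNewProtect=PAGE_READONLY, lpflOldProtect=0xeffbe8) = 0x1 -> BOOL
2025-02-02 18:26:22,991 - DEBUG - hook function exec: 0x572074 => kernel32!VirtualFree(lpAddress=0x1400000, dwSize=0, dwFreeType=MEM_DECOMMIT) = 0x1 -> BOOL
"""
# Constructed (hypothetical sites/addresses): RW region flipped to RX and never freed.
CONSTRUCTED_LOG = """
2025-02-02 18:30:00,000 - DEBUG - hook function exec: 0x401000 => kernel32!VirtualAlloc(lpAddress=0x0, dwSize=4096, flAllocationType=MEM_COMMIT|MEM_RESERVE, flProtect=PAGE_READWRITE) = 0x1500000 -> LPVOID
2025-02-02 18:30:00,010 - DEBUG - hook function exec: 0x401050 => kernel32!VirtualProtect(lpAddress=0x1500000, dwSize=4096, flNewProtect=PAGE_EXECUTE_READ, lpflOldProtect=0x12ff00) = 0x1 -> BOOL
"""

if __name__ == "__main__":
    for s in build_lifecycles(SAMPLE_LOG.splitlines() + CONSTRUCTED_LOG.splitlines())[0]:
        print(summarize(s))
```

Two caveats the summary makes explicit: the trace records `nNumberOfBytesToRead`, which is the size the caller asked for, while the count actually read is written through the `lpNumberOfBytesRead` pointer and is not in the line, so `reads` counts calls rather than bytes; and opens that return `NULL` or `INVALID_HANDLE_VALUE` are skipped rather than tracked, since later uses of those values would otherwise be attributed to a resource that never existed. Anything the parser cannot place (a use or close of a handle it never saw opened, typically because the hook list did not include the opener) ends up in `orphans`, which is the list to check before trusting the summaries.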