Improved dotNET Tracer

kao

dotNET Tracer is a great tool created by my friend Kurapica. It provides information really useful for analyzing different .NET protections, like which modules are being loaded, which functions are being JIT-compiled, and so on.
DotNET Tracer main window

Unfortunately, it is missing some features and has some small bugs. For example, DisguiserNET.Sample.GUI unpackme by li0nsar3c00l (another friend of mine!) detects dotNET tracer and refuses to run:

Disguiser detects dotNET Tracer

Cause of the problem

It's actually quite simple. dotNET Tracer is using .NET CLR Profiling APIs to gather the information. To do that, it needs to set several environment variables, as you can see in the Form_Main.cs:

ProcessStartInfo ProcessSInfo = new ProcessStartInfo(this.toolStripTextBox_FileName.Text, this.toolStripTextBox_args.Text);
ProcessSInfo.EnvironmentVariables.Add("COR_ENABLE_PROFILING", "1");
ProcessSInfo.EnvironmentVariables.Add("COR_PROFILER", "{7A460847-6B67-4C0C-883E-21B233A6DEF8}");
ProcessSInfo.EnvironmentVariables.Add("COMPLUS_ProfAPI_ProfilerCompatibilitySetting", "EnableV2Profiler");

After profiling dll (system.dll) is initialized, it resets first 2 environment variables, but forgot to reset the 3rd one. Disguiser detects presence of that variable and crashes. Oops.

Solution

After spending some time on both tracer and the unpackme, I'm happy to present a fixed version of dotNET Tracer. So far I have improved:

  1. Created workaround for li0n's anti-profiler trick;
  2. Added logging of "Module load finished" events. This prints imagebase for loaded DLLs and thus makes dumping resources from memory easier;
  3. When you close dotNET Tracer, traced process will be killed automatically.

Disguiser runningjust fine
Now I can spend more time on the unpackme.. 🙂

Download link for binaries: http://www.mediafire.com/?8zfaukefx39i32n
I respect Kurapica's wishes and therefore source code will not be made available.

11 thoughts on “Improved dotNET Tracer

  1. Made some updates
    * Added commandline support
    * improved right-click-jumps to .net Reflector

    {hidden link}
    _________________________________________________________________________
    btw incase you like to sign up at the Black Storm forum that python line might
    [ chr(int (x, 16) ) for x in "68 65 6C 70".split() ]
    you to asker their registration question. 🙂
    "".join( [ chr(int (x, 2) ) for x in "0b1001000 0b1100101 0b1101100 0b1101100 0b1101111 0b100000 0b1010111 0b1101111 0b1110010 0b1101100 0b1100100 0b100001".split() ] )

    1. Comment approved, even though I generally don't allow other people to do self-promotions on my blog. 😉

      Disclaimer: I haven't checked the link above. Use at your own risk.

  2. can you give us the updated version of tracer? i cant seems to register to blackstorm due to questions indicated to them. also can i request to register me in blackstorm? thanks

    1. My version is still available, download link is in the end of the post. If you want Kurapica's version, just google for some public links. There are lots of them..

      Please remember that this blog post was written in year 2015, there might be a better tools now.

  3. Thank you again admin Kao.Your so good . Can you please accept me as your friend in gmail or any chatting app so i can talk and send you message .

Leave a Reply

  • Be nice to me and everyone else.
  • If you are reporting a problem in my tool, please upload the file which causes the problem.
    I can`t help you without seeing the file.
  • Links in comments are visible only to me. Other visitors cannot see them.

two  −  one  =