the way to track shellcode executed by a new thread

[kmkw926]

Hello.

Some malware deploys shellcode on private memory and executes it in a "new thread" by calling CreateThread or NtCreateThreadEx.
I'm wondering it's possible that current implementation of TinyTracer can track a shellcode executed by new thread.
When I analysed a malware that uses this technich, it seemed not to track by TinyTracer as no API call log was shown in tag file.
And also, I checked repository wiki and tiny tracer ini file, but I couldn't find any relative options.

I think it will become more useful by this.
thank you.

[hasherezade]

Hello @kmkw926 !
Yes, you can follow the shellcode executed in a new thread (or any other method) by enabling in TinyTracer.ini:

FOLLOW_SHELLCODES=3

[kmkw926]

I tried again after changing FOLLOW_SHELLCODES option to 3, and I got the result that I want !
thank you for advice !