Flag: Tornado! Hurricane!

Blogs >> Sirmabus's Blog

Created: Tuesday, July 31 2007 19:44.03 CDT Modified: Wednesday, August 1 2007 18:29.30 CDT
Printer Friendly ...
Real Time Tracing
Author: Sirmabus # Views: 3538

My little real time code tracing tool is really taking off.
See for some basic info on using the CPU trace mechanism:
http://www.openrce.org/blog/view/535/Branch_Tracing_with_Intel_MSR_Registers

I've had an idea to track in real time what a process is doing in it's code space for around three years now, and have been playing with technology to do it.
Basically something to help a reverse engineer locate specific code inside of a process.

Using a simple KMD I've got the flexibility and speed (speed could be better) to do what I need now.

The real acid test is the ability to load in a modern game, like "WOW", "LOTRO", etc., and trace all threads in real time. Something I can now do. And that's no simple feat.
At least not with out some sort of ICE.  Is you have $20,000+ hardware you can do this already, but this CPU feature and software setup anyone with a modern PC can do it.

These types of process (current games and multimedia application) hog most of the system resources when they are active.
Try tracing a running game, or any other near real time software using the debugging APIs.  An "exercise in futility"..

Playing with the simple UI I've got going, and some current tests show that I might have something useful.  If it all works right, it will be something that people haven't really seen before.

Besides my intended use, there are a number of other possibilities to do with this technology.  
Such as real time code coverage tools, malware/security tracing, performance profiling, etc.

Hopefully I will have a demo (pictures, video, working tool) of it soon. And I intend to share the knowledge.
Be interesting to see what (if at all) people will do with it and if they find it useful or not..


Blog Comments
phantal Posted: Wednesday, August 1 2007 11:30.42 CDT
  Bravo!

  I was looking for good code coverage tools, and a good tool for tracing through a call tree akin to Paimei, but kept running into walls.  Paimei is cool, but it suffers from the inability to work with binaries that are large.  Bullseye's code coverage tool is cool, but 1) it decreases performance of the client application (not as much as others, though), 2) requires you to recompile the project (if you're tracing an app you don't have source to, scratch that idea), and 3) its instrumentation mechanism creates some problems when the code is doing some creative things that aren't common.

  I'll be interested to see more.  Keep us in the loop.

-Brian

Raindog Posted: Wednesday, August 1 2007 13:48.24 CDT
yeah keep us posted.

Sirmabus Posted: Thursday, September 20 2007 08:09.45 CDT
Built a E6750 Core2 Duo based system, so now that I've had a chance to test on a dual core, and tried a dual CPU Xeon, both are working well.


Work on the DS (Debug Store) method has been a bit delayed for more R&D.
It turns out the DS control block and buffers (used for both Branch trance BTS and PEBS) requires a certain setup that might not be compatible with at least WindowsXP.

It will take a at least one or more kernel hacks to make it work optimally. For one, it will need a thread context switch hook to turn on BTS for threads of interest, and off otherwise.

According to this post on the Intel dev site using DS store should make it around 4x faster over the Interrupt per branch setup:
http://softwarecommunity.intel.com/isn/community/en-us/forums/thread/980330.aspx

There is little published information on the web period. Seems that the few people that ventured into the area never returned..
If you have R&D'ed the area, and other wise can lead me to more information on a working DS setup for WindowsXP, please send me the URL(s).






Add New Comment
Comment:









There are 31,320 total registered users.


Recently Created Topics
[help] Unpacking VMP...
Mar/12
Reverse Engineering ...
Jul/06
hi!
Jul/01
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06


Recent Forum Posts
Finding the procedur...
rolEYder
Question about debbu...
rolEYder
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n


Recent Blog Entries
halsten
Mar/14
Breaking IonCUBE VM

oleavr
Oct/24
Anatomy of a code tracer

hasherezade
Sep/24
IAT Patcher - new tool for ...

oleavr
Aug/27
CryptoShark: code tracer ba...

oleavr
Jun/25
Build a debugger in 5 minutes

More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...

djnemo on:
Nov/17
Kernel debugger vs user mod...

acel on:
Nov/14
Kernel debugger vs user mod...

pedram on:
Dec/21
frida.github.io: scriptable...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit