Topic created on: February 11, 2008 15:22 CST by dELTA.
When the subject of profilers came up briefly in some discussion over at the RCE Forums a while ago, I remember catching myself feeling surprised that they are practically never mentioned in reversing contexts. Coverage tools like pStalker are sometimes (but rarely) mentioned in practical reversing contexts, and I guess that compared to the more complex profilers, these code coverage tools are also the most natural, but for some purposes a more profiler-centric tool would be more efficient, e.g. in the event of pinpointing some code that consumes lots of CPU power (e.g. a bug or other suspect piece of code like this one: http://www.woodmann.com/forum/showthread.php?t=11302) or when you want to efficiently pinpoint e.g. some encryption/decryption code, checksum code or similar, where the same code blocks are hit a very high number of times during a short period of time. And of course, the target will be an executable for which we don't have the source code.
My Google searches about this subject have been hard to get good results from. Partly because of the ambiguous word "profiler", but mostly because most profiler software seems to be primarily aimed at and centered around analyzing programs that you already have the source code for. Also, the area of code profiling (let alone binary, source code-less code profiling) is so small in relation to other areas of interest that it is easily drowned even more in irrelevant search results, and this also makes it very hard to find out which, if any, products are popular or good within this field.
So, which tools do/have you all used and/or recommend for binary profiling as described above?
To clarify: What I'm primarily looking for is logging of code execution hits on the basic block level, with hit counters and sorting in decreasing order of the most frequently hit code blocks (possibly of the approximate kind, i.e. it's not necessary that the hits are counted exactly by means of breakpoints; many profilers use sampling techniques too, to speed up the process at the cost of more approximate results).
Two well-known sampling-based profilers are the ones from Intel and AMD (see the Profiler CRCETL entry at: http://www.woodmann.com/collaborative/tools/index.php/Category:Profiler_Tools), but I'm not sure if there are other ones more focused on source code-less binary profiling, or, even more interesting, if there are some known ones (maybe in the form of OllyDbg or IDA plugins?) that work on a more exact (i.e. non-sampling) breakpoint-based (of INT3, or even better, memory access breakpoint type) basic block level?
All good tips and ideas are appreciated, anyone?
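The two counting strategies the post contrasts, as an added example that is not part of the original post: exact per-block entry counting (what an INT3 breakpoint on every basic block start would give) versus periodic sampling, both run over a constructed instruction trace of a small loop with a rarely taken side path. The addresses, the trace, and the control-flow flags are made up for the illustration.

```python
import bisect
from collections import Counter

# Constructed trace: (address, ends_with_control_flow) per executed instruction.
# Models block A (3 instrs, conditional jump), block B (taken only in iteration 2),
# block C (loop back-edge) and an exit block D. All addresses are invented.
A = [(0x401000, False), (0x401004, False), (0x401008, True)]
B = [(0x40100c, False), (0x401010, True)]
C = [(0x401014, False), (0x401018, True)]
D = [(0x40101c, False), (0x401020, True)]

def build_trace():
    """Three loop iterations (side path B only in the second), then exit."""
    return A + C + A + B + C + A + C + D

def block_leaders(trace):
    """Block starts: the first executed instruction and every instruction
    that executes right after a control-flow instruction."""
    leaders = {trace[0][0]}
    for (_, is_cf), (nxt, _) in zip(trace, trace[1:]):
        if is_cf:
            leaders.add(nxt)
    return leaders

def exact_hits(trace):
    """Breakpoint-style counting: one hit each time a block start executes.
    Returns (block_start, hits) sorted by decreasing hit count."""
    leaders = block_leaders(trace)
    counts = Counter(addr for addr, _ in trace if addr in leaders)
    return counts.most_common()

def sampled_hits(trace, period):
    """Timer-style sampling: every `period`-th instruction is attributed to
    the block containing it (greatest block start <= sampled address).
    Blocks that never fall on a sample point are missed entirely."""
    leaders = sorted(block_leaders(trace))
    counts = Counter()
    for i in range(0, len(trace), period):
        addr = trace[i][0]
        counts[leaders[bisect.bisect_right(leaders, addr) - 1]] += 1
    return counts.most_common()

if __name__ == "__main__":
    trace = build_trace()
    for label, result in (("exact", exact_hits(trace)),
                          ("sampled/4", sampled_hits(trace, 4))):
        print(label, [(hex(a), n) for a, n in result])
```

With this trace the exact counter ranks the loop body blocks A and C at 3 hits each, while sampling every fourth instruction under-counts them and never sees the exit block D at all, which is the kind of approximation the sampling-based profilers trade for speed.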