Description
itrace is a dynamic application execution tracer, essentially analogous to strace except that it traces application-level
function calls instead of syscalls. The tool has also been extended to provide
automatic disassembling and program state inspection (registers, memory, etc.).
With it, one can trace the control flow of a running process, generate control
flow graphs, determine how input data to a program is used, and other helpful
tasks which can facilitate program debugging or reverse engineering of
obfuscated binaries.
Implementation
The current implementation is able to handle tracing of Linux x86 binaries
using Linux's ptrace interface. itrace simply forks a child which execs the
target binary as a traced process. The target process is then single-stepped.
To generate control flow graphs, itrace looks for a CALL or RET instruction and
logs a function call site (INV) or function return (RET), respectively. The
following instruction pointer address after either a CALL or RET is also logged
as function execution (EXE) or resumption of a function (RES). A similar
technique is used for both conditional (JCC, TCJ, FTJ) and unconditional jumps
(JMP, TAR).
If memory inspection is enabled, itrace will also perform an automatic inspection of referenced registers and memory as the traced process executes. This is implemented by disassembling the currently executing instruction and logging the values of any registers it uses and the addresses and contents of any memory locations it references.
Though the only platform and architecture currently supported are Linux and x86, the tool is architected to allow porting to others easily. Other ptrace-based systems on x86 may also work with the current implementation.
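The fork/exec, single-step and CALL/RET detection loop described above, as an added example in C that is not itrace's own code. It assumes Linux x86-64 (the tool itself targets 32-bit x86), decodes only the common one-byte control-transfer opcodes, and reads the page's TCJ/FTJ tags as taken versus fallen-through conditional jumps, which is an assumption.

```c
/* Added itrace-style tracer, not itrace's code. Assumes Linux x86-64; the tool itself targets 32-bit x86. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <sys/user.h>
enum kind { K_NONE, K_CALL, K_RET, K_JMP, K_JCC };
/* Classify the instruction at buf; *len is its length for the fixed-length forms decoded here (0 if unknown). */
enum kind classify(const uint8_t *buf, int *len) {
    int i = 0; while (buf[i] >= 0x40 && buf[i] <= 0x4F) i++;        /* skip x86-64 REX prefixes */
    uint8_t op = buf[i], next = buf[i + 1]; *len = 0;
    if (op == 0xE8) { *len = i + 5; return K_CALL; }                    /* CALL rel32 */
    if (op == 0xC3 || op == 0xC2) return K_RET;                         /* RET, RET imm16 */
    if (op == 0xE9) { *len = i + 5; return K_JMP; }                     /* JMP rel32 */
    if (op == 0xEB) { *len = i + 2; return K_JMP; }                     /* JMP rel8 */
    if (op >= 0x70 && op <= 0x7F) { *len = i + 2; return K_JCC; }       /* Jcc rel8 */
    if (op == 0x0F && next >= 0x80 && next <= 0x8F) { *len = i + 6; return K_JCC; } /* Jcc rel32 */
    if (op == 0xFF) return ((next >> 3) & 7) == 2 ? K_CALL : ((next >> 3) & 7) == 4 ? K_JMP : K_NONE; /* FF /2 CALL, FF /4 JMP r/m */
    return K_NONE;
}
int transfer_len(const uint8_t *buf) { int n; classify(buf, &n); return n; }
/* Tag for the instruction reached after a transfer: EXE after CALL, RES after RET, TAR after JMP, FTJ/TCJ for a Jcc (assumed meanings). */
const char *next_tag(enum kind k, uint64_t pc, int len, uint64_t next_pc) {
    switch (k) {
    case K_CALL: return "EXE"; case K_RET: return "RES"; case K_JMP: return "TAR";
    case K_JCC:  return (len && next_pc == pc + len) ? "FTJ" : "TCJ"; default: return NULL;
    }
}

#ifdef __x86_64__
int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s prog [args]\n", argv[0]); return 1; }
    pid_t pid = fork();
    if (pid == 0) { ptrace(PTRACE_TRACEME, 0, 0, 0); execvp(argv[1], argv + 1); _exit(127); }
    int status, prev_len = 0; enum kind prev = K_NONE; uint64_t prev_pc = 0;
    for (waitpid(pid, &status, 0); WIFSTOPPED(status); waitpid(pid, &status, 0)) {   /* one step per iteration */
        struct user_regs_struct r; ptrace(PTRACE_GETREGS, pid, 0, &r);
        const char *t = next_tag(prev, prev_pc, prev_len, r.rip); if (t) printf("%s 0x%llx\n", t, r.rip);
        long w[2] = { ptrace(PTRACE_PEEKTEXT, pid, (void *)(uintptr_t)r.rip, 0),      /* fetch 16 bytes at rip */
                      ptrace(PTRACE_PEEKTEXT, pid, (void *)(uintptr_t)(r.rip + 8), 0) };
        prev = classify((const uint8_t *)w, &prev_len); prev_pc = r.rip;
        static const char *site[] = { NULL, "INV", "RET", "JMP", "JCC" };            /* the page's site tags */
        if (site[prev]) printf("%s 0x%llx\n", site[prev], r.rip);
        ptrace(PTRACE_SINGLESTEP, pid, 0, 0);
    }
    return 0;
}
#endif
```

Build with a C compiler and run it as ./tracer /bin/true to see INV/EXE and RET/RES lines for every call and return the process makes. The classifier skips only REX prefixes, so transfers carrying other prefixes are not logged.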
Planned Future Work
There are quite a few extensions I would like to make to this tool. This
includes, in no particular order:
- incorporate modules to handle other platforms and architectures
- extraction and use of symbol tables from binaries and dynamic libraries
- matching of instructions, memory accesses, etc. to allow one to determine what code touches certain parts of memory, e.g. a string like, oh, "This product is not registered." ;-)
- instruction caching to reduce ptrace overhead
- execution over basic blocks instead of single-stepping, again to reduce ptrace overhead
- incorporation of function descriptions to enable output of function arguments
Recent Project News
A new release of itrace has been made. The main
change has been the addition of memory inspection, as well as numerous
bugfixes.
Source can be downloaded here.
An initial release of itrace, a dynamic
application execution tracer, has been made. I find it useful
in reverse engineering stripped binaries; perhaps you might as well.
I have quite a list of improvements I would like to make to this
tool, though, including bringing its feature set closer to strace, improving its support for
reverse engineering, as well as porting its functionality to
more platforms and architectures.
Source can be downloaded here.