2009 16th Working Conference on Reverse Engineering (2009)
Lille, France
Oct. 13, 2009 to Oct. 16, 2009
ISSN: 1095-1350
ISBN: 978-0-7695-3867-9
pp: 43-52
ABSTRACT
For a long time, dynamic tracing has been an enabling technique for reverse engineering tools. Tracing can be used not only to record the control flow of a particular component, such as a piece of malware itself, but also to analyze the interactions of that component with, and its impact on, the rest of the system. Unlike Unix-based systems, for which several dynamic tracing tools are available, Windows has lacked appropriate tools. From a reverse engineering perspective, however, Windows may be considered the most relevant OS, particularly with respect to malware analysis. In this paper, we present NTrace, a dynamic tracing tool for the Windows kernel, drivers, system libraries, and applications that supports function boundary tracing. NTrace incorporates two novel approaches: (1) a way to integrate with Windows Structured Exception Handling and (2) a technique to instrument binary code on IA-32 architectures that is both safe and more efficient than DTrace.
INDEX TERMS
Reverse engineering, Software debugging, Operating system kernels
CITATION
M. von Löwis, A. Polze, J. Passing and A. Schmidt, "NTrace: Function Boundary Tracing for Windows on IA-32," 2009 16th Working Conference on Reverse Engineering (WCRE), Lille, France, 2009, pp. 43-52.
doi:10.1109/WCRE.2009.12