2009 16th Working Conference on Reverse Engineering (2009)
Oct. 13, 2009 to Oct. 16, 2009
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/WCRE.2009.12
For a long time, dynamic tracing has been an enabling technique for reverse engineering tools. Tracing can not only be used to record the control flow of a particular component such as a piece of malware itself, it is also a way to analyze the interactions of a component and their impact on the rest of the system. Unlike Unix-based systems, for which several dynamic tracing tools are available, Windows has been lacking appropriate tools. From a reverse engineering perspective, however, Windows may be considered the most relevant OS, particularly with respect to malware analysis. In this paper, we present NTrace, a dynamic tracing tool for the Windows kernel, drivers, system libraries, and applications that supports function boundary tracing. NTrace incorporates 2 novel approaches: (1) a way to integrate with Windows Structured Exception Handling and (2) a technique to instrument binary code on IA-32 architectures that is both safe and more efficient than DTrace.
Reverse engineering, Software debugging, Operating system kernels
M. von Löwis, A. Polze, J. Passing and A. Schmidt, "NTrace: Function Boundary Tracing for Windows on IA-32," 2009 16th Working Conference on Reverse Engineering(WCRE), Lille, France, 2009, pp. 43-52.