2013 20th Working Conference on Reverse Engineering (WCRE) (2009)
Oct. 13, 2009 to Oct. 16, 2009
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/WCRE.2009.12
For a long time, dynamic tracing has been an enabling technique for reverse engineering tools. Tracing can not only be used to record the control flow of a particular component such as a piece of malware itself, it is also a way to analyze the interactions of a component and their impact on the rest of the system. Unlike Unix-based systems, for which several dynamic tracing tools are available, Windows has been lacking appropriate tools. From a reverse engineering perspective, however, Windows may be considered the most relevant OS, particularly with respect to malware analysis. In this paper, we present NTrace, a dynamic tracing tool for the Windows kernel, drivers, system libraries, and applications that supports function boundary tracing. NTrace incorporates 2 novel approaches: (1) a way to integrate with Windows Structured Exception Handling and (2) a technique to instrument binary code on IA-32 architectures that is both safe and more efficient than DTrace.
Reverse engineering, Software debugging, Operating system kernels
Martin von Löwis, Andreas Polze, Johannes Passing, Alexander Schmidt, "NTrace: Function Boundary Tracing for Windows on IA-32", 2013 20th Working Conference on Reverse Engineering (WCRE), vol. 00, no. , pp. 43-52, 2009, doi:10.1109/WCRE.2009.12