The Community for Technology Leaders
2013 20th Working Conference on Reverse Engineering (WCRE) (2009)
Lille, France
Oct. 13, 2009 to Oct. 16, 2009
ISSN: 1095-1350
ISBN: 978-0-7695-3867-9
pp: 43-52
ABSTRACT
For a long time, dynamic tracing has been an enabling technique for reverse engineering tools. Tracing can not only be used to record the control flow of a particular component such as a piece of malware itself, it is also a way to analyze the interactions of a component and their impact on the rest of the system. Unlike Unix-based systems, for which several dynamic tracing tools are available, Windows has been lacking appropriate tools. From a reverse engineering perspective, however, Windows may be considered the most relevant OS, particularly with respect to malware analysis. In this paper, we present NTrace, a dynamic tracing tool for the Windows kernel, drivers, system libraries, and applications that supports function boundary tracing. NTrace incorporates 2 novel approaches: (1) a way to integrate with Windows Structured Exception Handling and (2) a technique to instrument binary code on IA-32 architectures that is both safe and more efficient than DTrace.
INDEX TERMS
Reverse engineering, Software debugging, Operating system kernels
CITATION
Martin von Löwis, Andreas Polze, Johannes Passing, Alexander Schmidt, "NTrace: Function Boundary Tracing for Windows on IA-32", 2013 20th Working Conference on Reverse Engineering (WCRE), vol. 00, no. , pp. 43-52, 2009, doi:10.1109/WCRE.2009.12
98 ms
(Ver 3.3 (11022016))