The Community for Technology Leaders
2009 16th Working Conference on Reverse Engineering (2009)
Lille, France
Oct. 13, 2009 to Oct. 16, 2009
ISSN: 1095-1350
ISBN: 978-0-7695-3867-9
pp: 43-52
For a long time, dynamic tracing has been an enabling technique for reverse engineering tools. Tracing can not only be used to record the control flow of a particular component such as a piece of malware itself, it is also a way to analyze the interactions of a component and their impact on the rest of the system. Unlike Unix-based systems, for which several dynamic tracing tools are available, Windows has been lacking appropriate tools. From a reverse engineering perspective, however, Windows may be considered the most relevant OS, particularly with respect to malware analysis. In this paper, we present NTrace, a dynamic tracing tool for the Windows kernel, drivers, system libraries, and applications that supports function boundary tracing. NTrace incorporates 2 novel approaches: (1) a way to integrate with Windows Structured Exception Handling and (2) a technique to instrument binary code on IA-32 architectures that is both safe and more efficient than DTrace.
Reverse engineering, Software debugging, Operating system kernels

M. von Löwis, A. Polze, J. Passing and A. Schmidt, "NTrace: Function Boundary Tracing for Windows on IA-32," 2009 16th Working Conference on Reverse Engineering(WCRE), Lille, France, 2009, pp. 43-52.
104 ms
(Ver 3.3 (11022016))