Academic publications
NTrace: Function Boundary Tracing for Windows on IA-32
with Alexander Schmidt, Martin von Löwis, and Andreas Polze.
Abstract: For a long time, dynamic tracing has been an enabling technique for reverse engineering tools. Tracing can not only be used to record the control flow of a particular component such as a piece of malware itself, it is also a way to analyze the interactions of a component and their impact on the rest of the system. Unlike Unix-based systems, for which several dynamic tracing tools are available, Windows has been lacking appropriate tools. From a reverse engineering perspective, however, Windows may be considered the most relevant OS, particularly with respect to malware analysis. In this paper, we present NTrace, a dynamic tracing tool for the Windows kernel, drivers, system libraries, and applications that supports function boundary tracing. NTrace incorporates 2 novel approaches: (1) a way to integrate with Windows Structured Exception Handling and (2) a technique to instrument binary code on IA-32 architectures that is both safe and more efficient than DTrace.
In Proceedings of the 16th Working Conference on Reverse Engineering. October 13-16, 2009, Lille, France.
The slides contain animations, so prefer the PPTX version.
Dynamic Tracing of Windows NT Kernel Mode Components
Abstract: Dynamic tracing can be utilized for a variety of purposes, debugging, performance evaluation,
and program analysis being amongst them. Although the implementations of respective
tracing systems tend to differ sharply, a limited number of tracing techniques can be
identified which all of these solutions base on. Based on this insight, part I of this thesis
discusses these tracing techniques in detail and proposes an appropriate classification
scheme. This scheme promises to allow both current and future tracing solutions to be
classified based on their usage of these tracing techniques.
In its second part, this thesis discusses NTrace, a dynamic function boundary tracing
solution for Windows NT kernel mode components that has been developed as part of
this effort. NTrace not only demonstrates how synergies with Microsoft’s Hotpatching
technology can be utilized in order to achieve safety regarding runtime code modification.
It also stands out due to deep integration with the exception handling infrastructure of
Windows, Structured Exception Handling. With the ability to trace exception unwinds,
NTrace is able to yield more precise results than a sheer function entry/exit tracing approach
would allow.
By not restricting the usage to customized kernel versions but providing support for retail
editions of IA-32 Windows NT, NTrace also promises general applicability. Finally, the
performance of NTrace, and the overhead imposed by tracing activity, is discussed in part
III, which concludes the thesis.
Master’s thesis, October 2008, Hasso-Plattner-Institut, Potsdam, Germany.