Academic publications

Posted on

NTrace: Function Boundary Tracing for Windows on IA-32

with Alexander Schmidt, Martin von Löwis, and Andreas Polze.

Abstract: For a long time, dynamic tracing has been an enabling technique for reverse engineering tools. Tracing can not only be used to record the control flow of a particular component such as a piece of malware itself, it is also a way to analyze the interactions of a component and their impact on the rest of the system. Unlike Unix-based systems, for which several dynamic tracing tools are available, Windows has been lacking appropriate tools. From a reverse engineering perspective, however, Windows may be considered the most relevant OS, particularly with respect to malware analysis. In this paper, we present NTrace, a dynamic tracing tool for the Windows kernel, drivers, system libraries, and applications that supports function boundary tracing. NTrace incorporates 2 novel approaches: (1) a way to integrate with Windows Structured Exception Handling and (2) a technique to instrument binary code on IA-32 architectures that is both safe and more efficient than DTrace.

In Proceedings of the 16th Working Conference on Reverse Engineering. October 13-16, 2009, Lille, France.

The slides contain animations, so prefer the PPTX version.

Dynamic Tracing of Windows NT Kernel Mode Components

Abstract: Dynamic tracing can be utilized for a variety of purposes, debugging, performance evaluation, and program analysis being amongst them. Although the implementations of respective tracing systems tend to differ sharply, a limited number of tracing techniques can be identified which all of these solutions base on. Based on this insight, part I of this thesis discusses these tracing techniques in detail and proposes an appropriate classification scheme. This scheme promises to allow both current and future tracing solutions to be classified based on their usage of these tracing techniques.

In its second part, this thesis discusses NTrace, a dynamic function boundary tracing solution for Windows NT kernel mode components that has been developed as part of this effort. NTrace not only demonstrates how synergies with Microsoft’s Hotpatching technology can be utilized in order to achieve safety regarding runtime code modification. It also stands out due to deep integration with the exception handling infrastructure of Windows, Structured Exception Handling. With the ability to trace exception unwinds, NTrace is able to yield more precise results than a sheer function entry/exit tracing approach would allow.

By not restricting the usage to customized kernel versions but providing support for retail editions of IA-32 Windows NT, NTrace also promises general applicability. Finally, the performance of NTrace, and the overhead imposed by tracing activity, is discussed in part III, which concludes the thesis.

Master’s thesis, October 2008, Hasso-Plattner-Institut, Potsdam, Germany.

Any opinions expressed on this blog are Johannes' own. Refer to the respective vendor’s product documentation for authoritative information.
« Back to home