Flag: Tornado! Hurricane!

 Forums >>  Brainstorms - General  >>  Good Binary Code Profilers?

Topic created on: February 11, 2008 15:22 CST by dELTA .

When the subject of profilers came up briefly in some discussion over at the RCE Forums a while ago, I remember catching myself feeling surprised that they are practically never mentioned in reversing contexts. Coverage tools like pStalker are sometimes (but rarely) mentioned in practical reversing contexts, and I guess that compared to the more complex profilers, these code coverage tools are also the most natural, but for some purposes, a more profiler centric tool would be more efficient, e.g. in the event of pin-pointing some code that consumes lots of CPU power (e.g. a bug or other suspect piece of code like this one: http://www.woodmann.com/forum/showthread.php?t=11302) or when you want to efficiently pinpoint e.g. some encryption/decryption code, checksum code or similar, where the same code blocks are hit a very high number of times during a short period of time. And of course, the target will be an executable for which we don't have the source code.

My Google searches about this subject have been hard to make good results of. Partly because of the ambiguous "profiler" word, but mostly because most profiler software seems to be primarily aimed and centered around analyzing programs that you already have the source code for. Also, the area of code profiling (let alone binary, source code-less, code profiling) is so small in relation to other areas of interest, that it is easily drowned even more in irrelevant search results, and this also makes it very hard to find out which, if any, products are popular or good within this field.

So, which tools do/have you all used and/or recommend for binary profiling as described above?

To clarify: What I'm primarily looking for is logging of code execution hits on the basic block level, with hit counters and sorting in decreasing order of the most frequently hit code blocks (possibly of the approximate kind, i.e. it's not necessary that the hits are counted exactly by means of breakpoints, many profilers use sampling techniques too, to speed up the process at the cost of more approximative results).

Two well-known sampling-based profilers are the ones from Intel and AMD (see the Profiler CRCETL entry at: http://www.woodmann.com/collaborative/tools/index.php/Category:Profiler_Tools), but I'm not sure if there are other ones more focused on source code-less binary profiling, or even more interesting if there are some known ones (maybe in the form of OllyDbg or IDA plugins?) that work on a more exact (i.e. non-sampling) breakpoint-based (of INT3, or even better, memory access breakpoint type) basic block level?

All good tips and ideas are appreciated, anyone?

  RolfRolles     February 11, 2008 18:01.29 CST
Ilfak released a simple IDA coverage plugin that could be modified to your needs.  The big problem with statically-driven binary-only code coverage tools is that if they incorrectly decide something is code (specifically, a function) when it's actually data, and set a software breakpoint on that "code":  at best you get undefined behavior, at worst you get a crash.  Code/data separation is undecidable in general.

A pure dynamic option might be something like a DynamoRIO extension.

  MohammadHosein     February 11, 2008 18:50.35 CST
are you looking for something that PaiMei cannot provide ?

  dELTA     February 12, 2008 06:37.55 CST
Thanks for the tip Rolf. I remember that plugin, but I also remember that it was just a pure code coverage "one break per block" tool, and just like Ilfak says in the related blog entry (at: http://www.hexblog.com/2006/03/coverage_analyzer.html):

"Since we do not have 'real' breakpoints that have to be kept intact after firing, the logic becomes very simple (note that the most difficult part of breakpoint handling is resuming the program execution after it: you have to remove the breakpoint, single step, put the breakpoint back and resume the execution - and the debugged program can return something unexpected at any time, like an event from another thread or another exception)."

Thus, the needed modifications are most likely relatively big to accomplish the counting feature, which would require persistent breakpoints. :-/

And MohammadHosein, yes, this could of course most likely be _implemented_ with the help of PaiMei, just like it could be _implemented_ as e.g. an OllyDbg plugin or an IDA Pro plugin. This would require quite some work though, and in order not to have to invent the wheel again, I was hoping to find out that someone had already created such a tool, hence my question. Thanks for your reply anyway though!

  pedram     February 12, 2008 09:38.21 CST
If you're only interested in profiling select DLLs or the main executable then PaiMei's PStalker GUI tool should do it straight for you. Alternatively, some minor changes to the tracer_msr_branch.py pydbg script should get you exactly what you need.

  dELTA     February 12, 2008 17:35.14 CST
Hey Pedram, does the pStalker GUI tool really include code block hit counters and the ability to sort code blocks based on those? I must have missed this completely in that case?

Thanks for the tip about the coding/patching possibilities too.

  dELTA     February 15, 2008 16:10.58 CST
For anyone interested, my similar inquiry over at the RCE Forums has turned into quite an interesting discussion at this point, with references to some really cool tools:


  alton   June 17, 2013 05:37.55 CDT
I really like your way of expressing the opinion and sharing the information.

Note: Registration is required to post to the forums.

There are 31,207 total registered users.

Recently Created Topics
Robbinhood ransomwar...
Information on the t...
Information on the m...
Order Finax, Fincar ...
Information on the m...
Order Proscar (Finas...
Order Proscar, Finax...
Order Finasteride, F...
How to view IDA Pro'...
reverse MC9S12DG128

Recent Forum Posts
Finding the procedur...
Question about debbu...
Looking for an advan...
Looking for an advan...
Looking for an advan...
Identify RVA data in...
let 'IDAPython' impo...
How to find specific...
Problem with ollydbg
How can I write olly...

Recent Blog Entries
Android Application Reversing

Breaking IonCUBE VM

Anatomy of a code tracer

IAT Patcher - new tool for ...

CryptoShark: code tracer ba...

More ...

Recent Blog Comments
ComPuer on:
Android Application Reversing

nieo on:
IAT Patcher - new tool for ...

djnemo on:
Kernel debugger vs user mod...

acel on:
Kernel debugger vs user mod...

pedram on:
frida.github.io: scriptable...

More ...

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit