Created: Saturday, September 8 2007 17:15.00 CDT Modified: Tuesday, September 18 2007 16:09.04 CDT
SpiderPig Memory Tracer
Author: Piotr # Views: 2814

Firstly, let's start with a little SpiderPig introduction:


In the last few days I decided to finish the prototype of my old memory tracer idea, which had stayed in my drawer for some time already. Generally, I was trying to build it for the Immunity Debugger Plugin Challenge, but I had some problems with the debugger itself, since it crashed most of the time while working with SpiderPig, so I've hacked some functions of the debugger itself and now it's pretty stable - but I guess it's not suitable for the challenge, so I will not submit it.

The main idea of SpiderPig is to trace a specified memory region (or a specified register value), and also to trace all the child regions that were created by referencing previously traced regions. So whenever a previously traced memory region is referenced, or any other memory region that is based on a previously traced memory region is created, SpiderPig will snort it.

Since I don't want to talk about the tracing technique itself, I will just show you some basic sample output of a trace:

The following code will be traced (it's really dumb, so don't try to work out what it does, but look at the stack and the global variables); of course I'm not tracing every instruction of the code, that would be too easy and too slow...


/* some gibberish */

#include <windows.h>   /* GetTickCount */
#include <string.h>    /* memset */

/* some globals */
int g1 = 0;
int g2 = 0;
int g3 = 0;
int g4 = 0;


/* you can use following procedure in your own software if you want :) */
int sub1(int param1)
{
    g1 = (param1 * 55) + GetTickCount();
    g1 ^= 0x66;
    g1 ^= 33;
    return g1;
}


void yo(int param)
{
    char buff[10];
    g2 = g3 = param;
    sub1(param);
    memset((void*)&buff, 0x0, param);   /* zeroes 'param' bytes of buff */
}


int main(void)
{
    int our_param = 5;      // <--- we will be tracing this
    _asm {                  // MSVC inline assembly
        lea eax, our_param
        int 3               // just a breakpoint
    };
    if (our_param > 10)
        return 0;

    yo(our_param);

    our_param = 0;
    return 0;
}


#0 Tracing State (our_param = 555 (sample))

The condition (our_param > 10) is met, and we end the program execution; that's how SpiderPig reports it:


#1 Tracing State (our_param = 5 (sample))

The condition (our_param > 10) is not met, and we continue the program execution, so here we have:


Also a clearer graph is available here.


Graph Legend:
  • blue node - shows the child node (child object)
  • red node - shows the instruction which referenced the object
  • Defined regs - shows the traced registers at the current moment
  • Created at - shows where the object was created
  • Destroyed at - shows where the object was destroyed
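To make the tracing idea concrete (one root region, every child object derived from it, plus the "created at", "destroyed at" and referencing-instruction records from the legend), here is an added Python example. It is not SpiderPig's code: the instruction trace, its addresses and the simple "dst := src" / "dst := dst op src" operand model are constructed assumptions modelled on the sample program above.

```python
from dataclasses import dataclass, field

@dataclass
class Node:                      # one traced object ("blue node" in the graph)
    loc: object                  # register name or memory address
    created_at: int              # instruction that wrote it
    parent: "Node" = None        # object it was derived from
    destroyed_at: int = None
    referenced_by: list = field(default_factory=list)  # "red node" instructions

COMBINE = {"add", "xor", "imul"}  # dst := dst op src; every other op is dst := src

class Tracer:
    def __init__(self, root, root_created_at):
        self.nodes = [Node(root, root_created_at)]
        self.live = {root: self.nodes[0]}     # location -> currently traced object

    def step(self, addr, op, dst, src):
        parent, cur = self.live.get(src), self.live.get(dst)   # src "imm" = constant
        if parent is not None:
            parent.referenced_by.append(addr)
        if op in COMBINE and cur is not None:
            cur.referenced_by.append(addr)
            if parent is None:            # e.g. g1 ^= 0x66: still derived from the root
                return
        if cur is not None:               # dst overwritten: its old object is destroyed
            cur.destroyed_at = addr
            del self.live[dst]
        if parent is not None:            # new child object derived from src
            self.live[dst] = Node(dst, addr, parent)
            self.nodes.append(self.live[dst])

# Constructed trace of the sample program; all addresses are hypothetical.
OUR_PARAM, PARAM_SLOT, G1, G2 = 0x0012FF7C, 0x0012FF70, 0x00403008, 0x00403000
TRACE = [
    (0x401010, "load",  "eax", OUR_PARAM),   # main: eax = our_param
    (0x401013, "store", PARAM_SLOT, "eax"),  # pushed as yo()'s argument
    (0x401020, "load",  "ecx", PARAM_SLOT),  # yo: ecx = param
    (0x401023, "store", G2, "ecx"),          # g2 = param
    (0x401030, "imul",  "eax", "ecx"),       # sub1: eax = param1 * 55
    (0x401036, "store", G1, "eax"),          # g1 = ...
    (0x40103C, "xor",   G1, "imm"),          # g1 ^= 0x66
    (0x401045, "mov",   "ecx", "imm"),       # ecx reused for an unrelated constant
    (0x401050, "store", OUR_PARAM, "imm"),   # our_param = 0: root object dies
]

def run_trace(root=OUR_PARAM, trace=TRACE):
    t = Tracer(root, 0x401000)                # root written by "mov [our_param], 5"
    for addr, op, dst, src in trace:
        t.step(addr, op, dst, src)
    return t.nodes                            # objects in creation order
```

Walking the returned nodes gives exactly the graph data the legend describes: each node's parent is the edge to its child object, `referenced_by` are the red nodes, and `created_at`/`destroyed_at` are the two lifetime labels.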


#Conclusions

If you have ever tried reversing something, or some bug-finding routines, sooner or later you get tired of tracing memory variables that flow in all directions; SpiderPig is an idea to make that a faster and less painful task. Of course it's a prototype; there are many things to be done and many things to be changed (because I think I have missed some important points already :)). What I can say is that stack tracing is really painful, so in future versions I will try to avoid it as far as I can; also, it currently has some problems with larger applications.

So here's a little TODO list:

TODO:
  • stable tracing driver
  • take care of node duplication
  • miniregions (and yes, they are not standard mini regions)
  • stack tracing avoidance methods (heuristics)
  • multithreading

That's all! *hrum* *hrum*