Dynamic Tracing of Binary Code Execution
iTrace is a dynamic application execution tracer, essentially analogous to strace except that it traces application-level function calls instead of syscalls. The tool has also been extended to provide automatic disassembling and program state inspection (registers, memory, etc.). With it, one can trace the control flow of a running process, generate control flow graphs, determine how input data to a program is used, and other helpful tasks which can facilitate program debugging or reverse engineering of obfuscated binaries.
The current implementation can trace Linux x86 binaries using Linux's ptrace interface. iTrace simply forks a child which execs the target binary as a traced process; the target process is then single-stepped. To generate control flow graphs, iTrace looks for a CALL or RET instruction and logs a function call site (INV) or function return (RET), respectively. The instruction pointer address reached after a CALL or RET is also logged, as a function entry (EXE) or the resumption of a function (RES), respectively. A similar technique is used for both conditional (JCC, TCJ, FTJ) and unconditional jumps (JMP, TAR).
If memory inspection is enabled, iTrace will also perform an automatic inspection of referenced registers and memory as the traced process executes. This is implemented by performing a disassembly of the currently executing instruction, and logging the values of any used registers or referenced memory locations and their contents.
Though Linux on x86 is currently the only supported platform, the tool is structured to make porting to other operating systems and architectures straightforward. Other ptrace-based systems on x86 may also work with the current implementation.
2005 (1 publication)
Reverse Engineering of Network Signatures
Proceedings of the Asia Pacific Information Technology Security Conference (AusCERT 2005)