Kayaker
January 28th, 2003, 17:41
Hi All
I've decided to publicly release the Softice Backtrace Disassembler project I've been playing with for close to 2 years. With the help of Clandestiny it has turned into a very useful personal reversing tool we want to share with the general programming and reversing community at large.
Nicknamed TraceDump, this is a Win9x tool made to work in conjunction with the BACKTRACE feature of any SoftIce version 4.05 or earlier (Driver Studio support might be possible if there is enough interest). It allows convenient viewing and saving of the recorded backtrace addresses as disassembled text. Presently there is no way to do this other than looking at the backtrace in Softice and perhaps doing multiple screendumps.
Backtraces of a target program can be produced, either before or after fully loading, and in either a running or suspended state be immediately disassembled into a listview for analysis. The ability to produce a backtrace of a section of code and then suspend the process in SoftIce (with the usual 'jmp eip' technique) and disassemble it is extremely useful for analyzing programs that overwrite code or use anti-tracing techniques.
TraceDump can be used as a replacement loader for the default SoftIce Symbol Loader, accessible from a right-click Explorer shell context menu, allowing you to break at WinMain to begin general tracing or setting up of a Backtrace for later disassembly.
Multiple instances of a memory-context Disassembler, which can be run independently, can be opened with the Backtrace results to further disassemble selected code, trace calls or jumps, including Redirected API addresses, or analyze any valid system memory.
Imports and packer redirected API calls executed during the Backtrace can be listed and saved, serving as a simple API Monitor. Standard PE Header and Import information is also available.
A very useful feature is the ability to break into SoftIce at any time after the program is loaded, in the same memory context as the target program. Since TraceDump is loaded as an injected dll and shares the same memory space, the target program will be accessed in the correct memory context for any Softice related analysis.
With the right Backtrace you can now leisurely examine all the code flow during a program's execution, including Self Modifying Code (SMC), and unpacking code which accesses high memory regions outside of the normal program range. Since the SoftIce Backtrace records the exact sequence of instruction addresses executed, the disassembled code is virtually free of all SMC obfuscation. The ability to generate fully deobfuscated code in a text format is possibly one of the most unique and useful features of TraceDump.
The help file is complete and contains backtracing examples and hints for making the most of the utility. If you no longer have Win9x installed but might want to reconsider using the powerful feature of the Softice backtrace again, the pictures and text will help you decide. There is essentially no limit to the size of the backtrace or saved disassembled text that can be produced, beyond RAM and the specific target program considerations.
On a personal note: Why version 2.0? I released version 1.0 ages ago, a very basic prototype luckily long dead and buried in which you had to search for and dump your own backtrace buffer from memory before disassembling it. I was fortunate that Clandestiny came along and said "Hey, why don't you code a vxd that will auto dump the buffer?" So we got our hands dirty with Softice code and Clandestiny coded the dumper vxd with radical notions like runtime patching interrupts into winice code and hooking them so we could track the buffer pointers to always accurately dump the correct backtrace. We played with the idea of realtime disassembly of the backtrace line by line as it was recorded, but this proved very problematic and as it turns out being able to suspend the process and dump the trace at any time is just as effective.
A lot was learned while coding this and I think we both crashed our systems enough times that all the bugs are worked out or error handled, but if not, all the usual disclaimers apply and all feedback is appreciated. Hope you find it useful.
Cheers,
Kayaker
and
Clandestiny
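The post's key point is that a listing built from the recorded execution sequence shows the bytes that actually ran, so self-modifying code cannot hide behind the static image. The following is an added illustration, not TraceDump's own code: it assumes a trace of (eip, bytes executed at eip) pairs, a constructed sample rather than a real SoftIce backtrace dump, and a deliberately tiny opcode table standing in for a real disassembler.

```python
"""Turn an execution-ordered address trace into a listing and flag SMC.
Added example (not TraceDump code); the opcode table and sample trace are
constructed for illustration only."""

# Minimal single-byte x86 opcode table, just enough for the sample below.
OPCODES = {0x90: "nop", 0x40: "inc eax", 0x48: "dec eax",
           0xC3: "ret", 0xCC: "int 3", 0xF4: "hlt"}


def decode(code: bytes) -> str:
    """Render one instruction; anything not in the table is shown as raw db bytes."""
    if code and code[0] in OPCODES and len(code) == 1:
        return OPCODES[code[0]]
    return "db " + " ".join(f"{b:02X}" for b in code)


def listing(trace):
    """trace: iterable of (eip, bytes) in execution order.
    Returns rows (eip, hex, mnemonic, smc) where smc is True when the
    same address executes again with different bytes than last time."""
    last_seen = {}   # eip -> bytes that executed there most recently
    rows = []
    for eip, code in trace:
        smc = eip in last_seen and last_seen[eip] != code
        last_seen[eip] = code
        rows.append((eip, code.hex().upper(), decode(code), smc))
    return rows


def smc_addresses(trace):
    """Set of addresses whose executed bytes changed during the trace."""
    return {eip for eip, _, _, smc in listing(trace) if smc}


def render(trace):
    """Text form of the listing, one line per executed instruction."""
    return "\n".join(f"{eip:08X}  {hx:<6} {mn:<10}{' ; SMC' if smc else ''}"
                     for eip, hx, mn, smc in listing(trace))


# Constructed sample: 401001 runs as 'inc eax', is patched, then runs as 'dec eax'.
SAMPLE_TRACE = [
    (0x401000, b"\x90"), (0x401001, b"\x40"), (0x401002, b"\x90"),
    (0x401001, b"\x48"), (0x401002, b"\x90"), (0x401003, b"\xC3"),
]

if __name__ == "__main__":
    print(render(SAMPLE_TRACE))
```

A static disassembly of the same region would show only whichever bytes were present at dump time; the trace-ordered listing shows both versions, in the order they ran.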