首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 看雪峰会 看雪商城 证书查询
  1. 看雪社区
  2. 外文翻译
    3. 发新帖
onlyu 当前任务――翻译完,待整理
2004-8-14 09:15 5081

onlyu 当前任务――翻译完,待整理

zmworm 活跃值
4
2004-8-14 09:15
5081
Hit跟踪[Hit trace]
Hit trace gives you the possibility to check which parts of the code were executed and which not. The method implemented in OllyDbg is rather straightforward. It sets INT3 breakpoint on every command within the specified region. When breakpoint executes, OllyDbg removes it and marks command as hit. As each trace breakpoint executes only once, this method is very fast.

When using hit trace, special care must be taken not to set breakpoint on data, or with high probability application will crash. For this reason, you must analyze code to enable corresponding menu options. I recommend that you select strict or heuristical procedure recognition. Fuzzy option is too error-tolerant and often finds non-existing procedures.

When you set trace breakpoint even on a single command within the module, OllyDbg allocates trace buffers of twice the size of code section.

Note that when you remove hit trace, you simultaneously remove forced run trace.

See also: Disassembler menu, Run trace, Trace options

$#KRun跟踪[Run trace]
Run trace is the way to backtrace program execution that precedes some event. You can also use run trace for simple profiling. Basically, OllyDbg executes debugged program step-by-step, like in animation, but it doesn't redraw windows and - most important - logs addresses, contents of registers, messages and known operands to the run trace buffer. If debugged code is self-modified, you can save original commands. Start run trace by pressing Ctrl+F11 (run trace into, entering subroutines) or Ctrl+F12 (run trace over, executing calls at once), and stop it with F12 or Esc.

#You can specify a set of conditions that are checked on each step of the run trace (shortcut: Ctrl+T). Run trace stops if any condition is met. Conditions include:

•        Pause when EIP is in the address range;
•        Pause when EIP is outside the address range;
•        Pause when some condition is true;
•        Pause when next command is suspicious, i.e. potentially invalid (according to the rules set in Analysis 3), accesses non-existing memory, sets single-step trap flag or accesses stack beyond the actual ESP. Notice that this option can significantly (up to 20%) slow down the speed of run trace;
•        Pause after specified number of commands is traced (more precisely, added to run trace buffer). Note that counter doesn't autorestart. That is, if you set command count to 10, trace will pause once after 10 commands are executed, and not on every 10th command.
•        Pause when next command matches one of the specified patterns. You can use imprecise commands and operands and matching 32-bit registers RA and RB. Like R32, they substitute any general-purpose 32-bit register but have the same values within the command. RA and RB in this case must be different. For example, in program that consists of XOR EAX,EAX; XOR ESI,EDX, pattern XOR R32,R32 matches both commands; XOR RA,RA matches only the first one, and pattern XOR RA,RB matches only XOR ESI,EDX.

Of course, run trace requires plenty of memory, in average 16 to 35  bytes per command depending on the mode, and is very slow. On a 500-MHz processor under Windows NT it can trace up to 5000 commands per second. Windows 95 is slower: only 2200 commands per second. But in many cases, for example when program jumps to the non-existing address, this is the only way to find the reason. You can exclude quasi-linear sequences of commands (with sole exit at the end of the sequence) from the run trace. When OllyDbg encounters excluded sequence, it sets temporary breakpoint at the command that immediately follows excluded block and runs it at once. Of course, any return or jump to outside would make correct tracing impossible, so OllyDbg checks the piece of code you want to exclude and in hard cases asks you for confirmation.

In most cases you are not interested in tracing system API code. Trace option "Always trace over system DLLs" allows you to trace over API functions in trace/animation into modes. OllyDbg assumes that module is system if it resides in system folder. From the Modules window you can mark any DLL as system or non-system.

To make execution faster, you can limit run trace to selected commands or pieces of code by setting run trace breakpoints and running program. I call this "forced run trace". Basically, run trace breakpoints are non-removable hit trace breakpoints. If you delete hit trace, you simultaneously remove run trace.

Trace commands mentioned at the beginning of this topic automatically open trace buffer. You can specify its size (up to 64 MB) in Options. This buffer is circular and, when full, discards the oldest records.

You can explicitly open or clear run trace buffer by selecting 'Debug|Open or clear run trace' from the main OllyDbg menu. After run trace buffer is open, OllyDbg logs all pauses in execution, even those that were not caused by run trace. For example, you can step through the program by pressing F7 or F8 and then backtrace the execution using keys Plus and Minus. Notice that these keys browse through the history when run trace buffer is closed. If you step through the run trace, Registers and Information panes get grayed to emphasize that registers they display are not actual. Trace buffer doesn't save top of stack or contents of memory referenced by registers. Registers, Information and Stack use actual memory state to interprete registers from the run trace.

#OllyDbg can count how many times every command appears in the run trace buffer. In the Disassembler window, select 'View|Profile data'. This command replaces Comments column by Profile. Or, if bar is displayed, click it several times until it displayes Profile information. Notice that displayed count is dynamical and doesn't account for the old commands discarded from the trace buffer. You can also view profile data for the whole module, sorted by hit count, in a separate Profile window.

Special Disassembler command 'Run trace|Add entries of all procedures' allows to check how frequently each recognized procedure is called. Another command 'Run trace|Add branches in procedure' forces trace on all recognized jump destinations within the procedure. In this case, profile allows to find the most frequently executed branch and optimize it for speed.

Option 'Search for|Last record in run trace' in Disassembler pop-up menu finds whether and when given command was executed for the last time.

Run trace window displays the contents of trace buffer. For each command, there is the contents of integer registers that were changed by the command (more precisely, changed from given record to next). If you doubleclick some command, window selects all occurences of the command in the trace buffer and you can quickly browse them by pressing Plus and Minus. If option 'Trace|Synchronize CPU and Run trace' is set, Disassembler will follow Run trace window.

Notice that when you remove hit trace, you simultaneously remove forced run trace.

See also: Disassembler menu, Hit trace, Trace options
------------------------翻译完后,把译文跟在后面-------------

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
点赞1
打赏
分享
最新回复 (1)
onlyu
雪    币: 127
活跃值: (212)
能力值: ( LV6,RANK:90 )
在线值:
发帖
回帖
粉丝
私信
onlyu 2 2004-8-14 10:49
2
0
译文:

Hit跟踪

    Hit 跟踪能够使您有可能检查代码的哪一部分被执行了,哪一部分没有。OllyDbg中实现的方法相当简单。它在指定的区域中的每一个命令处设置一个INT 3断点。当发生中断的时候,OllyDbg把它去除掉,并把命令标志为[hit]。因为每个跟踪断点只执行一次,这种方法就非常快速。
    当用Hit跟踪的时候,特别要注意的是不用在数据中设置断点,否则应用程序极有可能崩溃。基于这个原因,您必须分析代码来打开相关的菜单选项。我建议您选择严格或者启发式函数识别。模糊的选项容忍的错误太多,而且经常会找到不存在的函数。
    当您在模块中设置在一个简单的命令上设置跟踪断点的时候,OllyDbg会开辟两倍于代码段大小的缓冲区。
    注意当您退出hit跟踪的时候,您同时也退出了被动运行的run跟踪。

参考:反汇编菜单,Run跟踪,跟踪选项

$#KRun跟踪[Run trace]

    Run跟踪是一种先于某些事件之前的往回跟踪程序运行的一种方法。您还可以使用Run跟踪来简单的评估一下。基本上,OllyDbg是一步一步地执行被调试程序的,就像动画演示一样,除了它不能重画窗口,最重要的是能记录地址,寄存器的内容,消息和已知的操作数到Run跟踪缓冲区里去。如果被调试代码是自修改的,您就能够保存原始的命令。可以通过按Ctrl+F11(跟进,进入子程序)开始Run跟踪或者Ctrl+F12(跟出,立刻执行call),并用F12或者Esc停止跟踪。

#您可以指定在Run跟踪时的每一步执行时的条件集(快捷键:Ctrl+T)。如果条件符合,Run跟踪将暂停。条件包括:

?  当EIP在某个地址范围之内的时候暂停;
?  当EIP在某个地址范围之外的时候暂停;
?  当某些条件为真的时候暂停;
?  当下一条指令可以的时候暂停,如可能为非法指令(根据在Analysis 3中设定的规则而定),访问不存在的内存,设置了单步陷阱标志或者访问超过真正的ESP的值的堆栈。注意这个选项会明显的(大约20%)减慢Run跟踪的速度;
?  在跟踪(更确切的说,是添加到Run跟踪的缓冲去里面的指令)的指令达到指定的指令数量的时候暂停。注意计数器不能自动重启。也就是说,如果您设置指令数目为10,跟踪10条指令被执行直到暂停,并不是每10条指令暂停一次。
?   当下一条指令符合指定的样式的时候暂停。你可以使用不精确的指令和操作数并符合32位寄存器RA和RB。如R32,它们代替任何通用32位寄存器,但是在命令中有相同的值。在这种情况下,RA和RB是不同的。例如,在含有XOR EAX,EAX;XOR ESI,EDX指令的程序中,样式XOR R32,R32都符合这两条指令;XOR RA,RA只符合第一个,而样式XOR RA,RB只符合XOR ESI,EDX。

    毫无疑问,Run跟踪需要足够的内存,根据模式每个指令平均占16到35字节。在500-MHZ处理器,WindowsNT环境下,它每秒能跟踪5000条指令。Windows95慢一些:仅仅每秒钟2200条指令。但是在许多情况下,例如当一个程序跳转到不存在的地址的时候,这是寻找原因的唯一的方法。您可以从Run跟踪中排除准――线性序列的指令(在序列的最后用单纯的exit)。当OllyDbg遇到这些排除的序列是,它在这个命令中设置一个临时断点并立即到达排除的块,并立即运行它。当然了,任何返回或者跳转到外面将会使正确跟踪成为可能,所以OllyDbg检查您想排除的代码块,并强烈的询问您是否确认。

    在大多数情况下,您对跟踪系统API代码不感兴趣。跟踪选项"总是跟过系统DLL"允许你在跟踪/动画模式下跟过API函数。如果它在系统目录下,OllyDbg就假设那个模块是系统的。从模块窗口您可以标志任何DLL为系统的或者非系统的。

    为了使执行更快速,您可以提高设置Run跟踪断点并运行程序来限制Run跟踪到选定的指令或者到代码块。我把这个称作“强迫Run跟踪”。基本上Run跟踪断点是非可移hit跟踪断点。如果您退出了hit跟踪,您也同时退出了Run跟踪。

    在这个话题的开始提到的跟踪命令自动打开跟踪缓冲区。您可以在选项中指定它的大小(最高64MB)。这个缓冲区是循环使用的,当满了的时候,会丢弃老的记录。

    您可以通过从OllyDbg主菜单中选择'调试|打开或者清除Run跟踪',来明确的打开或者清除Run跟踪缓冲区。在Run跟踪缓冲区打开后,OllyDbg记录在执行过程中的所有暂停,甚至那些不是由Run跟踪引起的暂停。例如,你可以通过按F7或者F8单步运行程序然后通过使用+键和-键来往回跟踪程序的执行。注意这些键在Run跟踪缓冲区已经关闭的时候查看历史记录。如果你单步通过的Run跟踪,寄存器和信息窗会变黑来强调它们所显示的寄存器并不是实际的寄存器。跟踪缓冲区并不保存栈顶或由寄存器所指向的内存的内容。寄存器,信息,和栈在Run跟踪的时候使用实际的内存状态来解释寄存器的变化。

    #OllyDbg能够记下每个指令在Run跟踪缓冲区里面出现的次数。在反汇编窗口中,选择'查看|镜像数据'。这个命令用镜像取代了注释栏。或者,如果光条显示,单击它几次直到它显示镜像信息。注意显示出来的数字是动态的,而且不对已经从跟踪缓冲区中丢弃的指令镜像。您还可以查看对整个模块的镜像数据,按触发次数排序的,在一个独立的镜像窗口中。

    特定的反汇编命令'Run 跟踪|添加所以函数的入口点'能够检查每个认出的函数被调用的次数。另外一个命令''Run 跟踪|在函数中添加分支'强迫跟踪所有认出的在函数中的跳转目标。在这种情况下,镜像允许寻找最频繁执行的分支并在速度上作优化。

    在弹出菜单反汇编中的'查找|跟踪过程中的最新记录'选项查找给定的命令是否可执行和何时执行的。

    Run跟踪窗口显示跟踪缓冲区的内容。对每个指令来说有被指令改变的整数寄存器的内容(更精确的说是给定的记录变成下一个)。如果您双击某些指令,窗口选择所有在跟踪缓冲区里的所有指令,而且您可以通过按+和-键来快速地浏览。如果选项'跟踪|同步CPU和Run跟踪'被设置了,反汇编器将跟随Run跟踪窗口。

注意当您退出hit跟踪时,您同时也强行退出了Run跟踪。

参考:反汇编菜单,Hit跟踪,跟踪选项。

(译文完)
游客
登录 | 注册 方可回帖
 回帖  表情 雪币赚取及消费
高级回复
返回