Today's blog entry is based on the recent TippingPoint DVLabs blog entry "Hit Tracing in WinDbg" by Cody Pierce. The DVLabs posting demonstrates how to dynamically analyze a 32-bit Windows binary file in WinDbg using hit tracing. Hit tracing is the process of dynamically tracking execution flow in order to narrow your field of focus when reverse engineering a binary file. This saves you from wasting time looking at uninteresting parts of the code.
While Cody Pierce focused on using WinDbg for hit tracing, we're going to show you how to use OllyDbg.
Implementing hit tracing in OllyDbg is rather straightforward.
OllyDbg sets an INT3 breakpoint on every instruction within the region of interest. When an instruction with a breakpoint executes, OllyDbg removes the breakpoint and marks the instruction as a hit, so each instruction is recorded once no matter how many times it runs.
When dynamically reverse engineering a binary file, one problem with logging executed regions of code is that much of the code that gets logged (that is, contains hits) is code we don't really care about, such as GUI event handling. We'll call this UNINTERESTING CODE. The code we do want to focus on is INTERESTING CODE.
To solve the problem of highlighting only INTERESTING CODE we'll use a plugin that Moti wrote for OllyDbg "back in the day," called "OllySnake." This plugin overlays the built-in OllyDbg hit trace feature to filter out UNINTERESTING CODE.
So, how does the plugin work?
As an example, let's say that we want to narrow our focus to the notepad.exe code that handles the "About" command.
First, we instruct OllyDbg to trace all events that occur when we execute notepad.exe (including the "uninteresting events," such as GUI events like mouse movements, etc.). Next, we save the hit trace snapshot. Now that we have a snapshot of the UNINTERESTING CODE, we click on the "About" menu item to trigger and log the INTERESTING CODE. Finally, we save a hit trace snapshot that includes both the UNINTERESTING CODE and the INTERESTING CODE.
Can you guess what we do next? We diff the two snapshots to find just the INTERESTING CODE!
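The procedure above (baseline snapshot, trigger the "About" command, second snapshot, diff) can also be reproduced outside the debugger once both snapshots are exported to text. The script below is an added example written for this post; it is not code from the original entry or from the OllySnake plugin. It assumes a simple constructed export format of one `<hex address> <module>` line per hit (OllyDbg's own hit-trace storage format is not assumed here), and the notepad/user32 addresses in the two sample snapshots are constructed, not taken from a real trace.

```python
"""Differential hit-trace analysis: keep only hits that appear in the second
snapshot and not in the baseline, then collapse them into code regions.

Added example; the line format "<hex address> <module>" is an assumption of
this script, not OllyDbg's native hit-trace format.
"""

from typing import Dict, List, Optional, Tuple

# Constructed sample data: baseline snapshot saved after letting notepad.exe
# run and handle ordinary GUI events, before the "About" menu item is clicked.
BASELINE_SNAPSHOT = """\
# address  module
01001000 notepad
01001002 notepad
01001005 notepad
0100100A notepad
01002200 notepad
77D40000 user32
"""

# Constructed sample data: second snapshot, saved after clicking "About".
# It contains every baseline hit plus the newly executed instructions.
AFTER_SNAPSHOT = """\
# address  module
01001000 notepad
01001002 notepad
01001005 notepad
0100100A notepad
01002200 notepad
01003100 notepad
01003103 notepad
01003105 notepad
01003300 notepad
77D40000 user32
77D40012 user32
"""


def parse_snapshot(text: str) -> Dict[int, str]:
    """Parse "<hex address> <module>" lines into {address: module}.

    Blank lines and '#' comments are ignored.
    """
    hits: Dict[int, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        addr_text, module = line.split(None, 1)
        hits[int(addr_text, 16)] = module.strip()
    return hits


def interesting_hits(baseline: Dict[int, str], after: Dict[int, str]) -> Dict[int, str]:
    """Return hits present in the second snapshot but absent from the baseline.

    This is the "diff the two snapshots" step: every instruction that also ran
    during the baseline (message loop, GUI housekeeping) is discarded.
    """
    return {addr: mod for addr, mod in after.items() if addr not in baseline}


def group_ranges(addresses: List[int], max_gap: int = 16) -> List[Tuple[int, int]]:
    """Collapse addresses into (first, last) ranges.

    Hits closer than max_gap bytes to the previous hit are treated as one
    contiguous region, so the analyst sees a few code regions instead of a
    flat list of instruction addresses.
    """
    ranges: List[Tuple[int, int]] = []
    for addr in sorted(addresses):
        if ranges and addr - ranges[-1][1] <= max_gap:
            ranges[-1] = (ranges[-1][0], addr)
        else:
            ranges.append((addr, addr))
    return ranges


def diff_report(baseline_text: str, after_text: str, module: Optional[str] = None) -> List[str]:
    """One report line per newly executed code region, optionally for one module."""
    new_hits = interesting_hits(parse_snapshot(baseline_text), parse_snapshot(after_text))
    if module is not None:
        new_hits = {a: m for a, m in new_hits.items() if m == module}
    lines: List[str] = []
    # Group per module so a range never spans two modules.
    for mod in sorted(set(new_hits.values())):
        addrs = [a for a, m in new_hits.items() if m == mod]
        for first, last in group_ranges(addrs):
            count = sum(1 for a in addrs if first <= a <= last)
            lines.append(f"{mod}: {first:08X}-{last:08X} ({count} new instruction(s))")
    return lines


if __name__ == "__main__":
    for line in diff_report(BASELINE_SNAPSHOT, AFTER_SNAPSHOT):
        print(line)
```

One caveat worth keeping in mind when reading the output: the diff hides any code that ran in both sessions, so a shared routine that the "About" handler also calls (a common dialog helper, for instance) will not show up as INTERESTING CODE even though the handler depends on it. Taking the baseline over a representative idle period, and diffing several triggered snapshots against the same baseline, keeps that blind spot small.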