首页
社区
课程
招聘
[下载]Hit Tracing in OllyDbg ( 07.30.2008 )
发表于: 2008-8-2 09:14 7370

[下载]Hit Tracing in OllyDbg ( 07.30.2008 )

2008-8-2 09:14
7370
Hit Tracing in OllyDbg ( 07.30.2008 )

Today's blog entry is based on the recent Tipping Point DVLabs blog entry "Hit Tracing in WinDbg" by Cody Pierce.
The DvLabs posting demonstrates how to dynamically analyze a 32-bit Windows binary file in WinDbg using hit tracing. Hit tracing is the process of dynamically tracking execution flow in order to narrow your field of focus when reverse engineering a binary file. This saves you from wasting time looking at uninteresting parts of the code.

While Cody Pierce focused on using WinDbg for hit tracing, we're going to show you how to use OllyDbg.

Implementing hit tracing in OllyDbg is rather straightforward.

Set an INT3 breakpoint on every command within the region of interest.
When a command with a breakpoint executes, OllyDbg removes the breakpoint and marks the instruction as a hit.

When dynamically reverse engineering a binary file, one problem with logging executed regions of code is that a lot of the code that gets logged (contains hits), we don't really care about, like GUI events. We'll call this UNINTERESTING CODE. The code we do want to focus on is INTERESTING CODE.

To solve the problem of highlighting only INTERESTING CODE we'll use a plugin that Moti wrote for OllyDbg "back in the day," called "OllySnake." This plugin overlays the built-in OllyDbg hit trace feature to filter out UNINTERESTING CODE.

So, how does the plugin work?

As an example, let's say that we want to narrow our focus to the notepad.exe code that handles the "About" command.

First, we instruct OllyDbg to trace all events that occur when we execute notepad.exe (including the "uninteresting events," such as GUI events like mouse movements, etc.).
Next, we save the hit trace snapshot.
Now that we have a snapshot of the UNINTERESTING CODE, we click on the "About" menu item to trigger and log the INTERESTING CODE.
Finally, we save a hit trace snapshot that includes both the UNINTERESTING CODE and the INTERESTING CODE.

Can you guess what we do next? We diff the two snapshots to find just the INTERESTING CODE!


http://www.openrce.org/downloads/details/188/OllySnake
http://securitylabs.websense.com/content/Assets/BlogMedia/hit_trace.mov

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 1
支持
分享
最新回复 (4)
雪    币: 391
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
2
什么东东啊,给点中文解释吧
2008-8-2 22:39
0
雪    币: 200
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
3
看不太明白!!想来是个好用的插件吧?
2008-8-3 09:46
0
雪    币: 200
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
4
谢谢,比较运行代码的.
2008-9-13 18:16
0
雪    币: 205
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
5
晕,看不明白英文
2008-9-13 18:32
0
游客
登录 | 注册 方可回帖
返回
//