K2 / EhTrace

ATrace is a tool for tracing execution of binaries on Windows.
235 stars 57 forks source link
bb-graph capstone coverage graph profile ransomware-prevention ransonware rop-gadgets trace tracing-binaries

Eh'Trace (pronounced ATrace) is a binary tracing tool for Windows.

LOGO

Implemented in C but has some interesting properties that may make it suitable for tracing binaries when other methods are not sufficient, in particular EhTrace does not require changes to a binary to enable traces, despite being able to collect the same information as hooker type instrumentation, zero knowledge is needed to inspect complete code coverage and binary execution flow, register state and more.

Upcoming changes for DEFCON24

RANSOM WARRIOR -- Enforced key escrow for defending against or otherwise neutralizing ransom ware =)

RoP Defender -- Simple gadget reduction check to ensure balanced call/ret semantics

And more!!

We maintain high performance using an adaption of some known methods for high performance tracing, yet there is no requirement to use a debugger or enable debug/trace MSR capabilities.

Why is it high perf?

Branch stepping not single stepping. We get for free basic block's and do not have to worry about multipath evaluation or doing complex static analysis. State is automatically maintained temporally due to the nature of VEH. All of this is inproc also which saves context switching that impacts typical debug engines. Next update is to include get_tsc into the current struct to demonstate our event rate more clearly.

In 10 seconds; 428,833,152 (32 byte events) each event is a basic block head

CSW16 demo of notepad generated this trace, no symbols FLAMING/initial no symbols flame gtraph BB graph/with capstone dissassembly BB graph/coverage CSW16 run of notepad.exe

Associated projects

YOU NEED DBGHELP.DLL AND SYMSRV.DLL I'LL CHECK THEM IN LATER I THINK THEY ARE REDISTABLE?

More help/info on how todo whatever soon.