microsoft / DTrace-on-Windows

Code for the cross platform, single source, OpenDTrace implementation

No probes after building from source #30

Closed hawkinsw closed 1 year ago

hawkinsw commented 1 year ago

Hello everyone!

You have no idea how cool I think it is that I can run dtrace on Windows! I am a professor teaching a malware analysis course and we spent the better part of three classes learning dtrace for Windows.

I am attempting to build in a few additional "niceties" into the language that are Windows specific for working with unicode strings (not sure whether you will want them, ultimately, but ...)

I have everything working (I think) and I get a new dtrace.exe and dtrace.sys, and the sys file loads properly in the kernel. However, when I run it, the only probes available are the three dtrace-native ones:

```
>  ..\cmd\dtrace.exe -l
   ID   PROVIDER            MODULE                          FUNCTION NAME
    1     dtrace                                                     BEGIN
    2     dtrace                                                     END
    3     dtrace                                                     ERROR
```

I am sure that I am doing something wrong but I cannot seem to find any debugging output or errors to help me figure out my mistake. If you can help, that would be incredible.

I am running

Build 22621.ni_release.220506-1250

and have 10.0.22621 Windows SDK installed

and have retargeted to that (the way that the docs say).

Again, I would never turn to you for help without having done all I think I can on my own. If you can help, I would sincerely appreciate it!

Thanks again for bringing dtrace to Windows! Will

hawkinsw commented 1 year ago

I am embarrassed to say that everything was working correctly but I was not properly installing the newly built driver. I have now resolved the issues and everything works great.

That said, the process I have built to load new builds into the kernel is laborious. I am not a driver developer, so I am sure that there are best practices that I am not following. If there is documentation on a good rebuild/reload workflow, I would greatly appreciate the pointers.

Again, thank you all for the great work you have done on bringing dtrace to Windows!

Will

CodeMaxx commented 1 year ago

Hey @hawkinsw, could you tell me about your current process for installing the newly built driver?

The discussion here might interest you - #8

hawkinsw commented 1 year ago

Thanks for the note, @CodeMaxx! I will send along more information. I am in the process of (as I said) adding support (mostly for my own interest) and I will update this as soon as my teaching load calms down in the next few days! Thank you for pointing me to #8. The other bit of "documentation" that really helped was reading through the https://github.com/mandiant/STrace repository.

Thanks again for the note! Will

stevemk14ebr commented 1 year ago

It makes me very happy that my research into dtrace has helped you

CodeMaxx commented 1 year ago

Closing this but happy to continue the discussion.