snare / voltron

A hacky debugger UI for hackers
MIT License

Variable/Memory/Register stalker #8

chaostheory88 opened this issue 11 years ago (status: open)

chaostheory88 commented 11 years ago

Something like the ImmunitySec debugger, which permits following a variable/memory region/register during debugging to see how it changes during execution.

snare commented 11 years ago

I'm not very familiar with Immunity Debugger; could you give me a bit of a summary of how it would work in each case (variable, memory, register) and what the UI layout kinda looks like? You could kind of achieve this with the command view just by running voltron view cmd 'x/16x <someaddr>', but it'd be nice to have something a bit more intelligent that you could add things to track using a command in the debugger.

chaostheory88 commented 11 years ago

In ImmDbg you have two useful functions: Follow in Dump and Follow in Stack. For example, if your register contains a pointer to some data, the first function gives you the hex dump of the memory region the pointer is pointing to, and the second lets you access its value on the stack.

Thinking about those functions, my idea (I dunno if it will be useful, maybe it's bullshit, but I'd personally find it useful) is to take the address of a variable and let the debugger analyze the frame or the entire disassembly (if it is a global var, for example) and find each reference to it in the code. After the references are found, the debugger should set a breakpoint at each one and start an automated debugging procedure that shows just the operations performed on/with the variable, keeping track of the previous value it had. The same principle can be applied to a pointer, but instead of showing the previous values it should show, at each breakpoint hit, the current state of the memory dump of the region it points to.

Basically I think it's a sort of list of the actions that the code performs on those objects, shown sequentially, and maybe the user can observe not just one variable, memory region or register at a time but a list of them (maybe like the observer pattern??). Is it possible to implement such things in an efficient way?

snare commented 11 years ago

That sounds pretty cool. I think I'll have to have a play with ImmDbg to get a better idea of how it works, but I get the gist. Definitely a lot more complex than what I've done so far, but I think it sounds doable. I was thinking about maybe doing some integration with IDA too after seeing that WinDbg/GDB plugin that synchronises the graph view with the debugger. Could use IDA to do the xref stuff. Though it would be nicer if it didn't depend on it.

chaostheory88 commented 11 years ago

Yep, I think it would be better without the dependency on IDA, also because having IDA on Linux is not so simple, considering it is not an open source/free tool :).
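The procedure chaostheory88 describes above (find every reference to an address, break at each one, log only the changes) can be prototyped without IDA by scanning the debugger's own disassembly text. The script below is an added example written for this thread; it is not voltron's or snare's code and was not proposed in the discussion. It assumes objdump -d or gdb "disassemble" line formats (address, tab, instruction; "# addr <sym>" comments for RIP-relative operands), a constructed listing with hypothetical addresses (the global "counter" at 0x404020), a constructed breakpoint-hit trace, and a read/write classification that is a heuristic, not a decoder. The GDB glue at the bottom is only active when the file is sourced inside GDB and is an assumption about that API's use, untested here.

```python
"""Variable "stalker" sketch for this issue: scan a disassembly for every
instruction that references an address, break at each one, and log the value
at that address only when it changes.  Added example, not voltron's code.
Runs stand-alone on the constructed listing/trace below; when sourced inside
GDB (assumed usage, untested here) the glue at the bottom installs breakpoints."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed objdump-style x86-64 AT&T fragment with hypothetical addresses:
# the global `counter` lives at 0x404020, bump() increments it, reset() zeroes it.
SAMPLE_LISTING = """\
0000000000401126 <bump>:
  401126:\t55                   \tpush   %rbp
  401127:\t48 89 e5             \tmov    %rsp,%rbp
  40112a:\t8b 05 f0 2e 00 00    \tmov    0x2ef0(%rip),%eax        # 404020 <counter>
  401130:\t83 c0 01             \tadd    $0x1,%eax
  401133:\t89 05 e7 2e 00 00    \tmov    %eax,0x2ee7(%rip)        # 404020 <counter>
  401139:\t5d                   \tpop    %rbp
  40113a:\tc3                   \tret
000000000040113b <reset>:
  40113b:\tc7 05 db 2e 00 00 00 00 00 00\tmovl   $0x0,0x2edb(%rip)        # 404020 <counter>
  401145:\tc3                   \tret
  401146:\t48 8b 04 25 20 40 40 00\tmov    0x404020,%rax
  40114e:\tc3                   \tret
"""

ADDR_RE = re.compile(r"^\s*(?:0x)?([0-9a-f]+)(?:\s+<[^>]*>)?:")  # objdump or gdb line head
COMMENT_RE = re.compile(r"#\s*(?:0x)?([0-9a-f]+)\b")               # "# 404020 <sym>" hint

@dataclass
class Xref:
    insn_addr: int
    next_addr: Optional[int]   # following instruction, if known (used for writes)
    mnemonic: str
    operand: str               # the operand that references the target
    kind: str                  # "read" or "write" (heuristic)

def parse_insns(listing: str) -> List[Tuple[int, str]]:
    """(address, instruction text) per line; the text follows the last tab in
    both objdump -d and gdb 'disassemble' output. Symbol header lines are skipped."""
    out = []
    for line in listing.splitlines():
        head, tab, text = line.rpartition("\t")
        m = ADDR_RE.match(head) if tab else None
        if m and text.strip():
            out.append((int(m.group(1), 16), text.strip()))
    return out

def find_xrefs(listing: str, target: int) -> List[Xref]:
    """Every instruction whose operand names `target`, as an absolute literal or
    as a RIP-relative operand whose resolved address is given in the comment."""
    insns = parse_insns(listing)
    hexlit = re.compile(rf"\b0x{target:x}\b")
    xrefs = []
    for i, (addr, text) in enumerate(insns):
        mnemonic, _, rest = text.partition(" ")
        comment = COMMENT_RE.search(rest)
        hint = int(comment.group(1), 16) if comment else None
        # split operands on commas that are not inside (base,index,scale)
        ops = [o.strip() for o in re.split(r",(?![^(]*\))", rest.split("#")[0]) if o.strip()]
        for idx, op in enumerate(ops):
            if not (hexlit.search(op) or ("(%rip)" in op and hint == target)):
                continue
            # AT&T order: destination is the last operand; cmp/test never write;
            # single-operand read-modify-write forms (incl, decl, ...) do.
            is_write = ((len(ops) > 1 and idx == len(ops) - 1
                         and not mnemonic.startswith(("cmp", "test")))
                        or (len(ops) == 1 and mnemonic.startswith(("inc", "dec", "neg", "not"))))
            nxt = insns[i + 1][0] if i + 1 < len(insns) else None
            xrefs.append(Xref(addr, nxt, mnemonic, op, "write" if is_write else "read"))
    return xrefs

def stop_address(x: Xref) -> int:
    """Break on a read itself, but *after* a write: a breakpoint fires before the
    instruction executes, so stopping on the write would show the stale value."""
    return x.next_addr if x.kind == "write" and x.next_addr is not None else x.insn_addr

@dataclass
class Stalker:
    target: int
    size: int
    history: List[Tuple[int, Optional[bytes], bytes]] = field(default_factory=list)
    last: Optional[bytes] = None

    def observe(self, insn_addr: int, value: bytes) -> bool:
        """Record (where, old, new) only when the value changed; first hit always logs."""
        if value == self.last:
            return False
        self.history.append((insn_addr, self.last, value))
        self.last = value
        return True

# Constructed trace of (breakpoint address, 4 bytes at `counter`) as the stop
# handler would see them: bump twice, then reset.
SAMPLE_TRACE = [
    (0x40112a, (0).to_bytes(4, "little")),
    (0x401139, (1).to_bytes(4, "little")),   # after the write in bump()
    (0x40112a, (1).to_bytes(4, "little")),   # unchanged read: not logged
    (0x401139, (2).to_bytes(4, "little")),
    (0x401145, (0).to_bytes(4, "little")),   # after the write in reset()
]

def replay(stalker: Stalker, trace) -> list:
    for addr, mem in trace:
        stalker.observe(addr, mem)
    return stalker.history

try:
    import gdb  # only importable when this file is sourced inside GDB
except ImportError:
    gdb = None

if gdb is not None:  # assumed GDB Python API usage; not exercised stand-alone
    class StalkBreakpoint(gdb.Breakpoint):
        def __init__(self, xref: Xref, stalker: Stalker):
            super().__init__(f"*0x{stop_address(xref):x}", internal=True)
            self.xref, self.stalker = xref, stalker
        def stop(self) -> bool:
            mem = gdb.selected_inferior().read_memory(self.stalker.target, self.stalker.size)
            if self.stalker.observe(self.xref.insn_addr, bytes(mem)):
                _, old, new = self.stalker.history[-1]
                gdb.write(f"{self.xref.mnemonic} @ 0x{self.xref.insn_addr:x}: {old} -> {new}\n")
            return False  # log and keep running, like a tracepoint

    def stalk(symbol: str, functions: List[str], size: int = 4) -> Stalker:
        """(gdb) python stalk("counter", ["bump", "reset"])   # assumed usage"""
        target = int(gdb.parse_and_eval(f"&{symbol}"))
        listing = "".join(gdb.execute(f"disassemble {fn}", to_string=True) for fn in functions)
        stalker = Stalker(target, size)
        for x in find_xrefs(listing, target):
            StalkBreakpoint(x, stalker)
        return stalker

if __name__ == "__main__":
    for x in find_xrefs(SAMPLE_LISTING, 0x404020):
        print(f"0x{x.insn_addr:x} {x.kind:5} {x.mnemonic} {x.operand} (break at 0x{stop_address(x):x})")
    for where, old, new in replay(Stalker(0x404020, 4), SAMPLE_TRACE):
        print(f"0x{where:x}: {old} -> {new}")
```

The one design point worth keeping from this sketch is stop_address(): a breakpoint on the writing instruction fires before the store, so the "after" value would only show up on the next hit somewhere else. Breaking on the following instruction instead attributes each change to the write that caused it. Everything else (the xref scan, the read/write guess) is deliberately text-based so it needs neither IDA nor a decoder, at the cost of missing indirect accesses through a register, which only a watchpoint would catch.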