OpenRCE_Piotr
11-24-2007, 06:50 PM
Firstly, lets start with a little SpiderPig introduction:
In last few days i decided to finish the prototype of my old memory tracer idea, which stayed in my drawer for some time already. Generally, i was trying to build it for Immunity Debugger Plugin Challenge but i had some problems with the debugger itself since it crashed most of the time while working with SpiderPig, so ive hacked some functions of the debugger itself, and now its pretty stable - but guess its not suitable for the challenge so i will not submit it.
Main idea of SpiderPig is to trace a specified memory region (or specified register value), and also be able to trace all the childs regions that were created by refferencing to previously traced regions. So whenever a previously traced memory region will be refferenced or any other memory region which bases on previously traced memory region will be created, SpiderPig will snort it.
Since i dont want to speak about tracing technique itself, i will just show you some basic-sample output of the trace:
Following code will be traced (its really dumb so dont try to think what it does, but look at the stack and global variables), of course im not tracing every intruction of the code, that would be to easy and to slow...
#0 Tracing State (our_param = 555 (sample))
The condition (our_param > 10) is met, and we end the program execution, and thats how SpiderPig reports it:
http://piotrbania.com/all/trace_graphs/bad_value_graph.png
#1 Tracing State (our_param = 5 (sample))
The condition (our_param > 10) is not met, and we continue the program execution, so here we have (click to expand):
http://piotrbania.com/all/trace_graphs/dobry_graf_wingra.png (http://piotrbania.com/all/trace_graphs/dobry_graf_wingra.png)
Also a clearer graph is available here (http://piotrbania.com/all/trace_graphs/good_value_graph.png)
Graph Legend:
#Conlusions
If you ever tried reversing something or some bug finding routines, sooner or later you will get tired of tracing memory variables that flows in all directions, SpiderPig is an idea to make it faster and less harmful task. Of course its a prototype, there are many things to be done and many thing to be changed (because i think i missed some important points already
). What i can say, stack tracing is really painful, so in future versions i will try to avoid it as far as i can, also currently it has some problems with larger applications.
So heres a little TODO list:
TODO:
Thats all! *hrum* *hrum*
http://piotrbania.com/all/trace_graphs/dump_screen.png
(http://piotrbania.com/all/trace_graphs/dump_screen.png)
https://www.openrce.org/blog/view/890/SpiderPig_Memory_Tracer
In last few days i decided to finish the prototype of my old memory tracer idea, which stayed in my drawer for some time already. Generally, i was trying to build it for Immunity Debugger Plugin Challenge but i had some problems with the debugger itself since it crashed most of the time while working with SpiderPig, so ive hacked some functions of the debugger itself, and now its pretty stable - but guess its not suitable for the challenge so i will not submit it.
Main idea of SpiderPig is to trace a specified memory region (or specified register value), and also be able to trace all the childs regions that were created by refferencing to previously traced regions. So whenever a previously traced memory region will be refferenced or any other memory region which bases on previously traced memory region will be created, SpiderPig will snort it.
Since i dont want to speak about tracing technique itself, i will just show you some basic-sample output of the trace:
Following code will be traced (its really dumb so dont try to think what it does, but look at the stack and global variables), of course im not tracing every intruction of the code, that would be to easy and to slow...
/* some gibberish */
/* some globals */
int g1 = 0;
int g2 = 0;
int g3 = 0;
int g4 = 0;
/* you can use following procedure in your own software if you want
int sub1(int param1)
{
g1 = (param1 * 55) + GetTickCount();
g1 ^= 0x66;
g1 ^= 33;
return g1;
}
void yo(int param)
{
char buff[10];
g2 = g3 = param;
sub1(param);
memset((void*)&buff;,0x0,param);
}
int main(void)
{
int our_param = 5; // <--- we will be tracing this _asm { lea eax,our_param int 3 }; // just an breakpoint if (our_param > 10)
return 0;
yo(our_param);
our_param = 0;
return 0;
}
#0 Tracing State (our_param = 555 (sample))
The condition (our_param > 10) is met, and we end the program execution, and thats how SpiderPig reports it:
http://piotrbania.com/all/trace_graphs/bad_value_graph.png
#1 Tracing State (our_param = 5 (sample))
The condition (our_param > 10) is not met, and we continue the program execution, so here we have (click to expand):
http://piotrbania.com/all/trace_graphs/dobry_graf_wingra.png (http://piotrbania.com/all/trace_graphs/dobry_graf_wingra.png)
Also a clearer graph is available here (http://piotrbania.com/all/trace_graphs/good_value_graph.png)
Graph Legend:
blue node - shows the child node (child object)
red node - shows the instruction wich refferenced the object
Defined regs - shows the traced regs at current moment
Created at - shows where the object was created
Destroyed at - shows where the object was destroyed
#Conlusions
If you ever tried reversing something or some bug finding routines, sooner or later you will get tired of tracing memory variables that flows in all directions, SpiderPig is an idea to make it faster and less harmful task. Of course its a prototype, there are many things to be done and many thing to be changed (because i think i missed some important points already
). What i can say, stack tracing is really painful, so in future versions i will try to avoid it as far as i can, also currently it has some problems with larger applications.So heres a little TODO list:
TODO:
stable tracing driver
take care of node dupilcation
miniregions (and yes, they are not standard mini regions)
stack tracing avoidance methods (heuristics)
multithreading
Thats all! *hrum* *hrum*
http://piotrbania.com/all/trace_graphs/dump_screen.png
(http://piotrbania.com/all/trace_graphs/dump_screen.png)
https://www.openrce.org/blog/view/890/SpiderPig_Memory_Tracer