x64dbg conditional branches logger [Plugin]

[Kurapica]

Hi

 

This is just a work in progress so don't expect too much.

Please test it and report if you find bugs.

I use it like this :

First you need 2 break points to trace between, Start and End.

 

1 - Throw your target in the debugger.

2 - The Start point should break.

3 - Start the plugin.

4 - Enter the name of the module you are interested in, the plugin will try to detect the name where RIP is now.

5 - Enter the target VA, i.e the point where logging should stop, It's your End point from above.

 

There will be single stepping into this module but if RIP goes out of this module then there will be stepping over

in those external modules unless there is a call back into the that target module then there will be a single step into the target module.

 

5 - stepping will continue until we hit the 2nd point.

6 - The plugin will show a message box telling we have ended tracing.

7 - now you can save the result to a log file which looks like this in the image below.

8 - you can use any diffing system to compare the results between 2 traces, here I used a plugin for Notepad++.

 

 

Ktracer.rar

[samoray]

This is a very handy plugin, Please continu developping it.

will you please make a 32bit version.

Thanks for your efforts

[Kurapica]

I was told that the developers of x64dbg have already implemented tracing but they still have to do the GUI.

maybe it's not useful to keep working on this but it was a simple idea for a problem I had.

Lately I fixed some bugs and added this checkbox to suspend the debugger

redraws during tracing, which made tracing go much faster !

 

Ktracer.rar

[samoray]

Embedded tracing capability that was added to x64dbg is much complex than your plugin /or/ I didnt understand how it really works (I'm used to work with tracing in Olly and its very simple and effective).

will you please, try that embedded tracing and show me some short tutorial on how to configure conditions ?

Thanks Kurapica

[mrexodia]

Tracing is currently working, but it doesn't work the same way as Olly does (eg it doesn't record data). This makes it slightly useless for the avarage user. Data recording is currently being added at https://github.com/x64dbg/x64dbg/pull/807 follow the progress there if you're interested.

As for a tutorial on tracing in x64dbg:

Also there is this resource available called a manual, I understand nobody knows about this particular one but it's the best source for your information  http://help.x64dbg.com/en/latest/commands/debug-control/TraceIntoConditional.html

[Kurapica]

Excellent work Mr. exodia !

The the only difference is that my plugin records some data which can be studies later and that

I don't provide the ability to set conditions although it's not hard at all, it just allows an end VA to be reached as the end flag.

I think each one has a different usage and this even makes x64dbg more useful.

[samoray]

Thanks for all of you for your efforts,

@Kurapica: for the moment, waiting for trace function to be updated on x64dbg, will you please make a 32x version of your plugin as it is indeed what I'm missing for the moment.

thanks in advance 

[Kurapica]

I can't say it's very stable because I compiled it quickly for 32bit.

I'm interested more in the 64 bit version now.

Ktracer.rar

[samoray]

Thanks for your help  I'll try it and report back 

[Kurapica]

Bugs fixed and output improved ...

Ktracer.dp32

Ktracer.dp64

[samoray]

@Kurapica:

Thank you for your great help,

is it possible to include logging of registers and its values?.

 

[mrexodia]

Just a quick inquiry, will you be making this plugin open source? It might be an interesting example plugin  

[Kurapica]

I will make it open source but I think it still needs more work before that.

[mrexodia]

Okay, cool! You could very easily add conditional tracing too. Just use DbgValFromString (or DbgFunctions()->ValFromString for more control) and you can allow the user to type any expression (including rip==va). See http://help.x64dbg.com/en/latest/introduction/Expressions.html for more information.

[Gyver75]

HI Kurapica,

i downloaded your plugin but ver32 is not recognized by last version of x64_dbg. The 64 bit version of your plugin instead works fine.

[samoray]

@gyver75: the plugin works fine I just tested it and no problem on the 32bit version.

try to delete it and replace by new copy .

[Gyver75]

nope, i downloaded again and put plugin ( 32 bit ver) in 32/plugin folder of x64dbg but nothing, it doesn't appear in the menu of plugins ehn launch the debugger x32dbg . I have win10 pro . 

 

 

Edited July 25, 2016 by Gyver75

[kao]

@Gyver75: For me it works out of the box. But most likely you're missing "Microsoft Visual C++ 2010 Redistributable Package (x86)". Try installing this: https://www.microsoft.com/en-us/download/details.aspx?id=8328

 

[Gyver75]

thx kao, y are right! Problem solved

[Kurapica]

@Mr. eXoDia

Source code : https://github.com/KurapicaBS/x64_tracer

Edited August 12, 2016 by Kurapica

[mrexodia]

 

[mrexodia]

Has the tracer improved in speed? There have been some performance-related updates recently.

[Kurapica]

It's hard to be accurate on this question without benchmarks which I don't have now.

somehow It feels faster to my eyes but the real difference happens when I tick the "disable GUI updates" checkbox.

 

[mrexodia]

Okay, I'm asking because (simple) scripts can reach 500 events/s when not disabling GUI updates...

[Kurapica]

500 events / s ?!

I wonder where the bottleneck is in my silly plugin

anyway I think it's still useful as the "Animate" function in ollydbg.