Jump to content
Tuts 4 You

x64dbg conditional branches logger [Plugin]


Kurapica

Recommended Posts

Hi

 

This is just a work in progress so don't expect too much.

Please test it and report if you find bugs.

I use it like this :

First you need 2 break points to trace between, Start and End.

 

1 - Throw your target in the debugger.

2 - The Start point should break.

3 - Start the plugin.

4 - Enter the name of the module you are interested in, the plugin will try to detect the name where RIP is now.

5 - Enter the target VA, i.e the point where logging should stop, It's your End point from above.

 

There will be single stepping into this module but if RIP goes out of this module then there will be stepping over

in those external modules unless there is a call back into the that target module then there will be a single step into the target module.

 

5 - stepping will continue until we hit the 2nd point.

6 - The plugin will show a message box telling we have ended tracing.

7 - now you can save the result to a log file which looks like this in the image below.

8 - you can use any diffing system to compare the results between 2 traces, here I used a plugin for Notepad++.

2016_06_25_140922.jpg

 

 

Ktracer.rar

  • Like 6
Link to comment

This is a very handy plugin, Please continu developping it.

will you please make a 32bit version.

Thanks for your efforts

Link to comment

I was told that the developers of x64dbg have already implemented tracing but they still have to do the GUI.

maybe it's not useful to keep working on this but it was a simple idea for a problem I had.

Lately I fixed some bugs and added this checkbox to suspend the debugger

redraws during tracing, which made tracing go much faster !

2016_06_28_014020.jpg

 

Ktracer.rar

  • Like 1
Link to comment

Embedded tracing capability that was added to x64dbg is much complex than your plugin /or/ I didnt understand how it really works (I'm used to work with tracing in Olly and its very simple and effective).

will you please, try that embedded tracing and show me some short tutorial on how to configure conditions ?

Thanks Kurapica

Link to comment

Tracing is currently working, but it doesn't work the same way as Olly does (eg it doesn't record data). This makes it slightly useless for the avarage user. Data recording is currently being added at https://github.com/x64dbg/x64dbg/pull/807 follow the progress there if you're interested.

As for a tutorial on tracing in x64dbg:

GOz3iBa.png

YUq9hAf.png

duSZQOV.png

Also there is this resource available called a manual, I understand nobody knows about this particular one but it's the best source for your information :D http://help.x64dbg.com/en/latest/commands/debug-control/TraceIntoConditional.html

  • Like 4
Link to comment

Excellent work Mr. exodia !

The the only difference is that my plugin records some data which can be studies later and that

I don't provide the ability to set conditions although it's not hard at all, it just allows an end VA to be reached as the end flag.

I think each one has a different usage and this even makes x64dbg more useful.

  • Like 2
Link to comment

Thanks for all of you for your efforts,

@Kurapica: for the moment, waiting for trace function to be updated on x64dbg, will you please make a 32x version of your plugin as it is indeed what I'm missing for the moment.

thanks in advance 

Link to comment

Just a quick inquiry, will you be making this plugin open source? It might be an interesting example plugin :) 

Link to comment
  • 3 weeks later...

HI Kurapica,

i downloaded your plugin but ver32 is not recognized by last version of x64_dbg. The 64 bit version of your plugin instead works fine.

Link to comment

@gyver75: the plugin works fine I just tested it and no problem on the 32bit version.

try to delete it and replace by new copy .

Link to comment

nope, i downloaded again and put plugin ( 32 bit ver) in 32/plugin folder of x64dbg but nothing, it doesn't appear in the menu of plugins ehn launch the debugger x32dbg . I have win10 pro . 

 

 

Edited by Gyver75
Link to comment
  • 3 weeks later...
  • 4 weeks later...

It's hard to be accurate on this question without benchmarks which I don't have now.

somehow It feels faster to my eyes but the real difference happens when I tick the "disable GUI updates" checkbox.

 

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...