Tuts 4 You

x64dbg conditional branches logger [Plugin]


Kurapica

Hi

 

This is just a work in progress so don't expect too much.

Please test it and report if you find bugs.

I use it like this:

First you need two breakpoints to trace between, Start and End.

 

1 - Throw your target in the debugger.

2 - The Start point should break.

3 - Start the plugin.

4 - Enter the name of the module you are interested in; the plugin will try to detect the name from where RIP is now.

5 - Enter the target VA, i.e. the point where logging should stop. It's your End point from above.

 

There will be single-stepping inside this module, but if RIP goes out of this module then there will be stepping over in those external modules, unless there is a call back into the target module, in which case there will be single-stepping into the target module again.

 

6 - Stepping will continue until we hit the 2nd point.

7 - The plugin will show a message box telling you we have ended tracing.

8 - Now you can save the result to a log file, which looks like the image below.

9 - You can use any diffing system to compare the results between 2 traces; here I used a plugin for Notepad++.

2016_06_25_140922.jpg

 

 

Ktracer.rar

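The diffing step from the procedure above, as an added example that is not part of Ktracer, x64dbg or the original post. Instead of a generic text diff it treats each log as a sequence of branch events and reports where the two runs fork, which conditional jumps produced different outcomes, and which branches were only reached in one run. The log format it parses is an assumption (the real Ktracer format is only visible in the screenshot): one conditional branch per line as address, mnemonic, target and outcome, with addresses in hex. The module base parameter exists because a module under ASLR loads at a different base on each run, so the script compares RVAs rather than raw VAs. The two sample logs are constructed, not real traces.

```python
"""Compare two conditional-branch trace logs and locate where the runs fork.

Added example for this thread, not part of Ktracer or x64dbg. The log format
is an assumption: one conditional branch per line,
"<address> <mnemonic> <target> <taken|not taken>", addresses in hex.
Subtracting the module base turns addresses into RVAs so that two runs of an
ASLR-relocated module can still be compared.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class BranchEvent:
    address: int    # RVA of the conditional jump
    mnemonic: str
    target: int     # RVA of the jump destination
    taken: bool


def parse_trace(text: str, module_base: int = 0) -> List[BranchEvent]:
    """Parse one log; pass each run's own module base so the RVAs line up."""
    events: List[BranchEvent] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 'addr mnemonic target outcome'")
        addr, mnem, target, outcome = parts
        outcome = outcome.lower()
        if outcome not in ("taken", "not taken"):
            raise ValueError(f"line {lineno}: unknown outcome {outcome!r}")
        events.append(BranchEvent(int(addr, 16) - module_base, mnem.lower(),
                                  int(target, 16) - module_base, outcome == "taken"))
    return events


def first_divergence(a: List[BranchEvent], b: List[BranchEvent]
                     ) -> Optional[Tuple[int, Optional[BranchEvent], Optional[BranchEvent]]]:
    """Index and the two events at the first position where the runs differ.

    None means the traces are identical; a None event means that run ended there.
    """
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i, a[i], b[i]
    if len(a) != len(b):
        return n, (a[n] if n < len(a) else None), (b[n] if n < len(b) else None)
    return None


def outcome_sets(events: List[BranchEvent]) -> Dict[int, Set[bool]]:
    """Which outcomes (taken / not taken) each branch address produced in a run."""
    sets: Dict[int, Set[bool]] = {}
    for ev in events:
        sets.setdefault(ev.address, set()).add(ev.taken)
    return sets


def flipped_branches(a: List[BranchEvent], b: List[BranchEvent]) -> List[int]:
    """Branches reached in both runs whose observed outcomes differ.

    For a loop this also flags the exit jump when one run never reached the
    exit condition, which is normally a useful hint rather than noise.
    """
    sa, sb = outcome_sets(a), outcome_sets(b)
    return sorted(addr for addr in sa.keys() & sb.keys() if sa[addr] != sb[addr])


def only_in(b: List[BranchEvent], a: List[BranchEvent]) -> List[int]:
    """Branch addresses reached in run b but never in run a (the other path)."""
    return sorted({ev.address for ev in b} - {ev.address for ev in a})


def describe(ev: Optional[BranchEvent]) -> str:
    if ev is None:
        return "(trace ended)"
    outcome = "taken" if ev.taken else "not taken"
    return f"{ev.address:08X} {ev.mnemonic} -> {ev.target:08X} {outcome}"


def report(a: List[BranchEvent], b: List[BranchEvent]) -> str:
    lines = []
    div = first_divergence(a, b)
    if div is None:
        lines.append("traces are identical")
    else:
        i, ea, eb = div
        lines += [f"first divergence at event #{i}:",
                  f"  run A: {describe(ea)}", f"  run B: {describe(eb)}"]
    hexlist = lambda xs: ", ".join(f"{x:08X}" for x in xs) or "-"
    lines.append("branches with different outcomes: " + hexlist(flipped_branches(a, b)))
    lines.append("reached only in run B: " + hexlist(only_in(b, a)))
    lines.append("reached only in run A: " + hexlist(only_in(a, b)))
    return "\n".join(lines)


# Constructed sample logs (not real traces): run A with a good input, run B
# with a bad one. The two-iteration compare loop at 1033/1052 bails out early in B.
GOOD_LOG = """\
0000000140001020 jne 0000000140001040 not taken
0000000140001033 je  0000000140001080 not taken
0000000140001052 jl  0000000140001033 taken
0000000140001033 je  0000000140001080 not taken
0000000140001052 jl  0000000140001033 not taken
0000000140001060 jz  00000001400010C0 taken
"""
BAD_LOG = """\
0000000140001020 jne 0000000140001040 not taken
0000000140001033 je  0000000140001080 not taken
0000000140001052 jl  0000000140001033 taken
0000000140001033 je  0000000140001080 taken
0000000140001084 jns 00000001400010A0 not taken
"""

if __name__ == "__main__":
    base = 0x140000000  # both constructed runs happen to load at the same base
    print(report(parse_trace(GOOD_LOG, base), parse_trace(BAD_LOG, base)))
```

For the typical "good input vs bad input" comparison the first divergence is the conditional jump whose outcome depends on the input, so that address is where to set the next breakpoint. Because the tracer only logs branches inside the target module, calls into other modules are invisible in the log, which is fine for this purpose but means a divergence that happens inside an external routine only shows up at the next conditional jump back in the target module.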
samoray

This is a very handy plugin. Please continue developing it.

Will you please make a 32-bit version?

Thanks for your efforts

Kurapica

I was told that the developers of x64dbg have already implemented tracing but they still have to do the GUI.

Maybe it's not useful to keep working on this, but it was a simple idea for a problem I had.

Lately I fixed some bugs and added this checkbox to suspend the debugger redraws during tracing, which made tracing go much faster!

2016_06_28_014020.jpg

 

Ktracer.rar

samoray

The embedded tracing capability that was added to x64dbg is much more complex than your plugin, or I didn't understand how it really works (I'm used to working with tracing in Olly, and it's very simple and effective).

Will you please try that embedded tracing and show me a short tutorial on how to configure conditions?

Thanks Kurapica

mrexodia

Tracing is currently working, but it doesn't work the same way as Olly does (e.g. it doesn't record data). This makes it slightly useless for the average user. Data recording is currently being added at https://github.com/x64dbg/x64dbg/pull/807; follow the progress there if you're interested.

As for a tutorial on tracing in x64dbg:

GOz3iBa.png

YUq9hAf.png

duSZQOV.png

Also, there is this resource available called a manual. I understand nobody knows about this particular one, but it's the best source for your information :D http://help.x64dbg.com/en/latest/commands/debug-control/TraceIntoConditional.html

Kurapica

Excellent work, Mr. exodia!

The only difference is that my plugin records some data which can be studied later, and that I don't provide the ability to set conditions, although it's not hard at all; it just allows an end VA to be reached as the end flag.

I think each one has a different usage and this even makes x64dbg more useful.

samoray

Thanks to all of you for your efforts.

@Kurapica: for the moment, while waiting for the trace function to be updated in x64dbg, will you please make a 32-bit version of your plugin, as it is indeed what I'm missing right now.

Thanks in advance.

Kurapica

I can't say it's very stable because I compiled it quickly for 32bit. :D

I'm interested more in the 64 bit version now.

Ktracer.rar

samoray

Thanks for your help :P I'll try it and report back.

samoray

@Kurapica:

Thank you for your great help.

Is it possible to include logging of registers and their values?

 

mrexodia

Just a quick inquiry: will you be making this plugin open source? It might be an interesting example plugin :)

Kurapica

I will make it open source but I think it still needs more work before that.

mrexodia

Okay, cool! You could very easily add conditional tracing too. Just use DbgValFromString (or DbgFunctions()->ValFromString for more control) and you can allow the user to type any expression (including rip==va). See http://help.x64dbg.com/en/latest/introduction/Expressions.html for more information.

Gyver75

Hi Kurapica,

I downloaded your plugin, but the 32-bit version is not recognized by the latest version of x64dbg. The 64-bit version of your plugin works fine, though.

samoray

@gyver75: the plugin works fine; I just tested it and there is no problem with the 32-bit version.

Try deleting it and replacing it with a new copy.

Gyver75

Nope, I downloaded it again and put the plugin (32-bit version) in the 32/plugins folder of x64dbg, but nothing; it doesn't appear in the plugins menu when I launch the x32dbg debugger. I have Win10 Pro.

Gyver75

Thx kao, you are right! Problem solved ;)

mrexodia

Has the tracer improved in speed? There have been some performance-related updates recently.

Kurapica

It's hard to be accurate on this question without benchmarks, which I don't have now.

Somehow it feels faster to my eyes, but the real difference happens when I tick the "disable GUI updates" checkbox.

 

mrexodia

Okay, I'm asking because (simple) scripts can reach 500 events/s when not disabling GUI updates...

Kurapica

500 events/s?!

I wonder where the bottleneck is in my silly plugin :(

Anyway, I think it's still useful, like the "Animate" function in OllyDbg.
