Problems logging all jumps/calls

[chickenmc]

Hello all,

I am new to x64dbg and I am trying to log all jumps and calls of my main prog1.exe. I am doing so using this command:

TraceSetLog "{p:cip}", "dis.isbranch(cip) && prog1.EntryPoint == mod.entry(dis.branchdest(cip))"

dis.isbranch(cip) will be true if there is a call or jump and the right part will check if I am in my main prog1.exe (because I don't want to log any jumps/calls from dll's that are loaded - I am only interested in prog1.exe)

After that command I type in:

StartRunTrace C:\Users\x64user\Desktop\log.txt

and then start the Run Trace (one million hits will be logged):

TraceOverConditional 0, 1000000

My problem is that only 50-300 EIP values will be logged and then an exception in the kernelbase.dll will occur. I have no idea why. It doesn't matter at which instruction I start the trace, the same amount of 50-300 hits will be logged and then the exception occurs. For the exception msg from the log window see Spoiler:

Spoiler

For prog1.exe this is the exception:

EXCEPTION_DEBUG_INFO:
           dwFirstChance: 1
           ExceptionCode: 000006A6 (RPC_S_INVALID_BINDING)
          ExceptionFlags: 00000001
        ExceptionAddress: 7512C54F kernelbase.7512C54F
        NumberParameters: 0
First chance exception on 7512C54F (000006A6, RPC_S_INVALID_BINDING)!

For a different prog.exe I received this exception:

EXCEPTION_DEBUG_INFO:
           dwFirstChance: 1
           ExceptionCode: E06D7363 (CPP_EH_EXCEPTION)
          ExceptionFlags: 00000001
        ExceptionAddress: 7512C54F kernelbase.7512C54F
        NumberParameters: 3
ExceptionInformation[00]: 19930520
ExceptionInformation[01]: 0018F73C
ExceptionInformation[02]: 0046DC88 prog.0046DC88
First chance exception on 7512C54F (E06D7363, CPP_EH_EXCEPTION)!

Then I came across this plugin which didn't work because the author didn't include all files... I got this error when compiling it: fatal error C1083: Cannot open include file: 'pluginsdk\_plugins.h': No such file or directory

My questions:

1. Can you guys reproduce the issue when you add these commands one by one:

TraceSetLog "{p:cip}", "dis.isbranch(cip) && prog1.EntryPoint == mod.entry(dis.branchdest(cip))"
StartRunTrace C:\Users\x64user\Desktop\log.txt
TraceOverConditional 0, 1000000

2. Are my commands correct or am I doing something wrong?

3. Why is the log file being murmur hashed... I want to log in plain text, is it possible? At least in the log view it is shown in plain text.

Thank you.

[Kurapica]

This is the author of that notorious plugin

I didn't include all the file because they are part of the x64dbg SDK, you can find them

when you download x64dbg, a folder named "pluginsdk".

[chickenmc]

Thanks for the plugin and the hint Kurapica ^^

I will have a look at your plugin. Thanks.

Edited November 12, 2017 by chickenmc

[chickenmc]

Your plugin works flawlessly Kurapica. Thank you.

[mrexodia]

I know you already solved your issue, but here is how to do it from x64dbg without plugins:

• Debug -> Trace into:
• 
• Click "Log File..." and set the file you want to log to.
• Click OK

 

The command StartRunTrace is for something else and allows you to record the executed instructions to a trace64 binary file. You can use it like this:

• go to the trace tab, right click -> start run trace (nothing will happen)
• start a usual trace (just leave everything empty) and wait for it to finish
• go to the trace tab again, right click -> stop run trace, you will see this:

 

[chickenmc]

I appreciate your answer mrexodia!! With your code I get 17000 steps/s which is very nice!

One little thing I noticed is, that I can only use dis.isbranch(cip) as valid log condition. Do you have an idea why my initial condition is not working? I mean this:

dis.isbranch(cip) && program123.EntryPoint == mod.entry(dis.branchdest(cip))

I tested it in the command line and it workes flawlessly, so is it maybe a bug within the trace functionality? Thanks for helping.

[chickenmc]

Please ignore my last post, it works, I had a typo. However I realized the performance of the logging is not the best because the debugger is tracing into all the calls but a StepOver over all uninsteresting calls/modules would make more sense.

I came up with this idea:

The command condition should StepOver a call that is being made to some other module (except prog1 calls). Unfortunately it's not working and I don't know why. The problem I am facing here is, that a call to any module is actually taken and the debugger breaks immediately after that. What am I doing wrong?

 

[mrexodia]

See http://help.x64dbg.com/en/latest/introduction/ConditionalTracing.html specifically the 'switch condition' part:

If switch condition evaluated to 1:

Switch (invert) the step type. If you are tracing in it will switch to out (and the other way around). This allows you to for example not trace into system module calls with the condition mod.party(dis.branchdest(cip)) == 1 or not trace into certain calls.

The command will execute always if the command condition is true, but the StepOver command stops tracing. See http://help.x64dbg.com/en/latest/introduction/ConditionalTracing.html#notes

Edited November 18, 2017 by mrexodia

[chickenmc]

With your hint I made it work, thanks.

 

 

Edited November 18, 2017 by chickenmc

[Markuzzz]

Hello chickenmc,

does this report only the jumps or does it log the jumps there are actually executed ?