Matasano Chargen: Rafal Wojtczuk’s User-Mode Single Stepping: 100x Faster Than Debuggers

  • Halvar · 3 years ago
    The question is the value for single stepping malicious code in a situation like:

    call $+5
    pop ebp
    mov eax, [ebp+5]
    cmp eax, 0xBADDEED
    jnz you're tracing me

    High speed is good of course, but single-steps
    are usually only needed on truly nasty code,
    and in truly nasty code heavy modification of
    the target address space should be avoided.
  • Ryan Russell · 3 years ago
    Is it fast enough that I can still accidentally have it tracing through the message handler loop, and not kiss my process goodbye? 'Cause I can't seem to do that in Paimei.
  • Thomas Ptacek · 3 years ago
    PaiMei shouldn't hit any breakpoint more than once in a run (at least in stalker mode), so a tight loop shouldn't be a problem.
  • Ryan Russell · 3 years ago
    Yeah, that's with Restore Breakpoints on. I don't like functions being left out of the chain I'm trying to follow, if I can help it. I need to look into how hard it will be to have a little more fine-grain control over which breakpoints you track. Obviously, it can be done since you can take one sample and exclude it, so it should just be some UI to twiddle those sets.
  • jeremy · 3 years ago
    psst.. your last Detours link in the post points to the UMSS link.
  • Thomas Ptacek · 3 years ago
    Thanks, Jeremy.
  • arkon · 1 year ago
    Halvar,
    in a way you're right, but if they implemented their tracer well, then 'call $+5' will result in the 'real' eip and thus your trick won't work.
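
A byte-level model of the exchange between Halvar and arkon, added here as an example (not code from the post or from either commenter): Halvar's snippet hand-assembled as 32-bit x86, the self-check it performs, a tracer that rewrites the next instruction in place (Detours-style jmp) and so trips the check, and one that serves the target's data reads from an untouched copy. The load address, trampoline address and the "tracer mediates data reads" capability are assumptions.

```python
import struct

BASE = 0x00401000  # constructed load address for the snippet

# Halvar's snippet, hand-assembled as 32-bit x86 (offsets relative to BASE):
#   +0  call $+5            E8 00 00 00 00  ; pushes BASE+5
#   +5  pop ebp             5D              ; ebp = BASE+5
#   +6  mov eax, [ebp+5]    8B 45 05        ; reads the cmp's imm32 at +10
#   +9  cmp eax, 0BADDEEDh  3D ED DE AD 0B  ; imm32 occupies +10..+13
#   +14 jnz detected        75 xx
CODE = bytes.fromhex("E800000000" "5D" "8B4505" "3DEDDEAD0B" "7500")

TRAMPOLINE = BASE + 0x1000  # constructed address of the tracer's stub


def self_check(read32) -> bool:
    """True when the snippet's jnz would be taken ("you're tracing me")."""
    ebp = BASE + 5                      # value popped after call $+5
    return read32(ebp + 5) != 0x0BADDEED


def reader_for(mem: bytes):
    """Data-read view of memory as the target would see it."""
    return lambda addr: struct.unpack_from("<I", mem, addr - BASE)[0]


def patch_jmp(mem: bytearray, at: int, target: int) -> None:
    """Detours-style redirect: overwrite 5 bytes at `at` with jmp rel32."""
    struct.pack_into("<Bi", mem, at - BASE, 0xE9, target - (at + 5))


def trace_in_place() -> bool:
    """Stepper that rewrites the cmp at +9 in place. The jmp displacement
    bytes land on +10..+13, exactly where mov eax,[ebp+5] reads."""
    mem = bytearray(CODE)
    patch_jmp(mem, BASE + 9, TRAMPOLINE)
    return self_check(reader_for(mem))


def trace_with_shadow() -> bool:
    """Same patch, but the stepper keeps the original bytes and answers the
    target's data reads from that copy (assumed capability), so the
    in-place edit never becomes visible to the code being traced."""
    mem = bytearray(CODE)               # what the CPU executes (patched)
    orig = bytes(CODE)                  # what the target is allowed to read
    patch_jmp(mem, BASE + 9, TRAMPOLINE)
    return self_check(reader_for(orig))
```

The two tracer functions return whether the traced code concludes it is being watched; only the shadow variant keeps the displacement bytes out of the target's view.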