Matasano Chargen - Latest Comments in Rafal Wojtczuk&#8217;s User-Mode Single Stepping: 100x Faster Than Debuggershttp://matasanochargen.disqus.com/enTue, 22 Jul 2008 14:45:58 -0000Re: Rafal Wojtczuk&#8217;s User-Mode Single Stepping: 100x Faster Than Debuggershttp://www.matasano.com/log/628/rafal-wojtczuks-user-mode-single-stepping-100x-faster-than-debuggers/#comment-2321187Halvar,<br>in a way you're right, but if they implemented their tracer well, then 'call $+5' will result in the 'real' eip and thus your trick won't work.arkonTue, 22 Jul 2008 14:45:58 -0000Re: Rafal Wojtczuk&#8217;s User-Mode Single Stepping: 100x Faster Than Debuggershttp://www.matasano.com/log/628/rafal-wojtczuks-user-mode-single-stepping-100x-faster-than-debuggers/#comment-2321186Thanks, Jeremy.Thomas PtacekTue, 05 Dec 2006 11:55:50 -0000Re: Rafal Wojtczuk&#8217;s User-Mode Single Stepping: 100x Faster Than Debuggershttp://www.matasano.com/log/628/rafal-wojtczuks-user-mode-single-stepping-100x-faster-than-debuggers/#comment-2321185psst.. your last Detours link in the post points to the UMSS link.jeremyMon, 04 Dec 2006 21:03:08 -0000Re: Rafal Wojtczuk&#8217;s User-Mode Single Stepping: 100x Faster Than Debuggershttp://www.matasano.com/log/628/rafal-wojtczuks-user-mode-single-stepping-100x-faster-than-debuggers/#comment-2321184Yeah, that's with Restore Breakpoints on. I don't like functions being left out of the chain I'm trying to follow, if I can help it. I need to look into how hard it will be to have a little more fine-grain control over which breakpoints you track. Obviously, it can be done since you can take one sample and exclude it, so it should just be some UI to twiddle those sets.Ryan RussellFri, 01 Dec 2006 02:38:53 -0000Re: Rafal Wojtczuk&#8217;s User-Mode Single Stepping: 100x Faster Than Debuggershttp://www.matasano.com/log/628/rafal-wojtczuks-user-mode-single-stepping-100x-faster-than-debuggers/#comment-2321183PaiMei shouldn't hit any breakpoint more than once in a run (at least in stalker mode), so a tight loop shouldn't be a problem.Thomas PtacekFri, 01 Dec 2006 00:18:32 -0000Re: Rafal Wojtczuk&#8217;s User-Mode Single Stepping: 100x Faster Than Debuggershttp://www.matasano.com/log/628/rafal-wojtczuks-user-mode-single-stepping-100x-faster-than-debuggers/#comment-2321182Is it fast enough that I can still accidentally have it tracing through the message handler loop, and not kiss my process goodbye? 'Cause I can't seem to do that in Paimei.Ryan RussellThu, 30 Nov 2006 18:57:14 -0000Re: Rafal Wojtczuk&#8217;s User-Mode Single Stepping: 100x Faster Than Debuggershttp://www.matasano.com/log/628/rafal-wojtczuks-user-mode-single-stepping-100x-faster-than-debuggers/#comment-2321181The question is the value for single stepping malicious code in a situation like:<br><br>call $+5<br>pop ebp<br>mov eax, [ebp+5]<br>cmp eax, 0xBADDEED<br>jnz you're tracing me<br><br>High speed is good of course, but single-steps<br>are usually only needed on truly nasty code, <br>and in truly nasty code heavy modification of <br>the target address space should be avoided.HalvarThu, 30 Nov 2006 12:15:31 -0000