Metasm HowTo: bintrace

Mon 19 July 2010 by alex

Finally, here is the tool we presented at RECON. Our objective is to demonstrate that Metasm allows tools to be developed quickly and efficiently; in this particular case we have developed a basic code tracing tool.

bintrace provides a few modules: TraceOS, TraceDB, TraceEngine and BranchTraceEngine. They are designed to be mixed into Metasm debugger objects: WinDebugger, LinDebugger, or any custom debugger implementing Metasm's debug API. The tracing engine can use a database (currently DataMapper and Sqlite3), and provides a nice GUI (don't forget to check the totally awesome rasta color scheme in trace replay mode).

For this project, performance and stealth were not priority objectives (well, they were not considered at all). Also please note that the Metasm Windows debugger currently supports only 32-bit binaries, and needs a 32-bit Ruby interpreter as well.

In order to support MSR branch tracing, a wrapper around the MSR registers is available for Windows 7 (using a lovely DynLdr component) and Linux (it should be OK for most 2.6.x kernels; you'll need the msr kernel module available). The target Windows 7 has to be booted with the /DEBUG switch, in which case the wrapper also provides direct kernel memory read/write access. Supporting Windows XP should be pretty straightforward using the NtSystemDebugControl API, see: Branch Tracing with Intel MSR Registers, by Pedram Amini. The MSR mode will work only if you run the Ruby script as administrator.

No more talk. The sources are available here, and there is even some sort of documentation. There you'll find, among other things, how to install the DB back-end. As usual, interactive support is available over IRC: the #metasm channel on the Freenode network. Feel free to come and discuss Metasm, unicorns, life or the universe.

Happy tracing!