Git Product home page Git Product logo

peekaboo's Introduction

Peekaboo

deepcode

Peekaboo is an attempt to provide an easily extensible and usable dynamic trace format. Peekaboo provides definitions for typical properties expected for dynamic traces like instruction addresses, memory operand info, register info, etc. The trace is structured as a collection of files each corresponding to some piece of information which the trace support. Currently, peekaboo has a execution tracer that is built on top of DynamoRIO. There are future plans for a PIN execution tracer and different conversion tools to convert traces obtained from other tools to peekaboo format.

Architectures

Currently Support

AMD64, X86

Going to Support

AARCH64, AARCH32

C/C++ library: libpeekaboo

How to build

cd libpeekaboo
make

How to install

This is for your easy deployment, not required for the tracer or the trace reader.

sudo make install

How to uninstall

sudo make uninstall

Tracer (DynamoRIO)

Dependency

How to build

Before building the tracer, you need to build libpeekaboo in libpeekaboo directory.

cd peekaboo_dr
mkdir build
cd build
DynamoRIO_DIR=($DynamoRIO_PATH) cmake ..
make

Then you will have a file named 'libpeekaboo_dr.so' under the build folder.

How to start tracing

Say, you want to run with command ls in 64-bit mode:

($DynamoRIO_PATH)/bin64/drrun -c ($Peekaboo_PATH)/peekaboo_dr/build/libpeekaboo_dr.so -- ls

What you can get

You should get a folder in the current directory like this:

ls-31401
├────insn.bytemap
├────process_tree.txt
└────31401
      ├────insn.trace
      ├────memfile
      ├────memrefs
      ├────metafile
      ├────proc_map
      └────regfile

If the application forked during tracing, there will be other sub folders. The structure will be like this (child PID is 32109):

fork-32105
├────insn.bytemap
├────process_tree.txt
├────32105
|     ├────insn.trace
|     ├────memfile
|     ├────memrefs
|     ├────metafile
|     ├────proc_map
|     └────regfile
└────32109
      ├────insn.trace
      ├────memfile
      ├────memrefs
      ├────metafile
      ├────proc_map
      └────regfile

Trace Reader (C/C++)

Dependency

(Optional) For disassembly function

  • (Recommended) libcapstone-dev
  • (Alternative) binutils-dev>=2.29

How to build

In the project home directory:

make

How to use

Usage: ./read_trace [Options] path_to_trace_dir
Options:
  -r                    Print register values.
  -m                    Print memory values.
  -y                    Print syscalls. Not compatible with -p.
  -s <instr id>         Print trace starting from the given id. Below zero for reversed order.
  -e <instr id>         Print trace till the given id.
  -a <memory addr>      Search for all instructions accessing given memory address.
  -p <pattern file>     Search for instruction patterns in trace. See pattern.txt for samples. Not compatible with -c.
  -h                    Print this help.

Example 1: Print all instructions inside the trace

./read_trace ./ls-31401/31401

Example 2: Print those instructions from the 100th to the 200th

./read_trace -s 100 -e 200 ./ls-31401/31401

Example 3: Print instructions with their memory access address and register values

./read_trace -mr ./ls-31401/31401

Example 4: Search for instruction patterns in the trace

Let's say you want to search for a code snippet with following instructions:

  • ...
  • push rbp
  • mov rbp,rsp
  • ...

You can create a pattern.txt with their rawbytes:

55       # push  rbp
48 89 e5 # mov   rbp,rsp

Then use pattern.txt to search:

./read_trace -p pattern.txt ./ls-31401/31401

We have created a pattern.txt as an example.

Example 5: Search for instructions which accessed a specific address

If you want to get all instructions that read/write 0x7fbfc3c3ccde:

./read_trace -a 0x7fbfc3c3ccde ./ls-31401/31401

Example 6: Show all system calls inside the trace

./read_trace -c ./ls-31401/31401

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.