Tracing

Here are the commands to use the tracing features of the debugger.

See also .

Trace management

Recorded traces can be managed from the . Traces are saved in a directory specified in the dialog.

Saved binary trace files can be loaded, saved and replayed with the new replayer debugger module, diffed against other traces (to spot differences between executions) or displayed in a proximity view (displaying the execution call graph).

Tracing window

Action    name: TracingWindow
 

Opens the 'Tracing' window.

During the execution, the list of traced events is disabled, as it couldn't be continuously synchronized with the execution without rendering the whole tracing very slow.

If a '=' character is displayed in the 'Thread' and 'Address' columns, it indicates that the trace event occurred in the same thread and at the same address as the previous trace event.

Select trace

Load a binary trace file in the 'Tracing' window.

Other options

Show a dialog with additional options for managing trace files.

This command displays a window with all the available commands to manage trace files.

Edit trace description

Show the description of a binary trace file.

This command displays a window with the description of a selected binary trace file and allows to edit it.

Diff to binary trace

Diff the currently loaded trace against a recorded trace.

This command displays a window to select a trace file to diff against the currently loaded trace, displayed in the 'Tracing' window.

Remove binary trace

Delete a binary trace file from disk.

This command displays a window to select a recorded trace file to delete from disk.

Import binary trace

Import a binary trace file from a different IDB.

This command allows to import binary trace files recorded for an IDB with a different MD5. For example, it can be used to load recorded traces from a malware sample which is practically the same, but differs in a few bytes.

Export binary trace

Export to a binary trace file all events displayed in the 'Tracing' window.

Export trace to text file

Export to a text file all events displayed in the 'Tracing' window

Show trace callgraph

Show the callgraph of the loaded trace in a proximity view.

This command displays the callgraph of the currently loaded trace in a proximity view.

Clear trace

Action    name: ClearTrace
 

Instruction tracing

Action    name: ToggleTraceInstructions
 

This command starts instruction tracing. You can then use all the debugger commands as usual: the debugger will save all the modified register values for each instruction.

Internally, the debugger runs the current thread step by step to properly obtain all the required register values. This explains why instruction tracing is slower than a normal execution.

Function tracing

Action    name: ToggleTraceFunctions
 

This command starts function tracing. You can then use all debugger commands as usual: the debugger will save all addresses where a call to a function or a return from a function occurred.

Internally, the debugger runs the current thread step by step to properly detect all function calls and returns. This explains why functions tracing is slower than a normal execution.

Basic block tracing

Action    name: ToggleTraceBasicBlocks
 

This command starts basic block tracing. You can then use all debugger commands as usual: the debugger will save all addresses where a temporary basic block breakpoint was reached.

Internally, the debugger runs the current thread normally, setting temporary breakpoints in the last instruction of every basic block of every function referenced from the current function and also at any call instruction in the middle of the traced basic blocks.

Basic block tracing is slower than normal execution but faster than instruction or function tracing.

Add write trace

 Action    name: WriteTraceAdd
 

This command adds a write trace to the current address.

In fact, write traces are nothing more than breakpoints with special properties: they don't stop and they simply add a trace event when the breakpoints are reached.

Add read/write trace

Action    name: ReadWriteTraceAdd
 

This command adds a read/write trace to the current address.

In fact, read/write traces are nothing more than breakpoints with special properties: they don't stop and they simply add a trace event when the breakpoints are reached.

Add execution trace

This command adds an execution trace to the current address.

In fact, execution traces are nothing more than breakpoints with special properties: they don't stop and they simply add a trace event when the breakpoints are reached.

Internally, the debugger will add a breakpoint instruction at the given address.

Stack trace

Action    name: StackTrace
 

Opens the stack trace window.

This window displays the function calls that brought the current instruction.

The top of the Stack Trace window lists the last function called by the program. Below this is the listing for the previously called functions. Each line indicates the name of the function which called the function represented by the previous line.

Double clicking on a line jumps to the exact address of the instruction realizing this call.

Currently, IDA uses the EBP frame pointer values to gather the stack trace information. It will fail for functions using other methods for the frame.

Tracing options

Action    name: SetupTracing

This dialog box allows you to specify different settings related to the tracing features.

Trace buffer size

  This setting indicates how many tracing events can fit in the trace buffer.
  If the debugger must insert a new event and the buffer is full,
  the oldest tracing event will be removed.
  However, if you specify a size of 0, the buffer size isn't limited.
  Notice that, for example, in the case of an instructions trace,
  all executed instructions could be logged, which would quickly fill
  up the memory!

Trace file

  If a filename is specified, all future traced events will be appended to it.

Trace directory

  The directory were trace files for the current database will be saved. If not
  specified, the IDB directory will be used.

Stop condition

Tracing

  - Trace over debugger segments

      If selected, the debugger will not go step by step in debugger segments
      (segments not available in the database).

  - Trace over library functions

      If selected, the debugger will not go step by step in library functions.

• memorize the return address associated with the last executed call instruction in database segments (the previously saved one is overwritten).

• setup a temporary breakpoint on this address once the IP is in a debugger segment or library function, disable step by step, and run the thread.

• reenable step by step once this temporary breakpoint is reached.

  Copy

  - Do not log already logged IP
  
      If selected, already executed instructions will not be logged if
      they are executed again.
  
  - Skip loops
  
      If selected, tracing will be temporarily disabled for some loops
      constructs.

Highlight

  - Highlight instructions in IDA views

    If selected, recorded instructions will be displayed in IDA views (disassembly
    views) with a different background color.

  - Main color

    The main background color for traced instructions.

  - Diff color

    The background color for the instructions recorded and being diffed against the
    currently loaded trace.

Instruction tracing

  - Log if same IP

    If selected, the debugger will also log all register modifications occurring
    during the execution of prefixed instructions like REP MOVSB, ...

Function tracing

  - Log return instructions

      If selected, the debugger will also log function returns.
      If disabled, only function calls are logged.

Basic block tracing

  - Log basic block instructions

      If selected, all instructions from the current basic block will be logged
      and displayed in the 'Tracing' window, instead of only the last instruction of
      the basic block.