circle-info
The docs have been restructured for better navigation. Found a broken link or have feedback to share? Let us know
here.arrow-up-right
search
Ctrlk

SetupTracing

hashtag
Description

This command opens a dialog box that allows you to specify different settings related to the tracing features.

Tracing options dialog

  • Trace buffer size: This setting indicates how many tracing events can fit in the trace buffer. If the debugger must insert a new event and the buffer is full, the oldest tracing event will be removed. However, if you specify a size of 0, the buffer size isn't limited. Notice that, for example, in the case of an instructions trace, all executed instructions could be logged, which would quickly fill up the memory!

  • Trace file: If a filename is specified, all future traced events will be appended to it.

  • Trace directory: The directory were trace files for the current database will be saved. If not specified, the IDB directory will be used.

  • Stop condition: This IDCarrow-up-right expression will be evaluated before the execution of each instruction. If the expression returns true, the debugger will suspend the execution. Please note that you can use register names in the condition.

Tracing:

  • Trace over debugger segments: If selected, the debugger will not go step by step in debugger segments (segments not available in the database).

  • Trace over library functions: If selected, the debugger will not go step by step in library functions.

circle-info

Enabling these options will speed up the execution, as many instructions (from debugger segments and/or library functions) will not be traced. Disabling these options can quickly fill the Tracing window, as all instructions in DLLs and system functions will be executed step by step. Notice that both options influence the way instruction and function tracings will work.

Internally, the debugger proceeds like this:

  • Memorize the return address associated with the last executed call instruction in database segments (the previously saved one is overwritten).

  • Setup a temporary breakpoint on this address once the IP is in a debugger segment or library function, disable step by step, and run the thread.

  • Reenable step by step once this temporary breakpoint is reached.

  • Do not log already logged IP: If selected, already executed instructions will not be logged if they are executed again.

  • Skip loops: If selected, tracing will be temporarily disabled for some loops constructs.

Highlight:

  • Highlight instructions in IDA views: If selected, recorded instructions will be displayed in IDA views (disassembly views) with a different background color.

Instruction tracing:

  • Log if same IP: If selected, the debugger will also log all register modifications occurring during the execution of prefixed instructions like REP MOVSB, ...

Function tracing:

  • Log return instructions: If selected, the debugger will also log function returns. If disabled, only function calls are logged.

Basic block and function tracing:

  • Log internal instructions: If selected, all instructions from the current basic block will be logged and displayed in the 'Tracing' window, instead of only the last instruction of the basic block.

Last updated

Was this helpful?