Generating Ether-like Trace Files for VERA
I've had a few people email me about how to use non-Ether generated trace files in VERA. To help with this, I ran a trace with Ether of the Notepad.exe included with Windows XP.
If you want to generate instruction traces outside of Ether, you just need to make sure they follow the same format. First, you should start with the standard instruction trace boilerplate. It looks like this:
    After init:
    shared_page_ptr: 0xffff830000fd9000
    shared_page_mfn: 0xfd9
    domid_source: 0
    event_channel_port: 34
    Shared Page va: 0x7fde19b77000
    Shared Page test: Page-Sharing is A-OK!
    Trying to bind to local port...
    Success, bound to local port: 35
    Trying to get first pending notification...
    Taking off suprious pending notification...
    Setting filter by name to: notepad.exe
    Execution of Target detected:
    Image Base: 0x1000000
    Image Size: 0x14000
    Entry Point: 0x100739d
After this, all you need to do is have a listing of instructions. Right now the only thing I'm parsing is the instruction address, so there's no need to include the actual instruction. Later versions of VERA will use the disassembly.
    100739d: push 0x70
    100739d: push 0x70
    100739f: push 0x01001898
    10073a4: call 0x01007568
    1007568: push 0x010075BA
    100756d: mov eax, fs:[0x00000000]
    1007573: push eax
At the end of the file, after all the instructions, make sure you include two "Handling sigint" messages:
    1007519: jnz 0x01007522
    100751b: push esi
    100751c: call [0x1001318]
    Handling sigint
    Handling sigint
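Putting the three pieces together (boilerplate, one address per line, two "Handling sigint" lines), here is a small converter that turns a step log from some other tracer into this format, plus a reader that pulls back out exactly what the post says VERA uses: the target info and the address sequence. This is an added example written for this post, not code from VERA or Ether. It assumes the boilerplate is laid out one field per line as shown above, keeps the header values other than the filter name, image base, image size and entry point as verbatim copies from the Notepad.exe trace, and uses a constructed `0x<addr> <disasm>` input format as a stand-in for whatever your own tracer emits.

```python
"""Build and check Ether-style instruction traces for VERA.

Added example for this post, not VERA's or Ether's own code. The
one-field-per-line layout of the header is assumed from the listing in
the post; the fixed header values are copied verbatim from the
Notepad.exe trace and are not interpreted here.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Assumed line layout of the boilerplate. Only the four {...} fields vary.
HEADER_TEMPLATE = (
    "After init:\n"
    "shared_page_ptr: 0xffff830000fd9000\n"
    "shared_page_mfn: 0xfd9\n"
    "domid_source: 0\n"
    "event_channel_port: 34\n"
    "Shared Page va: 0x7fde19b77000\n"
    "Shared Page test: Page-Sharing is A-OK!\n"
    "Trying to bind to local port...\n"
    "Success, bound to local port: 35\n"
    "Trying to get first pending notification...\n"
    "Taking off suprious pending notification...\n"  # spelling as Ether prints it
    "Setting filter by name to: {name}\n"
    "Execution of Target detected:\n"
    "Image Base: {base:#x}\n"
    "Image Size: {size:#x}\n"
    "Entry Point: {entry:#x}\n"
)
TRAILER = "Handling sigint\nHandling sigint\n"

# Instruction lines look like "100739d: push 0x70": bare lowercase hex, colon, text.
INSN_RE = re.compile(r"^([0-9a-f]+):\s*(.*)$")
HEADER_RE = re.compile(
    r"^(Image Base|Image Size|Entry Point|Setting filter by name to):\s*(\S+)$")
HEADER_KEYS = {"Image Base": "image_base", "Image Size": "image_size",
               "Entry Point": "entry_point", "Setting filter by name to": "target"}


def steps_from_debugger_log(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Convert constructed '0x<addr> <disasm>' lines into (address, text) pairs.

    This input format is a hypothetical stand-in for another tracer's output.
    """
    steps: List[Tuple[int, str]] = []
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        addr_s, _, text = raw.partition(" ")
        steps.append((int(addr_s, 16), text.strip()))
    return steps


def build_trace(name: str, base: int, size: int, entry: int,
                steps: Iterable[Tuple[int, str]]) -> str:
    """Emit a trace file in the layout the post describes."""
    parts = [HEADER_TEMPLATE.format(name=name, base=base, size=size, entry=entry)]
    for addr, text in steps:
        # VERA only reads the address; the disassembly text may be empty.
        parts.append(f"{addr:x}: {text}".rstrip() + "\n")
    parts.append(TRAILER)
    return "".join(parts)


def parse_trace(trace: str) -> Dict[str, object]:
    """Extract what VERA currently uses: target info and the address sequence.

    Raises ValueError if the two-line 'Handling sigint' trailer is missing
    or no instruction lines are present.
    """
    info: Dict[str, object] = {}
    addrs: List[int] = []
    sigints = 0
    in_body = False  # instruction lines only start after "Entry Point:"
    for line in trace.splitlines():
        if not in_body:
            m = HEADER_RE.match(line)
            if m:
                key, val = m.groups()
                info[HEADER_KEYS[key]] = val if key.startswith("Setting") else int(val, 16)
                if key == "Entry Point":
                    in_body = True
            continue
        if line == "Handling sigint":
            sigints += 1
            continue
        m = INSN_RE.match(line)
        if m:
            addrs.append(int(m.group(1), 16))
    if sigints != 2:
        raise ValueError(f"expected 2 'Handling sigint' lines, found {sigints}")
    if not addrs:
        raise ValueError("no instruction lines found")
    info["addresses"] = addrs
    return info


# Constructed sample input: the first Notepad.exe instructions from the post,
# written in the hypothetical "0x<addr> <disasm>" log format.
SAMPLE_LOG = """\
# constructed sample step log
0x100739d push 0x70
0x100739f push 0x01001898
0x10073a4 call 0x01007568
0x1007568 push 0x010075BA
0x100756d mov eax, fs:[0x00000000]
0x1007573 push eax
"""

if __name__ == "__main__":
    steps = steps_from_debugger_log(SAMPLE_LOG.splitlines())
    trace = build_trace("notepad.exe", 0x1000000, 0x14000, 0x100739d, steps)
    print(trace, end="")
    parsed = parse_trace(trace)
    print(f"parsed {len(parsed['addresses'])} addresses for {parsed['target']}")
```

Write the output of `build_trace` to a file and point VERA at it. The reader deliberately ignores everything after the colon on instruction lines, which matches the post's note that only the address is parsed today; if you want later versions of VERA to have the disassembly, keep emitting it.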
That should be all you need to use VERA for your own uses. As always, let me know if there are any bugs you observe.