
Generating Ether-like Trace Files for VERA

I've had a few people email me about how to use non-Ether generated trace files in VERA. To help with this, I ran a trace with Ether of the Notepad.exe included with Windows XP.

Notepad.exe Trace file

If you want to generate instruction traces with something other than Ether, you just need to make sure the file follows the same format. First, start with the standard instruction trace boilerplate, which looks like this:

After init:
        shared_page_ptr: 0xffff830000fd9000
        shared_page_mfn: 0xfd9
        domid_source: 0
        event_channel_port: 34
Shared Page va: 0x7fde19b77000
Shared Page test:
        Page-Sharing is A-OK!

Trying to bind to local port...
Success, bound to local port: 35
Trying to get first pending notification...
Taking off suprious pending notification...
Setting filter by name to: notepad.exe
Execution of Target detected:
        Image Base:  0x1000000
        Image Size:  0x14000
        Entry Point: 0x100739d

After this, all you need to do is list the executed instructions, one per line. Right now the only thing I'm parsing is the instruction address, so there's no need to include the actual instruction text. Later versions of VERA will use the disassembly.

100739d: push   0x70
100739d: push   0x70
100739f: push   0x01001898
10073a4: call   0x01007568
1007568: push   0x010075BA
100756d: mov    eax, fs:[0x00000000]
1007573: push   eax

At the end of the file, after all the instructions, make sure you include two "Handling sigint" messages:

1007519: jnz    0x01007522
100751b: push   esi
100751c: call   [0x1001318]
Handling sigint
Handling sigint
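The three pieces above (boilerplate header, one address per line, two "Handling sigint" trailers) are easy to get slightly wrong when converting output from another tracer, so here is a small writer and a matching reader. This is an added example, not code from VERA or Ether; it reuses the header values and the notepad.exe addresses shown on this page as constructed sample data, and the function names are my own.

```python
"""Write and read VERA-style instruction trace files (added example)."""
import re

# Header text copied from the Ether trace on the page. VERA treats it as fixed
# boilerplate, so the shared-page and port values are emitted unchanged; only
# the process name and image fields are filled in per trace.
_HEADER = """After init:
        shared_page_ptr: 0xffff830000fd9000
        shared_page_mfn: 0xfd9
        domid_source: 0
        event_channel_port: 34
Shared Page va: 0x7fde19b77000
Shared Page test:
        Page-Sharing is A-OK!

Trying to bind to local port...
Success, bound to local port: 35
Trying to get first pending notification...
Taking off suprious pending notification...
Setting filter by name to: {name}
Execution of Target detected:
        Image Base:  {base:#x}
        Image Size:  {size:#x}
        Entry Point: {entry:#x}

"""

# Instruction lines look like "100739d: push   0x70"; only the address matters.
_INSN_RE = re.compile(r"^([0-9a-fA-F]+):\s*(.*)$")
_TRAILER = "Handling sigint"


def write_vera_trace(name, image_base, image_size, entry_point, instructions):
    """Build trace text from (address, disassembly) pairs.

    The disassembly string may be empty, since VERA currently reads only the
    address; the two trailer lines are always appended.
    """
    out = [_HEADER.format(name=name, base=image_base, size=image_size,
                          entry=entry_point)]
    for addr, text in instructions:
        out.append(f"{addr:x}: {text}".rstrip() + "\n")
    out.append(f"{_TRAILER}\n{_TRAILER}\n")
    return "".join(out)


def parse_vera_trace(text):
    """Return the executed addresses as ints, enforcing the file layout.

    Raises ValueError if the 'Execution of Target detected' header is missing,
    if instructions appear after a trailer, or if there are not exactly two
    'Handling sigint' lines at the end.
    """
    lines = text.splitlines()
    try:
        start = next(i for i, line in enumerate(lines)
                     if line.startswith("Execution of Target detected"))
    except StopIteration:
        raise ValueError("missing 'Execution of Target detected' header")

    addrs, trailers = [], 0
    for line in lines[start + 1:]:
        if line == _TRAILER:
            trailers += 1
            continue
        if trailers:
            raise ValueError("content after 'Handling sigint' trailer")
        m = _INSN_RE.match(line)
        if m:  # indented header fields and blank lines do not match
            addrs.append(int(m.group(1), 16))
    if trailers != 2:
        raise ValueError(f"expected two '{_TRAILER}' lines, found {trailers}")
    return addrs


def is_valid_trace(text):
    """Convenience wrapper: True if parse_vera_trace accepts the file."""
    try:
        parse_vera_trace(text)
        return True
    except ValueError:
        return False


# Constructed sample: the first notepad.exe instructions shown on the page.
SAMPLE = [
    (0x100739d, "push   0x70"),
    (0x100739f, "push   0x01001898"),
    (0x10073a4, "call   0x01007568"),
    (0x1007568, "push   0x010075BA"),
]

if __name__ == "__main__":
    trace = write_vera_trace("notepad.exe", 0x1000000, 0x14000, 0x100739d, SAMPLE)
    with open("notepad_trace.txt", "w") as fh:
        fh.write(trace)
    print([hex(a) for a in parse_vera_trace(trace)])
```

The reader deliberately ignores everything before "Execution of Target detected", so a file whose boilerplate differs slightly still loads; the two checks it does enforce (address lines stop at the first trailer, exactly two trailers) are the ones that make a hand-built file fail silently otherwise.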

That should be all you need to use VERA with your own traces. As always, let me know about any bugs you observe.

Works!

Great, thank you, now it works and I generated some nice graphs!

Cheers