Home
Some of these are already done, but I'm still trying to figure out how to glue some areas together. If you want to work on anything, let me know and I can drop code into a different branch or something.
- Code coverage: map it back to source and do colorized overlays with a WPF code syntax highlighting window from https://github.com/icsharpcode/AvalonEdit
- More performance graphs & related trace info
- Use https://github.com/mono/CppSharp to "reflect" the public symbols emitted from https://github.com/google/syzygy to enhance symbol output and overall code/state comprehension
- Demo of RoP compiler for blockfighters
Each of these should generally detect/emulate/alter the status of the malicious (or just misguided :) block.
- rflags - The register that informs some state
- Context - Changes here, either in SetThreadContext or the VEH record in memory
- Callout - Protect changes that would alter our precedence for being called.
- AsyncStuff - Blah =)
- What about Symbols?
Symbol support is on the way. I don't like the slowness of single-threaded access to PDBs through the MS DIA SDK (super old also, btw), so I'm looking to use @google/syzygy or something (unfortunately @Microsoft/microsoft-pdb is not ready yet). Upcoming symbols will enhance the UIs and console tools and also allow more flexible configuration of what to log at runtime (this is the main area I want performance for, since I want to avoid as much slowdown as possible; it's likely going to take the form of a bitmap which informs the hook whether or not to perform any logging).
- It's not working for me!?!@ (Thanks to InGap Jeong (laughfool) for looking into this; look for some of his tools based on EhTrace soon!!!)
I confirmed EhTrace working well on Windows 10 x64 (CPU: Skylake). If you execute EhTrace on Windows 7 x64, it requires a kernel patch, because BTF (single step on branch: DR7 |= 0x300) is a hardware feature. Recently most Intel CPUs support the BTF feature, but Windows 7 x64 allows the use of BTF for only a few CPUs (I think Windows 8, too). So, if you execute EhTrace on Windows 7 x64, you have to patch the kernel. How to patch the kernel? The simple way is just to download the file below and run it. http://fdbg.x86asm.net/add_debugctl_support_ws2008R2_w7.UEFI.BIOS.ver048.zip
For detailed information, check the link below. http://fdbg.x86asm.net/debugctl.article.txt
You can also try to boot with /debug and run as administrator to use the re-added DEBUG MSR method.