NativeTimelessTracer¶

The NativeTimelessTracer’s purpose is to provide a standard means of performing timeless tracing. It is similar in concept to other timeless debuggers such as qira and rr.

Caveats¶

The major caveat for now is that it is going to be substantially slower than the other timeless debugger options. Performance will hopefully be improved in future releases.

Since this is a newer feature, it is currently only tested against:

Linux (i386 and x64)

Why?¶

Timeless Debugging (or really, timeless tracing for revenge) is helpful for more thoroughly inspecting what happens during program execution. Instead of re-running an application and setting different break points each time, the tracer will attempt to gather all relevant information at each instruction step so that you can go forwards and backwards in time of the binary execution (thus, “timeless”).

revenge’s implementation has a goal of being platform and architecture independent. Meaning, the same syntax you would use to timeless trace on an amd64 Windows machine should work on an i386 MacOS or an ARM Linux.

Also, due to revenge’s modularity, the timeless tracer will be used as a core component to other techniques and analysis engines, making it a building block, not an endpoint.

How do I use it?¶

The timeless tracer can be run just like any other Technique. Once the trace is acquired, you can manually look through it, or use an Analysis module (coming soon).

NativeTimelessTracer¶

class revenge.techniques.native_timeless_tracer.NativeTimelessTracer(process)[source]¶

Bases: revenge.techniques.Technique

Performs timeless tracing.

Examples

#
# Global apply
#

# Setup the tracer
timeless = process.techniques.NativeTimelessTracer()
timeless.apply()

# Continue execution
process.memory[process.entrypoint].breakpoint = False

# Keep checking back to your trace
print(timeless)

# Grab your specific trace
t = list(timeless)[0]
print(t)
print(t[-50:])

# Look at the trace items individually
ti = t[0]
print(ti.context)
print(ti.context.rax)

#
# Call apply
#

# Also can apply this per-call
time = process.memory['time']
time(0, techniques=timeless)

TYPE = 'stalk'¶

apply(threads=None)[source]¶: Applies this technique, optionally to the given threads.

remove()[source]¶: Removes this technique.

NativeTimelessTrace¶

class revenge.techniques.native_timeless_tracer.NativeTimelessTrace(process, thread)[source]¶

Bases: object

start()[source]¶: Start tracing.

stop()[source]¶: Stop tracing.

wait_for(address)[source]¶: Don’t return until the given address is hit in the trace.

NativeTimelessTraceItem¶

class revenge.techniques.native_timeless_tracer.NativeTimelessTraceItem(process, context=None, depth=None, previous=None)[source]¶

Bases: object

property context¶

classmethod from_snapshot(process, snapshot, previous=None)[source]¶

Creates a NativeTimelessTraceItem from a snapshot returned by timeless_snapshot()

Parameters

process (revenge.Process) – Process object
snapshot (dict) – Timeless snapshot dictionary
previous (NativeTimelessTraceItem, optional) – Previous timeless trace item to use for differential generation

property instruction¶: Returns the assembly instruction object for this item.