ida_pro_tracing

====== Differences ======

This shows you the differences between two versions of the page.


ida_pro_tracing [2013/05/21 08:46]
xvilka [Preparations]
ida_pro_tracing [2013/05/21 20:39] (current)
xvilka
Line 2: Line 2:
  
 1. IDA Pro 6.0 and above 1. IDA Pro 6.0 and above
-2. installed qemu-0.14 and above+ 
 +2. installed qemu-1.4.0 and above
  
 ==== Preparations ==== ==== Preparations ====
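Review bot: the requirement is raised from qemu-0.14 to qemu-1.4.0 without saying why, and an empty line is inserted before it ("+ " followed by "+2. installed qemu-1.4.0 and above"); since the step-4 command later in this same change is rewritten to invoke "qemu-system-i386", state that the requirement is a qemu release that ships the qemu-system-i386 binary (the old "qemu" name no longer applies) and drop the stray blank line so the numbered list stays contiguous.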
Line 10: Line 11:
 2 Run relocate script 2 Run relocate script
  
-3. Place bios.rom, vgacirrus-bios.bin (from qemu site), bios_name.idb,​ linux.img in the current folder+3. Place bios.bin, vgacirrus-bios.bin (from qemu site), bios_name.idb,​ linux.img in the current folder
  
-4. Start qemu in debugging mode "qemu -s -S -L . -m 256 -hda linux.img+4. Start qemu in debugging mode "qemu-system-i386 ​-s -S -L . -m 256 -hda linux.img
 -localtime -M pc -nographic"​ -localtime -M pc -nographic"​
  
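Review bot: the rewritten step 4 splits the quoted command across two lines, with the closing quote on the "-localtime -M pc -nographic" continuation, and carries zero-width-space debris ("​") after "qemu-system-i386" and after "-nographic"; put the whole command on one line and remove the invisible characters so it can be copied verbatim. The rename from bios.rom to bios.bin in step 3 is the right fix for this invocation, because with "-L ." qemu loads its firmware from the current directory and the default file it looks for is bios.bin, so it is worth saying that the name is fixed, not free. Note also that "-s" is shorthand for "-gdb tcp::1234", which listens on all interfaces; for a tracing box that is reachable from a network, "-gdb tcp:127.0.0.1:1234" in place of "-s" keeps the stub local while leaving "-S" (stop at the entry point, which the attach step below relies on) unchanged.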
Line 33: Line 34:
 Then open debugger options dialog Then open debugger options dialog
 {{1.png}} {{1.png}}
- 
 Check “Stop on debugging start” , enable logging of all events. check “Reconstruct the stack”, “Show debugger breakpoint instructions” Check “Stop on debugging start” , enable logging of all events. check “Reconstruct the stack”, “Show debugger breakpoint instructions”
  
 Then push the “Set specific options” button, and see this dialog: Then push the “Set specific options” button, and see this dialog:
 {{2.png}} {{2.png}}
 +Set packet size (-1 = infinite, that sometimes can crash qemu or IDA)
 +Disable “Software breakpoints at EIP+1“ and enable “Use CS:IP in real mode”
 +Then push the button “Memory map” and see this dialog:
 +{{3.png}}
 +Then right click on the memory map choose “Insert” and add MEMORY segment:
 +{{4.png}}
 +Choose start address 0xF0000, end address 0x100000, base address 0xF000, name (any you want), class CODE, 16-bit and RWX rights. ​
 +Save all
 +Also you can setup verbose tracing:
 +
 +Debugger->​Tracing->​Tracing options:
 +{{5.png}}
 +I’m usually choose trace all events (because we are in the BIOS!), and save all them to the trace log file. “Trace over debugger segments” and “Trace over library functions” are disabled, because these options disable a lot of tracing inside functions.
 +
 +Then we can start debugger (we need choose “attach to the process” because we already have running bios, stopped at the entry point in the qemu)
 +
 +Here we can see an example of tracing WritePCI_SL function (SL means for me “StackLess”)
 +{{6.png}}
 +
 +Usually i’m using database notepad for saving some PCI, PNP, IOports information about your BIOS platform (for example outputs of lscpi, dmesg, lsusb, dmidecode, etc...):
 +{{7.png}}
 +
 +==== Examples ====
 +
 +1 Recognize pci_writes:
 +
 +We already find WritePCI functions
 +{{8.png}}
 +then we need find values, which bios write ot the pci port:
 +
 +so, let this piece of code run:
 +{{9.png}}
 +then go to the trace window and find value of eax in the out 0xCF8, eax line:
 +{{10.png}}
 +as we can see eax=0x80003B60. It is 00:07.3 device register BAR2
 +Also. for example we want to know, all calls of WritePCI_SL function, and values which it write somewhere. This is very simple - just add breakpoint to this function:
 +{{11.png}}
 +all calls we can see in the function calls window:
 +{{12.png}}
 +As we can see, we need add meaningfull comments in the line, where we can see “jmp WritePCI_SL” , so we can see these comments in each line in the function calls window
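Review bot: the PCI example decodes eax=0x80003B60 as "00:07.3 device register BAR2", but the CONFIG_ADDRESS layout written to port 0xCF8 (bit 31 enable, bits 23:16 bus, bits 15:11 device, bits 10:8 function, bits 7:2 register) gives bus 0, device 7, function 3 and register offset 0x60; BAR2 sits at offset 0x18 of a type-0 header, so either the offset or the "BAR2" label is wrong and the line should state the decoded offset explicitly (e.g. "00:07.3, config offset 0x60"). Two smaller points in the same block: "Set packet size (-1 = infinite, that sometimes can crash qemu or IDA)" reads as though -1 is recommended while also warning it crashes; say which value you actually use and that -1 is the one to avoid. Typos: "write ot the pci port" (to), "meaningfull" (meaningful), "lscpi" (lspci), "I'm usually choose" (I usually choose), "we need choose" (we need to choose).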
ida_pro_tracing.txt · Last modified: 2013/05/21 20:39 by xvilka