ida_pro_tracing

Differences

This shows you the differences between two versions of the page.

ida_pro_tracing [2013/05/21 08:48]
xvilka [Preparations]
ida_pro_tracing [2013/05/21 20:39] (current)
xvilka
Line 2: Line 2:
  
 1. IDA Pro 6.0 and above 1. IDA Pro 6.0 and above
-2. installed qemu-0.14 and above+ 
 +2. installed qemu-1.4.0 and above
  
 ==== Preparations ==== ==== Preparations ====
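Review bot: The raised floor in item 2 (qemu-0.14 to qemu-1.4.0) is given without a reason, so a reader on an older install cannot tell what will break. State next to the requirement which later step depends on the newer release, for instance the qemu-system-i386 binary name or the bios.bin file name that the Preparations steps now use.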
Line 10: Line 11:
 2 Run relocate script 2 Run relocate script
  
-3. Place bios.rom, vgacirrus-bios.bin (from qemu site), bios_name.idb,​ linux.img in the current folder+3. Place bios.bin, vgacirrus-bios.bin (from qemu site), bios_name.idb,​ linux.img in the current folder
  
-4. Start qemu in debugging mode "qemu -s -S -L . -m 256 -hda linux.img+4. Start qemu in debugging mode "qemu-system-i386 ​-s -S -L . -m 256 -hda linux.img
 -localtime -M pc -nographic"​ -localtime -M pc -nographic"​
  
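Review bot: In step 4 the -s switch opens QEMU's gdb stub on TCP port 1234 with no authentication, and the short form does not pin the listening address, so anyone who can reach that port can read and write guest memory and registers. On a shared or networked host, spell it out as -gdb tcp:127.0.0.1:1234 and say so in the step. The command is also split across two lines inside a single pair of quotes; putting it on one line in a code block would avoid copy-paste errors.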
Line 33: Line 34:
 Then open debugger options dialog Then open debugger options dialog
 {{1.png}} {{1.png}}
- 
 Check “Stop on debugging start” , enable logging of all events. check “Reconstruct the stack”, “Show debugger breakpoint instructions” Check “Stop on debugging start” , enable logging of all events. check “Reconstruct the stack”, “Show debugger breakpoint instructions”
  
Line 56: Line 56:
 Here we can see an example of tracing WritePCI_SL function (SL means for me “StackLess”) Here we can see an example of tracing WritePCI_SL function (SL means for me “StackLess”)
 {{6.png}} {{6.png}}
 +
 +Usually i’m using database notepad for saving some PCI, PNP, IOports information about your BIOS platform (for example outputs of lscpi, dmesg, lsusb, dmidecode, etc...):
 +{{7.png}}
 +
 +==== Examples ====
 +
 +1 Recognize pci_writes:
 +
 +We already find WritePCI functions
 +{{8.png}}
 +then we need find values, which bios write ot the pci port:
 +
 +so, let this piece of code run:
 +{{9.png}}
 +then go to the trace window and find value of eax in the out 0xCF8, eax line:
 +{{10.png}}
 +as we can see eax=0x80003B60. It is 00:07.3 device register BAR2
 +Also. for example we want to know, all calls of WritePCI_SL function, and values which it write somewhere. This is very simple - just add breakpoint to this function:
 +{{11.png}}
 +all calls we can see in the function calls window:
 +{{12.png}}
 +As we can see, we need add meaningfull comments in the line, where we can see “jmp WritePCI_SL” , so we can see these comments in each line in the function calls window
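Review bot: The line "as we can see eax=0x80003B60. It is 00:07.3 device register BAR2" needs its register name checked. Decoding the value as a 0xCF8 configuration address gives enable bit set, bus 0x00, device 0x07, function 3 and register offset 0x60, which matches 00:07.3, but BAR2 in a standard type 0 header lives at offset 0x18, not 0x60. Either name the device-specific register at 0x60 or just give the offset, and show the bit-field decode so readers can repeat it for other traced values. Smaller points in the same hunk: "lscpi" should be lspci, "ot the pci port" should be "to the pci port", and "meaningfull" should be "meaningful".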
ida_pro_tracing.1369126095.txt.gz · Last modified: 2013/05/21 08:48 by xvilka