Need help with execution-trace-viewer?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

teemu-l
150 Stars 29 Forks MIT License 34 Commits 4 Opened issues

Description

Tool for viewing and analyzing execution traces

Services available

!
?

Need anything else?

Contributors list

# 231,131
Python
x64dbg
pyqt5
33 commits
# 362
C++
C
Electro...
Windows
1 commit

Execution Trace Viewer

Execution Trace Viewer is an application for viewing, editing and analyzing execution traces. It was originally made for reverse engineering obfuscated code, but it can be used to analyze any kind of execution trace.

Execution Trace Viewer

Features

  • open, edit and save execution traces
  • search & filter trace by disasm, reg values, memory address/value, etc
  • add comments and bookmarks
  • write python plugins
  • supports x64dbg traces

Dependencies

Install & run

git clone https://github.com/teemu-l/execution-trace-viewer

pip install pyqt5 yapsy qdarkstyle capstone python tv.py

Trace file formats

Following file formats are supported:

  • .tvt - Default file format. Developed from x64dbg trace format. 3 differences with x64dbg format: comments, disasm and bookmarks added.

  • .trace32 / .trace64 - x64dbg file format. Only reading supported. Loading x64dbg traces is slow because the code needs to be disassembled.

  • json - Traces can be saved and loaded from json text files.

Traces folder contains one sample trace. It is ~11k lines of obfuscated code (by VMProtect3). All the handlers are disassembled and added to bookmarks table.

Plugins

Execution Trace Viewer can be extended by Python3 plugins. Plugins are launched from plugins menu or from right-click menu on trace table. Check the example plugins and core/api.py for more info.

More plugins:

Filters

Example filters:

| Filter | Description | | ------------------------ | ------------------------------------------------------------- | | disasm=push|pop | disasm contains word push or pop (push, pushfd, pop, etc) | | regeax=0x1337 | show rows where eax is 0x1337 | | regany=0x1337 | any reg value is 0x1337 | | memvalue=0x1337 | read or write value 0x1337 to memory | | memreadvalue=0x1337 | read value 0x1337 from memory | | memaddr=0x4f20 | read from or write to memory address 0x4f20 | | memreadaddr=0x40400 | read from memory address 0x40400 | | memwriteaddr=0x40400 | write to memory address 0x40400 | | opcodes=c704 | filter by opcodes | | rows=20-50 | show only rows 20-50 | | regex=0x40?00 | case-sensitive regex search for whole row (including comment) | | regex=READ | show insctructions which read memory | | iregex=junk|decrypt | inverse regex, rows with 'junk' or 'decrypt' are filtered out | | comment=decrypt | filter by comment |

It's possible to join multiple filters together:

disasm=xor/reg_any=0x1337 ; show all xor instructions where atleast one register value is 0x1337

For more complex filtering you can create a filter plugin and save the result list using api.setfilteredtrace(). Then show the trace by calling api.showfilteredtrace().

Find

Finds next or previous row that contains specified keyword/value in trace.

Using Find in plugin

Find previous memory write:

from core.filter_and_find import TraceField
current_row = 500
next_row = find(
    trace=trace_data.trace,
    field=TraceField.MEM,
    keyword='WRITE',
    start_row=current_row,
    direction=-1
)

Trace fields: DISASM, REGS, MEM, MEMADDR, MEMVALUE, COMMENT, ANY

DISASM field supports multiple keywords: "xor/shl/shr". MEM field checks all three fields in mem access (access, addr and value). Integers must be given in hexadecimal.

Themes

Dark theme can be disabled by editing prefs.py:

USE_DARK_THEME = False

To-Do

  • add support for more trace formats & architectures
  • fix x64dbg trace problem: if memory content doesn't change on write operation, the access is shown as 'READ' (bad design of the file format?)
  • documentation

License

MIT

Author

Developed by Teemu Laurila.

Contact:

print(''.join(map(chr,[k^86 for k in [34,51,51,59,35,58,55,22,38,36,57,34,57,56,59,55,63,58,120,53,57,59]])))

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.