GitHub - e-valente/wusstrace: Automatically exported from code.google.com/p/wusstrace

e-valente / wusstrace Public

Notifications You must be signed in to change notification settings
Fork 0
Star 1

Automatically exported from code.google.com/p/wusstrace

Notifications

Name		Name	Last commit message	Last commit date
Latest commit History 7 Commits
libwst		libwst
pywuss		pywuss
COPYING		COPYING
Makefile		Makefile
Nt.txt		Nt.txt
NtGdi.txt		NtGdi.txt
NtUser.txt		NtUser.txt
README		README
bitset.cc		bitset.cc
bitset.hh		bitset.hh
common.cc		common.cc
common.hh		common.hh
config.hh		config.hh
console.cc		console.cc
console.hh		console.hh
debug.hh		debug.hh
fixdump.py		fixdump.py
hook-asm.S		hook-asm.S
hook.cc		hook.cc
hook.hh		hook.hh
logger.cc		logger.cc
logger.hh		logger.hh
parse_ntapi.py		parse_ntapi.py
pending.cc		pending.cc
pending.hh		pending.hh
wusstrace-dll.cc		wusstrace-dll.cc
wusstrace.cc		wusstrace.cc
wusstrace.xsd		wusstrace.xsd
wusstrace.xsl		wusstrace.xsl

Repository files navigation

WUSSTrace
=========

WUSSTrace is a user-space syscall tracer for Microsoft Windows developed for
fine grained syscall tracing: it supports the majority of Windows system calls
(except GUI system calls), the majority of argument types, and dumps faithfully
all the supported types. WUSSTrace produces easy-to-parse XML traces leveraging
the Boost serialization library. Tracing is performed by injecting a shared
library in the address space of the traced process and by hooking the stubs
KiFastSystemCall and KiIntSystemCall in ntdll.dll.


How to compile WUSSTrace
========================

In order to compile WUSSTrace you need: the MinGW compiler and the Boost
serialization library. Once your development environment is ready simply run
"make".


How to use WUSSTrace
====================

To trace the execution of a program you just have to run WUSSTrace and specify
on the command line the name of the program to trace. By default WUSSTrace does
not dump on disk the system calls intercepted. To do that you have to add the
options "-d PATH/PREFIX" to the command line to specify where to store the
traces. To find you other valid command line options run WUSSTrace with no
arguments.

The system calls traces produced are XML documents. WUSSTrace comes with a
Python interface, called PyWUSS, that facilitates the analysis of XML traces. 


Limitations
===========

At the moment WUSSTrace only intercepts system calls invoked using
KiIntSystemCall. Support for hooking KiFastSystemCall has not been implemented
yet only because of time constraint. Consequently, if your machine supports
"sysenter" WUSSTrace will not work. To workaround this limitation you can
perform your analyses from within VirtualBox, which virtualizes a IA-32 CPU
without the support for "sysenter". 

WUSSTrace has been tested only on Microsoft Windows XP SP2. 


Copyright
=========

WUSSTrace is copyrighted (2010) by Lorenzo Martignoni and Roberto Paleari.

It is licensed under GPLv3+ (GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>). For further information about the license
please read the file COPYING included in the distribution.


Contact information
===================

Bug reports, patch submissions, and any other useful contribution are very
welcome; just drop an email to:

* Lorenzo Martignoni <lorenzo@security.dico.unimi.it> 
* Roberto Paleari <roberto@security.dico.unimi.it>