Exetools > General > General Discussion

03-12-2019, 21:17
chants
Next Windows release will include DTrace support

This is some pretty interesting news as it might be useful for reversing when the kernel is involved.

The forthcoming Windows 10 feature update will bring support for DTrace, the open source debugging and diagnostic tracing tool originally built for Solaris. The port was announced at the Ignite conference last year, and today the instructions, binaries, and source code are now available.
DTrace lets developers and administrators get a detailed look at what their system is doing: they can track kernel function calls, examine properties of running processes, and probe drivers. DTrace commands use the DTrace scripting language, with which users can specify which information is probed and how to report that information.
After its initial Solaris release, DTrace spread to a wide range of other Unix-like operating systems. Today, it's available for Linux, FreeBSD, NetBSD, and macOS. The original Solaris code was released under Sun's Common Development and Distribution License. Microsoft has ported the CDDL portions of DTrace and built an additional driver for Windows that performs some of the system-monitoring roles. The latter driver will ship with Windows; the CDDL parts are all a separate download.
The big fly in the ointment is that DTrace currently requires Windows to be booted with a kernel debugger attached. DTrace works by inserting bits of code into the system functions being analyzed; this means that there's no overhead for kernel features that aren't being traced, as they don't contain any DTrace code at all. However, DTrace isn't the only software out there that modifies kernel memory: rootkits will patch the operating system's kernel so that, for example, process enumeration functions don't show the running rootkit.
Accordingly, Microsoft long ago introduced Windows' Kernel Patch Protection (KPP, aka PatchGuard). KPP monitors certain pieces of kernel memory to look for modifications, and it crashes the system if any are detected. DTrace falls foul of PatchGuard's protection.
Booting with a kernel debugger disables PatchGuard, thereby letting DTrace make the modifications it needs. Microsoft's developers say they have ideas for how they might enable DTrace in a PatchGuard-compliant way in the future. But for now, we have to pick one or the other.
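As an added example, not part of chants' post or of the article it quotes, here is a small script in the DTrace scripting language the post mentions: it counts system calls per process and per call name for ten seconds, then prints a sorted table. It assumes the Windows port exposes the upstream `syscall` and `profile` providers the way other DTrace ports do; that is an assumption about the port, not something the post states. The D constructs themselves (`#pragma D option quiet`, aggregations, `printa`, `tick-10s`) are standard DTrace.

```d
/* Count system calls per process for ten seconds and print a table.
   Added example; assumes the Windows port provides the standard
   syscall and profile providers (assumption, not stated by the post). */
#pragma D option quiet

BEGIN
{
    printf("Tracing system calls for 10 seconds...\n");
}

/* Fire on entry to every system call; key the aggregation by the
   calling process name and the name of the call. */
syscall:::entry
{
    @calls[execname, probefunc] = count();
}

/* After ten seconds, print the aggregation (DTrace sorts by count) and stop. */
tick-10s
{
    printf("%-24s %-32s %s\n", "PROCESS", "SYSCALL", "COUNT");
    printa("%-24s %-32s %@d\n", @calls);
    exit(0);
}
```

Save it as, say, `syscalls_by_process.d` and run `dtrace -s syscalls_by_process.d` from an elevated prompt. On the Windows build the post describes, the probes only attach once the machine has been booted with the kernel debugger attached, for the PatchGuard reason the quoted article explains; a script like this is a cheap way to see which processes are busiest at the system-call boundary without modifying any of them.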
