Welcome to NTrace

NTrace is a dynamic function boundary tracing toolkit for Windows NT-based systems on x86. It works on Windows versions from Windows Server 2003 SP1 onward and is capable of tracing both user and kernel mode components.

To trace execution, all that is required are public symbols (.pdb files) — this means that NTrace can not only be used to trace execution of your own modules nut also of Windows system libraries, drivers, and the kernel itself.

NTrace uses a novel approach of instrumenting binary code on the fly by leveraging certain aspects of the Microsoft hotpatching infrastructure. This allows NTrace to be both very robust and fast: On x86, NTrace outperforms DTrace by a factor of almost three!

For a quick walkthrough of NTrace, you can take a look at these screencasts linked to on the right. To learn more about how NTrace works and the performance measurements conducted, please consult the following paper:

Johannes Passing, Alexander Schmidt, Martin von Löwis, and Andreas Polze: NTrace: Function Boundary Tracing for Windows on IA-32 (10 pages).

In Proceedings of the 16th Working Conference on Reverse Engineering. October 13-16, 2009, Lille, France. To appear.

This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author’s copyright.
In most cases, these works may not be reposted without the explicit permission of the copyright holder.

Copyright is held by IEEE Computer Society. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works, must be obtained from the IEEE.

Contact:
Manager, Copyrights and Permissions / IEEE Service Center / 445
Hoes Lane / P.O. Box 1331 / Piscataway, NJ 08855-1331, USA.
Telephone: + Intl. 908-562-3966.

For a more in-depth discussion of the technical details, you can also read Johannes Passing‘s master’s thesis, which NTrace is the result of:

Johannes Passing: Dynamic Tracing of Windows NT Kernel Mode Components (90 pages).

Master’s thesis, October 2008, Hasso-Plattner-Institut, Potsdam, Germany.

Please write to jpassing at acm dot org to be emailed a copy.

Disambiguation

If you are looking for NTrace, the tracing framework for C#, please go to the NTrace page on Codeplex.

The two projects are unrelated and merely share the name.

Screencasts

Part 1. Kernel Mode NTrace:
Tracing NTFS and the I/O manager

Part 2: User Mode NTrace

Part 2. User Mode NTrace:
Tracing COM loading a DLL

Screencasts are around 3 minutes each.

About NTrace

NTrace is the result of Johannes Passing's master's thesis written in 2008 at the Operating Systems and Middleware group of the Hasso-Plattner-Institut at University of Potsdam.

Currently, NTrace is still a a research project and not yet publicly available. If you are interested in using NTrace for academic or commercial purposes, please contact Johannes via email: jpassing at acm dot org.