NTrace is a dynamic function boundary tracing toolkit for Windows NT-based systems on x86. It works on Windows versions from Windows Server 2003 SP1 onward and is capable of tracing both user and kernel mode components.
To trace execution, all that is required are public symbols (.pdb files) — this means that NTrace can not only be used to trace execution of your own modules nut also of Windows system libraries, drivers, and the kernel itself.
NTrace uses a novel approach of instrumenting binary code on the fly by leveraging certain aspects of the Microsoft hotpatching infrastructure. This allows NTrace to be both very robust and fast: On x86, NTrace outperforms DTrace by a factor of almost three!
For a quick walkthrough of NTrace, you can take a look at these screencasts linked to on the right. To learn more about how NTrace works and the performance measurements conducted, please consult the following paper:
In Proceedings of the 16th Working Conference on Reverse Engineering. October 13-16, 2009, Lille, France. To appear.
In most cases, these works may not be reposted without the explicit permission of the copyright holder.
Copyright is held by IEEE Computer Society. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works, must be obtained from the IEEE.
Manager, Copyrights and Permissions / IEEE Service Center / 445
Hoes Lane / P.O. Box 1331 / Piscataway, NJ 08855-1331, USA.
Telephone: + Intl. 908-562-3966.
For a more in-depth discussion of the technical details, you can also read Johannes Passing‘s master’s thesis, which NTrace is the result of:
Master’s thesis, October 2008, Hasso-Plattner-Institut, Potsdam, Germany.
Please write to jpassing at acm dot org to be emailed a copy.