a public question to the owl, concerning a tracer

December 14th, 2000, 20:51
hi owl,
I just wonder if you got my e-mails
I'm actually looking for the best solution :
the tracer's state machine is in the dll I installed into the target's context, and the tracing thread too. Unlike icedump's, I have to send a much bigger structure to the state machine: the eip check is not one single interval but a table of possible addresses that could contain up to 5000 entries. What's the best solution to communicate with my iat resolver? IPC? A mapped file? Something else?
TIA for giving me some detail about the best solution; the reusability of the dll depends a lot on this.
Just to report, I'm currently at the stage of emulating the seh install attempt; I have to say that at this point I could just implement all of icedump's tracer protections.



The Owl
December 15th, 2000, 04:25
yes, i got all your mails (the net is not *such* an unreliable medium after all ;-), but i've been just way too busy this week to even barely think about them - sorry, will do that at the weekend.

December 15th, 2000, 14:46
Take your time, I'm not stuck at this point, I'm just reversing icedump's source to include as many features as possible into my tracer;
the exchanges with my main app can be done later, but I really don't want to make an IPC interface too complicated, this dll must be easily reusable.
best regards,


Lord Soth
December 16th, 2000, 01:28
This question might seem dumb, but what are you coding, tsehp?


December 17th, 2000, 19:21
a module containing the state machine is installed and attached to the target process, then a thread is created to trace some thunkslots;
when the trace is finished, I have to report to my main app the address it found. The main app is another process, so I'm looking for the best way to communicate between the two processes.
If I have a lot of data to transmit, windows messages don't seem very good, so I'm asking for the best solution.

December 18th, 2000, 05:24
Every time I want to exchange a lot of data between processes, I use shared memory between them (that's the way Microsoft APIMON works...).
Obviously you have to protect (synchronize) the accesses to the common memory with a Mutex.

Furthermore, if your injected module is a DLL, it is very easy to build it with a shared section, so you have no need to dynamically allocate the shared memory with the MapViewOfFile API: it is a sort of static shared memory...

Please have a look at http://support.microsoft.com/support/kb/articles/Q125/6/77.asp
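The shared-section approach above, as an added example that is not code from this thread, from icedump or from the KB article: a C sketch of the tracer's shared block (32-bit addresses, table capped at the 5000 entries mentioned in the question) with a cross-process mutex around it. The section name, the mutex name and the field layout are assumptions; off Windows it builds with a plain global and a pthread mutex so the publish/read logic can be exercised anywhere.

```c
/* Constructed example: the tracer's shared block as a DLL data section (see the KB article above). */
#include <stdint.h>
#include <string.h>
#define MAX_ENTRIES 5000u                 /* upper bound on the eip table, as in the question */
typedef struct {
    uint32_t state, count;                /* state: 0 idle, 1 tracing, 2 result ready; count: valid entries */
    uint32_t eip_table[MAX_ENTRIES];      /* candidate addresses found by the trace (32-bit target) */
} shared_block_t;
#if defined(_MSC_VER)                     /* MSVC: put g_shared in a section the linker marks read/write/shared */
#pragma data_seg(".shared")
shared_block_t g_shared = {0};            /* must be initialised or it lands in .bss instead of .shared */
#pragma data_seg()
#pragma comment(linker, "/SECTION:.shared,RWS")
#else
shared_block_t g_shared;                  /* elsewhere: ordinary global, so the layout and checks still build */
#endif
#ifdef _WIN32                             /* cross-process mutex guarding g_shared; the object name is made up */
#include <windows.h>
static HANDLE g_mutex;
static void shared_lock(void) { if (!g_mutex) g_mutex = CreateMutexA(NULL, FALSE, "Local\\tracer_shared"); WaitForSingleObject(g_mutex, INFINITE); }
static void shared_unlock(void) { ReleaseMutex(g_mutex); }
#else                                     /* off Windows: pthread stand-in with the same lock/unlock shape */
#include <pthread.h>
static pthread_mutex_t g_mutex = PTHREAD_MUTEX_INITIALIZER;
static void shared_lock(void) { pthread_mutex_lock(&g_mutex); }
static void shared_unlock(void) { pthread_mutex_unlock(&g_mutex); }
#endif
/* Tracer side: copy the table in and flag the result ready; -1 if it does not fit. */
int shared_publish(const uint32_t *addrs, uint32_t n) {
    if (n > MAX_ENTRIES) return -1;
    shared_lock();
    memcpy(g_shared.eip_table, addrs, n * sizeof addrs[0]);
    g_shared.count = n;
    g_shared.state = 2;
    shared_unlock();
    return 0;
}
/* Main-app side: every process that loads the DLL can write the shared section, so count is
 * bounds-checked here rather than trusted. Returns entries copied, or -1 if nothing usable is ready. */
int shared_read(uint32_t *out, uint32_t cap) {
    int n = -1;
    shared_lock();
    if (g_shared.state == 2 && g_shared.count <= MAX_ENTRIES && g_shared.count <= cap) {
        n = (int)g_shared.count;
        memcpy(out, g_shared.eip_table, g_shared.count * sizeof out[0]);
        g_shared.state = 0;               /* consumed; the tracer may publish again */
    }
    shared_unlock();
    return n;
}
```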


December 18th, 2000, 17:30
thanks dindon,
just what I needed; I didn't know that it was such an easy task with a dll.