Instream
Instream prints the flat-line instruction stream of an executing program, the sequence of instructions that actually gets executed. Like single-stepping through it with a debugger (you can achieve something similar with GDB scripting). This implementation uses the hardware single-stepping feature (a.k.a. MSR tracing) of modern processors to do its job efficiently.
Example
$ tar xf instream-0.1.tar.gz $ cd instream-0.1 $ make $ ./instream ./hello | less [7174] Done attaching onto 7176 Target received signal 19 Target received signal 19 Entry point: 400410 400410 (02) 31ed XOR EBP, EBP 400412 (03) 4989d1 MOV R9, RDX 400415 (01) 5e POP RSI 400416 (03) 4889e2 MOV RDX, RSP 400419 (04) 4883e4f0 AND RSP, -0x10 40041d (01) 50 PUSH RAX 40041e (01) 54 PUSH RSP 40041f (07) 49c7c090054000 MOV R8, 0x400590 400426 (07) 48c7c120054000 MOV RCX, 0x400520 40042d (07) 48c7c7fd044000 MOV RDI, 0x4004fd 400434 (05) e8b7ffffff CALL 0x4003f0 ...
It should be possible to build Instream with just a C compiler, all dependencies are bundled with the source.
Notes
The mechanism Instream uses is to take control of the target through ptrace, open the ELF file to find its entry point, and inject code at the entry point. This code enables the hardware tracing features. It would be straightforward to instead turn on tracing once the target reaches a given address, or to trace at the per-branch level instead (and disassemble more code). Distorm3 is used for code disassembly (it is included in the source archive below).
Downloads
- instream-0.1.tar.gz (461 KB): Source code and repository for version 0.1 (April 2014)