A simple example of determining the process ID of a Windows process and running a trace on it is shown in the following:
# tasklist /FI "IMAGENAME eq calc.exe"

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
calc.exe                      1844 Console                    0      2,704 K

# ./process_stalker -a 1844 -b calc.exe.bpl -r 0 --one-time --no-regs
For brevity, the console output of process_stalker is omitted. The example shows how a process ID is obtained with the Windows tasklist command (1844 for calc.exe here) and then passed to process_stalker with the -a option, which attaches the tracer to that process and starts the trace. The -b option names the breakpoint list, calc.exe.bpl in this case, which was previously generated with the IDA plug-in component of Process Stalker; it tells the tracer which addresses in the target to set breakpoints on. Two practical checks before starting: an IMAGENAME filter can match more than one process, so confirm that the PID you pass belongs to the instance you mean to trace, and the breakpoint list must have been generated from the same binary that the running process loaded, otherwise the recorded addresses will not line up with the code you are tracing. Once a trace is complete, the post-processing utilities (a set of Python scripts) process and merge the trace results to yield graphs annotated with the gathered trace data.
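The same two steps driven from a script, as an added example that is not part of the book or of the Process Stalker distribution. It parses tasklist output in its machine-readable form (tasklist's /FO CSV and /NH switches are real options), refuses to guess when the image-name filter matches zero or several processes, and builds the exact process_stalker command line shown above. The sample tasklist output, the function names and the process_stalker path are assumptions for the example.

```python
"""Drive a Process Stalker run from `tasklist` output (added example).

Only `tasklist /FI ... /FO CSV /NH` is a real command; the sample output,
the helper functions and the process_stalker path are assumptions.
"""
import csv
import io
import subprocess
from typing import List

# Constructed sample of `tasklist /FI "IMAGENAME eq calc.exe" /FO CSV /NH`
# output. Two calc.exe instances are included on purpose: an IMAGENAME
# filter is not guaranteed to return exactly one process.
SAMPLE_TASKLIST_CSV = (
    '"calc.exe","1844","Console","0","2,704 K"\n'
    '"calc.exe","2012","Console","0","2,688 K"\n'
)


def pids_for_image(csv_text: str, image: str) -> List[int]:
    """Return every PID whose image name equals `image`.

    The comparison is case-insensitive, matching tasklist's own filter.
    Non-CSV lines such as "INFO: No tasks are running which match the
    specified criteria." have a single field and are skipped.
    """
    pids = []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 2:
            continue
        name, pid = row[0], row[1]
        if name.lower() == image.lower() and pid.isdigit():
            pids.append(int(pid))
    return pids


def select_pid(pids: List[int]) -> int:
    """Insist on exactly one match: tracing the wrong instance wastes a run."""
    if not pids:
        raise LookupError("no process matched the image-name filter")
    if len(pids) > 1:
        raise ValueError(f"ambiguous image name, candidate PIDs: {pids}")
    return pids[0]


def stalker_cmdline(pid: int, bpl: str,
                    stalker: str = "./process_stalker") -> List[str]:
    """Build the process_stalker argv used in the text: attach to PID (-a),
    use the IDA-generated breakpoint list (-b), recorder mode 0 (-r 0),
    one-time breakpoints and no register contexts."""
    return [stalker, "-a", str(pid), "-b", bpl, "-r", "0",
            "--one-time", "--no-regs"]


def main(image: str = "calc.exe", bpl: str = "calc.exe.bpl") -> None:
    # Live path: runs tasklist and then process_stalker (Windows only).
    out = subprocess.run(
        ["tasklist", "/FI", f"IMAGENAME eq {image}", "/FO", "CSV", "/NH"],
        capture_output=True, text=True, check=True).stdout
    pid = select_pid(pids_for_image(out, image))
    argv = stalker_cmdline(pid, bpl)
    print("launching:", " ".join(argv))
    subprocess.run(argv, check=True)


if __name__ == "__main__":
    main()
```

On the sample output select_pid raises ValueError because two calc.exe instances are present; narrow the filter (for example with tasklist's PID or WINDOWTITLE filters) or pick the PID by hand, as the text does, before attaching.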
Profiling Tools
Profiling tools are used to develop statistics about how much time a program spends in various sections of code. This might include information on how frequently a particular function is called, and how much execution time is spent in various functions or loops.

Chapter 14: Advanced Reverse Engineering
Gray Hat Hacking: The Ethical Hacker's Handbook