The ERESI tracer library : libetrace

The ERESI tracer library is an embedded tracing library that furnishes a high-level API for tracing programs without any OS-level support (without ptrace) by injecting a minimalistic tracer code into the target binary program. Libetrace is designed to allow tracing of programs on hardened production systems at full frequency of execution without stepping and without relying on a pre-existing debug API. Its features are scriptable directly from the ERESI runtime system and integrated into Etrace.

The main features of the ERESI tracer library are:

  • Capability of tracing without a pre-existing function signature database.
  • Capability of creating sets of functions to be traced (called a trace).
  • Capability of managing traces using regular expressions over function names.
  • Capability of enabling or disabling traces.
  • Capability of enabling or disabling a function within a trace.
  • Capability of automatically excluding special problematic functions from tracing.
  • Capability of using debug information when available (not mandatory) for better output.

Latest news for libetrace

July 3 2008 Libetrace now contains the whole tracing API.
January 1 2008 Libetrace was unmerged from libelfsh.

Portability of libetrace

Architecture        INTEL   SPARC32   SPARC64   MIPS32   Others
Traces support      Yes     Yes       Yes       Yes      Yes
Argument counting   Yes     No        No        No       No

Unavailable features are open to contributions, provided someone else has not already taken over the implementation of the feature on the bts.

Dependencies

The ERESI tracer library depends on other components from the ERESI framework:

  • libelfsh : the ELF shell library, for injecting the tracer into the traced binary.
  • libedfmt : the ERESI debug format library, for grabbing debug information when available.
  • libaspect : the ERESI support library, for exporting its hash table and profiling API.

Articles featuring libetrace

The algorithm behind Etrace and libetrace is detailed in a (quite) recent article of ours. However, that article focuses more on Etrace itself than on libetrace, since libetrace was only recently unmerged from libelfsh.

  • Next generation debuggers for reverse engineering

Etrace is an embedded tracer built for tracing both internal and external calls. Most tracers do not trace internal calls because they rely on a statically stored list of function prototypes. While such a list gives correct prototypes for the functions it knows, it cannot deal with unknown functions. Etrace is built to deal with every function, which means you do not have to create a function prototype database.
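To make the trace semantics from the feature list concrete (a trace as a regex-selected set of functions, enabling and disabling a trace or a single function, automatic exclusion of problematic functions, and an entry hook that needs no prototype database), here is a small in-process tracer written as an added example. It is not ERESI or libetrace code: instead of injecting a hook into the binary, the entry hook `tracer_enter` is called explicitly from a constructed sequence of call events, and the names `trace_create`, `trace_set_enabled`, `function_disable`, `should_trace` and the exclusion list are assumptions made for this example, not the library's API.

```c
/* Minimal in-process call tracer modelled on the libetrace feature list.
 * Illustrative example, not ERESI code: entry hooks are called explicitly
 * here rather than being injected into the traced binary. */
#include <regex.h>
#include <stdio.h>
#include <string.h>

#define MAX_TRACES   8
#define MAX_DISABLED 16
#define MAX_LOG      64
#define NAME_LEN     64

/* A "trace" is a named set of functions selected by a POSIX extended regex. */
typedef struct {
    char    name[NAME_LEN];
    regex_t pattern;
    int     enabled;
} trace_t;

static trace_t traces[MAX_TRACES];
static int     ntraces;

/* Functions disabled individually, regardless of trace membership. */
static char disabled[MAX_DISABLED][NAME_LEN];
static int  ndisabled;

/* Constructed exclusion list: hooking these would recurse into the tracer
 * or run before it is initialised, so they are never traced. */
static const char *excluded[] = { "tracer_enter", "_init", "_start" };

/* Call log: one entry per recorded function entry. */
static char log_name[MAX_LOG][NAME_LEN];
static int  log_argc[MAX_LOG];
static int  nlog;

/* Create a trace selecting every function whose name matches regex. */
int trace_create(const char *name, const char *regex)
{
    if (ntraces >= MAX_TRACES) return -1;
    trace_t *t = &traces[ntraces];
    if (regcomp(&t->pattern, regex, REG_EXTENDED | REG_NOSUB) != 0) return -1;
    snprintf(t->name, sizeof t->name, "%s", name);
    t->enabled = 1;
    return ntraces++;
}

/* Enable or disable a whole trace by name. */
int trace_set_enabled(const char *name, int enabled)
{
    for (int i = 0; i < ntraces; i++)
        if (strcmp(traces[i].name, name) == 0) { traces[i].enabled = enabled; return 0; }
    return -1;
}

/* Disable one function even if a trace covers it. */
int function_disable(const char *fn)
{
    if (ndisabled >= MAX_DISABLED) return -1;
    snprintf(disabled[ndisabled++], NAME_LEN, "%s", fn);
    return 0;
}

static int is_excluded(const char *fn)
{
    for (size_t i = 0; i < sizeof excluded / sizeof excluded[0]; i++)
        if (strcmp(excluded[i], fn) == 0) return 1;
    return 0;
}

static int is_disabled(const char *fn)
{
    for (int i = 0; i < ndisabled; i++)
        if (strcmp(disabled[i], fn) == 0) return 1;
    return 0;
}

/* A function is traced when it is neither excluded nor disabled and at
 * least one enabled trace matches its name. No prototype lookup is needed. */
int should_trace(const char *fn)
{
    if (is_excluded(fn) || is_disabled(fn)) return 0;
    for (int i = 0; i < ntraces; i++)
        if (traces[i].enabled && regexec(&traces[i].pattern, fn, 0, NULL, 0) == 0)
            return 1;
    return 0;
}

/* Entry hook. argc stands in for the argument count the library derives
 * from the binary (INTEL only, per the portability table). */
void tracer_enter(const char *fn, int argc)
{
    if (!should_trace(fn) || nlog >= MAX_LOG) return;
    snprintf(log_name[nlog], NAME_LEN, "%s", fn);
    log_argc[nlog] = argc;
    nlog++;
}

int         tracer_log_count(void)      { return nlog; }
const char *tracer_log_name(int i)      { return log_name[i]; }

/* Demo over a constructed sequence of call events (not real execution).
 * Returns the number of entries recorded. */
int run_demo(void)
{
    trace_create("io", "^io_");
    trace_create("parse", "^parse_[a-z]+$");
    function_disable("io_flush");

    tracer_enter("_start", 0);        /* excluded: never traced */
    tracer_enter("io_read", 3);       /* traced by "io" */
    tracer_enter("io_flush", 1);      /* individually disabled */
    tracer_enter("parse_header", 2);  /* traced by "parse" */
    tracer_enter("helper", 0);        /* internal call, no trace covers it */
    trace_set_enabled("parse", 0);
    tracer_enter("parse_body", 2);    /* trace "parse" now disabled */
    tracer_enter("io_write", 3);      /* traced by "io" */

    for (int i = 0; i < nlog; i++)
        printf("%s argc=%d\n", log_name[i], log_argc[i]);
    return nlog;
}

int main(void) { return run_demo() == 3 ? 0 : 1; }
```

Running the demo records three entries (`io_read`, `parse_header`, `io_write`): the excluded, individually disabled and trace-disabled calls are dropped at the hook, and `helper` is skipped only because no trace selects it, not because its prototype is unknown.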