Skip to content
/ etherannotate_xen Public

EtherAnnotate Xen Ether Modification - Adds a feature to Ether that pulls register values and potential string values at each instruction during an instruction trace.

6 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

jeads-sec/etherannotate_xen

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
ConvertUTF.c
ConvertUTF.c
 
 
ConvertUTF.h
ConvertUTF.h
 
 
Makefile
Makefile
 
 
README
README
 
 
ether.c
ether.c
 
 
ether.h
ether.h
 
 
ether_main.c
ether_main.c
 
 
ether_main.h
ether_main.h
 
 
etherannotate_xen.diff
etherannotate_xen.diff
 
 
hashtable.c
hashtable.c
 
 
hashtable.h
hashtable.h
 
 
hashtable_private.h
hashtable_private.h
 
 
logdump.sh
logdump.sh
 
 
nativeapi.h
nativeapi.h
 
 
ntapi.l
ntapi.l
 
 
ntapi.y
ntapi.y
 
 
parameters.c
parameters.c
 
 
parameters.h
parameters.h
 
 
parameters.l
parameters.l
 
 
parameters.y
parameters.y
 
 
pe.h
pe.h
 
 
prepare_domain.sh
prepare_domain.sh
 
 
saved_parameters.c
saved_parameters.c
 
 
syscalls.c
syscalls.c
 
 
syscalls.h
syscalls.h
 
 
unpack.c
unpack.c
 
 
unpack.h
unpack.h
 
 
winternl.h
winternl.h
 
 

Repository files navigation

EtherAnnotate Xen Ether Modifications

Prerequisites: 
   * Install Xen and Ether as described here: http://ether.gtisc.gatech.edu/source.html

This is a copy of the modified Ether controller software from the Xen Ether research project.  All modifications have occurred within ether.(c|h) and ether_main.(c|h).  Additional changes were made to the Xen Ether hypervisor to eliminate a double-pause bug which severely limited the speed of EtherAnnotate and these changes are listed in the patch file etherannotate_xen.diff (applying this patch to the Xen Ether hypervisor is highly recommended but should be optional)

Usage:
   1) Run ./ether [dom_id] instrtrace [process_name.exe] > [output_file.trace] in the Xen Ether host
   2) Run [process_name.exe] inside domain [dom_id] and either let it run until termination or kill it explicitly
   3) Close ./ether using CTRL-C and the specialized EtherAnnotate trace file should be complete
   4) Copy [output_file.trace] to a machine with EtherAnnotate IDA Pro plugin installed and follow the instructions for that software (http://github.com/inositle/etherannotate_ida)

About

EtherAnnotate Xen Ether Modification - Adds a feature to Ether that pulls register values and potential string values at each instruction during an instruction trace.

Resources

Readme
Activity

Stars

6 stars

Watchers

2 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages