What is Footsteps? An excerpt from the User's Guide introduction is the best way to answer the question.
Footsteps is a tool to peer into the inner workings of any piece of code loaded into Windows, including user mode (ring 3) programs, kernel mode (ring 0) Windows components and device drivers. It has two main components: the Recorder and the Analyzer.
The first one records (literally) the execution of a given piece of code, storing each machine instruction, along with the processor state and any memory operands, in a memory buffer.
The buffer content is then saved to a file, which is fed to the Analyzer. This program creates a readable listing of the instruction stream as well as a summary of the function calls and a cross reference between memory operands and the instructions that operate on them.
By using the hardware debug registers (DR0-DR7) present on x86 CPUs, Footsteps lets the user start the recording at an address of choice in the memory space.
Alternatively, exploiting the data breakpoint feature of the processor (a debug register armed to fire on reads or writes rather than on execution), it can track all accesses to a given memory location, recording only the instructions which touch the specified addresses, thus building a global cross reference list.
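Both recording modes described above rest on the same hardware: DR0-DR3 hold up to four linear addresses, DR7 selects for each one whether it fires on execution, on writes or on reads and writes, and over how many bytes, and DR6 reports which one fired. The C program below is an added example, not code from Footsteps or its SDK; it encodes and decodes those register fields and, when built on Windows, arms one slot on a thread through the documented GetThreadContext/SetThreadContext path with CONTEXT_DEBUG_REGISTERS. All function names (dr7_arm, dr7_disarm, bp_address_ok, dr6_hit_slot, thread_arm_breakpoint) are the example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Condition a debug-register slot fires on: the R/Wn field of DR7. */
typedef enum {
    BP_EXECUTE   = 0, /* instruction fetch at the address (an "execution breakpoint") */
    BP_WRITE     = 1, /* data write */
    BP_READWRITE = 3  /* data read or write (value 2 would be I/O, not used here) */
} bp_kind_t;

/* Build the DR7 bits that arm slot `slot` (0..3, i.e. DR0..DR3) for `kind`
   over `len` bytes. Returns 0 on invalid input. Execution breakpoints must
   use length 1, and a length of 8 is only valid in 64-bit mode. */
uint32_t dr7_arm(unsigned slot, bp_kind_t kind, unsigned len)
{
    unsigned len_bits;
    if (slot > 3) return 0;
    switch (len) {
    case 1: len_bits = 0; break;
    case 2: len_bits = 1; break;
    case 4: len_bits = 3; break;
    case 8: len_bits = 2; break;
    default: return 0;
    }
    if (kind == BP_EXECUTE && len != 1) return 0;
    return (1u << (slot * 2))                        /* Ln:   local enable */
         | ((uint32_t)kind << (16 + slot * 4))       /* R/Wn: condition    */
         | ((uint32_t)len_bits << (18 + slot * 4));  /* LENn: range size   */
}

/* Clear every DR7 bit belonging to `slot` (Ln, Gn, R/Wn, LENn). */
uint32_t dr7_disarm(uint32_t dr7, unsigned slot)
{
    if (slot > 3) return dr7;
    uint32_t mask = (3u << (slot * 2)) | (0xFu << (16 + slot * 4));
    return dr7 & ~mask;
}

/* A data breakpoint must be naturally aligned to its length: the CPU ignores
   the low address bits covered by LENn, so a misaligned range silently
   watches a different span of bytes than the one asked for. */
bool bp_address_ok(uintptr_t addr, unsigned len)
{
    return len != 0 && (addr & (uintptr_t)(len - 1)) == 0;
}

/* After a #DB trap, DR6 bits B0..B3 say which slot fired. Returns the lowest
   set slot, or -1 if none (the trap came from something else, e.g. single-step). */
int dr6_hit_slot(uint32_t dr6)
{
    for (unsigned slot = 0; slot < 4; slot++)
        if (dr6 & (1u << slot)) return (int)slot;
    return -1;
}

#ifdef _WIN32
/* Arm one hardware breakpoint on a thread through the Win32 CONTEXT API.
   The target should be a suspended thread, or a debuggee thread handled from
   a debugger loop; reading the context of the running current thread is not
   reliable. The kernel validates Dr7 when SetThreadContext is applied. */
bool thread_arm_breakpoint(HANDLE thread, unsigned slot, uintptr_t addr,
                           bp_kind_t kind, unsigned len)
{
    CONTEXT ctx;
    uint32_t bits = dr7_arm(slot, kind, len);
    if (bits == 0 || (kind != BP_EXECUTE && !bp_address_ok(addr, len)))
        return false;
    ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS;
    if (!GetThreadContext(thread, &ctx)) return false;
    switch (slot) {
    case 0: ctx.Dr0 = addr; break;
    case 1: ctx.Dr1 = addr; break;
    case 2: ctx.Dr2 = addr; break;
    default: ctx.Dr3 = addr; break;
    }
    ctx.Dr6 = 0;
    ctx.Dr7 = dr7_disarm((uint32_t)ctx.Dr7, slot) | bits;
    return SetThreadContext(thread, &ctx) != 0;
}
#endif

int main(void)
{
    /* Example: an execution breakpoint in slot 0 plus a 4-byte write watch in
       slot 1; print the combined DR7 and decode a DR6 reporting slot 1. */
    uint32_t dr7 = dr7_arm(0, BP_EXECUTE, 1) | dr7_arm(1, BP_WRITE, 4);
    printf("DR7 = 0x%08x, slot hit for DR6=0x2: %d\n", dr7, dr6_hit_slot(0x2));
    return 0;
}
```

Two limits follow directly from the register layout and apply to any tool built on it: at most four addresses can be watched at once, and a data watch covers an aligned range of 1, 2 or 4 bytes (8 on x64), so tracking a larger structure means choosing which fields to watch. On Windows a hit is delivered to a user-mode debugger as an EXCEPTION_SINGLE_STEP, the same code a trap-flag step produces, which is why the DR6 decode above is needed to tell them apart. A ring-0 recorder writes the registers directly rather than through this API, but the bit layout is the same.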
Footsteps accomplishes this on a live system, and there's no need for a second PC, as is the case when using a kernel debugger.
Additionally, Footsteps comes with an SDK which you can use to write your own control applications. For instance, you could write an application that automatically records a function of choice and saves the recording, repeating the process with different input parameters. This could be used to count the instructions executed under different conditions, for performance evaluation purposes.
Do you want to know more? Go on reading the User's Guide introduction.
Do you want to try it? Click here to download it. This package also contains the complete user guide.