Steps through the debuggee and stops execution at conditional jumps. The output is printed to the log file in x64dbg.
# taken from https://gist.github.com/deeso/44e6dc40ea7a4d77fc458742eb96f4c1
from x64dbgpy import pluginsdk
import x64dbgpy.pluginsdk._scriptapi as script
def loadBytes(va, count):
    """Read ``count`` bytes of debuggee memory starting at ``va``.

    The value returned by ``script.Read`` is converted to a list, giving one
    element per item that iterating the result yields.
    """
    raw = script.Read(va, count)
    return list(raw)
def disasm_at(addr):
    """Disassemble the instruction at ``addr`` and return the record.

    A fresh ``DISASM_INSTR`` is allocated and handed to ``DbgDisasmAt``, which
    is expected to populate it; the call's own return value is not used.
    """
    record = pluginsdk.x64dbg.DISASM_INSTR()
    pluginsdk.x64dbg.DbgDisasmAt(addr, record)
    return record
def check_ifStopExec(ea):
    """Return True when the two bytes at ``ea`` are ``0F 80`` .. ``0F 8F``.

    That opcode range is the near (rel16/32) encoding of the x86 conditional
    jumps.  NOTE(review): the short encoding (opcodes 70..7F) and any
    instruction that starts with a prefix byte do not match this test, so a
    trace built on it steps past them.
    """
    # Both bytes are always read, regardless of the value of the first.
    first = pluginsdk.memory.ReadByte(ea)
    second = pluginsdk.memory.ReadByte(ea + 1)
    if first != 0x0f:
        return False
    return 0x80 <= second <= 0x8F
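def main(force=False):
    """Single-step the debuggee, logging each instruction, until a stop point.

    After every ``StepIn`` the instruction at the new RIP is printed as
    ``address: hex bytes  disassembly``.  The loop ends when

    * RIP has bits 28-30 all set and ``force`` is false,
    * ``check_ifStopExec`` matches the bytes at RIP, or
    * the script is interrupted (``KeyboardInterrupt``).

    There is no step limit: if none of these happens the trace keeps running.

    Args:
        force: when true, keep tracing even if the address test matches.
    """
    try:
        while True:
            pluginsdk.debug.StepIn()
            ea = pluginsdk.register.GetRIP()

            # NOTE(review): this only inspects bits 28-30 of the address. It
            # looks like a heuristic for the 32-bit system DLL range; on a
            # 64-bit target those bits are presumably unrelated to module
            # ownership, so confirm before relying on it.
            if ea & 0x70000000 == 0x70000000 and not force:
                print("In system library addr space, so returning control to user: 0x%08x" % ea)
                break

            disasminstr = disasm_at(ea)
            # ord() implies loadBytes yields one-character strings here.
            instrbytes = "".join(
                "%02x " % ord(c)
                for c in loadBytes(ea, disasminstr.instr_size)
            )
            print("%0.8x: %-15s %s" % (ea, instrbytes, disasminstr.instruction))

            # Log the matching instruction first, then hand control back.
            if check_ifStopExec(ea):
                break
    except KeyboardInterrupt:
        # An interrupt is treated as a normal way to end the trace.
        pass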
# Start tracing as soon as the script is executed; force keeps its default (False).
main()