BinTrace is a tool to record and dump traces of an executable program and its data.

The tool is based on the dynamic instrumentation framework PIN from Intel. Currently PIN is only working with the x86 architecture. Additionally, bintrace currently is limited to the Linux platform but will be ported to Windows when there is the need to. Actually, building for Windows might work but is disabled and not tested. As PIN works fine on Windows and bintrace are plugins for PIN things should be straight forward.

Features:

The bintrace tool is organized in a modular fashion and can enable/disable the various tracer plugins using command line parameters, see the README for invokation examples or use the shell script trace.sh with parameter --help for a description of the available tracer plugins and invocation parameters. The tool is able to dump at any time of program execution the executable code images, the Heap, the Stack and the Registers. Additionally the tracer can record the control flow transfers (only dynamically computed ones or all) during the whole program execution. Last but not least it is possible to output a textual dump of the instructions executed and the branches that were taken using this tracer plugin. Additionally, it is possible to record the calls to malloc() and free() and their parameters and return values.

Purpose:

The trace output of bintrace is stored on disk using Google's Protocol Buffers and is meant to be loaded into the BinDead binary analyzer to run an analysis on it.

The Protocol Buffer format can be found in the protocol definition file. From that use the Protocol Buffers compiler to generate readers/writers for the language you need. Current generated bindings are for C++ and Java.