Uninformed: Informative Information for the Uninformed

Vol 5» 2006.Sep


Installing the Stalker

A walkthrough of installation for Process Stalker and required components will be covered briefly in this document, however, more detailed steps and descriptions are provided in Pedram's supporting manual. The .bpl file generated by the IDA plug-in will spit out a breakpoint list for entries within each block. The IDA plug-in process_stalker.plw must be inserted into the IDA Pro plug-ins directory. Restarting IDA will allow the application to load the plug-in. A successful installation of the IDA plug-in in the log window will be similar to the following:

[*] pStalker> Process Stalker  Profiler
[*] pStalker> Pedram Amini <pedram.amini@gmail.com>
[*] pStalker > Compiled on Sep 21 2006

Generating a .bpl file can be started by pressing Alt+5 within the IDA application. A dialog appears. Make sure that ``Enable Instruction Colors,'' ``Enable Comments,'' and ``Allow Self Loops'' are all selected. Pressing OK will prompt for a ``Save as'' dialog. The .bpl file must be named relative to its given name. For example, if calc.exe is being watched, the file name must be calc.exe.bpl. In our case, pluto.sys is being watched, so the file name must be pluto.sys.bpl. A successful generation of a .bpl file will produce the following output in the log window:

[*] pStalker> Profile analysis 25% complete.
[*] pStalker> Profile analysis 50% complete.
[*] pStalker> Profile analysis 7% complete.
[*] pStalker> Profile analysis 100% complete.

Opening the pluto.sys.bpl file will show that records are colon delimited:

pluto.sys:0000002e:0000002e
pluto.sys:0000006a:0000006a
pluto.sys:0000007c:0000007c