Frequently Asked Questions

Question: What are the system requirements for running Etch?

Answer: To run Etch, you'll need Windows NT 4.0 or Windows 95, 32 MB of physical memory, and a large swap file. We estimate that a large binary like WinWord needs at least 150 MB of swap space.

Question: What are the system requirements for writing tools in Etch?

Answer: In addition to the requirements listed above, you'll need: Microsoft Visual C++ to develop the tools and Microsoft Access to modify the database tables that the user interface uses. You will also install Visual Basic to guarantee that you have all the files needed for Visual Etch.

Answer: You can see the details of the current Etch execution in the "Check List" and "Run Details" windows of the Visual Etch "Running Experiment" window. In addition, you can see in detail exactly what command Etch is executing by selecting "Status Windows | Console.." from the menu options in the Running Experiment window. Be patient, sometimes it takes a while for Etch output to be reflected in the console window. You can also look in the task manager window to see if Etch is making progress.

Answer: Yes. However, you'll need to make sure that you are not using the same project, nor sharing temporary directories. By default, Visual Etch places its project directory in a temporary directory under the system directory that is called username.temp (for a specific "username"), so this normally is not an issue.

Question: What kinds of binaries can I etch?

Answer: You can etch 32-bit PE format Windows binaries, including both executables and DLLs. Certain kinds of instruction sequences found in hand-written assembly language will fail when Etched, but these sequences occur rarely in practice. Examples include self-modifying code, code that jumps into the middle of an instruction, and code that uses pointers to instructions to refer to data.

Question:Does Etch work on 16 bit codes?

Answer: No. If you notice that a program is using a DLL called something like "foo16.dll" then you have a strong clue that it is relying on 16-bit code; since Etch does not support 16-bit code, that DLL should be omitted from the list of DLLs to be etched and patched (using the Modules window).

Question: Can I etch an already-etched binary?

Answer: Yes, although this is not currently supported directly through the Visual Etch interface. Etching an etched binary requires special naming and special modifications to the tools you will use.

Question: Can Etch be used with multithreaded programs?

Answer: There should be no problem using Etch on multithreaded programs, provided that the tool to be used is thread safe. Specifically, if your tool manipulates shared data structures, then the tool should enforce whatever locking is required to access those data structures.

Question: Can I run Etch on a multiprocessor?

Answer: Probably, but we have not tried it yet.

Question: What additional link flags do I need to specify when using MSVC 5.0 so that I can produce object files that Etch can process?

Answer: If you are linking from the command line, then you need to add the flag "/fixed:no" to your link command. If you are linking from within msdev, then you need to add the flag to your project settings: invoke the "Project->Settings" menu command, select the "Link" tab in the dialog that appears, and then add the flag "/fixed:no" to the "Project Options" text window at the bottom right of the window.

Question: I want to instrument a DirectDraw application and the DLLs that it loads. Do I have to do anything special?

Answer: By default, Etch transforms every DLL used by the program, say "foo.dll", into either "foo-patch.dll" or "foo-etch.dll". The "-patch" DLL is created when the user specifies that foo.dll is not to be etched. Although the code for the DLL is not changed, we modify the imports used by the DLL, therefore we produce a new version with a new name. The "-etch" DLL is created when Etch modifies the code within the specific DLL.

Question: What if I don't want to change the names of programs or DLLs when they have been etched?

Answer: The UI supports this directly from the Modules screen; select "Use Original Module Name" for the component you wish not to rename. However, if you do this for DLLs, then you will get in trouble if your analysis routine also uses the DLL, because your analysis routine will end up instrumenting itself (which will be like a dog chasing its tail). There is no problem doing this for executables.

Question: Suppose my runtime analysis code relies on a function in a DLL that has been etched. What happens?

Answer: By default, Etch renames DLLs (eg, foo.dll becomes foo-etch.dll). In addition, your analysis code will be linked against the unetched version of the DLL. Consequently, your analysis code will be using a different DLL than your program. As long as the DLL is written in such a way that it can withstand being loaded twice (with different names at different address) into the same address space, then everything should work fine. If, though, the DLL is sensitive to its name or location, or somehow shares with other DLLs through a non-standard interface, then this multiple loading of the same DLLs may cause problems.

Question: My program (and the DLLs it links with) loads lots of DLLs explicitly with the Win32 LoadLibrary call. Will it run properly after being etched?

Answer: Yes, although you will have to help Etch identify the set of DLLs used by your program. While Etch can automatically find the set of DLLs that are loaded statically by your program, there is no systematic way to find every dynamically-loaded DLL. The DLLwatch tool is, however, an effective way to do this.

Question:What happens if I fail to tell Etch about DLLs used within my program?

Answer: Problems can be caused when a DLL references another DLL that was neither etched nor patched (e.g., a DLL dynamically loads another DLL that was not listed in the Modules window). This is because the second DLL may in turn include references to other DLLs that themselves have been etched. But, since the second DLL has not itself been modified, it will include references to unetched versions of those otherwise etched DLLs, resulting in two (or more) versions of the same DLL executing in the instrumented address space.

It may be important for a program to not refer to both the instrumented (or patched) and uninstrumented (or unpatched) versions of the same DLL. To test for this, use the DLLwatch tool in order to find the DLLs loaded by the application. Or, use the monitor program to discover the set of DLLs loaded into the address space as the program runs (you can invoke monitor using the "create command shell" option from the UI). You should add any DLLs as appropriate to the list of DLLs shown in the "Modules" window.

Answer: There are a variety of problems that could cause an etched program to fail. Here, we describe some of the individual problems you can run into and present point solutions.

Some specific problems

• Problem: The original target program was not installed correctly. Test for this by running the original (unetched) target program to verify that it runs. If not, reinstall the target software.

• Problem: Etch produces the message "The application failed to initialize properly." It is possible that there is a bug in the tool runtime code, e.g., a bad pointer that is dereferenced in ProgramBefore or in per-instruction instrumentation code. In this case, use the Microsoft Visual C++ debugger to debug the tool. To invoke the debugger from the command line, use the create command shell option from the UI. This will create a window in the directory containing the etched binary, where you can type:

  > msdev target.exe

  While debugging symbols are not available for the etched program, they are available for the tool runtime code. You can simply open the source file for the tool and set a breakpoint at the appropriate line. In some cases it is easier to debug by writing a standalone program that invokes the tool directly, rather than from etch.

• Problem: The application and the tool both perform floating point operations, but the save floating point context option is off. In this case, you must turn on save floating point context option. Saving and restoring the floating point state costs hundreds of cycles per call. If performance is a concern, remove floating point operations from the tool if possible.

• Problem: The application or one of its DLLs refers to data above the top of the stack. Turn off the fast context save option. This will preserve 48 bytes above the top of the stack when making calls into the tool runtime code.

• Problem: The application is referring to both instrumented and uninstrumented copies of DLLs. This might happen if the full set of DLLs was not identified when the program was etched. To test for this, use the DLLwatch tool (but exclude all DLLs from etching) in order to monitor the program for calls to LoadLibrary and GetModuleHandle. Or, use the monitor program to discover the set of DLLs loaded into the address space as the program runs. Invoke this using the create command shell option from the UI, as described for msdev above. Finally, add any DLLs as appropriate to the list of DLLs known to the UI.

• Problem: There is a conflict between DLLs used by both the application and the tool. Typically this occurs when your tool uses a DLL that is also used by your target program, and the DLL has been etched. Because Etch ensures that your tool will use the unetched version of the DLL, you can end up with two copies of the DLL active in your address space.

• Problem: I've looked at all of the problems listed above and nothing seems to get the application running. It is possible that a (not yet identified) bug in Etch could have introduced a bug into the application when instrumenting either the executable or one of its DLLs. First, check to see if you can execute the application using the null instrumentation tool. If this tool does not work, then the problem is likely the way that the application is being invoked by etch, rather than a problem with Etch code modification and rewriting. If this tool does work, however, then check to see if a bug was introduced into the executable.

  Here's a short list of things to check in order to get your etched application running:

  • Does the original (unetched) program run? If the original program does not run when invoked from the command line, then the problem is with the program, not with Etch. Fix the program and try again.

  • Does the program run when invoked from within the Visual Etch user interface? To see, choose the "run original" action option from the UI. If the program does not run, then it cannot be invoked from Visual Etch. (Some Microsoft networking services have this problem). In general, this means that certain environment variables need to be set in order for the program to run.

    In this case, you may need to run this program from the command line. To do this, first etch the application as normal, using the UI. Second, open up a command window in the cache directory. Third, set your environment variables as necessary and run "etch-run-me.bat" from that directory.

  • Does the tool work? If you're using a tool whose correctness you suspect, try using a different tool. Our favorite simple tool is "instruction count." If this works, then the problem is most likely with your tool. Try a few more simple tools (e.g., data references, opcode histogram). If other simple tools work, then the problem is definitely with the tool you've specified.

  • Was there a problem when etching the application executable? Check the "problems" window to see if there is an error message indicating that the primary executable could not be etched. If such a message exists, then this program cannot be etched.

  • Does this program have a dependency on the name used for its executable file? Some programs rely on having a specific name; for example, Adobe's Acrobat Reader expects to be called acrord.exe. By default, Etch changes the name of any file it touches (it does this to make it easy for you to determine which versions of the programs you are working with; for DLLs, it does this to defeat the NT DLL sharing logic, which would have your program use a non-etched DLL were that DLL loaded, and would have future programs use your etched DLL, were your etched program still running). Go to the Modules window and check the "Use Original Module Name" for the primary executable. (Notice: DO NOT DO THIS FOR DLLs, AS THIS CAN CAUSE BAD BEHAVIOR WHEN ATTEMPTING TO LOAD AN ETCHED DLL FOR WHICH THE UNETCHED VERSION HAS ALREADY BEEN LOADED BY ANOTHER PROCESS).

    If the program executes when you do not rename the executable, then you've solved the problem. From now on, do not rename the executable when etching this program.

  • Does the executable access text or stack memory in bad ways? Select the "check data references" tool, select the "Modules" window, and disable the etch option for all DLLs. The "check data references" tool will report on any program data references to the instrumented text segment or to unused addresses on the stack. Both can cause a program to fail. If such a reference occurs, this program may not be etchable.

  • Was there a problem when etching the DLLs? Check the problems window. Is there an error message naming one of the program's DLLs? If so, then deselect Etch option for the DLL from the "Modules" window and try running again. You should still include the patch option.

  • Did the program ever reference a DLL that was not etched? An etched program will complain via a dialog window if it references any DLLs that have been neither patched nor etched. If you see such a window, add the DLL named in the dialog into the Modules list and try again.

  • Is the problem related to transforming the code in a DLL or is it related to creating new versions of a DLL? The "Dll Test" tool will determine if the problem is in the way that the code is being transformed or in the changing environment that Etch creates. Select the Dll Test tool as an action and execute it. If the program executes correctly, then the problem is not with Etch environment management; instead the problem likely lies with the tool or is caused by a program behaving badly with respect to its code segment.

  • Does the program run if DLLs are not etched? First, try to determine if there is a bad executable. To do this, rerun the "Check Data References" tool described above, but this time include all of the DLLs. If this tool reports a bad reference, then remove the offending DLL from the Modules list and try again. Repeat until there are no more offending references. Rerun your original experiment. If everything works, you've identified DLLs that cannot be etched with this program. (Note that if used to check OLE32.DLL, the check references tool may report an illegal reference to the text section of the executable. It turns out that in practice this reference will not affect the correct execution of the etched executable.)

    If you don't see a bad data reference, then it's possible that Etch is failing to correctly transform one or more DLLs. You now need to determine which DLL, when etched, is causing the problem. Again, use a simple tool (e.g., instruction count) to make sure that the tool is not causing the problem. To determine which DLL is bad, use whatever search strategy you like. The simplest approach is to begin with all of the DLLs Patched but not Etched. Then enable etching of the DLLs one at a time, running Etch on the executable plus the previously "known good" DLLs. When you discover that the DLL you just added is causing trouble, disable etching on that DLL. Eventually, you will come up with a set of DLLs that can not be included.

    This failure indicates that one of two things is happening: either you have specified a DLL that can neither be etched nor patched, or you are specifying a DLL that can be patched, but not etched. Both problems reflect bugs in Etch, but at different levels. In the first case, Etch is failing to recreate the DLL environment that NT and the program is expecting. In the second case, Etch is failing to faithfully transform the executable. Note that the second case could be caused by a badly-behaving executable (e.g., one that operates on its text segment).

    More than likely, though, the problem is with code discovery. By default, Etch uses an aggressive code-discovery algorithm to find as much code as possible in the executable and the DLLs. At times, the algorithm may be overly aggressive, misinterpreting some data as code. To see if this is happening, go to the Modules menu, re-enable etching on the offending DLLs you discovered from the previous step, but disable "Aggressive code discovery." Rerun the program. If everything works, then you've discovered a problem with code discovery and should contact the developers.

  • Is the problem with a DLL that cannot be patched? There are a few DLLs that NT is intimately involved with (e.g., user32.dll, ntdll.dll, and kernel32.dll). We believe we've found all of these, but there may be others. In these cases, attempts to use an etched or patched DLL will fail, either quietly, or with an error. Often, you can simply omit the DLL from the experiment altogether (by neither etching nor patching). If this does not work, then the program is likely to be unetchable. In either case, please report the error to the developers.

Answer: You don't have sufficient permission to system files and resources required to install Visual Etch. You need to increase your privileges either as administrator on your NT box, or by contacting your local system administrator.

Problem: When I start Vetch, I get an error message "Object so-and-so not found."

Answer: You probably don't have Visual Basic installed correctly. Reinstall VB.

Problem: The graphing option on the output does not work.

Answer: Install a current version of Visual Basic (at least version 4.0) to get the current versions of the DLLs the UI requires. Older versions of the DLLs exist in the system directory and need to be updated.

Answer: All of your program's output can be viewed in the console window. To see it, choose "Console Window" from the options menu in the Etch control window. Much of the output to the console is from Etch and not from your program, so you must scroll down the console until you find the program-generated outputs.

Question:How do I integrate DLLwatch output for a program that I've run outside of the UI?

Answer: Since some programs may not be run from within the UI, it may be necessary to run DLLwatch on your program directly from the command line. Normally, the output from DLLwatch goes into %WORKINGDIR%\dllwatch.output (%WORKINGDIR% is the current experiment folder), so that it can be processed by the UI. In order to do this same function manually, you will need to run (from the same directory where you ran etch-run-me) the program etch-dllwatch-filter (which can be found in the etch\bin directory). After you've done this, you can then import the results from the run using the "options|add explicitly loaded modules" menu option in the Modules window.

Question: How do I create a standalone version of an etched application, that is, a completely self-contained directory that holds everything that the application needs to execute?

Answer: Visual Etch assumes that an etched application will run in the context of Visual Etch -- in particular, it assumes that certain DLLs are on the path.

However, in some cases you may want to run an etched application without making changes to the path or other parts of the environment, in which case these assumptions will not hold. The simplest solution to this problem is to collect all of the requisite DLLs into a single directory. For example, if you've etched Netscape, you could create a copy of the Netscape directory tree, and copy the etched application (netscape-etch.exe) and all of the associated DLLs into the same directory as netscape.exe in the copy of the Netscape directory tree..

Setting up the directory is reasonably straightforward:

• Copy the entire contents of the Visual Etch experiment directory (found by opening a command prompt in the experiment directory from within Visual Etch) to the target directory.

• Change the lines in the etch.config file from pointing to modules in the original application directory to instead point to the modules in the target directory.

• Copy the runtime DLL for the tool used to instrument the program into the target directory. Also, copy any auxiliary DLLs used by the tool. For most tools this will just consist of utils.dll. The tool DLLs and utils.dll can be found in %ETCHROOT%\apps\bin\.

• Copy the Etch runtime DLL etchwrap.dll and etchrt.dll into the target directory.

....EXPERIMENT...> COPY * <target>
....EXPERIMENT...> CD <target>
...target...>notepad etch.config (change first line of 
                 etch.config to <target>\winword-etch.exe)
...target...> COPY %ETCHROOT%\apps\bin\countiref-rt.dll .
...target...> COPY %ETCHROOT%\apps\bin\utils.dll .
...target...> COPY %ETCHROOT%\bin\etchwrap.dll .
...target...> COPY %ETCHROOT%\bin\etchrt.dll .

Question:I wrote a tool and provided a routine in the tool runtime DLL (say, ProgramBefore), and I implement the InstrumentProgram callback in the tool instrumentation DLL. At runtime, though, my ProgramBefore function is never called. What's going on?

Answer: It is possible that you forgot to export your InstrumentProgram callback. Etch can only make callbacks to functions that are exported by the tool instrumentation DLL -- even if InstrumentProgram is implemented, if it is not exported then Etch cannot call it.

Question:I wrote a tool that exports a runtime call WatchInstruction. But when I run Etch, I get the message, "WatchInstruction not found". How can this be?

Answer: The most likely explanation is that your runtime function is a C++ function, and has had its name mangled. You should surround the DllExport declaration of the function with an 'extern "C" { } '.

Answer: The ArgEtchedImageBase argument type can be used to uniquely identify DLLs. This value is the actual base address of the etched module at runtime, and so is guaranteed to be unique.

Or, you can pass constant strings to runtime routines through the ArgConstString argument type, so you could simply determine the module name (with GetEtchedModuleName) in InstrumentInit, and then pass this string in on each call to InsertCall(CheckInst,...). The ArgString argument type would not be a good solution for this particular problem, because it would allocate space for a new copy of the string for each call to InsertCall(CheckInst,...).]

Question: Does Etch handle synchronization? For example, I have instrumented each instruction to bump a counter. Does Etch worry about the fact that different threads will be changing the value of this counter and hence the existence of a race condition?

Answer: Etch does not handle this; synchronization is entirely the responsibility of the tool writer. Some of the example tools provided with Etch do not take care of synchronization, and hence could report incorrect results when used with a multi-threaded application.

Question: I followed all the directions for creating a new tool, and wrote my own perl script called "mytool.pl". Now whenever I try to etch any application from the UI, using *any* tool, I get the message "Etch process exited prematurely". There is no output in the console window. What did I do wrong?

Answer: You forgot to put a "1;" as the last line of mytool.pl. (This is needed for Perl's mechanism for including files to work properly.)

Question: What does the "Check Data References" tool do?

Answer: It looks for two types of potentially harmful references. First, it checks for references to the instrumented text section. The uninstrumented program should not know that there is an instrumented text section. Second, it checks for references above the stack. Because we save state on the stack before calling instrumentation code, it looks for those references and determines whether saving an additional 48 bytes above the stack will help.

Question: I get a runtime error message "instruction at x touched y. the address could not be read/written". Shouldn't the checkrefs tool have caught this?

Answer: Not necessarily. The check data refs tool does not check for all conditions that lead to an incorrect execution. The check data refs tool only checks for two cases (see above). The fault above could be due to an entirely different problem.

Question: Can I debug an etched program?

Answer: Etch does not maintain debug information when it Etches an executable. Consequently, symbolic debugging is impossible. Machine-language debugging can of course be used. Note that if your runtime analysis routines include debug information, then they can be symbolically debugged.

Question: When an etched binary falls into the debugger, how can I change the "just-in-time" debugger that is invoked when an application generates an exception and asks you to "click Cancel to debug."

Answer: You can change this as follows: (1) run the registry editor -- regedt32.exe, (2) find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\Current Version\Ae Debug, (3) change the value "Debugger" to C:\msdev\bin\msdev.exe -p %ld -e %ld. (assuming msdev.exe can be found in c:\msdev\bin)

Question: I suspect that my program is crashing in DLL initialization code. How can I debug this kind of problem?

Answer: Using the MSDEV debugger, you can step through the DLL initialization code. The hard parts are persuading MSDEV to set a breakpoint early enough and figuring out where the DLL initialization routines actually are. MSDEV discards breakpoints set at arbitrary instructions between runs, so you have to find a place to set a breakpoint that has a symbolic name.

A good symbol to use is the name of a DLL initialization routine that you already know. For example, in an etched program, you could set a breakpoint in ProgramBefore.

Once you've executed the program and hit this breakpoint, you can look up the stack to find the instruction in NTDLL.DLL:LdrpRunInitializeRoutines@4 that calls the entry point of each DLL that is loaded. Set a breakpoint at that call instruction, and now you can step into the entry point of each DLL.

Note that the breakpoint at the call instruction will be discarded by MSDEV between runs. If you absolutely need to see every DLL as it is loaded (i.e., including DLLs that were loaded before the call), you could set a breakpoint at the beginning of LdrpRunInitializeRoutines@4. This breakpoint should be preserved between runs. (You may have to exit and restart MSDEV.)

Tip: Once you've discovered the PCs of LdrpRunInitializeRoutines@4 and of the special call instruction, remember them. They will remain constant as long as you're using the same version of NTDLL.DLL.