Introduction to CoreTrace

Demo January 2021

Today we're excited to show you one of our most popular tools, CoreTrace. CoreTrace is a powerful tool that's used to capture and inspect system calls.

Tracing system calls is a dynamic analysis reverse engineering technique that offers a quick way to understand a program's behavior.

With Corellium, you can trace system calls using either strace, a standard command-line Linux tool, or our proprietary CoreTrace tool. strace is included in Corellium virtual devices, and it is implemented with ptrace.

What makes CoreTrace so powerful is it's implemented with the help of our hypervisor. Applications can employ anti-debugging techniques to detect and prevent ptrace-based tracing. However, these techniques cannot prevent, or even easily detect, hypervisor-based tracing. What's more, CoreTrace can trace the entire system at once, and it’s not limited to a single process.

Because this tool traces all threads in the system, it can rapidly produce a large amount of data. Often, though, you may be interested in a particular target. CoreTrace makes it easy to filter by specific processes and threads for more targeted analysis.

Performing a trace is very simple. After applying any filters, simply click "Start Trace," perform your desired action, and then click "Stop Trace." It may take a few moments for the log to finish building. Then, you can simply download the log for inspection. This will provide every system call that took place in real time, giving a holistic view of the full system. This information can also be easily exported and shared with others.

Happy Virtualizing!