Posted on October 2, 2018 by Florian Pester
We are proud to announce that today we are releasing Tycho 1.1. This release features USB 3 Debug Port Support, System Call Interpretation, and a plugin for IDA Pro that shows memory information directly within IDA.
With the new support for USB 3 Debug Cables the communication between Tycho and the virtualization platform on the target is now significantly faster. This enables large memory dumps and features that transfer a lot of data between the two components, such as System Call Interpretation.
Every USB 3 port on every machine can be used as a USB 3 Debug port. This enables us to expand to platforms that do not have Intel’s vPro or a serial port in the future.
With Tycho 1.0 we introduced the system call semantic breakpoint. This feature allows a user to stop the execution of a sample at any system call it executes, even if the sample bypasses the Windows low-level libraries and executes the `syscall` instruction directly.
System Call Interpretation gives you full control over every executed system call. System call breakpoints without any interpretation left you with just the register state and a lot of work to make sense of the system call parameters or to follow pointers. With Tycho's System Call Interpretation you have rich semantic information right at your fingertips. For each system call you can now view and modify parameters, follow pointers, and view and modify buffer contents. You can also modify any return value.
Tycho can now provide IDA Pro with information about the memory structure of your sample. This greatly simplifies using Tycho with IDA Pro: