The forthcoming Windows 10 feature update will bring support for DTrace, the open source debugging and diagnostic tracing tool originally built for Solaris. The port was announced at the Ignite conference last year, and today the instructions, binaries, and source code are now available.
DTrace lets developers and administrators get a detailed look at what their system is doing: they can track kernel function calls, examine properties of running processes, and probe drivers.
After its initial Solaris release, DTrace spread to a wide range of other Unix-like operating systems. Today, it’s available for Linux, FreeBSD, NetBSD, and macOS. The original Solaris code was released under Sun’s Common Development and Distribution License. Microsoft has ported the CDDL portions of DTrace and built an additional driver for Windows that performs some of the system-monitoring roles. The latter driver will ship with Windows; the CDDL parts are all a separate download.
The big fly in the ointment is that DTrace currently requires Windows to be booted with a kernel debugger attached. DTrace works by inserting bits of code into the system functions being analyzed; this means that there’s no overhead for kernel features that aren’t being traced, as they don’t contain any DTrace code at all. However, DTrace isn’t the only software out there that modifies kernel memory: rootkits will patch the operating system’s kernel so that, for example, process enumeration functions don’t show the running rootkit.
Accordingly, Microsoft long ago introduced Windows’ Kernel Patch Protection (KPP, aka PatchGuard). KPP monitors certain pieces of kernel memory to look for modifications, and it crashes the system if any are detected. DTrace falls foul of PatchGuard’s protection.
Booting with a kernel debugger disables PatchGuard, thereby letting DTrace make the modifications it needs. Microsoft’s developers say they have ideas for how they might enable DTrace in a PatchGuard-compliant way in the future. But for now, we have to pick one or the other.