blabberer
September 27th, 2007, 09:07
Nice to know this discipline is being accepted and being taught at university level.
The PDF should have a few more reviews and research.
Quote:
OllyDbg, however, has one major shortcoming: its inability to trace into SYSENTER calls. This command, introduced by the Intel Pentium II processor, was designed for making fast system calls. It is often invoked by Windows Structured Exception Handler, and thus employed by many advanced protection schemes. These protection schemes use the exception handler to execute necessary code, check if a program is being debugged, and clear the debug registers. When OllyDbg hits a SYSENTER command, however, it is unable to trace into it, and simply executes until the next exception. This is a major shortcoming of the debugger, and requires the user to break at SYSENTER commands, analyze the registers, and then determine where the target code of the SYSENTER command is, in order to trace into it.
Is sysenter the only culprit? Was it able to enter int 2e and int 2b on processors where sysenter didn't exist?
"Simply executes until the next exception"??? Which exception?? What's he talking about??
Code:
Call stack of main thread
Address Stack Procedure / arguments Called from Frame
0012FD2C 77F42DF7 Includes 7FFE0302 ntdll.ZwQueryInformationProc 0012FEE0
0012FD30 77E4A011 Maybe ntdll.ZwQueryInformationProcess kernel32.77E4A00F 0012FEE0
0012FD34 FFFFFFFF hProcess = FFFFFFFF
0012FD38 00000001 InfoClass = 1
0012FD3C 0012FEB8 Buffer = 0012FEB8
0012FD40 00000020 Bufsize = 20 (32.)
0012FD44 00000000 pReqsize = NULL
0012FEE4 004A320C ? <JMP.&KERNEL32.GlobalMemoryStatus> OLLYDBG.004A3207 0012FEE0
0012FEE8 0012FEEC pMemStat = 0012FEEC
0012FF0C 004A2AFF ? OLLYDBG.004A31FC OLLYDBG.004A2AFA
0012FF28 004A3059 OLLYDBG.004A2AD4 OLLYDBG.004A3054
0012FF2C 00000001 Arg1 = 00000001
0012FF3C 004A3020 OLLYDBG.004A3024 OLLYDBG.004A301B 0012FF38
0012FF48 004A2861 OLLYDBG.004A2FFC OLLYDBG.004A285B 0012FF44
0012FF54 004A27C1 OLLYDBG.004A2FFC OLLYDBG.004A27BB 0012FF50
0012FF60 004ACBDF OLLYDBG.004A27B4 OLLYDBG.004ACBDA 0012FF5C
0012FF64 00000100 Arg1 = 00000100
0012FF6C 004AD151 Includes OLLYDBG.004ACBDF OLLYDBG.004AD14E 0012FF90
0012FF94 004AD2F3 OLLYDBG.004AD0C8 OLLYDBG.004AD2EE 0012FF90
0012FF98 0050A658 Arg1 = 0050A658
0012FF9C 00000000 Arg2 = 00000000
Code:
0012FD2C 77F42DF7 RETURN to ntdll.ZwQueryInformationProcess+0C
Log data
Address Message
7FFE0302 Unable to set breakpoint
7FFE0302 Unable to set breakpoint
7FFE0302 Hardware breakpoint 1 at 7FFE0302
7FFE0302 Hardware breakpoint 1 at 7FFE0302
77F42DF7 Hardware breakpoint 2 at ntdll.77F42DF7
77F42DEB >/$ B8 A1000000 MOV EAX,0A1
77F42DF0 |. BA 0003FE7F MOV EDX,7FFE0300
77F42DF5 |. FFD2 CALL EDX
77F42DF7 \. C2 1400 RETN 14
Quote:
the user to break at SYSENTER commands, analyze the registers, and then determine where the target code of the SYSENTER command is, in order to trace into it.
If he knows the register, how come he could trace into it with OllyDbg? Does someone have any ideas (user mode only)?
Anyway, nice to see some momentum.
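The four disassembly lines in the post are the ordinary ntdll Zw* entry sequence: MOV EAX,n loads the system service index, MOV EDX,7FFE0300 loads the address of the dispatch stub in the shared user page, CALL EDX enters it, and the instruction after the CALL (77F42DF7 here) is the first user-mode address a debugger can stop at once the kernel returns. The Python below is an added example, not code from the post or from the paper it quotes. It parses those OllyDbg lines (copied into a constructed string), recovers the service index, dispatch address, user-mode return address and stdcall argument count, and checks whether the dispatch address lies in the read-only shared page. The names `parse_olly_listing`, `find_syscall_stub` and `in_shared_user_data` and the shared-page constants are my own; the constants follow the addresses in the listing, and the remark that a software breakpoint cannot be written into that page is my interpretation of the "Unable to set breakpoint" log lines, not something the post states.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed copy of the four OllyDbg disassembly lines quoted in the post.
# Column layout: address, flow gutter (">/$", "|.", "\."), opcode bytes,
# mnemonic, operands.
OLLY_LISTING = """\
77F42DEB >/$ B8 A1000000 MOV EAX,0A1
77F42DF0 |. BA 0003FE7F MOV EDX,7FFE0300
77F42DF5 |. FFD2 CALL EDX
77F42DF7 \\. C2 1400 RETN 14
"""

# 32-bit Windows maps KUSER_SHARED_DATA read-only into every process at
# 0x7FFE0000; the dispatch stub that ntdll calls sits at offset 0x300.
# Assumed from the listing's MOV EDX,7FFE0300; the post does not name it.
SHARED_USER_DATA = 0x7FFE0000
SHARED_USER_DATA_END = SHARED_USER_DATA + 0x1000
SYSTEM_CALL_STUB = SHARED_USER_DATA + 0x300

GUTTER_RE = re.compile(r'^[>/$|\\.]+$')
HEXBYTES_RE = re.compile(r'^(?:[0-9A-F]{2})+$')


@dataclass
class Insn:
    address: int
    opcode: bytes
    mnemonic: str
    operands: List[str]


def olly_imm(text: str) -> int:
    """OllyDbg prints immediates as bare hex: 0A1 is 0xA1, 14 is 0x14."""
    return int(text, 16)


def parse_olly_listing(listing: str) -> List[Insn]:
    """Split OllyDbg disassembly lines into address / bytes / mnemonic / operands."""
    insns = []
    for raw in listing.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        address = int(tokens[0], 16)
        i = 1
        while i < len(tokens) and GUTTER_RE.match(tokens[i]):
            i += 1
        opcode = bytearray()
        # Opcode groups are even-length hex runs. Mnemonics such as ADD or DEC
        # are hex letters too but have odd length, so this split is safe for the
        # integer instructions in the listing (an all-hex name like FADD is not).
        while i < len(tokens) and HEXBYTES_RE.match(tokens[i]):
            opcode += bytes.fromhex(tokens[i])
            i += 1
        mnemonic = tokens[i]
        operands = ' '.join(tokens[i + 1:]).split(',') if i + 1 < len(tokens) else []
        insns.append(Insn(address, bytes(opcode), mnemonic, operands))
    return insns


@dataclass
class SyscallStub:
    service_index: int     # value loaded into EAX: the system service number
    dispatch_address: int  # value loaded into EDX: where CALL EDX goes
    return_address: int    # instruction after CALL EDX: first user-mode stop after the kernel returns
    stack_cleanup: int     # bytes popped by RETN n

    @property
    def arg_count(self) -> int:
        return self.stack_cleanup // 4  # stdcall on x86: four bytes per argument


def find_syscall_stub(insns: List[Insn]) -> Optional[SyscallStub]:
    """Match the ntdll Zw* stub shape MOV EAX,n / MOV EDX,imm / CALL EDX / RETN k."""
    for a, b, c, d in zip(insns, insns[1:], insns[2:], insns[3:]):
        if (a.mnemonic == 'MOV' and a.operands[:1] == ['EAX']
                and b.mnemonic == 'MOV' and b.operands[:1] == ['EDX']
                and c.mnemonic == 'CALL' and c.operands == ['EDX']
                and d.mnemonic == 'RETN'):
            cleanup = olly_imm(d.operands[0]) if d.operands else 0
            return SyscallStub(olly_imm(a.operands[1]), olly_imm(b.operands[1]),
                               c.address + len(c.opcode), cleanup)
    return None


def in_shared_user_data(address: int) -> bool:
    """True if the address lies in the read-only shared page. An INT3 software
    breakpoint needs a writable byte there, which is consistent with the post's
    'Unable to set breakpoint' at 7FFE0302 followed by a hardware breakpoint
    that did succeed (my interpretation, not a statement from the post)."""
    return SHARED_USER_DATA <= address < SHARED_USER_DATA_END


if __name__ == '__main__':
    stub = find_syscall_stub(parse_olly_listing(OLLY_LISTING))
    assert stub is not None
    print(f"service index     : {stub.service_index:#x}")
    print(f"dispatch address  : {stub.dispatch_address:#010x} "
          f"(shared page: {in_shared_user_data(stub.dispatch_address)})")
    print(f"user-mode return  : {stub.return_address:#010x}")
    print(f"stdcall arguments : {stub.arg_count}")
```

Running it reports service index 0xA1, dispatch address 0x7FFE0300 inside the shared page, return address 0x77F42DF7 and five stdcall arguments. The argument count matches the five parameters OllyDbg listed under ZwQueryInformationProcess in the call stack, and the return address is where the author's second hardware breakpoint landed, which is the user-mode side of the kernel round trip rather than the SYSENTER itself.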