
WIN32 DEBUG API (AGAIN)


canuckcracker
July 27th, 2004, 21:59
Hello,

I'm just trying to single-step one of my applications via the Windows Debug API (I have read Iczelion's great tutorials), but I'm stuck and I'm not sure if it's something I'm doing wrong or what.

http://the.xlabs.org/debug.csrc -> src for my program
http://the.xlabs.org/output -> the program output

When I catch the EXCEPTION_SINGLE_STEP, EIP is at 77xxx.

Is this correct? (Is this kernel32 address space?) Or is something wrong here?

I can only trace exactly 8352 instructions like this and then I get no more events.

I've also tried to modify my EIP and set it to the actual entry point of the program; using this I can trace 10 instructions and that's it.

It doesn't crash or anything, I just don't get any more events, and the program doesn't load in either case.

Any pointers are appreciated! Thanks.

doug
July 27th, 2004, 22:18
Search this board for "Debug Api".

Particularly, this thread: http://www.woodmann.net/forum/showthread.php?t=6098&highlight=Debug+Api

contains useful information - check post #5.

bilbo
July 28th, 2004, 03:18
Really, doug's answer hits the spot.
Some other words could be interesting...

Quote:
When I catch the EXCEPTION_SINGLE_STEP, EIP is at 77xxx. Is this correct? (Is this kernel32 address space?) Or is something wrong here?


As nikolatesla20 pointed out, the first event is a bonus added by Windows for the debugger. It is an EXCEPTION_DEBUG_EVENT, and you are stuck inside NTDLL.DLL:

Code:
_DbgBreakPoint@0 proc near
    int 3
    retn            ; <-- HERE!!!
_DbgBreakPoint@0 endp


The best thing you can do here is:

Code:
ContinueDebugEvent(..., ..., DBG_CONTINUE);

Quote:
I can only trace exactly 8352 instructions like this and then i get no more events.

That's interesting!

The reason for the program hanging is entering Ring 0 (kernel mode) with the Trap Flag set in EFLAGS. This requires more investigation to better understand the underlying mechanics...


If you use printf(), your trace will stop some instructions earlier, at a meaningless point, but if you use OutputDebugString() you will see the very last traced EIP, which on Windows XP/Pentium must be:

Code:
7FFE0300:  mov edx, esp
7FFE0302:  sysenter        ; <-- HERE!!!
           ret

Even if you comment out printf()/OutputDebugString(), the application hangs, so simply avoid setting the Trap Flag from ring 3 when you enter ring 0!

Regards, bilbo

canuckcracker
July 29th, 2004, 21:15
Hi Bilbo,

Thanks for your reply.

I've now set a breakpoint on the entry point so that I avoid tracing inside NTDLL; however, I end up back inside NTDLL (77xxxx address) and the same thing happens...

Anyway, I've gone another route and just used ReadProcessMemory to search for the exact place I want in the program and then set a break there; that works well. But I'd still like to be able to trace from the very beginning and trace the WHOLE program if I ever wanted to -- is that possible?

Thanks

I've also done as nikola suggests and I WriteProcessMemory AFTER I catch the Windows breakpoint. I think something is wrong with how I restore the byte at which I placed the breakpoint?? Not sure... but the program just crashes.

NEW SRC is here:

http://the.xlabs.org/debug.csrc

Iwarez
July 30th, 2004, 00:51
You have to flush the instruction cache after you write the new bytes, and set EIP 1 byte back to account for the breakpoint instruction, if I remember well.

bilbo
July 30th, 2004, 04:06
Quote:
You have to flush the instruction cache after you write the new bytes

That's not necessary, AFAIK.

Quote:
and set EIP 1 byte back to account for the breakpoint instruction, if I remember well.

That's your error, canuckcracker! Your restored instruction will never be executed, and garbled code can be executed instead.
On the Windows breakpoint you did not need to execute the INT3 again, but here, on the entry point, it is necessary to restart from your saved code!
Then, do not forget to initialize sinfo - on XP your snippet does not run... E.g.
Code:
STARTUPINFO sinfo = {sizeof(sinfo)};   /* cb set, every other field zeroed */


Quote:
trace the WHOLE program if i ever wanted to -- is that possible?

As I told you, you just must be careful to skip all kernel code: you cannot enter ring 0 with the trap flag set. And next, are you really interested in tracing system libraries as well, such as KERNEL32?

I started a similar project some years ago, but then I lost interest in it, because a tracer can easily be defeated by the traced application.
Anyway, let me know if you make some progress.

Best regards, bilbo

disavowed
July 30th, 2004, 18:29
Quote:
[Originally Posted by bilbo]
Quote:
You have to flush the instruction cache after you write the new bytes
That's not necessary, AFAIK.

MSDN recommends it, but I have never done it and have never had any problems from not doing it.

Quote:
and set EIP 1 byte back to account for the breakpoint instruction, if I remember well.

You only have to do that if you overwrote existing code with your own INT3. Otherwise, you can just DBG_CONTINUE.
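Editor's added example, not code from any of the posts above. It ties together three points from the thread: bilbo's July 28 post (the first breakpoint is Windows' own DbgBreakPoint, and carrying the Trap Flag through sysenter kills the trace), bilbo's July 30 post and disavowed's reply (restore the byte and back EIP up by one only when the INT3 was yours, not for the loader's breakpoint), and bilbo's advice to skip kernel code. It deliberately does not include windows.h: a 64-byte array stands in for the debuggee's memory, struct dbgee stands in for the Eip/EFlags fields of a CONTEXT, and a toy CPU executes just the handful of opcodes the constructed image uses. The image layout (entry point at 0x00, a mov edx,esp / sysenter / ret stub at 0x20 shaped like the 7FFE0300 one bilbo quotes, an int 3 / retn stub at 0x30), the exit address, and the rule "sysenter with TF set hangs" are assumptions modelling the thread's observations. In a real debugger the byte writes become WriteProcessMemory, the register edits become GetThreadContext/SetThreadContext, and each resume is ContinueDebugEvent(..., DBG_CONTINUE).

```c
/* Added example (not from the original posts): a portable, windows.h-free model of
 * the debugger-side bookkeeping discussed in this thread. All addresses, the image
 * layout and the "TF into ring 0 hangs" rule are assumptions for the model. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define INT3      0xCC
#define EFLAGS_TF 0x100u            /* trap flag: #DB after the next instruction */

/* Constructed image (assumed layout):
 *   0x00 entry point  : nop / xor eax,eax / call 0x20 / inc eax / ret
 *   0x20 syscall stub : mov edx,esp / sysenter / ret  (shape of bilbo's 7FFE0300 stub)
 *   0x30 DbgBreakPoint: int 3 / retn                  (shape of bilbo's ntdll stub)  */
enum { ENTRY = 0x00, STUB = 0x20, SYSENTER_AT = 0x22, DBG_BP = 0x30, EXIT_ADDR = 0xFFFF };
enum ev { EV_BREAKPOINT, EV_SINGLE_STEP, EV_EXIT, EV_HUNG };

struct dbgee { uint8_t mem[64]; uint32_t eip, eflags, stack[8]; int sp; };

static void dbgee_init(struct dbgee *d) {
    static const uint8_t img[0x32] = {
        [0x00] = 0x90, 0x31, 0xC0, 0xE8, 0x18, 0x00, 0x00, 0x00, 0x40, 0xC3,
        [0x20] = 0x8B, 0xD4, 0x0F, 0x34, 0xC3,
        [0x30] = 0xCC, 0xC3 };
    memset(d, 0, sizeof *d);
    memcpy(d->mem, img, sizeof img);
    d->eip = DBG_BP;                 /* the loader's "free" breakpoint fires first */
    d->stack[d->sp++] = EXIT_ADDR;   /* the program's final ret leaves the model */
    d->stack[d->sp++] = ENTRY;       /* DbgBreakPoint's retn lands on the entry point */
}

/* Toy CPU: runs until a debug event. sysenter with TF set is where the real trace
 * in the thread died, so the model reports EV_HUNG at that point (assumption). */
static enum ev dbgee_run(struct dbgee *d) {
    for (;;) {
        if (d->eip + 5 > sizeof d->mem) return EV_HUNG;
        const uint8_t *p = &d->mem[d->eip];
        uint32_t next;
        switch (p[0]) {
        case INT3: d->eip += 1; return EV_BREAKPOINT;   /* CPU reports EIP past the int 3 */
        case 0x90: case 0x40: next = d->eip + 1; break; /* nop, inc eax */
        case 0x31: case 0x8B: next = d->eip + 2; break; /* xor/mov with one modrm byte */
        case 0xE8:                                      /* call rel32 */
            if (d->sp >= 8) return EV_HUNG;
            d->stack[d->sp++] = d->eip + 5;
            next = d->eip + 5 + (int32_t)(p[1] | p[2] << 8 | p[3] << 16 | (uint32_t)p[4] << 24);
            break;
        case 0xC3:                                      /* ret */
            if (d->sp <= 0) return EV_HUNG;
            next = d->stack[--d->sp]; break;
        case 0x0F:                                      /* 0F 34 = sysenter */
            if (p[1] != 0x34 || (d->eflags & EFLAGS_TF)) return EV_HUNG;
            next = d->eip + 2; break;                   /* kernel returns to the ret after it */
        default:   return EV_HUNG;
        }
        d->eip = next;
        if (d->eip == EXIT_ADDR) return EV_EXIT;
        if (d->eflags & EFLAGS_TF) return EV_SINGLE_STEP;
    }
}

struct tracer { uint32_t bp_addr; uint8_t bp_saved; int bp_armed; uint32_t trace[16]; int ntraced; };

static void bp_arm(struct tracer *t, struct dbgee *d, uint32_t addr) {
    t->bp_saved = d->mem[addr]; d->mem[addr] = INT3;    /* WriteProcessMemory in real life */
    t->bp_addr = addr; t->bp_armed = 1;
}

/* Drives the debuggee from the loader breakpoint to exit. Returns the number of
 * EXCEPTION_SINGLE_STEP events seen, or -1 if the debuggee hung. skip_kernel=0 is
 * the naive tracer from the first post; skip_kernel=1 never carries TF into ring 0. */
static int trace_program(struct tracer *t, struct dbgee *d, int skip_kernel) {
    memset(t, 0, sizeof *t);
    bp_arm(t, d, ENTRY);                                /* our breakpoint on the entry point */
    for (;;) {
        switch (dbgee_run(d)) {
        case EV_EXIT: return t->ntraced;
        case EV_HUNG: return -1;
        case EV_BREAKPOINT:
            if (t->bp_armed && d->eip - 1 == t->bp_addr) {
                /* Our INT3 replaced real code: restore the byte and back EIP up one so
                 * the restored instruction runs (Iwarez/bilbo), then start stepping. */
                d->mem[t->bp_addr] = t->bp_saved; t->bp_armed = 0;
                d->eip -= 1;
                d->eflags |= EFLAGS_TF;
            }
            /* Otherwise it is Windows' own DbgBreakPoint: the int 3 belongs to ntdll,
             * EIP already points at its retn, nothing to restore, just DBG_CONTINUE. */
            break;
        case EV_SINGLE_STEP:
            if (t->ntraced < 16) t->trace[t->ntraced++] = d->eip;
            if (skip_kernel && d->mem[d->eip] == 0x0F && d->mem[d->eip + 1] == 0x34) {
                /* About to execute sysenter: drop TF and arm INT3 on the ret the kernel
                 * returns to (sysenter is two bytes, so that ret sits at EIP+2). Stepping
                 * resumes in ring 3 without TF ever crossing into ring 0. */
                d->eflags &= ~EFLAGS_TF;
                bp_arm(t, d, d->eip + 2);
            }
            break;
        }
    }
}

int main(void) {
    struct dbgee d; struct tracer t;
    dbgee_init(&d);
    printf("naive tracer: %d (last EIP %02X)\n", trace_program(&t, &d, 0),
           t.ntraced ? t.trace[t.ntraced - 1] : 0);
    dbgee_init(&d);
    int n = trace_program(&t, &d, 1);
    printf("kernel-skipping tracer: %d steps:", n);
    for (int i = 0; i < n; i++) printf(" %02X", t.trace[i]);
    printf("\n");
    return 0;
}
```

The naive run stops with its last reported EIP on the sysenter, which is exactly what bilbo saw at 7FFE0302; the kernel-skipping run steps through the whole image and the temporary INT3 on the stub's ret is gone by the time the program exits. Only one software breakpoint is live at any time here; a real tracer that wants to trace KERNEL32 as well would keep a table of them, but the restore-then-EIP-minus-one rule is the same for each.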

evaluator
July 31st, 2004, 02:09
Well, 2 years ago I found for Tsehp a tricky & comfortable way
for single-step tracing on XP:

discard the "Fast System Call" 'greats' & return back to INT 2E.

However, until yesterday I had not looked into the problem of
M$'s erroneous management of SYSENTER. OK, now I have looked.

In one word: after SYSENTER with the T-flag set, the FS register is lost.
In the same one word: save the FS value on SYSENTER,
and after SYSENTER check & restore it via the SEH CONTEXT.

Of course the best way is to go back to the great INTs.