
INT3 and process


Hero
September 22nd, 2004, 00:47
Hi all
I'm working on a protection algorithm for my proposal.
I ask my question here because crackers are the best protectors if they want!

My algorithm is based on using INT3 in the process. I want to know what will happen if we get an INT3 in a normal process (not in debug mode). Does it work similarly to a normal breakpoint?
In addition, can I change this process's register values using SetThreadContext when it gets to this INT3?

thanks
sincerely yours

Neitsa
September 22nd, 2004, 03:42
Hello,

Quote:

I want to know what will happen if we get an INT3 in a normal process (not in debug mode)


It will crash! All interrupts in Windows user-mode programs have to be handled by a SEH.

Quote:

Does it work similarly to a normal breakpoint?


There are two types of INT3:

The 0xCC opcode, and the two bytes 0xCD 0x03, which are the form of the INT n instruction with n=3. They are handled in different ways. This is well explained in the Intel manuals. "Normal breakpoint", as you said, should be "software breakpoint". When a debugger puts a breakpoint, it is just writing a 0CCh opcode into the program and handling the error.

There's another type of breakpoint, which is the hardware breakpoint. There are only 4 hardware BPs, because they work with the Drx (debug registers) and there are only 4 Drx for holding an address (Dr0 to Dr3). They are called hardware because they are a hardware feature of the CPU. Those Drx are accessible directly (in the form of mov reg,Drx or mov Drx,reg) only in kernel mode (AKA Ring0 mode), which is the privileged mode of the CPU and accessible only from a device driver. You can access them with Get/SetThreadContext...

Quote:

In addition, can I change this process's register values using SetThreadContext when it gets to this INT3?


This is a way of accessing registers (even EIP or the Drx), but you can't do it from the process currently running. You must do it from another process, since you must halt the thread to do it, with SuspendThread, and resume the thread with ResumeThread. When you get to an INT3 you must have a SEH that handles the INT! Get/SetThreadContext are generally used by a debugger, but they can be used from another thread; remember that you must handle the INT first, and you can't use those APIs on the thread where those APIs are executed.

Hope this could help.

Regards, Neitsa.
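
The two behaviours described above, as an added example that is not part of the original thread (nor Hero's protection scheme): an INT3 executed with no handler kills the process, while a handler that sees the INT3 can rewrite a register in the saved context and resume past the 0xCC byte. The Windows branch uses a vectored exception handler (the same CONTEXT a frame-based SEH handler would receive) and steps Rip over the 0xCC that Windows leaves it pointing at; the POSIX branch is the analogue, where the INT3 arrives as SIGTRAP and the register file is the ucontext. Assumptions: x86-64, a GCC-compatible compiler (GCC, Clang or MinGW-w64, since the example uses inline asm), and the marker value 0x1337 is arbitrary.

```c
/* int3_in_process.c
 * Catch an INT3 (0xCC) inside the same process, rewrite a register in the
 * saved CONTEXT / ucontext and resume after the breakpoint byte.
 * Assumes x86-64 and a GCC-compatible compiler (GCC, Clang or MinGW-w64);
 * MSVC x64 has no inline asm, so the asm statement would not build there.
 */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define INJECTED_RAX 0x1337u   /* hypothetical marker the handler writes into RAX */

#ifdef _WIN32
#include <windows.h>

/* Vectored handler: runs before any frame-based SEH handler. */
static LONG CALLBACK on_breakpoint(PEXCEPTION_POINTERS ep)
{
    if (ep->ExceptionRecord->ExceptionCode != EXCEPTION_BREAKPOINT)
        return EXCEPTION_CONTINUE_SEARCH;      /* not an INT3: let others see it */
    ep->ContextRecord->Rax = INJECTED_RAX;     /* change a register at the INT3 */
    ep->ContextRecord->Rip += 1;               /* Windows leaves Rip on the 0xCC byte */
    return EXCEPTION_CONTINUE_EXECUTION;
}

static void install_handler(void)
{
    AddVectoredExceptionHandler(1, on_breakpoint);
}
#else
#include <signal.h>
#include <sys/wait.h>
#include <ucontext.h>
#include <unistd.h>

/* POSIX analogue of the SEH: the INT3 arrives as SIGTRAP and the saved
 * register file is the ucontext passed to the handler. */
static void on_breakpoint(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)si;
    ucontext_t *uc = (ucontext_t *)ctx;
    uc->uc_mcontext.gregs[REG_RAX] = INJECTED_RAX;   /* change a register at the INT3 */
    /* RIP already points past the 0xCC here: INT3 is a trap, so nothing to skip. */
}

static void install_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_breakpoint;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGTRAP, &sa, NULL);
}

/* The "it will crash" case: a child executes INT3 with the default
 * disposition and no debugger attached; return the signal that killed it. */
int unhandled_int3_kills_child(void)
{
    pid_t pid = fork();
    if (pid == 0) {
        signal(SIGTRAP, SIG_DFL);   /* drop any handler inherited from the parent */
        __asm__ volatile("int3");
        _exit(0);                   /* never reached: the trap is fatal */
    }
    int status = 0;
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}
#endif

/* Zero RAX, execute a 0xCC, and return what RAX holds once execution resumes. */
uint64_t run_int3_with_handler(void)
{
    uint64_t rax_after = 0;
    install_handler();
    __asm__ volatile(
        "xor %%eax, %%eax\n\t"   /* RAX = 0 before the trap */
        "int3\n\t"               /* the 0xCC; the handler rewrites RAX and resumes */
        "mov %%rax, %0\n\t"      /* read back the value the handler injected */
        : "=r"(rax_after) : : "rax", "memory");
    return rax_after;
}

int main(void)
{
    printf("RAX after handled INT3: 0x%llx\n",
           (unsigned long long)run_int3_with_handler());
#ifndef _WIN32
    printf("unhandled INT3 killed the child with signal %d (SIGTRAP is %d)\n",
           unhandled_int3_kills_child(), SIGTRAP);
#endif
    return 0;
}
```

Build with `gcc int3_in_process.c -o int3_in_process` (or `x86_64-w64-mingw32-gcc` for the Windows branch) and run it without a debugger attached: under gdb or WinDbg the debugger takes the breakpoint first and the in-process handler never sees it, which is exactly the difference between "debug mode" and a normal process that the question asks about. Note that the handler's register edit happens in the context record, not with SetThreadContext, because the faulting thread cannot call that API on itself.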

Hero
September 22nd, 2004, 09:01
Thanks for the detailed help.
I'll make a new thread that explains my protection algorithm.
If you can, please consider it and suggest a better way.
sincerely yours