Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Hooking to defeat hardware breakpoints

Hey guys,

New to the forum and wondering the following. Been doing reversing for a while now and recently jumped into unpacking. What I am facing atm is that a lot of packers are detecting hardware breakpoints. I am currently on Windows 7 64-bit and none of the OllyDbg plugins are working for me, so I started looking into writing my own hooks. Been programming / coding for a couple of years in assembly and I am hoping you guys could push me in the right direction about hooking to prevent hardware breakpoint detection.

The hardware breakpoint detection is accessed and controlled from an exception handler. So I read up about it and found out an area to hook could be hooking KiUserExceptionDispatcher in kernel32.dll by injecting a DLL. But I am not sure what to code in the hook. Does anyone have any code snippets about hooking NtSetThreadContext, GetThreadContext or KiUserExceptionDispatcher, preferably in ASM, but C++ would most likely do as well?

I am using it to create my own plugin set.

Thanks in advance,

FlySky

I admire that you are trying to write your own plugin to accomplish this, it's the best way to learn.

But fortunately I've done what you asked already with my Stealth64 plugin.

It works on Win7 (or Vista) x64 and I already added the hooks to KiUserExceptionDispatcher to handle hardware breakpoint hiding.

You'll need beta 1.2 for Win7.

If you have problems with it, try starting with a clean Olly and adding Stealth64. It should work fine.

After that you can start adding other plugins 1 by 1 to see if they are x64 compatible.

Cheers,

revert

  • Author

The method I am using atm for hooking is by injecting a DLL into the running process and jumping from system DLLs loaded by the process to my own DLL hook for KiUserExceptionDispatcher.

[esp+4] holds the pointer to the ContextRecord, in which I have access to the debug registers. Simply clearing debug register 7 would disable the breakpoint, from what I understand of it.

But what happens to the exception? Since the hardware breakpoint causes an exception, the hardware breakpoint is probably detected earlier?

After simply clearing debug register 7 (enabled/disabled bits), it still crashes.

Check your PM :)
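
An added example, not code from this thread or from Stealth64: a portable C model of the debug-register fields an exception handler can read from the ContextRecord. It shows that clearing only the DR7 enable bits leaves DR0-DR3, DR6 and the R/W and LEN fields readable, next to a save, zero and restore pattern. The struct, function names and sample values are constructed, nothing is hooked, and the assumption is that a hiding hook saves the real values before the handler runs and restores them before execution resumes.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the debug-register fields of a thread context.
   Names are hypothetical; this is not the Windows CONTEXT layout. */
typedef struct {
    uint64_t dr[4];  /* DR0-DR3: breakpoint addresses */
    uint64_t dr6;    /* status: bits 0-3 (B0-B3) mark the slot that fired */
    uint64_t dr7;    /* control: bits 0-7 L/G enables, bits 16-31 R/W+LEN */
} dbg_regs;

/* Bitmask of armed slots: slot n is armed if L(n) (bit 2n) or G(n) (bit 2n+1) is set. */
unsigned armed_slots(const dbg_regs *r) {
    unsigned mask = 0;
    for (unsigned n = 0; n < 4; n++)
        if ((r->dr7 >> (2 * n)) & 3u) mask |= 1u << n;
    return mask;
}

/* 1 if a handler reading the context could still tell a breakpoint was set. */
int traces_visible(const dbg_regs *r) {
    return r->dr[0] || r->dr[1] || r->dr[2] || r->dr[3] ||
           (r->dr6 & 0xF) || (r->dr7 & 0xFFFF00FFu);
}

/* The approach tried in the thread: clear only the DR7 enable bits. */
void clear_dr7_enables(dbg_regs *r) { r->dr7 &= ~(uint64_t)0xFF; }

/* Assumed hiding pattern: keep the real values and show the handler zeros... */
void hide(dbg_regs *ctx, dbg_regs *saved) { *saved = *ctx; *ctx = (dbg_regs){{0}, 0, 0}; }
/* ...then put them back before the context is resumed. */
void restore(dbg_regs *ctx, const dbg_regs *saved) { *ctx = *saved; }

/* Constructed sample: slot 0 is an execute breakpoint that just fired,
   slot 1 is a 4-byte write breakpoint (R/W1=01, LEN1=11). */
dbg_regs sample(void) {
    return (dbg_regs){ {0x401000, 0x402000, 0, 0}, 0x1,
                       0x5 | (0x1u << 20) | (0x3u << 22) };
}

int main(void) {
    dbg_regs ctx = sample(), saved;
    clear_dr7_enables(&ctx);
    printf("DR7 enables cleared: armed=%#x visible=%d\n", armed_slots(&ctx), traces_visible(&ctx));
    ctx = sample(); hide(&ctx, &saved);
    printf("hidden: armed=%#x visible=%d\n", armed_slots(&ctx), traces_visible(&ctx));
    restore(&ctx, &saved);
    printf("restored: armed=%#x\n", armed_slots(&ctx));
}
```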
