FlySky Posted August 11, 2010 Share Posted August 11, 2010 Hey guys,New to the forum and wondering the following. Been doing reversing for a while now and recently jumped into unpacking. What I am facing atm is that a lot of packers are detecting hardware breakpoints. I am currently on Windows 7 64 bit version and none of the Ollydbg plugins are working for me, so I started looking in writing my own hooks. Been programming / coding for a couple of years in assembly and I am hoping you guys could push me in the right direction about hooking to prevent hardware breakpoint detection.The hardware breakpoint detection is accessed and controlled from an exception handler. So I read up about it and found out an area to hook could be hooking KiUserExceptionDispatcher in kernel32.dll by injecting a dll. But I am not sure what to code in the hook is anyone having an code snippets about hooking NtSetThreadContext, GetThreadContext or KiUserExceptionDispatcher, preferably in ASM but C++ would mostlikely do aswell.I am using it to create my own plugin set.Thanks in advance,FlySky Link to comment
revert Posted August 11, 2010 Share Posted August 11, 2010 I admire that you are trying to write your own plugin to accomplish this, it's the best way to learn.But fortunately I've done what you asked already with my Stealth64 plugin. It works on Win7(or Vista) x64 and I already added the hooks to KiUserExceptionDispatcher to handle hardware breakpoint hiding.You'll need beta 1.2 for Win7. If you have problems with it, try starting with a clean Olly and adding Stealth64. It should work fine.After that you can start adding other plugins 1 by 1 to see if they are x64 compatible.Cheers,revert Link to comment
FlySky Posted August 12, 2010 Author Share Posted August 12, 2010 The method I am using atm for hooking is by injecting a DLL into the running process and jump from system dlls loaded by the process to my own dll hook KiUserExceptionDispatcher.[esp+4] holds the pointer to the ContextRecord in which I have acces to the debug registers. Simply clearing debug register 7 would disable the breakpoint from what I understand from it.But what happens to the exception? Since the hardware breakpoint causes an exception, the hardware breakpoint is probably detected earlier ?Simply clearing the debugregister 7 (enabled/ disabled bits) it still crashes. Link to comment
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now