Tuts 4 You

Hardware data/read/execute breakpoints...



Look, to enable DRX:
DR7 := DR7 or (1 shl (2*X));         { sets the local-enable bit Lx of slot X }

To disable DRX:
DR7 := DR7 and not (1 shl (2*X));    { clears Lx; an xor would only toggle the bit }

To check which HWBP was triggered, check this pseudocode in Delphi:

X := 0;
{ Pascal: 'and' binds tighter than '=', so the test needs parentheses.
  The X < 4 bound stops the loop when no B0..B3 bit is set at all. }
while (X < 4) and ((DR6 and 1) = 0) do
begin
  DR6 := DR6 shr 1;
  Inc(X);
end;

Here you get the number of the DRX register that was triggered.

Note that X can be 0, 1, 2, 3

Edited by Nacho_dj

Hi Nacho and thanks again for the info, but now I am still confused. :) Can you not create any quick ASM commands for me? Also, by the way, there are commands to use DR0 - DR7 (mov eax, DR6) etc., so can I use them too somehow without reading the context? If I call them I get AV C0000096.

greetz

Here's a little tool I did for you:

[screenshot: drxcalc.png]

- Set DRx Mode, Type, Size and copy out the "DR7 Value" you need to set. It will give you the value for a single DRx to be set. If you want more, then first calc DR0, then DR1, and binary "or" the results.

- Copy the DR6 result to "DR6 Value" and see which DRx got hit.

Now with this tool everything should be eeeaaasy :punk:

Can't attach files in this thread, so grab it here

PS: And no, you cannot set/get DRx directly, you need to set/get the context. Also set DR6 to 0 after handling because the CPU doesn't always clear it!

Edited by cypher

Coolio! :)

Big-O-thank you for this little tool helper, cypher. Ok wait.... so if I wanna set a HWBP xy then I set this in your tool above, and the value which comes out at DR7 I have to copy into the context before I call the STC API. Ok, so I think I did understand this so far. :)

Verify example:

DR7: 00070402 = HWBP R/W | 2 bytes | global | DR0 Slot <-- Right?

And what is with DR6?

Ok I have tested this now but I get this....

I set context before call to STC
----------------------------------------------------
004104D0 00010017
004104D4 010073AB notepad.010073AB <-- BP
004104D8 00000000
004104DC 00000000
004104E0 00000000
004104E4 00000000
004104E8 00070402 <--- Now I run the app + BP at KI API and it stops at KI and the context there says...
0007FCDC 0001003F
0007FCE0 010073AB notepad.010073AB
0007FCE4 00000000
0007FCE8 00000000
0007FCEC 00000000
0007FCF0 FFFF0FF0 <---
0007FCF4 00070400 <--- and the AV is...
0007FCC0 C0000005 <-- Access violation, why this and not single step?

So at the address 010073AB and above there are just nop commands. So why do I get an AVio etc.?

Also if I copy FFFF0FF0 to DR6 in your tool then I get nothing. :) Only if I change the last bit to not 0. Hhmmmmmmmm! What's wrong now? Is it me again? I am getting more and more confused.

About the DR0 and more. So you mean then I have to .....

00070402 or 00700408 = 0077040A = DR0 and DR1 to copy then in DR7. Right or not? I thought it would be easier to handle but now I see it isn't, or I am too much of a dummy for this. You'll have to do more there, eh. :)

PS: So could you add this DR0 / DR1 / DR2 / DR3 calculation also into your tool later, so I don't have to "or" the entire values manually every time I test here. Thank you.

PS2: Short re-question, so what was it again with the global and local choice? The difference I mean, and where is it better to use global or local etc.?

greetz

- Your DR7 verify example is correct.

- Your DR6 result of FFFF0FF0 means that it wasn't a HWBP that caused the exception.

- 00070402 (DR0) or 00700408 (DR1) = 77040A = DR0 and DR1 both set. Correct!

- Mode local gets killed by a task switch, global doesn't. Usually you only want local.

Edited by cypher

Little update for the tool -> https://bitbucket.org/cypherpunk/drx_calc/downloads/drx_calc.rar

[screenshot: multi.png]

You can now "Keep" the current value and it gets OR-ed to the others you already kept.

So you define DR0, then click "Keep", and it gets saved to the "Dr7 Multi" field. Then define DR1, click "Keep", and it gets OR-ed to the value already in "multi". etc..

Then you copy and use the value in "DR7 Multi".

Click "Clear" to start over again.

Edited by cypher

Hi again,

thanks for the new tool version. :)

Ok so now I have tested again and the HWBP seems to work now, also with multiple HWBPs set. :) Now I also get....

DR6: FFFF0FF1 <-- 1 = DR0 ...

DR6: FFFF0FF2 <-- 2 = DR1 was triggered

DR6: FFFF0FF8 <-- 8 = DR3 ....

DR6: FFFF0FF4 <-- 4 = DR2...

etc

....ok so if I enter the value in your tool then I get the right results, but what I don't get is the exception reason (singlestep / Exception / T-bit) in your tool. Why?

All in all I am happy now, so the HWBPs in all slots do work now if I enter the right DR7 values, so thank you again very much for this helpful tool, cypher. :)

greetz

Exception reason is empty usually.

SingleStep would mean the bp was reached by single-stepping onto it.

Exception means illegally accessing a debug register.

T-Bit is related to the TSS and I don't understand that completely myself.

So a normal hwbp hit only has info about which drx, and the rest is empty.

Glad I could help with the tool.

Ah ok, all clear so far now, so that I can now handle the necessary basics of it. :) Of course your tool does help me a lot; without it I still would not get this handling into my head and would be getting more and more confused. :)

I can just say thank you again, cypher. :)

Also thank you to all the others too, of course.

greetz

Hi again,

so I have another small request about your tool, cypher. Could you maybe also add another option (almost the same as DR6, where you enter the value to read below which DR was set and which exception etc.), but this time for DR7 too: enter some DR7 context and your tool shows what was used (Mode, Type, Size & DRx's). Almost the same as when I set up a DR7 value, as your tool already does, but I also wanna have a decompiler for DR7 values. :) You know what I mean, right? Maybe you can add this in a window, nicely sorted or something, if you need to show max 4 infos of all for each HWBP.

---------------------------------------
DR7: 33330455 | Decompile |
---------------------------------------
DRx Mode | Type | Size
---------------------------------------
DR0: Local | R/W | 1
DR1: Local | R/W | 1
DR2: Local | R/W | 1
DR3: Local | R/W | 1
---------------------------------------

Something like this maybe. :) Would be very great if you could add this feature too, if it's not too much to ask. Then I could later also use this new feature to check exception logs in more detail quickly, you know. I say thank you already so far.

greetz
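As an added example (not code from the thread or from cypher's drx_calc tool), here is the DR7/DR6 bit layout the thread works through in C: it reproduces cypher's slot arithmetic above (00070402 for DR0, 00700408 for DR1, OR-ed to 0077040A), the "DR7 decompile" of 33330455 requested in this post, and the DR6 check for which slot fired. Function and type names are my own; the bit positions come from the Intel SDM vol. 3 debug-register chapter.

```c
#include <stdint.h>

/* Layout (Intel SDM vol. 3, "Debug Registers"):
 *   DR7 bits 0..7  : L0,G0,L1,G1,L2,G2,L3,G3 (local/global enable per slot)
 *   DR7 bit 10     : reserved, always 1 (the 0x400 present in every value)
 *   DR7 bits 16+4n : R/Wn (2 bits) then LENn (2 bits) for slot n
 *   DR6 bits 0..3  : Bn = slot n fired; bit 13 BD, bit 14 BS, bit 15 BT  */
enum { DR7_EXEC = 0, DR7_WRITE = 1, DR7_IO = 2, DR7_RW = 3 };
enum { DR7_LEN1 = 0, DR7_LEN2 = 1, DR7_LEN8 = 2, DR7_LEN4 = 3 };

typedef struct { int enabled, global, type, len; } drx_slot;

/* DR7 bits for one slot. OR the results of several calls to arm more slots,
 * e.g. dr7_encode(0,...) | dr7_encode(1,...) gives the thread's 0077040A. */
uint32_t dr7_encode(int slot, int global, int type, int len)
{
    uint32_t v = 0x400u;                          /* reserved bit 10 */
    v |= 1u << (2 * slot + (global ? 1 : 0));     /* Ln or Gn enable bit */
    v |= (uint32_t)(type & 3) << (16 + 4 * slot); /* R/Wn: break condition */
    v |= (uint32_t)(len & 3) << (18 + 4 * slot);  /* LENn: 1/2/8/4 bytes */
    return v;
}

/* The "DR7 decompile" view: what each of the four slots is set to. */
void dr7_decode(uint32_t dr7, drx_slot out[4])
{
    for (int n = 0; n < 4; n++) {
        out[n].global  = (dr7 >> (2 * n + 1)) & 1;
        out[n].enabled = ((dr7 >> (2 * n)) & 1) | out[n].global;
        out[n].type    = (dr7 >> (16 + 4 * n)) & 3;
        out[n].len     = (dr7 >> (18 + 4 * n)) & 3;
    }
}

/* Slot 0..3 whose Bn bit is set in DR6, or -1 when none is: then the
 * exception was not a hardware breakpoint (the FFFF0FF0 case). The bits
 * that show as 1 in the dumps (4..11, 16..31) are reserved and carry no
 * information; clear DR6 in the context after handling, as cypher notes. */
int dr6_slot(uint32_t dr6)
{
    for (int n = 0; n < 4; n++)
        if (dr6 & (1u << n))
            return n;
    return -1;
}

int dr6_single_step(uint32_t dr6)  { return (dr6 >> 14) & 1; } /* BS */
int dr6_debug_access(uint32_t dr6) { return (dr6 >> 13) & 1; } /* BD */
int dr6_task_switch(uint32_t dr6)  { return (dr6 >> 15) & 1; } /* BT */
```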

It's possible but takes a bit of time, and I'm currently working on a new Olly plugin with Aguila.

So I won't add that before next week.

But why do you need to parse dr7 when you set that yourself?

PS: you can't receive any new PMs, says T4Y

Sounds nice if you could do this too; you don't need to hurry, I can wait. The new feature is just for checking the DR7 to see what was set etc. Sometimes I use an exception logger tool to get a full log with DRx values etc., and then I could just copy this into your tool to get more details without checking it by myself. :) Thanks again.

PS: Oh ok, so I need to delete some PMs (too lazy at the moment to check what I can trash etc.) to get new PMs. Just use any older PM topic (Scylla...) to PM me.

greetz

Hello cypher,

very goooooood! :) Thank you again.

So now I have again a tiny little request about the tool's look and the new DR7 decode. I see that the entire block just stays grayed out (ghost look), and that is not very good. Could you make it so that if a DRx is decoded and used, you then enable this DRx in your tool? I mean the font etc. like in the first DR7 control panel, you know what I mean, right? I don't like this ghost font thing. Would be nice if you could change this too later, if possible. :)

Thank you again for this helpful little tool, cypher.

PS: Could you also add a minimize button too?

greetz

Redownload the tool. I made the GUI minimizable.

The elements are greyed out because those elements are disabled = only the program can set them. Unfortunately you can't make disabled elements "black" again.

If I enabled those elements, they would be black but the user could click around, which you don't want for read-only fields.

So I'll leave that like it is :P

Hi,

1.) Buhhhhhhh! :)

2.) I did redownload but there is no minimize button. Still only the X is to be seen.

3.) Re-Buhhhhhh! ;)

PS: Yes I know, but you could also enable these windows and set it up so that if the user clicks around on the fields, nothing happens. That would work too, or? Something like this maybe.

greetz

Hi cypher,

ohhhhhhh very nice. :) The new version looks good with enabled elements + minimize button. :) Thanks again for your work, cypher (you've earned yourself an extra Milchschnitte for that). ;)

greetz

Thanks again for your work, cypher (you've earned yourself an extra Milchschnitte for that). ;)

You're welcome. I'll have a Schweinsbraten and a Helles instead of the Milchschnitte! :thanks:

Yo. :) A triple Schweinsbraten as "appetizer" sounds also very good. :)

Did you already laugh today? If not then just watch this. :)

http://www.youtube.com/watch?v=1qfAa6c7mlM

PS: If you guys have trouble watching the video on this forum or if you can't see it (Firefox block enabled), then I post the direct links.

Video without subtitles and in bad quality:

http://www.youtube.com/watch?v=1qfAa6c7mlM

Video with English subtitles and in HD :)

http://www.youtube.com/watch?v=0HfuxgQJ8sk

Just watch this video and I promise you will laugh very much. :) If not, then you had better visit a doctor. ;)

Have fun.

cracked me up

