Tuts 4 You
LCF-AT

Hardware data/read/execute breakpoints...


Nacho_dj

Look, to enable DRX:

DR7 := DR7 OR (1 shl (2*X));          { sets Lx, the local-enable bit for slot X (bit 2*X of DR7) }

To disable DRX:

DR7 := DR7 AND NOT (1 shl (2*X));     { clears Lx unconditionally; XOR would only toggle it and re-enable an already cleared slot }

To check which HWBP was triggered, check this pseudocode in Delphi:

X := 0;
{ DR6 bits 0..3 (B0..B3) flag the slot that hit; the X < 4 bound stops the loop
  when no B bit is set at all, e.g. DR6 = FFFF0FF0, instead of shifting forever }
while ((DR6 and 1) = 0) and (X < 4) do
begin
  DR6 := DR6 shr 1;
  Inc(X);
end;
{ X = 4 here means the exception was not caused by a hardware breakpoint }

Here you get the number of the DRx register that was triggered.

Note that X can be 0, 1, 2, 3

LCF-AT

Hi Nacho and thanks again for the info, but now I am still confused. :) Can you not create any quick ASM commands for me? Also, by the way, so there are commands to use DR0 - DR7 (mov eax,DR6) etc., so can I use them too somehow without reading the context? So if I call them = AV C0000096.


 


greetz


cypher

Here's a little tool I did for you:


 


[screenshot: drxcalc.png]


 


- Set DRx Mode, Type, Size and copy out the "DR7 Value" you need to set. It will give you the value for a single DRx to be set. If you want more, then first calc DR0, then DR1, and binary "or" the results.


- Copy DR6 Result to "DR6 Value" and see which DRx got hit.


 


Now with this tool everything should be eeeaaasy :punk:


 


Can't attach files in this thread, so grab it here


 


 


PS: And no, you cannot set/get DRx directly, you need to set/get the context. Also set DR6 to 0 after handling because the CPU doesn't always clear it!


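As an added example (my own code, not cypher's drx_calc and not code from this thread), this is the calculation the tool does for one DRx slot, plus the binary "or" for several slots. The bit layout is the one from the Intel SDM for DR7: L0/G0..L3/G3 in bits 0..7, the R/W and LEN fields of slot n in bits 16+4n..19+4n, and reserved bit 10 reading as 1 (the 0x400 you see in 00070402). The constant and function names are my own; the resulting value is what goes into the Dr7 member of the thread context before calling SetThreadContext, as cypher describes.

```python
# Added example: DR7 encoding for one slot and OR-ing of several slots.
# Names (RW_*, LEN, dr7_for_slot, dr7_multi) are mine, not from cypher's tool.

RW_EXEC, RW_WRITE, RW_IO, RW_READWRITE = 0, 1, 2, 3   # R/Wn field encodings (Intel SDM)
LEN = {1: 0b00, 2: 0b01, 8: 0b10, 4: 0b11}            # LENn field; 8 bytes only in 64-bit mode
DR7_RESERVED_BIT10 = 1 << 10                          # reads as 1; the 0x400 in 00070402


def dr7_for_slot(slot, rw, size, local=True):
    """DR7 contribution of a single DRx: enable bit plus the slot's type/size nibble."""
    if slot not in range(4):
        raise ValueError("only DR0..DR3 exist")
    if rw == RW_EXEC and size != 1:
        raise ValueError("execute breakpoints must use LEN=00 (1 byte)")
    enable_bit = 2 * slot + (0 if local else 1)       # Ln = bit 2n, Gn = bit 2n+1
    value = 1 << enable_bit
    value |= rw << (16 + 4 * slot)                    # R/Wn
    value |= LEN[size] << (18 + 4 * slot)             # LENn
    return value | DR7_RESERVED_BIT10


def dr7_multi(*specs):
    """OR single-slot values together; this is what cypher's "Keep" button does."""
    value = 0
    for spec in specs:
        value |= dr7_for_slot(*spec)
    return value


if __name__ == "__main__":
    # LCF-AT's verify example: R/W, 2 bytes, global, DR0 -> 00070402
    print(f"{dr7_for_slot(0, RW_READWRITE, 2, local=False):08X}")
    # DR0 and DR1 both set -> 0077040A
    print(f"{dr7_multi((0, RW_READWRITE, 2, False), (1, RW_READWRITE, 2, False)):08X}")
```

Note that a global slot only differs from a local one in which enable bit is set (bit 2n+1 instead of 2n); the type and size nibble is the same, so a local-only DR0 R/W 2-byte breakpoint would be 00070401 instead of 00070402.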
LCF-AT

Coolio! :)


 


Big-O-thank you for this little tool helper cypher. Ok wait....so if I wanna set a HWBP xy, then I set this in your tool above, and the value which comes out at DR7 I then have to copy into the context before I call the STC API. Ok, so I think I did understand this so far. :)


 


Verify example:



DR7: 00070402 = HWBP R/W | 2 bytes | global | DR0 Slot <-- Right?

And what is with DR6?


 


Ok, I have tested this now but I get this....



I set the context before the call to STC
----------------------------------------------------
004104D0 00010017
004104D4 010073AB notepad.010073AB <-- BP
004104D8 00000000
004104DC 00000000
004104E0 00000000
004104E4 00000000
004104E8 00070402 <--- Now I run the app + BP at the KI API and it stops at KI and the context there says...
0007FCDC 0001003F
0007FCE0 010073AB notepad.010073AB
0007FCE4 00000000
0007FCE8 00000000
0007FCEC 00000000
0007FCF0 FFFF0FF0 <---
0007FCF4 00070400 <--- and the AV is...
0007FCC0 C0000005 <-- Access violation, why this and not single step?

So at the address 010073AB and above are just nop commands. So why do I get an AVio etc.?


 


Also if I copy FFFF0FF0 to DR6 in your tool then I get nassing. :) Just if I change the last bit to not 0. Hhmmmmmmmm! What's wrong now? Is it me again? I am getting more and more confused.


 


About the DR0 and more. So you mean then I have to .....


 


00070402 or 00700408 = 0077040A = DR0 and DR1, to copy then into DR7. Right or not? I thought it would be easier to handle, but now I see it isn't, or I am too much of a dummy for this. DaMutDuNochMerMachenGel. :)


 


PS: So could you add this DR0 / DR1 / DR2 / DR3 calculation also into your tool later? So I don't wanna "or" the entire values manually every time I test here. Thank you.


 


PS2: Short re-question, so what was it again with the global and local choice? The difference I mean, and where is it better to use global or local etc.?


 


greetz


mrexodia

always use local :D

cypher

- Your DR7 verify example is correct.


 


- Your DR6 result of FFFF0FF0 means that it wasn't a HWBP that caused the exception.


 


- 00070402 (DR0) or 00700408 (DR1) = 77040A = DR0 and DR1 both set. Correct !


- Mode local gets killed by task-switch, global doesn't. Usually you only want local.


cypher

Little update for the tool -> https://bitbucket.org/cypherpunk/drx_calc/downloads/drx_calc.rar


 


[screenshot: multi.png]


 


You can now "Keep" the current value and it gets OR-ed to the others you already kept.


 


So you define DR0, then click "Keep", it gets saved to the "Dr7 Multi" field. Then define DR1, click "Keep" and it gets OR-ed to the value already in "multi". etc..


Then you copy and use the value in "DR7 Multi".


Click "Clear" to start over again.


LCF-AT

Hi again,


 


thanks for the new tool version. :)


Ok so now I have tested again and the HWBPs seem to work now also with multiple set HWBPs. :) Now I also get....


DR6: FFFF0FF1 <-- 1 = DR0 ...


DR6: FFFF0FF2 <-- 2 = DR1 was triggered


DR6: FFFF0FF8 <-- 8 = DR3 ....


DR6: FFFF0FF4 <-- 4 = DR2...


etc


....ok so if I enter the value in your tool then I get the right results, but what I don't get is the exception reason (singlestep / Exception / T-bit) in your tool. Why?


 


All in all I am happy now, so the HWBPs in all slots do work now if I enter the right DR7 values, so thank you again very much for this helpful tool cypher. :)


 


greetz



 


cypher

Exception reason is empty usually.

SingleStep would mean bp was reached by single stepping on it.

Exception means illegally accessing debug register

T-Bit is related to TSS and I don't understand that completely myself.

So a normal hwbp hit only has info about which drx and rest is empty.

Glad I could help with the tool.

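As an added example (my own code, not cypher's tool and not from this thread), here is a DR6 decoder that produces exactly the fields cypher lists: which DRx hit, and the three extra reasons. The bit positions come from the Intel SDM: B0..B3 in bits 0..3, BD in bit 13 (debug-register access detected, the tool's "Exception"), BS in bit 14 (single step), BT in bit 15 (task switch, the tool's "T-Bit"). Bits 4..11 and the upper half read as 1 on this CPU, which is why LCF-AT sees FFFF0FFx values; they carry no information. Function and key names are my own.

```python
# Added example: decode DR6 into slot hits and the reason bits cypher describes.
# Names (decode_dr6, describe_dr6, DR6_*) are mine, not from cypher's tool.

DR6_BD = 1 << 13   # debug-register access detected ("Exception" in the tool)
DR6_BS = 1 << 14   # single step ("SingleStep")
DR6_BT = 1 << 15   # task switch ("T-Bit")


def decode_dr6(dr6):
    """Return which slots hit (B0..B3) and which extra reason bits are set."""
    slots = [n for n in range(4) if dr6 & (1 << n)]
    reasons = []
    if dr6 & DR6_BS:
        reasons.append("SingleStep")
    if dr6 & DR6_BD:
        reasons.append("Exception")
    if dr6 & DR6_BT:
        reasons.append("T-Bit")
    return {"slots": slots, "reasons": reasons, "hwbp": bool(slots)}


def describe_dr6(dr6):
    """One-line summary, e.g. for an exception log."""
    d = decode_dr6(dr6)
    if not d["hwbp"] and not d["reasons"]:
        # LCF-AT's FFFF0FF0 case: the fault came from somewhere else (his C0000005)
        return f"DR6 {dr6:08X}: no debug-register cause, treat as ordinary exception"
    parts = [f"DR{n} hit" for n in d["slots"]] + d["reasons"]
    return f"DR6 {dr6:08X}: " + ", ".join(parts)


# After handling a hit, write 0 to the Dr6 member of the thread context before
# SetThreadContext, as cypher notes: the CPU does not clear the B bits itself, so a
# stale B0 would make the next unrelated exception look like a DR0 hit.

if __name__ == "__main__":
    for v in (0xFFFF0FF1, 0xFFFF0FF2, 0xFFFF0FF8, 0xFFFF0FF0, 0xFFFF4FF0):
        print(describe_dr6(v))
```

For a normal hardware-breakpoint hit only one of B0..B3 is set and the reasons list stays empty, which matches what cypher says the tool shows.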
LCF-AT

Ah ok, and all is clear so far now, so that I can now handle the necessary basics of it. :) Of course your tool does help me a lot, so without this I still would not get this handling into my head and would get more and more confused. :)


 


Just can say thank you again cypher. :)


Also thank you for all others too of course.


 


greetz


LCF-AT

Hi again,


 


so I have another small request about your tool cypher. So could you maybe also add another option (almost the same as DR6, where you enter the value to read below which DR was set and which exception etc.), but this time for DR7 too, to enter an xy DR7 context and your tool then shows what was used (Mode, Type, Size & DRx's)? Almost the same as when I set up a DR7 value, as your tool already does it, but I also wanna have a decompiler for DR7 values. :) You know what I mean, right? Maybe you can add this then in a window, nicely sorted or something, if you need to show max 4 infos of all for each HWBP.



---------------------------------------
DR7: 33330455 | Decompile |
---------------------------------------
DRx Mode | Type | Size
---------------------------------------
DR0: Local | R/W | 1
DR1: Local | R/W | 1
DR2: Local | R/W | 1
DR3: Local | R/W | 1
---------------------------------------

Something like this maybe. :) Would be very great if you could add this feature too, if it's not too much to ask of me. So then I could later also use this new feature to quickly check exception logs in more detail, you know. I say thank you already so far.


 


greetz


cypher

It's possible but takes a bit of time, and I'm currently working on a new Olly plugin with Aguila.

So I won't add that before next week.

But why do you need to parse dr7 when you set that yourself?

PS: you can't receive any new PMs, says t4y.

LCF-AT

Sounds nice if you could do this, also you don't need to hurry, so I can wait so far. So the new feature is just for checking the DR7 to see what was set etc. So sometimes I use an exception logger tool to get a full log with DRx values etc., and then I could just copy this into your tool to get more details without checking this by myself etc. :) Thanks again.


 


PS: Oh ok, so I need to delete some PMs (too lazy at the moment to check what I can trash etc.) to get new PMs. Just use any older PM topic (Scylla...) to PM me.


 


greetz


cypher

LCF wanted an update  :please: , so here it comes


 


[screenshot: drx7_decode.png]


 


Simply enter a DR7 Value and it will decode it and tell you which DRx was set with which type, mode and size.


 


Download the update


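As an added example (my own code, not cypher's decoder and not from this thread), this turns a DR7 value into the per-slot table LCF-AT sketched a few posts above. The layout is the Intel SDM one for DR7: Ln = bit 2n, Gn = bit 2n+1, R/Wn = bits 16+4n..17+4n, LENn = bits 18+4n..19+4n; a slot with neither enable bit set is skipped. Function and table names are my own.

```python
# Added example: decode DR7 into (slot, mode, type, size) rows and render them
# in the ASCII table shape LCF-AT asked for. Names are mine, not cypher's.

RW_NAMES = {0b00: "Exec", 0b01: "Write", 0b10: "I/O", 0b11: "R/W"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}   # 8 bytes is only valid in 64-bit mode


def decode_dr7(dr7):
    """Return one (slot, mode, type, size) tuple per enabled DRx."""
    rows = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue                                  # slot not armed
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        if local and glob:
            mode = "Local+Global"
        elif local:
            mode = "Local"
        else:
            mode = "Global"
        rows.append((f"DR{n}", mode, RW_NAMES[rw], LEN_BYTES[ln]))
    return rows


def render_dr7(dr7):
    """ASCII table in the shape LCF-AT sketched."""
    sep = "-" * 39
    lines = [sep, f"DR7: {dr7:08X}", sep, "DRx | Mode | Type | Size", sep]
    for slot, mode, typ, size in decode_dr7(dr7):
        lines.append(f"{slot}: {mode} | {typ} | {size}")
    lines.append(sep)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_dr7(0x33330455))   # all four slots: Local | R/W | 1
    print(render_dr7(0x0077040A))   # DR0 and DR1: Global | R/W | 2
```

Running it on LCF-AT's 33330455 gives four Local / R/W / 1 rows, and on cypher's 0077040A two Global / R/W / 2 rows, so the decoder and the earlier hand calculation agree.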
LCF-AT

Hello cypher,


 


very goooooood! :) Thank you again.


So now I have again a little tiny request about the tool look and the new DR7 decode. So I see that the entire block just stays grayed (ghost look) etc., so this is not very good. So could you make it so that if a DRx is decoded and used, you then enable this DRx in your tool? I mean the font etc. like in the first DR7 control panel, so you know what I mean, right? So I don't like this ghost font thing etc. Would be nice if you could change this too later, just if possible. :)


 


Thank you again for this little helpful tool cypher.


 


PS: Could you also add a minimize button too?


 


greetz


cypher

Redownload the tool. I made the GUI minimizable.


 


The elements are greyed out because those elements are disabled = only the program can set them. Unfortunately you can't make disabled elements "black" again.


If I enabled those elements, they would be black, but the user could click around, which you don't want for read-only fields.


 


So I'll leave that like it is :P


LCF-AT

Hi,


 


1.) Buhhhhhhh! :)


2.) I did redownload but there is no minimize button. Only the X is still to see.


3.) Re-Buhhhhhh! ;)


 


PS: Yes I know, but you could also enable these windows and set them up so that if the user clicks around on the fields, nothing happens etc. Would that also work, or? Something like this maybe etc.


 


greetz


LCF-AT

Hi cypher,


 


ohhhhhhh very nice. :) New version looks good with enabled elements + minimize b"U"ttOn-"g". :) Thanks again for your work cypher (you have earned yourself an extra Milchschnitte for that). ;)


 


greetz


cypher

Thanks again for your work cypher (you have earned yourself an extra Milchschnitte for that). ;)

 

You're welcome. I'll have a Schweinsbraten and a Helles instead of the Milchschnitte! :thanks:

LCF-AT

Yo. :) A triple Schweinsbraten as "appetizer" sounds also very good. :)


 


Did you already laugh today? If not, then just watch this. :)


http://www.youtube.com/watch?v=1qfAa6c7mlM


LCF-AT

PS: If you guys have trouble watching the video on this forum or if you can't see it (firefox block enabled), then I post the direct links.


 


Video without subtitle and bad quality.



http://www.youtube.com/watch?v=1qfAa6c7mlM

Video with English subtitles and in HD :)



http://www.youtube.com/watch?v=0HfuxgQJ8sk

Just watch this video and I promise you will laugh very much. :) If not, then you better visit a doctor. ;)


 


Have fun.


JeRRy

PS: If you guys have trouble watching the video on this forum or if you can't see it (firefox block enabled), then I post the direct links.

 

Video without subtitle and bad quality.


http://www.youtube.com/watch?v=1qfAa6c7mlM

Video with English subtitles and in HD :)


http://www.youtube.com/watch?v=0HfuxgQJ8sk

Just watch this video and I promise you will laugh very much. :) If not, then you better visit a doctor. ;)

 

Have fun.

 

cracked me up
