snoopy Posted June 9, 2014 (edited)

Hey Guys

I am having a question about memory breakpoints, like Olly implements. The main issue is that doing it myself with a dll I am injecting into the process, the concept is extremely slow. While breakpointing with Olly it's just as fast as any other breakpoints.

I am having a spot inside the program I want to set the breakpoint on. I copied this spot into a variable called: [HardwareBreakpointAddress]

I am hooking KiUserExceptionDispatcher to catch the exceptions. I know I could also install a Vectored Exception Handler but this seems to suit just fine as well.

The code is WORKING, it's just I am wondering why it is so terribly slow. Is it because of the way the trapflag is being set?

Export KiUserExceptionDispatcher_hook:
;-------------------------------------------------------------
;ntdll!KiUserExceptionDispatcher:
;7de80124 fc        cld
;7de80125 8b4c2404  mov ecx,dword ptr [esp+4]
;7de80129 8b1c24    mov ebx,dword ptr [esp]
;-------------------------------------------------------------
    cld
    mov ecx, D[esp+04h]                  // pointer to the CONTEXT record
    mov ebx, D[esp]                      // pointer to the EXCEPTION_RECORD
    pushad                               // also preserves ecx (context pointer) across the invokes below
    cmp D[ebx], EXCEPTION_SINGLE_STEP    // ExceptionCode == 0x80000004
    je > __checkdrx
    jmp > __checkpg

__checkdrx:
    mov esi, ecx
    invoke SetSingleStepMode, [MainThreadIdHandle], FALSE   // clear trap flag
    // the instruction that faulted has now retired, so re-arm the guard page
    invoke VirtualProtect, [HardwareBreakpointAddress], 1, PAGE_EXECUTE_READWRITE | PAGE_GUARD, offset OldProtection
    jmp > __allgood

__done:
    mov eax, [esi+CONTEXT.Eax]
    mov [breakPointValue], eax
    xor eax, eax
    invoke ResumeThread, [DLLThreadHandle]
    invoke SuspendThread, [MainThreadIdHandle]

__allgood:
    popad                                // restores ecx = context pointer saved by pushad
    invoke NtContinue, ecx, 1
    nop
    nop

__checkpg:
    cmp D[ebx], STATUS_GUARD_PAGE_VIOLATION   // 0x80000001
    jne > __goback
    mov esi, ecx
    mov eax, [esi+CONTEXT.Eip]
    cmp eax, [HardwareBreakpointAddress]
    je < __done
    // another instruction on the guarded page faulted: Windows has already removed
    // PAGE_GUARD, so single-step over it and re-arm the page in __checkdrx
    invoke VirtualProtect, [HardwareBreakpointAddress], 1, PAGE_EXECUTE_READWRITE, offset OldProtection
    invoke SetSingleStepMode, [MainThreadIdHandle], TRUE    // set trap flag
    jmp < __allgood

__goback:
    popad
    push [KiUserExceptionDispatcher_ret]
    ret

SetSingleStepMode Frame pThread, bSet
    // if bSet == 1 then set the single-step (trap) flag, otherwise clear it
    mov [context.ContextFlags], CONTEXT_FULL
    invoke GetThreadContext, [pThread], offset context
    cmp B[bSet], 0
    je >
    or W[context.EFlags], 0100h          // set TF (bit 8 of EFlags)
    jmp > SetFlagContext
:
    and W[context.EFlags], 0FEFFh        // clear TF
SetFlagContext:
    invoke SetThreadContext, [pThread], offset context
    ret
Endf

Edited June 9, 2014 by snoopy
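Added illustration, not the poster's code: a portable C model of the hook's state machine that replays a run of instruction addresses and counts the exceptions the dispatcher would receive. It shows the cost the scheme carries by construction: every instruction that executes on the guarded page but is not the target costs a guard-page fault plus a single-step exception, each a full kernel round trip through KiUserExceptionDispatcher. The 4 KiB page size, one-byte instructions and the 0x401000 addresses are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the guard-page + trap-flag scheme in the post. No Win32
 * calls: the flags stand in for PAGE_GUARD and TF, bp_addr stands in for
 * [HardwareBreakpointAddress]. Addresses and page size are assumptions. */
#define PAGE_MASK (~(uint32_t)0xFFF)
enum { EXC_GUARD_PAGE = 0x80000001u, EXC_SINGLE_STEP = 0x80000004u };

typedef struct {
    uint32_t bp_addr;    /* [HardwareBreakpointAddress] */
    int guarded;         /* PAGE_GUARD present on that page */
    int trap_flag;       /* TF in the debuggee's EFlags */
    int hit;             /* reached __done */
    unsigned exceptions; /* deliveries to KiUserExceptionDispatcher */
} MemBp;

/* One call per delivered exception, following the labels in the hook. */
static void dispatch(MemBp *b, uint32_t code, uint32_t eip) {
    b->exceptions++;
    if (code == EXC_SINGLE_STEP) {         /* __checkdrx */
        b->trap_flag = 0;                  /* SetSingleStepMode(..., FALSE) */
        b->guarded = 1;                    /* VirtualProtect(..., PAGE_GUARD) */
    } else if (code == EXC_GUARD_PAGE) {   /* __checkpg */
        b->guarded = 0;                    /* Windows clears PAGE_GUARD on the fault */
        if (eip == b->bp_addr) b->hit = 1; /* __done */
        else b->trap_flag = 1;             /* SetSingleStepMode(..., TRUE) */
    }
}

/* Retire one instruction at eip, raising what the CPU and OS would raise.
 * Only instruction fetch is modelled; data accesses to the page trap too. */
static void step(MemBp *b, uint32_t eip) {
    if (b->guarded && (eip & PAGE_MASK) == (b->bp_addr & PAGE_MASK))
        dispatch(b, EXC_GUARD_PAGE, eip);
    if (!b->hit && b->trap_flag) dispatch(b, EXC_SINGLE_STEP, eip);
}

/* Run n one-byte instructions from start; stop when the breakpoint hits. */
static MemBp run(uint32_t bp_addr, uint32_t start, unsigned n) {
    MemBp b = {0};
    b.bp_addr = bp_addr;
    b.guarded = 1;
    for (unsigned i = 0; i < n && !b.hit; i++) step(&b, start + i);
    return b;
}

/* Exceptions delivered for the run, and whether the target was reached. */
unsigned trace_cost(uint32_t bp, uint32_t start, unsigned n) { return run(bp, start, n).exceptions; }
int trace_hits(uint32_t bp, uint32_t start, unsigned n) { return run(bp, start, n).hit; }
```

With ten unrelated instructions on the page ahead of the target, trace_cost reports 21 exceptions for a single breakpoint hit, while a run on another page costs none.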