memory breakpoints like olly

Hey guys, I have a question about memory breakpoints like the ones Olly implements.

The main issue is that when I do it myself with a DLL I am injecting into the process, it is extremely slow.

While breakpointing with Olly it's just as fast as any other breakpoints.

I am having a spot inside the program I want to set the breakpoint on.

I copied this spot into a variable called: [HardwareBreakpointAddress]

I am hooking KiUserExceptionDispatcher to catch the exceptions. I know I could also install a Vectored Exception Handler, but this seems to suit just fine as well.

The code is WORKING, it's just that I am wondering why it is so terribly slow.

Is it because of the way the trap flag is being set?

Export KiUserExceptionDispatcher_hook:
;-------------------------------------------------------------
;ntdll!KiUserExceptionDispatcher:
;7de80124 fc cld
;7de80125 8b4c2404 mov ecx,dword ptr [esp+4] //
;7de80129 8b1c24 mov ebx,dword ptr [esp] //
;-------------------------------------------------------------
    cld
    mov ecx, D[esp+04h] //Pointer to the context record
    mov ebx, D[esp] //Pointer to the exception record
    pushad
    cmp D[ebx], EXCEPTION_SINGLE_STEP //Single Step Exception 0x80000004
    je > __checkdrx
    jmp > __checkpg

__checkdrx:
    // single step after a guard page hit: clear the trap flag and re-arm PAGE_GUARD
    push ecx
    mov esi, ecx
    invoke SetSingleStepMode, [MainThreadIdHandle], FALSE // clear trap flag
    invoke VirtualProtect, [HardwareBreakpointAddress], 1, PAGE_EXECUTE_READWRITE | PAGE_GUARD, offset OldProtection
    pop ecx
    jmp > __allgood

__done:
    // breakpoint address reached: save EAX and hand control to the DLL thread
    mov eax, [esi+CONTEXT.Eax]
    mov [breakPointValue], eax
    xor eax, eax
    invoke ResumeThread, [DLLThreadHandle]
    invoke SuspendThread, [MainThreadIdHandle]

__allgood:
    popad
    invoke NtContinue, ecx, 1
    nop
    nop

__checkpg:
    cmp D[ebx], STATUS_GUARD_PAGE_VIOLATION
    jne > __goback
    // no push ecx here: nothing on this path pops it, and the popad at __allgood restores ecx
    mov esi, ecx
    mov eax, [esi+CONTEXT.Eip]
    cmp eax, [HardwareBreakpointAddress]
    je < __done
    invoke VirtualProtect, [HardwareBreakpointAddress], 1, PAGE_EXECUTE_READWRITE, offset OldProtection
    invoke SetSingleStepMode, [MainThreadIdHandle], TRUE // set trap flag
    jmp < __allgood

__goback:
    // not our exception: return to the original dispatcher
    popad
    push [KiUserExceptionDispatcher_ret]
    ret

SetSingleStepMode Frame pThread, bSet
    //If bSet==1 then set the single step, otherwise unset it.
    mov [context.ContextFlags], CONTEXT_FULL
    invoke GetThreadContext, [pThread], offset context
    cmp B[bSet], 0
    je >
    // the trap flag (TF) is bit 8 of EFlags, not of ContextFlags
    or W[context.EFlags], 0100h // set trap flag
    jmp > SetFlagContext
:
    and W[context.EFlags], 0FEFFH // clear trap flag
SetFlagContext:
    invoke SetThreadContext, [pThread], offset context
    ret
Endf

Edited by snoopy
