Author Topic: Most efficient way to break when entering a PE section??? (Read 1853 times)

yaa · « **on:** 2005-05-07 16:30:28 »

Hello,

I'm writing a small tool that uses win32 debug APIs and was wondering what might be the most efficient approach to break on entering a PE section. Using EXCEPTION_SINGLE_STEP and checking at every step if EIP is in the correct section is indeed slow. OllyDbg does this very efficiently, so there must be a better/faster way of doing it. How?
Thx.

yaa

f0dder · « **Reply #1 on:** 2005-05-07 17:33:16 »

You could temporarily patch the byte at the entrypoint to a 0CCh (int3) opcode, catch EXCEPTION_BREAKPOINT, and patch back the byte?

yaa · « **Reply #2 on:** 2005-05-07 21:23:59 »

Yes, that could be a good solution.
How about changing the access to PAGE_NOACCESS catching afterwards the EXCEPTION_ACCESS_VIOLATION exception? Does anyone see cons against this approach?

yaa

f0dder · « **Reply #3 on:** 2005-05-07 21:32:52 »

That ought to work, too - and might be a slightly more elegant solution, since you don't force the page the entrypoint is in to be copy-on-write'd. Very slight improvement, though

Author Topic: Most efficient way to break when entering a PE section??? (Read 1853 times)

yaa

Most efficient way to break when entering a PE section???

f0dder

Re: Most efficient way to break when entering a PE section???

yaa

Re: Most efficient way to break when entering a PE section???

f0dder

Re: Most efficient way to break when entering a PE section???