I'm writing a small tool that uses win32 debug APIs and was wondering what might be the most efficient approach to break on entering a PE section. Using EXCEPTION_SINGLE_STEP and checking at every step if EIP is in the correct section is indeed slow. OllyDbg does this very efficiently, so there must be a better/faster way of doing it. How?

Posted on 2005-05-07 11:30:28 by yaa
You could temporarily patch the byte at the entrypoint to a 0CCh (int3) opcode, catch EXCEPTION_BREAKPOINT, and patch back the byte?
Posted on 2005-05-07 12:33:16 by f0dder
Yes, that could be a good solution.
How about changing the page access to PAGE_NOACCESS and afterwards catching the EXCEPTION_ACCESS_VIOLATION exception? Does anyone see any cons to this approach?

Posted on 2005-05-07 16:23:59 by yaa
That ought to work, too - and might be a slightly more elegant solution, since you don't force the page the entrypoint is in to be copy-on-write'd. Very slight improvement, though :)
Posted on 2005-05-07 16:32:52 by f0dder
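An added example, not from this thread, in portable C of the address bookkeeping both approaches need: the per-step "is EIP in the section" test, the page-aligned range to hand to VirtualProtectEx for the PAGE_NOACCESS variant, and the check that a resulting access violation is really execution entering the section rather than a data access to its pages from code elsewhere. The image base and section table are constructed; a real tool reads them from the debuggee's PE headers.

```c
#include <stdbool.h>
#include <stdint.h>
#define PAGE_SIZE 0x1000u

/* The two IMAGE_SECTION_HEADER fields the check needs. */
typedef struct {
    const char *name;
    uint32_t    virtual_address;  /* RVA where the section is mapped */
    uint32_t    virtual_size;     /* bytes occupied in memory */
} section_t;

/* Constructed section table for a hypothetical image loaded at 0x400000. */
static const uint32_t IMAGE_BASE = 0x400000u;
static const section_t SECTIONS[] = {
    { ".text",  0x1000u, 0x2340u },
    { ".rdata", 0x4000u, 0x0800u },
    { ".data",  0x5000u, 0x0400u },
};
#define NUM_SECTIONS 3

/* Section index containing virtual address VA, or -1. This is the test
 * the single-step approach runs on EIP after every EXCEPTION_SINGLE_STEP. */
int section_of(uint32_t va) {
    uint32_t rva = va - IMAGE_BASE;  /* wraps for va < base: no match */
    for (int i = 0; i < NUM_SECTIONS; i++) {
        uint32_t start = SECTIONS[i].virtual_address;
        if (rva >= start && rva - start < SECTIONS[i].virtual_size)
            return i;
    }
    return -1;
}

/* Page-aligned range [*start, *end) covering section IDX: the region a
 * debugger would pass to VirtualProtectEx with PAGE_NOACCESS to arm the
 * guard, and again with the saved protection to disarm it before resuming. */
bool guard_range(int idx, uint32_t *start, uint32_t *end) {
    if (idx < 0 || idx >= NUM_SECTIONS) return false;
    uint32_t lo = IMAGE_BASE + SECTIONS[idx].virtual_address;
    uint32_t hi = lo + SECTIONS[idx].virtual_size;
    *start = lo & ~(PAGE_SIZE - 1);
    *end   = (hi + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1);
    return true;
}

/* On EXCEPTION_ACCESS_VIOLATION: true only if the faulting EIP lies inside
 * the guarded section, i.e. execution entered it. A data read of the guarded
 * pages from code elsewhere also faults; for that case the debugger must
 * disarm, step over the access, and re-arm instead of reporting entry. */
bool is_section_entry(uint32_t fault_eip, int idx) {
    return section_of(fault_eip) == idx;
}
```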