Hi

how do I set a hardware breakpoint using MASM?
I have read Iczelion's tutorials, but they do not say anything about setting hardware breakpoints.

thanks
Posted on 2006-12-10 21:31:30 by Insano
SetThreadContext and updating the DRx values in the context...
Posted on 2006-12-11 09:50:15 by f0dder
What am I doing wrong?

I am catching CREATE_PROCESS_DEBUG_EVENT and CREATE_THREAD_DEBUG_EVENT,
then I use the hThread member to update the debug registers (DR0 and DR7):
DR0 = the data address I am trying to watch
DR7 = 30002h (break on data read/write, len=1, global enable)

but I am not catching the breakpoint exceptions.

Is DR7 wrong? Or what am I doing wrong? Thanks
Posted on 2006-12-12 16:37:59 by Insano
I have changed DR7 to 30303h and it seems I am catching the breakpoint, but the ExceptionCode is EXCEPTION_SINGLE_STEP and the ExceptionAddress is pointing to the next instruction, 00401060, which is JNZ 0040107F.

00401059  CMP BYTE PTR mydata, 0
00401060  JNZ 0040107F

Is this correct?
I thought the ExceptionCode should be EXCEPTION_BREAKPOINT and the ExceptionAddress should be the current address trying to read from the data, 00401059 CMP BYTE PTR mydata, 0.

Posted on 2006-12-12 19:10:44 by Insano
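As an added illustration (not code from the thread), here is a small C program that decodes the two DR7 values tried above, 30002h and 30303h, field by field, and builds a DR7 value for a 1-byte read/write watch on DR0. On Windows the resulting value goes into the Dr7 field of a CONTEXT whose ContextFlags include CONTEXT_DEBUG_REGISTERS, written with SetThreadContext as f0dder described; the bit layout used here is the x86 one from the Intel SDM.

```c
/* Added example, not from the thread: encode/decode the x86 DR7 debug-control
 * register so the two values Insano tried, 30002h and 30303h, can be compared
 * field by field. Layout (Intel SDM vol. 3, "Debug Registers"):
 *   bits 0-7   L0 G0 L1 G1 L2 G2 L3 G3  (local/global enable per slot)
 *   bits 8-9   LE GE; bit 10 reserved (reads as 1); bit 13 GD
 *   bits 16+4n R/Wn (00 exec, 01 write, 11 read/write), then LENn
 *              (00 1 byte, 01 2 bytes, 11 4 bytes) for slot n */
#include <stdint.h>
#include <stdio.h>

enum { DR_RW_EXEC = 0, DR_RW_WRITE = 1, DR_RW_READWRITE = 3 };
enum { DR_LEN_1 = 0, DR_LEN_2 = 1, DR_LEN_4 = 3 };
struct dr7_slot { int local, global, rw, len; };

/* Clear slot n (0..3) in dr7 and program its enable and condition bits. */
uint32_t dr7_set_slot(uint32_t dr7, int n, int local, int global, int rw, int len)
{
    dr7 &= ~((3u << (2 * n)) | (0xFu << (16 + 4 * n)));
    dr7 |= (uint32_t)(local & 1) << (2 * n);
    dr7 |= (uint32_t)(global & 1) << (2 * n + 1);
    dr7 |= (uint32_t)(rw & 3) << (16 + 4 * n);
    dr7 |= (uint32_t)(len & 3) << (18 + 4 * n);
    return dr7;
}

/* Read back the four fields of slot n. */
struct dr7_slot dr7_get_slot(uint32_t dr7, int n)
{
    struct dr7_slot s;
    s.local  = (int)((dr7 >> (2 * n)) & 1);
    s.global = (int)((dr7 >> (2 * n + 1)) & 1);
    s.rw     = (int)((dr7 >> (16 + 4 * n)) & 3);
    s.len    = (int)((dr7 >> (18 + 4 * n)) & 3);
    return s;
}
int dr7_le(uint32_t dr7) { return (int)((dr7 >> 8) & 1); }
int dr7_ge(uint32_t dr7) { return (int)((dr7 >> 9) & 1); }

int main(void)
{
    const uint32_t vals[] = { 0x30002u, 0x30303u };  /* the two values from the thread */
    for (int i = 0; i < 2; i++) {
        struct dr7_slot s = dr7_get_slot(vals[i], 0);
        printf("DR7=%05Xh: L0=%d G0=%d LE=%d GE=%d R/W0=%d LEN0=%d\n", (unsigned)vals[i],
               s.local, s.global, dr7_le(vals[i]), dr7_ge(vals[i]), s.rw, s.len);
    }
    /* DR0 as a 1-byte read/write watch with only the local enable bit set. */
    printf("local R/W byte watch: %05Xh\n", (unsigned)dr7_set_slot(0, 0, 1, 0, DR_RW_READWRITE, DR_LEN_1));
    return 0;
}
```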
EXCEPTION_BREAKPOINT occurs when you reach an INT3. Many debuggers will do byte patching where they want to set breakpoints, which is why they get the exception. When you set DR7, iirc, you are using single step mode. So yea, this is correct. If you're dead set on catching EXCEPTION_BREAKPOINT, you could set up a list containing the offset and byte; then, wherever you wish to put your breakpoints, add the byte and offset to the list and overwrite the byte using WriteProcessMemory. Then, when you reach EXCEPTION_BREAKPOINT, check your address against your offset list and fix the byte. You seem like you've got everything under control, so I'm sure you won't have any problems implementing it.

Regards,
Bryant Keller
Posted on 2006-12-13 13:16:33 by Synfire
For a memory bp, an optional way is to set the memory area
to PAGE_GUARD and catch STATUS_GUARD_PAGE_VIOLATION,
or PAGE_NOACCESS and catch STATUS_ACCESS_VIOLATION.

pExceptionRecord.ExceptionInformation[1*4] contains the R/W address.
Posted on 2006-12-17 12:53:46 by drizz
I agree.. I generally used the 'pagefault method' for monitoring arbitrary addresses rather than using DRx or injecting int 3.

Rather than setting up 'guard pages', though, think about using VirtualProtect(Ex) to alter the rwx privileges for one or more BYTES of memory.. it works for both code and data, doesn't require maintaining a list.. and there's never a chance of tripping over unexpected CC's :)

This is probably the cleanest way of doing this that I know of, although there are a number of variations on this idea (mostly used in protection schemes, e.g. div0 fault etc).
Posted on 2006-12-17 23:38:19 by Homer
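As an added illustration (not drizz's or Homer's code), the same 'pagefault method' in C with the POSIX equivalents swapped in: mprotect stands in for VirtualProtect and a SIGSEGV handler stands in for the debugger's exception event, so the idea can be tried outside Windows. It assumes a single write to the watched byte and only restores access after the first fault; a full watchpoint would re-protect the page after single-stepping the faulting instruction.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
/* Added example, not code from the thread: the "pagefault method" with POSIX
 * stand-ins (mprotect for VirtualProtect, a SIGSEGV handler for the debugger's
 * exception event). The watched byte sits in a read-only page; the first write
 * faults, the handler records si_addr (counterpart of ExceptionInformation[1]),
 * restores write access and returns, and the store then completes. */
static void *g_page;                    /* page holding the watched byte */
static size_t g_pagesz;
static volatile sig_atomic_t g_hits;    /* faults seen */
static void *volatile g_fault_addr;     /* address the faulting access touched */

static void on_segv(int sig, siginfo_t *si, void *uctx)
{
    (void)sig; (void)uctx;
    g_fault_addr = si->si_addr;
    g_hits++;
    /* Unprotect so the faulting store completes on return; a real watchpoint
     * would re-protect after a single step. Give up rather than loop forever. */
    if (mprotect(g_page, g_pagesz, PROT_READ | PROT_WRITE) != 0)
        _exit(2);
}

/* Watch the byte at offset `off` of a fresh page and write to it. Returns 1 if
 * exactly one fault was reported at that byte's address and the value landed,
 * 0 on a mismatch, -1 if setup failed. */
int watch_write_demo(size_t off)
{
    g_pagesz = (size_t)sysconf(_SC_PAGESIZE);
    if (off >= g_pagesz || posix_memalign(&g_page, g_pagesz, g_pagesz) != 0) return -1;
    unsigned char *target = (unsigned char *)g_page + off;
    volatile unsigned char *watched = target;
    *watched = 0;                                    /* page still writable here */
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_segv;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, NULL) != 0) return -1;
    g_hits = 0; g_fault_addr = NULL;
    if (mprotect(g_page, g_pagesz, PROT_READ) != 0) return -1;  /* arm: writes now fault */
    *watched = 0x5a;                                 /* faults once, then completes */
    int ok = (g_hits == 1 && g_fault_addr == (void *)target && *watched == 0x5a);
    free(g_page);
    return ok;
}
```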
Thank you.

I have another question.
When I get an EXCEPTION_DEBUG_EVENT, how can I know which thread caused the exception?
I am using the DEBUG_EVENT.dwThreadId member with the OpenThread function, but it returns different handles.. why is that?

thanks
Posted on 2006-12-23 18:33:52 by Insano
A handle is a handle, you can have multiple handles (with different numeric values) referencing the same object. You need to compare thread IDs, not handles.
Posted on 2006-12-23 18:39:11 by f0dder
Sorry, I meant:
when I get an EXCEPTION_DEBUG_EVENT, how can I get the real handle of the thread that caused the exception?

> A handle is a handle, you can have multiple handles (with different numeric values) referencing the same object. You need to compare thread IDs, not handles.

I didn't know that, I thought there was only one handle.
So that means I can safely use the handle returned by OpenThread.

Thank you.

Posted on 2006-12-23 19:17:46 by Insano

> Sorry, I meant:
> when I get an EXCEPTION_DEBUG_EVENT, how can I get the real handle of the thread that caused the exception?

Maintain a linked list, updating it on EventCreateThread and EventExitThread;
then to get the thread handle, you do a simple search by thread id.
Posted on 2006-12-23 19:57:30 by drizz
That's exactly how I did it - I never found a clean way of obtaining the thread id by thread handle, so I made an associative list via the 'create thread event' notifications, and just searched it whenever an exception occurred to find a match... the only problem comes when threads terminate..

here's a quote from one of my project sources:

;A thread has terminated.. the dbgevent tells us the thread's exitcode..
;How ****useless is that? We have no idea WHICH thread terminated,
;and the only way we can REALLY find out is to enumerate all threads !!
;What a totally stupid ****idea.
;Now we're FORCED to do just that, so we can dump that thread's struct
;from our pThreads collection ... how droll.. oh it gets worse too..
;There's no way to enumerate the threads of just one Process,
;we're forced to enumerate EVERY ****THREAD IN EXISTENCE !!

I'm sure there's a better way, but I never found it.

Posted on 2006-12-23 20:03:35 by Homer