What is the BD flag that this is referring to ? I didn't find it in the literature.
; dro.asm COM File This code goes resident when run !!
;
; Old anti-debugging code
; Never beeps when traced, why is that ?
;
; Will lock up window if debug or grdb.exe "proceeds" through the program !!
;
; This program may not work because from the comments it uses global debug settings,
; and XP needs local ones at least in native windows. I think it needs local settings
; in a DOS shell too, but am not sure on that.
;
; Another problem: if you step through code that hooks INT 1 or INT 3 with a debugger,
; the debugger is likely to overwrite whatever you put in the interrupt vector table for
; those vectors (a debugger owns INT 1/INT 3 while it runs). That may matter less here,
; since the program goes TSR and waits for the breakpoint rather than issuing INT 13h itself.
;
; Another problem is that int 13h is not supported in the XP dos shell - I'm not sure off-hand
; if the breakpoint will ever be reached, e.g. does XP run the interrupt in real mode and then
; abort the shell, or does it detect the access in PMODE and abort the shell before the breakpoint
; is reached in the vm? I don't know the answer off-hand.
;
; Thanks for your comments; as a result I updated GRDB to have an option for turning its
; hardware breakpoint functionality off :)
;
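.MODEL TINY
.386p                               ; privileged 386 opcodes: mov DRn, 32-bit regs in 16-bit code
.CODE
ORG 100h
START:
;--------------------
; Banner via DOS print-string (AH=09h, '$'-terminated).
Copyright:
mov ah,09
mov dx,offset CMsg
int 21h
jmp short OverCop
CMsg db 0dh,0ah,'80386 DEBUG REGISTERS.',0dh,0ah
db 'Written 1995',0dh,0ah
db 'Beeps when Int 13 entry point reached','$'
OverCop:
;--------------------
mov ax,3513h ; DOS get-vector: ES:BX = current INT 13h handler
int 21h
; Linear address = ES*10h + BX -> EAX. DR0 takes a linear address,
; which in real mode is the same as the physical one.
; (IDA stops here on its first pass if the file is not loaded as 16-bit
; .COM code; it is not a property of the instructions themselves.)
xor eax,eax
mov ax,es
shl eax,4
and ebx,0000FFFFh ; high half of EBX is whatever DOS left there - keep BX only
add eax,ebx
mov dr0,eax ; DR0 = linear address of the INT 13h entry point
xor eax,eax
mov dr6,eax ; DR6 (status): clear any stale B0-B3/BD/BS bits
; DR7 (control): everything off; RW0/LEN0 = 00/00 -> 1-byte execute breakpoint.
xor eax,eax
or al,2 ; G0 = 1: breakpoint 0 enabled globally (bit 1 of DR7)
mov dr7,eax
; NOTE(review): the breakpoint is live from here on, but INT 1 is still the
; old vector until the 2501h call below. A debug exception raised in that
; window goes to whoever owned INT 1 before (a debugger, or nothing useful).
; Arming DR7 after the handler is installed closes the window.
pushf ; Clear TF so we do not single-step into our own handler
pop ax
and ah,0FEh ; TF is FLAGS bit 8 = bit 0 of AH
push ax
popf
; Install TRACER as the INT 1 (debug exception) handler.
; NOTE(review): the previous INT 1 vector is never read (no AH=35h for 01h),
; so it can neither be chained to nor restored after this TSR is loaded.
mov dx,offset Tracer
mov ax,2501h
int 21h
mov dx,offset theend ; TSR: DX = bytes to keep, counted from the PSP (CS:0)
int 27h
;
; INT 1 handler. Entered for two reasons and DR6 says which:
;   BS (bit 14) set  -> the single-step we requested at SetTF below
;   otherwise        -> assumed to be the DR0 execute hit (B0 is not checked)
; Stack layout once bp is set up (push bp, then push eax - MASM pushes
; multi-operand lists left to right; eax is 4 bytes in 16-bit code):
;   [bp+0] eax   [bp+4] bp   [bp+6] IP   [bp+8] CS   [bp+0Ah] FLAGS
TRACER:
push bp eax
mov bp,sp
mov eax,dr6 ; why did INT 1 fire?
; BD (DR6 bit 13) could be tested here. Per the Intel SDM it is set when
; DR7.GD is set and an instruction touches any debug register - a way to
; notice a debugger re-programming DRx. Nothing here sets GD, so a BD test
; would only be meaningful once GD is enabled in DR7 as well.
int 3 ; NOTE(review): an INT 3 inside the INT 1 handler. With no debugger it
      ; runs whatever INT 3 vector is installed, on every single-step and on
      ; every DR0 hit; with a debugger it hands control to the debugger here.
      ; The original author's comment marks it as a probe - drop it for real use.
test eax,00004000h ; BS: single-step trap?
jz HardBreak
; Single-step path: we set TF on the previous exit so the instruction at the
; INT 13h entry could run with DR0 disarmed; re-arm it now.
xor eax,eax
mov dr6,eax ; clear BS
or eax,00000002h ; G0 = 1
and eax,0FFF0FFFFh ; RW0/LEN0 = 0: execute breakpoint, length 1
mov dr7,eax
and word ptr [bp+0Ah],0FEFFh ; clear TF in the saved FLAGS so iret stops stepping
                             ; (operand was stripped in the forum paste; [bp+0Ah]
                             ; is the FLAGS slot per the layout above - confirm
                             ; against the original source)
jmp short exitrace
HardBreak: ; DR0 hit: the INT 13h entry point is about to execute
xor eax,eax
mov dr6,eax ; clear B0
mov eax,dr7
and eax,0FFFFFFFDh ; G0 = 0
mov dr7,eax ; Disarm DR0, otherwise the same instruction faults again on return.
            ; A 16-bit iret pops only the low word of EFLAGS, so RF (bit 16)
            ; cannot be used from here; the TF dance below replaces it.
; The payload: ring the bell (ASCII 07h) through DOS character output.
; NOTE(review): DOS is not re-entrant. INT 13h is typically reached from
; inside an INT 21h file operation, so calling INT 21h from this handler
; re-enters DOS at an unsafe point; a BIOS-level or direct-hardware beep
; would be the safer choice for the payload.
mov dl,07h
mov ah,02h
int 21h
; Insert everything you need.
SetTF: ; request one single-step so the next INT 1 re-arms DR0
or word ptr [bp+0Ah],0100h ; set TF in the saved FLAGS (operand restored, see above)
ExiTrace:
pop eax bp
iret
TheEnd:
End Start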
; dro.asm COM File This code goes resident when run !!
;
; Old anti-debugging code
; Never beeps when traced, why is that ?
;
; Will lock up window if debug or grdb.exe "proceeds" through the program !!
;
; This program may not work because from the comments it uses global debug settings,
; and XP needs local ones at least in native windows. I think it needs local settings
; in a DOS shell too, but am not sure on that.
;
; Another problem: if you step through code that hooks INT 1 or INT 3 with a debugger,
; the debugger is likely to overwrite whatever you put in the interrupt vector table for
; those vectors (a debugger owns INT 1/INT 3 while it runs). That may matter less here,
; since the program goes TSR and waits for the breakpoint rather than issuing INT 13h itself.
;
; Another problem is that int 13h is not supported in the XP dos shell - I'm not sure off-hand
; if the breakpoint will ever be reached, e.g. does XP run the interrupt in real mode and then
; abort the shell, or does it detect the access in PMODE and abort the shell before the breakpoint
; is reached in the vm? I don't know the answer off-hand.
;
; Thanks for your comments; as a result I updated GRDB to have an option for turning its
; hardware breakpoint functionality off :)
;
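.MODEL TINY
.386p                               ; privileged 386 opcodes: mov DRn, 32-bit regs in 16-bit code
.CODE
ORG 100h
START:
;--------------------
; Banner via DOS print-string (AH=09h, '$'-terminated).
Copyright:
mov ah,09
mov dx,offset CMsg
int 21h
jmp short OverCop
CMsg db 0dh,0ah,'80386 DEBUG REGISTERS.',0dh,0ah
db 'Written 1995',0dh,0ah
db 'Beeps when Int 13 entry point reached','$'
OverCop:
;--------------------
mov ax,3513h ; DOS get-vector: ES:BX = current INT 13h handler
int 21h
; Linear address = ES*10h + BX -> EAX. DR0 takes a linear address,
; which in real mode is the same as the physical one.
; (IDA stops here on its first pass if the file is not loaded as 16-bit
; .COM code; it is not a property of the instructions themselves.)
xor eax,eax
mov ax,es
shl eax,4
and ebx,0000FFFFh ; high half of EBX is whatever DOS left there - keep BX only
add eax,ebx
mov dr0,eax ; DR0 = linear address of the INT 13h entry point
xor eax,eax
mov dr6,eax ; DR6 (status): clear any stale B0-B3/BD/BS bits
; DR7 (control): everything off; RW0/LEN0 = 00/00 -> 1-byte execute breakpoint.
xor eax,eax
or al,2 ; G0 = 1: breakpoint 0 enabled globally (bit 1 of DR7)
mov dr7,eax
; NOTE(review): the breakpoint is live from here on, but INT 1 is still the
; old vector until the 2501h call below. A debug exception raised in that
; window goes to whoever owned INT 1 before (a debugger, or nothing useful).
; Arming DR7 after the handler is installed closes the window.
pushf ; Clear TF so we do not single-step into our own handler
pop ax
and ah,0FEh ; TF is FLAGS bit 8 = bit 0 of AH
push ax
popf
; Install TRACER as the INT 1 (debug exception) handler.
; NOTE(review): the previous INT 1 vector is never read (no AH=35h for 01h),
; so it can neither be chained to nor restored after this TSR is loaded.
mov dx,offset Tracer
mov ax,2501h
int 21h
mov dx,offset theend ; TSR: DX = bytes to keep, counted from the PSP (CS:0)
int 27h
;
; INT 1 handler. Entered for two reasons and DR6 says which:
;   BS (bit 14) set  -> the single-step we requested at SetTF below
;   otherwise        -> assumed to be the DR0 execute hit (B0 is not checked)
; Stack layout once bp is set up (push bp, then push eax - MASM pushes
; multi-operand lists left to right; eax is 4 bytes in 16-bit code):
;   [bp+0] eax   [bp+4] bp   [bp+6] IP   [bp+8] CS   [bp+0Ah] FLAGS
TRACER:
push bp eax
mov bp,sp
mov eax,dr6 ; why did INT 1 fire?
; BD (DR6 bit 13) could be tested here. Per the Intel SDM it is set when
; DR7.GD is set and an instruction touches any debug register - a way to
; notice a debugger re-programming DRx. Nothing here sets GD, so a BD test
; would only be meaningful once GD is enabled in DR7 as well.
int 3 ; NOTE(review): an INT 3 inside the INT 1 handler. With no debugger it
      ; runs whatever INT 3 vector is installed, on every single-step and on
      ; every DR0 hit; with a debugger it hands control to the debugger here.
      ; The original author's comment marks it as a probe - drop it for real use.
test eax,00004000h ; BS: single-step trap?
jz HardBreak
; Single-step path: we set TF on the previous exit so the instruction at the
; INT 13h entry could run with DR0 disarmed; re-arm it now.
xor eax,eax
mov dr6,eax ; clear BS
or eax,00000002h ; G0 = 1
and eax,0FFF0FFFFh ; RW0/LEN0 = 0: execute breakpoint, length 1
mov dr7,eax
and word ptr [bp+0Ah],0FEFFh ; clear TF in the saved FLAGS so iret stops stepping
                             ; (operand was stripped in the forum paste; [bp+0Ah]
                             ; is the FLAGS slot per the layout above - confirm
                             ; against the original source)
jmp short exitrace
HardBreak: ; DR0 hit: the INT 13h entry point is about to execute
xor eax,eax
mov dr6,eax ; clear B0
mov eax,dr7
and eax,0FFFFFFFDh ; G0 = 0
mov dr7,eax ; Disarm DR0, otherwise the same instruction faults again on return.
            ; A 16-bit iret pops only the low word of EFLAGS, so RF (bit 16)
            ; cannot be used from here; the TF dance below replaces it.
; The payload: ring the bell (ASCII 07h) through DOS character output.
; NOTE(review): DOS is not re-entrant. INT 13h is typically reached from
; inside an INT 21h file operation, so calling INT 21h from this handler
; re-enters DOS at an unsafe point; a BIOS-level or direct-hardware beep
; would be the safer choice for the payload.
mov dl,07h
mov ah,02h
int 21h
; Insert everything you need.
SetTF: ; request one single-step so the next INT 1 re-arms DR0
or word ptr [bp+0Ah],0100h ; set TF in the saved FLAGS (operand restored, see above)
ExiTrace:
pop eax bp
iret
TheEnd:
End Start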
Bad code... it programs DR0/DR7 and arms the breakpoint (the `mov dr7,eax`) before it installs its INT 1 handler with INT 21h/2501h, never saves the previous INT 1 vector, etc. For an explanation of the BD flag (DR6 bit 13: set when DR7.GD is enabled and an instruction accesses a debug register), grab a copy of the Intel manuals, Volume 3 "System Programming Guide", the debugging chapter.
I'm not particularly fond of this snippet of code, nor the way you recently have been posting code snippets with dubious content.
I'm not particularly fond of this snippet of code, nor the way you recently have been posting code snippets with dubious content.
Bad code... it programs DR0/DR7 and arms the breakpoint (the `mov dr7,eax`) before it installs its INT 1 handler with INT 21h/2501h, never saves the previous INT 1 vector, etc. For an explanation of the BD flag (DR6 bit 13: set when DR7.GD is enabled and an instruction accesses a debug register), grab a copy of the Intel manuals, Volume 3 "System Programming Guide", the debugging chapter.
Good luck.
Thanks, I just found the file and am downloading it. Little large, may take me a while
to read it.
:-)
also, it most likely will not run under Windows: it is DOS-only code (it writes the debug registers directly, which is privileged outside real mode, hooks a real-mode interrupt vector and goes TSR via INT 27h)
and dubious content for sure
as for IDA not disassembling the rest of it, most likely you didn't load it as 16-bit code (a .COM image with its entry at offset 100h)...
this stuff can be done in windows, infact some protections do it already
but SAFELY...
rerouting interrupts IS perilous to say the least (here it is INT 1 that gets hooked, with a hardware execute breakpoint parked on the INT 13h entry point - the entry every BIOS disk call goes through - which is just as risky)
next time put warnings in your posts.....
and dubious content for sure
as for ida not disassembling it, most likely you didnt set ida to disassemble it as 16 bit...
this stuff can be done in windows, infact some protections do it already
but SAFELY...
rerouting interrupts (especially int 13h) IS perilous to say the least
next time put warnings in your posts.....
also most likely will not run on windows, its dos based crap
and dubious content for sure
as for ida not disassembling it, most likely you didnt set ida to disassemble it as 16 bit...
this stuff can be done in windows, infact some protections do it already
but SAFELY...
rerouting interrupts (especially int 13h) IS perilous to say the least
next time put warnings in your posts.....
; dro.asm COM File This code goes resident when run !!
;
; Old anti-debugging code
; Never beeps when traced, why is that ?
;
; Will lock up window if debug or grdb.exe "proceeds" through the program !!
Speaking of dos, is this relic still supported in Vista?
sorry for off-topic...
sorry for off-topic...
nope, afaik it isnt
isnt at all on xp64, so i'd presume vista 32/64 went the same way
i also dont see
; dro.asm COM File This code goes resident when run !!
;
; Old anti-debugging code
; Never beeps when traced, why is that ?
;
; Will lock up window if debug or grdb.exe "proceeds" through the program !!
as a warning, thats more like coders notes..
i was thinking something like this...
One line of vitriol suppressed by management.
isnt at all on xp64, so i'd presume vista 32/64 went the same way
i also dont see
; dro.asm COM File This code goes resident when run !!
;
; Old anti-debugging code
; Never beeps when traced, why is that ?
;
; Will lock up window if debug or grdb.exe "proceeds" through the program !!
as a warning, thats more like coders notes..
i was thinking something like this...
One line of vitriol suppressed by management.