Hi
How does Olly handle it to break at a certain address?
I only saw this example:
http://win32assembly.online.fr/tut30.html
but tracing through the whole code and always checking the current address is very slow, so is there a better solution?
Posted on 2007-09-14 10:16:16 by Figo
Write an int3 at the address and handle the exception yourself writing back the original byte?
Posted on 2007-09-14 10:22:10 by JimmyClif
Ah OK, first, thanks for the fast answer.
Now, only to prove I am right:
On an INT3, an EXCEPTION_BREAKPOINT happens?
So I overwrite the address with CCh and I get a break?
And I can find it at u.Exception.pExceptionRecord.ExceptionCode==EXCEPTION_BREAKPOINT
Posted on 2007-09-14 10:43:12 by Figo
OK, I have tested it and it works fine :D

Thanks again ^^
Posted on 2007-09-14 11:24:06 by Figo
Glad it helped you... :)
Posted on 2007-09-14 11:52:22 by JimmyClif
There's a much better way than injecting int 13's (which require you to save and restore the byte you are overwriting).

Use VirtualProtectEx to alter the memory page attributes for the BYTE OR BYTE RANGE you wish to monitor.
You can set up the page protection more specifically by selecting to Break or Not Break when the protected memory is Read, Write or Executed. This makes it useful for watching both Code and Data accesses.
Your code will receive an exception for you to handle, it just won't be a BreakPoint Exception.

This method does not require you to save and restore dirty bytes, and if the target is using int13 for its own purposes, this method will not interfere with that.

Have a nice day :)
Posted on 2007-09-14 22:36:16 by Homer
Homer, Int 13?;)

BTW, VirtualProtectEx is not fine-grained enough to protect exactly a byte or byte range, but an entire page.

dwSize

Specifies the size, in bytes, of the region whose access protection attributes are changed. The region of affected pages includes all pages containing one or more bytes in the range from the lpAddress parameter to (lpAddress+dwSize). This means that a 2-byte range straddling a page boundary causes the protection attributes of both pages to be changed.


It is still a valid method, with more overhead than the simple int3, but it works. You just single-step after the exception and then enable the protection again, but the problem is that an exception will occur even if it is not happening at the breakpointed address, so it adds a lot more overhead than simple int3 for this reason.

I'd misread Homer; he never implied that VirtualProtectEx is byte granular.
Posted on 2007-09-14 22:50:06 by LocoDelAssembly
LOL, my spellchecker was enabled.
Int 3, of course.
Posted on 2007-09-15 06:58:10 by Homer
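
Added example, not part of any post in this thread: a portable C model of the int3 bookkeeping discussed above (save the byte, write CCh, restore and rewind on EXCEPTION_BREAKPOINT, re-arm after the single step), plus the page count behind the dwSize remark. The `mem` buffer, the `Breakpoint` struct and every function name are hypothetical; in a real debugger the buffer accesses would be ReadProcessMemory/WriteProcessMemory and the instruction pointer would come from the thread context. It assumes 4096-byte pages.

```c
#include <stddef.h>
#include <stdint.h>

#define BP_PAGE_SIZE 4096u  /* assumption: x86 page size */
#define BP_INT3      0xCCu  /* one-byte int3 opcode */

/* Constructed model: 'mem' stands in for the debuggee's memory. */
typedef struct { size_t addr; uint8_t saved; int armed; } Breakpoint;

/* Arm: save the original byte, then overwrite it with int3 (CCh). */
void bp_arm(uint8_t *mem, Breakpoint *bp, size_t addr) {
    bp->addr  = addr;
    bp->saved = mem[addr];
    mem[addr] = BP_INT3;
    bp->armed = 1;
}

/* Handle EXCEPTION_BREAKPOINT. On x86 the thread's instruction pointer
   is one past the CCh byte when the exception is reported.
   Returns 1 if this is our breakpoint: the original byte is written
   back and *ip is rewound so the real instruction can execute.
   Returns 0 for an int3 that belongs to the target itself. */
int bp_on_hit(uint8_t *mem, Breakpoint *bp, size_t *ip) {
    if (!bp->armed || *ip != bp->addr + 1)
        return 0;
    mem[bp->addr] = bp->saved;
    *ip = bp->addr;
    bp->armed = 0;
    return 1;
}

/* After single-stepping the restored instruction, put the CCh back. */
void bp_rearm(uint8_t *mem, Breakpoint *bp) {
    if (!bp->armed) {
        mem[bp->addr] = BP_INT3;
        bp->armed = 1;
    }
}

/* Page-protection alternative: how many pages change protection for
   'size' bytes starting at 'addr' (size > 0). Every access to any of
   these pages raises an exception, not only the watched bytes. */
size_t pages_touched(size_t addr, size_t size) {
    return (addr + size - 1) / BP_PAGE_SIZE - addr / BP_PAGE_SIZE + 1;
}
```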