How can I make a breakpoint in a DLL already loaded into memory, like kernel32.dll?

I want a way that works with both Win9x and WinNT.

Thanks for your time.
Posted on 2002-04-20 14:07:32 by Sa6ry
It depends on what debugger you are using.

Be aware that you will receive little or no help from the members of this forum on this particular topic, as you are close to reverse engineering, which is specifically disallowed here.
Posted on 2002-04-21 08:38:18 by sluggy
Hi sluggy,
thanks for the reply.

I am not asking how to make it using a debugger. I know how to make it using SoftICE.

I am asking how to code it.

I want a way that works with both Win9x and WinNT.

I want to learn :(

Thanks.
Posted on 2002-04-21 08:58:09 by Sa6ry
I think it depends on where you want to put your bpx opcode (CC in hex)

If your plan is to trace a function you could simply:

yourprocEntry = GetProcAddress
VirtualProtect -> yourprocEntry (deprotect)
WriteProcessMemory -> yourprocEntry "CC"
...

Hope this helps...

Axial

BTW: GetProcAddress inside a debugger doesn't return the TRUE offset, remember that...
Posted on 2002-04-21 10:12:55 by Axial
Thanks Axial,

I have a question. Does VirtualProtect allow me to set PAGE_NOACCESS on a DLL already loaded, like kernel32.dll?

I have no time to test it now (I have an exam tomorrow :mad:).

If you know a place where I can get source code related to this subject, I will be so glad.

I think this will help me, God willing.

Thanks a lot for the information.
Posted on 2002-04-21 10:52:00 by Sa6ry
Be careful what you talk about on this board... for now it's OK, but we're watching you :)
Posted on 2002-04-21 10:54:37 by bazik
As far as I remember, you cannot use VirtualProtect on system DLLs,
so it might be a bit hard to set the breakpoint :). For other DLLs
it should work though - and because of copy-on-write the breakpoint
will only be present in the process you're debugging.
If you're writing a debugger, you might want to have a look at the
debugging API, and search for net walkers minidebugger.

Bazik, no need to be nazi before the guy has done anything wrong...
I don't see you questioning iczelion's tut28,29,30 ;).
Posted on 2002-04-21 12:03:21 by f0dder
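The bookkeeping around the CC write discussed in the posts above, as an added example that is not part of any post in this thread: the original byte is saved so it can be restored, and a comparison against an unmodified copy (which is what the on-disk image remains when the patch lands in a copy-on-write page) shows where a CC was patched in. It works on a constructed byte buffer instead of a loaded DLL, so no Windows API is called, and the names bp_set, bp_clear and count_int3_patches are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

#define INT3   0xCC
#define MAX_BP 8

/* One software breakpoint: where it is and the byte it replaced. */
struct bp { size_t off; uint8_t saved; int used; };
static struct bp table[MAX_BP];

/* Patch INT3 at off, remembering the original byte. Returns 0 on success,
   -1 if off is out of range, already patched, or the table is full. */
int bp_set(uint8_t *code, size_t len, size_t off) {
    struct bp *slot = NULL;
    if (off >= len) return -1;
    for (int i = 0; i < MAX_BP; i++) {
        if (table[i].used && table[i].off == off) return -1;
        if (!table[i].used && !slot) slot = &table[i];
    }
    if (!slot) return -1;
    slot->off = off; slot->saved = code[off]; slot->used = 1;
    code[off] = INT3;
    return 0;
}

/* Restore the saved byte. Returns 0 on success, -1 if nothing is set there. */
int bp_clear(uint8_t *code, size_t len, size_t off) {
    if (off >= len) return -1;
    for (int i = 0; i < MAX_BP; i++) {
        if (table[i].used && table[i].off == off) {
            code[off] = table[i].saved;
            table[i].used = 0;
            return 0;
        }
    }
    return -1;
}

/* Integrity check: count offsets where the live copy holds INT3 but the
   pristine copy does not. Native 0xCC padding matches in both copies and
   is therefore not reported. */
size_t count_int3_patches(const uint8_t *pristine, const uint8_t *live, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (live[i] == INT3 && pristine[i] != INT3) n++;
    return n;
}

/* Constructed sample: push ebp; mov ebp,esp; pop ebp; ret; two int3 pad bytes. */
static const uint8_t SAMPLE[] = { 0x55, 0x8B, 0xEC, 0x5D, 0xC3, 0xCC, 0xCC };
```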
Hmm Interesting.. I need to find out the parameters that are passed to a specific function .. I wonder if that would work for me :)
Posted on 2002-04-24 10:46:59 by Volcano_88101