Does anyone here know how to debug another program with a self-written program, i.e. set breakpoints? So that, for example, one of my functions is always executed whenever the instruction pointer in another program is at a certain address.
```cpp
#include <windows.h>
#include <detours.h>   // Microsoft Detours 1.x API (DetourFunction, DetourFunctionWithTrampoline, DETOUR_TRAMPOLINE)

// Forward declarations of the hook functions and the handler used below
DWORD WINAPI GetTickCount_Detour();
BOOL  WINAPI GetThreadContext_Detour(HANDLE hThread, LPCONTEXT lpContext);
LONG  WINAPI UnhandlerExceptionFilter(struct _EXCEPTION_POINTERS* ExceptionInfo);

// Detour macro for the (empty) trampoline
DETOUR_TRAMPOLINE(BOOL WINAPI GetThreadContext_Trampoline(HANDLE, LPCONTEXT), GetThreadContext);

// Function defines
void Set_SEH_and_BreakPoints(void);                 // Set the SEH and breakpoints
LPTOP_LEVEL_EXCEPTION_FILTER oldHandler = NULL;     // Pointer to existing exception handler

// Global variables
DWORD dwBreakPoint    = 0x100334f;  // The hardware breakpoint (4 available)
int   nBreakPointJump = 0x18;       // How many bytes we make EIP skip from this breakpoint
BYTE  opcodes[5];                   // Original opcodes at the GetTickCount() entry point, stored for restoring

// DLL entry point which the OS loader calls for us after injecting
BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        DisableThreadLibraryCalls((HMODULE)hModule);   // our own DLL handle, not the EXE's

        MessageBoxA(NULL, "We are in and hooked !", "SEH_example", 0);

        // Store original opcodes under GetTickCount()
        ReadProcessMemory(GetCurrentProcess(),
                          (LPVOID)GetProcAddress(GetModuleHandleA("Kernel32"), "GetTickCount"),
                          opcodes, 5, 0);

        // Hijack GetTickCount to jmp to our GetTickCount_Detour
        DetourFunction((PBYTE)GetTickCount, (PBYTE)GetTickCount_Detour);

        // Hijack also GetThreadContext() to hide the altered debug registers
        DetourFunctionWithTrampoline((PBYTE)GetThreadContext_Trampoline, (PBYTE)GetThreadContext_Detour);
        break;

    case DLL_PROCESS_DETACH:
        // Try to remove all hooks and handlers.
        DetourRemove((PBYTE)GetThreadContext_Trampoline, (PBYTE)GetThreadContext_Detour);
        WriteProcessMemory(GetCurrentProcess(),
                           (LPVOID)GetProcAddress(GetModuleHandleA("Kernel32"), "GetTickCount"),
                           opcodes, 5, 0);
        if (oldHandler) SetUnhandledExceptionFilter(oldHandler);
        break;
    }
    return TRUE;
}

// Hijacked GetTickCount. This is called when the target app (Notepad) calls GetTickCount()
DWORD WINAPI GetTickCount_Detour()
{
    // From here we add our Structured Exception Handler.
    // We can't add it in DllMain since that function is called in a
    // different thread context and the SEH and breakpoints are per thread.
    Set_SEH_and_BreakPoints();

    // Return the original bytes to GetTickCount(), i.e. unhook it. We only need this "callback" once.
    WriteProcessMemory(GetCurrentProcess(),
                       (LPVOID)GetProcAddress(GetModuleHandleA("Kernel32"), "GetTickCount"),
                       opcodes, 5, 0);

    MessageBoxA(NULL, "HW-breakpoints are set !", "SEH_example", 0);

    // Return the actual function result
    return GetTickCount();
}

// Add the SEH handler and set the HW breakpoint(s)
void Set_SEH_and_BreakPoints()
{
    // Store the existing handler in a global variable to reset it later
    oldHandler = SetUnhandledExceptionFilter(UnhandlerExceptionFilter);

    // Set the debug registers for the HW breakpoint and activate it
    CONTEXT ctx = {CONTEXT_DEBUG_REGISTERS};
    ctx.Dr6 = 0x00000000;
    ctx.Dr0 = dwBreakPoint;   // Set address of breakpoint 1
    ctx.Dr7 = 0x00000001;     // Activate breakpoint 1

    /* use these for setting more breakpoints
    ctx.Dr1 = address;        // Set address of breakpoint 2
    ctx.Dr7 |= 0x00000004;    // Activate breakpoint 2
    ctx.Dr2 = address;        // Set address of breakpoint 3
    ctx.Dr7 |= 0x00000010;    // Activate breakpoint 3
    ctx.Dr3 = address;        // Set address of breakpoint 4
    ctx.Dr7 |= 0x00000040;    // Activate breakpoint 4 */

    // Write the values to the registers. From now on the breakpoint is active
    SetThreadContext(GetCurrentThread(), &ctx);
}

// Our exception handler
// study the ExceptionInfo struct for the stuff you need
LONG WINAPI UnhandlerExceptionFilter(struct _EXCEPTION_POINTERS* ExceptionInfo)
{
    // HW breakpoints DON'T generate EXCEPTION_BREAKPOINT but EXCEPTION_SINGLE_STEP, so we check for that
    if (ExceptionInfo->ExceptionRecord->ExceptionCode == EXCEPTION_SINGLE_STEP)
    {
        // Verify that the breakpoint was the one we set
        if ((DWORD)ExceptionInfo->ExceptionRecord->ExceptionAddress == dwBreakPoint)
        {
            // Move the instruction pointer forward to skip unwanted instructions and let
            // the process continue as if nothing had happened
            ExceptionInfo->ContextRecord->Eip += nBreakPointJump;
            return EXCEPTION_CONTINUE_EXECUTION;
        }
    }
    // Some other exception occurred. Pass it to the next handler
    return EXCEPTION_CONTINUE_SEARCH;
}

// Hijacked GetThreadContext(). We don't actually need this in our Notepad example.
// I included it just for help, since for a real hack you need to fake the
// DEBUG registers so that the game doesn't see that they are altered.
BOOL WINAPI GetThreadContext_Detour(HANDLE hThread, LPCONTEXT lpContext)
{
    // Get the real values from the original API function (see the _Trampoline)
    BOOL ret = GetThreadContext_Trampoline(hThread, lpContext);

    // If the target is interested in the debug registers, return fake values.
    // (The original used `&&` here, which is true for any non-zero ContextFlags;
    // CONTEXT_FULL also shares the CONTEXT_i386 bit, so compare the whole flag.)
    if ((lpContext->ContextFlags & CONTEXT_DEBUG_REGISTERS) == CONTEXT_DEBUG_REGISTERS)
    {
        lpContext->Dr0 = 0;
        lpContext->Dr1 = 0;
        lpContext->Dr2 = 0;
        lpContext->Dr3 = 0;
        lpContext->Dr6 = 0;
        lpContext->Dr7 = 0;
    }
    return ret;
}
```
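The posted DLL hard-codes the DR7 values 0x1, 0x4, 0x10, 0x40 and tests ContextFlags with `&&`. The following is an added example (not code from the thread) that spells out the bit arithmetic behind both: how DR7 enable/condition/length fields are built for the four slots, how DR6 tells you which slot fired, and why the `&&` test, and even a plain `&`, misreports whether a caller asked for the debug registers. It is written portably so it compiles without windows.h; the CONTEXT_* constants are copied from the x86 winnt.h values and the DR6/DR7 layout is the one in the Intel manual. All function names are my own.

```c
#include <stdint.h>
#include <stdio.h>

/* x86 CONTEXT flag values as defined in winnt.h (copied here so this
 * compiles without windows.h). */
#define CONTEXT_I386            0x00010000u
#define CONTEXT_CONTROL         (CONTEXT_I386 | 0x01u)
#define CONTEXT_INTEGER         (CONTEXT_I386 | 0x02u)
#define CONTEXT_SEGMENTS        (CONTEXT_I386 | 0x04u)
#define CONTEXT_FULL            (CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS)
#define CONTEXT_DEBUG_REGISTERS (CONTEXT_I386 | 0x10u)

/* DR7 layout (Intel SDM): bit 2*slot is the local-enable bit L0..L3
 * (the 0x1, 0x4, 0x10, 0x40 the post uses); for each slot, bits
 * 16+4*slot..17+4*slot hold the R/W condition and bits 18+4*slot..19+4*slot
 * the length. */
enum { DR7_RW_EXEC = 0, DR7_RW_WRITE = 1, DR7_RW_IO = 2, DR7_RW_READWRITE = 3 };
enum { DR7_LEN_1 = 0, DR7_LEN_2 = 1, DR7_LEN_8 = 2 /* 64-bit only */, DR7_LEN_4 = 3 };

/* Local-enable bit for breakpoint slot 0..3. */
uint32_t dr7_local_enable(unsigned slot) {
    return 1u << (2 * slot);
}

/* Return dr7 with the given slot armed for condition rw and length len.
 * An execute breakpoint is rw = 0, len = 0, which is why the post only
 * has to set the enable bit for its code breakpoint. */
uint32_t dr7_arm(uint32_t dr7, unsigned slot, unsigned rw, unsigned len) {
    unsigned shift = 16 + 4 * slot;
    dr7 &= ~(0xFu << shift);              /* clear the slot's old RW/LEN fields */
    dr7 |= (rw & 3u) << shift;
    dr7 |= (len & 3u) << (shift + 2);
    dr7 |= dr7_local_enable(slot);
    return dr7;
}

/* Which slot fired? The CPU sets DR6 bits B0..B3 for the matching slot.
 * The posted handler compares ExceptionAddress with dwBreakPoint instead;
 * reading DR6 is the other way to tell. Returns -1 if no slot bit is set. */
int dr6_hit_slot(uint32_t dr6) {
    for (unsigned slot = 0; slot < 4; slot++)
        if (dr6 & (1u << slot)) return (int)slot;
    return -1;
}

/* The thread's GetThreadContext_Detour tests
 *     lpContext->ContextFlags && CONTEXT_DEBUG_REGISTERS
 * which is true for every non-zero ContextFlags. A plain `&` is still
 * wrong, because CONTEXT_FULL shares the CONTEXT_i386 bit 0x10000.
 * Only masking and comparing the whole flag answers the question. */
int wants_debug_regs_buggy(uint32_t flags) {
    return flags && CONTEXT_DEBUG_REGISTERS;
}
int wants_debug_regs_and_only(uint32_t flags) {
    return (flags & CONTEXT_DEBUG_REGISTERS) != 0;
}
int wants_debug_regs(uint32_t flags) {
    return (flags & CONTEXT_DEBUG_REGISTERS) == CONTEXT_DEBUG_REGISTERS;
}

int main(void) {
    uint32_t dr7 = 0;
    dr7 = dr7_arm(dr7, 0, DR7_RW_EXEC, DR7_LEN_1);   /* execute bp in slot 0 -> 0x00000001 */
    dr7 = dr7_arm(dr7, 1, DR7_RW_WRITE, DR7_LEN_4);  /* 4-byte write watch in slot 1 */
    printf("DR7 = 0x%08x\n", dr7);
    printf("CONTEXT_FULL asks for debug regs? buggy=%d and=%d correct=%d\n",
           wants_debug_regs_buggy(CONTEXT_FULL),
           wants_debug_regs_and_only(CONTEXT_FULL),
           wants_debug_regs(CONTEXT_FULL));
    printf("slot that fired for DR6=0x4: %d\n", dr6_hit_slot(0x4));
    return 0;
}
```

With a single execute breakpoint in slot 0 the result is exactly the post's `Dr7 = 0x00000001`; the second call shows what the upper fields look like once you watch data instead of code. The three `wants_debug_regs*` variants make the ContextFlags point concrete: a caller passing CONTEXT_FULL is not asking for Dr0..Dr7, yet both the `&&` form and the bare `&` form say it is.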
Yep, software BPs work too, but you only use breakpoint hooks when the other kinds are detected; otherwise it makes no sense, since it's very unsafe.
So I would go straight to hardware BPs.
Btw, you have to write 0xCC for an Int3 BP; I think the exception for that isn't Single Step but really EXCEPTION_BREAKPOINT or something like that...
Yes, the return value of GetExceptionCode() must be EXCEPTION_BREAKPOINT.
However, it's also not exactly hard to detect hardware breakpoints.
If GetThreadContext is hooked (with a breakpoint), then even without kernel-mode access ;O
It's actually fairly well known that the detection problem can be solved by hooking GetThreadContext and then modifying the CONTEXT structure.