While my Debugger Gently Weeps,...

Zen · June 26, 2014, 08:16:00 AM

Tedd · June 27, 2014, 11:55:14 PM

First, you make the assumption that everyone else is sensible (first mistake!)
And then, since everyone else is as sensible as you are, you expect they would have also started their procedure with the usual stack-frame preparation ("push ebp; mov ebp,esp").
Now you have your current stack pointer (esp), and a pointer to the base of your stack frame (ebp), and the top and bottom of the previous procedure's stack are equal to the previous values for esp and ebp (the previous ebp was pushed first, and previous esp pointed to 4 bytes below that location -- which should actually contain the return address for the previous call, so top of their stack would be after that.)
So, following those assumptions, you can iterate down the stack, noting the top and bottom of the stack frame for each procedure.
Unfortunately, this isn't entirely foolproof, as not all procedures are going to be sensible -- some either have no stack frame, or simply don't use ebp for that purpose. So you also need to do some basic sanity checking on the values and see whether they make sense (top should be above than bottom, and bottom probably shouldn't be 300MB below).
If you do find a hiccup, you're left with scan the remaining stack space until you find someone that at least looks sensible, but still it's only a guess.

Zen · June 28, 2014, 03:12:25 AM

dedndave · June 28, 2014, 03:16:40 AM

you can get top and bottom of stack from the TEB
if EBP isn't between those and 4-aligned, look at ESP :P

Zen · June 29, 2014, 05:45:17 AM

Zen · July 02, 2014, 03:18:56 AM

dedndave · July 02, 2014, 04:20:07 AM

Code Select

;###############################################################################################

        .XCREF
        .NoList
        INCLUDE    \Masm32\Include\Masm32rt.inc
        .List

;###############################################################################################

        .CODE

;***********************************************************************************************

_main   PROC

        int     3                       ;comment this line out for testing

        movzx   eax,byte ptr [ebx+2]
        print   str$(eax),13,10,13,10
        inkey
        exit

_main   ENDP

;###############################################################################################

        END     _main

Zen · July 03, 2014, 03:15:43 AM

...vicious,...

dedndave · July 03, 2014, 08:25:26 AM

it detects the debugger :P

jj2007 · July 03, 2014, 11:55:26 AM

Nice find, Dave :t
Is that documented somewhere?

dedndave · July 03, 2014, 12:20:37 PM

well - upon entry, a PE EXE has 2 registers of interest
EAX holds the entry point - that one might detect a virus or something - but probably too late
EBX holds the address of the PEB

they're not documented on MSDN
one of Russinovich's books "Microsoft Windows Internals" has them documented, though

hutch-- · July 03, 2014, 04:00:29 PM

I am a fan of later OS design that randomise the stack address to make life difficult for stack based exploits.

nidud · July 03, 2014, 07:49:42 PM

deleted

dedndave · July 04, 2014, 01:20:52 AM

ouch !

what happens to the original stack :redface:

you can probe the original stack down and usually get something like 1 Gb

Zen · July 04, 2014, 03:33:57 AM

The MASM Forum

News:

While my Debugger Gently Weeps,...

Zen

Tedd

Zen

dedndave

Zen

Zen

dedndave

Zen

dedndave

jj2007

dedndave

hutch--

nidud

dedndave

Zen